0% found this document useful (0 votes)

52 views

FortiOS 7.4.4 CLI Reference

Uploaded by

abelokihiro

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

52 views

FortiOS 7.4.4 CLI Reference

Uploaded by

abelokihiro

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 2328

CLI Reference

FortiOS 7.4.4
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO LIBRARY

https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/training-certification

FORTINET TRAINING INSTITUTE

https://training.fortinet.com

FORTIGUARD LABS
https://www.fortiguard.com

END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

May 15, 2024

FortiOS 7.4.4 CLI Reference
01-744-912654-20240515
TABLE OF CONTENTS

Change Log 16
FortiOS CLI reference 17
Availability of commands and options 17
Command tree 17
CLI configuration commands 19
alertemail 20
config alertemail setting 20
antivirus 27
config antivirus exempt-list 27
config antivirus profile 28
config antivirus quarantine 58
config antivirus settings 62
application 64
config application custom 64
config application group 65
config application list 66
config application name 75
config application rule-settings 77
authentication 78
config authentication rule 78
config authentication scheme 80
config authentication setting 83
automation 86
config automation setting 86
casb 87
config casb profile 87
config casb saas-application 90
config casb user-activity 91
certificate 97
config certificate ca 97
config certificate crl 99
config certificate local 100
config certificate remote 105
diameter-filter 106
config diameter-filter profile 106
dlp 109
config dlp data-type 109
config dlp dictionary 110
config dlp exact-data-match 112
config dlp filepattern 113
config dlp fp-doc-source 117
config dlp profile 120
config dlp sensitivity 125
config dlp sensor 126

FortiOS 7.4.4 CLI Reference 3

Fortinet Inc.
config dlp settings 128
dnsfilter 130
config dnsfilter domain-filter 130
config dnsfilter profile 131
dpdk 137
config dpdk cpus 137
config dpdk global 138
emailfilter 141
config emailfilter block-allow-list 141
config emailfilter bword 143
config emailfilter dnsbl 145
config emailfilter fortishield 146
config emailfilter iptrust 147
config emailfilter mheader 148
config emailfilter options 150
config emailfilter profile 150
endpoint-control 159
config endpoint-control fctems-override 159
config endpoint-control fctems 164
config endpoint-control settings 168
ethernet-oam 170
config ethernet-oam cfm 170
extension-controller 173
config extension-controller dataplan 173
config extension-controller extender-profile 176
config extension-controller extender-vap 202
config extension-controller extender 206
config extension-controller fortigate-profile 209
config extension-controller fortigate 210
file-filter 212
config file-filter profile 212
firewall 215
config firewall DoS-policy 217
config firewall DoS-policy6 219
config firewall access-proxy-ssh-client-cert 222
config firewall access-proxy-virtual-host 224
config firewall access-proxy 225
config firewall access-proxy6 251
config firewall acl 278
config firewall acl6 280
config firewall address 281
config firewall address6-template 287
config firewall address6 288
config firewall addrgrp 292
config firewall addrgrp6 294
config firewall auth-portal 296
config firewall central-snat-map 297
config firewall city 299

FortiOS 7.4.4 CLI Reference 4

Fortinet Inc.
config firewall country 300
config firewall decrypted-traffic-mirror 300
config firewall dnstranslation 301
config firewall global 302
config firewall identity-based-route 303
config firewall interface-policy 304
config firewall interface-policy6 307
config firewall internet-service-addition 310
config firewall internet-service-append 312
config firewall internet-service-botnet 313
config firewall internet-service-custom-group 313
config firewall internet-service-custom 314
config firewall internet-service-definition 316
config firewall internet-service-extension 317
config firewall internet-service-group 321
config firewall internet-service-ipbl-reason 322
config firewall internet-service-ipbl-vendor 322
config firewall internet-service-list 323
config firewall internet-service-name 323
config firewall internet-service-owner 324
config firewall internet-service-reputation 325
config firewall internet-service-sld 325
config firewall internet-service-subapp 326
config firewall internet-service 327
config firewall ip-translation 329
config firewall ipmacbinding setting 329
config firewall ipmacbinding table 330
config firewall ippool 331
config firewall ippool6 336
config firewall ipv6-eh-filter 337
config firewall ldb-monitor 338
config firewall local-in-policy 340
config firewall local-in-policy6 343
config firewall multicast-address 346
config firewall multicast-address6 348
config firewall multicast-policy 349
config firewall multicast-policy6 352
config firewall network-service-dynamic 354
config firewall on-demand-sniffer 355
config firewall policy 356
config firewall profile-group 380
config firewall profile-protocol-options 382
config firewall proxy-address 406
config firewall proxy-addrgrp 410
config firewall proxy-policy 412
config firewall region 421
config firewall schedule group 421
config firewall schedule onetime 422
config firewall schedule recurring 423

FortiOS 7.4.4 CLI Reference 5

Fortinet Inc.
config firewall security-policy 424
config firewall service category 434
config firewall service custom 435
config firewall service group 439
config firewall shaper per-ip-shaper 440
config firewall shaper traffic-shaper 442
config firewall shaping-policy 445
config firewall shaping-profile 450
config firewall sniffer 452
config firewall ssh host-key 458
config firewall ssh local-ca 460
config firewall ssh local-key 460
config firewall ssh setting 461
config firewall ssl-server 462
config firewall ssl-ssh-profile 465
config firewall ssl setting 494
config firewall traffic-class 496
config firewall ttl-policy 497
config firewall vendor-mac 498
config firewall vip 498
config firewall vip6 532
config firewall vipgrp 564
config firewall vipgrp6 565
config firewall wildcard-fqdn custom 566
config firewall wildcard-fqdn group 567
ftp-proxy 568
config ftp-proxy explicit 568
icap 570
config icap profile 570
config icap server-group 576
config icap server 577
ips 580
config ips custom 580
config ips decoder 582
config ips global 582
config ips rule-settings 586
config ips rule 587
config ips sensor 589
config ips settings 594
config ips view-map 595
log 597
config log custom-field 598
config log disk filter 599
config log disk setting 602
config log eventfilter 608
config log fortianalyzer-cloud filter 611
config log fortianalyzer-cloud override-filter 615
config log fortianalyzer-cloud override-setting 618
config log fortianalyzer-cloud setting 619

FortiOS 7.4.4 CLI Reference 6

Fortinet Inc.
config log fortianalyzer2 filter 622
config log fortianalyzer2 override-filter 626
config log fortianalyzer2 override-setting 629
config log fortianalyzer2 setting 633
config log fortianalyzer3 filter 638
config log fortianalyzer3 override-filter 641
config log fortianalyzer3 override-setting 645
config log fortianalyzer3 setting 649
config log fortianalyzer filter 654
config log fortianalyzer override-filter 657
config log fortianalyzer override-setting 661
config log fortianalyzer setting 665
config log fortiguard filter 670
config log fortiguard override-filter 673
config log fortiguard override-setting 677
config log fortiguard setting 678
config log gui-display 681
config log memory filter 682
config log memory global-setting 685
config log memory setting 686
config log null-device filter 687
config log null-device setting 690
config log setting 691
config log syslogd2 filter 695
config log syslogd2 override-filter 699
config log syslogd2 override-setting 702
config log syslogd2 setting 706
config log syslogd3 filter 710
config log syslogd3 override-filter 713
config log syslogd3 override-setting 717
config log syslogd3 setting 720
config log syslogd4 filter 724
config log syslogd4 override-filter 728
config log syslogd4 override-setting 731
config log syslogd4 setting 735
config log syslogd filter 739
config log syslogd override-filter 742
config log syslogd override-setting 746
config log syslogd setting 749
config log tacacs+accounting2 filter 753
config log tacacs+accounting2 setting 754
config log tacacs+accounting3 filter 755
config log tacacs+accounting3 setting 756
config log tacacs+accounting filter 757
config log tacacs+accounting setting 758
config log threat-weight 759
config log webtrends filter 769
config log webtrends setting 773
monitoring 774

FortiOS 7.4.4 CLI Reference 7

Fortinet Inc.
config monitoring np6-ipsec-engine 774
config monitoring npu-hpe 775
nsxt 777
config nsxt service-chain 777
config nsxt setting 779
report 780
config report layout 780
config report setting 789
router 791
config router access-list 791
config router access-list6 792
config router aspath-list 794
config router auth-path 795
config router bfd 795
config router bfd6 797
config router bgp 798
config router community-list 861
config router extcommunity-list 862
config router isis 863
config router key-chain 877
config router multicast-flow 878
config router multicast 879
config router multicast6 888
config router ospf 890
config router ospf6 907
config router policy 922
config router policy6 925
config router prefix-list 928
config router prefix-list6 929
config router rip 930
config router ripng 937
config router route-map 943
config router setting 949
config router static 950
config router static6 953
rule 956
config rule fmwp 956
config rule otdt 958
config rule otvp 960
sctp-filter 963
config sctp-filter profile 963
ssh-filter 965
config ssh-filter profile 965
switch-controller 968
config switch-controller 802-1X-settings 969
config switch-controller acl group 972
config switch-controller acl ingress 973
config switch-controller auto-config custom 975

FortiOS 7.4.4 CLI Reference 8

Fortinet Inc.
config switch-controller auto-config default 976
config switch-controller auto-config policy 977
config switch-controller custom-command 979
config switch-controller dsl policy 980
config switch-controller dynamic-port-policy 983
config switch-controller flow-tracking 986
config switch-controller fortilink-settings 989
config switch-controller global 992
config switch-controller igmp-snooping 998
config switch-controller initial-config template 999
config switch-controller initial-config vlans 1001
config switch-controller lldp-profile 1002
config switch-controller lldp-settings 1007
config switch-controller location 1008
config switch-controller mac-policy 1013
config switch-controller managed-switch 1015
config switch-controller network-monitor-settings 1057
config switch-controller ptp interface-policy 1058
config switch-controller ptp profile 1059
config switch-controller qos dot1p-map 1061
config switch-controller qos ip-dscp-map 1065
config switch-controller qos qos-policy 1068
config switch-controller qos queue-policy 1069
config switch-controller quarantine 1072
config switch-controller remote-log 1073
config switch-controller security-policy 802-1X 1076
config switch-controller security-policy local-access 1080
config switch-controller sflow 1082
config switch-controller snmp-community 1083
config switch-controller snmp-sysinfo 1086
config switch-controller snmp-trap-threshold 1087
config switch-controller snmp-user 1089
config switch-controller storm-control-policy 1091
config switch-controller storm-control 1093
config switch-controller stp-instance 1095
config switch-controller stp-settings 1096
config switch-controller switch-group 1098
config switch-controller switch-interface-tag 1099
config switch-controller switch-log 1100
config switch-controller switch-profile 1101
config switch-controller system 1103
config switch-controller traffic-policy 1106
config switch-controller traffic-sniffer 1108
config switch-controller virtual-port-pool 1110
config switch-controller vlan-policy 1111
system 1113
config system 3g-modem custom 1117
config system accprofile 1118
config system acme 1130

FortiOS 7.4.4 CLI Reference 9

Fortinet Inc.
config system admin 1131
config system affinity-interrupt 1138
config system affinity-packet-redistribution 1139
config system alarm 1140
config system alias 1143
config system api-user 1144
config system arp-table 1145
config system auto-install 1146
config system auto-script 1147
config system automation-action 1148
config system automation-destination 1153
config system automation-stitch 1154
config system automation-trigger 1155
config system autoupdate schedule 1160
config system autoupdate tunneling 1161
config system bypass 1162
config system central-management 1163
config system console 1169
config system csf 1169
config system custom-language 1175
config system ddns 1175
config system dedicated-mgmt 1178
config system device-upgrade 1179
config system dhcp6 server 1182
config system dhcp server 1185
config system dnp3-proxy 1197
config system dns-database 1198
config system dns-server 1202
config system dns 1203
config system dns64 1206
config system dscp-based-priority 1207
config system elbc 1208
config system email-server 1209
config system evpn 1211
config system external-resource 1212
config system fabric-vpn 1215
config system federated-upgrade 1219
config system fips-cc 1222
config system fortiguard 1223
config system fortindr 1232
config system fortisandbox 1233
config system fsso-polling 1235
config system ftm-push 1236
config system geneve 1237
config system geoip-override 1238
config system global 1239
config system gre-tunnel 1284
config system ha-monitor 1287
config system ha 1288

FortiOS 7.4.4 CLI Reference 10

Fortinet Inc.
config system icond 1302
config system ike 1306
config system interface 1320
config system ipam 1385
config system ipip-tunnel 1388
config system ips-urlfilter-dns 1389
config system ips-urlfilter-dns6 1390
config system ips 1391
config system ipsec-aggregate 1391
config system ipv6-neighbor-cache 1392
config system ipv6-tunnel 1393
config system isf-queue-profile 1394
config system link-monitor 1396
config system lldp network-policy 1401
config system lte-modem 1409
config system mac-address-table 1417
config system management-tunnel 1417
config system mobile-tunnel 1419
config system modem 1421
config system nd-proxy 1428
config system netflow 1429
config system network-visibility 1430
config system np6 1432
config system np6xlite 1444
config system npu-post 1458
config system npu-setting prp 1459
config system npu-vlink 1460
config system npu 1461
config system ntp 1551
config system object-tagging 1555
config system password-policy-guest-admin 1556
config system password-policy 1558
config system pcp-server 1560
config system physical-switch 1563
config system pppoe-interface 1564
config system probe-response 1566
config system proxy-arp 1567
config system ptp 1568
config system replacemsg-group 1570
config system replacemsg-image 1582
config system replacemsg admin 1583
config system replacemsg alertmail 1584
config system replacemsg auth 1585
config system replacemsg automation 1586
config system replacemsg custom-message 1587
config system replacemsg fortiguard-wf 1587
config system replacemsg ftp 1588
config system replacemsg http 1589
config system replacemsg icap 1590

FortiOS 7.4.4 CLI Reference 11

Fortinet Inc.
config system replacemsg mail 1591
config system replacemsg nac-quar 1592
config system replacemsg spam 1593
config system replacemsg sslvpn 1593
config system replacemsg traffic-quota 1594
config system replacemsg utm 1595
config system replacemsg webproxy 1596
config system resource-limits 1597
config system saml 1600
config system sdn-connector 1603
config system sdn-proxy 1612
config system sdwan 1613
config system serial-port 1638
config system session-helper 1638
config system session-ttl 1640
config system settings 1641
config system sflow 1665
config system sit-tunnel 1666
config system smc-ntp 1668
config system sms-server 1669
config system snmp community 1670
config system snmp mib-view 1678
config system snmp sysinfo 1678
config system snmp user 1680
config system speed-test-schedule 1686
config system speed-test-server 1689
config system speed-test-setting 1690
config system ssh-config 1691
config system sso-admin 1694
config system sso-forticloud-admin 1695
config system sso-fortigate-cloud-admin 1695
config system standalone-cluster 1696
config system storage 1699
config system stp 1701
config system switch-interface 1703
config system timezone 1704
config system tos-based-priority 1705
config system vdom-dns 1706
config system vdom-exception 1707
config system vdom-link 1709
config system vdom-netflow 1710
config system vdom-property 1711
config system vdom-radius-server 1713
config system vdom-sflow 1714
config system vdom 1715
config system vin-alarm 1716
config system virtual-switch 1718
config system virtual-wire-pair 1720
config system vne-tunnel 1721

FortiOS 7.4.4 CLI Reference 12

Fortinet Inc.
config system vxlan 1722
config system wccp 1724
config system wireless ap-status 1728
config system wireless settings 1729
config system zone 1732
user 1734
config user adgrp 1734
config user certificate 1735
config user domain-controller 1736
config user exchange 1739
config user external-identity-provider 1742
config user fortitoken 1744
config user fsso-polling 1745
config user fsso 1746
config user group 1750
config user krb-keytab 1755
config user ldap 1756
config user local 1763
config user nac-policy 1767
config user password-policy 1770
config user peer 1771
config user peergrp 1773
config user pop3 1774
config user quarantine 1775
config user radius 1776
config user saml 1791
config user security-exempt-list 1795
config user setting 1796
config user tacacs+ 1800
videofilter 1803
config videofilter keyword 1803
config videofilter profile 1804
config videofilter youtube-key 1807
virtual-patch 1808
config virtual-patch profile 1808
voip 1810
config voip profile 1810
vpn 1835
config vpn certificate ca 1835
config vpn certificate crl 1837
config vpn certificate local 1839
config vpn certificate ocsp-server 1843
config vpn certificate remote 1844
config vpn certificate setting 1845
config vpn ipsec concentrator 1850
config vpn ipsec fec 1851
config vpn ipsec forticlient 1853
config vpn ipsec manualkey-interface 1853
config vpn ipsec manualkey 1856

FortiOS 7.4.4 CLI Reference 13

Fortinet Inc.
config vpn ipsec phase1-interface 1858
config vpn ipsec phase1 1888
config vpn ipsec phase2-interface 1913
config vpn ipsec phase2 1922
config vpn kmip-server 1931
config vpn l2tp 1933
config vpn pptp 1934
config vpn qkd 1935
config vpn ssl client 1936
config vpn ssl settings 1938
config vpn ssl web host-check-software 1952
config vpn ssl web portal 1954
config vpn ssl web realm 1976
config vpn ssl web user-bookmark 1977
config vpn ssl web user-group-bookmark 1985
waf 1992
config waf main-class 1992
config waf profile 1992
config waf signature 2017
config waf sub-class 2018
wanopt 2019
config wanopt auth-group 2019
config wanopt cache-service 2021
config wanopt content-delivery-network-rule 2024
config wanopt peer 2030
config wanopt profile 2031
config wanopt remote-storage 2039
config wanopt settings 2040
config wanopt webcache 2042
web-proxy 2046
config web-proxy debug-url 2046
config web-proxy explicit 2047
config web-proxy fast-fallback 2053
config web-proxy forward-server-group 2054
config web-proxy forward-server 2056
config web-proxy global 2058
config web-proxy profile 2062
config web-proxy url-match 2066
config web-proxy wisp 2067
webfilter 2069
config webfilter content-header 2069
config webfilter content 2070
config webfilter fortiguard 2072
config webfilter ftgd-local-cat 2074
config webfilter ftgd-local-rating 2075
config webfilter ips-urlfilter-cache-setting 2076
config webfilter ips-urlfilter-setting 2076
config webfilter ips-urlfilter-setting6 2077
config webfilter override 2077

FortiOS 7.4.4 CLI Reference 14

Fortinet Inc.
config webfilter profile 2079
config webfilter search-engine 2096
config webfilter urlfilter 2097
wireless-controller 2101
config wireless-controller access-control-list 2102
config wireless-controller ap-status 2104
config wireless-controller apcfg-profile 2105
config wireless-controller arrp-profile 2107
config wireless-controller ble-profile 2110
config wireless-controller bonjour-profile 2113
config wireless-controller global 2114
config wireless-controller hotspot20 anqp-3gpp-cellular 2119
config wireless-controller hotspot20 anqp-ip-address-type 2120
config wireless-controller hotspot20 anqp-nai-realm 2121
config wireless-controller hotspot20 anqp-network-auth-type 2125
config wireless-controller hotspot20 anqp-roaming-consortium 2125
config wireless-controller hotspot20 anqp-venue-name 2126
config wireless-controller hotspot20 anqp-venue-url 2127
config wireless-controller hotspot20 h2qp-advice-of-charge 2128
config wireless-controller hotspot20 h2qp-conn-capability 2129
config wireless-controller hotspot20 h2qp-operator-name 2132
config wireless-controller hotspot20 h2qp-osu-provider-nai 2133
config wireless-controller hotspot20 h2qp-osu-provider 2134
config wireless-controller hotspot20 h2qp-terms-and-conditions 2135
config wireless-controller hotspot20 h2qp-wan-metric 2136
config wireless-controller hotspot20 hs-profile 2137
config wireless-controller hotspot20 icon 2145
config wireless-controller hotspot20 qos-map 2146
config wireless-controller inter-controller 2148
config wireless-controller log 2150
config wireless-controller mpsk-profile 2155
config wireless-controller nac-profile 2158
config wireless-controller qos-profile 2159
config wireless-controller region 2162
config wireless-controller setting 2163
config wireless-controller snmp 2173
config wireless-controller ssid-policy 2177
config wireless-controller syslog-profile 2177
config wireless-controller timers 2179
config wireless-controller vap-group 2181
config wireless-controller vap 2182
config wireless-controller wag-profile 2213
config wireless-controller wids-profile 2214
config wireless-controller wtp-group 2222
config wireless-controller wtp-profile 2224
config wireless-controller wtp 2305

FortiOS 7.4.4 CLI Reference 15

Fortinet Inc.
Change Log

Date Change Description

2024-05-15 Initial release of the FortiOS 7.4.4 CLI Reference.

FortiOS 7.4.4 CLI Reference 16

Fortinet Inc.
FortiOS CLI reference

This document describes FortiOS 7.4.4 CLI commands used to configure and manage a FortiGate unit from the
command line interface (CLI). For information on using the CLI, see the FortiOS 7.4.4 Administration Guide, which
contains information such as:
l Connecting to the CLI
l CLI basics
l Command syntax
l Subcommands
l Permissions

Availability of commands and options

Some FortiOS CLI commands and options are not available on all FortiGate units. The CLI displays an error message if
you attempt to enter a command or option that is not available. You can use the question mark ‘?’ to verify the commands
and options that are available.
Commands and options may not be available for the following reasons:

FortiGate model

All commands are not available on all FortiGate models. For example, a hardware switch can be configured only on
models which have the corresponding hardware switch chipset.

Hardware configuration

For example, settings like mediatype would only be available on units with SFPs.

FortiOS Carrier, FortiGate 5K/6K/7K, FortiGate with LTE, etc.

Commands for extended functionality are not available on all FortiGate models. The CLI Reference may not include all
commands.

Command tree

Enter tree to display the entire FortiOS CLI command tree. To capture the full output, connect to your device using a
terminal emulation program, such as PuTTY, and capture the output to a log file.
l To view all available commands, enter tree.
l To view a specific configuration branch of a tree, enter tree <branch>, for example: tree system.

FortiOS 7.4.4 CLI Reference 17

Fortinet Inc.
FortiOS CLI reference

l To view all available diagnose commands, enter tree diagnose.

l To view all available execute commands, enter tree execute.

FortiOS 7.4.4 CLI Reference 18

Fortinet Inc.
CLI configuration commands

Use configuration commands to configure and manage a FortiGate unit from the command line interface (CLI).
The CLI syntax is created by processing the schema from FortiGate models running FortiOS 7.4.4 and reformatting the
resultant CLI output. If you have comments on this content, its format, or requests for commands that are not included,
contact us at [email protected].

FortiOS 7.4.4 CLI Reference 19

Fortinet Inc.
alertemail

This section includes syntax for the following commands:

l config alertemail setting on page 20

config alertemail setting

Configure alert email settings.

config alertemail setting
Description: Configure alert email settings.
set FDS-license-expiring-warning [enable|disable]
set FDS-update-logs [enable|disable]
set FIPS-CC-errors [enable|disable]
set FSSO-disconnect-logs [enable|disable]
set HA-logs [enable|disable]
set IPS-logs [enable|disable]
set IPsec-errors-logs [enable|disable]
set PPP-errors-logs [enable|disable]
set admin-login-logs [enable|disable]
set alert-interval {integer}
set amc-interface-bypass-mode [enable|disable]
set antivirus-logs [enable|disable]
set configuration-changes-logs [enable|disable]
set critical-interval {integer}
set debug-interval {integer}
set email-interval {integer}
set emergency-interval {integer}
set error-interval {integer}
set filter-mode [category|threshold]
set firewall-authentication-failure-logs [enable|disable]
set fortiguard-log-quota-warning [enable|disable]
set information-interval {integer}
set local-disk-usage {integer}
set log-disk-usage-warning [enable|disable]
set mailto1 {string}
set mailto2 {string}
set mailto3 {string}
set notification-interval {integer}
set severity [emergency|alert|...]
set ssh-logs [enable|disable]
set sslvpn-authentication-errors-logs [enable|disable]
set username {string}
set violation-traffic-logs [enable|disable]
set warning-interval {integer}
set webfilter-logs [enable|disable]
end

FortiOS 7.4.4 CLI Reference 20

Fortinet Inc.
config alertemail setting

Parameter Description Type Size Default

FDS-license- Enable/disable FortiGuard license expiration option - disable

expiring-warning warnings in alert email.

Option Description

enable Enable FortiGuard license expiration warnings in alert email.

disable Disable FortiGuard license expiration warnings in alert email.

FDS-update-logs Enable/disable FortiGuard update logs in alert email. option - disable

Option Description

enable Enable FortiGuard update logs in alert email.

disable Disable FortiGuard update logs in alert email.

FIPS-CC-errors Enable/disable FIPS and Common Criteria error logs option - disable
in alert email.

Option Description

enable Enable FIPS and Common Criteria error logs in alert email.

disable Disable FIPS and Common Criteria error logs in alert email.

disable Disable IPS logs in alert email.

IPsec-errors-logs Enable/disable IPsec error logs in alert email. option - disable

FortiOS 7.4.4 CLI Reference 21

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable IPsec error logs in alert email.

disable Disable IPsec error logs in alert email.

PPP-errors-logs Enable/disable PPP error logs in alert email. option - disable

Option Description

enable Enable PPP error logs in alert email.

disable Disable PPP error logs in alert email.

admin-login-logs Enable/disable administrator login/logout logs in alert option - disable

email.

Option Description

enable Enable administrator login/logout logs in alert email.

disable Disable administrator login/logout logs in alert email.

alert-interval Alert alert interval in minutes. integer Minimum 2

value: 1
Maximum
value:
99999

amc-interface- Enable/disable Fortinet Advanced Mezzanine Card option - disable

bypass-mode (AMC) interface bypass mode logs in alert email.

Option Description

enable Enable Fortinet Advanced Mezzanine Card (AMC) interface bypass mode
logs in alert email.

disable Disable Fortinet Advanced Mezzanine Card (AMC) interface bypass mode
logs in alert email.

antivirus-logs Enable/disable antivirus logs in alert email. option - disable

Option Description

enable Enable antivirus logs in alert email.

disable Disable antivirus logs in alert email.

configuration- Enable/disable configuration change logs in alert option - disable

changes-logs email.

FortiOS 7.4.4 CLI Reference 22

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable configuration change logs in alert email.

disable Disable configuration change logs in alert email.

FortiOS 7.4.4 CLI Reference 23

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable firewall authentication failure logs in alert email.

disable Disable firewall authentication failure logs in alert email.

fortiguard-log- Enable/disable FortiCloud log quota warnings in alert option - disable

quota-warning email.

Option Description

enable Enable FortiCloud log quota warnings in alert email.

disable Disable FortiCloud log quota warnings in alert email.

information- Information alert interval in minutes. integer Minimum 30

interval value: 1
Maximum
value:
99999

local-disk-usage Disk usage percentage at which to send alert email. integer Minimum 75
value: 1
Maximum
value: 99

log-disk-usage- Enable/disable disk usage warnings in alert email. option - disable

warning

Option Description

enable Enable disk usage warnings in alert email.

disable Disable disk usage warnings in alert email.

mailto1 Email address to send alert email to (usually a string Maximum

system administrator) (max. 63 characters). length: 63

mailto2 Optional second email address to send alert email to string Maximum
(max. 63 characters). length: 63

mailto3 Optional third email address to send alert email to string Maximum
(max. 63 characters). length: 63

notification- Notification alert interval in minutes. integer Minimum 20

interval value: 1
Maximum
value:
99999

severity Lowest severity level to log. option - alert

FortiOS 7.4.4 CLI Reference 24

Fortinet Inc.
Parameter Description Type Size Default

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

ssh-logs Enable/disable SSH logs in alert email. option - disable

Option Description

enable Enable SSH logs in alert email.

disable Disable SSH logs in alert email.

sslvpn- Enable/disable SSL-VPN authentication error logs in option - disable

authentication- alert email.
errors-logs

Option Description

enable Enable SSL-VPN authentication error logs in alert email.

disable Disable SSL-VPN authentication error logs in alert email.

username Name that appears in the From: field of alert emails string Maximum
(max. 63 characters). length: 63

violation-traffic- Enable/disable violation traffic logs in alert email. option - disable

logs

Option Description

enable Enable violation traffic logs in alert email.

disable Disable violation traffic logs in alert email.

warning-interval Warning alert interval in minutes. integer Minimum 10

value: 1
Maximum
value:
99999

FortiOS 7.4.4 CLI Reference 25

Fortinet Inc.
Parameter Description Type Size Default

webfilter-logs Enable/disable web filter logs in alert email. option - disable

Option Description

enable Enable web filter logs in alert email.

disable Disable web filter logs in alert email.

FortiOS 7.4.4 CLI Reference 26

Fortinet Inc.
antivirus

This section includes syntax for the following commands:

l config antivirus exempt-list on page 27
l config antivirus profile on page 28
l config antivirus quarantine on page 58
l config antivirus settings on page 62

config antivirus exempt-list

Configure a list of hashes to be exempt from AV scanning.

config antivirus exempt-list
Description: Configure a list of hashes to be exempt from AV scanning.
edit <name>
set comment {var-string}
set hash {string}
set hash-type [md5|sha1|...]
set status [disable|enable]
next
end

config antivirus exempt-list

Parameter Description Type Size Default

comment Comment. var-string Maximum

length: 255

hash Hash value to be matched. string Maximum

length: 64

hash-type Hash type. option - sha1

Option Description

md5 MD5 hash value (32 characters in length).

sha1 SHA1 hash value (40 characters in length).

sha256 SHA256 hash value (64 characters in length).

name Table entry name. string Maximum

length: 35

status Enable/disable table entry. option - enable

FortiOS 7.4.4 CLI Reference 27

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable AV exempt-list table entry.

enable Enable AV exempt-list table entry.

config antivirus profile

Configure AntiVirus profiles.

config antivirus profile
Description: Configure AntiVirus profiles.
edit <name>
set analytics-accept-filetype {integer}
set analytics-db [disable|enable]
set analytics-ignore-filetype {integer}
set av-virus-log [enable|disable]
config cifs
Description: Configure CIFS AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]
set fortisandbox [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
end
set comment {var-string}
config content-disarm
Description: AV Content Disarm and Reconstruction settings.
set original-file-destination [fortisandbox|quarantine|...]
set error-action [block|log-only|...]
set office-macro [disable|enable]
set office-hylink [disable|enable]
set office-linked [disable|enable]
set office-embed [disable|enable]
set office-dde [disable|enable]
set office-action [disable|enable]
set pdf-javacode [disable|enable]
set pdf-embedfile [disable|enable]
set pdf-hyperlink [disable|enable]
set pdf-act-gotor [disable|enable]
set pdf-act-launch [disable|enable]
set pdf-act-sound [disable|enable]
set pdf-act-movie [disable|enable]
set pdf-act-java [disable|enable]
set pdf-act-form [disable|enable]
set cover-page [disable|enable]
set detect-only [disable|enable]
end

FortiOS 7.4.4 CLI Reference 28

Fortinet Inc.
set ems-threat-feed [disable|enable]
set extended-log [enable|disable]
set external-blocklist <name1>, <name2>, ...
set external-blocklist-enable-all [disable|enable]
set feature-set [flow|proxy]
set fortindr-error-action [log-only|block|...]
set fortindr-timeout-action [log-only|block|...]
set fortisandbox-error-action [log-only|block|...]
set fortisandbox-max-upload {integer}
set fortisandbox-mode [inline|analytics-suspicious|...]
set fortisandbox-timeout-action [log-only|block|...]
config ftp
Description: Configure FTP AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]
set fortisandbox [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
end
config http
Description: Configure HTTP AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]
set fortisandbox [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
set content-disarm [disable|enable]
end
config imap
Description: Configure IMAP AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]
set fortisandbox [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
set executables [default|virus]
set content-disarm [disable|enable]
end
config mapi
Description: Configure MAPI AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]

FortiOS 7.4.4 CLI Reference 29

Fortinet Inc.
set fortisandbox [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
set executables [default|virus]
end
set mobile-malware-db [disable|enable]
config nac-quar
Description: Configure AntiVirus quarantine settings.
set infected [none|quar-src-ip]
set expiry {user}
set log [enable|disable]
end
config nntp
Description: Configure NNTP AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]
set fortisandbox [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
end
set outbreak-prevention-archive-scan [disable|enable]
config pop3
Description: Configure POP3 AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]
set fortisandbox [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
set executables [default|virus]
set content-disarm [disable|enable]
end
set replacemsg-group {string}
set scan-mode [default|legacy]
config smtp
Description: Configure SMTP AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]
set fortisandbox [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
set executables [default|virus]
set content-disarm [disable|enable]

FortiOS 7.4.4 CLI Reference 30

Fortinet Inc.
end
config ssh
Description: Configure SFTP and SCP AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]
set fortisandbox [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
end
next
end

config antivirus profile

Parameter Description Type Size Default

analytics- Only submit files matching this DLP file-pattern to integer Minimum 0
accept-filetype FortiSandbox (post-transfer scan only). value: 0
Maximum
value:
4294967295

analytics-db Enable/disable using the FortiSandbox signature option - disable

database to supplement the AV signature
databases.

Option Description

disable Use only the standard AV signature databases.

enable Also use the FortiSandbox signature database.

analytics- Do not submit files matching this DLP file-pattern to integer Minimum 0
ignore-filetype FortiSandbox (post-transfer scan only). value: 0
Maximum
value:
4294967295

av-virus-log Enable/disable AntiVirus logging. option - enable

Option Description

enable Enable setting.

disable Disable setting.

comment Comment. var-string Maximum

length: 255

FortiOS 7.4.4 CLI Reference 31

Fortinet Inc.
Parameter Description Type Size Default

ems-threat- Enable/disable use of EMS threat feed when option - disable

feed performing AntiVirus scan. Analyzes files including
the content of archives.

Option Description

disable Disable use of EMS threat feed when performing AntiVirus scan.

enable Enable use of EMS threat feed when performing AntiVirus scan.

extended-log Enable/disable extended logging for antivirus. option - disable

Option Description

enable Enable setting.

disable Disable setting.

external- One or more external malware block lists. string Maximum

blocklist External blocklist. length: 79
<name>

external- Enable/disable all external blocklists. option - disable

blocklist-
enable-all

Option Description

disable Use configured external blocklists.

enable Enable all external blocklists.

feature-set Flow/proxy feature set. option - flow

Option Description

flow Flow feature set.

proxy Proxy feature set.

fortindr-error- Action to take if FortiNDR encounters an error. option - log-only

action

Option Description

log-only Log FortiNDR error, but allow the file.

block Block the file on FortiNDR error.

ignore Do nothing on FortiNDR error.

fortindr- Action to take if FortiNDR encounters a scan option - log-only

timeout-action timeout.

FortiOS 7.4.4 CLI Reference 32

Fortinet Inc.
Parameter Description Type Size Default

Option Description

log-only Log FortiNDR scan timeout, but allow the file.

block Block the file on FortiNDR scan timeout.

ignore Do nothing on FortiNDR scan timeout.

fortisandbox- Action to take if FortiSandbox inline scan option - log-only

error-action encounters an error.

Option Description

log-only Log FortiSandbox inline scan error, but allow the file.

block Block the file on FortiSandbox inline scan error.

ignore Do nothing on FortiSandbox inline scan error.

fortisandbox- Maximum size of files that can be uploaded to integer Minimum 10

max-upload FortiSandbox in Mbytes. value: 1
Maximum
value: 1606 **

fortisandbox- FortiSandbox scan modes. option - analytics-

mode everything

Option Description

inline FortiSandbox inline scan.

analytics- FortiSandbox post-transfer scan: submit supported files if heuristics or other

suspicious methods determine they are suspicious.

analytics- FortiSandbox post-transfer scan: submit supported files and known infected
everything files.

fortisandbox- Action to take if FortiSandbox inline scan option - log-only

scan-mode Configure scan mode. option - default

Option Description

default On the fly decompression and scanning of certain archive files.

legacy Scan archive files only after the entire file is received.

** Values may differ between models.

config cifs

Parameter Description Type Size Default

av-scan Enable AntiVirus scan service. option - disable

Option Description

disable Disable.

block Block the virus infected files.

monitor Log the virus infected files.

outbreak- Enable virus outbreak prevention service. option - disable

prevention

Option Description

disable Disable.

FortiOS 7.4.4 CLI Reference 34

Fortinet Inc.
Parameter Description Type Size Default

Option Description

block Block the matched files.

encrypted Block encrypted archives.

corrupted Block corrupted archives.

partiallycorrupted Block partially corrupted archives.

FortiOS 7.4.4 CLI Reference 35

Fortinet Inc.
Parameter Description Type Size Default

Option Description

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

archive-log Select the archive types to log. option -

Option Description

encrypted Log encrypted archives.

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

emulator Enable/disable the virus emulator. option - enable

Option Description

enable Enable the virus emulator.

disable Disable the virus emulator.

config content-disarm

Parameter Description Type Size Default

original-file- Destination to send original file if active content is option - discard

destination removed.

Option Description

fortisandbox Send original file to configured FortiSandbox.

quarantine Send original file to quarantine.

discard Original file will be discarded after content disarm.

FortiOS 7.4.4 CLI Reference 36

Fortinet Inc.
Parameter Description Type Size Default

error-action Action to be taken if CDR engine encounters an option - log-only

unrecoverable error.

Option Description

block Block file on CDR error.

log-only Log CDR error, but allow file.

ignore Do nothing on CDR error.

office-macro Enable/disable stripping of macros in Microsoft Office option - enable

documents.

Option Description

disable Disable this Content Disarm and Reconstruction feature.

enable Enable this Content Disarm and Reconstruction feature.

office-hylink Enable/disable stripping of hyperlinks in Microsoft Office option - enable

documents.

Option Description

disable Disable this Content Disarm and Reconstruction feature.

enable Enable this Content Disarm and Reconstruction feature.

office-linked Enable/disable stripping of linked objects in Microsoft option - enable

Office documents.

Option Description

disable Disable this Content Disarm and Reconstruction feature.

enable Enable this Content Disarm and Reconstruction feature.

office-embed Enable/disable stripping of embedded objects in option - enable

Microsoft Office documents.

Option Description

disable Disable this Content Disarm and Reconstruction feature.

enable Enable this Content Disarm and Reconstruction feature.

office-dde Enable/disable stripping of Dynamic Data Exchange option - enable

events in Microsoft Office documents.

FortiOS 7.4.4 CLI Reference 37

enable Enable this Content Disarm and Reconstruction feature.

cover-page Enable/disable inserting a cover page into the disarmed option - enable
document.

Option Description

disable Disable this Content Disarm and Reconstruction feature.

enable Enable this Content Disarm and Reconstruction feature.

detect-only Enable/disable only detect disarmable files, do not alter option - disable
content.

FortiOS 7.4.4 CLI Reference 39

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable this Content Disarm and Reconstruction feature.

enable Enable this Content Disarm and Reconstruction feature.

config ftp

Parameter Description Type Size Default

av-scan Enable AntiVirus scan service. option - disable

disable Disable quarantine for infected files.

enable Enable quarantine for infected files.

archive-block Select the archive types to block. option -

Option Description

encrypted Block encrypted archives.

corrupted Block corrupted archives.

partiallycorrupted Block partially corrupted archives.

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

archive-log Select the archive types to log. option -

Option Description

encrypted Log encrypted archives.

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

emulator Enable/disable the virus emulator. option - enable

FortiOS 7.4.4 CLI Reference 41

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable the virus emulator.

disable Disable the virus emulator.

config http

Parameter Description Type Size Default

av-scan Enable AntiVirus scan service. option - disable

disable Disable quarantine for infected files.

enable Enable quarantine for infected files.

archive-block Select the archive types to block. option -

Option Description

encrypted Block encrypted archives.

corrupted Block corrupted archives.

partiallycorrupted Block partially corrupted archives.

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

archive-log Select the archive types to log. option -

Option Description

encrypted Log encrypted archives.

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

emulator Enable/disable the virus emulator. option - enable

FortiOS 7.4.4 CLI Reference 43

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable the virus emulator.

disable Disable the virus emulator.

content- Enable/disable Content Disarm and Reconstruction option - disable

disarm when performing AntiVirus scan.

Option Description

disable Disable Content Disarm and Reconstruction when performing AntiVirus scan.

enable Enable Content Disarm and Reconstruction when performing AntiVirus scan.

config imap

quarantine Enable/disable quarantine for infected files. option - disable

Option Description

disable Disable quarantine for infected files.

enable Enable quarantine for infected files.

archive-block Select the archive types to block. option -

Option Description

encrypted Block encrypted archives.

corrupted Block corrupted archives.

partiallycorrupted Block partially corrupted archives.

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

archive-log Select the archive types to log. option -

Option Description

encrypted Log encrypted archives.

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

FortiOS 7.4.4 CLI Reference 45

Fortinet Inc.
Parameter Description Type Size Default

Option Description

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

emulator Enable/disable the virus emulator. option - enable

Option Description

enable Enable the virus emulator.

disable Disable the virus emulator.

executables Treat Windows executable files as viruses for the option - default
purpose of blocking or monitoring.

Option Description

default Perform standard AntiVirus scanning of Windows executable files.

virus Treat Windows executables as viruses.

content- Enable/disable Content Disarm and Reconstruction option - disable

disarm when performing AntiVirus scan.

Option Description

disable Disable Content Disarm and Reconstruction when performing AntiVirus scan.

enable Enable Content Disarm and Reconstruction when performing AntiVirus scan.

config mapi

Parameter Description Type Size Default

av-scan Enable AntiVirus scan service. option - disable

Option Description

disable Disable.

block Block the virus infected files.

monitor Log the virus infected files.

FortiOS 7.4.4 CLI Reference 46

Fortinet Inc.
Parameter Description Type Size Default

outbreak- Enable virus outbreak prevention service. option - disable

prevention

Option Description

disable Disable.

block Block the matched files.

block Block the FortiSandbox detected infections.

monitor Log the FortiSandbox detected infections.

quarantine Enable/disable quarantine for infected files. option - disable

Option Description

disable Disable quarantine for infected files.

enable Enable quarantine for infected files.

archive-block Select the archive types to block. option -

FortiOS 7.4.4 CLI Reference 47

Fortinet Inc.
Parameter Description Type Size Default

Option Description

encrypted Block encrypted archives.

corrupted Block corrupted archives.

partiallycorrupted Block partially corrupted archives.

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

archive-log Select the archive types to log. option -

Option Description

encrypted Log encrypted archives.

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

emulator Enable/disable the virus emulator. option - enable

Option Description

enable Enable the virus emulator.

disable Disable the virus emulator.

executables Treat Windows executable files as viruses for the option - default
purpose of blocking or monitoring.

Option Description

default Perform standard AntiVirus scanning of Windows executable files.

virus Treat Windows executables as viruses.

FortiOS 7.4.4 CLI Reference 48

Fortinet Inc.
config nac-quar

Parameter Description Type Size Default

infected Enable/Disable quarantining infected hosts to the option - none

banned user list.

Option Description

none Do not quarantine infected hosts.

quar-src-ip Quarantine all traffic from the infected hosts source IP.

expiry Duration of quarantine. user Not 5m

Specified

log Enable/disable AntiVirus quarantine logging. option - disable

Option Description

enable Enable AntiVirus quarantine logging.

disable Disable AntiVirus quarantine logging.

config nntp

Parameter Description Type Size Default

av-scan Enable AntiVirus scan service. option - disable

Option Description

disable Disable.

block Block the virus infected files.

monitor Log the virus infected files.

outbreak- Enable virus outbreak prevention service. option - disable

prevention

Option Description

disable Disable.

block Block the matched files.

monitor Log the matched files.

external- Enable external-blocklist. Analyzes files including the option - disable

blocklist content of archives.

FortiOS 7.4.4 CLI Reference 49

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable.

block Block the matched files.

monitor Log the matched files.

fortindr Enable scanning of files by FortiNDR. option - disable

Option Description

disable Disable.

block Block the FortiNDR detected infections.

encrypted Block encrypted archives.

corrupted Block corrupted archives.

partiallycorrupted Block partially corrupted archives.

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

FortiOS 7.4.4 CLI Reference 50

Fortinet Inc.
Parameter Description Type Size Default

archive-log Select the archive types to log. option -

Option Description

encrypted Log encrypted archives.

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

emulator Enable/disable the virus emulator. option - enable

Option Description

enable Enable the virus emulator.

disable Disable the virus emulator.

config pop3

Parameter Description Type Size Default

av-scan Enable AntiVirus scan service. option - disable

Option Description

disable Disable.

block Block the virus infected files.

monitor Log the virus infected files.

outbreak- Enable virus outbreak prevention service. option - disable

prevention

Option Description

disable Disable.

block Block the matched files.

monitor Log the matched files.

external- Enable external-blocklist. Analyzes files including the option - disable

blocklist content of archives.

FortiOS 7.4.4 CLI Reference 51

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable.

block Block the matched files.

monitor Log the matched files.

fortindr Enable scanning of files by FortiNDR. option - disable

Option Description

disable Disable.

block Block the FortiNDR detected infections.

encrypted Block encrypted archives.

corrupted Block corrupted archives.

partiallycorrupted Block partially corrupted archives.

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

FortiOS 7.4.4 CLI Reference 52

Fortinet Inc.
Parameter Description Type Size Default

archive-log Select the archive types to log. option -

Option Description

encrypted Log encrypted archives.

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

emulator Enable/disable the virus emulator. option - enable

Option Description

enable Enable the virus emulator.

disable Disable the virus emulator.

executables Treat Windows executable files as viruses for the option - default
purpose of blocking or monitoring.

Option Description

default Perform standard AntiVirus scanning of Windows executable files.

virus Treat Windows executables as viruses.

content- Enable/disable Content Disarm and Reconstruction option - disable

disarm when performing AntiVirus scan.

block Block the FortiSandbox detected infections.

monitor Log the FortiSandbox detected infections.

quarantine Enable/disable quarantine for infected files. option - disable

FortiOS 7.4.4 CLI Reference 54

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable quarantine for infected files.

enable Enable quarantine for infected files.

archive-block Select the archive types to block. option -

Option Description

encrypted Block encrypted archives.

corrupted Block corrupted archives.

partiallycorrupted Block partially corrupted archives.

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

archive-log Select the archive types to log. option -

Option Description

encrypted Log encrypted archives.

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

emulator Enable/disable the virus emulator. option - enable

Option Description

enable Enable the virus emulator.

disable Disable the virus emulator.

executables Treat Windows executable files as viruses for the option - default
purpose of blocking or monitoring.

FortiOS 7.4.4 CLI Reference 55

Fortinet Inc.
Parameter Description Type Size Default

Option Description

default Perform standard AntiVirus scanning of Windows executable files.

virus Treat Windows executables as viruses.

content- Enable/disable Content Disarm and Reconstruction option - disable

disarm when performing AntiVirus scan.

Option Description

disable Disable Content Disarm and Reconstruction when performing AntiVirus scan.

enable Enable Content Disarm and Reconstruction when performing AntiVirus scan.

config ssh

quarantine Enable/disable quarantine for infected files. option - disable

Option Description

disable Disable quarantine for infected files.

enable Enable quarantine for infected files.

archive-block Select the archive types to block. option -

Option Description

encrypted Block encrypted archives.

corrupted Block corrupted archives.

partiallycorrupted Block partially corrupted archives.

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

archive-log Select the archive types to log. option -

Option Description

encrypted Log encrypted archives.

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

FortiOS 7.4.4 CLI Reference 57

Fortinet Inc.
Parameter Description Type Size Default

Option Description

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

emulator Enable/disable the virus emulator. option - enable

Option Description

enable Enable the virus emulator.

disable Disable the virus emulator.

config antivirus quarantine

Configure quarantine options.

config antivirus quarantine
Description: Configure quarantine options.
set agelimit {integer}
set destination [NULL|disk|...]
set drop-infected {option1}, {option2}, ...
set drop-machine-learning {option1}, {option2}, ...
set lowspace [drop-new|ovrw-old]
set maxfilesize {integer}
set quarantine-quota {integer}
set store-infected {option1}, {option2}, ...
set store-machine-learning {option1}, {option2}, ...
end

config antivirus quarantine

Parameter Description Type Size Default

agelimit Age limit for quarantined files. integer Minimum 0

value: 0
Maximum
value: 479

destination Choose whether to quarantine files to the FortiGate option - disk **

disk or to FortiAnalyzer or to delete them instead of
quarantining them.

FortiOS 7.4.4 CLI Reference 58

Fortinet Inc.
Parameter Description Type Size Default

Option Description

NULL Files that would be quarantined are deleted.

disk Quarantine files to the FortiGate hard disk.

FortiAnalyzer FortiAnalyzer

drop-infected Do not quarantine infected files found in sessions option -

using the selected protocols. Dropped files are deleted
instead of being quarantined.

Option Description

imap IMAP.

smtp SMTP.

pop3 POP3.

http HTTP.

ftp FTP.

nntp NNTP.

imaps IMAPS.

smtps SMTPS.

pop3s POP3S.

https HTTPS.

ftps FTPS.

mapi MAPI.

cifs CIFS.

ssh SSH.

drop- Do not quarantine files detected by machine learning option -

machine- found in sessions using the selected protocols.
learning Dropped files are deleted instead of being
quarantined.

Option Description

imap IMAP.

smtp SMTP.

pop3 POP3.

FortiOS 7.4.4 CLI Reference 59

Fortinet Inc.
Parameter Description Type Size Default

Option Description

http HTTP.

ftp FTP.

nntp NNTP.

imaps IMAPS.

smtps SMTPS.

pop3s POP3S.

https HTTPS.

ftps FTPS.

mapi MAPI.

cifs CIFS.

ssh SSH.

lowspace Select the method for handling additional files when option - ovrw-old
running low on disk space.

Option Description

drop-new Drop (delete) the most recently quarantined files.

ovrw-old Overwrite the oldest quarantined files. That is, the files that are closest to
being deleted from the quarantine.

maxfilesize Maximum file size to quarantine. integer Minimum 0

value: 0
Maximum
value: 500

quarantine- The amount of disk space to reserve for quarantining integer Minimum 0
quota files. value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 60

Fortinet Inc.
Parameter Description Type Size Default

store-infected Quarantine infected files found in sessions using the option - imap smtp
selected protocols. pop3 http
ftp nntp
imaps
smtps
pop3s
https ftps
mapi cifs
ssh

Option Description

imap IMAP.

smtp SMTP.

pop3 POP3.

http HTTP.

ftp FTP.

nntp NNTP.

imaps IMAPS.

smtps SMTPS.

pop3s POP3S.

https HTTPS.

ftps FTPS.

mapi MAPI.

cifs CIFS.

ssh SSH.

store- Quarantine files detected by machine learning found in option - imap smtp
machine- sessions using the selected protocols. pop3 http
learning ftp nntp
imaps
smtps
pop3s
https ftps
mapi cifs
ssh

Option Description

imap IMAP.

FortiOS 7.4.4 CLI Reference 61

Fortinet Inc.
Parameter Description Type Size Default

Option Description

smtp SMTP.

pop3 POP3.

http HTTP.

ftp FTP.

nntp NNTP.

imaps IMAPS.

smtps SMTPS.

pop3s POP3S.

https HTTPS.

ftps FTPS.

mapi MAPI.

cifs CIFS.

ssh SSH.

** Values may differ between models.

config antivirus settings

Configure AntiVirus settings.

config antivirus settings
Description: Configure AntiVirus settings.
set cache-infected-result [enable|disable]
set grayware [enable|disable]
set machine-learning-detection [enable|monitor|...]
set override-timeout {integer}
set use-extreme-db [enable|disable]
end

config antivirus settings

Parameter Description Type Size Default

cache- Enable/disable cache of infected scan results. option - enable

infected-result

FortiOS 7.4.4 CLI Reference 62

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable cache of infected scan results.

disable Disable cache of infected scan results.

grayware Enable/disable grayware detection when an AntiVirus option - disable

profile is applied to traffic.

Option Description

enable Enable grayware detection.

disable Disable grayware detection.

machine- Use machine learning based malware detection. option - enable

learning-
detection

Option Description

enable Enable machine learning based malware detection.

monitor Enable machine learning based malware detection for monitoring only.

disable Disable machine learning based malware detection.

override- Override the large file scan timeout value in seconds. integer Minimum 0
timeout Zero is the default value and is used to disable this value: 30
command. When disabled, the daemon adjusts the Maximum
large file scan timeout based on the file size. value: 3600

use-extreme- Enable/disable the use of Extreme AVDB. option - disable

Option Description

enable Enable extreme AVDB.

disable Disable extreme AVDB.

FortiOS 7.4.4 CLI Reference 63

Fortinet Inc.
application

This section includes syntax for the following commands:

l config application custom on page 64
l config application group on page 65
l config application list on page 66
l config application name on page 75
l config application rule-settings on page 77

config application custom

Configure custom application signatures.

config application custom
Description: Configure custom application signatures.
edit <tag>
set behavior {user}
set category {integer}
set comment {string}
set id {integer}
set protocol {user}
set signature {var-string}
set technology {user}
set vendor {user}
next
end

config application custom

Parameter Description Type Size Default

behavior Custom application signature behavior. user Not Specified

category Custom application category ID (use ? to view integer Minimum 0

available options). value: 0
Maximum
value:
4294967295

comment Comment. string Maximum

length: 63

FortiOS 7.4.4 CLI Reference 64

Fortinet Inc.
Parameter Description Type Size Default

id Custom application category ID (use ? to view integer Minimum 0

available options). value: 0
Maximum
value:
4294967295

protocol Custom application signature protocol. user Not Specified

signature The text that makes up the actual custom application var-string Maximum
signature. length: 4095

tag Signature tag. string Maximum

length: 63

technology Custom application signature technology. user Not Specified

vendor Custom application signature vendor. user Not Specified

config application group

Configure firewall application groups.

config application group
Description: Configure firewall application groups.
edit <name>
set application <id1>, <id2>, ...
set behavior {user}
set category <id1>, <id2>, ...
set comment {var-string}
set popularity {option1}, {option2}, ...
set protocols {user}
set risk <level1>, <level2>, ...
set technology {user}
set type [application|filter]
set vendor {user}
next
end

config application group

Parameter Description Type Size Default

application Application ID list. integer Minimum

<id> Application IDs. value: 0
Maximum
value:
4294967295

behavior Application behavior filter. user Not Specified all

FortiOS 7.4.4 CLI Reference 65

Fortinet Inc.
Parameter Description Type Size Default

category Application category ID list. integer Minimum

<id> Category IDs. value: 0
Maximum
value:
4294967295

comment Comments. var-string Maximum

length: 255

name Application group name. string Maximum

length: 63

popularity Application popularity filter. option - 12345

Option Description

1 Popularity level 1.

2 Popularity level 2.

3 Popularity level 3.

4 Popularity level 4.

5 Popularity level 5.

protocols Application protocol filter. user Not Specified all

risk <level> Risk, or impact, of allowing traffic from this integer Minimum
application to occur (1 - 5; Low, Elevated, Medium, value: 0
High, and Critical). Maximum
Risk, or impact, of allowing traffic from this value:
application to occur (1 - 5; Low, Elevated, Medium, 4294967295
High, and Critical).

technology Application technology filter. user Not Specified all

type Application group type. option - application

Option Description

application Application ID.

filter Application filter.

vendor Application vendor filter. user Not Specified all

config application list

Configure application control lists.

config application list
Description: Configure application control lists.
edit <name>

FortiOS 7.4.4 CLI Reference 66

Fortinet Inc.
set app-replacemsg [disable|enable]
set comment {var-string}
set control-default-network-services [disable|enable]
set deep-app-inspection [disable|enable]
config default-network-services
Description: Default network service entries.
edit <id>
set port {integer}
set services {option1}, {option2}, ...
set violation-action [pass|monitor|...]
next
end
set enforce-default-app-port [disable|enable]
config entries
Description: Application list entries.
edit <id>
set risk <level1>, <level2>, ...
set category <id1>, <id2>, ...
set application <id1>, <id2>, ...
set protocols {user}
set vendor {user}
set technology {user}
set behavior {user}
set popularity {option1}, {option2}, ...
set exclusion <id1>, <id2>, ...
config parameters
Description: Application parameters.
edit <id>
config members
Description: Parameter tuple members.
edit <id>
set name {string}
set value {string}
next
end
next
end
set action [pass|block|...]
set log [disable|enable]
set log-packet [disable|enable]
set rate-count {integer}
set rate-duration {integer}
set rate-mode [periodical|continuous]
set rate-track [none|src-ip|...]
set session-ttl {integer}
set shaper {string}
set shaper-reverse {string}
set per-ip-shaper {string}
set quarantine [none|attacker]
set quarantine-expiry {user}
set quarantine-log [disable|enable]
next
end
set extended-log [enable|disable]
set force-inclusion-ssl-di-sigs [disable|enable]
set options {option1}, {option2}, ...

FortiOS 7.4.4 CLI Reference 67

Fortinet Inc.
set other-application-action [pass|block]
set other-application-log [disable|enable]
set p2p-block-list {option1}, {option2}, ...
set replacemsg-group {string}
set unknown-application-action [pass|block]
set unknown-application-log [disable|enable]
next
end

config application list

Parameter Description Type Size Default

app- Enable/disable replacement messages for blocked option - enable

replacemsg applications.

Option Description

disable Disable replacement messages for blocked applications.

enable Enable replacement messages for blocked applications.

disable Disable default application port enforcement.

enable Enable default application port enforcement.

FortiOS 7.4.4 CLI Reference 68

Fortinet Inc.
Parameter Description Type Size Default

extended-log Enable/disable extended logging. option - disable

Option Description

enable Enable setting.

disable Disable setting.

force- Enable/disable forced inclusion of SSL deep inspection option - disable

inclusion-ssl- signatures.
di-sigs

Option Description

disable Disable forced inclusion of signatures which normally require SSL deep
inspection.

enable Enable forced inclusion of signatures which normally require SSL deep
inspection.

name List name. string Maximum

length: 35

options Basic application protocol signatures allowed by option - allow-dns

default.

Option Description

allow-dns Allow DNS.

allow-icmp Allow ICMP.

allow-http Allow generic HTTP web browsing.

allow-ssl Allow generic SSL communication.

other- Action for other applications. option - pass

application-
action

Option Description

pass Allow sessions matching an application in this application list.

block Block sessions matching an application in this application list.

Option Description

disable Disable logging for unknown applications.

enable Enable logging for unknown applications.

config default-network-services

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

port Port number. integer Minimum 0

value: 0
Maximum
value: 65535

services Network protocols. option -

FortiOS 7.4.4 CLI Reference 70

Fortinet Inc.
Parameter Description Type Size Default

Option Description

http HTTP.

ssh SSH.

telnet TELNET.

ftp FTP.

dns DNS.

smtp SMTP.

pop3 POP3.

imap IMAP.

snmp SNMP.

nntp NNTP.

https HTTPS.

violation- Action for protocols not in the allowlist for selected option - block
action port.

Option Description

pass Allow protocols not in the allowlist for selected port.

monitor Monitor protocols not in the allowlist for selected port.

block Block protocols not in the allowlist for selected port.

config entries

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 71

Fortinet Inc.
Parameter Description Type Size Default

category Category ID list. integer Minimum

<id> Application category ID. value: 0
Maximum
value:
4294967295

application ID of allowed applications. integer Minimum

<id> Application IDs. value: 0
Maximum
value:
4294967295

protocols Application protocol filter. user Not Specified all

vendor Application vendor filter. user Not Specified all

technology Application technology filter. user Not Specified all

behavior Application behavior filter. user Not Specified all

popularity Application popularity filter. option - 12345

Option Description

1 Popularity level 1.

2 Popularity level 2.

3 Popularity level 3.

4 Popularity level 4.

5 Popularity level 5.

exclusion ID of excluded applications. integer Minimum

<id> Excluded application IDs. value: 0
Maximum
value:
4294967295

action Pass or block traffic, or reset connection for traffic option - block
from this application.

Option Description

pass Pass or allow matching traffic.

block Block or drop matching traffic.

reset Reset sessions for matching traffic.

log Enable/disable logging for this application list. option - enable

FortiOS 7.4.4 CLI Reference 72

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable logging.

enable Enable logging.

log-packet Enable/disable packet logging. option - disable

Option Description

disable Disable packet logging.

enable Enable packet logging.

rate-count Count of the rate. integer Minimum 0

value: 0
Maximum
value: 65535

rate-duration Duration (sec) of the rate. integer Minimum 60

value: 1
Maximum
value: 65535

rate-mode Rate limit mode. option - continuous

Option Description

periodical Allow configured number of packets every rate-duration.

continuous Block packets once the rate is reached.

rate-track Track the packet protocol field. option - none

Option Description

none none

src-ip Source IP.

dest-ip Destination IP.

dhcp-client-mac DHCP client.

dns-domain DNS domain.

session-ttl Session TTL. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 73

Fortinet Inc.
Parameter Description Type Size Default

shaper Traffic shaper. string Maximum

length: 35

shaper- Reverse traffic shaper. string Maximum

reverse length: 35

per-ip-shaper Per-IP traffic shaper. string Maximum

length: 35

quarantine Quarantine method. option - none

Option Description

none Quarantine is disabled.

attacker Block all traffic sent from attacker's IP address. The attacker's IP address is
also added to the banned user list. The target's address is not affected.

quarantine- Duration of quarantine.. Requires quarantine set to user Not Specified 5m

expiry attacker.

quarantine- Enable/disable quarantine logging. option - enable

log

Option Description

disable Disable quarantine logging.

enable Enable quarantine logging.

config parameters

Parameter Description Type Size Default

id Parameter tuple ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

config members

Parameter Description Type Size Default

id Parameter. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 74

Fortinet Inc.
Parameter Description Type Size Default

name Parameter name. string Maximum

length: 31

value Parameter value. string Maximum

length: 199

config application name

Configure application signatures.

config application name
Description: Configure application signatures.
edit <name>
set behavior {user}
set category {integer}
set id {integer}
config metadata
Description: Meta data.
edit <id>
set metaid {integer}
set valueid {integer}
next
end
config parameters
Description: Application parameters.
edit <name>
set default value {string}
next
end
set popularity {integer}
set protocol {user}
set risk {integer}
set technology {user}
set vendor {user}
set weight {integer}
next
end

config application name

Parameter Description Type Size Default

behavior Application behavior. user Not Specified

category Application category ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 75

Fortinet Inc.
Parameter Description Type Size Default

id Application ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Application name. string Maximum

length: 63

popularity Application popularity. integer Minimum 0

value: 0
Maximum
value: 255

protocol Application protocol. user Not Specified

risk Application risk. integer Minimum 0

value: 0
Maximum
value: 255

technology Application technology. user Not Specified

vendor Application vendor. user Not Specified

weight Application weight. integer Minimum 0

value: 0
Maximum
value: 255

config metadata

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

metaid Meta ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

valueid Value ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 76

Fortinet Inc.
config parameters

Parameter Description Type Size Default

name Parameter name. string Maximum

length: 31

default value Parameter default value. string Maximum

length: 199

config application rule-settings

Configure application rule settings.

config application rule-settings
Description: Configure application rule settings.
edit <id>
next
end

config application rule-settings

Parameter Description Type Size Default

id Rule ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 77

Fortinet Inc.
authentication

This section includes syntax for the following commands:

l config authentication rule on page 78
l config authentication scheme on page 80
l config authentication setting on page 83

config authentication rule

Configure Authentication Rules.

config authentication rule
Description: Configure Authentication Rules.
edit <name>
set active-auth-method {string}
set cert-auth-cookie [enable|disable]
set comments {var-string}
set cors-depth {integer}
set cors-stateful [enable|disable]
set dstaddr <name1>, <name2>, ...
set dstaddr6 <name1>, <name2>, ...
set ip-based [enable|disable]
set protocol [http|ftp|...]
set srcaddr <name1>, <name2>, ...
set srcaddr6 <name1>, <name2>, ...
set srcintf <name1>, <name2>, ...
set sso-auth-method {string}
set status [enable|disable]
set transaction-based [enable|disable]
set web-auth-cookie [enable|disable]
set web-portal [enable|disable]
next
end

config authentication rule

Parameter Description Type Size Default

active-auth- Select an active authentication method. string Maximum

method length: 35

cert-auth- Enable/disable to use device certificate as option - enable

cookie authentication cookie.

Option Description

enable Enable device certificate as authentication cookie.

FortiOS 7.4.4 CLI Reference 78

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable device certificate as authentication cookie.

comments Comment. var-string Maximum

length: 1023

cors-depth Depth to allow CORS access. integer Minimum 3

value: 1
Maximum
value: 8

cors-stateful Enable/disable allowance of CORS access. option - disable

Option Description

enable Enable allowance of CORS access

disable Disable allowance of CORS access

dstaddr Select an IPv4 destination address from available string Maximum

<name> options. Required for web proxy authentication. length: 79
Address name.

dstaddr6 Select an IPv6 destination address from available string Maximum

<name> options. Required for web proxy authentication. length: 79
Address name.

ip-based Enable/disable IP-based authentication. When enabled, option - enable

previously authenticated users from the same IP
address will be exempted.

Option Description

enable Enable IP-based authentication.

disable Disable IP-based authentication.

name Authentication rule name. string Maximum

length: 35

protocol Authentication is required for the selected protocol. option - http

Option Description

http HTTP traffic is matched and authentication is required.

ftp FTP traffic is matched and authentication is required.

socks SOCKS traffic is matched and authentication is required.

ssh SSH traffic is matched and authentication is required.

FortiOS 7.4.4 CLI Reference 79

Fortinet Inc.
Parameter Description Type Size Default

srcaddr Authentication is required for the selected IPv4 source string Maximum
<name> address. length: 79
Address name.

srcaddr6 Authentication is required for the selected IPv6 source string Maximum
<name> address. length: 79
Address name.

srcintf Incoming (ingress) interface. string Maximum

<name> Interface name. length: 79

sso-auth- Select a single-sign on (SSO) authentication method. string Maximum

method length: 35

status Enable/disable this authentication rule. option - enable

Option Description

enable Enable this authentication rule.

enable Enable web-portal.

disable Disable web-portal.

config authentication scheme

Configure Authentication Schemes.

FortiOS 7.4.4 CLI Reference 80

Fortinet Inc.
config authentication scheme
Description: Configure Authentication Schemes.
edit <name>
set domain-controller {string}
set fsso-agent-for-ntlm {string}
set fsso-guest [enable|disable]
set kerberos-keytab {string}
set method {option1}, {option2}, ...
set negotiate-ntlm [enable|disable]
set require-tfa [enable|disable]
set saml-server {string}
set saml-timeout {integer}
set ssh-ca {string}
set user-cert [enable|disable]
set user-database <name1>, <name2>, ...
next
end

config authentication scheme

Parameter Description Type Size Default

domain- Domain controller setting. string Maximum

controller length: 35

fsso-agent- FSSO agent to use for NTLM authentication. string Maximum

for-ntlm length: 35

fsso-guest Enable/disable user fsso-guest authentication. option - disable

Option Description

enable Enable user fsso-guest authentication.

disable Disable user fsso-guest authentication.

kerberos- Kerberos keytab setting. string Maximum

keytab length: 35

method Authentication methods. option -

saml-timeout SAML authentication timeout in seconds. integer Minimum 120

value: 30
Maximum
value: 1200

ssh-ca SSH CA name. string Maximum

length: 35

user-cert Enable/disable authentication with user certificate. option - disable

Option Description

enable Enable client certificate field authentication.

disable Disable client certificate field authentication.

user- Authentication server to contain user information; "local" string Maximum

database (default) or "123" (for LDAP). length: 79
<name> Authentication server name.

FortiOS 7.4.4 CLI Reference 82

Fortinet Inc.
config authentication setting

Configure authentication setting.

config authentication setting
Description: Configure authentication setting.
set active-auth-scheme {string}
set auth-https [enable|disable]
set captive-portal {string}
set captive-portal-ip {ipv4-address-any}
set captive-portal-ip6 {ipv6-address}
set captive-portal-port {integer}
set captive-portal-ssl-port {integer}
set captive-portal-type [fqdn|ip]
set captive-portal6 {string}
set cert-auth [enable|disable]
set cert-captive-portal {string}
set cert-captive-portal-ip {ipv4-address-any}
set cert-captive-portal-port {integer}
set cookie-max-age {integer}
set cookie-refresh-div {integer}
set dev-range <name1>, <name2>, ...
set ip-auth-cookie [enable|disable]
set persistent-cookie [enable|disable]
set sso-auth-scheme {string}
set update-time {user}
set user-cert-ca <name1>, <name2>, ...
end

config authentication setting

Parameter Description Type Size Default

active-auth- Active authentication method (scheme name). string Maximum

scheme length: 35

auth-https Enable/disable redirecting HTTP user authentication to option - enable

HTTPS.

Option Description

enable Enable setting.

disable Disable setting.

captive-portal Captive portal host name. string Maximum

length: 255

captive- Captive portal IP address. ipv4- Not 0.0.0.0

portal-ip address- Specified
any

captive- Captive portal IPv6 address. ipv6- Not ::

portal-ip6 address Specified

FortiOS 7.4.4 CLI Reference 83

Fortinet Inc.
Parameter Description Type Size Default

captive- Captive portal port number. integer Minimum 7830

portal-port value: 1
Maximum
value:
65535

captive- Captive portal SSL port number. integer Minimum 7831

portal-ssl-port value: 1
Maximum
value:
65535

captive- Captive portal type. option - fqdn

portal-type

Option Description

fqdn Use FQDN for captive portal.

ip Use an IP address for captive portal.

captive- IPv6 captive portal host name. string Maximum

portal6 length: 255

cert-auth Enable/disable redirecting certificate authentication to option - disable

HTTPS portal.

Option Description

enable Enable setting.

disable Disable setting.

cert-captive- Certificate captive portal host name. string Maximum

portal length: 255

cert-captive- Certificate captive portal IP address. ipv4- Not 0.0.0.0

portal-ip address- Specified
any

cert-captive- Certificate captive portal port number. integer Minimum 7832

portal-port value: 1
Maximum
value:
65535

cookie-max- Persistent web portal cookie maximum age in minutes. integer Minimum 480
age value: 30
Maximum
value:
10080

FortiOS 7.4.4 CLI Reference 84

Fortinet Inc.
Parameter Description Type Size Default

cookie- Refresh rate divider of persistent web portal cookie. integer Minimum 2
refresh-div Refresh value = cookie-max-age/cookie-refresh-div. value: 2
Maximum
value: 4

dev-range Address range for the IP based device query. string Maximum
<name> Address name. length: 79

ip-auth-cookie Enable/disable persistent cookie on IP based web portal option - disable

authentication.

Option Description

enable Enable persistent cookie for IP-based authentication.

disable Disable persistent cookie for IP-based authentication.

persistent- Enable/disable persistent cookie on web portal option - enable

cookie authentication.

Option Description

enable Enable persistent cookie.

disable Disable persistent cookie.

sso-auth- Single-Sign-On authentication method (scheme name). string Maximum

scheme length: 35

update-time Time of the last update. user Not

Specified

user-cert-ca CA certificate used for client certificate verification. string Maximum

<name> CA certificate list. length: 79

FortiOS 7.4.4 CLI Reference 85

Fortinet Inc.
automation

This section includes syntax for the following commands:

l config automation setting on page 86

config automation setting

Automation setting configuration.

config automation setting
Description: Automation setting configuration.
set fabric-sync [enable|disable]
set max-concurrent-stitches {integer}
end

config automation setting

Parameter Description Type Size Default

fabric-sync Enable/disable synchronization of automation settings option - enable

with security fabric.

Option Description

enable Synchronize automation setting with security fabric.

disable Do not synchronize automation setting with security fabric.

max- Maximum number of automation stitches that are integer Minimum 512 **
concurrent- allowed to run concurrently. value: 32
stitches Maximum
value: 1024
**

** Values may differ between models.

FortiOS 7.4.4 CLI Reference 86

Fortinet Inc.
casb

This section includes syntax for the following commands:

l config casb profile on page 87
l config casb saas-application on page 90
l config casb user-activity on page 91

config casb profile

Configure CASB profile.

config casb profile
Description: Configure CASB profile.
edit <name>
set comment {var-string}
config saas-application
Description: CASB profile SaaS application.
edit <name>
set status [enable|disable]
set safe-search [enable|disable]
set safe-search-control <name1>, <name2>, ...
set tenant-control [enable|disable]
set tenant-control-tenants <name1>, <name2>, ...
set domain-control [enable|disable]
set domain-control-domains <name1>, <name2>, ...
set log [enable|disable]
config access-rule
Description: CASB profile access rule.
edit <name>
set action [monitor|bypass|...]
set bypass {option1}, {option2}, ...
next
end
config custom-control
Description: CASB profile custom control.
edit <name>
config option
Description: CASB custom control option.
edit <name>
set user-input <value1>, <value2>, ...
next
end
next
end
next
end
next
end

FortiOS 7.4.4 CLI Reference 87

Fortinet Inc.
config casb profile

Parameter Description Type Size Default

comment Comment. var-string Maximum

length: 255

name CASB profile name. string Maximum

length: 35

config saas-application

Parameter Description Type Size Default

name CASB profile SaaS application name. string Maximum

length: 79

status Enable/disable setting. option - enable

Option Description

enable Enable setting.

disable Disable setting.

safe-search Enable/disable safe search. option - disable

Option Description

enable Enable setting.

disable Disable setting.

safe-search- CASB profile safe search control. string Maximum

control Safe search control name. length: 79
<name>

tenant-control Enable/disable tenant control. option - disable

Option Description

enable Enable setting.

disable Disable setting.

tenant- CASB profile tenant control tenants. string Maximum

control- Tenant control tenants name. length: 79
tenants
<name>

domain- Enable/disable domain control. option - disable

control

FortiOS 7.4.4 CLI Reference 88

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

domain- CASB profile domain control domains. string Maximum

control- Domain control domain name. length: 79
domains
<name>

log Enable/disable log settings. option - enable

Option Description

enable Enable log setting.

disable Disable log setting.

config access-rule

Parameter Description Type Size Default

name CASB access rule activity name. string Maximum

length: 79

action CASB access rule action. option - monitor

Option Description

monitor Log when log is enabled.

bypass Apply bypass options.

block Block the request.

bypass CASB bypass options. option -

Option Description

av Exempt from AV scanning.

dlp Exempt from data loss prevention (DLP).

web-filter Exempt from web filter.

file-filter Exempt from file filter.

video-filter Exempt from video filter.

FortiOS 7.4.4 CLI Reference 89

Fortinet Inc.
config custom-control

Parameter Description Type Size Default

name CASB custom control user activity name. string Maximum

length: 79

config option

Parameter Description Type Size Default

name CASB custom control option name. string Maximum

length: 79

user-input CASB custom control user input. string Maximum

<value> user input value. length: 79

config casb saas-application

Configure CASB SaaS application.

config casb saas-application
Description: Configure CASB SaaS application.
edit <name>
set casb-name {string}
set description {string}
set domains <domain1>, <domain2>, ...
set status [enable|disable]
set type [built-in|customized]
set uuid {string}
next
end

config casb saas-application

Parameter Description Type Size Default

casb-name SaaS application signature name. string Maximum

length: 79

description SaaS application description. string Maximum

length: 63

domains SaaS application domain list. string Maximum

<domain> Domain list separated by space. length: 127

name SaaS application name. string Maximum

length: 79

status Enable/disable setting. option - enable

FortiOS 7.4.4 CLI Reference 90

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

type SaaS application type. option - customized

Option Description

built-in Built-in SaaS application.

customized User customized SaaS appliciation.

uuid Universally Unique Identifier (UUID; automatically string Maximum

assigned but can be manually reset). length: 36

config casb user-activity

Configure CASB user activity.

config casb user-activity
Description: Configure CASB user activity.
edit <name>
set application {string}
set casb-name {string}
set category [activity-control|tenant-control|...]
config control-options
Description: CASB control options.
edit <name>
set status [enable|disable]
config operations
Description: CASB control option operations.
edit <name>
set target [header|path]
set action [append|prepend|...]
set direction {option}
set header-name {string}
set search-pattern [simple|substr|...]
set search-key {string}
set case-sensitive [enable|disable]
set value-from-input [enable|disable]
set values <value1>, <value2>, ...
next
end
next
end
set description {string}
config match
Description: CASB user activity match rules.
edit <id>
set strategy [and|or]
config rules

FortiOS 7.4.4 CLI Reference 91

Fortinet Inc.
Description: CASB user activity rules.
edit <id>
set type [domains|host|...]
set domains <domain1>, <domain2>, ...
set methods <method1>, <method2>, ...
set match-pattern [simple|substr|...]
set match-value {string}
set header-name {string}
set case-sensitive [enable|disable]
set negate [enable|disable]
next
end
next
end
set match-strategy [and|or]
set status [enable|disable]
set type [built-in|customized]
set uuid {string}
next
end

config casb user-activity

Parameter Description Type Size Default

application CASB SaaS application name. string Maximum

length: 79

casb-name CASB user activity signature name. string Maximum

length: 79

category CASB user activity category. option - activity-

control

Option Description

activity-control Activity control.

tenant-control Tenant control.

domain-control Domain control.

safe-search- Safe search control.

control

other User customized category.

description CASB user activity description. string Maximum

length: 63

match- CASB user activity match strategy. option - or

strategy

FortiOS 7.4.4 CLI Reference 92

Fortinet Inc.
Parameter Description Type Size Default

Option Description

and Match user activity using a logical AND operator.

or Match user activity using a logical OR operator.

name CASB user activity name. string Maximum

length: 79

status CASB user activity status. option - enable

Option Description

enable Enable setting.

disable Disable setting.

type CASB user activity type. option - customized

Option Description

built-in Built-in CASB user-activity.

customized User customized CASB user-activity.

uuid Universally Unique Identifier (UUID; automatically string Maximum

assigned but can be manually reset). length: 36

config control-options

Parameter Description Type Size Default

name CASB control option name. string Maximum

length: 79

status CASB control option status. option - enable

Option Description

enable Enable setting.

disable Disable setting.

config operations

Parameter Description Type Size Default

name CASB control option operation name. string Maximum

length: 79

target CASB operation target. option - header

FortiOS 7.4.4 CLI Reference 93

Fortinet Inc.
Parameter Description Type Size Default

Option Description

header Header.

path Path.

action CASB operation action. option - append

Option Description

append Append the values after the target.

prepend Prepend the values before the target.

replace Replace the target by the value.

new Create a new header regardless if existing header is found or not.

new-on-not- Create new header only if existing HTTP header is not found.
found

delete Delete the target.

direction CASB operation direction. option - request

Option Description

request Request.

header-name CASB operation header name to search. string Maximum

length: 255

search- CASB operation search pattern. option - simple

pattern

Option Description

simple Exact string match pattern.

substr Sub-string pattern.

regexp Regular expression pattern.

search-key CASB operation key to search. string Maximum

length: 1023

case- CASB operation search case sensitive. option - disable

sensitive

Option Description

enable Enable case sensitive search.

disable Disable case sensitive search.

FortiOS 7.4.4 CLI Reference 94

Fortinet Inc.
Parameter Description Type Size Default

value-from- Enable/disable value from user input. option - disable

input

Option Description

enable Enable value from input.

disable Disable value from input.

values CASB operation new values. string Maximum

<value> Operation value. length: 79

config match

Parameter Description Type Size Default

id CASB user activity match rules ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

strategy CASB user activity rules strategy. option - and

Option Description

and Match user activity using a logical AND operator.

or Match user activity using a logical OR operator.

config rules

Parameter Description Type Size Default

id CASB user activity rule ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

type CASB user activity rule type. option - host

Option Description

domains Domains.

host Host.

path Path.

FortiOS 7.4.4 CLI Reference 95

Fortinet Inc.
Parameter Description Type Size Default

Option Description

header HTTP header.

header-value HTTP header and value.

method HTTP method.

domains CASB user activity domain list. string Maximum

<domain> Domain list separated by space. length: 127

methods CASB user activity method list. string Maximum

<method> User activity method. length: 79

match-pattern CASB user activity rule match pattern. option - simple

Option Description

simple Exact string match pattern.

substr Sub-string pattern.

regexp Regular expression pattern.

match-value CASB user activity rule match value. string Maximum

length: 1023

header-name CASB user activity rule header name. string Maximum

length: 255

case- CASB user activity match case sensitive. option - disable

sensitive

Option Description

enable Enable value case sensitive match.

disable Disable value case sensitive match.

negate Enable/disable what the matching strategy must not option - disable
be.

Option Description

enable Matching strategy is negated.

disable Matching strategy is not negated.

FortiOS 7.4.4 CLI Reference 96

Fortinet Inc.
certificate

This section includes syntax for the following commands:

l config certificate ca on page 97
l config certificate crl on page 99
l config certificate local on page 100
l config certificate remote on page 105

config certificate ca

CA certificate.
config certificate ca
Description: CA certificate.
edit <name>
set auto-update-days {integer}
set auto-update-days-warning {integer}
set ca {user}
set ca-identifier {string}
set est-url {string}
set fabric-ca [disable|enable]
set obsolete [disable|enable]
set range [global|vdom]
set scep-url {string}
set source [factory|user|...]
set source-ip {ipv4-address}
set ssl-inspection-trusted [enable|disable]
next
end

config certificate ca

Parameter Description Type Size Default

auto-update- Number of days to wait before requesting an updated integer Minimum 0

days CA certificate. value: 0
Maximum
value:
4294967295

auto-update- Number of days before an expiry-warning message is integer Minimum 0

days-warning generated. value: 0
Maximum
value:
4294967295

ca CA certificate as a PEM file. user Not Specified

FortiOS 7.4.4 CLI Reference 97

Fortinet Inc.
Parameter Description Type Size Default

ca-identifier CA identifier of the SCEP server. string Maximum

length: 255

est-url URL of the EST server. string Maximum

length: 255

fabric-ca Enable/disable synchronization of CA across Security option - disable

Fabric.

Option Description

disable Disable synchronization of CA across Security Fabric.

enable Enable synchronization of CA across Security Fabric.

name Name. string Maximum

length: 79

obsolete Enable/disable this CA as obsoleted. option - disable

Option Description

disable Alive.

enable Obsolete.

range Either global or VDOM IP address range for the CA option - global
certificate.

Option Description

global Global range.

vdom VDOM IP address range.

scep-url URL of the SCEP server. string Maximum

length: 255

source CA certificate source type. option - user

Option Description

factory Factory installed certificate.

user User generated certificate.

bundle Bundle file certificate.

source-ip Source IP address for communications to the SCEP ipv4- Not Specified 0.0.0.0
server. address

ssl- Enable/disable this CA as a trusted CA for SSL option - enable

inspection- inspection.
trusted

FortiOS 7.4.4 CLI Reference 98

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Trusted CA for SSL inspection.

disable Untrusted CA for SSL inspection.

config certificate crl

Certificate Revocation List as a PEM file.

config certificate crl
Description: Certificate Revocation List as a PEM file.
edit <name>
set crl {user}
set http-url {string}
set ldap-password {password}
set ldap-server {string}
set ldap-username {string}
set range [global|vdom]
set scep-cert {string}
set scep-url {string}
set source [factory|user|...]
set source-ip {ipv4-address}
set update-interval {integer}
set update-vdom {string}
next
end

config certificate crl

Parameter Description Type Size Default

crl Certificate Revocation List as a PEM file. user Not Specified

http-url HTTP server URL for CRL auto-update. string Maximum

length: 255

ldap- LDAP server user password. password Not Specified

password

ldap-server LDAP server name for CRL auto-update. string Maximum

length: 35

ldap- LDAP server user name. string Maximum

username length: 63

name Name. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 99

Fortinet Inc.
Parameter Description Type Size Default

range Either global or VDOM IP address range for the option - global
certificate.

Option Description

global Global range.

vdom VDOM IP address range.

scep-cert Local certificate for SCEP communication for CRL string Maximum Fortinet_
auto-update. length: 35 CA_SSL

scep-url SCEP server URL for CRL auto-update. string Maximum

length: 255

source Certificate source type. option - user

Option Description

factory Factory installed certificate.

user User generated certificate.

bundle Bundle file certificate.

source-ip Source IP address for communications to a HTTP or ipv4- Not Specified 0.0.0.0
SCEP CA server. address

update- Time in seconds before the FortiGate checks for an integer Minimum 0
interval updated CRL. Set to 0 to update only when it expires. value: 0
Maximum
value:
4294967295

update-vdom VDOM for CRL update. string Maximum root

length: 31

config certificate local

Local keys and certificates.

config certificate local
Description: Local keys and certificates.
edit <name>
set acme-ca-url {string}
set acme-domain {string}
set acme-email {string}
set acme-renew-window {integer}
set acme-rsa-key-size {integer}
set auto-regenerate-days {integer}
set auto-regenerate-days-warning {integer}
set ca-identifier {string}
set certificate {user}

FortiOS 7.4.4 CLI Reference 100

Fortinet Inc.
set cmp-path {string}
set cmp-regeneration-method [keyupate|renewal]
set cmp-server {string}
set cmp-server-cert {string}
set comments {string}
set csr {user}
set enroll-protocol [none|scep|...]
set est-ca-id {string}
set est-client-cert {string}
set est-http-password {string}
set est-http-username {string}
set est-server {string}
set est-server-cert {string}
set est-srp-password {string}
set est-srp-username {string}
set ike-localid {string}
set ike-localid-type [asn1dn|fqdn]
set name-encoding [printable|utf8]
set password {password}
set private-key {user}
set private-key-retain [enable|disable]
set range [global|vdom]
set scep-password {password}
set scep-url {string}
set source [factory|user|...]
set source-ip {ipv4-address}
set state {user}
next
end

config certificate local

Parameter Description Type Size Default

acme-ca-url The URL for the ACME CA string Maximum https://acme-

server. length: 255 v02.api.letsencrypt.org/directory

acme-domain A valid domain that resolves string Maximum

to this FortiGate unit. length: 255

acme-email Contact email address that is string Maximum

required by some CAs like length: 255
LetsEncrypt.

acme-renew- Beginning of the renewal integer Minimum 30

window window. value: 1
Maximum
value: 100

acme-rsa-key- Length of the RSA private key integer Minimum 2048

size of the generated cert value: 2048
(Minimum 2048 bits). Maximum
value: 4096

FortiOS 7.4.4 CLI Reference 101

Fortinet Inc.
Parameter Description Type Size Default

auto- Number of days to wait integer Minimum 0

regenerate- before expiry of an updated value: 0
days local certificate is requested Maximum
(0 = disabled). value:
4294967295

auto- Number of days to wait integer Minimum 0

regenerate- before an expiry warning value: 0
days-warning message is generated (0 = Maximum
disabled). value:
4294967295

ca-identifier CA identifier of the CA server string Maximum

for signing via SCEP. length: 255

certificate PEM format certificate. user Not Specified

cmp-path Path location inside CMP string Maximum

server. length: 255

cmp- CMP auto-regeneration option - keyupate

regeneration- method.
method

Option Description

keyupate Key Update.

renewal Renewal.

cmp-server Address and port for CMP string Maximum

server (format = length: 63
address:port).

cmp-server- CMP server certificate. string Maximum

cert length: 79

comments Comment. string Maximum

length: 511

csr Certificate Signing Request. user Not Specified

enroll-protocol Certificate enrollment option - none

protocol.

Option Description

none None (default).

scep Simple Certificate Enrollment Protocol.

cmpv2 Certificate Management Protocol Version 2.

FortiOS 7.4.4 CLI Reference 102

Fortinet Inc.
Parameter Description Type Size Default

Option Description

acme2 Automated Certificate Management Environment Version 2.

est Enrollment over Secure Transport.

est-ca-id CA identifier of the CA server string Maximum

for signing via EST. length: 255

est-client-cert Certificate used to string Maximum

authenticate this FortiGate to length: 79
EST server.

est-http- HTTP Authentication string Maximum

password password for signing via EST. length: 63

est-http- HTTP Authentication string Maximum

username username for signing via length: 63
EST.

est-server Address and port for EST string Maximum

server (e.g. length: 255
https://example.com:1234).

est-server-cert EST server's certificate must string Maximum

be verifiable by this certificate length: 79
to be authenticated.

est-srp- EST SRP authentication string Maximum

password password. length: 63

est-srp- EST SRP authentication string Maximum

username username. length: 63

ike-localid Local ID the FortiGate uses string Maximum

for authentication as a VPN length: 63
client.

ike-localid-type IKE local ID type. option - asn1dn

Option Description

asn1dn ASN.1 distinguished name.

fqdn Fully qualified domain name.

name Name. string Maximum

length: 35

name-encoding Name encoding method for option - printable

auto-regeneration.

FortiOS 7.4.4 CLI Reference 103

Fortinet Inc.
Parameter Description Type Size Default

Option Description

printable Printable encoding (default).

utf8 UTF-8 encoding.

password Password as a PEM file. password Not Specified

private-key PEM format key encrypted user Not Specified

with a password.

private-key- Enable/disable retention of option - disable

retain private key during SCEP
renewal.

Option Description

enable Keep the existing private key during SCEP renewal.

disable Generate a new private key during SCEP renewal.

range Either a global or VDOM IP option - global

address range for the
certificate.

Option Description

global Global range.

vdom VDOM IP address range.

scep-password SCEP server challenge password Not Specified

password for auto-
regeneration.

scep-url SCEP server URL. string Maximum

length: 255

source Certificate source type. option - user

Option Description

factory Factory installed certificate.

user User generated certificate.

bundle Bundle file certificate.

source-ip Source IP address for ipv4- Not Specified 0.0.0.0

communications to the SCEP address
server.

state Certificate Signing Request user Not Specified

State.

FortiOS 7.4.4 CLI Reference 104

Fortinet Inc.
config certificate remote

Remote certificate as a PEM file.

config certificate remote
Description: Remote certificate as a PEM file.
edit <name>
set range [global|vdom]
set remote {user}
set source [factory|user|...]
next
end

config certificate remote

Parameter Description Type Size Default

name Name. string Maximum

length: 35

range Either the global or VDOM IP address range for the option - global
remote certificate.

Option Description

global Global range.

vdom VDOM IP address range.

remote Remote certificate. user Not

Specified

source Remote certificate source type. option - user

Option Description

factory Factory installed certificate.

user User generated certificate.

bundle Bundle file certificate.

FortiOS 7.4.4 CLI Reference 105

Fortinet Inc.
diameter-filter

This section includes syntax for the following commands:

l config diameter-filter profile on page 106

config diameter-filter profile

Configure Diameter filter profiles.

config diameter-filter profile
Description: Configure Diameter filter profiles.
edit <name>
set cmd-flags-reserve-set [allow|block|...]
set command-code-invalid [allow|block|...]
set command-code-range {user}
set comment {var-string}
set log-packet [disable|enable]
set message-length-invalid [allow|block|...]
set missing-request-action [allow|block|...]
set monitor-all-messages [disable|enable]
set protocol-version-invalid [allow|block|...]
set request-error-flag-set [allow|block|...]
set track-requests-answers [disable|enable]
next
end

config diameter-filter profile

Parameter Description Type Size Default

cmd-flags- Action to be taken for messages with cmd flag reserve option - block
reserve-set bits set.

Option Description

allow Allow or pass matching traffic.

block Block or drop matching traffic.

reset Reset sessions for matching traffic.

monitor Allow and log matching traffic.

command- Action to be taken for messages with invalid command option - block
code-invalid code.

FortiOS 7.4.4 CLI Reference 106

Fortinet Inc.
Parameter Description Type Size Default

Option Description

allow Allow or pass matching traffic.

block Block or drop matching traffic.

reset Reset sessions for matching traffic.

monitor Allow and log matching traffic.

command- Valid range for command codes. user Not

code-range Specified

comment Comment. var-string Maximum

length: 255

log-packet Enable/disable packet log for triggered diameter option - disable

settings.

Option Description

disable Disable.

enable Enable.

message- Action to be taken for invalid message length. option - block

length-invalid

Option Description

allow Allow or pass matching traffic.

block Block or drop matching traffic.

reset Reset sessions for matching traffic.

monitor Allow and log matching traffic.

missing- Action to be taken for answers without corresponding option - block

request- request.
action

Option Description

allow Allow or pass matching traffic.

block Block or drop matching traffic.

reset Reset sessions for matching traffic.

monitor Allow and log matching traffic.

monitor-all- Enable/disable logging for all User Name and Result option - disable
messages Code AVP messages.

FortiOS 7.4.4 CLI Reference 107

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable.

enable Enable.

name Profile name. string Maximum

length: 35

protocol- Action to be taken for invalid protocol version. option - block

version-
invalid

Option Description

allow Allow or pass matching traffic.

block Block or drop matching traffic.

reset Reset sessions for matching traffic.

monitor Allow and log matching traffic.

request-error- Action to be taken for request messages with error flag option - block
flag-set set.

Option Description

allow Allow or pass matching traffic.

block Block or drop matching traffic.

reset Reset sessions for matching traffic.

monitor Allow and log matching traffic.

track- Enable/disable validation that each answer has a option - enable

requests- corresponding request.
answers

Option Description

disable Disable.

enable Enable.

FortiOS 7.4.4 CLI Reference 108

Fortinet Inc.
dlp

This section includes syntax for the following commands:

l config dlp data-type on page 109
l config dlp dictionary on page 110
l config dlp exact-data-match on page 112
l config dlp filepattern on page 113
l config dlp fp-doc-source on page 117
l config dlp profile on page 120
l config dlp sensitivity on page 125
l config dlp sensor on page 126
l config dlp settings on page 128

config dlp data-type

Configure predefined data type used by DLP blocking.

config dlp data-type
Description: Configure predefined data type used by DLP blocking.
edit <name>
set comment {var-string}
set look-ahead {integer}
set look-back {integer}
set match-ahead {integer}
set match-around {string}
set match-back {integer}
set pattern {string}
set transform {string}
set verify {string}
set verify-transformed-pattern [enable|disable]
set verify2 {string}
next
end

config dlp data-type

Parameter Description Type Size Default

comment Optional comments. var-string Maximum

length: 255

FortiOS 7.4.4 CLI Reference 109

Fortinet Inc.
Parameter Description Type Size Default

look-ahead Number of characters to obtain in advance for integer Minimum 1

verification. value: 1
Maximum
value: 255

look-back Number of characters required to save for verification. integer Minimum 1

value: 1
Maximum
value: 255

match-ahead Number of characters behind for match-around. integer Minimum 1

value: 1
Maximum
value: 4096

match-around Dictionary to check whether it has a match around string Maximum

(Only support match-any and basic types, no repeat length: 35
supported).

match-back Number of characters in front for match-around. integer Minimum 1

value: 1
Maximum
value: 4096

name Name of table containing the data type. string Maximum

length: 35

pattern Regular expression pattern string without look around. string Maximum
length: 255

transform Template to transform user input to a pattern using string Maximum

capture group from 'pattern'. length: 255

verify Regular expression pattern string used to verify the string Maximum
data type. length: 255

verify- Enable/disable verification for transformed pattern. option - disable

transformed-
pattern

Option Description

enable Enable verification for transformed pattern.

disable Disable verification for transformed pattern.

verify2 Extra regular expression pattern string used to verify string Maximum
the data type. length: 255

config dlp dictionary

Configure dictionaries used by DLP blocking.

FortiOS 7.4.4 CLI Reference 110

Fortinet Inc.
config dlp dictionary
Description: Configure dictionaries used by DLP blocking.
edit <name>
set comment {var-string}
config entries
Description: DLP dictionary entries.
edit <id>
set type {string}
set pattern {string}
set ignore-case [enable|disable]
set repeat [enable|disable]
set status [enable|disable]
set comment {var-string}
next
end
set match-around [enable|disable]
set match-type [match-all|match-any]
set uuid {uuid}
next
end

config dlp dictionary

Parameter Description Type Size Default

comment Optional comments. var-string Maximum

length: 255

match-around Enable/disable match-around support. option - disable

Option Description

enable Enable match-around support.

disable Disable match-around support.

match-type Logical relation between entries. option - match-any

Option Description

match-all Match all entries.

match-any Match any entries.

name Name of table containing the dictionary. string Maximum

length: 35

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

FortiOS 7.4.4 CLI Reference 111

Fortinet Inc.
config entries

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

type Pattern type to match. string Maximum

length: 35

pattern Pattern to match. string Maximum

length: 255

ignore-case Enable/disable ignore case. option - disable

Option Description

enable Enable ignore case.

disable Disable ignore case.

repeat Enable/disable repeat match. option - disable

Option Description

enable Enable repeat match.

disable Disable repeat match.

status Enable/disable this pattern. option - enable

Option Description

enable Enable this pattern.

disable Disable this pattern.

comment Optional comments. var-string Maximum

length: 255

config dlp exact-data-match

Configure exact-data-match template used by DLP scan.

config dlp exact-data-match
Description: Configure exact-data-match template used by DLP scan.
edit <name>
config columns
Description: DLP exact-data-match column types.
edit <index>
set type {string}
set optional [enable|disable]

FortiOS 7.4.4 CLI Reference 112

Fortinet Inc.
next
end
set data {string}
set optional {integer}
next
end

config dlp exact-data-match

Parameter Description Type Size Default

data External resource for exact data match. string Maximum

length: 35

name Name of table containing the exact-data-match string Maximum

template. length: 35

optional Number of optional columns need to match. integer Minimum 0

value: 0
Maximum
value: 32

config columns

Parameter Description Type Size Default

index Column index. integer Minimum 0

value: 1
Maximum
value: 32

type Data-type for this column. string Maximum

length: 35

optional Enable/disable optional match. option - disable

Option Description

enable Enable optional match.

disable Disable optional match.

config dlp filepattern

Configure file patterns used by DLP blocking.

config dlp filepattern
Description: Configure file patterns used by DLP blocking.
edit <id>
set comment {var-string}
config entries
Description: Configure file patterns used by DLP blocking.

FortiOS 7.4.4 CLI Reference 113

Fortinet Inc.
edit <pattern>
set filter-type [pattern|type]
set file-type [7z|arj|...]
next
end
set name {string}
next
end

config dlp filepattern

Parameter Description Type Size Default

comment Optional comments. var-string Maximum

length: 255

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Name of table containing the file pattern list. string Maximum
length: 63

config entries

Parameter Description Type Size Default

filter-type Filter by file name pattern or by file type. option - pattern

Option Description

pattern Filter by file name pattern.

type Filter by file type.

pattern Add a file name pattern. string Maximum

length: 79

file-type Select a file type. option - unknown

Option Description

7z Match 7-zip files.

arj Match arj compressed files.

cab Match Windows cab files.

lzh Match lzh compressed files.

rar Match rar archives.

FortiOS 7.4.4 CLI Reference 114

Fortinet Inc.
Parameter Description Type Size Default

Option Description

tar Match tar files.

zip Match zip files.

bzip Match bzip files.

gzip Match gzip files.

bzip2 Match bzip2 files.

xz Match xz files.

bat Match Windows batch files.

uue Match uue files.

mime Match mime files.

base64 Match base64 files.

binhex Match binhex files.

elf Match elf files.

exe Match Windows executable files.

hta Match hta files.

html Match html files.

jad Match jad files.

class Match class files.

cod Match cod files.

javascript Match javascript files.

msoffice Match MS-Office files. For example, doc, xls, ppt, and so on.

msofficex Match MS-Office XML files. For example, docx, xlsx, pptx, and so on.

fsg Match fsg files.

upx Match upx files.

petite Match petite files.

aspack Match aspack files.

sis Match sis files.

hlp Match Windows help files.

activemime Match activemime files.

jpeg Match jpeg files.

FortiOS 7.4.4 CLI Reference 115

Fortinet Inc.
Parameter Description Type Size Default

Option Description

gif Match gif files.

tiff Match tiff files.

png Match png files.

bmp Match bmp files.

unknown Match unknown files.

mpeg Match mpeg files.

mov Match mov files.

mp3 Match mp3 files.

wma Match wma files.

wav Match wav files.

pdf Match Acrobat PDF files.

avi Match avi files.

rm Match rm files.

torrent Match torrent files.

hibun Match special-file-23-support files.

msi Match Windows Installer msi files.

mach-o Match Mach object files.

dmg Match Apple disk image files.

.net Match .NET files.

xar Match xar archive files.

chm Match Windows compiled HTML help files.

iso Match ISO archive files.

crx Match Chrome extension files.

flac Match flac files.

registry Match registry files.

hwp Match hwp files.

rpm Match rpm files.

c/cpp Match c/cpp files.

FortiOS 7.4.4 CLI Reference 116

Fortinet Inc.
config dlp fp-doc-source

This command is available for model(s): FortiGate 1000D, FortiGate 1001F, FortiGate 101F,
FortiGate 1101E, FortiGate 1801F, FortiGate 2000E, FortiGate 201E, FortiGate 201F,
FortiGate 2201E, FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000D,
FortiGate 3001F, FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3201F,
FortiGate 3301E, FortiGate 3401E, FortiGate 3501F, FortiGate 3601E, FortiGate 3700D,
FortiGate 3701F, FortiGate 401E, FortiGate 401F, FortiGate 40F 3G4G, FortiGate 40F,
FortiGate 4201F, FortiGate 4401F, FortiGate 5001E1, FortiGate 501E, FortiGate 601E,
FortiGate 601F, FortiGate 60F, FortiGate 61E, FortiGate 61F, FortiGate 70F, FortiGate 71F,
FortiGate 800D, FortiGate 80F Bypass, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-
POE, FortiGate 81F, FortiGate 900D, FortiGate 91E, FortiGate VM64, FortiGateRugged 60F
3G4G, FortiGateRugged 60F, FortiGateRugged 70F 3G4G, FortiGateRugged 70F, FortiWiFi
40F 3G4G, FortiWiFi 40F, FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R,
FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.
It is not available for: FortiGate 1000F, FortiGate 100F, FortiGate 1100E, FortiGate 140E-
POE, FortiGate 140E, FortiGate 1800F, FortiGate 200E, FortiGate 200F, FortiGate 2200E,
FortiGate 3000F, FortiGate 300E, FortiGate 3200F, FortiGate 3300E, FortiGate 3400E,
FortiGate 3500F, FortiGate 3600E, FortiGate 3700F, FortiGate 3960E, FortiGate 3980E,
FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 4200F, FortiGate 4400F,
FortiGate 5001E, FortiGate 500E, FortiGate 600E, FortiGate 600F, FortiGate 60E DSLJ,
FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 80E-POE, FortiGate 80E,
FortiGate 80F-POE, FortiGate 80F, FortiGate 90E, FortiWiFi 60E DSLJ, FortiWiFi 60E DSL,
FortiWiFi 60E.

Create a DLP fingerprint database by allowing the FortiGate to access a file server containing files from which to create
fingerprints.
config dlp fp-doc-source
Description: Create a DLP fingerprint database by allowing the FortiGate to access a
file server containing files from which to create fingerprints.
edit <name>
set date {integer}
set file-path {string}
set file-pattern {string}
set keep-modified [enable|disable]
set password {password}
set period [none|daily|...]
set remove-deleted [enable|disable]
set scan-on-creation [enable|disable]
set scan-subdirectories [enable|disable]
set sensitivity {string}
set server {string}
set server-type {option}
set tod-hour {integer}
set tod-min {integer}
set username {string}
set vdom [mgmt|current]
set weekday [sunday|monday|...]
next
end

FortiOS 7.4.4 CLI Reference 117

Fortinet Inc.
config dlp fp-doc-source

Parameter Description Type Size Default

date Day of the month on which to scan the server. integer Minimum 1
value: 1
Maximum
value: 31

file-path Path on the server to the fingerprint files (max 119 string Maximum
characters). length: 119

file-pattern Files matching this pattern on the server are string Maximum *
fingerprinted. Optionally use the * and ? wildcards. length: 35

keep-modified Enable so that when a file is changed on the server option - enable
the FortiGate keeps the old fingerprint and adds a
new fingerprint to the database.

Option Description

enable Keep the old fingerprint and add a new fingerprint when a file is changed on
the server.

disable Replace the old fingerprint with the new fingerprint when a file is changed on
the server.

name Name of the DLP fingerprint database. string Maximum

length: 35

password Password required to log into the file server. password Not
Specified

period Frequency for which the FortiGate checks the server option - none
for new or changed files.

Option Description

none Check the server when the FortiGate starts up.

daily Check the server once a day.

weekly Check the server once a week.

monthly Check the server once a month.

remove-deleted Enable to keep the fingerprint database up to date option - enable

when a file is deleted from the server.

Option Description

enable Keep the fingerprint database up to date when a file is deleted from the
server.

disable Do not check for deleted files on the server. Saves system resources.

FortiOS 7.4.4 CLI Reference 118

Fortinet Inc.
Parameter Description Type Size Default

scan-on- Enable to keep the fingerprint database up to date option - enable

creation when a file is added or changed on the server.

Option Description

enable Keep the fingerprint database up to date when a file is added or changed on
the server.

disable Do not check for added or changed files on the server. Saves system
resources.

scan- Enable/disable scanning subdirectories to find files to option - enable

subdirectories create fingerprints from.

Option Description

enable Scan subdirectories.

disable Do not scan subdirectories.

sensitivity Select a sensitivity or threat level for matches with string Maximum
this fingerprint database. Add sensitivities using length: 35
sensitivity.

server IPv4 or IPv6 address of the server. string Maximum

length: 35

server-type Protocol used to communicate with the file server. option - samba
Currently only Samba (SMB) servers are supported.

Option Description

samba SAMBA server.

tod-hour Hour of the day on which to scan the server. integer Minimum 1
value: 0
Maximum
value: 23

tod-min Minute of the hour on which to scan the server. integer Minimum 0
value: 0
Maximum
value: 59

username User name required to log into the file server. string Maximum
length: 35

vdom Select the VDOM that can communicate with the file option - mgmt
server.

FortiOS 7.4.4 CLI Reference 119

Fortinet Inc.
Parameter Description Type Size Default

Option Description

mgmt Communicate with the file server through the management VDOM.

current Communicate with the file server through the VDOM containing this DLP
fingerprint database configuration.

weekday Day of the week on which to scan the server. option - sunday

Option Description

sunday Sunday

monday Monday

tuesday Tuesday

wednesday Wednesday

thursday Thursday

friday Friday

saturday Saturday

config dlp profile

Configure DLP profiles.

config dlp profile
Description: Configure DLP profiles.
edit <name>
set comment {var-string}
set dlp-log [enable|disable]
set extended-log [enable|disable]
set feature-set [flow|proxy]
set full-archive-proto {option1}, {option2}, ...
set nac-quar-log [enable|disable]
set replacemsg-group {string}
config rule
Description: Set up DLP rules for this profile.
edit <id>
set name {string}
set severity [info|low|...]
set type [file|message]
set proto {option1}, {option2}, ...
set filter-by [sensor|mip|...]
set file-size {integer}
set sensitivity <name1>, <name2>, ...
set match-percentage {integer}
set file-type {integer}
set sensor <name1>, <name2>, ...
set label {string}
set archive [disable|enable]

FortiOS 7.4.4 CLI Reference 120

Fortinet Inc.
set action [allow|log-only|...]
set expiry {user}
next
end
set summary-proto {option1}, {option2}, ...
next
end

config dlp profile

Parameter Description Type Size Default

comment Comment. var-string Maximum

length: 255

dlp-log Enable/disable DLP logging. option - enable

Option Description

pop3 POP3.

imap IMAP.

http-get HTTP GET.

http-post HTTP POST.

FortiOS 7.4.4 CLI Reference 121

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ftp FTP.

nntp NNTP.

mapi MAPI.

ssh SFTP and SCP.

cifs CIFS.

nac-quar-log Enable/disable NAC quarantine logging. option - disable

Option Description

enable Enable NAC quarantine logging.

disable Disable NAC quarantine logging.

name Name of the DLP profile. string Maximum

length: 35

replacemsg- Replacement message group used by this DLP profile. string Maximum
group length: 35

summary- Protocols to always log summary. option -

proto

Option Description

smtp SMTP.

pop3 POP3.

imap IMAP.

http-get HTTP GET.

http-post HTTP POST.

ftp FTP.

nntp NNTP.

mapi MAPI.

ssh SFTP and SCP.

cifs CIFS.

FortiOS 7.4.4 CLI Reference 122

Fortinet Inc.
config rule

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Filter name. string Maximum

length: 35

severity Select the severity or threat level that matches this option - medium
filter.

Option Description

info Informational.

low Low.

medium Medium.

high High.

critical Critical.

type Select whether to check the content of messages (an option - file
email message) or files (downloaded files or email
attachments).

Option Description

file Check the contents of downloaded or attached files.

message Check the contents of email messages, web pages, etc.

proto Check messages or files over one or more of these option -

protocols.

Option Description

smtp SMTP.

pop3 POP3.

imap IMAP.

http-get HTTP GET.

http-post HTTP POST.

ftp FTP.

nntp NNTP.

FortiOS 7.4.4 CLI Reference 123

Fortinet Inc.
Parameter Description Type Size Default

Option Description

mapi MAPI.

ssh SFTP and SCP.

cifs CIFS.

filter-by Select the type of content to match. option - none

Option Description

sensor Use DLP sensors to match content.

mip Use MIP label dictionary to match content.

fingerprint Match against a fingerprint sensitivity.

encrypted Look for encrypted files.

none No content scan.

file-size Match files greater than or equal to this size (KB). integer Minimum 0
value: 0
Maximum
value:
1644544 **

sensitivity Select a DLP file pattern sensitivity to match. string Maximum

<name> * Select a DLP sensitivity. length: 35

match- Percentage of fingerprints in the fingerprint integer Minimum 10

percentage * databases designated with the selected sensitivity to value: 1
match. Maximum
value: 100

file-type Select the number of a DLP file pattern table to integer Minimum 0
match. value: 0
Maximum
value:
4294967295

sensor Select DLP sensors. string Maximum

<name> Address name. length: 35

label MIP label dictionary. string Maximum

length: 35

archive Enable/disable DLP archiving. option - disable

FortiOS 7.4.4 CLI Reference 124

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable No DLP archiving.

enable Enable full DLP archiving.

action Action to take with content that this DLP profile option - allow
matches.

Option Description

allow Allow the content to pass through the FortiGate and do not create a log
message.

log-only Allow the content to pass through the FortiGate, but write a log message.

block Block the content and write a log message.

quarantine-ip Quarantine all traffic from the IP address and write a log message.

expiry Quarantine duration in days, hours, minutes (format = user Not Specified 5m
dddhhmm).

* This parameter may not exist in some models.

** Values may differ between models.

config dlp sensitivity

FortiOS 7.4.4 CLI Reference 125

Fortinet Inc.
Create self-explanatory DLP sensitivity levels to be used when setting sensitivity under config fp-doc-source.
config dlp sensitivity
Description: Create self-explanatory DLP sensitivity levels to be used when setting
sensitivity under config fp-doc-source.
edit <name>
next
end

config dlp sensitivity

Parameter Description Type Size Default

name DLP Sensitivity Levels. string Maximum

length: 35

config dlp sensor

Configure sensors used by DLP blocking.

config dlp sensor
Description: Configure sensors used by DLP blocking.
edit <name>
set comment {var-string}
config entries
Description: DLP sensor entries.
edit <id>
set dictionary {string}
set count {integer}
set status [enable|disable]
next
end
set eval {string}
set match-type [match-all|match-any|...]
next
end

config dlp sensor

Parameter Description Type Size Default

comment Optional comments. var-string Maximum

length: 255

eval Expression to evaluate. string Maximum

length: 255

match-type Logical relation between entries. option - match-any

FortiOS 7.4.4 CLI Reference 126

Fortinet Inc.
Parameter Description Type Size Default

Option Description

match-all Match all entries.

match-any Match any entries.

match-eval Match an expression evaluation.

name Name of table containing the sensor. string Maximum

length: 35

config entries

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 1
Maximum
value: 32

dictionary Select a DLP dictionary or exact-data-match. string Maximum

length: 35

count Count of dictionary matches to trigger sensor entry integer Minimum 1

match. value: 1
Maximum
value: 255

status Enable/disable this entry. option - enable

Option Description

enable Enable this entry.

disable Disable this entry.

FortiOS 7.4.4 CLI Reference 127

Fortinet Inc.
config dlp settings

Designate logical storage for DLP fingerprint database.

config dlp settings
Description: Designate logical storage for DLP fingerprint database.
set cache-mem-percent {integer}
set chunk-size {integer}
set db-mode [stop-adding|remove-modified-then-oldest|...]
set size {integer}
set storage-device {string}
end

config dlp settings

Parameter Description Type Size Default

cache-mem- Maximum percentage of available memory allocated integer Minimum 2

percent to caching. value: 1
Maximum
value: 15

chunk-size Maximum fingerprint chunk size. Caution, changing integer Minimum 2800
this setting will flush the entire database. value: 100
Maximum
value: 100000

FortiOS 7.4.4 CLI Reference 128

Fortinet Inc.
Parameter Description Type Size Default

db-mode Behavior when the maximum size is reached. option - stop-adding

Option Description

stop-adding Stop adding entries.

remove- Remove modified chunks first, then oldest file entries.

modified-then-
oldest

remove-oldest Remove the oldest files first.

size Maximum total size of files within the storage (MB). integer Minimum 16
value: 16
Maximum
value:
4294967295

storage- Storage device name. string Maximum

device length: 35

FortiOS 7.4.4 CLI Reference 129

Fortinet Inc.
dnsfilter

This section includes syntax for the following commands:

l config dnsfilter domain-filter on page 130
l config dnsfilter profile on page 131

config dnsfilter domain-filter

Configure DNS domain filters.

config dnsfilter domain-filter
Description: Configure DNS domain filters.
edit <id>
set comment {var-string}
config entries
Description: DNS domain filter entries.
edit <id>
set domain {string}
set type [simple|regex|...]
set action [block|allow|...]
set status [enable|disable]
next
end
set name {string}
next
end

config dnsfilter domain-filter

Parameter Description Type Size Default

comment Optional comments. var-string Maximum

length: 255

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

enable Enable this domain filter.

disable Disable this domain filter.

config dnsfilter profile

Configure DNS domain filter profile.

config dnsfilter profile
Description: Configure DNS domain filter profile.
edit <name>
set block-action [block|redirect|...]
set block-botnet [disable|enable]
set comment {var-string}
config dns-translation
Description: DNS translation settings.
edit <id>
set addr-type [ipv4|ipv6]

FortiOS 7.4.4 CLI Reference 131

Fortinet Inc.
set src {ipv4-address}
set dst {ipv4-address}
set netmask {ipv4-netmask}
set status [enable|disable]
set src6 {ipv6-address}
set dst6 {ipv6-address}
set prefix {integer}
next
end
config domain-filter
Description: Domain filter settings.
set domain-filter-table {integer}
end
set external-ip-blocklist <name1>, <name2>, ...
config ftgd-dns
Description: FortiGuard DNS Filter settings.
set options {option1}, {option2}, ...
config filters
Description: FortiGuard DNS domain filters.
edit <id>
set category {integer}
set action [block|monitor]
set log [enable|disable]
next
end
end
set log-all-domain [enable|disable]
set redirect-portal {ipv4-address}
set redirect-portal6 {ipv6-address}
set safe-search [disable|enable]
set sdns-domain-log [enable|disable]
set sdns-ftgd-err-log [enable|disable]
set strip-ech [disable|enable]
set transparent-dns-database <name1>, <name2>, ...
set youtube-restrict [strict|moderate|...]
next
end

config dnsfilter profile

Parameter Description Type Size Default

block-action Action to take for blocked domains. option - redirect

Option Description

block Return NXDOMAIN for blocked domains.

redirect Redirect blocked domains to SDNS portal.

block-sevrfail Return SERVFAIL for blocked domains.

block-botnet Enable/disable blocking botnet C&C DNS lookups. option - disable

FortiOS 7.4.4 CLI Reference 132

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable blocking botnet C&C DNS lookups.

enable Enable blocking botnet C&C DNS lookups.

comment Comment. var-string Maximum

length: 255

external-ip- One or more external IP block lists. string Maximum

blocklist External domain block list name. length: 79
<name>

log-all-domain Enable/disable logging of all domains visited (detailed option - disable

DNS logging).

Option Description

enable Enable logging of all domains visited.

disable Disable logging of all domains visited.

name Profile name. string Maximum

length: 35

redirect-portal IPv4 address of the SDNS redirect portal. ipv4- Not 0.0.0.0
address Specified

redirect- IPv6 address of the SDNS redirect portal. ipv6- Not ::

portal6 address Specified

safe-search Enable/disable Google, Bing, YouTube, Qwant, option - disable

DuckDuckGo safe search.

Option Description

disable Disable Google, Bing, YouTube, Qwant, DuckDuckGo safe search.

enable Enable Google, Bing, YouTube, Qwant, DuckDuckGo safe search.

sdns-domain- Enable/disable domain filtering and botnet domain option - enable

log logging.

Option Description

enable Enable domain filtering and botnet domain logging.

disable Disable domain filtering and botnet domain logging.

sdns-ftgd-err- Enable/disable FortiGuard SDNS rating error logging. option - enable

log

FortiOS 7.4.4 CLI Reference 133

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable FortiGuard SDNS rating error logging.

disable Disable FortiGuard SDNS rating error logging.

strip-ech Enable/disable removal of the encrypted client hello option - enable

service parameter from supporting DNS RRs.

Option Description

disable Disable removal of the encrypted client hello service parameter from
supporting DNS RRs.

enable Enable removal of the encrypted client hello service parameter from
supporting DNS RRs.

transparent- Transparent DNS database zones. string Maximum

dns-database DNS database zone name. length: 79
<name>

youtube- Set safe search for YouTube restriction level. option - strict
restrict

Option Description

strict Enable strict safe seach for YouTube.

moderate Enable moderate safe search for YouTube.

none Disable safe search for YouTube.

config dns-translation

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

addr-type DNS translation type (IPv4 or IPv6). option - ipv4

Option Description

ipv4 IPv4 address type.

ipv6 IPv6 address type.

FortiOS 7.4.4 CLI Reference 134

Fortinet Inc.
Parameter Description Type Size Default

src IPv4 address or subnet on the internal ipv4- Not Specified 0.0.0.0
network to compare with the resolved address address
in DNS query replies. If the resolved address
matches, the resolved address is substituted
with dst.

dst IPv4 address or subnet on the external ipv4- Not Specified 0.0.0.0
network to substitute for the resolved address address
in DNS query replies. Can be single IP
address or subnet on the external network, but
number of addresses must equal number of
mapped IP addresses in src.

netmask If src and dst are subnets rather than single IP ipv4- Not Specified 255.255.255.255
addresses, enter the netmask for both src and netmask
dst.

status Enable/disable this DNS translation entry. option - enable

Option Description

enable Enable this DNS translation.

disable Disable this DNS translation.

src6 IPv6 address or subnet on the internal ipv6- Not Specified ::

network to compare with the resolved address address
in DNS query replies. If the resolved address
matches, the resolved address is substituted
with dst6.

dst6 IPv6 address or subnet on the external ipv6- Not Specified ::

network to substitute for the resolved address address
in DNS query replies. Can be single IP
address or subnet on the external network, but
number of addresses must equal number of
mapped IP addresses in src6.

prefix If src6 and dst6 are subnets rather than single integer Minimum 128
IP addresses, enter the prefix for both src6 value: 1
and dst6. Maximum
value: 128

FortiOS 7.4.4 CLI Reference 135

Fortinet Inc.
config domain-filter

Parameter Description Type Size Default

domain-filter- DNS domain filter table ID. integer Minimum 0

table value: 0
Maximum
value:
4294967295

config ftgd-dns

Parameter Description Type Size Default

options FortiGuard DNS filter options. option -

Option Description

error-allow Allow all domains when FortiGuard DNS servers fail.

ftgd-disable Disable FortiGuard DNS domain rating.

config filters

Parameter Description Type Size Default

id ID number. integer Minimum 0

value: 0
Maximum
value: 255

category Category number. integer Minimum 0

value: 0
Maximum
value: 255

action Action to take for DNS requests matching the category. option - monitor

Option Description

block Block DNS requests matching the category.

monitor Allow DNS requests matching the category and log the result.

log Enable/disable DNS filter logging for this DNS profile. option - enable

Option Description

enable Enable DNS filter logging.

disable Disable DNS filter logging.

FortiOS 7.4.4 CLI Reference 136

Fortinet Inc.
dpdk

This section includes syntax for the following commands:

l config dpdk cpus on page 137
l config dpdk global on page 138

config dpdk cpus

This command is available for model(s): FortiGate VM64.

It is not available for: FortiGate 1000D, FortiGate 1000F, FortiGate 1001F, FortiGate 100F,
FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 140E-POE, FortiGate 140E,
FortiGate 1800F, FortiGate 1801F, FortiGate 2000E, FortiGate 200E, FortiGate 200F,
FortiGate 201E, FortiGate 201F, FortiGate 2200E, FortiGate 2201E, FortiGate 2500E,
FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 3000F, FortiGate 3001F,
FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3200F,
FortiGate 3201F, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E,
FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E, FortiGate 3700D,
FortiGate 3700F, FortiGate 3701F, FortiGate 3960E, FortiGate 3980E, FortiGate 400E
Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E, FortiGate 401F, FortiGate 40F
3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F,
FortiGate 5001E1, FortiGate 5001E, FortiGate 500E, FortiGate 501E, FortiGate 600E,
FortiGate 600F, FortiGate 601E, FortiGate 601F, FortiGate 60E DSLJ, FortiGate 60E DSL,
FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E, FortiGate 61F, FortiGate
70F, FortiGate 71F, FortiGate 800D, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F
Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 81E-POE, FortiGate 81E, FortiGate
81F-POE, FortiGate 81F, FortiGate 900D, FortiGate 90E, FortiGate 91E, FortiGateRugged
60F 3G4G, FortiGateRugged 60F, FortiGateRugged 70F 3G4G, FortiGateRugged 70F,
FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSLJ, FortiWiFi 60E DSL, FortiWiFi 60E,
FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE,
FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.

Configure CPUs enabled to run engines in each DPDK stage.

config dpdk cpus
Description: Configure CPUs enabled to run engines in each DPDK stage.
set rx-cpus {string}
set vnp-cpus {string}
set vnpsp-cpus {string}
set ips-cpus {string}
set tx-cpus {string}
set isolated-cpus {string}
end

FortiOS 7.4.4 CLI Reference 137

Fortinet Inc.
config dpdk cpus

Parameter Description Type Size Default

rx-cpus CPUs enabled to run DPDK RX engines. string Maximum all

length: 1022

vnp-cpus CPUs enabled to run DPDK VNP engines. string Maximum all
length: 1022

vnpsp-cpus CPUs enabled to run DPDK VNP slow path. string Maximum all
length: 1022

ips-cpus CPUs enabled to run DPDK IPS engines. string Maximum all
length: 1022

tx-cpus CPUs enabled to run DPDK TX engines. string Maximum all

length: 1022

isolated-cpus CPUs isolated to run only the DPDK engines with the string Maximum none
exception of processes that have affinity explicitly set by length: 1022
either a user configuration or by their implementation.

config dpdk global

This command is available for model(s): FortiGate VM64.

Configure global DPDK options.

FortiOS 7.4.4 CLI Reference 138

Fortinet Inc.
config dpdk global
Description: Configure global DPDK options.
set status [disable|enable]
set interface <interface-name1>, <interface-name2>, ...
set multiqueue [disable|enable]
set sleep-on-idle [disable|enable]
set elasticbuffer [disable|enable]
set protects {string}
set per-session-accounting [disable|traffic-log-only|...]
set ipsec-offload [disable|enable]
set hugepage-percentage {integer}
set mbufpool-percentage {integer}
end

config dpdk global

Parameter Description Type Size Default

status Enable/disable DPDK operation for the entire option - disable

system.

Option Description

disable Disable DPDK operation.

enable Enable DPDK operation. *The minimum system requirements for DPDK is
2 vCPUs and 4GB memory.

interface Physical interfaces that enable DPDK. string Maximum

<interface- Physical interface name. length: 31
name>

multiqueue Enable/disable multi-queue RX/TX support for all option - disable

DPDK ports.

Option Description

disable Disable multi-queue RX/TX support for DPDK ports.

enable Enable multi-queue RX/TX support for DPDK ports.

sleep-on-idle Enable/disable sleep-on-idle support for all FDH option - disable

engines.

Option Description

disable Disable sleep-on-idle support for FDH engines.

enable Enable sleep-on-idle support for FDH engines.

elasticbuffer Enable/disable elasticbuffer support for all DPDK option - disable

ports.

FortiOS 7.4.4 CLI Reference 139

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable elasticbuffer support for DPDK ports.

enable Enable elasticbuffer support for DPDK ports.

protects Special arguments for device string Maximum

length: 2047

per-session- Enable/disable per-session accounting. option - traffic-log-

accounting only

Option Description

disable Disable per-session accounting.

traffic-log-only Enable per-session accounting only for VNP sessions with traffic logging
turned on in firewall policy.

enable Enable per-session accounting for all VNP sessions. *Affect performance.

ipsec-offload Enable/disable DPDK IPsec phase 2 offloading. option - disable

Option Description

disable Disable DPDK IPsec phase 2 offloading.

enable Enable DPDK IPsec phase 2 offloading.

hugepage- Percentage of main memory allocated to hugepages, integer Minimum 30

percentage which are available for DPDK operation. value: 15
Maximum
value: 50

mbufpool- Percentage of main memory allocated to DPDK integer Minimum 25

percentage packet buffer. value: 10
Maximum
value: 45

FortiOS 7.4.4 CLI Reference 140

Fortinet Inc.
emailfilter

This section includes syntax for the following commands:

l config emailfilter block-allow-list on page 141
l config emailfilter bword on page 143
l config emailfilter dnsbl on page 145
l config emailfilter fortishield on page 146
l config emailfilter iptrust on page 147
l config emailfilter mheader on page 148
l config emailfilter options on page 150
l config emailfilter profile on page 150

config emailfilter block-allow-list

Configure anti-spam block/allow list.

config emailfilter block-allow-list
Description: Configure anti-spam block/allow list.
edit <id>
set comment {var-string}
config entries
Description: Anti-spam block/allow entries.
edit <id>
set status [enable|disable]
set type [ip|email-to|...]
set action [reject|spam|...]
set addr-type [ipv4|ipv6]
set ip4-subnet {ipv4-classnet}
set ip6-subnet {ipv6-network}
set pattern-type [wildcard|regexp]
set pattern {string}
next
end
set name {string}
next
end

config emailfilter block-allow-list

Parameter Description Type Size Default

comment Optional comments. var-string Maximum

length: 255

FortiOS 7.4.4 CLI Reference 141

Fortinet Inc.
Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Name of table. string Maximum

length: 63

config entries

Parameter Description Type Size Default

status Enable/disable status. option - enable

Option Description

enable Enable status.

disable Disable status.

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

ip6-subnet IPv6 network address/subnet mask bits. ipv6- Not Specified ::/128
network

pattern-type Wildcard pattern or regular expression. option - wildcard

Option Description

wildcard Wildcard pattern.

regexp Perl regular expression.

pattern Pattern to match. string Maximum

length: 127

config emailfilter bword

Configure AntiSpam banned word list.

config emailfilter bword
Description: Configure AntiSpam banned word list.
edit <id>
set comment {var-string}
config entries
Description: Spam filter banned word.
edit <id>
set status [enable|disable]
set pattern {string}
set pattern-type [wildcard|regexp]
set action [spam|clear]
set where [subject|body|...]
set language [western|simch|...]
set score {integer}
next
end
set name {string}
next
end

FortiOS 7.4.4 CLI Reference 143

Fortinet Inc.
config emailfilter bword

Parameter Description Type Size Default

comment Optional comments. var-string Maximum

length: 255

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Name of table. string Maximum

length: 63

config entries

Parameter Description Type Size Default

status Enable/disable status. option - enable

Option Description

enable Enable status.

disable Disable status.

id Banned word entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

pattern Pattern for the banned word. string Maximum

length: 127

pattern-type Wildcard pattern or regular expression. option - wildcard

korean Korean.

french French.

thai Thai.

spanish Spanish.

score Score value. integer Minimum 10

value: 1
Maximum
value: 99999

config emailfilter dnsbl

Configure AntiSpam DNSBL/ORBL.

config emailfilter dnsbl
Description: Configure AntiSpam DNSBL/ORBL.
edit <id>
set comment {var-string}
config entries
Description: Spam filter DNSBL and ORBL server.
edit <id>
set status [enable|disable]
set server {string}
set action [reject|spam]
next
end
set name {string}
next
end

FortiOS 7.4.4 CLI Reference 145

Fortinet Inc.
config emailfilter dnsbl

Parameter Description Type Size Default

comment Optional comments. var-string Maximum

length: 255

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Name of table. string Maximum

length: 63

config entries

Parameter Description Type Size Default

status Enable/disable status. option - enable

Option Description

enable Enable status.

disable Disable status.

id DNSBL/ORBL entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

server DNSBL or ORBL server name. string Maximum

length: 127

action Reject connection or mark as spam email. option - spam

Option Description

reject Reject the connection.

spam Mark as spam email.

config emailfilter fortishield

Configure FortiGuard - AntiSpam.

config emailfilter fortishield
Description: Configure FortiGuard - AntiSpam.
set spam-submit-force [enable|disable]
set spam-submit-srv {string}

FortiOS 7.4.4 CLI Reference 146

Fortinet Inc.
set spam-submit-txt2htm [enable|disable]
end

config emailfilter fortishield

Parameter Description Type Size Default

spam-submit- Enable/disable force insertion of a new mime option - enable

force entity for the submission text.

Option Description

enable Enable setting.

disable Disable setting.

spam-submit- Hostname of the spam submission server. string Maximum www.nospammer.net

srv length: 63

spam-submit- Enable/disable conversion of text email to option - enable

txt2htm HTML email.

Option Description

enable Enable setting.

disable Disable setting.

config emailfilter iptrust

Configure AntiSpam IP trust.

config emailfilter iptrust
Description: Configure AntiSpam IP trust.
edit <id>
set comment {var-string}
config entries
Description: Spam filter trusted IP addresses.
edit <id>
set status [enable|disable]
set addr-type [ipv4|ipv6]
set ip4-subnet {ipv4-classnet}
set ip6-subnet {ipv6-network}
next
end
set name {string}
next
end

FortiOS 7.4.4 CLI Reference 147

Fortinet Inc.
config emailfilter iptrust

Parameter Description Type Size Default

comment Optional comments. var-string Maximum

length: 255

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Name of table. string Maximum

length: 63

config entries

Parameter Description Type Size Default

status Enable/disable status. option - enable

Option Description

enable Enable status.

disable Disable status.

id Trusted IP entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

addr-type Type of address. option - ipv4

Option Description

ipv4 IPv4 Address type.

ipv6 IPv6 Address type.

ip4-subnet IPv4 network address or network address/subnet ipv4- Not Specified 0.0.0.0
mask bits. classnet 0.0.0.0

ip6-subnet IPv6 network address/subnet mask bits. ipv6- Not Specified ::/128
network

config emailfilter mheader

Configure AntiSpam MIME header.

FortiOS 7.4.4 CLI Reference 148

Fortinet Inc.
config emailfilter mheader
Description: Configure AntiSpam MIME header.
edit <id>
set comment {var-string}
config entries
Description: Spam filter mime header content.
edit <id>
set status [enable|disable]
set fieldname {string}
set fieldbody {string}
set pattern-type [wildcard|regexp]
set action [spam|clear]
next
end
set name {string}
next
end

config emailfilter mheader

Parameter Description Type Size Default

comment Optional comments. var-string Maximum

length: 255

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Name of table. string Maximum

length: 63

config entries

Parameter Description Type Size Default

spam Mark as spam email.

clear Mark as good email.

config emailfilter options

Configure AntiSpam options.

config emailfilter options
Description: Configure AntiSpam options.
set dns-timeout {integer}
end

config emailfilter options

Parameter Description Type Size Default

dns-timeout DNS query time out. integer Minimum 7

value: 1
Maximum
value: 30

config emailfilter profile

Configure Email Filter profiles.

config emailfilter profile
Description: Configure Email Filter profiles.
edit <name>
set comment {var-string}
set external [enable|disable]

FortiOS 7.4.4 CLI Reference 150

Fortinet Inc.
set feature-set [flow|proxy]
config gmail
Description: Gmail.
set log-all [disable|enable]
end
config imap
Description: IMAP.
set log-all [disable|enable]
set action [pass|tag]
set tag-type {option1}, {option2}, ...
set tag-msg {string}
end
config mapi
Description: MAPI.
set log-all [disable|enable]
set action [pass|discard]
end
config msn-hotmail
Description: MSN Hotmail.
set log-all [disable|enable]
end
set options {option1}, {option2}, ...
config other-webmails
Description: Other supported webmails.
set log-all [disable|enable]
end
config pop3
Description: POP3.
set log-all [disable|enable]
set action [pass|tag]
set tag-type {option1}, {option2}, ...
set tag-msg {string}
end
set replacemsg-group {string}
config smtp
Description: SMTP.
set log-all [disable|enable]
set action [pass|tag|...]
set tag-type {option1}, {option2}, ...
set tag-msg {string}
set hdrip [disable|enable]
set local-override [disable|enable]
end
set spam-bal-table {integer}
set spam-bword-table {integer}
set spam-bword-threshold {integer}
set spam-filtering [enable|disable]
set spam-iptrust-table {integer}
set spam-log [disable|enable]
set spam-log-fortiguard-response [disable|enable]
set spam-mheader-table {integer}
set spam-rbl-table {integer}
config yahoo-mail
Description: Yahoo! Mail.
set log-all [disable|enable]
end

FortiOS 7.4.4 CLI Reference 151

Fortinet Inc.
next
end

config emailfilter profile

Parameter Description Type Size Default

comment Comment. var-string Maximum

length: 255

external Enable/disable external Email inspection. option - disable

Option Description

enable Enable setting.

disable Disable setting.

feature-set Flow/proxy feature set. option - flow

Option Description

flow Flow feature set.

proxy Proxy feature set.

name Profile name. string Maximum

length: 35

options Options. option -

Option Description

bannedword Content block.

spambal Block/allow list.

spamfsip Email IP address FortiGuard AntiSpam block list check.

spamfssubmit Add FortiGuard AntiSpam spam submission text.

spamfschksum Email checksum FortiGuard AntiSpam check.

spamfsurl Email content URL FortiGuard AntiSpam check.

spamhelodns Email helo/ehlo domain DNS check.

spamraddrdns Email return address DNS check.

spamrbl Email DNSBL & ORBL check.

spamhdrcheck Email mime header check.

spamfsphish Email content phishing URL FortiGuard AntiSpam check.

replacemsg- Replacement message group. string Maximum

group length: 35

FortiOS 7.4.4 CLI Reference 152

Fortinet Inc.
Parameter Description Type Size Default

spam-bal-table Anti-spam block/allow list table ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

spam-bword- Anti-spam banned word table ID. integer Minimum 0

table value: 0
Maximum
value:
4294967295

spam-bword- Spam banned word threshold. integer Minimum 10

threshold value: 0
Maximum
value:
2147483647

spam-filtering Enable/disable spam filtering. option - disable

Option Description

enable Enable setting.

disable Disable setting.

spam-iptrust- Anti-spam IP trust table ID. integer Minimum 0

table value: 0
Maximum
value:
4294967295

spam-log Enable/disable spam logging for email filtering. option - enable

Option Description

disable Disable spam logging for email filtering.

enable Enable spam logging for email filtering.

spam-log- Enable/disable logging FortiGuard spam response. option - disable

fortiguard-
response

Option Description

disable Disable logging FortiGuard spam response.

enable Enable logging FortiGuard spam response.

FortiOS 7.4.4 CLI Reference 153

Fortinet Inc.
Parameter Description Type Size Default

spam- Anti-spam MIME header table ID. integer Minimum 0

mheader-table value: 0
Maximum
value:
4294967295

spam-rbl-table Anti-spam DNSBL table ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

config gmail

Parameter Description Type Size Default

log-all Enable/disable logging of all email traffic. option - disable

Option Description

disable Disable logging of all email traffic.

enable Enable logging of all email traffic.

config imap

Parameter Description Type Size Default

log-all Enable/disable logging of all email traffic. option - disable

Option Description

disable Disable logging of all email traffic.

discard Discard (block) spam email.

config msn-hotmail

Parameter Description Type Size Default

log-all Enable/disable logging of all email traffic. option - disable

Option Description

disable Disable logging of all email traffic.

enable Enable logging of all email traffic.

config other-webmails

Parameter Description Type Size Default

log-all Enable/disable logging of all email traffic. option - disable

FortiOS 7.4.4 CLI Reference 155

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable logging of all email traffic.

enable Enable logging of all email traffic.

config pop3

Parameter Description Type Size Default

log-all Enable/disable logging of all email traffic. option - disable

Option Description

disable Disable logging of all email traffic.

enable Enable logging of all email traffic.

action Action for spam email. option - tag

Option Description

pass Allow spam email to pass through.

tag Tag spam email with configured text in subject or header.

tag-type Tag subject or header for spam email. option - subject

spaminfo

Option Description

subject Prepend text to spam email subject.

header Append a user defined mime header to spam email.

spaminfo Append spam info to spam email header.

tag-msg Subject text or header added to spam email. string Maximum Spam
length: 63

config smtp

Parameter Description Type Size Default

hdrip Enable/disable SMTP email header IP checks for option - disable

spamfsip, spamrbl, and spambal filters.

Option Description

disable Disable SMTP email header IP checks for spamfsip, spamrbl, and spambal
filters.

enable Enable SMTP email header IP checks for spamfsip, spamrbl, and spambal
filters.

local-override Enable/disable local filter to override SMTP remote option - disable

check result.

Option Description

disable Disable local filter to override SMTP remote check result.

enable Enable local filter to override SMTP remote check result.

config yahoo-mail

Parameter Description Type Size Default

log-all Enable/disable logging of all email traffic. option - disable

FortiOS 7.4.4 CLI Reference 157

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable logging of all email traffic.

enable Enable logging of all email traffic.

FortiOS 7.4.4 CLI Reference 158

Fortinet Inc.
endpoint-control

This section includes syntax for the following commands:

l config endpoint-control fctems-override on page 159
l config endpoint-control fctems on page 164
l config endpoint-control settings on page 168

config endpoint-control fctems-override

Configure FortiClient Enterprise Management Server (EMS) entries.

config endpoint-control fctems-override
Description: Configure FortiClient Enterprise Management Server (EMS) entries.
edit <ems-id>
set call-timeout {integer}
set capabilities {option1}, {option2}, ...
set cloud-authentication-access-key {string}
set dirty-reason [none|mismatched-ems-sn]
set fortinetone-cloud-authentication [enable|disable]
set https-port {integer}
set interface {string}
set interface-select-method [auto|sdwan|...]
set name {string}
set out-of-sync-threshold {integer}
set preserve-ssl-session [enable|disable]
set pull-avatars [enable|disable]
set pull-malware-hash [enable|disable]
set pull-sysinfo [enable|disable]
set pull-tags [enable|disable]
set pull-vulnerabilities [enable|disable]
set send-tags-to-all-vdoms [enable|disable]
set serial-number {string}
set server {string}
set source-ip {ipv4-address-any}
set status [enable|disable]
set tenant-id {string}
set trust-ca-cn [enable|disable]
set verifying-ca {string}
set websocket-override [enable|disable]
next
end

FortiOS 7.4.4 CLI Reference 159

Fortinet Inc.
config endpoint-control fctems-override

Parameter Description Type Size Default

call-timeout FortiClient EMS call timeout in seconds. integer Minimum 30

value: 1
Maximum
value: 180

capabilities List of EMS capabilities. option -

Option Description

fabric-auth Allow this FortiGate unit to load the authentication page provided by EMS to
authenticate itself with EMS.

silent-approval Allow silent approval of non-root or FortiGate HA clusters on EMS in the

Security Fabric.

websocket Enable/disable websockets for this FortiGate unit. Override behavior using
websocket-override.

websocket- Allow this FortiGate unit to request malware hash notifications over
malware websocket.

push-ca-certs Enable/disable syncing deep inspection certificates with EMS.

common-tags- Can recieve tag information from New Common Tags API from EMS.
api

tenant-id Allow this FortiGate to retrieve Tenant-ID from EMS.

client-avatars Allow this FortiGate to retrieve avatars from EMS by fingerprint.

single-vdom- Allow this FortiGate to create a vdom connector to EMS.

connector

fgt-sysinfo-api Allow this FortiGate to send additional info to EMS.

ztna-server-info Allow this FortiGate to send vdom's ZTNA server information to EMS.

cloud- FortiClient EMS Cloud multitenancy access key string Maximum

authentication- length: 20
access-key

dirty-reason Dirty Reason for FortiClient EMS. option - none

Option Description

none FortiClient EMS entry not dirty.

mismatched- FortiClient EMS entry dirty because EMS SN is mismatched with

ems-sn configured SN.

FortiOS 7.4.4 CLI Reference 160

Fortinet Inc.
Parameter Description Type Size Default

ems-id EMS ID in order. integer Minimum 0

value: 1
Maximum
value: 7

fortinetone- Enable/disable authentication of FortiClient EMS option - disable

cloud- Cloud through FortiCloud account.
authentication

Option Description

enable Enable authentication of FortiClient EMS Cloud through FortiCloud

account.

disable Disable authentication of FortiClient EMS Cloud through FortiCloud

account.

https-port FortiClient EMS HTTPS access port number.. integer Minimum 443
value: 1
Maximum
value:
65535

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface-select- Specify how to select outgoing interface to reach option - auto

method server.

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

name FortiClient Enterprise Management Server (EMS) string Maximum

name. length: 35

pull- Enable/disable pulling vulnerabilities from EMS. option - enable

vulnerabilities

Option Description

enable Enable pulling client vulnerabilities from EMS.

disable Disable pulling client vulnerabilities from EMS.

send-tags-to-all- Relax restrictions on tags to send all EMS tags to all option - disable
vdoms VDOMs

FortiOS 7.4.4 CLI Reference 162

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable sending tags to all vdoms.

disable Disable sending tags to all vdoms.

serial-number EMS Serial Number. string Maximum

length: 16

server FortiClient EMS FQDN or IPv4 address. string Maximum

length: 255

source-ip REST API call source IP. ipv4- Not 0.0.0.0

address- Specified
any

status Enable or disable this EMS configuration. option - disable

Configure FortiClient Enterprise Management Server (EMS) entries.

config endpoint-control fctems
Description: Configure FortiClient Enterprise Management Server (EMS) entries.
edit <ems-id>
set call-timeout {integer}
set capabilities {option1}, {option2}, ...
set cloud-authentication-access-key {string}
set dirty-reason [none|mismatched-ems-sn]
set fortinetone-cloud-authentication [enable|disable]
set https-port {integer}
set interface {string}
set interface-select-method [auto|sdwan|...]
set name {string}
set out-of-sync-threshold {integer}
set preserve-ssl-session [enable|disable]
set pull-avatars [enable|disable]
set pull-malware-hash [enable|disable]
set pull-sysinfo [enable|disable]
set pull-tags [enable|disable]
set pull-vulnerabilities [enable|disable]
set send-tags-to-all-vdoms [enable|disable]
set serial-number {string}
set server {string}
set source-ip {ipv4-address-any}
set status [enable|disable]
set tenant-id {string}
set trust-ca-cn [enable|disable]
set verifying-ca {string}
set websocket-override [enable|disable]
next
end

config endpoint-control fctems

Parameter Description Type Size Default

call-timeout FortiClient EMS call timeout in seconds. integer Minimum 30

value: 1
Maximum
value: 180

capabilities List of EMS capabilities. option -

Option Description

fabric-auth Allow this FortiGate unit to load the authentication page provided by EMS to
authenticate itself with EMS.

FortiOS 7.4.4 CLI Reference 164

Fortinet Inc.
Parameter Description Type Size Default

Option Description

silent-approval Allow silent approval of non-root or FortiGate HA clusters on EMS in the

Security Fabric.

websocket Enable/disable websockets for this FortiGate unit. Override behavior using
websocket-override.

websocket- Allow this FortiGate unit to request malware hash notifications over
malware websocket.

push-ca-certs Enable/disable syncing deep inspection certificates with EMS.

common-tags- Can recieve tag information from New Common Tags API from EMS.
api

tenant-id Allow this FortiGate to retrieve Tenant-ID from EMS.

client-avatars Allow this FortiGate to retrieve avatars from EMS by fingerprint.

single-vdom- Allow this FortiGate to create a vdom connector to EMS.

connector

fgt-sysinfo-api Allow this FortiGate to send additional info to EMS.

ztna-server-info Allow this FortiGate to send vdom's ZTNA server information to EMS.

cloud- FortiClient EMS Cloud multitenancy access key string Maximum

authentication- length: 20
access-key

dirty-reason Dirty Reason for FortiClient EMS. option - none

Option Description

none FortiClient EMS entry not dirty.

mismatched- FortiClient EMS entry dirty because EMS SN is mismatched with

ems-sn configured SN.

ems-id EMS ID in order. integer Minimum 0

value: 1
Maximum
value: 7

fortinetone- Enable/disable authentication of FortiClient EMS option - disable

cloud- Cloud through FortiCloud account.
authentication

FortiOS 7.4.4 CLI Reference 165

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable authentication of FortiClient EMS Cloud through FortiCloud

account.

disable Disable authentication of FortiClient EMS Cloud through FortiCloud

account.

https-port FortiClient EMS HTTPS access port number.. integer Minimum 443
value: 1
Maximum
value:
65535

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface-select- Specify how to select outgoing interface to reach option - auto

method server.

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

name FortiClient Enterprise Management Server (EMS) string Maximum

name. length: 35

out-of-sync- Outdated resource threshold in seconds. integer Minimum 180

threshold value: 10
Maximum
value: 3600

preserve-ssl- Enable/disable preservation of EMS SSL session option - disable

session connection. Warning, most users should not touch
this setting.

Option Description

enable Allow preservation of EMS SSL session connection.

disable Don't allow preservation of EMS SSL session connection.

pull-avatars Enable/disable pulling avatars from EMS. option - enable

Option Description

enable Enable pulling FortiClient user avatars from EMS.

disable Disable pulling FortiClient user avatars from EMS.

FortiOS 7.4.4 CLI Reference 166

Fortinet Inc.
Parameter Description Type Size Default

pull-malware- Enable/disable pulling FortiClient malware hash from option - enable

hash EMS.

Option Description

enable Enable pulling FortiClient malware hash from EMS.

disable Disable pulling FortiClient malware hash from EMS.

pull-sysinfo Enable/disable pulling SysInfo from EMS. option - enable

enable Enable sending tags to all vdoms.

disable Disable sending tags to all vdoms.

serial-number EMS Serial Number. string Maximum

length: 16

server FortiClient EMS FQDN or IPv4 address. string Maximum

length: 255

source-ip REST API call source IP. ipv4- Not 0.0.0.0

address- Specified
any

FortiOS 7.4.4 CLI Reference 167

Fortinet Inc.
Parameter Description Type Size Default

status Enable or disable this EMS configuration. option - disable

Option Description

enable Enable EMS configuration and operation.

disable Disable EMS configuration and operation.

tenant-id EMS Tenant ID. string Maximum

length: 32

trust-ca-cn Enable/disable trust of the EMS certificate issuer(CA) option - enable

and common name(CN) for certificate auto-renewal.

Option Description

enable Trust EMS certificate CA & CN to automatically renew certificate.

disable Do not trust EMS certificate CA & CN to automatically renew certificate.

verifying-ca Lowest CA cert on Fortigate in verified EMS cert string Maximum

chain. length: 79

websocket- Enable/disable override behavior for how this option - disable

override FortiGate unit connects to EMS using a WebSocket
connection.

Option Description

enable Do not override the WebSocket connection. Connect to WebSocket of this

EMS server if it is capable (default).

disable Override the WebSocket connection. Do not connect to WebSocket even if

EMS is capable of a WebSocket connection.

config endpoint-control settings

Configure endpoint control settings.

config endpoint-control settings
Description: Configure endpoint control settings.
set override [enable|disable]
end

config endpoint-control settings

Parameter Description Type Size Default

override Override global EMS table for this VDOM. option - disable

FortiOS 7.4.4 CLI Reference 168

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable Overriding global EMS table.

disable Disable Overriding global EMS table.

FortiOS 7.4.4 CLI Reference 169

Fortinet Inc.
ethernet-oam

This section includes syntax for the following commands:

l config ethernet-oam cfm on page 170

config ethernet-oam cfm

This command is available for model(s): FortiGate 100F, FortiGate 101F, FortiGate 1100E,
FortiGate 200E, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 60E-POE, FortiGate 60E,
FortiGate 60F, FortiGate 61E, FortiGate 61F, FortiGate 80E-POE, FortiGate 80E, FortiGate
80F Bypass, FortiGate 80F, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F, FortiWiFi 40F
3G4G, FortiWiFi 40F, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F.
It is not available for: FortiGate 1000D, FortiGate 1000F, FortiGate 1001F, FortiGate 1101E,
FortiGate 140E-POE, FortiGate 140E, FortiGate 1800F, FortiGate 1801F, FortiGate 2000E,
FortiGate 200F, FortiGate 201E, FortiGate 201F, FortiGate 2200E, FortiGate 2201E,
FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 3000F,
FortiGate 3001F, FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D,
FortiGate 3200F, FortiGate 3201F, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E,
FortiGate 3401E, FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E,
FortiGate 3700D, FortiGate 3700F, FortiGate 3701F, FortiGate 3960E, FortiGate 3980E,
FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E, FortiGate 401F,
FortiGate 4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F, FortiGate 5001E1,
FortiGate 5001E, FortiGate 500E, FortiGate 501E, FortiGate 600E, FortiGate 600F, FortiGate
601E, FortiGate 601F, FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 70F, FortiGate
71F, FortiGate 800D, FortiGate 80F-POE, FortiGate 81F-POE, FortiGate 900D, FortiGate
90E, FortiGate 91E, FortiGate VM64, FortiGateRugged 60F 3G4G, FortiGateRugged 60F,
FortiGateRugged 70F 3G4G, FortiGateRugged 70F, FortiWiFi 60E DSLJ, FortiWiFi 60E DSL,
FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.

CFM domain configuration.

config ethernet-oam cfm
Description: CFM domain configuration.
edit <domain-id>
set domain-level {integer}
set domain-name {text}
config service
Description: CFM service configuration.
edit <service-id>
set service-name {text}
set interface {string}
set mepid {integer}
set message-interval [100|1000|...]
set cos {integer}
set sender-id [None|Hostname]
next

FortiOS 7.4.4 CLI Reference 170

Fortinet Inc.
end
next
end

config ethernet-oam cfm

Parameter Description Type Size Default

domain-id OAM domain ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

domain-level OAM maintenance level integer Minimum 7

value: 0
Maximum
value: 7

domain-name OAM domain name. Maintenance Domain Identifier text Not Specified
(MDID).

config service

Parameter Description Type Size Default

service-id Service ID to specify service integer Minimum 0

value: 0
Maximum
value:
4294967295

service-name Short MA Name (SMAN) text Not Specified

interface VLAN interface name where service is enabled string Maximum

length: 63

mepid ID of the local MEP. range[1 - 8191] integer Minimum 1

value: 1
Maximum
value: 8191

message- Continuity-check message frequency interval in ms option - 1000

interval

Option Description

100 100 msc

1000 1000 msc

10000 10000 msc

FortiOS 7.4.4 CLI Reference 171

Fortinet Inc.
Parameter Description Type Size Default

Option Description

60000 60000 msc

600000 600000 msc

cos Set Class of service (CoS) bit for continuity-check integer Minimum 0
messages. range[0 - 7] value: 0
Maximum
value: 7

sender-id TLV Sender ID. {None | Hostname} option - None

Option Description

None None

Hostname Hostname

FortiOS 7.4.4 CLI Reference 172

Fortinet Inc.
extension-controller

This section includes syntax for the following commands:

l config extension-controller dataplan on page 173
l config extension-controller extender-profile on page 176
l config extension-controller extender-vap on page 202
l config extension-controller extender on page 206
l config extension-controller fortigate-profile on page 209
l config extension-controller fortigate on page 210

config extension-controller dataplan

FortiExtender dataplan configuration.

config extension-controller dataplan
Description: FortiExtender dataplan configuration.
edit <name>
set apn {string}
set auth-type [none|pap|...]
set billing-date {integer}
set capacity {integer}
set carrier {string}
set iccid {string}
set modem-id [modem1|modem2|...]
set monthly-fee {integer}
set overage [disable|enable]
set password {password}
set pdn [ipv4-only|ipv6-only|...]
set preferred-subnet {integer}
set private-network [disable|enable]
set signal-period {integer}
set signal-threshold {integer}
set slot [sim1|sim2]
set type [carrier|slot|...]
set username {string}
next
end

config extension-controller dataplan

Parameter Description Type Size Default

apn APN configuration. string Maximum

length: 63

auth-type Authentication type. option - none

FortiOS 7.4.4 CLI Reference 173

Fortinet Inc.
Parameter Description Type Size Default

Option Description

none No authentication.

pap PAP.

chap CHAP.

billing-date Billing day of the month. integer Minimum 1

value: 1
Maximum
value: 31

capacity Capacity in MB. integer Minimum 0

value: 0
Maximum
value:
102400000

carrier Carrier configuration. string Maximum

length: 31

iccid ICCID configuration. string Maximum

length: 31

modem-id Dataplan's modem specifics, if any. option - all

Option Description

modem1 Modem one.

modem2 Modem two.

all All modems.

monthly-fee Monthly fee of dataplan. integer Minimum 0

value: 0
Maximum
value:
1000000

name FortiExtender data plan name. string Maximum

length: 31

overage Enable/disable dataplan overage detection. option - disable

Option Description

disable Disable dataplan overage detection.

enable Enable dataplan overage detection.

password Password. password Not Specified

FortiOS 7.4.4 CLI Reference 174

Fortinet Inc.
Parameter Description Type Size Default

pdn PDN type. option - ipv4-only

Option Description

ipv4-only IPv4 only PDN activation.

ipv6-only IPv6 only PDN activation.

ipv4-ipv6 Both IPv4 and IPv6 PDN activations.

preferred- Preferred subnet mask. integer Minimum 0

subnet value: 0
Maximum
value: 32

private- Enable/disable dataplan private network support. option - disable

network

Option Description

disable Disable dataplan private network support.

enable Enable dataplan private network support.

signal-period Signal period (600 to 18000 seconds). integer Minimum 3600

value: 600
Maximum
value: 18000

signal- Signal threshold. Specify the range between 50 - 100, integer Minimum 100
threshold where 50/100 means -50/-100 dBm. value: 50
Maximum
value: 100

slot SIM slot configuration. option -

Option Description

sim1 Sim slot one.

sim2 Sim slot two.

type Type preferences configuration. option - generic

Option Description

carrier Assign by SIM carrier.

slot Assign to SIM slot 1 or 2.

iccid Assign to a specific SIM by ICCID.

generic Compatible with any SIM. Assigned if no other dataplan matches the chosen
SIM.

FortiOS 7.4.4 CLI Reference 175

Fortinet Inc.
Parameter Description Type Size Default

username Username. string Maximum

length: 127

config extension-controller extender-profile

FortiExtender extender profile configuration.

config extension-controller extender-profile
Description: FortiExtender extender profile configuration.
edit <name>
set allowaccess {option1}, {option2}, ...
set bandwidth-limit {integer}
config cellular
Description: FortiExtender cellular configuration.
set dataplan <name1>, <name2>, ...
config controller-report
Description: FortiExtender controller report configuration.
set status [disable|enable]
set interval {integer}
set signal-threshold {integer}
end
config sms-notification
Description: FortiExtender cellular SMS notification configuration.
set status [disable|enable]
config alert
Description: SMS alert list.
set system-reboot {string}
set data-exhausted {string}
set session-disconnect {string}
set low-signal-strength {string}
set os-image-fallback {string}
set mode-switch {string}
set fgt-backup-mode-switch {string}
end
config receiver
Description: SMS notification receiver list.
edit <name>
set status [disable|enable]
set phone-number {string}
set alert {option1}, {option2}, ...
next
end
end
config modem1
Description: Configuration options for modem 1.
set redundant-mode [disable|enable]
set redundant-intf {string}
set conn-status {integer}
set default-sim [sim1|sim2|...]
set gps [disable|enable]
set sim1-pin [disable|enable]
set sim2-pin [disable|enable]

FortiOS 7.4.4 CLI Reference 176

Fortinet Inc.
set sim1-pin-code {password}
set sim2-pin-code {password}
set preferred-carrier {string}
config auto-switch
Description: FortiExtender auto switch configuration.
set disconnect [disable|enable]
set disconnect-threshold {integer}
set disconnect-period {integer}
set signal [disable|enable]
set dataplan [disable|enable]
set switch-back {option1}, {option2}, ...
set switch-back-time {string}
set switch-back-timer {integer}
end
end
config modem2
Description: Configuration options for modem 2.
set redundant-mode [disable|enable]
set redundant-intf {string}
set conn-status {integer}
set default-sim [sim1|sim2|...]
set gps [disable|enable]
set sim1-pin [disable|enable]
set sim2-pin [disable|enable]
set sim1-pin-code {password}
set sim2-pin-code {password}
set preferred-carrier {string}
config auto-switch
Description: FortiExtender auto switch configuration.
set disconnect [disable|enable]
set disconnect-threshold {integer}
set disconnect-period {integer}
set signal [disable|enable]
set dataplan [disable|enable]
set switch-back {option1}, {option2}, ...
set switch-back-time {string}
set switch-back-timer {integer}
end
end
end
set enforce-bandwidth [enable|disable]
set extension [wan-extension|lan-extension]
set id {integer}
config lan-extension
Description: FortiExtender lan extension configuration.
set link-loadbalance [activebackup|loadbalance]
set ipsec-tunnel {string}
set backhaul-interface {string}
set backhaul-ip {string}
config backhaul
Description: LAN extension backhaul tunnel configuration.
edit <name>
set port [wan|lte1|...]
set role [primary|secondary]
set weight {integer}
next

FortiOS 7.4.4 CLI Reference 177

Fortinet Inc.
end
end
set login-password {password}
set login-password-change [yes|default|...]
set model [FX201E|FX211E|...]
config wifi
Description: FortiExtender wifi configuration.
set country [--|AF|...]
config radio-1
Description: Radio-1 config for Wi-Fi 2.4GHz
set mode [AP|Client]
set band {option}
set status [disable|enable]
set operating-standard [auto|11A-N-AC-AX|...]
set guard-interval [auto|400ns|...]
set channel {option1}, {option2}, ...
set bandwidth [auto|20MHz|...]
set power-level {integer}
set beacon-interval {integer}
set 80211d [disable|enable]
set max-clients {integer}
set extension-channel [auto|higher|...]
set bss-color-mode [auto|static]
set bss-color {integer}
set lan-ext-vap {string}
set local-vaps <name1>, <name2>, ...
end
config radio-2
Description: Radio-2 config for Wi-Fi 5GHz
set mode [AP|Client]
set band {option}
set status [disable|enable]
set operating-standard [auto|11A-N-AC-AX|...]
set guard-interval [auto|400ns|...]
set channel {option1}, {option2}, ...
set bandwidth [auto|20MHz|...]
set power-level {integer}
set beacon-interval {integer}
set 80211d [disable|enable]
set max-clients {integer}
set extension-channel [auto|higher|...]
set bss-color-mode [auto|static]
set bss-color {integer}
set lan-ext-vap {string}
set local-vaps <name1>, <name2>, ...
end
end
next
end

FortiOS 7.4.4 CLI Reference 178

Fortinet Inc.
config extension-controller extender-profile

Parameter Description Type Size Default

allowaccess Control management access to the managed option -

extender. Separate entries with a space.

Option Description

ping PING access.

telnet TELNET access.

http HTTP access.

https HTTPS access.

ssh SSH access.

snmp SNMP access.

bandwidth- FortiExtender LAN extension bandwidth limit (Mbps). integer Minimum 1024
limit value: 1
Maximum
value:
16776000

enforce- Enable/disable enforcement of bandwidth on LAN option - disable

bandwidth extension interface.

Option Description

enable Enable to enforce bandwidth limit on LAN extension interface.

disable Disable to enforce bandwidth limit on LAN extension interface.

extension Extension option. option - wan-

extension

Option Description

wan-extension WAN extension.

lan-extension LAN extension.

id ID. integer Minimum 32

value: 0
Maximum
value:
102400000

FortiOS 7.4.4 CLI Reference 179

Fortinet Inc.
Parameter Description Type Size Default

login- Change or reset the administrator password of a option - no

password- managed extender.
change

Option Description

yes Change the managed extender's administrator password. Use the login-
password option to set the password.

default Keep the managed extender's administrator password set to the factory
default.

no Do not change the managed extender's administrator password.

model Model. option - FX201E

Option Description

FX201E FEX-201E model.

FX211E FEX-211E model.

FX200F FEX-200F model.

FXA11F FEX-101F-AM model.

FXE11F FEX-101F-EA model.

FXA21F FEX-201F-AM model.

FXE21F FEX-201F-EA model.

FXA22F FEX-202F-AM model.

FXE22F FEX-202F-EA model.

FX212F FEX-212F model.

FX311F FEX-311F model.

FX312F FEX-312F model.

FX511F FEX-511F model.

FXR51G FER-511G model.

FVG21F FEV-211F model.

FVA21F FEV-211F-AM model.

FVG22F FEV-212F model.

FVA22F FEV-212F-AM model.

FX04DA FX40D-AMEU model.

FortiOS 7.4.4 CLI Reference 180

Fortinet Inc.
Parameter Description Type Size Default

Option Description

FG FG-CONNECTOR model.

BS10FW FBS-10FW model.

BS20GW FBS-20GW model.

BS20GN FBS-20G model.

name FortiExtender profile name. string Maximum

length: 31

config cellular

Parameter Description Type Size Default

dataplan Dataplan names. string Maximum

<name> Dataplan name. length: 79

config controller-report

Parameter Description Type Size Default

status FortiExtender controller report status. option - disable

Option Description

disable Controller is configured to not provide service to this FortiExtender.

enable Controller is configured to provide service to this FortiExtender.

interval Controller report interval. integer Minimum 300

value: 0
Maximum
value:
4294967295

signal- Controller report signal threshold. integer Minimum 10

threshold value: 10
Maximum
value: 50

config sms-notification

Parameter Description Type Size Default

status FortiExtender SMS notification status. option - disable

FortiOS 7.4.4 CLI Reference 181

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable SMS notification is configured to not provide service to this FortiExtender.

enable SMS notification is configured to provide service to this FortiExtender.

config alert

Parameter Description Type Size Default

system- Display string when system rebooted. string Maximum system will
reboot length: 63 reboot

data- Display string when data exhausted. string Maximum data plan is
exhausted length: 63 exhausted

session- Display string when session disconnected. string Maximum LTE data
disconnect length: 63 session is
disconnected

low-signal- Display string when signal strength is low. string Maximum LTE signal
strength length: 63 strength is too
low

os-image- Display string when falling back to a previous OS string Maximum system start to
fallback image. length: 63 fallback OS
image

mode-switch Display string when mode is switched. string Maximum system

length: 63 networking
mode switched

fgt-backup- Display string when FortiGate backup mode string Maximum FortiGate
mode-switch switched. length: 63 backup work
mode switched

config receiver

Parameter Description Type Size Default

name FortiExtender SMS notification receiver name. string Maximum

length: 31

status SMS notification receiver status. option - disable

Option Description

disable Disable SMS notification receiver.

enable Enable SMS notification receiver.

FortiOS 7.4.4 CLI Reference 182

Fortinet Inc.
Parameter Description Type Size Default

phone- Receiver phone number. Format: [+][country code][area string Maximum

number code][local phone number]. For example, length: 31
+16501234567.

alert Alert multi-options. option -

Option Description

system-reboot System will reboot.

data-exhausted Data plan is exhausted.

session- LTE data session is disconnected.

disconnect

low-signal- LTE signal strength is too low.

strength

mode-switch System is starting to use fallback OS image.

os-image- System networking mode switched.

fallback

fgt-backup- FortiGate backup work mode switched.

mode-switch

config modem1

Parameter Description Type Size Default

redundant- FortiExtender mode. option - disable

mode

enable Enable GPS.

sim1-pin SIM #1 PIN status. option - disable

Option Description

disable Disable SIM #1 PIN.

enable Enable SIM #1 PIN.

sim2-pin SIM #2 PIN status. option - disable

Option Description

disable Disable SIM #2 PIN.

enable Enable SIM #2 PIN.

sim1-pin-code SIM #1 PIN password. password Not Specified

sim2-pin-code SIM #2 PIN password. password Not Specified

preferred- Preferred carrier. string Maximum

carrier length: 31

config auto-switch

Parameter Description Type Size Default

disconnect Auto switch by disconnect. option - disable

Option Description

disable Disable switching of SIM card based on cellular disconnections.

enable Enable switching of SIM card based on cellular disconnections.

FortiOS 7.4.4 CLI Reference 184

Fortinet Inc.
Parameter Description Type Size Default

disconnect- Automatically switch based on disconnect threshold. integer Minimum 3

threshold value: 1
Maximum
value: 100

disconnect- Automatically switch based on disconnect period. integer Minimum 600

period value: 600
Maximum
value: 18000

signal Automatically switch based on signal strength. option - disable

Option Description

disable Disable switching of SIM card based on cellular signal quality.

enable Enable switching of SIM card based on cellular signal quality.

dataplan Automatically switch based on data usage. option - disable

Option Description

disable Disable switching of SIM card based on cellular data usage.

enable Enable switching of SIM card based on cellular data usage.

switch-back Auto switch with switch back multi-options. option -

Option Description

time Switch back based on specific time in UTC (HH:MM).

timer Switch back based on an interval.

switch-back- Automatically switch over to preferred SIM/carrier at a string Maximum 00:01

time specified time in UTC (HH:MM). length: 31

switch-back- Automatically switch over to preferred SIM/carrier integer Minimum 86400

timer after the given time. value: 3600
Maximum
value:
2147483647

config modem2

Parameter Description Type Size Default

redundant- FortiExtender mode. option - disable

mode

FortiOS 7.4.4 CLI Reference 185

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable interface redundancy.

enable Enable interface redundancy.

redundant-intf Redundant interface. string Maximum

length: 15

conn-status Connection status. integer Minimum 0

value: 0
Maximum
value:
4294967295

default-sim Default SIM selection. option - sim1

Option Description

sim1 Use SIM #1 by default.

sim2 Use SIM #2 by default.

carrier Assign default SIM based on carrier.

cost Assign default SIM based on cost.

gps FortiExtender GPS enable/disable. option - enable

Option Description

disable Disable GPS.

enable Enable GPS.

sim1-pin SIM #1 PIN status. option - disable

Option Description

disable Disable SIM #1 PIN.

enable Enable SIM #1 PIN.

sim2-pin SIM #2 PIN status. option - disable

Option Description

disable Disable SIM #2 PIN.

enable Enable SIM #2 PIN.

sim1-pin-code SIM #1 PIN password. password Not Specified

sim2-pin-code SIM #2 PIN password. password Not Specified

FortiOS 7.4.4 CLI Reference 186

Fortinet Inc.
Parameter Description Type Size Default

preferred- Preferred carrier. string Maximum

carrier length: 31

config auto-switch

Parameter Description Type Size Default

disconnect Auto switch by disconnect. option - disable

disconnect- Automatically switch based on disconnect threshold. integer Minimum 3

threshold value: 1
Maximum
value: 100

disconnect- Automatically switch based on disconnect period. integer Minimum 600

period value: 600
Maximum
value: 18000

signal Automatically switch based on signal strength. option - disable

dataplan Automatically switch based on data usage. option - disable

switch-back Auto switch with switch back multi-options. option -

switch-back- Automatically switch over to preferred SIM/carrier at a string Maximum 00:01

time specified time in UTC (HH:MM). length: 31

switch-back- Automatically switch over to preferred SIM/carrier integer Minimum 86400

timer after the given time. value: 3600
Maximum
value:
2147483647

config lan-extension

Parameter Description Type Size Default

link- LAN extension link load balance strategy. option - activebackup

loadbalance

Option Description

activebackup FortiExtender LAN extension active-backup.

loadbalance FortiExtender LAN extension load-balance.

ipsec-tunnel IPsec tunnel name. string Maximum

length: 15

FortiOS 7.4.4 CLI Reference 187

Fortinet Inc.
Parameter Description Type Size Default

backhaul- IPsec phase1 interface. string Maximum

interface length: 15

backhaul-ip IPsec phase1 IPv4/FQDN. Used to specify the string Maximum

external IP/FQDN when the FortiGate unit is behind length: 63
a NAT device.

config backhaul

Parameter Description Type Size Default

name FortiExtender LAN extension backhaul name. string Maximum

length: 31

port FortiExtender uplink port. option - wan

Option Description

wan FortiExtender WAN port.

lte1 FortiExtender LTE1 port.

lte2 FortiExtender LTE2 port.

port1 FortiExtender port1 port.

port2 FortiExtender port2 port.

port3 FortiExtender port3 port.

port4 FortiExtender port4 port.

port5 FortiExtender port5 port.

sfp FortiExtender SFP port.

role FortiExtender uplink port. option - primary

Option Description

primary FortiExtender LAN extension primary role.

secondary FortiExtender LAN extension secondary role.

weight WRR weight parameter. integer Minimum 1

value: 1
Maximum
value: 256

FortiOS 7.4.4 CLI Reference 188

Fortinet Inc.
config wifi

Parameter Description Type Size Default

country Country in which this FEX will operate. option - --

Option Description

-- NO_COUNTRY_SET

AF AFGHANISTAN

AL ALBANIA

DZ ALGERIA

AS AMERICAN SAMOA

AO ANGOLA

AR ARGENTINA

AM ARMENIA

AU AUSTRALIA

AT AUSTRIA

AZ AZERBAIJAN

BS BAHAMAS

BH BAHRAIN

BD BANGLADESH

BB BARBADOS

BY BELARUS

BE BELGIUM

BZ BELIZE

BJ BENIN

BM BERMUDA

BT BHUTAN

BO BOLIVIA

BA BOSNIA AND HERZEGOVINA

BW BOTSWANA

BR BRAZIL

BN BRUNEI DARUSSALAM

BG BULGARIA

FortiOS 7.4.4 CLI Reference 189

Fortinet Inc.
Parameter Description Type Size Default

Option Description

BF BURKINA-FASO

KH CAMBODIA

CM CAMEROON

KY CAYMAN ISLANDS

CF CENTRAL AFRICA REPUBLIC

TD CHAD

CL CHILE

CN CHINA

CX CHRISTMAS ISLAND

CO COLOMBIA

CG CONGO REPUBLIC

CD DEMOCRATIC REPUBLIC OF CONGO

CR COSTA RICA

HR CROATIA

CY CYPRUS

CZ CZECH REPUBLIC

DK DENMARK

DJ DJIBOUTI

DM DOMINICA

DO DOMINICAN REPUBLIC

EC ECUADOR

EG EGYPT

SV EL SALVADOR

ET ETHIOPIA

EE ESTONIA

GF FRENCH GUIANA

PF FRENCH POLYNESIA

FO FAEROE ISLANDS

FJ FIJI

FortiOS 7.4.4 CLI Reference 190

Fortinet Inc.
Parameter Description Type Size Default

Option Description

FI FINLAND

FR FRANCE

GA GABON

GE GEORGIA

GM GAMBIA

DE GERMANY

GH GHANA

GI GIBRALTAR

GR GREECE

GL GREENLAND

GD GRENADA

GP GUADELOUPE

GU GUAM

GT GUATEMALA

GY GUYANA

HT HAITI

HN HONDURAS

HK HONG KONG

HU HUNGARY

IS ICELAND

IN INDIA

ID INDONESIA

IQ IRAQ

IE IRELAND

IM ISLE OF MAN

IL ISRAEL

IT ITALY

CI COTE_D_IVOIRE

JM JAMAICA

FortiOS 7.4.4 CLI Reference 191

Fortinet Inc.
Parameter Description Type Size Default

Option Description

JO JORDAN

KZ KAZAKHSTAN

KE KENYA

KR KOREA REPUBLIC

KW KUWAIT

LA LAOS

LV LATVIA

LB LEBANON

LS LESOTHO

LR LIBERIA

LY LIBYA

LI LIECHTENSTEIN

LT LITHUANIA

LU LUXEMBOURG

MO MACAU SAR

MK MACEDONIA, FYRO

MG MADAGASCAR

MW MALAWI

MY MALAYSIA

MV MALDIVES

ML MALI

MT MALTA

MH MARSHALL ISLANDS

MQ MARTINIQUE

MR MAURITANIA

MU MAURITIUS

YT MAYOTTE

MX MEXICO

FM MICRONESIA

FortiOS 7.4.4 CLI Reference 192

Fortinet Inc.
Parameter Description Type Size Default

Option Description

MD REPUBLIC OF MOLDOVA

MC MONACO

MN MONGOLIA

MA MOROCCO

MZ MOZAMBIQUE

MM MYANMAR

NA NAMIBIA

NP NEPAL

NL NETHERLANDS

AN NETHERLANDS ANTILLES

AW ARUBA

NZ NEW ZEALAND

NI NICARAGUA

NE NIGER

NG NIGERIA

NO NORWAY

MP NORTHERN MARIANA ISLANDS

OM OMAN

PK PAKISTAN

PW PALAU

PA PANAMA

PG PAPUA NEW GUINEA

PY PARAGUAY

PE PERU

PH PHILIPPINES

PL POLAND

PT PORTUGAL

PR PUERTO RICO

QA QATAR

FortiOS 7.4.4 CLI Reference 193

Fortinet Inc.
Parameter Description Type Size Default

Option Description

RE REUNION

RO ROMANIA

RU RUSSIA

RW RWANDA

BL SAINT BARTHELEMY

KN SAINT KITTS AND NEVIS

LC SAINT LUCIA

MF SAINT MARTIN

PM SAINT PIERRE AND MIQUELON

VC SAINT VINCENT AND GRENADIENS

SA SAUDI ARABIA

SN SENEGAL

RS REPUBLIC OF SERBIA

ME MONTENEGRO

SL SIERRA LEONE

SG SINGAPORE

SK SLOVAKIA

SI SLOVENIA

SO SOMALIA

ZA SOUTH AFRICA

ES SPAIN

LK SRI LANKA

SR SURINAME

SZ SWAZILAND

SE SWEDEN

CH SWITZERLAND

TW TAIWAN

TZ TANZANIA

TH THAILAND

FortiOS 7.4.4 CLI Reference 194

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TG TOGO

TT TRINIDAD AND TOBAGO

TN TUNISIA

TR TURKEY

TM TURKMENISTAN

AE UNITED ARAB EMIRATES

TC TURKS AND CAICOS

UG UGANDA

UA UKRAINE

GB UNITED KINGDOM

US UNITED STATES2

PS UNITED STATES (PUBLIC SAFETY)

UY URUGUAY

UZ UZBEKISTAN

VU VANUATU

VE VENEZUELA

VN VIET NAM

VI VIRGIN ISLANDS

WF WALLIS AND FUTUNA

YE YEMEN

ZM ZAMBIA

ZW ZIMBABWE

JP JAPAN14

CA CANADA2

config radio-1

Parameter Description Type Size Default

auto Wi-Fi operating standard auto

11A-N-AC-AX Wi-Fi support 802.11 A-N-AC

11A-N-AC Wi-Fi support 802.11 A-N-AC

11A-N Wi-Fi support 802.11 A-N

11A Wi-Fi support 802.11 A

11N-AC-AX Wi-Fi support 802.11 N-AC-AX

11AC-AX Wi-Fi support 802.11 AC-AX

11AC Wi-Fi support 802.11 AC

11N-AC Wi-Fi support 802.11 N-AC

11B-G-N-AX Wi-Fi support 802.11 B-G-N-AX

11B-G-N Wi-Fi support 802.11 B-G-N

11B-G Wi-Fi support 802.11 B-G

11B Wi-Fi support 802.11 B

11G-N-AX Wi-Fi support 802.11 G-N-AX

CH1 Channel 1

CH2 Channel 2

CH3 Channel 3

CH4 Channel 4

CH5 Channel 5

CH6 Channel 6

CH7 Channel 7

CH8 Channel 8

CH9 Channel 9

CH10 Channel 10

CH11 Channel 11

bandwidth Wi-Fi channel bandwidth. option - auto

Option Description

auto Wi-Fi channel bandwidth auto

20MHz Wi-Fi channel bandwidth 20MHz

40MHz Wi-Fi channel bandwidth 40MHz

80MHz Wi-Fi channel bandwidth 80MHz

FortiOS 7.4.4 CLI Reference 197

Fortinet Inc.
Parameter Description Type Size Default

power-level Wi-Fi power level in percent. integer Minimum 100

value: 0
Maximum
value: 100

beacon- Wi-Fi beacon interval in miliseconds. integer Minimum 100

interval value: 100
Maximum
value: 3500

80211d Enable/disable Wi-Fi 802.11d. option - enable

Option Description

disable Disable 802.11d.

enable Enable 802.11d.

max-clients Maximum number of Wi-Fi radio clients. integer Minimum 0

value: 0
Maximum
value: 512

extension- Wi-Fi extension channel. option - auto

channel

Option Description

auto Wi-Fi extension channel auto.

higher Wi-Fi extension channel higher.

lower Wi-Fi extension channel lower.

bss-color- Wi-Fi 802.11AX BSS color mode. option - auto

mode

Option Description

auto Wi-Fi BSS color mode auto.

static Wi-Fi BSS color mode static.

bss-color Wi-Fi 802.11AX BSS color value. integer Minimum 0

value: 0
Maximum
value: 63

lan-ext-vap Wi-Fi LAN-Extention VAP. Select only one VAP. string Maximum
length: 31

local-vaps Wi-Fi local VAP. Select up to three VAPs. string Maximum

<name> Wi-Fi local VAP name. length: 79

FortiOS 7.4.4 CLI Reference 198

Fortinet Inc.
config radio-2

Parameter Description Type Size Default

mode Wi-Fi radio mode AP(LAN mode) / Client(WAN mode). option - AP

Option Description

AP AP Mode (LAN mode)

Client Client mode (WAN mode)

band Wi-Fi band selection 2.4GHz / 5GHz. option - 5GHz

11A-N Wi-Fi support 802.11 A-N

11A Wi-Fi support 802.11 A

11N-AC-AX Wi-Fi support 802.11 N-AC-AX

11AC-AX Wi-Fi support 802.11 AC-AX

11AC Wi-Fi support 802.11 AC

11N-AC Wi-Fi support 802.11 N-AC

11B-G-N-AX Wi-Fi support 802.11 B-G-N-AX

CH44 Channel 44

CH48 Channel 48

CH52 Channel 52

CH56 Channel 56

CH60 Channel 60

CH64 Channel 64

CH100 Channel 100

CH104 Channel 104

CH108 Channel 108

CH112 Channel 112

CH116 Channel 116

CH120 Channel 120

CH124 Channel 124

CH128 Channel 128

FortiOS 7.4.4 CLI Reference 200

Fortinet Inc.
Parameter Description Type Size Default

Option Description

CH132 Channel 132

CH136 Channel 136

CH140 Channel 140

CH144 Channel 144

CH149 Channel 149

CH153 Channel 153

CH157 Channel 157

CH161 Channel 161

CH165 Channel 165

bandwidth Wi-Fi channel bandwidth. option - auto

Option Description

auto Wi-Fi channel bandwidth auto

20MHz Wi-Fi channel bandwidth 20MHz

40MHz Wi-Fi channel bandwidth 40MHz

80MHz Wi-Fi channel bandwidth 80MHz

power-level Wi-Fi power level in percent. integer Minimum 100

value: 0
Maximum
value: 100

beacon- Wi-Fi beacon interval in miliseconds. integer Minimum 100

interval value: 100
Maximum
value: 3500

80211d Enable/disable Wi-Fi 802.11d. option - enable

Option Description

disable Disable 802.11d.

enable Enable 802.11d.

max-clients Maximum number of Wi-Fi radio clients. integer Minimum 0

value: 0
Maximum
value: 512

FortiOS 7.4.4 CLI Reference 201

Fortinet Inc.
Parameter Description Type Size Default

extension- Wi-Fi extension channel. option - auto

channel

Option Description

auto Wi-Fi extension channel auto.

higher Wi-Fi extension channel higher.

lower Wi-Fi extension channel lower.

bss-color- Wi-Fi 802.11AX BSS color mode. option - auto

mode

Option Description

auto Wi-Fi BSS color mode auto.

static Wi-Fi BSS color mode static.

bss-color Wi-Fi 802.11AX BSS color value. integer Minimum 0

value: 0
Maximum
value: 63

lan-ext-vap Wi-Fi LAN-Extention VAP. Select only one VAP. string Maximum
length: 31

local-vaps Wi-Fi local VAP. Select up to three VAPs. string Maximum

<name> Wi-Fi local VAP name. length: 79

config extension-controller extender-vap

FortiExtender wifi vap configuration.

config extension-controller extender-vap
Description: FortiExtender wifi vap configuration.
edit <name>
set allowaccess {option1}, {option2}, ...
set auth-server-address {string}
set auth-server-port {integer}
set auth-server-secret {string}
set broadcast-ssid [disable|enable]
set bss-color-partial [disable|enable]
set dtim {integer}
set end-ip {ipv4-address}
set ip-address {ipv4-classnet-host}
set max-clients {integer}
set mu-mimo [disable|enable]
set passphrase {password}
set pmf [disabled|optional|...]
set rts-threshold {integer}
set sae-password {password}

FortiOS 7.4.4 CLI Reference 202

Fortinet Inc.
set security [OPEN|WPA2-Personal|...]
set ssid {string}
set start-ip {ipv4-address}
set target-wake-time [disable|enable]
set type [local-vap|lan-ext-vap]
next
end

config extension-controller extender-vap

Parameter Description Type Size Default

allowaccess Control management access to the managed extender. option -

Separate entries with a space.

Option Description

ping PING access.

telnet TELNET access.

http HTTP access.

https HTTPS access.

ssh SSH access.

snmp SNMP access.

auth-server- Wi-Fi Authentication Server Address (IPv4 format). string Maximum

address length: 63

auth-server- Wi-Fi Authentication Server Port. integer Minimum 0

port value: 1
Maximum
value:
65535

auth-server- Wi-Fi Authentication Server Secret. string Maximum

secret length: 63

broadcast-ssid Wi-Fi broadcast SSID enable / disable. option - enable

Option Description

disable Disable broadcast SSID.

enable Enable broadcast SSID.

bss-color- Wi-Fi 802.11AX bss color partial enable / disable, option - enable
partial default = enable.

FortiOS 7.4.4 CLI Reference 203

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable bss color partial.

enable Enable bss color partial.

dtim Wi-Fi DTIM default = 1. integer Minimum 1

value: 1
Maximum
value: 255

end-ip End ip address. ipv4- Not 0.0.0.0

address Specified

ip-address Extender ip address. ipv4- Not 0.0.0.0

classnet- Specified 0.0.0.0
host

max-clients Wi-Fi max clients integer Minimum 0

value: 0
Maximum
value: 512

mu-mimo Wi-Fi multi-user MIMO enable / disable, default = option - enable

enable.

Option Description

disable Disable multi-user MIMO.

enable Enable multi-user MIMO.

name Wi-Fi VAP name. string Maximum

length: 15

passphrase Wi-Fi passphrase. password Not

Specified

pmf Wi-Fi pmf enable/disable, default = disable. option - disabled

Option Description

disabled Disable PMF (Protected Management Frames).

optional Set PMF (Protected Management Frames) optional.

required Require PMF (Protected Management Frames).

rts-threshold Wi-Fi RTS Threshold. integer Minimum 2347

value: 256
Maximum
value: 2347

FortiOS 7.4.4 CLI Reference 204

Fortinet Inc.
Parameter Description Type Size Default

sae-password Wi-Fi SAE Password. password Not

Specified

security Wi-Fi security. option - WPA2-

Personal

Option Description

OPEN Wi-Fi security OPEN

WPA2-Personal Wi-Fi security WPA2 Personal

WPA-WPA2- Wi-Fi security WPA-WPA2 Personal

Personal

WPA3-SAE Wi-Fi security WPA3 SAE

WPA3-SAE- Wi-Fi security WPA3 SAE Transition

Transition

WPA2- Wi-Fi security WPA2 Enterprise

Enterprise

WPA3- Wi-Fi security WPA3 Enterprise only

Enterprise-only

WPA3- Wi-Fi security WPA3 Enterprise Transition

Enterprise-
transition

WPA3- Wi-Fi security WPA3 Enterprise 192-bit

Enterprise-192-
bit

ssid Wi-Fi SSID. string Maximum

length: 32

start-ip Start ip address. ipv4- Not 0.0.0.0

address Specified

target-wake- Wi-Fi 802.11AX target wake time enable / disable, option - enable
time default = enable.

Option Description

disable Disable target wake time.

enable Enable target wake time.

type Wi-Fi VAP type local-vap / lan-extension-vap. option -

Option Description

local-vap Local VAP.

FortiOS 7.4.4 CLI Reference 205

Fortinet Inc.
Parameter Description Type Size Default

Option Description

lan-ext-vap Lan Extension VAP.

config extension-controller extender

Extender controller configuration.

config extension-controller extender
Description: Extender controller configuration.
edit <name>
set allowaccess {option1}, {option2}, ...
set authorized [discovered|disable|...]
set bandwidth-limit {integer}
set description {string}
set device-id {integer}
set enforce-bandwidth [enable|disable]
set ext-name {string}
set extension-type [wan-extension|lan-extension]
set firmware-provision-latest [disable|once]
set id {string}
set login-password {password}
set login-password-change [yes|default|...]
set override-allowaccess [enable|disable]
set override-enforce-bandwidth [enable|disable]
set override-login-password-change [enable|disable]
set profile {string}
set vdom {integer}
config wan-extension
Description: FortiExtender wan extension configuration.
set modem1-extension {string}
set modem2-extension {string}
end
next
end

enable Controller is configured to provide service to this FortiExtender.

bandwidth- FortiExtender LAN extension bandwidth limit integer Minimum 1024

limit (Mbps). value: 1
Maximum
value:
16776000

description Description. string Maximum

length: 255

device-id Device ID. integer Minimum 1026

value: 0
Maximum
value:
4294967295

enforce- Enable/disable enforcement of bandwidth on LAN option - disable

bandwidth extension interface.

length: 19

login- Set the managed extender's administrator password Not Specified

password password.

login- Change or reset the administrator password of a option - no

password- managed extender.
change

Option Description

yes Change the managed extender's administrator password. Use the login-
password option to set the password.

default Keep the managed extender's administrator password set to the factory
default.

no Do not change the managed extender's administrator password.

name FortiExtender entry name. string Maximum

length: 19

override- Enable to override the extender profile option - disable

allowaccess management access configuration.

Option Description

enable Override the extender profile management access configuration.

disable Use the extender profile management access configuration.

override- Enable to override the extender profile enforce- option - disable

enforce- bandwidth setting.
bandwidth

Option Description

enable Enable override of FortiExtender profile bandwidth setting.

disable Disable override of FortiExtender profile bandwidth setting.

FortiOS 7.4.4 CLI Reference 208

Fortinet Inc.
Parameter Description Type Size Default

override-login- Enable to override the extender profile login- option - disable

password- password (administrator password) setting.
change

Option Description

enable Override the WTP profile login-password (administrator password) setting.

disable Use the the WTP profile login-password (administrator password) setting.

profile FortiExtender profile configuration. string Maximum

length: 31

vdom VDOM. integer Minimum 1

value: 0
Maximum
value:
4294967295

config wan-extension

Parameter Description Type Size Default

modem1- FortiExtender interface name. string Maximum

extension length: 31

modem2- FortiExtender interface name. string Maximum

extension length: 31

config extension-controller fortigate-profile

FortiGate connector profile configuration.

config extension-controller fortigate-profile
Description: FortiGate connector profile configuration.
edit <name>
set extension {option}
set id {integer}
config lan-extension
Description: FortiGate connector LAN extension configuration.
set ipsec-tunnel {string}
set backhaul-interface {string}
set backhaul-ip {string}
end
next
end

FortiOS 7.4.4 CLI Reference 209

Fortinet Inc.
config extension-controller fortigate-profile

Parameter Description Type Size Default

extension Extension option. option - lan-

extension

Option Description

lan-extension LAN extension.

id ID. integer Minimum 32

value: 0
Maximum
value:
102400000

name FortiGate connector profile name. string Maximum

length: 31

config lan-extension

Parameter Description Type Size Default

ipsec-tunnel IPsec tunnel name. string Maximum

length: 15

backhaul- IPsec phase1 interface. string Maximum

interface length: 15

backhaul-ip IPsec phase1 IPv4/FQDN. Used to specify the external string Maximum
IP/FQDN when the FortiGate unit is behind a NAT length: 63
device.

config extension-controller fortigate

FortiGate controller configuration.

config extension-controller fortigate
Description: FortiGate controller configuration.
edit <name>
set authorized [discovered|disable|...]
set description {string}
set device-id {integer}
set hostname {string}
set id {string}
set profile {string}
set vdom {integer}
next
end

FortiOS 7.4.4 CLI Reference 210

Fortinet Inc.
config extension-controller fortigate

Parameter Description Type Size Default

authorized Enable/disable FortiGate administration. option - discovered

Option Description

discovered Controller discovered this FortiGate.

disable Controller is configured to not provide service to this FortiGate.

enable Controller is configured to provide service to this FortiGate.

description Description. string Maximum

length: 255

device-id Device ID. integer Minimum 1026

value: 0
Maximum
value:
4294967295

hostname FortiGate hostname. string Maximum

length: 31

id FortiGate serial number. string Maximum

length: 19

name FortiGate entry name. string Maximum

length: 19

profile FortiGate profile configuration. string Maximum

length: 31

vdom VDOM. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 211

Fortinet Inc.
file-filter

This section includes syntax for the following commands:

l config file-filter profile on page 212

config file-filter profile

disable Disable logging.

enable Enable logging.

name Profile name. string Maximum

length: 35

replacemsg- Replacement message group. string Maximum

group length: 35

scan-archive- Enable/disable archive contents scan. option - enable

contents

Option Description

disable Disable scanning archive contents.

enable Enable scanning archive contents.

config rules

Parameter Description Type Size Default

name File-filter rule name. string Maximum

length: 35

comment Comment. var-string Maximum

length: 255

protocol Protocols to apply rule to. option - http ftp

smtp imap
pop3 mapi
cifs ssh

Option Description

http Filter on HTTP.

ftp Filter on FTP.

smtp Filter on SMTP.

FortiOS 7.4.4 CLI Reference 213

Fortinet Inc.
Parameter Description Type Size Default

Option Description

imap Filter on IMAP.

pop3 Filter on POP3.

mapi Filter on MAPI. (Proxy mode only.)

cifs Filter on CIFS.

ssh Filter on SFTP and SCP. (Proxy mode only.)

action Action taken for matched file. option - log-only

Option Description

log-only Allow the content and write a log message.

block Block the content and write a log message.

direction Traffic direction (HTTP, FTP, SSH, CIFS, and MAPI option - any
only).

Option Description

incoming Match files transmitted in the session's reply direction.

outgoing Match files transmitted in the session's originating direction.

any Match files transmitted in the session's originating and reply directions.

password- Match password-protected files. option - any

protected

Option Description

yes Match only password-protected files.

any Match any file.

file-type Select file type. string Maximum

<name> File type name. length: 39

FortiOS 7.4.4 CLI Reference 214

Fortinet Inc.
firewall

This section includes syntax for the following commands:

l config firewall DoS-policy on page 217
l config firewall DoS-policy6 on page 219
l config firewall access-proxy-ssh-client-cert on page 222
l config firewall access-proxy-virtual-host on page 224
l config firewall access-proxy on page 225
l config firewall access-proxy6 on page 251
l config firewall acl on page 278
l config firewall acl6 on page 280
l config firewall address on page 281
l config firewall address6-template on page 287
l config firewall address6 on page 288
l config firewall addrgrp on page 292
l config firewall addrgrp6 on page 294
l config firewall auth-portal on page 296
l config firewall central-snat-map on page 297
l config firewall city on page 299
l config firewall country on page 300
l config firewall decrypted-traffic-mirror on page 300
l config firewall dnstranslation on page 301
l config firewall global on page 302
l config firewall identity-based-route on page 303
l config firewall interface-policy on page 304
l config firewall interface-policy6 on page 307
l config firewall internet-service-addition on page 310
l config firewall internet-service-append on page 312
l config firewall internet-service-botnet on page 313
l config firewall internet-service-custom-group on page 313
l config firewall internet-service-custom on page 314
l config firewall internet-service-definition on page 316
l config firewall internet-service-extension on page 317
l config firewall internet-service-group on page 321
l config firewall internet-service-ipbl-reason on page 322
l config firewall internet-service-ipbl-vendor on page 322
l config firewall internet-service-list on page 323
l config firewall internet-service-name on page 323
l config firewall internet-service-owner on page 324
l config firewall internet-service-reputation on page 325

FortiOS 7.4.4 CLI Reference 215

Fortinet Inc.
l config firewall internet-service-sld on page 325
l config firewall internet-service-subapp on page 326
l config firewall internet-service on page 327
l config firewall ip-translation on page 329
l config firewall ipmacbinding setting on page 329
l config firewall ipmacbinding table on page 330
l config firewall ippool on page 331
l config firewall ippool6 on page 336
l config firewall ipv6-eh-filter on page 337
l config firewall ldb-monitor on page 338
l config firewall local-in-policy on page 340
l config firewall local-in-policy6 on page 343
l config firewall multicast-address on page 346
l config firewall multicast-address6 on page 348
l config firewall multicast-policy on page 349
l config firewall multicast-policy6 on page 352
l config firewall network-service-dynamic on page 354
l config firewall on-demand-sniffer on page 355
l config firewall policy on page 356
l config firewall profile-group on page 380
l config firewall profile-protocol-options on page 382
l config firewall proxy-address on page 406
l config firewall proxy-addrgrp on page 410
l config firewall proxy-policy on page 412
l config firewall region on page 421
l config firewall schedule group on page 421
l config firewall schedule onetime on page 422
l config firewall schedule recurring on page 423
l config firewall security-policy on page 424
l config firewall service category on page 434
l config firewall service custom on page 435
l config firewall service group on page 439
l config firewall shaper per-ip-shaper on page 440
l config firewall shaper traffic-shaper on page 442
l config firewall shaping-policy on page 445
l config firewall shaping-profile on page 450
l config firewall sniffer on page 452
l config firewall ssh host-key on page 458
l config firewall ssh local-ca on page 460
l config firewall ssh local-key on page 460
l config firewall ssh setting on page 461
l config firewall ssl-server on page 462
l config firewall ssl-ssh-profile on page 465

FortiOS 7.4.4 CLI Reference 216

Fortinet Inc.
l config firewall ssl setting on page 494
l config firewall traffic-class on page 496
l config firewall ttl-policy on page 497
l config firewall vendor-mac on page 498
l config firewall vip on page 498
l config firewall vip6 on page 532
l config firewall vipgrp on page 564
l config firewall vipgrp6 on page 565
l config firewall wildcard-fqdn custom on page 566
l config firewall wildcard-fqdn group on page 567

config firewall DoS-policy

Configure IPv4 DoS policies.

config firewall DoS-policy
Description: Configure IPv4 DoS policies.
edit <policyid>
config anomaly
Description: Anomaly name.
edit <name>
set status [disable|enable]
set log [enable|disable]
set action [pass|block]
set quarantine [none|attacker]
set quarantine-expiry {user}
set quarantine-log [disable|enable]
set threshold {integer}
set threshold(default) {integer}
next
end
set comments {var-string}
set dstaddr <name1>, <name2>, ...
set interface {string}
set name {string}
set service <name1>, <name2>, ...
set srcaddr <name1>, <name2>, ...
set status [enable|disable]
next
end

config firewall DoS-policy

Parameter Description Type Size Default

comments Comment. var-string Maximum

length: 1023

dstaddr Destination address name from available addresses. string Maximum

<name> Address name. length: 79

FortiOS 7.4.4 CLI Reference 217

Fortinet Inc.
Parameter Description Type Size Default

interface Incoming interface name from available interfaces. string Maximum

length: 35

name Policy name. string Maximum

length: 35

policyid Policy ID. integer Minimum 0

value: 0
Maximum
value: 9999
**

service Service object from available options. string Maximum

<name> Service name. length: 79

srcaddr Source address name from available addresses. string Maximum

<name> Address name. length: 79

status Enable/disable this policy. option - enable

Option Description

enable Enable this policy.

disable Disable this policy.

** Values may differ between models.

config anomaly

Parameter Description Type Size Default

name Anomaly name. string Maximum

length: 63

status Enable/disable this anomaly. option - disable

none Quarantine is disabled.

attacker Block all traffic sent from attacker's IP address. The attacker's IP address is
also added to the banned user list. The target's address is not affected.

quarantine- Duration of quarantine.. Requires quarantine set to user Not Specified 5m

expiry attacker.

quarantine- Enable/disable quarantine logging. option - enable

log

Option Description

disable Disable quarantine logging.

enable Enable quarantine logging.

threshold Anomaly threshold. Number of detected instances integer Minimum 0

(packets per second or concurrent session number) value: 1
that triggers the anomaly action. Maximum
value:
2147483647

threshold Number of detected instances. Note that each integer Minimum 0

(default) anomaly has a different threshold value assigned to value: 0
it. Maximum
value:
4294967295

config firewall DoS-policy6

Configure IPv6 DoS policies.

config firewall DoS-policy6
Description: Configure IPv6 DoS policies.
edit <policyid>
config anomaly
Description: Anomaly name.
edit <name>
set status [disable|enable]
set log [enable|disable]
set action [pass|block]

FortiOS 7.4.4 CLI Reference 219

Fortinet Inc.
set quarantine [none|attacker]
set quarantine-expiry {user}
set quarantine-log [disable|enable]
set threshold {integer}
set threshold(default) {integer}
next
end
set comments {var-string}
set dstaddr <name1>, <name2>, ...
set interface {string}
set name {string}
set service <name1>, <name2>, ...
set srcaddr <name1>, <name2>, ...
set status [enable|disable]
next
end

config firewall DoS-policy6

Parameter Description Type Size Default

comments Comment. var-string Maximum

length: 1023

dstaddr Destination address name from available addresses. string Maximum

<name> Address name. length: 79

interface Incoming interface name from available interfaces. string Maximum

length: 35

name Policy name. string Maximum

length: 35

policyid Policy ID. integer Minimum 0

value: 0
Maximum
value: 9999
**

service Service object from available options. string Maximum

<name> Service name. length: 79

srcaddr Source address name from available addresses. string Maximum

<name> Address name. length: 79

status Enable/disable this policy. option - enable

Option Description

enable Enable this policy.

disable Disable this policy.

** Values may differ between models.

FortiOS 7.4.4 CLI Reference 220

Fortinet Inc.
config anomaly

Parameter Description Type Size Default

name Anomaly name. string Maximum

length: 63

status Enable/disable this anomaly. option - disable

Option Description

disable Disable this status.

enable Enable this status.

log Enable/disable anomaly logging. option - disable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

action Action taken when the threshold is reached. option - pass

Option Description

pass Allow traffic but record a log message if logging is enabled.

block Block traffic if this anomaly is found.

quarantine Quarantine method. option - none

Option Description

none Quarantine is disabled.

attacker Block all traffic sent from attacker's IP address. The attacker's IP address is
also added to the banned user list. The target's address is not affected.

quarantine- Duration of quarantine.. Requires quarantine set to user Not Specified 5m

expiry attacker.

quarantine- Enable/disable quarantine logging. option - enable

log

Option Description

disable Disable quarantine logging.

enable Enable quarantine logging.

FortiOS 7.4.4 CLI Reference 221

Fortinet Inc.
Parameter Description Type Size Default

threshold Anomaly threshold. Number of detected instances integer Minimum 0

(packets per second or concurrent session number) value: 1
that triggers the anomaly action. Maximum
value:
2147483647

threshold Number of detected instances. Note that each integer Minimum 0

(default) anomaly has a different threshold value assigned to value: 0
it. Maximum
value:
4294967295

config firewall access-proxy-ssh-client-cert

Configure Access Proxy SSH client certificate.

config firewall access-proxy-ssh-client-cert
Description: Configure Access Proxy SSH client certificate.
edit <name>
set auth-ca {string}
config cert-extension
Description: Configure certificate extension for user certificate.
edit <name>
set critical [no|yes]
set type [fixed|user]
set data {string}
next
end
set permit-agent-forwarding [enable|disable]
set permit-port-forwarding [enable|disable]
set permit-pty [enable|disable]
set permit-user-rc [enable|disable]
set permit-x11-forwarding [enable|disable]
set source-address [enable|disable]
next
end

config firewall access-proxy-ssh-client-cert

Parameter Description Type Size Default

auth-ca Name of the SSH server public key authentication CA. string Maximum
length: 79

name SSH client certificate name. string Maximum

Option Description

enable Enable setting.

disable Disable setting.

FortiOS 7.4.4 CLI Reference 223

Fortinet Inc.
config cert-extension

Parameter Description Type Size Default

name Name of certificate extension. string Maximum

length: 127

critical Critical option. option - no

Option Description

no Certificate extension, server ignores the unsupported certificate extension.

yes Critical option, server refuses to authorize if it cannnot recognize the critical
option.

type Type of certificate extension. option - fixed

Option Description

fixed Fixed certificate extension entry.

user Certificate extension entry filled with authenticated username.

data Data of certificate extension. string Maximum

length: 127

config firewall access-proxy-virtual-host

Configure Access Proxy virtual hosts.

config firewall access-proxy-virtual-host
Description: Configure Access Proxy virtual hosts.
edit <name>
set host {string}
set host-type [sub-string|wildcard]
set replacemsg-group {string}
set ssl-certificate <name1>, <name2>, ...
next
end

config firewall access-proxy-virtual-host

Parameter Description Type Size Default

host The host name. string Maximum

length: 79

host-type Type of host pattern. option - sub-string

FortiOS 7.4.4 CLI Reference 224

Fortinet Inc.
Parameter Description Type Size Default

Option Description

sub-string Match the pattern if a string contains the sub-string.

wildcard Match the pattern with wildcards.

name Virtual host name. string Maximum

length: 79

replacemsg- Access-proxy-virtual-host replacement message string Maximum

group override group. length: 35

ssl-certificate SSL certificates for this host. string Maximum

<name> Certificate list. length: 79

config firewall access-proxy

Configure IPv4 access proxy.

config firewall access-proxy
Description: Configure IPv4 access proxy.
edit <name>
set add-vhost-domain-to-dnsdb [enable|disable]
config api-gateway
Description: Set IPv4 API Gateway.
edit <id>
set url-map {string}
set service [http|https|...]
set ldb-method [static|round-robin|...]
set virtual-host {string}
set url-map-type [sub-string|wildcard|...]
set h2-support [enable|disable]
set h3-support [enable|disable]
config quic
Description: QUIC setting.
set max-idle-timeout {integer}
set max-udp-payload-size {integer}
set active-connection-id-limit {integer}
set ack-delay-exponent {integer}
set max-ack-delay {integer}
set max-datagram-frame-size {integer}
set active-migration [enable|disable]
set grease-quic-bit [enable|disable]
end
config realservers
Description: Select the real servers that this Access Proxy will
distribute traffic to.
edit <id>
set addr-type [ip|fqdn]
set address {string}
set ip {ipv4-address-any}
set domain {string}

FortiOS 7.4.4 CLI Reference 225

Fortinet Inc.
set port {integer}
set mappedport {user}
set status [active|standby|...]
set type [tcp-forwarding|ssh]
set external-auth [enable|disable]
set tunnel-encryption [enable|disable]
set weight {integer}
set http-host {string}
set health-check [disable|enable]
set health-check-proto [ping|http|...]
set holddown-interval [enable|disable]
set translate-host [enable|disable]
set ssh-client-cert {string}
set ssh-host-key-validation [disable|enable]
set ssh-host-key <name1>, <name2>, ...
next
end
set application <name1>, <name2>, ...
set persistence [none|http-cookie]
set http-cookie-domain-from-host [disable|enable]
set http-cookie-domain {string}
set http-cookie-path {string}
set http-cookie-generation {integer}
set http-cookie-age {integer}
set http-cookie-share [disable|same-ip]
set https-cookie-secure [disable|enable]
set saml-server {string}
set saml-redirect [disable|enable]
set ssl-dh-bits [768|1024|...]
set ssl-algorithm [high|medium|...]
config ssl-cipher-suites
Description: SSL/TLS cipher suites to offer to a server, ordered by
priority.
edit <priority>
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-min-version [tls-1.0|tls-1.1|...]
set ssl-max-version [tls-1.0|tls-1.1|...]
set ssl-renegotiation [enable|disable]
set ssl-vpn-web-portal {string}
next
end
config api-gateway6
Description: Set IPv6 API Gateway.
edit <id>
set url-map {string}
set service [http|https|...]
set ldb-method [static|round-robin|...]
set virtual-host {string}
set url-map-type [sub-string|wildcard|...]
set h2-support [enable|disable]
set h3-support [enable|disable]
config quic
Description: QUIC setting.

FortiOS 7.4.4 CLI Reference 226

Fortinet Inc.
set max-idle-timeout {integer}
set max-udp-payload-size {integer}
set active-connection-id-limit {integer}
set ack-delay-exponent {integer}
set max-ack-delay {integer}
set max-datagram-frame-size {integer}
set active-migration [enable|disable]
set grease-quic-bit [enable|disable]
end
config realservers
Description: Select the real servers that this Access Proxy will
distribute traffic to.
edit <id>
set addr-type [ip|fqdn]
set address {string}
set ip {ipv6-address}
set domain {string}
set port {integer}
set mappedport {user}
set status [active|standby|...]
set type [tcp-forwarding|ssh]
set external-auth [enable|disable]
set tunnel-encryption [enable|disable]
set weight {integer}
set http-host {string}
set health-check [disable|enable]
set health-check-proto [ping|http|...]
set holddown-interval [enable|disable]
set translate-host [enable|disable]
set ssh-client-cert {string}
set ssh-host-key-validation [disable|enable]
set ssh-host-key <name1>, <name2>, ...
next
end
set application <name1>, <name2>, ...
set persistence [none|http-cookie]
set http-cookie-domain-from-host [disable|enable]
set http-cookie-domain {string}
set http-cookie-path {string}
set http-cookie-generation {integer}
set http-cookie-age {integer}
set http-cookie-share [disable|same-ip]
set https-cookie-secure [disable|enable]
set saml-server {string}
set saml-redirect [disable|enable]
set ssl-dh-bits [768|1024|...]
set ssl-algorithm [high|medium|...]
config ssl-cipher-suites
Description: SSL/TLS cipher suites to offer to a server, ordered by
priority.
edit <priority>
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-min-version [tls-1.0|tls-1.1|...]

FortiOS 7.4.4 CLI Reference 227

Fortinet Inc.
set ssl-max-version [tls-1.0|tls-1.1|...]
set ssl-renegotiation [enable|disable]
set ssl-vpn-web-portal {string}
next
end
set auth-portal [disable|enable]
set auth-virtual-host {string}
set client-cert [disable|enable]
set decrypted-traffic-mirror {string}
set empty-cert-action [accept|block|...]
set log-blocked-traffic [enable|disable]
set svr-pool-multiplex [enable|disable]
set svr-pool-server-max-concurrent-request {integer}
set svr-pool-server-max-request {integer}
set svr-pool-ttl {integer}
set user-agent-detect [disable|enable]
set vip {string}
next
end

config firewall access-proxy

Parameter Description Type Size Default

add-vhost- Enable/disable adding vhost/domain to dnsdb for option - disable

domain-to- ztna dox tunnel.
dnsdb

Option Description

enable add dns entry for all vhosts used by access proxy.

disable Do not add dns entry for all vhosts used by access proxy.

auth-portal Enable/disable authentication portal. option - disable

Option Description

disable Disable authentication portal.

enable Enable authentication portal.

auth-virtual- Virtual host for authentication portal. string Maximum

host length: 79

client-cert Enable/disable to request client certificate. option - enable

Option Description

disable Disable client certificate request.

enable Enable client certificate request.

enable Enable server pool multiplexing. Share connected server.

disable Disable server pool multiplexing. Do not share connected server.

svr-pool- Maximum number of concurrent requests that servers integer Minimum 0

server-max- in server pool could handle. value: 0
concurrent- Maximum
request value:
2147483647

svr-pool- Maximum number of requests that servers in server integer Minimum 0

server-max- pool handle before disconnecting. value: 0
request Maximum
value:
2147483647

FortiOS 7.4.4 CLI Reference 229

Fortinet Inc.
Parameter Description Type Size Default

svr-pool-ttl Time-to-live in the server pool for idle connections to integer Minimum 15
servers. value: 0
Maximum
value:
2147483647

user-agent- Enable/disable to detect device type by HTTP user- option - enable

detect agent if no client certificate provided.

Option Description

disable Disable to detect unknown device by HTTP user-agent if no client certificate

provided.

enable Enable to detect unknown device by HTTP user-agent if no client certificate

provided.

vip Virtual IP name. string Maximum

length: 79

config api-gateway

Parameter Description Type Size Default

id API Gateway ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

url-map URL pattern to match. string Maximum /

length: 511

service Service. option - https

Option Description

http HTTP.

https HTTPS.

tcp-forwarding TCP-FORWARDING.

samlsp SAML-SP.

web-portal VPN-SSL-WEB-PORTAL.

saas SAAS.

ldb-method Method used to distribute sessions to real servers. option - static

FortiOS 7.4.4 CLI Reference 230

Fortinet Inc.
Parameter Description Type Size Default

Option Description

static Distribute to server based on source IP.

round-robin Distribute to server based round robin order.

weighted Distribute to server based on weight.

first-alive Distribute to the first server that is alive.

http-host Distribute to server based on host field in HTTP header.

virtual-host Virtual host. string Maximum

length: 79

url-map-type Type of url-map. option - sub-string

Option Description

sub-string Match the pattern if a string contains the sub-string.

wildcard Match the pattern with wildcards.

regex Match the pattern with a regular expression.

h2-support HTTP2 support, default=Enable. option - enable

Option Description

enable Enable HTTP2 support.

disable Disable HTTP2 support.

h3-support HTTP3/QUIC support, default=Disable. option - disable

Option Description

enable Enable HTTP3/QUIC support.

disable Disable HTTP3/QUIC support.

application SaaS application controlled by this Access Proxy. string Maximum

<name> SaaS application name. length: 79

persistence Configure how to make sure that clients connect to option - none
the same server every time they make a request
that is part of the same session.

Option Description

none None.

http-cookie HTTP cookie.

FortiOS 7.4.4 CLI Reference 231

Fortinet Inc.
Parameter Description Type Size Default

http-cookie- Enable/disable use of HTTP cookie domain from option - disable

domain-from- host field in HTTP.
host

Option Description

disable Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-
domain setting).

enable Enable use of HTTP cookie domain from host field in HTTP.

http-cookie- Domain that HTTP cookie persistence should apply string Maximum
domain to. length: 35

http-cookie- Limit HTTP cookie persistence to the specified path. string Maximum
path length: 35

http-cookie- Generation of HTTP cookie to be accepted. integer Minimum 0

generation Changing invalidates all existing cookies. value: 0
Maximum
value:
4294967295

exchange for RSA encryption of SSL sessions.

Option Description

768 768-bit Diffie-Hellman prime.

1024 1024-bit Diffie-Hellman prime.

1536 1536-bit Diffie-Hellman prime.

2048 2048-bit Diffie-Hellman prime.

3072 3072-bit Diffie-Hellman prime.

4096 4096-bit Diffie-Hellman prime.

ssl-algorithm Permitted encryption algorithms for the server side option - high
of SSL full mode sessions according to encryption
strength.

Option Description

high High encryption. Allow only AES and ChaCha.

medium Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-min-version Lowest SSL/TLS version acceptable from a server. option - tls-1.1

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-max- Highest SSL/TLS version acceptable from a server. option - tls-1.3

version

FortiOS 7.4.4 CLI Reference 233

Fortinet Inc.
Parameter Description Type Size Default

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl- Enable/disable secure renegotiation to comply with option - enable

renegotiation RFC 5746.

Option Description

enable Enable secure renegotiation.

disable Disable secure renegotiation.

ssl-vpn-web- SSL-VPN web portal. string Maximum

portal length: 35

config quic

Parameter Description Type Size Default

max-idle- Maximum idle timeout milliseconds. integer Minimum 30000

timeout value: 1
Maximum
value:
60000

max-udp- Maximum UDP payload size in bytes. integer Minimum 1500

payload-size value: 1200
Maximum
value: 1500

active- Active connection ID limit. integer Minimum 2

connection-id- value: 1
limit Maximum
value: 8

ack-delay- ACK delay exponent. integer Minimum 3

exponent value: 1
Maximum
value: 20

FortiOS 7.4.4 CLI Reference 234

Fortinet Inc.
Parameter Description Type Size Default

max-ack- Maximum ACK delay in milliseconds. integer Minimum 25

delay value: 1
Maximum
value:
16383

max- Maximum datagram frame size in bytes. integer Minimum 1500

datagram- value: 1
frame-size Maximum
value: 1500

active- Enable/disable active migration. option - disable

migration

Option Description

enable Enable active migration.

disable Disable active migration.

grease-quic- Enable/disable grease QUIC bit. option - enable

bit

Option Description

enable Enable grease QUIC bit.

disable Disable grease QUIC bit.

config realservers

Parameter Description Type Size Default

id Real server ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

addr-type Type of address. option - ip

Option Description

ip Standard IPv4 address.

fqdn Non-wildcard FQDN address object.

address Address or address group of the real server. string Maximum

length: 79

ip IPv6 address of the real server. ipv6- Not Specified ::

address

FortiOS 7.4.4 CLI Reference 235

Fortinet Inc.
Parameter Description Type Size Default

domain Wildcard domain name of the real server. string Maximum

length: 255

port Port for communicating with the real server. integer Minimum 443
value: 1
Maximum
value: 65535

mappedport Port for communicating with the real server. user Not Specified

status Set the status of the real server to active so that it option - active
can accept traffic, or on standby or disabled so no
traffic is sent.

Option Description

active Server status active.

standby Server status standby.

disable Server status disable.

weight Weight of the real server. If weighted load balancing integer Minimum 1
is enabled, the server with the highest weight gets value: 1
more connections. Maximum
value: 255

FortiOS 7.4.4 CLI Reference 236

Fortinet Inc.
Parameter Description Type Size Default

http-host HTTP server domain name in HTTP header. string Maximum

length: 63

health-check Enable to check the responsiveness of the real option - disable

server before forwarding traffic.

Option Description

disable Disable per server health check.

enable Enable per server health check.

health-check- Protocol of the health check monitor to use when option - ping
proto polling to determine server's connectivity status.

Option Description

ping Use PING to test the link with the server.

http Use HTTP-GET to test the link with the server.

tcp-connect Use a full TCP connection to test the link with the server.

holddown- Enable/disable holddown timer. Server will be option - enable

interval considered active and reachable once the holddown
period has expired (30 seconds).

Option Description

enable Enable per server holddown.

disable Disable per server holddown.

translate-host Enable/disable translation of hostname/IP from option - enable

virtual server to real server.

Option Description

enable Enable virtual hostname/IP translation.

disable Disable virtual hostname/IP translation.

ssh-client-cert Set access-proxy SSH client certificate profile. string Maximum

length: 79

ssh-host-key- Enable/disable SSH real server host key validation. option - disable
validation

Option Description

disable Disable SSH real server host key validation.

enable Enable SSH real server host key validation.

FortiOS 7.4.4 CLI Reference 237

Fortinet Inc.
Parameter Description Type Size Default

ssh-host-key One or more server host key. string Maximum

<name> Server host key name. length: 79

config ssl-cipher-suites

Parameter Description Type Size Default

priority SSL/TLS cipher suites priority. integer Minimum 0

value: 0
Maximum
value:
4294967295

cipher Cipher suite name. option -

Option Description

TLS-AES-128- Cipher suite TLS-AES-128-GCM-SHA256.

GCM-SHA256

TLS-AES-256- Cipher suite TLS-AES-256-GCM-SHA384.

GCM-SHA384

TLS- Cipher suite TLS-CHACHA20-POLY1305-SHA256.

CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

RSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

ECDSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

FortiOS 7.4.4 CLI Reference 238

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

RSA-WITH-AES-
128-CBC-SHA

FortiOS 7.4.4 CLI Reference 239

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

RSA-WITH-AES-
128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

RSA-WITH-AES-
128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

RSA-WITH-AES-
256-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

RSA-WITH-AES-
256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

RSA-WITH-AES-
256-GCM-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

ECDSA-WITH-
AES-128-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

ECDSA-WITH-
AES-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

ECDSA-WITH-
AES-128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

ECDSA-WITH-
AES-256-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

ECDSA-WITH-
AES-256-CBC-
SHA384

FortiOS 7.4.4 CLI Reference 240

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

ECDSA-WITH-
AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

AES-128-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

AES-256-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

AES-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

AES-128-GCM-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

AES-256-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

CAMELLIA-128-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

CAMELLIA-256-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

CAMELLIA-128-
CBC-SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

FortiOS 7.4.4 CLI Reference 241

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

FortiOS 7.4.4 CLI Reference 242

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

SEED-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

ARIA-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

RSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

RSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

ECDSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

ECDSA-WITH-
ARIA-256-CBC-
SHA384

FortiOS 7.4.4 CLI Reference 243

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

RSA-WITH-RC4-
128-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

RSA-WITH-
3DES-EDE-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

3DES-EDE-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-MD5.

RC4-128-MD5

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-SHA.

RC4-128-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

DES-CBC-SHA

versions SSL/TLS versions that the cipher suite can be used option - tls-1.0 tls-
with. 1.1 tls-1.2
tls-1.3

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

FortiOS 7.4.4 CLI Reference 244

Fortinet Inc.
config api-gateway6

Parameter Description Type Size Default

id API Gateway ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

url-map URL pattern to match. string Maximum /

length: 511

service Service. option - https

Option Description

http HTTP.

https HTTPS.

tcp-forwarding TCP-FORWARDING.

samlsp SAML-SP.

web-portal VPN-SSL-WEB-PORTAL.

saas SAAS.

ldb-method Method used to distribute sessions to real servers. option - static

Option Description

static Distribute to server based on source IP.

round-robin Distribute to server based round robin order.

weighted Distribute to server based on weight.

first-alive Distribute to the first server that is alive.

http-host Distribute to server based on host field in HTTP header.

virtual-host Virtual host. string Maximum

length: 79

url-map-type Type of url-map. option - sub-string

Option Description

sub-string Match the pattern if a string contains the sub-string.

wildcard Match the pattern with wildcards.

disable Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-
domain setting).

enable Enable use of HTTP cookie domain from host field in HTTP.

http-cookie- Domain that HTTP cookie persistence should apply string Maximum
domain to. length: 35

http-cookie- Limit HTTP cookie persistence to the specified path. string Maximum
path length: 35

http-cookie- Generation of HTTP cookie to be accepted. integer Minimum 0

generation Changing invalidates all existing cookies. value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 246

Fortinet Inc.
Parameter Description Type Size Default

http-cookie-age Time in minutes that client web browsers should integer Minimum 60
keep a cookie. Default is 60 minutes. 0 = no time value: 0
limit. Maximum
value: 525600

http-cookie- Control sharing of cookies across API Gateway. option - same-ip

share Use of same-ip means a cookie from one virtual
server can be used by another. Disable stops cookie
sharing.

Option Description

disable Only allow HTTP cookie to match this API Gateway.

same-ip Allow HTTP cookie to match any API Gateway with same IP.

https-cookie- Enable/disable verification that inserted HTTPS option - disable

secure cookies are secure.

Option Description

disable Do not mark cookie as secure, allow sharing between an HTTP and HTTPS
connection.

enable Mark inserted cookie as secure, cookie can only be used for HTTPS a
connection.

saml-server SAML service provider configuration for VIP string Maximum

authentication. length: 35

saml-redirect Enable/disable SAML redirection after successful option - enable

authentication.

Option Description

disable Do not support redirection after successful SAML authentication.

enable Support redirection after successful SAML authentication.

ssl-dh-bits Number of bits to use in the Diffie-Hellman option - 2048

exchange for RSA encryption of SSL sessions.

Option Description

768 768-bit Diffie-Hellman prime.

1024 1024-bit Diffie-Hellman prime.

1536 1536-bit Diffie-Hellman prime.

2048 2048-bit Diffie-Hellman prime.

FortiOS 7.4.4 CLI Reference 247

Fortinet Inc.
Parameter Description Type Size Default

Option Description

3072 3072-bit Diffie-Hellman prime.

4096 4096-bit Diffie-Hellman prime.

ssl-algorithm Permitted encryption algorithms for the server side option - high
of SSL full mode sessions according to encryption
strength.

Option Description

high High encryption. Allow only AES and ChaCha.

medium Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-min-version Lowest SSL/TLS version acceptable from a server. option - tls-1.1

Parameter Description Type Size Default

max-idle- Maximum idle timeout milliseconds. integer Minimum 30000

timeout value: 1
Maximum
value:
60000

max-udp- Maximum UDP payload size in bytes. integer Minimum 1500

payload-size value: 1200
Maximum
value: 1500

active- Active connection ID limit. integer Minimum 2

connection-id- value: 1
limit Maximum
value: 8

ack-delay- ACK delay exponent. integer Minimum 3

exponent value: 1
Maximum
value: 20

max-ack- Maximum ACK delay in milliseconds. integer Minimum 25

delay value: 1
Maximum
value:
16383

max- Maximum datagram frame size in bytes. integer Minimum 1500

datagram- value: 1
frame-size Maximum
value: 1500

active- Enable/disable active migration. option - disable

migration

grease-quic- Enable/disable grease QUIC bit. option - enable

bit

config realservers

Parameter Description Type Size Default

id Real server ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

addr-type Type of address. option - ip

FortiOS 7.4.4 CLI Reference 249

Fortinet Inc.
Parameter Description Type Size Default

address Address or address group of the real server. string Maximum

length: 79

ip IPv6 address of the real server. ipv6- Not Specified ::

address

domain Wildcard domain name of the real server. string Maximum

length: 255

port Port for communicating with the real server. integer Minimum 443
value: 1
Maximum
value: 65535

mappedport Port for communicating with the real server. user Not Specified

status Set the status of the real server to active so that it option - active
can accept traffic, or on standby or disabled so no
traffic is sent.

type TCP forwarding server type. option - tcp-

forwarding

external-auth Enable/disable use of external browser as user- option - disable

agent for SAML user authentication.

tunnel- Tunnel encryption. option - disable

encryption

weight Weight of the real server. If weighted load balancing integer Minimum 1
is enabled, the server with the highest weight gets value: 1
more connections. Maximum
value: 255

http-host HTTP server domain name in HTTP header. string Maximum

length: 63

health-check Enable to check the responsiveness of the real option - disable

server before forwarding traffic.

health-check- Protocol of the health check monitor to use when option - ping
proto polling to determine server's connectivity status.

holddown- Enable/disable holddown timer. Server will be option - enable

interval considered active and reachable once the holddown
period has expired (30 seconds).

translate-host Enable/disable translation of hostname/IP from option - enable

virtual server to real server.

ssh-client-cert Set access-proxy SSH client certificate profile. string Maximum

length: 79

FortiOS 7.4.4 CLI Reference 250

Fortinet Inc.
Parameter Description Type Size Default

ssh-host-key- Enable/disable SSH real server host key validation. option - disable
validation

ssh-host-key One or more server host key. string Maximum

<name> Server host key name. length: 79

config ssl-cipher-suites

Parameter Description Type Size Default

priority SSL/TLS cipher suites priority. integer Minimum 0

value: 0
Maximum
value:
4294967295

cipher Cipher suite name. option -

versions SSL/TLS versions that the cipher suite can be used option - tls-1.0 tls-
with. 1.1 tls-1.2
tls-1.3

config firewall access-proxy6

Configure IPv6 access proxy.

config firewall access-proxy6
Description: Configure IPv6 access proxy.
edit <name>
set add-vhost-domain-to-dnsdb [enable|disable]
config api-gateway
Description: Set IPv4 API Gateway.
edit <id>
set url-map {string}
set service [http|https|...]
set ldb-method [static|round-robin|...]
set virtual-host {string}
set url-map-type [sub-string|wildcard|...]
set h2-support [enable|disable]
set h3-support [enable|disable]
config quic
Description: QUIC setting.
set max-idle-timeout {integer}
set max-udp-payload-size {integer}
set active-connection-id-limit {integer}
set ack-delay-exponent {integer}
set max-ack-delay {integer}
set max-datagram-frame-size {integer}
set active-migration [enable|disable]
set grease-quic-bit [enable|disable]
end

FortiOS 7.4.4 CLI Reference 251

Fortinet Inc.
config realservers
Description: Select the real servers that this Access Proxy will
distribute traffic to.
edit <id>
set addr-type [ip|fqdn]
set address {string}
set ip {ipv4-address-any}
set domain {string}
set port {integer}
set mappedport {user}
set status [active|standby|...]
set type [tcp-forwarding|ssh]
set external-auth [enable|disable]
set tunnel-encryption [enable|disable]
set weight {integer}
set http-host {string}
set health-check [disable|enable]
set health-check-proto [ping|http|...]
set holddown-interval [enable|disable]
set translate-host [enable|disable]
set ssh-client-cert {string}
set ssh-host-key-validation [disable|enable]
set ssh-host-key <name1>, <name2>, ...
next
end
set application <name1>, <name2>, ...
set persistence [none|http-cookie]
set http-cookie-domain-from-host [disable|enable]
set http-cookie-domain {string}
set http-cookie-path {string}
set http-cookie-generation {integer}
set http-cookie-age {integer}
set http-cookie-share [disable|same-ip]
set https-cookie-secure [disable|enable]
set saml-server {string}
set saml-redirect [disable|enable]
set ssl-dh-bits [768|1024|...]
set ssl-algorithm [high|medium|...]
config ssl-cipher-suites
Description: SSL/TLS cipher suites to offer to a server, ordered by
priority.
edit <priority>
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-min-version [tls-1.0|tls-1.1|...]
set ssl-max-version [tls-1.0|tls-1.1|...]
set ssl-renegotiation [enable|disable]
set ssl-vpn-web-portal {string}
next
end
config api-gateway6
Description: Set IPv6 API Gateway.
edit <id>
set url-map {string}

FortiOS 7.4.4 CLI Reference 252

Fortinet Inc.
set service [http|https|...]
set ldb-method [static|round-robin|...]
set virtual-host {string}
set url-map-type [sub-string|wildcard|...]
set h2-support [enable|disable]
set h3-support [enable|disable]
config quic
Description: QUIC setting.
set max-idle-timeout {integer}
set max-udp-payload-size {integer}
set active-connection-id-limit {integer}
set ack-delay-exponent {integer}
set max-ack-delay {integer}
set max-datagram-frame-size {integer}
set active-migration [enable|disable]
set grease-quic-bit [enable|disable]
end
config realservers
Description: Select the real servers that this Access Proxy will
distribute traffic to.
edit <id>
set addr-type [ip|fqdn]
set address {string}
set ip {ipv6-address}
set domain {string}
set port {integer}
set mappedport {user}
set status [active|standby|...]
set type [tcp-forwarding|ssh]
set external-auth [enable|disable]
set tunnel-encryption [enable|disable]
set weight {integer}
set http-host {string}
set health-check [disable|enable]
set health-check-proto [ping|http|...]
set holddown-interval [enable|disable]
set translate-host [enable|disable]
set ssh-client-cert {string}
set ssh-host-key-validation [disable|enable]
set ssh-host-key <name1>, <name2>, ...
next
end
set application <name1>, <name2>, ...
set persistence [none|http-cookie]
set http-cookie-domain-from-host [disable|enable]
set http-cookie-domain {string}
set http-cookie-path {string}
set http-cookie-generation {integer}
set http-cookie-age {integer}
set http-cookie-share [disable|same-ip]
set https-cookie-secure [disable|enable]
set saml-server {string}
set saml-redirect [disable|enable]
set ssl-dh-bits [768|1024|...]
set ssl-algorithm [high|medium|...]
config ssl-cipher-suites

FortiOS 7.4.4 CLI Reference 253

Fortinet Inc.
Description: SSL/TLS cipher suites to offer to a server, ordered by
priority.
edit <priority>
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-min-version [tls-1.0|tls-1.1|...]
set ssl-max-version [tls-1.0|tls-1.1|...]
set ssl-renegotiation [enable|disable]
set ssl-vpn-web-portal {string}
next
end
set auth-portal [disable|enable]
set auth-virtual-host {string}
set client-cert [disable|enable]
set decrypted-traffic-mirror {string}
set empty-cert-action [accept|block|...]
set log-blocked-traffic [enable|disable]
set svr-pool-multiplex [enable|disable]
set svr-pool-server-max-concurrent-request {integer}
set svr-pool-server-max-request {integer}
set svr-pool-ttl {integer}
set user-agent-detect [disable|enable]
set vip {string}
next
end

config firewall access-proxy6

Parameter Description Type Size Default

add-vhost- Enable/disable adding vhost/domain to dnsdb for option - disable

domain-to- ztna dox tunnel.
dnsdb

Option Description

enable add dns entry for all vhosts used by access proxy.

disable Do not add dns entry for all vhosts used by access proxy.

auth-portal Enable/disable authentication portal. option - disable

Option Description

disable Disable authentication portal.

enable Enable authentication portal.

auth-virtual- Virtual host for authentication portal. string Maximum

host length: 79

server-max- in server pool could handle. value: 0
concurrent- Maximum
request value:
2147483647

FortiOS 7.4.4 CLI Reference 255

Fortinet Inc.
Parameter Description Type Size Default

svr-pool- Maximum number of requests that servers in server integer Minimum 0

server-max- pool handle before disconnecting. value: 0
request Maximum
value:
2147483647

svr-pool-ttl Time-to-live in the server pool for idle connections to integer Minimum 15
servers. value: 0
Maximum
value:
2147483647

user-agent- Enable/disable to detect device type by HTTP user- option - enable

detect agent if no client certificate provided.

Option Description

disable Disable to detect unknown device by HTTP user-agent if no client certificate

provided.

enable Enable to detect unknown device by HTTP user-agent if no client certificate

provided.

vip Virtual IP name. string Maximum

length: 79

config api-gateway

Parameter Description Type Size Default

id API Gateway ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

url-map URL pattern to match. string Maximum /

length: 511

service Service. option - https

Option Description

http HTTP.

https HTTPS.

tcp-forwarding TCP-FORWARDING.

samlsp SAML-SP.

FortiOS 7.4.4 CLI Reference 256

Fortinet Inc.
Parameter Description Type Size Default

Option Description

web-portal VPN-SSL-WEB-PORTAL.

saas SAAS.

ldb-method Method used to distribute sessions to real servers. option - static

Option Description

static Distribute to server based on source IP.

round-robin Distribute to server based round robin order.

weighted Distribute to server based on weight.

first-alive Distribute to the first server that is alive.

http-host Distribute to server based on host field in HTTP header.

virtual-host Virtual host. string Maximum

length: 79

url-map-type Type of url-map. option - sub-string

Option Description

sub-string Match the pattern if a string contains the sub-string.

wildcard Match the pattern with wildcards.

regex Match the pattern with a regular expression.

h2-support HTTP2 support, default=Enable. option - enable

Option Description

enable Enable HTTP2 support.

disable Disable HTTP2 support.

h3-support HTTP3/QUIC support, default=Disable. option - disable

Option Description

enable Enable HTTP3/QUIC support.

disable Disable HTTP3/QUIC support.

application SaaS application controlled by this Access Proxy. string Maximum

<name> SaaS application name. length: 79

FortiOS 7.4.4 CLI Reference 257

Fortinet Inc.
Parameter Description Type Size Default

persistence Configure how to make sure that clients connect to option - none
the same server every time they make a request
that is part of the same session.

Option Description

none None.

http-cookie HTTP cookie.

http-cookie- Enable/disable use of HTTP cookie domain from option - disable

domain-from- host field in HTTP.
host

Option Description

disable Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-
domain setting).

enable Enable use of HTTP cookie domain from host field in HTTP.

http-cookie- Domain that HTTP cookie persistence should apply string Maximum
domain to. length: 35

http-cookie- Limit HTTP cookie persistence to the specified path. string Maximum
path length: 35

http-cookie- Generation of HTTP cookie to be accepted. integer Minimum 0

generation Changing invalidates all existing cookies. value: 0
Maximum
value:
4294967295

exchange for RSA encryption of SSL sessions.

Option Description

768 768-bit Diffie-Hellman prime.

1024 1024-bit Diffie-Hellman prime.

1536 1536-bit Diffie-Hellman prime.

2048 2048-bit Diffie-Hellman prime.

3072 3072-bit Diffie-Hellman prime.

4096 4096-bit Diffie-Hellman prime.

ssl-algorithm Permitted encryption algorithms for the server side option - high
of SSL full mode sessions according to encryption
strength.

Option Description

high High encryption. Allow only AES and ChaCha.

medium Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-min-version Lowest SSL/TLS version acceptable from a server. option - tls-1.1

Option Description

tls-1.0 TLS 1.0.

FortiOS 7.4.4 CLI Reference 259

Fortinet Inc.
Parameter Description Type Size Default

Option Description

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-max- Highest SSL/TLS version acceptable from a server. option - tls-1.3

version

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl- Enable/disable secure renegotiation to comply with option - enable

renegotiation RFC 5746.

Option Description

enable Enable secure renegotiation.

disable Disable secure renegotiation.

ssl-vpn-web- SSL-VPN web portal. string Maximum

portal length: 35

config quic

Parameter Description Type Size Default

max-idle- Maximum idle timeout milliseconds. integer Minimum 30000

timeout value: 1
Maximum
value:
60000

max-udp- Maximum UDP payload size in bytes. integer Minimum 1500

payload-size value: 1200
Maximum
value: 1500

active- Active connection ID limit. integer Minimum 2

connection-id- value: 1
limit Maximum
value: 8

FortiOS 7.4.4 CLI Reference 260

Fortinet Inc.
Parameter Description Type Size Default

ack-delay- ACK delay exponent. integer Minimum 3

exponent value: 1
Maximum
value: 20

max-ack- Maximum ACK delay in milliseconds. integer Minimum 25

delay value: 1
Maximum
value:
16383

max- Maximum datagram frame size in bytes. integer Minimum 1500

datagram- value: 1
frame-size Maximum
value: 1500

active- Enable/disable active migration. option - disable

migration

Option Description

enable Enable active migration.

disable Disable active migration.

grease-quic- Enable/disable grease QUIC bit. option - enable

bit

Option Description

enable Enable grease QUIC bit.

disable Disable grease QUIC bit.

config realservers

Parameter Description Type Size Default

id Real server ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

addr-type Type of address. option - ip

Option Description

ip Standard IPv4 address.

fqdn Non-wildcard FQDN address object.

FortiOS 7.4.4 CLI Reference 261

Fortinet Inc.
Parameter Description Type Size Default

address Address or address group of the real server. string Maximum

length: 79

ip IPv6 address of the real server. ipv6- Not Specified ::

address

domain Wildcard domain name of the real server. string Maximum

length: 255

port Port for communicating with the real server. integer Minimum 443
value: 1
Maximum
value: 65535

mappedport Port for communicating with the real server. user Not Specified

status Set the status of the real server to active so that it option - active
can accept traffic, or on standby or disabled so no
traffic is sent.

Option Description

active Server status active.

standby Server status standby.

disable Server status disable.

type TCP forwarding server type. option - tcp-

forwarding

Option Description

tcp-forwarding TCP forwarding.

ssh SSH.

external-auth Enable/disable use of external browser as user- option - disable

agent for SAML user authentication.

Option Description

enable Enable use of external browser as user-agent for SAML user authentication.

disable Disable use of external browser as user-agent for SAML user authentication.

tunnel- Tunnel encryption. option - disable

encryption

Option Description

enable Enable tcp forwarding tunnel encryption.

disable Disable tcp forwarding tunnel encryption.

FortiOS 7.4.4 CLI Reference 262

Fortinet Inc.
Parameter Description Type Size Default

weight Weight of the real server. If weighted load balancing integer Minimum 1
is enabled, the server with the highest weight gets value: 1
more connections. Maximum
value: 255

http-host HTTP server domain name in HTTP header. string Maximum

length: 63

health-check Enable to check the responsiveness of the real option - disable

server before forwarding traffic.

Option Description

disable Disable per server health check.

enable Enable per server health check.

health-check- Protocol of the health check monitor to use when option - ping
proto polling to determine server's connectivity status.

Option Description

ping Use PING to test the link with the server.

http Use HTTP-GET to test the link with the server.

tcp-connect Use a full TCP connection to test the link with the server.

holddown- Enable/disable holddown timer. Server will be option - enable

interval considered active and reachable once the holddown
period has expired (30 seconds).

Option Description

enable Enable per server holddown.

disable Disable per server holddown.

translate-host Enable/disable translation of hostname/IP from option - enable

virtual server to real server.

Option Description

enable Enable virtual hostname/IP translation.

disable Disable virtual hostname/IP translation.

ssh-client-cert Set access-proxy SSH client certificate profile. string Maximum

length: 79

ssh-host-key- Enable/disable SSH real server host key validation. option - disable
validation

FortiOS 7.4.4 CLI Reference 263

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable SSH real server host key validation.

enable Enable SSH real server host key validation.

ssh-host-key One or more server host key. string Maximum

<name> Server host key name. length: 79

config ssl-cipher-suites

Parameter Description Type Size Default

priority SSL/TLS cipher suites priority. integer Minimum 0

value: 0
Maximum
value:
4294967295

cipher Cipher suite name. option -

Option Description

TLS-AES-128- Cipher suite TLS-AES-128-GCM-SHA256.

GCM-SHA256

TLS-AES-256- Cipher suite TLS-AES-256-GCM-SHA384.

GCM-SHA384

TLS- Cipher suite TLS-CHACHA20-POLY1305-SHA256.

CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

RSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

ECDSA-WITH-
CHACHA20-
POLY1305-
SHA256

FortiOS 7.4.4 CLI Reference 264

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

FortiOS 7.4.4 CLI Reference 265

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

RSA-WITH-AES-
128-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

RSA-WITH-AES-
128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

RSA-WITH-AES-
128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

RSA-WITH-AES-
256-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

RSA-WITH-AES-
256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

RSA-WITH-AES-
256-GCM-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

ECDSA-WITH-
AES-128-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

ECDSA-WITH-
AES-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

ECDSA-WITH-
AES-128-GCM-
SHA256

FortiOS 7.4.4 CLI Reference 266

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

ECDSA-WITH-
AES-256-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

ECDSA-WITH-
AES-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

ECDSA-WITH-
AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

AES-128-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

AES-256-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

AES-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

AES-128-GCM-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

AES-256-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

CAMELLIA-128-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

CAMELLIA-256-
CBC-SHA

FortiOS 7.4.4 CLI Reference 267

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

CAMELLIA-128-
CBC-SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

FortiOS 7.4.4 CLI Reference 268

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

SEED-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

ARIA-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

RSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

RSA-WITH-
ARIA-256-CBC-
SHA384

FortiOS 7.4.4 CLI Reference 269

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

ECDSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

ECDSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

RSA-WITH-RC4-
128-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

RSA-WITH-
3DES-EDE-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

3DES-EDE-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-MD5.

RC4-128-MD5

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-SHA.

RC4-128-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

DES-CBC-SHA

versions SSL/TLS versions that the cipher suite can be used option - tls-1.0 tls-
with. 1.1 tls-1.2
tls-1.3

FortiOS 7.4.4 CLI Reference 270

Fortinet Inc.
Parameter Description Type Size Default

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

config api-gateway6

Parameter Description Type Size Default

id API Gateway ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

url-map URL pattern to match. string Maximum /

length: 511

service Service. option - https

Option Description

http HTTP.

https HTTPS.

tcp-forwarding TCP-FORWARDING.

samlsp SAML-SP.

web-portal VPN-SSL-WEB-PORTAL.

saas SAAS.

ldb-method Method used to distribute sessions to real servers. option - static

Option Description

static Distribute to server based on source IP.

round-robin Distribute to server based round robin order.

weighted Distribute to server based on weight.

first-alive Distribute to the first server that is alive.

http-host Distribute to server based on host field in HTTP header.

FortiOS 7.4.4 CLI Reference 271

Fortinet Inc.
Parameter Description Type Size Default

virtual-host Virtual host. string Maximum

length: 79

url-map-type Type of url-map. option - sub-string

Option Description

sub-string Match the pattern if a string contains the sub-string.

wildcard Match the pattern with wildcards.

regex Match the pattern with a regular expression.

h2-support HTTP2 support, default=Enable. option - enable

Option Description

enable Enable HTTP2 support.

disable Disable HTTP2 support.

h3-support HTTP3/QUIC support, default=Disable. option - disable

Option Description

enable Enable HTTP3/QUIC support.

disable Disable HTTP3/QUIC support.

application SaaS application controlled by this Access Proxy. string Maximum

<name> SaaS application name. length: 79

persistence Configure how to make sure that clients connect to option - none
the same server every time they make a request
that is part of the same session.

Option Description

none None.

http-cookie HTTP cookie.

http-cookie- Enable/disable use of HTTP cookie domain from option - disable

domain-from- host field in HTTP.
host

Option Description

disable Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-
domain setting).

enable Enable use of HTTP cookie domain from host field in HTTP.

FortiOS 7.4.4 CLI Reference 272

Fortinet Inc.
Parameter Description Type Size Default

http-cookie- Domain that HTTP cookie persistence should apply string Maximum
domain to. length: 35

http-cookie- Limit HTTP cookie persistence to the specified path. string Maximum
path length: 35

http-cookie- Generation of HTTP cookie to be accepted. integer Minimum 0

generation Changing invalidates all existing cookies. value: 0
Maximum
value:
4294967295

http-cookie-age Time in minutes that client web browsers should integer Minimum 60
keep a cookie. Default is 60 minutes. 0 = no time value: 0
limit. Maximum
value: 525600

http-cookie- Control sharing of cookies across API Gateway. option - same-ip

share Use of same-ip means a cookie from one virtual
server can be used by another. Disable stops cookie
sharing.

Option Description

disable Only allow HTTP cookie to match this API Gateway.

same-ip Allow HTTP cookie to match any API Gateway with same IP.

https-cookie- Enable/disable verification that inserted HTTPS option - disable

secure cookies are secure.

Option Description

disable Do not mark cookie as secure, allow sharing between an HTTP and HTTPS
connection.

enable Mark inserted cookie as secure, cookie can only be used for HTTPS a
connection.

saml-server SAML service provider configuration for VIP string Maximum

authentication. length: 35

saml-redirect Enable/disable SAML redirection after successful option - enable

authentication.

Option Description

disable Do not support redirection after successful SAML authentication.

enable Support redirection after successful SAML authentication.

FortiOS 7.4.4 CLI Reference 273

Fortinet Inc.
Parameter Description Type Size Default

ssl-dh-bits Number of bits to use in the Diffie-Hellman option - 2048

exchange for RSA encryption of SSL sessions.

Option Description

768 768-bit Diffie-Hellman prime.

1024 1024-bit Diffie-Hellman prime.

1536 1536-bit Diffie-Hellman prime.

2048 2048-bit Diffie-Hellman prime.

3072 3072-bit Diffie-Hellman prime.

4096 4096-bit Diffie-Hellman prime.

ssl-algorithm Permitted encryption algorithms for the server side option - high
of SSL full mode sessions according to encryption
strength.

Option Description

high High encryption. Allow only AES and ChaCha.

medium Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-min-version Lowest SSL/TLS version acceptable from a server. option - tls-1.1

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-max- Highest SSL/TLS version acceptable from a server. option - tls-1.3

version

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

FortiOS 7.4.4 CLI Reference 274

Fortinet Inc.
Parameter Description Type Size Default

ssl- Enable/disable secure renegotiation to comply with option - enable

renegotiation RFC 5746.

Option Description

enable Enable secure renegotiation.

disable Disable secure renegotiation.

ssl-vpn-web- SSL-VPN web portal. string Maximum

portal length: 35

config quic

Parameter Description Type Size Default

max-idle- Maximum idle timeout milliseconds. integer Minimum 30000

timeout value: 1
Maximum
value:
60000

max-udp- Maximum UDP payload size in bytes. integer Minimum 1500

payload-size value: 1200
Maximum
value: 1500

active- Active connection ID limit. integer Minimum 2

connection-id- value: 1
limit Maximum
value: 8

ack-delay- ACK delay exponent. integer Minimum 3

exponent value: 1
Maximum
value: 20

max-ack- Maximum ACK delay in milliseconds. integer Minimum 25

delay value: 1
Maximum
value:
16383

max- Maximum datagram frame size in bytes. integer Minimum 1500

datagram- value: 1
frame-size Maximum
value: 1500

active- Enable/disable active migration. option - disable

migration

FortiOS 7.4.4 CLI Reference 275

Fortinet Inc.
Parameter Description Type Size Default

grease-quic- Enable/disable grease QUIC bit. option - enable

bit

config realservers

Parameter Description Type Size Default

id Real server ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

addr-type Type of address. option - ip

address Address or address group of the real server. string Maximum

length: 79

ip IPv6 address of the real server. ipv6- Not Specified ::

address

domain Wildcard domain name of the real server. string Maximum

length: 255

port Port for communicating with the real server. integer Minimum 443
value: 1
Maximum
value: 65535

mappedport Port for communicating with the real server. user Not Specified

status Set the status of the real server to active so that it option - active
can accept traffic, or on standby or disabled so no
traffic is sent.

type TCP forwarding server type. option - tcp-

forwarding

external-auth Enable/disable use of external browser as user- option - disable

agent for SAML user authentication.

tunnel- Tunnel encryption. option - disable

encryption

weight Weight of the real server. If weighted load balancing integer Minimum 1
is enabled, the server with the highest weight gets value: 1
more connections. Maximum
value: 255

http-host HTTP server domain name in HTTP header. string Maximum

length: 63

FortiOS 7.4.4 CLI Reference 276

Fortinet Inc.
Parameter Description Type Size Default

health-check Enable to check the responsiveness of the real option - disable

server before forwarding traffic.

health-check- Protocol of the health check monitor to use when option - ping
proto polling to determine server's connectivity status.

holddown- Enable/disable holddown timer. Server will be option - enable

interval considered active and reachable once the holddown
period has expired (30 seconds).

translate-host Enable/disable translation of hostname/IP from option - enable

virtual server to real server.

ssh-client-cert Set access-proxy SSH client certificate profile. string Maximum

length: 79

ssh-host-key- Enable/disable SSH real server host key validation. option - disable
validation

ssh-host-key One or more server host key. string Maximum

<name> Server host key name. length: 79

config ssl-cipher-suites

Parameter Description Type Size Default

priority SSL/TLS cipher suites priority. integer Minimum 0

value: 0
Maximum
value:
4294967295

cipher Cipher suite name. option -

versions SSL/TLS versions that the cipher suite can be used option - tls-1.0 tls-
with. 1.1 tls-1.2
tls-1.3

FortiOS 7.4.4 CLI Reference 277

Fortinet Inc.
config firewall acl

This command is available for model(s): FortiGate 1000F, FortiGate 1001F, FortiGate 100F,
FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 140E-POE, FortiGate 140E,
FortiGate 1800F, FortiGate 1801F, FortiGate 2000E, FortiGate 200F, FortiGate 201F,
FortiGate 2200E, FortiGate 2201E, FortiGate 2500E, FortiGate 2600F, FortiGate 2601F,
FortiGate 3000D, FortiGate 3000F, FortiGate 3001F, FortiGate 300E, FortiGate 301E,
FortiGate 3100D, FortiGate 3200D, FortiGate 3200F, FortiGate 3201F, FortiGate 3300E,
FortiGate 3301E, FortiGate 3400E, FortiGate 3401E, FortiGate 3500F, FortiGate 3501F,
FortiGate 3600E, FortiGate 3601E, FortiGate 3700D, FortiGate 3700F, FortiGate 3701F,
FortiGate 3960E, FortiGate 3980E, FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F,
FortiGate 401E, FortiGate 401F, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F,
FortiGate 4401F, FortiGate 500E, FortiGate 501E, FortiGate 600E, FortiGate 600F, FortiGate
601E, FortiGate 601F.
It is not available for: FortiGate 1000D, FortiGate 200E, FortiGate 201E, FortiGate 40F 3G4G,
FortiGate 40F, FortiGate 5001E1, FortiGate 5001E, FortiGate 60E DSLJ, FortiGate 60E DSL,
FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E, FortiGate 61F, FortiGate
70F, FortiGate 71F, FortiGate 800D, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F
Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 81E-POE, FortiGate 81E, FortiGate
81F-POE, FortiGate 81F, FortiGate 900D, FortiGate 90E, FortiGate 91E, FortiGate VM64,
FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiGateRugged 70F 3G4G,
FortiGateRugged 70F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSLJ, FortiWiFi 60E
DSL, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi
81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.

Configure IPv4 access control list.

config firewall acl
Description: Configure IPv4 access control list.
edit <policyid>
set comments {var-string}
set dstaddr <name1>, <name2>, ...
set fragment [pass|drop]
set interface {string}
set name {string}
set service <name1>, <name2>, ...
set srcaddr <name1>, <name2>, ...
set status [enable|disable]
next
end

config firewall acl

Parameter Description Type Size Default

comments Comment. var-string Maximum

length: 1023

dstaddr Destination address name. string Maximum

<name> Address name. length: 79

FortiOS 7.4.4 CLI Reference 278

Fortinet Inc.
Parameter Description Type Size Default

fragment Pass/drop fragments that match L3 information. option - pass

Option Description

pass Pass fragments that match interface, srcaddr, and dstaddr.

drop Drop fragments that match interface, srcaddr, and dstaddr.

interface Interface name. string Maximum

length: 35

name Policy name. string Maximum

length: 35

policyid Policy ID. integer Minimum 0

value: 0
Maximum
value: 9999

service Service name. string Maximum

<name> Service name. length: 79

srcaddr Source address name. string Maximum

<name> Address name. length: 79

status Enable/disable access control list status. option - enable

Option Description

enable Enable access control list status.

disable Disable access control list status.

FortiOS 7.4.4 CLI Reference 279

Fortinet Inc.
config firewall acl6

Configure IPv6 access control list.

config firewall acl6
Description: Configure IPv6 access control list.
edit <policyid>
set comments {var-string}
set dstaddr <name1>, <name2>, ...
set fragment [pass|drop]
set interface {string}
set name {string}
set service <name1>, <name2>, ...
set srcaddr <name1>, <name2>, ...
set status [enable|disable]
next
end

config firewall acl6

Parameter Description Type Size Default

comments Comment. var-string Maximum

length: 1023

dstaddr Destination address name. string Maximum

<name> Address name. length: 79

FortiOS 7.4.4 CLI Reference 280

Fortinet Inc.
Parameter Description Type Size Default

fragment Pass/drop fragments that match L3 information. option - pass

Option Description

pass Pass fragments that match interface, srcaddr, and dstaddr.

drop Drop fragments that match interface, srcaddr, and dstaddr.

interface Interface name. string Maximum

length: 35

name Policy name. string Maximum

length: 35

policyid Policy ID. integer Minimum 0

value: 0
Maximum
value: 9999

service Service name. string Maximum

<name> Service name. length: 79

srcaddr Source address name. string Maximum

<name> Address name. length: 79

status Enable/disable access control list status. option - enable

Option Description

enable Enable access control list status.

disable Disable access control list status.

config firewall address

Configure IPv4 addresses.

config firewall address
Description: Configure IPv4 addresses.
edit <name>
set allow-routing [enable|disable]
set associated-interface {string}
set cache-ttl {integer}
set clearpass-spt [unknown|healthy|...]
set color {integer}
set comment {var-string}
set country {string}
set end-ip {ipv4-address-any}
set epg-name {string}
set fabric-object [enable|disable]
set filter {var-string}
set fqdn {string}
set fsso-group <name1>, <name2>, ...

FortiOS 7.4.4 CLI Reference 281

Fortinet Inc.
set hw-model {string}
set hw-vendor {string}
set interface {string}
config list
Description: IP address list.
edit <ip>
next
end
set macaddr <macaddr1>, <macaddr2>, ...
set node-ip-only [enable|disable]
set obj-id {var-string}
set obj-tag {string}
set obj-type [ip|mac]
set organization {string}
set os {string}
set policy-group {string}
set route-tag {integer}
set sdn {string}
set sdn-addr-type [private|public|...]
set sdn-tag {string}
set start-ip {ipv4-address-any}
set sub-type [sdn|clearpass-spt|...]
set subnet {ipv4-classnet-any}
set subnet-name {string}
set sw-version {string}
set tag-detection-level {string}
set tag-type {string}
config tagging
Description: Config object tagging.
edit <name>
set category {string}
set tags <name1>, <name2>, ...
next
end
set tenant {string}
set type [ipmask|iprange|...]
set uuid {uuid}
set wildcard {ipv4-classnet-any}
set wildcard-fqdn {string}
next
end

config firewall address

Parameter Description Type Size Default

allow-routing Enable/disable use of this address in the static option - disable

route configuration.

Option Description

enable Enable use of this address in the static route configuration.

disable Disable use of this address in the static route configuration.

FortiOS 7.4.4 CLI Reference 282

Fortinet Inc.
Parameter Description Type Size Default

associated- Network interface associated with address. string Maximum

interface length: 35

cache-ttl Defines the minimal TTL of individual IP integer Minimum 0

addresses in FQDN cache measured in value: 0
seconds. Maximum
value: 86400

clearpass-spt SPT (System Posture Token) value. option - unknown

Option Description

unknown UNKNOWN.

healthy HEALTHY.

quarantine QUARANTINE.

checkup CHECKUP.

transient TRANSIENT.

infected INFECTED.

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

comment Comment. var-string Maximum

length: 255

country IP addresses associated to a specific country. string Maximum

length: 2

end-ip Final IP address (inclusive) in the range for the ipv4- Not Specified 0.0.0.0
address. address-
any

epg-name Endpoint group name. string Maximum

length: 255

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

filter Match criteria filter. var-string Maximum

length: 2047

FortiOS 7.4.4 CLI Reference 283

Fortinet Inc.
Parameter Description Type Size Default

fqdn Fully Qualified Domain Name address. string Maximum

length: 255

fsso-group FSSO group(s). string Maximum

<name> FSSO group name. length: 511

hw-model Dynamic address matching hardware model. string Maximum

length: 35

hw-vendor Dynamic address matching hardware vendor. string Maximum

length: 35

interface Name of interface whose IP address is to be string Maximum

used. length: 35

macaddr Multiple MAC address ranges. string Maximum

<macaddr> MAC address ranges <start>[-<end>] length: 127
separated by space.

name Address name. string Maximum

length: 79

node-ip-only Enable/disable collection of node addresses option - disable

only in Kubernetes.

Option Description

enable Enable collection of node addresses only in Kubernetes.

disable Disable collection of node addresses only in Kubernetes.

obj-id Object ID for NSX. var-string Maximum

length: 255

obj-tag Tag of dynamic address object. string Maximum

length: 255

obj-type Object type. option - ip

Option Description

ip IP address.

mac MAC address

organization Organization domain name (Syntax: string Maximum

organization/domain). length: 35

os Dynamic address matching operating system. string Maximum

length: 35

policy-group Policy group name. string Maximum

length: 15

FortiOS 7.4.4 CLI Reference 284

Fortinet Inc.
Parameter Description Type Size Default

route-tag route-tag address. integer Minimum 0

value: 1
Maximum
value:
4294967295

sdn SDN. string Maximum

length: 35

sdn-addr-type Type of addresses to collect. option - private

Option Description

private Collect private addresses only.

public Collect public addresses only.

all Collect both public and private addresses.

sdn-tag SDN Tag. string Maximum

length: 15

start-ip First IP address (inclusive) in the range for the ipv4- Not Specified 0.0.0.0
address. address-
any

sub-type Sub-type of address. option - sdn

Option Description

sdn SDN address.

clearpass-spt ClearPass SPT (System Posture Token) address.

fsso FSSO address.

ems-tag FortiClient EMS tag.

fortivoice-tag FortiVoice tag.

fortinac-tag FortiNAC tag.

fortipolicy-tag FortiPolicy tag.

swc-tag Switch Controller NAC policy tag.

device- Device address.

identification

subnet IP address and subnet mask of address. ipv4- Not Specified 0.0.0.0 0.0.0.0
classnet-
any

subnet-name Subnet name. string Maximum

length: 255

FortiOS 7.4.4 CLI Reference 285

Fortinet Inc.
Parameter Description Type Size Default

sw-version Dynamic address matching software version. string Maximum

length: 35

tag-detection- Tag detection level of dynamic address object. string Maximum

level length: 15

tag-type Tag type of dynamic address object. string Maximum

length: 63

tenant Tenant. string Maximum

length: 35

type Type of address. option - ipmask

Option Description

ipmask Standard IPv4 address with subnet mask.

iprange Range of IPv4 addresses between two specified addresses (inclusive).

fqdn Fully Qualified Domain Name address.

geography IP addresses from a specified country.

wildcard Standard IPv4 using a wildcard subnet mask.

dynamic Dynamic address object.

interface-subnet IP and subnet of interface.

mac Range of MAC addresses.

route-tag route-tag addresses.

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

wildcard IP address and wildcard netmask. ipv4- Not Specified 0.0.0.0 0.0.0.0
classnet-
any

wildcard-fqdn Fully Qualified Domain Name with wildcard string Maximum

characters. length: 255

config list

Parameter Description Type Size Default

ip IP. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 286

Fortinet Inc.
config tagging

Parameter Description Type Size Default

name Tagging entry name. string Maximum

length: 63

category Tag category. string Maximum

length: 63

tags <name> Tags. string Maximum

Tag name. length: 79

config firewall address6-template

Configure IPv6 address templates.

config firewall address6-template
Description: Configure IPv6 address templates.
edit <name>
set fabric-object [enable|disable]
set ip6 {ipv6-network}
config subnet-segment
Description: IPv6 subnet segments.
edit <id>
set name {string}
set bits {integer}
set exclusive [enable|disable]
config values
Description: Subnet segment values.
edit <name>
set value {string}
next
end
next
end
set subnet-segment-count {integer}
next
end

config firewall address6-template

Parameter Description Type Size Default

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

FortiOS 7.4.4 CLI Reference 287

Fortinet Inc.
Parameter Description Type Size Default

ip6 IPv6 address prefix. ipv6- Not ::/0

network Specified

name IPv6 address template name. string Maximum

length: 63

subnet- Number of IPv6 subnet segments. integer Minimum 0

segment- value: 1
count Maximum
value: 6

config subnet-segment

Parameter Description Type Size Default

id Subnet segment ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Subnet segment name. string Maximum

length: 63

bits Number of bits. integer Minimum 0

value: 1
Maximum
value: 16

exclusive Enable/disable exclusive value. option - disable

Option Description

enable Enable exclusive value.

disable Disable exclusive value.

config values

Parameter Description Type Size Default

name Subnet segment value name. string Maximum

length: 63

value Subnet segment value. string Maximum

length: 35

config firewall address6

Configure IPv6 firewall addresses.

FortiOS 7.4.4 CLI Reference 288

Fortinet Inc.
config firewall address6
Description: Configure IPv6 firewall addresses.
edit <name>
set cache-ttl {integer}
set color {integer}
set comment {var-string}
set country {string}
set end-ip {ipv6-address}
set epg-name {string}
set fabric-object [enable|disable]
set fqdn {string}
set host {ipv6-address}
set host-type [any|specific]
set ip6 {ipv6-network}
config list
Description: IP address list.
edit <ip>
next
end
set macaddr <macaddr1>, <macaddr2>, ...
set obj-id {var-string}
set route-tag {integer}
set sdn {string}
set sdn-tag {string}
set start-ip {ipv6-address}
config subnet-segment
Description: IPv6 subnet segments.
edit <name>
set type [any|specific]
set value {string}
next
end
config tagging
Description: Config object tagging.
edit <name>
set category {string}
set tags <name1>, <name2>, ...
next
end
set template {string}
set tenant {string}
set type [ipprefix|iprange|...]
set uuid {uuid}
next
end

FortiOS 7.4.4 CLI Reference 289

Fortinet Inc.
config firewall address6

Parameter Description Type Size Default

cache-ttl Minimal TTL of individual IPv6 addresses in integer Minimum 0

FQDN cache. value: 0
Maximum
value: 86400

color Integer value to determine the color of the icon in integer Minimum 0
the GUI. value: 0
Maximum
value: 32

comment Comment. var-string Maximum

length: 255

country IPv6 addresses associated to a specific country. string Maximum

length: 2

end-ip Final IP address (inclusive) in the range for the ipv6- Not Specified ::
address (format: address
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx).

epg-name Endpoint group name. string Maximum

length: 255

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

fqdn Fully qualified domain name. string Maximum

length: 255

host Host Address. ipv6- Not Specified ::

address

host-type Host type. option - any

Option Description

any Wildcard.

specific Specific host address.

ip6 IPv6 address prefix (format: ipv6- Not Specified ::/0

xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx). network

macaddr Multiple MAC address ranges. string Maximum

<macaddr> MAC address ranges <start>[-<end>] separated length: 127
by space.

FortiOS 7.4.4 CLI Reference 290

Fortinet Inc.
Parameter Description Type Size Default

name Address name. string Maximum

length: 79

obj-id Object ID for NSX. var-string Maximum

length: 255

route-tag route-tag address. integer Minimum 0

value: 1
Maximum
value:
4294967295

sdn SDN. string Maximum

length: 35

sdn-tag SDN Tag. string Maximum

length: 15

start-ip First IP address (inclusive) in the range for the ipv6- Not Specified ::
address (format: address
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx).

template IPv6 address template. string Maximum

length: 63

tenant Tenant. string Maximum

length: 35

type Type of IPv6 address object. option - ipprefix

Option Description

ipprefix Uses the IP prefix to define a range of IPv6 addresses.

iprange Range of IPv6 addresses between two specified addresses (inclusive).

fqdn Fully qualified domain name.

geography IPv6 addresses from a specified country.

dynamic Dynamic address object for SDN.

template Template.

mac Range of MAC addresses.

route-tag route-tag addresses.

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

FortiOS 7.4.4 CLI Reference 291

Fortinet Inc.
config list

Parameter Description Type Size Default

ip IP. string Maximum

length: 89

config subnet-segment

Parameter Description Type Size Default

name Name. string Maximum

length: 63

type Subnet segment type. option - any

Option Description

any Wildcard.

specific Specific subnet segment address.

value Subnet segment value. string Maximum

length: 35

config tagging

Parameter Description Type Size Default

name Tagging entry name. string Maximum

length: 63

category Tag category. string Maximum

length: 63

tags <name> Tags. string Maximum

Tag name. length: 79

config firewall addrgrp

Configure IPv4 address groups.

config firewall addrgrp
Description: Configure IPv4 address groups.
edit <name>
set allow-routing [enable|disable]
set category [default|ztna-ems-tag|...]
set color {integer}
set comment {var-string}
set exclude [enable|disable]
set exclude-member <name1>, <name2>, ...
set fabric-object [enable|disable]

FortiOS 7.4.4 CLI Reference 292

Fortinet Inc.
set member <name1>, <name2>, ...
config tagging
Description: Config object tagging.
edit <name>
set category {string}
set tags <name1>, <name2>, ...
next
end
set type [default|folder]
set uuid {uuid}
next
end

config firewall addrgrp

Parameter Description Type Size Default

allow-routing Enable/disable use of this group in the static route option - disable
configuration.

disable Disable address exclusion.

FortiOS 7.4.4 CLI Reference 293

Fortinet Inc.
Parameter Description Type Size Default

exclude- Address exclusion member. string Maximum

member Address name. length: 79
<name>

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

member Address objects contained within the group. string Maximum

<name> Address name. length: 79

name Address group name. string Maximum

length: 79

type Address group type. option - default

Option Description

default Default address group type (address may belong to multiple groups).

folder Address folder group (members may not belong to any other group).

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

config tagging

Parameter Description Type Size Default

name Tagging entry name. string Maximum

length: 63

category Tag category. string Maximum

length: 63

tags <name> Tags. string Maximum

Tag name. length: 79

config firewall addrgrp6

Configure IPv6 address groups.

config firewall addrgrp6
Description: Configure IPv6 address groups.
edit <name>
set color {integer}
set comment {var-string}

FortiOS 7.4.4 CLI Reference 294

Fortinet Inc.
set exclude [enable|disable]
set exclude-member <name1>, <name2>, ...
set fabric-object [enable|disable]
set member <name1>, <name2>, ...
config tagging
Description: Config object tagging.
edit <name>
set category {string}
set tags <name1>, <name2>, ...
next
end
set uuid {uuid}
next
end

config firewall addrgrp6

Parameter Description Type Size Default

color Integer value to determine the color of the icon in integer Minimum 0
the GUI. value: 0
Maximum
value: 32

comment Comment. var-string Maximum

length: 255

exclude Enable/disable address6 exclusion. option - disable

Option Description

enable Enable address6 exclusion.

disable Disable address6 exclusion.

exclude- Address6 exclusion member. string Maximum

member Address6 name. length: 79
<name>

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

member Address objects contained within the group. string Maximum

<name> Address6/addrgrp6 name. length: 79

name IPv6 address group name. string Maximum

length: 79

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

proxy-auth Enable/disable authentication by proxy daemon. option - disable

Option Description

enable Users are authenticated by proxy daemon.

disable Users are not authenticated by proxy daemon.

FortiOS 7.4.4 CLI Reference 296

Fortinet Inc.
config firewall central-snat-map

Configure IPv4 and IPv6 central SNAT policies.

config firewall central-snat-map
Description: Configure IPv4 and IPv6 central SNAT policies.
edit <policyid>
set comments {var-string}
set dst-addr <name1>, <name2>, ...
set dst-addr6 <name1>, <name2>, ...
set dst-port {user}
set dstintf <name1>, <name2>, ...
set nat [disable|enable]
set nat-ippool <name1>, <name2>, ...
set nat-ippool6 <name1>, <name2>, ...
set nat-port {user}
set nat46 [enable|disable]
set nat64 [enable|disable]
set orig-addr <name1>, <name2>, ...
set orig-addr6 <name1>, <name2>, ...
set orig-port {user}
set port-preserve [enable|disable]
set protocol {integer}
set srcintf <name1>, <name2>, ...
set status [enable|disable]
set type [ipv4|ipv6]
set uuid {uuid}
next
end

config firewall central-snat-map

Parameter Description Type Size Default

comments Comment. var-string Maximum

length: 1023

dst-addr IPv4 Destination address. string Maximum

<name> Address name. length: 79

dst-addr6 IPv6 Destination address. string Maximum

<name> Address name. length: 79

dst-port Destination port or port range (1 to 65535, 0 user Not Specified

means any port).

dstintf Destination interface name from available string Maximum

<name> interfaces. length: 79
Interface name.

nat Enable/disable source NAT. option - enable

FortiOS 7.4.4 CLI Reference 297

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable source NAT.

enable Enable source NAT.

nat-ippool Name of the IP pools to be used to translate string Maximum

<name> addresses from available IP Pools. length: 79
IP pool name.

nat-ippool6 IPv6 pools to be used for source NAT. string Maximum

<name> IPv6 pool name. length: 79

nat-port Translated port or port range (1 to 65535, 0 user Not Specified

means any port).

nat46 Enable/disable NAT46. option - disable

Option Description

enable Enable NAT46.

disable Disable NAT46.

nat64 Enable/disable NAT64. option - disable

Option Description

enable Enable NAT64.

disable Disable NAT64.

orig-addr IPv4 Original address. string Maximum

<name> Address name. length: 79

orig-addr6 IPv6 Original address. string Maximum

<name> Address name. length: 79

orig-port Original TCP port (1 to 65535, 0 means any user Not Specified
port).

policyid Policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

port-preserve Enable/disable preservation of the original option - enable

source port from source NAT if it has not been
used.

FortiOS 7.4.4 CLI Reference 298

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Use the original source port if it has not been used.

disable Source NAT always changes the source port.

protocol Integer value for the protocol type. integer Minimum 0

value: 0
Maximum
value: 255

srcintf Source interface name from available interfaces. string Maximum

<name> Interface name. length: 79

status Enable/disable the active status of this policy. option - enable

Option Description

enable Enable this policy.

disable Disable this policy.

type IPv4/IPv6 source NAT. option - ipv4

Option Description

ipv4 Perform IPv4 source NAT.

ipv6 Perform IPv6 source NAT.

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

config firewall city

Define city table.

config firewall city
Description: Define city table.
edit <id>
set name {string}
next
end

FortiOS 7.4.4 CLI Reference 299

Fortinet Inc.
config firewall city

Parameter Description Type Size Default

id City ID. integer Minimum 0

value: 0
Maximum
value:
65535

name City name. string Maximum

length: 63

config firewall country

Define country table.

config firewall country
Description: Define country table.
edit <id>
set name {string}
set region <id1>, <id2>, ...
next
end

config firewall country

Parameter Description Type Size Default

id Country ID. integer Minimum 0

value: 0
Maximum
value:
65535

name Country name. string Maximum

length: 63

region <id> Region ID list. integer Minimum

Region ID. value: 0
Maximum
value:
65535

config firewall decrypted-traffic-mirror

Configure decrypted traffic mirror.

config firewall decrypted-traffic-mirror
Description: Configure decrypted traffic mirror.

FortiOS 7.4.4 CLI Reference 300

Fortinet Inc.
edit <name>
set dstmac {mac-address}
set interface <name1>, <name2>, ...
set traffic-source [client|server|...]
set traffic-type {option1}, {option2}, ...
next
end

config firewall decrypted-traffic-mirror

Parameter Description Type Size Default

dstmac Set destination MAC address for mirrored traffic. mac- Not ff:ff:ff:ff:ff:ff
address Specified

interface Decrypted traffic mirror interface. string Maximum

<name> Decrypted traffic mirror interface. length: 79

name Name. string Maximum

length: 35

traffic-source Source of decrypted traffic to be mirrored. option - client

Option Description

client Mirror client side decrypted traffic.

server Mirror server side decrypted traffic.

both Mirror both client and server side decrypted traffic.

traffic-type Types of decrypted traffic to be mirrored. option - ssl

Option Description

ssl Mirror decrypted SSL traffic.

ssh Mirror decrypted SSH traffic.

config firewall dnstranslation

Configure DNS translation.

config firewall dnstranslation
Description: Configure DNS translation.
edit <id>
set dst {ipv4-address}
set netmask {ipv4-netmask}
set src {ipv4-address}
next
end

FortiOS 7.4.4 CLI Reference 301

Fortinet Inc.
config firewall dnstranslation

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

netmask If src and dst are subnets rather than single IP ipv4- Not Specified 255.255.255.255
addresses, enter the netmask for both src and netmask
dst.

config firewall global

Global firewall settings.

config firewall global
Description: Global firewall settings.
set banned-ip-persistency [disabled|permanent-only|...]
end

config firewall global

Parameter Description Type Size Default

banned-ip- Persistency of banned IPs across power cycling. option - disabled

persistency

Option Description

disabled No entries are kept across power cycling.

permanent-only Only permanent IP bans are kept across power cycling.

all All IP bans are kept across power cycling.

FortiOS 7.4.4 CLI Reference 302

Fortinet Inc.
config firewall identity-based-route

Configure identity based routing.

config firewall identity-based-route
Description: Configure identity based routing.
edit <name>
set comments {string}
config rule
Description: Rule.
edit <id>
set gateway {ipv4-address}
set device {string}
set groups <name1>, <name2>, ...
next
end
next
end

config firewall identity-based-route

Parameter Description Type Size Default

comments Comments. string Maximum

length: 127

name Name. string Maximum

length: 35

config rule

Parameter Description Type Size Default

id Rule ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

gateway IPv4 address of the gateway (Format: xxx.xxx.xxx.xxx ipv4- Not Specified 0.0.0.0
, Default: 0.0.0.0). address

device Outgoing interface for the rule. string Maximum

length: 35

groups Select one or more group(s) from available groups string Maximum
<name> that are allowed to use this route. Separate group length: 79
names with a space.
Group name.

FortiOS 7.4.4 CLI Reference 303

Fortinet Inc.
config firewall interface-policy

Configure IPv4 interface policies.

config firewall interface-policy
Description: Configure IPv4 interface policies.
edit <policyid>
set application-list {string}
set application-list-status [enable|disable]
set av-profile {string}
set av-profile-status [enable|disable]
set casb-profile {string}
set casb-profile-status [enable|disable]
set comments {var-string}
set dlp-profile {string}
set dlp-profile-status [enable|disable]
set dsri [enable|disable]
set dstaddr <name1>, <name2>, ...
set emailfilter-profile {string}
set emailfilter-profile-status [enable|disable]
set interface {string}
set ips-sensor {string}
set ips-sensor-status [enable|disable]
set logtraffic [all|utm|...]
set service <name1>, <name2>, ...
set srcaddr <name1>, <name2>, ...
set status [enable|disable]
set uuid {uuid}
set webfilter-profile {string}
set webfilter-profile-status [enable|disable]
next
end

config firewall interface-policy

Parameter Description Type Size Default

application- Application list name. string Maximum

list length: 35

application- Enable/disable application control. option - disable

list-status

Option Description

enable Enable application control

disable Disable application control

av-profile Antivirus profile. string Maximum

length: 35

av-profile- Enable/disable antivirus. option - disable

status

FortiOS 7.4.4 CLI Reference 304

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable antivirus

disable Disable antivirus

casb-profile CASB profile. string Maximum

length: 35

casb-profile- Enable/disable CASB. option - disable

status

Option Description

enable Enable CASB.

disable Disable CASB.

comments Comments. var-string Maximum

length: 1023

dlp-profile DLP profile name. string Maximum

length: 35

dlp-profile- Enable/disable DLP. option - disable

status

Option Description

enable Enable setting.

disable Disable setting.

dsri Enable/disable DSRI. option - disable

Option Description

enable Enable DSRI.

disable Disable DSRI.

dstaddr Address object to limit traffic monitoring to string Maximum

<name> network traffic sent to the specified address or length: 79
range.
Address name.

emailfilter- Email filter profile. string Maximum

profile length: 35

emailfilter- Enable/disable email filter. option - disable

profile-status

FortiOS 7.4.4 CLI Reference 305

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable Email filter.

disable Disable Email filter.

interface Monitored interface name from available string Maximum

interfaces. length: 35

ips-sensor IPS sensor name. string Maximum

length: 35

ips-sensor- Enable/disable IPS. option - disable

status

Option Description

enable Enable IPS.

disable Disable IPS.

logtraffic Logging type to be used in this policy (Options: option - utm

all | utm | disable, Default: utm).

Option Description

all Log all sessions accepted or denied by this policy.

utm Log traffic that has a security profile applied to it.

disable Disable all logging for this policy.

policyid Policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

service Service object from available options. string Maximum

<name> Service name. length: 79

srcaddr Address object to limit traffic monitoring to string Maximum

<name> network traffic sent from the specified address or length: 79
range.
Address name.

status Enable/disable this policy. option - enable

Option Description

enable Enable this policy.

disable Disable this policy.

FortiOS 7.4.4 CLI Reference 306

Fortinet Inc.
Parameter Description Type Size Default

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

webfilter- Web filter profile. string Maximum

profile length: 35

webfilter- Enable/disable web filtering. option - disable

profile-status

Option Description

enable Enable web filtering.

disable Disable web filtering.

config firewall interface-policy6

Configure IPv6 interface policies.

config firewall interface-policy6
Description: Configure IPv6 interface policies.
edit <policyid>
set application-list {string}
set application-list-status [enable|disable]
set av-profile {string}
set av-profile-status [enable|disable]
set casb-profile {string}
set casb-profile-status [enable|disable]
set comments {var-string}
set dlp-profile {string}
set dlp-profile-status [enable|disable]
set dsri [enable|disable]
set dstaddr6 <name1>, <name2>, ...
set emailfilter-profile {string}
set emailfilter-profile-status [enable|disable]
set interface {string}
set ips-sensor {string}
set ips-sensor-status [enable|disable]
set logtraffic [all|utm|...]
set service6 <name1>, <name2>, ...
set srcaddr6 <name1>, <name2>, ...
set status [enable|disable]
set uuid {uuid}
set webfilter-profile {string}
set webfilter-profile-status [enable|disable]
next
end

FortiOS 7.4.4 CLI Reference 307

enable Enable CASB.

disable Disable CASB.

comments Comments. var-string Maximum

length: 1023

dlp-profile DLP profile name. string Maximum

length: 35

dlp-profile- Enable/disable DLP. option - disable

status

Option Description

enable Enable setting.

Option Description

all Log all sessions accepted or denied by this policy.

utm Log traffic that has a security profile applied to it.

disable Disable all logging for this policy.

FortiOS 7.4.4 CLI Reference 309

Fortinet Inc.
Parameter Description Type Size Default

policyid Policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

service6 Service name. string Maximum

<name> Service name. length: 79

srcaddr6 IPv6 address object to limit traffic monitoring to string Maximum

<name> network traffic sent from the specified address or length: 79
range.
Address name.

status Enable/disable this policy. option - enable

Option Description

enable Enable this policy.

disable Disable this policy.

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

webfilter- Web filter profile. string Maximum

profile length: 35

webfilter- Enable/disable web filtering. option - disable

profile-status

Option Description

enable Enable web filtering.

disable Disable web filtering.

config firewall internet-service-addition

Configure Internet Services Addition.

config firewall internet-service-addition
Description: Configure Internet Services Addition.
edit <id>
set comment {var-string}
config entry
Description: Entries added to the Internet Service addition database.
edit <id>
set addr-mode [ipv4|ipv6]
set protocol {integer}
config port-range

FortiOS 7.4.4 CLI Reference 310

Fortinet Inc.
Description: Port ranges in the custom entry.
edit <id>
set start-port {integer}
set end-port {integer}
next
end
next
end
next
end

config firewall internet-service-addition

Parameter Description Type Size Default

comment Comment. var-string Maximum

length: 255

id Internet Service ID in the Internet Service database. integer Minimum 0

value: 0
Maximum
value:
4294967295

config entry

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

addr-mode Address mode (IPv4 or IPv6). option - ipv4

Option Description

ipv4 IPv4 mode.

ipv6 IPv6 mode.

protocol Integer value for the protocol type as defined by IANA. integer Minimum 0
value: 0
Maximum
value: 255

FortiOS 7.4.4 CLI Reference 311

Fortinet Inc.
config port-range

Parameter Description Type Size Default

id Custom entry port range ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

start-port Integer value for starting TCP/UDP/SCTP destination integer Minimum 1

port in range (0 to 65535). value: 0
Maximum
value: 65535

end-port Integer value for ending TCP/UDP/SCTP destination integer Minimum 65535
port in range (0 to 65535). value: 0
Maximum
value: 65535

config firewall internet-service-append

Configure additional port mappings for Internet Services.

config firewall internet-service-append
Description: Configure additional port mappings for Internet Services.
set addr-mode [ipv4|ipv6|...]
set append-port {integer}
set match-port {integer}
end

config firewall internet-service-append

Parameter Description Type Size Default

addr-mode Address mode (IPv4 or IPv6). option - ipv4

Option Description

ipv4 IPv4 mode.

ipv6 IPv6 mode.

both Both IPv4 and IPv6 mode.

append-port Appending TCP/UDP/SCTP destination port (1 to integer Minimum 0

65535). value: 0
Maximum
value:
65535

FortiOS 7.4.4 CLI Reference 312

Fortinet Inc.
Parameter Description Type Size Default

match-port Matching TCP/UDP/SCTP destination port (0 to 65535, integer Minimum 0

0 means any port). value: 0
Maximum
value:
65535

config firewall internet-service-botnet

Show Internet Service botnet.

config firewall internet-service-botnet
Description: Show Internet Service botnet.
edit <id>
set name {string}
next
end

config firewall internet-service-botnet

Parameter Description Type Size Default

id Internet Service Botnet ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Internet Service Botnet name. string Maximum

length: 63

config firewall internet-service-custom-group

Configure custom Internet Service group.

config firewall internet-service-custom-group
Description: Configure custom Internet Service group.
edit <name>
set comment {var-string}
set member <name1>, <name2>, ...
next
end

FortiOS 7.4.4 CLI Reference 313

Fortinet Inc.
config firewall internet-service-custom-group

Parameter Description Type Size Default

comment Comment. var-string Maximum

length: 255

member Custom Internet Service group members. string Maximum

<name> Group member name. length: 79

name Custom Internet Service group name. string Maximum

length: 63

config firewall internet-service-custom

Configure custom Internet Services.

config firewall internet-service-custom
Description: Configure custom Internet Services.
edit <name>
set comment {var-string}
config entry
Description: Entries added to the Internet Service database and custom database.
edit <id>
set addr-mode [ipv4|ipv6]
set protocol {integer}
config port-range
Description: Port ranges in the custom entry.
edit <id>
set start-port {integer}
set end-port {integer}
next
end
set dst <name1>, <name2>, ...
set dst6 <name1>, <name2>, ...
next
end
set reputation {integer}
next
end

config firewall internet-service-custom

Parameter Description Type Size Default

comment Comment. var-string Maximum

length: 255

name Internet Service name. string Maximum

length: 63

FortiOS 7.4.4 CLI Reference 314

Fortinet Inc.
Parameter Description Type Size Default

reputation Reputation level of the custom Internet Service. integer Minimum 3

value: 0
Maximum
value:
4294967295

config entry

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

addr-mode Address mode (IPv4 or IPv6). option - ipv4

Option Description

ipv4 IPv4 mode.

ipv6 IPv6 mode.

protocol Integer value for the protocol type as defined by IANA. integer Minimum 0
value: 0
Maximum
value: 255

dst <name> Destination address or address group name. string Maximum

Select the destination address or address group object length: 79
from available options.

dst6 <name> Destination address6 or address6 group name. string Maximum

Select the destination address6 or address group object length: 79
from available options.

config port-range

Parameter Description Type Size Default

id Custom entry port range ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 315

Fortinet Inc.
Parameter Description Type Size Default

start-port Integer value for starting TCP/UDP/SCTP destination integer Minimum 1

port in range (0 to 65535). value: 0
Maximum
value: 65535

end-port Integer value for ending TCP/UDP/SCTP destination integer Minimum 65535
port in range (0 to 65535). value: 0
Maximum
value: 65535

config firewall internet-service-definition

Configure Internet Service definition.

config firewall internet-service-definition
Description: Configure Internet Service definition.
edit <id>
config entry
Description: Protocol and port information in an Internet Service entry.
edit <seq-num>
set category-id {integer}
set name {string}
set protocol {integer}
config port-range
Description: Port ranges in the definition entry.
edit <id>
set start-port {integer}
set end-port {integer}
next
end
next
end
next
end

config firewall internet-service-definition

Parameter Description Type Size Default

id Internet Service application list ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 316

Fortinet Inc.
config entry

Parameter Description Type Size Default

seq-num Entry sequence number. integer Minimum 0

value: 0
Maximum
value:
4294967295

category-id Internet Service category ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Internet Service name. string Maximum

length: 63

protocol Integer value for the protocol type as defined by IANA. integer Minimum 0
value: 0
Maximum
value: 255

config port-range

Parameter Description Type Size Default

id Custom entry port range ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

start-port Starting TCP/UDP/SCTP destination port (1 to integer Minimum 1

65535). value: 1
Maximum
value: 65535

end-port Ending TCP/UDP/SCTP destination port (1 to 65535). integer Minimum 65535

value: 1
Maximum
value: 65535

config firewall internet-service-extension

Configure Internet Services Extension.

config firewall internet-service-extension
Description: Configure Internet Services Extension.
edit <id>
set comment {var-string}

FortiOS 7.4.4 CLI Reference 317

Fortinet Inc.
config disable-entry
Description: Disable entries in the Internet Service database.
edit <id>
set addr-mode [ipv4|ipv6]
set protocol {integer}
config port-range
Description: Port ranges in the disable entry.
edit <id>
set start-port {integer}
set end-port {integer}
next
end
config ip-range
Description: IPv4 ranges in the disable entry.
edit <id>
set start-ip {ipv4-address-any}
set end-ip {ipv4-address-any}
next
end
config ip6-range
Description: IPv6 ranges in the disable entry.
edit <id>
set start-ip6 {ipv6-address}
set end-ip6 {ipv6-address}
next
end
next
end
config entry
Description: Entries added to the Internet Service extension database.
edit <id>
set addr-mode [ipv4|ipv6]
set protocol {integer}
config port-range
Description: Port ranges in the custom entry.
edit <id>
set start-port {integer}
set end-port {integer}
next
end
set dst <name1>, <name2>, ...
set dst6 <name1>, <name2>, ...
next
end
next
end

config firewall internet-service-extension

Parameter Description Type Size Default

comment Comment. var-string Maximum

length: 255

FortiOS 7.4.4 CLI Reference 318

Fortinet Inc.
Parameter Description Type Size Default

id Internet Service ID in the Internet Service database. integer Minimum 0

value: 0
Maximum
value:
4294967295

config disable-entry

Parameter Description Type Size Default

id Disable entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

addr-mode Address mode (IPv4 or IPv6). option - ipv4

Option Description

ipv4 IPv4 mode.

ipv6 IPv6 mode.

protocol Integer value for the protocol type as defined by IANA. integer Minimum 0
value: 0
Maximum
value: 255

config port-range

Parameter Description Type Size Default

id Custom entry port range ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

start-port Integer value for starting TCP/UDP/SCTP destination integer Minimum 1

port in range (0 to 65535). value: 0
Maximum
value: 65535

end-port Integer value for ending TCP/UDP/SCTP destination integer Minimum 65535
port in range (0 to 65535). value: 0
Maximum
value: 65535

FortiOS 7.4.4 CLI Reference 319

Fortinet Inc.
config ip-range

Parameter Description Type Size Default

id Disable entry range ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

start-ip Start IPv4 address. ipv4- Not Specified 0.0.0.0

address-
any

end-ip End IPv4 address. ipv4- Not Specified 0.0.0.0

address-
any

config ip6-range

Parameter Description Type Size Default

id Disable entry range ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

start-ip6 Start IPv6 address. ipv6- Not Specified ::

address

end-ip6 End IPv6 address. ipv6- Not Specified ::

address

config entry

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

addr-mode Address mode (IPv4 or IPv6). option - ipv4

Option Description

ipv4 IPv4 mode.

ipv6 IPv6 mode.

FortiOS 7.4.4 CLI Reference 320

Fortinet Inc.
Parameter Description Type Size Default

protocol Integer value for the protocol type as defined by IANA. integer Minimum 0
value: 0
Maximum
value: 255

dst <name> Destination address or address group name. string Maximum

Select the destination address or address group object length: 79
from available options.

dst6 <name> Destination address6 or address6 group name. string Maximum

Select the destination address6 or address group object length: 79
from available options.

config port-range

Parameter Description Type Size Default

id Custom entry port range ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

start-port Integer value for starting TCP/UDP/SCTP destination integer Minimum 1

port in range (0 to 65535). value: 0
Maximum
value: 65535

end-port Integer value for ending TCP/UDP/SCTP destination integer Minimum 65535
port in range (0 to 65535). value: 0
Maximum
value: 65535

config firewall internet-service-group

Configure group of Internet Service.

config firewall internet-service-group
Description: Configure group of Internet Service.
edit <name>
set comment {var-string}
set direction [source|destination|...]
set member <name1>, <name2>, ...
next
end

FortiOS 7.4.4 CLI Reference 321

Fortinet Inc.
config firewall internet-service-group

Parameter Description Type Size Default

comment Comment. var-string Maximum

length: 255

direction How this service may be used (source, destination or option - both
both).

Option Description

source As source when applied.

destination As destination when applied.

both Both directions when applied.

member Internet Service group member. string Maximum

<name> Internet Service name. length: 79

name Internet Service group name. string Maximum

length: 63

config firewall internet-service-ipbl-reason

IP block list reason.

config firewall internet-service-ipbl-reason
Description: IP block list reason.
edit <id>
set name {string}
next
end

config firewall internet-service-ipbl-reason

Parameter Description Type Size Default

id IP block list reason ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name IP block list reason name. string Maximum

length: 63

config firewall internet-service-ipbl-vendor

IP block list vendor.

FortiOS 7.4.4 CLI Reference 322

Fortinet Inc.
config firewall internet-service-ipbl-vendor
Description: IP block list vendor.
edit <id>
set name {string}
next
end

config firewall internet-service-ipbl-vendor

Parameter Description Type Size Default

id IP block list vendor ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name IP block list vendor name. string Maximum

length: 63

config firewall internet-service-list

Internet Service list.

config firewall internet-service-list
Description: Internet Service list.
edit <id>
set name {string}
next
end

config firewall internet-service-list

Parameter Description Type Size Default

id Internet Service category ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Internet Service category name. string Maximum

length: 63

config firewall internet-service-name

Define internet service names.

FortiOS 7.4.4 CLI Reference 323

Fortinet Inc.
config firewall internet-service-name
Description: Define internet service names.
edit <name>
set city-id {integer}
set country-id {integer}
set internet-service-id {integer}
set region-id {integer}
set type [default|location]
next
end

config firewall internet-service-name

Parameter Description Type Size Default

city-id City ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

country-id Country or Area ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

internet- Internet Service ID. integer Minimum 0

service-id value: 0
Maximum
value:
4294967295

name Internet Service name. string Maximum

length: 63

region-id Region ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

type Internet Service name type. option - default

Option Description

default Automatically generated Internet Service.

location Geography location based Internet Service.

config firewall internet-service-owner

Internet Service owner.

FortiOS 7.4.4 CLI Reference 324

Fortinet Inc.
config firewall internet-service-owner
Description: Internet Service owner.
edit <id>
set name {string}
next
end

config firewall internet-service-owner

Parameter Description Type Size Default

id Internet Service owner ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Internet Service owner name. string Maximum

length: 63

config firewall internet-service-reputation

Show Internet Service reputation.

config firewall internet-service-reputation
Description: Show Internet Service reputation.
edit <id>
set description {string}
next
end

config firewall internet-service-reputation

Parameter Description Type Size Default

description Description. string Maximum

length: 127

id Internet Service Reputation ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

config firewall internet-service-sld

Internet Service Second Level Domain.

FortiOS 7.4.4 CLI Reference 325

Fortinet Inc.
config firewall internet-service-sld
Description: Internet Service Second Level Domain.
edit <id>
set name {string}
next
end

config firewall internet-service-sld

Parameter Description Type Size Default

id Second Level Domain ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Second Level Domain name. string Maximum

length: 63

config firewall internet-service-subapp

Show Internet Service sub app ID.

config firewall internet-service-subapp
Description: Show Internet Service sub app ID.
edit <id>
set sub-app <id1>, <id2>, ...
next
end

config firewall internet-service-subapp

Parameter Description Type Size Default

id Internet Service main ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

sub-app <id> Subapp number list. integer Minimum

Subapp ID. value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 326

Fortinet Inc.
config firewall internet-service

Show Internet Service application.

config firewall internet-service
Description: Show Internet Service application.
edit <id>
set database [isdb|irdb]
set direction [src|dst|...]
set extra-ip-range-number {integer}
set extra-ip6-range-number {integer}
set icon-id {integer}
set ip-number {integer}
set ip-range-number {integer}
set ip6-range-number {integer}
set name {string}
set obsolete {integer}
set singularity {integer}
next
end

config firewall internet-service

Parameter Description Type Size Default

database Database name this Internet Service belongs to. option - isdb

Option Description

isdb Internet Service Database.

irdb Internet RRR Database.

direction How this service may be used in a firewall policy option - both
(source, destination or both).

Option Description

src As source in the firewall policy.

dst As destination in the firewall policy.

both Both directions in the firewall policy.

extra-ip- Extra number of IPv4 ranges. integer Minimum 0

range-number value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 327

Fortinet Inc.
Parameter Description Type Size Default

extra-ip6- Extra number of IPv6 ranges. integer Minimum 0

range-number value: 0
Maximum
value:
4294967295

icon-id Icon ID of Internet Service. integer Minimum 0

value: 0
Maximum
value:
4294967295

id Internet Service ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

ip-number Total number of IPv4 addresses. integer Minimum 0

value: 0
Maximum
value:
4294967295

ip-range- Number of IPv4 ranges. integer Minimum 0

number value: 0
Maximum
value:
4294967295

ip6-range- Number of IPv6 ranges. integer Minimum 0

number value: 0
Maximum
value:
4294967295

name Internet Service name. string Maximum

length: 63

obsolete Indicates whether the Internet Service can be used. integer Minimum 0
value: 0
Maximum
value: 255

singularity Singular level of the Internet Service. integer Minimum 0

value: 0
Maximum
value: 65535

FortiOS 7.4.4 CLI Reference 328

Fortinet Inc.
config firewall ip-translation

Configure firewall IP-translation.

config firewall ip-translation
Description: Configure firewall IP-translation.
edit <transid>
set endip {ipv4-address-any}
set map-startip {ipv4-address-any}
set startip {ipv4-address-any}
set type {option}
next
end

config firewall ip-translation

Parameter Description Type Size Default

endip Final IPv4 address. ipv4- Not Specified 0.0.0.0

address-
any

map-startip Address to be used as the starting point for translation ipv4- Not Specified 0.0.0.0
in the range. address-
any

startip First IPv4 address. ipv4- Not Specified 0.0.0.0

address-
any

transid IP translation ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

type IP translation type (option: SCTP). option - SCTP

Option Description

SCTP SCTP

config firewall ipmacbinding setting

Configure IP to MAC binding settings.

config firewall ipmacbinding setting
Description: Configure IP to MAC binding settings.
set bindthroughfw [enable|disable]
set bindtofw [enable|disable]
set undefinedhost [allow|block]
end

FortiOS 7.4.4 CLI Reference 329

Fortinet Inc.
config firewall ipmacbinding setting

Parameter Description Type Size Default

bindthroughfw Enable/disable use of IP/MAC binding to filter packets option - disable

that would normally go through the firewall.

Option Description

enable Enable IP/MAC binding for packets that would normally go through the
firewall.

disable Disable IP/MAC binding for packets that would normally go through the
firewall.

bindtofw Enable/disable use of IP/MAC binding to filter packets option - disable

that would normally go to the firewall.

Option Description

enable Enable IP/MAC binding for packets that would normally go to the firewall.

disable Disable IP/MAC binding for packets that would normally go to the firewall.

undefinedhost Select action to take on packets with IP/MAC option - block

addresses not in the binding list.

Option Description

allow Allow packets from MAC addresses not in the IP/MAC list.

block Block packets from MAC addresses not in the IP/MAC list.

config firewall ipmacbinding table

Configure IP to MAC address pairs in the IP/MAC binding table.

config firewall ipmacbinding table
Description: Configure IP to MAC address pairs in the IP/MAC binding table.
edit <seq-num>
set ip {ipv4-address}
set mac {mac-address}
set name {string}
set status [enable|disable]
next
end

FortiOS 7.4.4 CLI Reference 330

Fortinet Inc.
config firewall ipmacbinding table

Parameter Description Type Size Default

ip IPv4 address portion of the pair (format: ipv4- Not Specified 0.0.0.0
xxx.xxx.xxx.xxx). address

mac MAC address portion of the pair (format = mac- Not Specified 00:00:00:00:00:00
xx:xx:xx:xx:xx:xx in hexadecimal). address

name Name of the pair. string Maximum noname

length: 35

seq-num Entry number. integer Minimum 0

value: 0
Maximum
value:
4294967295

status Enable/disable this IP-mac binding pair. option - disable

Option Description

enable Enable this IP-mac binding pair.

disable Disable this IP-mac binding pair.

config firewall ippool

Configure IPv4 IP pools.

config firewall ippool
Description: Configure IPv4 IP pools.
edit <name>
set add-nat64-route [disable|enable]
set arp-intf {string}
set arp-reply [disable|enable]
set associated-interface {string}
set block-size {integer}
set cgn-block-size {integer}
set cgn-client-endip {var-string}
set cgn-client-ipv6shift {integer}
set cgn-client-startip {var-string}
set cgn-fixedalloc [disable|enable]
set cgn-overload [disable|enable]
set cgn-port-end {integer}
set cgn-port-start {integer}
set cgn-spa [disable|enable]
set comments {var-string}
set endip {ipv4-address-any}
set endport {integer}
set exclude-ip <ip1>, <ip2>, ...
set nat64 [disable|enable]
set num-blocks-per-user {integer}

FortiOS 7.4.4 CLI Reference 331

Fortinet Inc.
set pba-interim-log {integer}
set pba-timeout {integer}
set permit-any-host [disable|enable]
set port-per-user {integer}
set source-endip {ipv4-address-any}
set source-startip {ipv4-address-any}
set startip {ipv4-address-any}
set startport {integer}
set subnet-broadcast-in-ippool [disable|enable]
set type [overload|one-to-one|...]
set utilization-alarm-clear {integer}
set utilization-alarm-raise {integer}
next
end

config firewall ippool

Parameter Description Type Size Default

add-nat64- Enable/disable adding NAT64 route. option - enable

route

Option Description

disable Disable adding NAT64 route.

enable Enable adding NAT64 route.

arp-intf Select an interface from available options that will reply string Maximum
to ARP requests. (If blank, any is selected). length: 15

arp-reply Enable/disable replying to ARP requests when an IP option - enable

Pool is added to a policy.

Option Description

disable Disable ARP reply.

enable Enable ARP reply.

associated- Associated interface name. string Maximum

interface length: 15

block-size Number of addresses in a block. integer Minimum 128

value: 64
Maximum
value: 4096

cgn-block- Number of ports in a block. integer Minimum 128

size * value: 64
Maximum
value: 4096

FortiOS 7.4.4 CLI Reference 332

Fortinet Inc.
Parameter Description Type Size Default

cgn-client- Final client IPv4 address (inclusive) (format var-string Maximum

endip * xxx.xxx.xxx.xxx, Default: 0.0.0.0). length: 255

cgn-client- IPv6 shift for fixed-allocation. integer Minimum 0

ipv6shift * value: 0
Maximum
value: 127

cgn-client- First client IPv4 address (inclusive) (format var-string Maximum

startip * xxx.xxx.xxx.xxx, Default: 0.0.0.0). length: 255

cgn-fixedalloc Enable/disable fixed-allocation mode. option - disable

Option Description

disable Disable fixed-allocation mode.

enable Enable fixed-allocation mode.

cgn-overload Enable/disable overload mode. option - disable

Option Description

disable Disable overload mode.

enable Enable overload mode.

cgn-port-end * Ending public port can be allocated. integer Minimum 65530

value: 1024
Maximum
value:
65535

cgn-port-start Starting public port can be allocated. integer Minimum 5117

* value: 1024
Maximum
value:
65535

cgn-spa * Enable/disable single port allocation mode. option - disable

Option Description

disable Disable SPA mode.

enable Enable SPA mode.

comments Comment. var-string Maximum

length: 255

FortiOS 7.4.4 CLI Reference 333

Fortinet Inc.
Parameter Description Type Size Default

endip Final IPv4 address (inclusive) in the range for the ipv4- Not 0.0.0.0
address pool (format xxx.xxx.xxx.xxx, Default: 0.0.0.0). address- Specified
any

endport Final port number (inclusive) in the range for the integer Minimum 65533
address pool (Default: 65533). value: 5117
Maximum
value:
65533

exclude-ip Exclude IPs x.x.x.x. string Maximum

<ip> * Exclude IPs (xxx.xxx.xxx.xxx) length: 79

name IP pool name. string Maximum

length: 79

nat64 Enable/disable NAT64. option - disable

Option Description

disable Disable DNAT64.

enable Enable DNAT64.

num-blocks- Number of addresses blocks that can be used by a user. integer Minimum 8
per-user value: 1
Maximum
value: 128

pba-interim- Port block allocation interim logging interval. integer Minimum 0

log value: 600
Maximum
value:
86400

pba-timeout Port block allocation timeout (seconds). integer Minimum 30

value: 3
Maximum
value:
86400

permit-any- Enable/disable full cone NAT. option - disable

host

Option Description

disable Disable full cone NAT.

enable Enable full cone NAT.

FortiOS 7.4.4 CLI Reference 334

Fortinet Inc.
Parameter Description Type Size Default

port-per-user Number of port for each user. integer Minimum 0

value: 32
Maximum
value:
60417

source-endip Final IPv4 address (inclusive) in the range of the source ipv4- Not 0.0.0.0
addresses to be translated (format xxx.xxx.xxx.xxx, address- Specified
Default: 0.0.0.0). any

source-startip First IPv4 address. ipv4- Not 0.0.0.0

address- Specified
any

startip First IPv4 address (inclusive) in the range for the ipv4- Not 0.0.0.0
address pool (format xxx.xxx.xxx.xxx, Default: 0.0.0.0). address- Specified
any

startport First port number (inclusive) in the range for the address integer Minimum 5117
pool (Default: 5117). value: 5117
Maximum
value:
65533

subnet- Enable/disable inclusion of the subnetwork address and option - enable

broadcast-in- broadcast IP address in the NAT64 IP pool.
ippool

Option Description

disable Do not include the subnetwork address and broadcast IP address in the
NAT64 IP pool.

enable Include the subnetwork address and broadcast IP address in the NAT64 IP
pool.

type IP pool type: overload, one-to-one, fixed-port-range, option - overload

port-block-allocation, cgn-resource-allocation
(hyperscale vdom only)

Option Description

overload IP addresses in the IP pool can be shared by clients.

one-to-one One to one mapping.

fixed-port-range Fixed port range.

port-block- Port block allocation.

allocation

FortiOS 7.4.4 CLI Reference 335

Fortinet Inc.
Parameter Description Type Size Default

utilization- Pool utilization alarm clear threshold. integer Minimum 80

alarm-clear * value: 40
Maximum
value: 100

utilization- Pool utilization alarm raise threshold. integer Minimum 100

alarm-raise * value: 50
Maximum
value: 100

* This parameter may not exist in some models.

config firewall ippool6

Configure IPv6 IP pools.

config firewall ippool6
Description: Configure IPv6 IP pools.
edit <name>
set add-nat46-route [disable|enable]
set comments {var-string}
set endip {ipv6-address}
set nat46 [disable|enable]
set startip {ipv6-address}
next
end

config firewall ippool6

Parameter Description Type Size Default

add-nat46- Enable/disable adding NAT46 route. option - enable

route

Option Description

disable Disable adding NAT46 route.

enable Enable adding NAT46 route.

comments Comment. var-string Maximum

length: 255

endip Final IPv6 address. ipv6- Not ::

address Specified

name IPv6 IP pool name. string Maximum

length: 79

nat46 Enable/disable NAT46. option - disable

FortiOS 7.4.4 CLI Reference 336

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable NAT46.

enable Enable NAT46.

startip First IPv6 address. ipv6- Not ::

address Specified

config firewall ipv6-eh-filter

Configure IPv6 extension header filter.

config firewall ipv6-eh-filter
Description: Configure IPv6 extension header filter.
set auth [enable|disable]
set dest-opt [enable|disable]
set fragment [enable|disable]
set hdopt-type {integer}
set hop-opt [enable|disable]
set no-next [enable|disable]
set routing [enable|disable]
set routing-type {integer}
end

config firewall ipv6-eh-filter

Parameter Description Type Size Default

auth Enable/disable blocking packets with the Authentication option - disable

header.

Option Description

value: 0
Maximum
value: 255

config firewall ldb-monitor

Configure server load balancing health monitors.

config firewall ldb-monitor
Description: Configure server load balancing health monitors.
edit <name>
set dns-match-ip {ipv4-address}
set dns-protocol [udp|tcp]
set dns-request-domain {string}
set http-get {string}

FortiOS 7.4.4 CLI Reference 338

Fortinet Inc.
set http-match {string}
set http-max-redirects {integer}
set interval {integer}
set port {integer}
set retry {integer}
set src-ip {ipv4-address}
set timeout {integer}
set type [ping|tcp|...]
next
end

config firewall ldb-monitor

Parameter Description Type Size Default

dns-match-ip Response IP expected from DNS server. ipv4- Not 0.0.0.0

address Specified

dns-protocol Select the protocol used by the DNS health check option - udp
monitor to check the health of the server (UDP | TCP).

Option Description

udp UDP.

tcp TCP.

dns-request- Fully qualified domain name to resolve for the DNS string Maximum
domain probe. length: 255

http-get URL used to send a GET request to check the health of string Maximum
an HTTP server. length: 255

http-match String to match the value expected in response to an string Maximum

HTTP-GET request. length: 255

http-max- The maximum number of HTTP redirects to be allowed. integer Minimum 0

redirects value: 0
Maximum
value: 5

interval Time between health checks. integer Minimum 10

value: 5
Maximum
value:
65535

name Monitor name. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 339

Fortinet Inc.
Parameter Description Type Size Default

port Service port used to perform the health check. If 0, integer Minimum 0
health check monitor inherits port configured for the value: 0
server. Maximum
value:
65535

retry Number health check attempts before the server is integer Minimum 3
considered down. value: 1
Maximum
value: 255

src-ip Source IP for ldb-monitor. ipv4- Not 0.0.0.0

address Specified

timeout Time to wait to receive response to a health check from integer Minimum 2
a server. Reaching the timeout means the health check value: 1
failed. Maximum
value: 255

type Select the Monitor type used by the health check option -
monitor to check the health of the server (PING | TCP |
HTTP | HTTPS | DNS).

Option Description

ping PING health monitor.

tcp TCP-connect health monitor.

http HTTP-GET health monitor.

https HTTP-GET health monitor with SSL.

dns DNS health monitor.

config firewall local-in-policy

Configure user defined IPv4 local-in policies.

config firewall local-in-policy
Description: Configure user defined IPv4 local-in policies.
edit <policyid>
set action [accept|deny]
set comments {var-string}
set dstaddr <name1>, <name2>, ...
set dstaddr-negate [enable|disable]
set ha-mgmt-intf-only [enable|disable]
set internet-service-src [enable|disable]
set internet-service-src-custom <name1>, <name2>, ...
set internet-service-src-custom-group <name1>, <name2>, ...
set internet-service-src-group <name1>, <name2>, ...
set internet-service-src-name <name1>, <name2>, ...
set internet-service-src-negate [enable|disable]

FortiOS 7.4.4 CLI Reference 340

Fortinet Inc.
set intf <name1>, <name2>, ...
set schedule {string}
set service <name1>, <name2>, ...
set service-negate [enable|disable]
set srcaddr <name1>, <name2>, ...
set srcaddr-negate [enable|disable]
set status [enable|disable]
set uuid {uuid}
set virtual-patch [enable|disable]
next
end

config firewall local-in-policy

Parameter Description Type Size Default

action Action performed on traffic matching the policy. option - deny

Option Description

accept Allow traffic matching this policy.

deny Deny or block traffic matching this policy.

comments Comment. var-string Maximum

length: 1023

dstaddr Destination address object from available string Maximum

<name> options. length: 79
Address name.

dstaddr- When enabled dstaddr specifies what the option - disable

negate destination address must NOT be.

Option Description

enable Enable destination address negate.

disable Disable destination address negate.

ha-mgmt-intf- Enable/disable dedicating the HA management option - disable

only interface only for local-in policy.

Option Description

enable Enable dedicating HA management interface only for local-in policy.

disable Disable dedicating HA management interface only for local-in policy.

internet- Enable/disable use of Internet Services in option - disable

service-src source for this local-in policy. If enabled, source
address is not used.

FortiOS 7.4.4 CLI Reference 341

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable use of Internet Services source in local-in policy.

disable Disable use of Internet Services source in local-in policy.

internet- Custom Internet Service source name. string Maximum

service-src- Custom Internet Service name. length: 79
custom
<name>

internet- Custom Internet Service source group name. string Maximum

service-src- Custom Internet Service group name. length: 79
custom-group
<name>

internet- Internet Service source group name. string Maximum

service-src- Internet Service group name. length: 79
group
<name>

internet- Internet Service source name. string Maximum

service-src- Internet Service name. length: 79
name
<name>

internet- When enabled internet-service-src specifies option - disable

service-src- what the service must NOT be.
negate

Option Description

enable Enable negated Internet Service source match.

disable Disable negated Internet Service source match.

intf <name> Incoming interface name from available options. string Maximum
Address name. length: 79

policyid User defined local in policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

schedule Schedule object from available options. string Maximum

length: 35

service Service object from available options. string Maximum

<name> Service name. length: 79

FortiOS 7.4.4 CLI Reference 342

Fortinet Inc.
Parameter Description Type Size Default

service- When enabled service specifies what the option - disable

negate service must NOT be.

Option Description

enable Enable negated service match.

disable Disable negated service match.

srcaddr Source address object from available options. string Maximum

<name> Address name. length: 79

srcaddr- When enabled srcaddr specifies what the option - disable

negate source address must NOT be.

Option Description

enable Enable source address negate.

disable Disable source address negate.

status Enable/disable this local-in policy. option - enable

Option Description

enable Enable this local-in policy.

disable Disable this local-in policy.

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

virtual-patch Enable/disable virtual patching. option - disable

Option Description

enable Enable virtual patching.

disable Disable virtual patching.

config firewall local-in-policy6

Configure user defined IPv6 local-in policies.

config firewall local-in-policy6
Description: Configure user defined IPv6 local-in policies.
edit <policyid>
set action [accept|deny]
set comments {var-string}
set dstaddr <name1>, <name2>, ...
set dstaddr-negate [enable|disable]
set internet-service6-src [enable|disable]

FortiOS 7.4.4 CLI Reference 343

Fortinet Inc.
set internet-service6-src-custom <name1>, <name2>, ...
set internet-service6-src-custom-group <name1>, <name2>, ...
set internet-service6-src-group <name1>, <name2>, ...
set internet-service6-src-name <name1>, <name2>, ...
set internet-service6-src-negate [enable|disable]
set intf <name1>, <name2>, ...
set schedule {string}
set service <name1>, <name2>, ...
set service-negate [enable|disable]
set srcaddr <name1>, <name2>, ...
set srcaddr-negate [enable|disable]
set status [enable|disable]
set uuid {uuid}
set virtual-patch [enable|disable]
next
end

config firewall local-in-policy6

Parameter Description Type Size Default

action Action performed on traffic matching the policy. option - deny

Option Description

accept Allow local-in traffic matching this policy.

deny Deny or block local-in traffic matching this policy.

comments Comment. var-string Maximum

length: 1023

dstaddr Destination address object from available string Maximum

<name> options. length: 79
Address name.

dstaddr- When enabled dstaddr specifies what the option - disable

negate destination address must NOT be.

Option Description

enable Enable destination address negate.

disable Disable destination address negate.

internet- Enable/disable use of IPv6 Internet Services in option - disable

service6-src source for this local-in policy.If enabled, source
address is not used.

Option Description

enable Enable use of IPv6 Internet Services source in local-in policy.

disable Disable use of IPv6 Internet Services source in local-in policy.

FortiOS 7.4.4 CLI Reference 344

Fortinet Inc.
Parameter Description Type Size Default

internet- Custom IPv6 Internet Service source name. string Maximum

service6-src- Custom Internet Service name. length: 79
custom
<name>

internet- Custom Internet Service6 source group name. string Maximum

service6-src- Custom Internet Service6 group name. length: 79
custom-group
<name>

internet- Internet Service6 source group name. string Maximum

service6-src- Internet Service group name. length: 79
group
<name>

internet- IPv6 Internet Service source name. string Maximum

service6-src- Internet Service name. length: 79
name
<name>

internet- When enabled internet-service6-src specifies option - disable

service6-src- what the service must NOT be.
negate

Option Description

enable Enable negated IPv6 Internet Service source match.

disable Disable negated IPv6 Internet Service source match.

intf <name> Incoming interface name from available options. string Maximum
Address name. length: 79

policyid User defined local in policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

schedule Schedule object from available options. string Maximum

length: 35

service Service object from available options. Separate string Maximum

<name> names with a space. length: 79
Service name.

service- When enabled service specifies what the option - disable

negate service must NOT be.

FortiOS 7.4.4 CLI Reference 345

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable negated service match.

disable Disable negated service match.

srcaddr Source address object from available options. string Maximum

<name> Address name. length: 79

srcaddr- When enabled srcaddr specifies what the option - disable

negate source address must NOT be.

Option Description

enable Enable source address negate.

disable Disable source address negate.

status Enable/disable this local-in policy. option - enable

Option Description

enable Enable this local-in policy.

disable Disable this local-in policy.

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

virtual-patch Enable/disable the virtual patching feature. option - disable

Option Description

enable Enable setting.

disable Disable setting.

config firewall multicast-address

Configure multicast addresses.

config firewall multicast-address
Description: Configure multicast addresses.
edit <name>
set associated-interface {string}
set color {integer}
set comment {var-string}
set end-ip {ipv4-address-any}
set start-ip {ipv4-address-any}
set subnet {ipv4-classnet-any}
config tagging
Description: Config object tagging.

FortiOS 7.4.4 CLI Reference 346

Fortinet Inc.
edit <name>
set category {string}
set tags <name1>, <name2>, ...
next
end
set type [multicastrange|broadcastmask]
next
end

config firewall multicast-address

Parameter Description Type Size Default

associated- Interface associated with the address object. When string Maximum
interface setting up a policy, only addresses associated with length: 35
this interface are available.

color Integer value to determine the color of the icon in integer Minimum 0
the GUI. value: 0
Maximum
value: 32

comment Comment. var-string Maximum

length: 255

end-ip Final IPv4 address (inclusive) in the range for the ipv4- Not 0.0.0.0
address. address- Specified
any

name Multicast address name. string Maximum

length: 79

start-ip First IPv4 address (inclusive) in the range for the ipv4- Not 0.0.0.0
address. address- Specified
any

subnet Broadcast address and subnet. ipv4- Not 0.0.0.0 0.0.0.0

classnet- Specified
any

type Type of address object: multicast IP address range option - multicastrange

or broadcast IP/mask to be treated as a multicast
address.

Option Description

multicastrange Multicast range.

broadcastmask Broadcast IP/mask.

FortiOS 7.4.4 CLI Reference 347

Fortinet Inc.
config tagging

Parameter Description Type Size Default

name Tagging entry name. string Maximum

length: 63

category Tag category. string Maximum

length: 63

tags <name> Tags. string Maximum

Tag name. length: 79

config firewall multicast-address6

Configure IPv6 multicast address.

config firewall multicast-address6
Description: Configure IPv6 multicast address.
edit <name>
set color {integer}
set comment {var-string}
set ip6 {ipv6-network}
config tagging
Description: Config object tagging.
edit <name>
set category {string}
set tags <name1>, <name2>, ...
next
end
next
end

config firewall multicast-address6

Parameter Description Type Size Default

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

comment Comment. var-string Maximum

length: 255

ip6 IPv6 address prefix (format: ipv6- Not ::/0

xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx). network Specified

name IPv6 multicast address name. string Maximum

length: 79

FortiOS 7.4.4 CLI Reference 348

Fortinet Inc.
config tagging

Parameter Description Type Size Default

name Tagging entry name. string Maximum

length: 63

category Tag category. string Maximum

length: 63

tags <name> Tags. string Maximum

Tag name. length: 79

config firewall multicast-policy

Configure multicast NAT policies.

config firewall multicast-policy
Description: Configure multicast NAT policies.
edit <id>
set action [accept|deny]
set auto-asic-offload [enable|disable]
set comments {var-string}
set dnat {ipv4-address-any}
set dstaddr <name1>, <name2>, ...
set dstintf {string}
set end-port {integer}
set ips-sensor {string}
set logtraffic [all|utm|...]
set name {string}
set protocol {integer}
set snat [enable|disable]
set snat-ip {ipv4-address}
set srcaddr <name1>, <name2>, ...
set srcintf {string}
set start-port {integer}
set status [enable|disable]
set traffic-shaper {string}
set utm-status [enable|disable]
set uuid {uuid}
next
end

config firewall multicast-policy

Parameter Description Type Size Default

action Accept or deny traffic matching the policy. option - accept

FortiOS 7.4.4 CLI Reference 349

Fortinet Inc.
Parameter Description Type Size Default

Option Description

accept Accept traffic matching the policy.

deny Deny or block traffic matching the policy.

auto-asic- Enable/disable offloading policy traffic for option - enable

offload * hardware acceleration.

Option Description

enable Enable hardware acceleration offloading.

disable Disable offloading for hardware acceleration.

comments Comment. var-string Maximum

length: 1023

dnat IPv4 DNAT address used for multicast ipv4- Not Specified 0.0.0.0
destination addresses. address-
any

dstaddr Destination address objects. string Maximum

<name> Destination address objects. length: 79

dstintf Destination interface name. string Maximum

length: 35

end-port Integer value for ending TCP/UDP/SCTP integer Minimum 65535

destination port in range. value: 0
Maximum
value: 65535

id Policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967294

ips-sensor Name of an existing IPS sensor. string Maximum

length: 35

logtraffic Enable or disable logging. Log all sessions or option - utm

security profile sessions.

Option Description

all Enable logging traffic accepted by this policy.

utm Log traffic that has a security profile applied to it.

disable Disable all logging for this policy.

FortiOS 7.4.4 CLI Reference 350

Fortinet Inc.
Parameter Description Type Size Default

name Policy name. string Maximum

length: 35

protocol Integer value for the protocol type as defined by integer Minimum 0
IANA. value: 0
Maximum
value: 255

snat Enable/disable substitution of the outgoing option - disable

interface IP address for the original source IP
address (called source NAT or SNAT).

Option Description

enable Enable source NAT.

disable Disable source NAT.

snat-ip IPv4 address to be used as the source address ipv4- Not Specified 0.0.0.0
for NATed traffic. address

srcaddr Source address objects. string Maximum

<name> Source address objects. length: 79

srcintf Source interface name. string Maximum

length: 35

start-port Integer value for starting TCP/UDP/SCTP integer Minimum 1

destination port in range. value: 0
Maximum
value: 65535

status Enable/disable this policy. option - enable

Option Description

enable Enable this policy.

disable Disable this policy.

traffic-shaper Traffic shaper to apply to traffic forwarded by string Maximum

the multicast policy. length: 35

utm-status Enable to add an IPS security profile to the option - disable

policy.

Option Description

enable Enable setting.

disable Disable setting.

FortiOS 7.4.4 CLI Reference 351

Fortinet Inc.
Parameter Description Type Size Default

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

* This parameter may not exist in some models.

config firewall multicast-policy6

Configure IPv6 multicast NAT policies.

config firewall multicast-policy6
Description: Configure IPv6 multicast NAT policies.
edit <id>
set action [accept|deny]
set auto-asic-offload [enable|disable]
set comments {var-string}
set dstaddr <name1>, <name2>, ...
set dstintf {string}
set end-port {integer}
set ips-sensor {string}
set logtraffic [all|utm|...]
set name {string}
set protocol {integer}
set srcaddr <name1>, <name2>, ...
set srcintf {string}
set start-port {integer}
set status [enable|disable]
set utm-status [enable|disable]
set uuid {uuid}
next
end

config firewall multicast-policy6

Parameter Description Type Size Default

action Accept or deny traffic matching the policy. option - accept

Option Description

accept Accept.

deny Deny.

auto-asic- Enable/disable offloading policy traffic for option - enable

offload * hardware acceleration.

FortiOS 7.4.4 CLI Reference 352

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable offloading policy traffic for hardware acceleration.

disable Disable offloading policy traffic for hardware acceleration.

comments Comment. var-string Maximum

length: 1023

dstaddr IPv6 destination address name. string Maximum

<name> Address name. length: 79

dstintf IPv6 destination interface name. string Maximum

length: 35

end-port Integer value for ending TCP/UDP/SCTP integer Minimum 65535

destination port in range. value: 0
Maximum
value: 65535

id Policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967294

ips-sensor Name of an existing IPS sensor. string Maximum

length: 35

logtraffic Enable or disable logging. Log all sessions or option - utm

security profile sessions.

Option Description

all Enable logging traffic accepted by this policy.

utm Log traffic that has a security profile applied to it.

disable Disable all logging for this policy.

name Policy name. string Maximum

length: 35

protocol Integer value for the protocol type as defined by integer Minimum 0
IANA. value: 0
Maximum
value: 255

srcaddr IPv6 source address name. string Maximum

<name> Address name. length: 79

FortiOS 7.4.4 CLI Reference 353

Fortinet Inc.
Parameter Description Type Size Default

srcintf IPv6 source interface name. string Maximum

length: 35

start-port Integer value for starting TCP/UDP/SCTP integer Minimum 1

destination port in range. value: 0
Maximum
value: 65535

status Enable/disable this policy. option - enable

Option Description

enable Enable this policy.

disable Disable this policy.

utm-status Enable to add an IPS security profile to the option - disable

policy.

Option Description

enable Enable setting.

disable Disable setting.

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

* This parameter may not exist in some models.

config firewall network-service-dynamic

Parameter Description Type Size Default

comment Comment. var-string Maximum

length: 255

FortiOS 7.4.4 CLI Reference 354

Fortinet Inc.
Parameter Description Type Size Default

filter Match criteria filter. var-string Maximum

length: 2047

name Dynamic Network Service name. string Maximum

length: 63

sdn SDN connector name. string Maximum

length: 35

config firewall on-demand-sniffer

Configure on-demand packet sniffer.

config firewall on-demand-sniffer
Description: Configure on-demand packet sniffer.
edit <name>
set advanced-filter {var-string}
set hosts <host1>, <host2>, ...
set interface {string}
set max-packet-count {integer}
set non-ip-packet [enable|disable]
set ports <port1>, <port2>, ...
set protocols <protocol1>, <protocol2>, ...
next
end

config firewall on-demand-sniffer

Parameter Description Type Size Default

advanced-filter Advanced freeform filter that will be used over existing var-string Maximum
filter settings if set. Can only be used by super admin. length: 255

hosts <host> IPv4 or IPv6 hosts to filter in this traffic sniffer. string Maximum
IPv4 or IPv6 host. length: 255

interface Interface name that on-demand packet sniffer will take string Maximum
place. length: 35

max-packet- Maximum number of packets to capture per on- integer Minimum 0

count demand packet sniffer. value: 1
Maximum
value:
20000 **

name On-demand packet sniffer name. string Maximum

length: 35

non-ip-packet Include non-IP packets. option - disable

FortiOS 7.4.4 CLI Reference 355

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable non-IP packets to be included capture.

disable Disable non-IP packets to be included in capture.

ports <port> Ports to filter for in this traffic sniffer. integer Minimum
Port to filter in this traffic sniffer. value: 1
Maximum
value:
65536

protocols Protocols to filter in this traffic sniffer. integer Minimum

<protocol> Integer value for the protocol type as defined by IANA value: 0
(0 - 255). Maximum
value: 255

** Values may differ between models.

config firewall policy

Configure IPv4/IPv6 policies.

config firewall policy
Description: Configure IPv4/IPv6 policies.
edit <policyid>
set action [accept|deny|...]
set anti-replay [enable|disable]
set application-list {string}
set auth-cert {string}
set auth-path [enable|disable]
set auth-redirect-addr {string}
set auto-asic-offload [enable|disable]
set av-profile {string}
set block-notification [enable|disable]
set captive-portal-exempt [enable|disable]
set capture-packet [enable|disable]
set casb-profile {string}
set cifs-profile {string}
set comments {var-string}
set custom-log-fields <field-id1>, <field-id2>, ...
set decrypted-traffic-mirror {string}
set delay-tcp-npu-session [enable|disable]
set diameter-filter-profile {string}
set diffserv-copy [enable|disable]
set diffserv-forward [enable|disable]
set diffserv-reverse [enable|disable]
set diffservcode-forward {user}
set diffservcode-rev {user}
set disclaimer [enable|disable]
set dlp-profile {string}
set dnsfilter-profile {string}

FortiOS 7.4.4 CLI Reference 356

Fortinet Inc.
set dsri [enable|disable]
set dstaddr <name1>, <name2>, ...
set dstaddr-negate [enable|disable]
set dstaddr6 <name1>, <name2>, ...
set dstaddr6-negate [enable|disable]
set dstintf <name1>, <name2>, ...
set dynamic-shaping [enable|disable]
set email-collect [enable|disable]
set emailfilter-profile {string}
set fec [enable|disable]
set file-filter-profile {string}
set firewall-session-dirty [check-all|check-new]
set fixedport [enable|disable]
set fsso-agent-for-ntlm {string}
set fsso-groups <name1>, <name2>, ...
set geoip-anycast [enable|disable]
set geoip-match [physical-location|registered-location]
set groups <name1>, <name2>, ...
set http-policy-redirect [enable|disable]
set icap-profile {string}
set identity-based-route {string}
set inbound [enable|disable]
set inspection-mode [proxy|flow]
set internet-service [enable|disable]
set internet-service-custom <name1>, <name2>, ...
set internet-service-custom-group <name1>, <name2>, ...
set internet-service-group <name1>, <name2>, ...
set internet-service-name <name1>, <name2>, ...
set internet-service-negate [enable|disable]
set internet-service-src [enable|disable]
set internet-service-src-custom <name1>, <name2>, ...
set internet-service-src-custom-group <name1>, <name2>, ...
set internet-service-src-group <name1>, <name2>, ...
set internet-service-src-name <name1>, <name2>, ...
set internet-service-src-negate [enable|disable]
set internet-service6 [enable|disable]
set internet-service6-custom <name1>, <name2>, ...
set internet-service6-custom-group <name1>, <name2>, ...
set internet-service6-group <name1>, <name2>, ...
set internet-service6-name <name1>, <name2>, ...
set internet-service6-negate [enable|disable]
set internet-service6-src [enable|disable]
set internet-service6-src-custom <name1>, <name2>, ...
set internet-service6-src-custom-group <name1>, <name2>, ...
set internet-service6-src-group <name1>, <name2>, ...
set internet-service6-src-name <name1>, <name2>, ...
set internet-service6-src-negate [enable|disable]
set ippool [enable|disable]
set ips-sensor {string}
set ips-voip-filter {string}
set logtraffic [all|utm|...]
set logtraffic-start [enable|disable]
set match-vip [enable|disable]
set match-vip-only [enable|disable]
set name {string}
set nat [enable|disable]

FortiOS 7.4.4 CLI Reference 357

Fortinet Inc.
set nat46 [enable|disable]
set nat64 [enable|disable]
set natinbound [enable|disable]
set natip {ipv4-classnet}
set natoutbound [enable|disable]
set network-service-dynamic <name1>, <name2>, ...
set network-service-src-dynamic <name1>, <name2>, ...
set np-acceleration [enable|disable]
set ntlm [enable|disable]
set ntlm-enabled-browsers <user-agent-string1>, <user-agent-string2>, ...
set ntlm-guest [enable|disable]
set outbound [enable|disable]
set passive-wan-health-measurement [enable|disable]
set pcp-inbound [enable|disable]
set pcp-outbound [enable|disable]
set pcp-poolname <name1>, <name2>, ...
set per-ip-shaper {string}
set permit-any-host [enable|disable]
set permit-stun-host [enable|disable]
set policy-expiry [enable|disable]
set policy-expiry-date {datetime}
set policy-expiry-date-utc {user}
set poolname <name1>, <name2>, ...
set poolname6 <name1>, <name2>, ...
set port-preserve [enable|disable]
set profile-group {string}
set profile-protocol-options {string}
set profile-type [single|group]
set radius-mac-auth-bypass [enable|disable]
set redirect-url {var-string}
set replacemsg-override-group {string}
set reputation-direction [source|destination]
set reputation-direction6 [source|destination]
set reputation-minimum {integer}
set reputation-minimum6 {integer}
set rtp-addr <name1>, <name2>, ...
set rtp-nat [disable|enable]
set schedule {string}
set schedule-timeout [enable|disable]
set sctp-filter-profile {string}
set send-deny-packet [disable|enable]
set service <name1>, <name2>, ...
set service-negate [enable|disable]
set session-ttl {user}
set sgt <id1>, <id2>, ...
set sgt-check [enable|disable]
set src-vendor-mac <id1>, <id2>, ...
set srcaddr <name1>, <name2>, ...
set srcaddr-negate [enable|disable]
set srcaddr6 <name1>, <name2>, ...
set srcaddr6-negate [enable|disable]
set srcintf <name1>, <name2>, ...
set ssh-filter-profile {string}
set ssh-policy-redirect [enable|disable]
set ssl-ssh-profile {string}
set status [enable|disable]

FortiOS 7.4.4 CLI Reference 358

Fortinet Inc.
set tcp-mss-receiver {integer}
set tcp-mss-sender {integer}
set tcp-session-without-syn [all|data-only|...]
set timeout-send-rst [enable|disable]
set tos {user}
set tos-mask {user}
set tos-negate [enable|disable]
set traffic-shaper {string}
set traffic-shaper-reverse {string}
set users <name1>, <name2>, ...
set utm-status [enable|disable]
set uuid {uuid}
set videofilter-profile {string}
set virtual-patch-profile {string}
set vlan-cos-fwd {integer}
set vlan-cos-rev {integer}
set vlan-filter {user}
set voip-profile {string}
set vpntunnel {string}
set waf-profile {string}
set wanopt [enable|disable]
set wanopt-detection [active|passive|...]
set wanopt-passive-opt [default|transparent|...]
set wanopt-peer {string}
set wanopt-profile {string}
set wccp [enable|disable]
set webcache [enable|disable]
set webcache-https [disable|enable]
set webfilter-profile {string}
set webproxy-forward-server {string}
set webproxy-profile {string}
set ztna-device-ownership [enable|disable]
set ztna-ems-tag <name1>, <name2>, ...
set ztna-ems-tag-secondary <name1>, <name2>, ...
set ztna-geo-tag <name1>, <name2>, ...
set ztna-policy-redirect [enable|disable]
set ztna-status [enable|disable]
set ztna-tags-match-logic [or|and]
next
end

config firewall policy

Parameter Description Type Size Default

action Policy action (accept/deny/ipsec). option - deny

Option Description

accept Allows session that match the firewall policy.

deny Blocks sessions that match the firewall policy.

ipsec Firewall policy becomes a policy-based IPsec VPN policy.

FortiOS 7.4.4 CLI Reference 359

Fortinet Inc.
Parameter Description Type Size Default

anti-replay Enable/disable anti-replay check. option - enable

Option Description

enable Enable anti-replay check.

disable Disable anti-replay check.

application-list Name of an existing Application list. string Maximum

length: 35

auth-cert HTTPS server certificate for policy string Maximum

authentication. length: 35

auth-path Enable/disable authentication-based routing. option - disable

Option Description

enable Enable authentication-based routing.

disable Disable authentication-based routing.

auth-redirect- HTTP-to-HTTPS redirect address for firewall string Maximum

addr authentication. length: 63

auto-asic- Enable/disable policy traffic ASIC offloading. option - enable

offload *

Option Description

enable Enable auto ASIC offloading.

disable Disable ASIC offloading.

av-profile Name of an existing Antivirus profile. string Maximum

length: 35

block- Enable/disable block notification. option - disable

notification

Option Description

enable Enable setting.

disable Disable setting.

captive-portal- Enable to exempt some users from the option - disable

exempt captive portal.

Option Description

enable Enable exemption of captive portal.

disable Disable exemption of captive portal.

FortiOS 7.4.4 CLI Reference 360

Fortinet Inc.
Parameter Description Type Size Default

capture-packet * Enable/disable capture packets. option - disable

Option Description

enable Enable capture packets.

disable Disable capture packets.

casb-profile Name of an existing CASB profile. string Maximum

length: 35

cifs-profile Name of an existing CIFS profile. string Maximum

length: 35

comments Comment. var-string Maximum

length: 1023

custom-log- Custom fields to append to log messages for string Maximum

fields <field- this policy. length: 35
id> Custom log field.

decrypted- Decrypted traffic mirror. string Maximum

traffic-mirror length: 35

delay-tcp-npu- Enable TCP NPU session delay to guarantee option - disable

session packet order of 3-way handshake.

Option Description

enable Enable TCP NPU session delay in order to guarantee packet order of 3-way
handshake.

disable Disable TCP NPU session delay in order to guarantee packet order of 3-way
handshake.

diameter-filter- Name of an existing Diameter filter profile. string Maximum

profile length: 35

diffserv-copy Enable to copy packet's DiffServ values from option - disable

session's original direction to its reply
direction.

Option Description

enable Enable DSCP copy.

disable Disable DSCP copy.

diffserv-forward Enable to change packet's DiffServ values to option - disable

the specified diffservcode-forward value.

FortiOS 7.4.4 CLI Reference 361

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting forward (original) traffic Diffserv.

disable Disable setting forward (original) traffic Diffserv.

diffserv-reverse Enable to change packet's reverse (reply) option - disable

DiffServ values to the specified diffservcode-
rev value.

Option Description

enable Enable setting reverse (reply) traffic DiffServ.

disable Disable setting reverse (reply) traffic DiffServ.

diffservcode- Change packet's DiffServ to this value. user Not Specified

forward

diffservcode-rev Change packet's reverse (reply) DiffServ to user Not Specified

this value.

disclaimer Enable/disable user authentication option - disable

disclaimer.

Option Description

enable Enable user authentication disclaimer.

disable Disable user authentication disclaimer.

dlp-profile Name of an existing DLP profile. string Maximum

length: 35

dnsfilter-profile Name of an existing DNS filter profile. string Maximum

length: 35

dsri Enable DSRI to ignore HTTP server option - disable

responses.

Option Description

enable Enable DSRI.

enable Enable dynamic RADIUS defined traffic shaping.

disable Disable dynamic RADIUS defined traffic shaping.

email-collect Enable/disable email collection. option - disable

Option Description

enable Enable email collection.

disable Disable email collection.

emailfilter- Name of an existing email filter profile. string Maximum

profile length: 35

fec Enable/disable Forward Error Correction on option - disable

traffic matching this policy on a FEC device.

Option Description

enable Enable Forward Error Correction.

disable Disable Forward Error Correction.

file-filter-profile Name of an existing file-filter profile. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 363

Fortinet Inc.
Parameter Description Type Size Default

firewall-session- How to handle sessions if the configuration of option - check-all

dirty this firewall policy changes.

Option Description

check-all Flush all current sessions accepted by this policy. These sessions must be
started and re-matched with policies.

check-new Continue to allow sessions already accepted by this policy.

fixedport Enable to prevent source NAT from changing option - disable

a session's source port.

Option Description

enable Enable setting.

disable Disable setting.

fsso-agent-for- FSSO agent to use for NTLM authentication. string Maximum

ntlm length: 35

fsso-groups Names of FSSO groups. string Maximum

<name> Names of FSSO groups. length: 511

geoip-anycast Enable/disable recognition of anycast IP option - disable

addresses using the geography IP database.

Option Description

enable Enable recognition of anycast IP addresses using the geography IP

database.

disable Disable recognition of anycast IP addresses using the geography IP

database.

geoip-match Match geography address based either on its option - physical-location

physical location or registered location.

Option Description

physical-location Match geography address to its physical location using the geography IP
database.

registered- Match geography address to its registered location using the geography IP
location database.

groups <name> Names of user groups that can authenticate string Maximum
with this policy. length: 79
Group name.

http-policy- Redirect HTTP(S) traffic to matching option - disable

redirect transparent web proxy policy.

FortiOS 7.4.4 CLI Reference 364

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable HTTP(S) policy redirect.

disable Disable HTTP(S) policy redirect.

icap-profile Name of an existing ICAP profile. string Maximum

length: 35

disable Disable use of Internet Services in policy.

internet-service- Custom Internet Service name. string Maximum

custom <name> Custom Internet Service name. length: 79

internet-service- Custom Internet Service group name. string Maximum

custom-group Custom Internet Service group name. length: 79
<name>

internet-service- Internet Service group name. string Maximum

group <name> Internet Service group name. length: 79

internet-service- Internet Service name. string Maximum

name <name> Internet Service name. length: 79

FortiOS 7.4.4 CLI Reference 365

Fortinet Inc.
Parameter Description Type Size Default

internet-service- When enabled internet-service specifies option - disable

negate what the service must NOT be.

Option Description

enable Enable negated Internet Service match.

disable Disable negated Internet Service match.

internet-service- Enable/disable use of Internet Services in option - disable

src source for this policy. If enabled, source
address is not used.

Option Description

enable Enable use of Internet Services source in policy.

disable Disable use of Internet Services source in policy.

internet-service- Custom Internet Service source name. string Maximum

src-custom Custom Internet Service name. length: 79
<name>

internet-service- Custom Internet Service source group name. string Maximum

src-custom- Custom Internet Service group name. length: 79
group <name>

internet-service- Internet Service source group name. string Maximum

src-group Internet Service group name. length: 79
<name>

internet-service- Internet Service source name. string Maximum

src-name Internet Service name. length: 79
<name>

internet-service- When enabled internet-service-src specifies option - disable

src-negate what the service must NOT be.

Option Description

enable Enable negated Internet Service source match.

disable Disable negated Internet Service source match.

internet- Enable/disable use of IPv6 Internet Services option - disable

service6 for this policy. If enabled, destination address
and service are not used.

Option Description

enable Enable use of IPv6 Internet Services in policy.

disable Disable use of IPv6 Internet Services in policy.

FortiOS 7.4.4 CLI Reference 366

Fortinet Inc.
Parameter Description Type Size Default

internet- Custom IPv6 Internet Service name. string Maximum

service6- Custom Internet Service name. length: 79
custom <name>

internet- Custom Internet Service6 group name. string Maximum

service6- Custom Internet Service6 group name. length: 79
custom-group
<name>

internet- Internet Service group name. string Maximum

service6-group Internet Service group name. length: 79
<name>

internet- IPv6 Internet Service name. string Maximum

service6-name IPv6 Internet Service name. length: 79
<name>

internet- When enabled internet-service6 specifies option - disable

service6-negate what the service must NOT be.

Option Description

enable Enable negated IPv6 Internet Service match.

disable Disable negated IPv6 Internet Service match.

internet- Enable/disable use of IPv6 Internet Services option - disable

service6-src in source for this policy. If enabled, source
address is not used.

Option Description

enable Enable use of IPv6 Internet Services source in policy.

disable Disable use of IPv6 Internet Services source in policy.

internet- Custom IPv6 Internet Service source name. string Maximum

service6-src- Custom Internet Service name. length: 79
custom <name>

internet- Custom Internet Service6 source group string Maximum

service6-src- name. length: 79
custom-group Custom Internet Service6 group name.
<name>

internet- Internet Service6 source group name. string Maximum

service6-src- Internet Service group name. length: 79
group <name>

internet- IPv6 Internet Service source name. string Maximum

service6-src- Internet Service name. length: 79
name <name>

FortiOS 7.4.4 CLI Reference 367

Fortinet Inc.
Parameter Description Type Size Default

internet- When enabled internet-service6-src specifies option - disable

service6-src- what the service must NOT be.
negate

Option Description

enable Enable negated IPv6 Internet Service source match.

disable Disable negated IPv6 Internet Service source match.

ippool Enable to use IP Pools for source NAT. option - disable

Option Description

enable Enable setting.

disable Disable setting.

ips-sensor Name of an existing IPS sensor. string Maximum

length: 35

ips-voip-filter Name of an existing VoIP (ips) profile. string Maximum

length: 35

logtraffic Enable or disable logging. Log all sessions or option - utm

security profile sessions.

Option Description

all Log all sessions accepted or denied by this policy.

utm Log traffic that has a security profile applied to it.

disable Disable all logging for this policy.

logtraffic-start Record logs when a session starts. option - disable

Option Description

enable Enable setting.

disable Disable setting.

match-vip Enable to match packets that have had their option - enable
destination addresses changed by a VIP.

Option Description

enable Match DNATed packet.

disable Do not match DNATed packet.

FortiOS 7.4.4 CLI Reference 368

Fortinet Inc.
Parameter Description Type Size Default

match-vip-only Enable/disable matching of only those option - disable

packets that have had their destination
addresses changed by a VIP.

Option Description

enable Enable matching of only those packets that have had their destination
addresses changed by a VIP.

disable Disable matching of only those packets that have had their destination
addresses changed by a VIP.

name Policy name. string Maximum

length: 35

nat Enable/disable source NAT. option - disable

Option Description

enable Enable setting.

disable Disable setting.

nat46 Enable/disable NAT46. option - disable

Option Description

enable Enable NAT46.

disable Disable NAT46.

nat64 Enable/disable NAT64. option - disable

Option Description

enable Enable NAT64.

disable Disable NAT64.

natinbound Policy-based IPsec VPN: apply destination option - disable

NAT to inbound traffic.

Option Description

enable Enable setting.

disable Disable setting.

natip Policy-based IPsec VPN: source NAT IP ipv4- Not Specified 0.0.0.0 0.0.0.0
address for outgoing traffic. classnet

natoutbound Policy-based IPsec VPN: apply source NAT option - disable

to outbound traffic.

FortiOS 7.4.4 CLI Reference 369

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

network- Dynamic Network Service name. string Maximum

service-dynamic Dynamic Network Service name. length: 79
<name>

network- Dynamic Network Service source name. string Maximum

service-src- Dynamic Network Service name. length: 79
dynamic
<name>

np-acceleration Enable/disable UTM Network Processor option - enable

* acceleration.

Option Description

enable Enable UTM Network Processor acceleration.

disable Disable UTM Network Processor acceleration.

ntlm Enable/disable NTLM authentication. option - disable

Option Description

enable Enable setting.

disable Disable setting.

ntlm-enabled- HTTP-User-Agent value of supported string Maximum

browsers browsers. length: 79
<user-agent- User agent string.
string>

ntlm-guest Enable/disable NTLM guest user access. option - disable

Option Description

enable Enable setting.

disable Disable setting.

outbound Policy-based IPsec VPN: only traffic from the option - enable
internal network can initiate a VPN.

Option Description

enable Enable setting.

disable Disable setting.

FortiOS 7.4.4 CLI Reference 370

Fortinet Inc.
Parameter Description Type Size Default

passive-wan- Enable/disable passive WAN health option - disable

health- measurement. When enabled, auto-asic-
measurement offload is disabled.

policy-expiry Enable/disable policy expiry. option - disable

FortiOS 7.4.4 CLI Reference 371

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable policy expiry.

disable Disable polcy expiry.

policy-expiry- Policy expiry date (YYYY-MM-DD datetime Not Specified 0000-00-00

date HH:MM:SS). 00:00:00

policy-expiry- Policy expiry date and time, in epoch format. user Not Specified
date-utc

policyid Policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967294

poolname IP Pool names. string Maximum

<name> IP pool name. length: 79

poolname6 IPv6 pool names. string Maximum

<name> IPv6 pool name. length: 79

port-preserve Enable/disable preservation of the original option - enable

source port from source NAT if it has not
been used.

Option Description

enable Use the original source port if it has not been used.

disable Source NAT always changes the source port.

profile-group Name of profile group. string Maximum

length: 35

profile-protocol- Name of an existing Protocol options profile. string Maximum default

options length: 35

profile-type Determine whether the firewall policy allows option - single

security profile groups or single profiles only.

Option Description

single Do not allow security profile groups.

group Allow security profile groups.

radius-mac- Enable MAC authentication bypass. The option - disable

auth-bypass bypassed MAC address must be received
from RADIUS server.

FortiOS 7.4.4 CLI Reference 372

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable MAC authentication bypass.

disable Disable MAC authentication bypass.

redirect-url URL users are directed to after seeing and var-string Maximum
accepting the disclaimer or authenticating. length: 1023

replacemsg- Override the default replacement message string Maximum

override-group group for this policy. length: 35

reputation- Direction of the initial traffic for reputation to option - destination

direction take effect.

Option Description

source Check reputation for source address.

destination Check reputation for destination address.

reputation- Direction of the initial traffic for IPv6 option - destination

direction6 reputation to take effect.

Option Description

source Check reputation for IPv6 source address.

destination Check reputation for IPv6 destination address.

reputation- Minimum Reputation to take action. integer Minimum 0

minimum value: 0
Maximum
value:
4294967295

reputation- IPv6 Minimum Reputation to take action. integer Minimum 0

minimum6 value: 0
Maximum
value:
4294967295

rtp-addr Address names if this is an RTP NAT policy. string Maximum

<name> Address name. length: 79

rtp-nat Enable Real Time Protocol (RTP) NAT. option - disable

Option Description

disable Disable setting.

enable Enable setting.

enable Enable negated service match.

disable Disable negated service match.

session-ttl TTL in seconds for sessions accepted by this user Not Specified
policy.

sgt <id> Security group tags. integer Minimum

Security group tag (1 - 65535). value: 1
Maximum
value: 65535

sgt-check Enable/disable security group tags (SGT) option - disable

check.

Option Description

enable Enable SGT check.

disable Disable SGT check.

FortiOS 7.4.4 CLI Reference 374

Fortinet Inc.
Parameter Description Type Size Default

src-vendor-mac Vendor MAC source ID. integer Minimum

<id> Vendor MAC ID. value: 0
Maximum
value:
4294967295

srcaddr <name> Source IPv4 address and address group string Maximum
names. length: 79
Address name.

srcaddr-negate When enabled srcaddr specifies what the option - disable

source address must NOT be.

Option Description

enable Enable source address negate.

disable Disable source address negate.

srcaddr6 Source IPv6 address name and address string Maximum

<name> group names. length: 79
Address name.

srcaddr6- When enabled srcaddr6 specifies what the option - disable

negate source address must NOT be.

Option Description

enable Enable IPv6 source address negate.

disable Disable IPv6 source address negate.

srcintf <name> Incoming (ingress) interface. string Maximum

Interface name. length: 79

ssh-filter-profile Name of an existing SSH filter profile. string Maximum

length: 35

ssh-policy- Redirect SSH traffic to matching transparent option - disable

redirect proxy policy.

Option Description

enable Enable SSH policy redirect.

disable Disable SSH policy redirect.

ssl-ssh-profile Name of an existing SSL SSH profile. string Maximum no-inspection

length: 35

status Enable or disable this policy. option - enable

FortiOS 7.4.4 CLI Reference 375

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

tcp-mss- Receiver TCP maximum segment size integer Minimum 0

receiver (MSS). value: 0
Maximum
value: 65535

tcp-mss-sender Sender TCP maximum segment size (MSS). integer Minimum 0

value: 0
Maximum
value: 65535

tcp-session- Enable/disable creation of TCP session option - disable

without-syn without SYN flag.

Option Description

all Enable TCP session without SYN.

data-only Enable TCP session data only.

disable Disable TCP session without SYN.

timeout-send-rst Enable/disable sending RST packets when option - disable

TCP sessions expire.

Option Description

enable Enable sending of RST packet upon TCP session expiration.

disable Disable sending of RST packet upon TCP session expiration.

tos ToS (Type of Service) value used for user Not Specified
comparison.

tos-mask Non-zero bit positions are used for user Not Specified
comparison while zero bit positions are
ignored.

tos-negate Enable negated TOS match. option - disable

Option Description

enable Enable TOS match negate.

disable Disable TOS match negate.

traffic-shaper Traffic shaper. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 376

Fortinet Inc.
Parameter Description Type Size Default

traffic-shaper- Reverse traffic shaper. string Maximum

reverse length: 35

users <name> Names of individual users that can string Maximum

authenticate with this policy. length: 79
Names of individual users that can
authenticate with this policy.

utm-status Enable to add one or more security profiles option - disable

(AV, IPS, etc.) to the firewall policy.

Option Description

enable Enable setting.

disable Disable setting.

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

videofilter- Name of an existing VideoFilter profile. string Maximum

profile length: 35

virtual-patch- Name of an existing virtual-patch profile. string Maximum

profile length: 35

vlan-cos-fwd VLAN forward direction user priority: 255 integer Minimum 255
passthrough, 0 lowest, 7 highest. value: 0
Maximum
value: 7

vlan-cos-rev VLAN reverse direction user priority: 255 integer Minimum 255
passthrough, 0 lowest, 7 highest. value: 0
Maximum
value: 7

vlan-filter VLAN ranges to allow user Not Specified

voip-profile Name of an existing VoIP (voipd) profile. string Maximum

length: 35

vpntunnel Policy-based IPsec VPN: name of the IPsec string Maximum

VPN Phase 1. length: 35

waf-profile Name of an existing Web application firewall string Maximum

profile. length: 35

wanopt * Enable/disable WAN optimization. option - disable

FortiOS 7.4.4 CLI Reference 377

wanopt-profile * WAN optimization profile. string Maximum

length: 35

wccp Enable/disable forwarding traffic matching option - disable

this policy to a configured WCCP server.

Option Description

enable Enable WCCP setting.

disable Disable WCCP setting.

webcache * Enable/disable web cache. option - disable

Option Description

enable Enable setting.

disable Disable setting.

FortiOS 7.4.4 CLI Reference 378

Fortinet Inc.
Parameter Description Type Size Default

webcache-https Enable/disable web cache for HTTPS. option - disable

Option Description

or Match ZTNA tags using a logical OR operator.

and Match ZTNA tags using a logical AND operator.

* This parameter may not exist in some models.

config firewall profile-group

webfilter- Name of an existing Web filter profile. string Maximum

profile length: 35

config firewall profile-protocol-options

Configure protocol options.

config firewall profile-protocol-options
Description: Configure protocol options.
edit <name>
config cifs
Description: Configure CIFS protocol options.
set ports {integer}
set status [enable|disable]
set options {option1}, {option2}, ...
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set scan-bzip2 [enable|disable]
set tcp-window-type [auto-tuning|system|...]
set tcp-window-minimum {integer}
set tcp-window-maximum {integer}
set tcp-window-size {integer}
set server-credential-type [none|credential-replication|...]
set domain-controller {string}
config server-keytab
Description: Server keytab.
edit <principal>
set keytab {string}
next
end
end
set comment {var-string}
config dns
Description: Configure DNS protocol options.
set ports {integer}
set status [enable|disable]
end
config ftp
Description: Configure FTP protocol options.
set ports {integer}
set status [enable|disable]
set inspect-all [enable|disable]
set options {option1}, {option2}, ...
set comfort-interval {integer}
set comfort-amount {integer}
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set stream-based-uncompressed-limit {integer}

FortiOS 7.4.4 CLI Reference 382

Fortinet Inc.
set scan-bzip2 [enable|disable]
set tcp-window-type [auto-tuning|system|...]
set tcp-window-minimum {integer}
set tcp-window-maximum {integer}
set tcp-window-size {integer}
set ssl-offloaded [no|yes]
set explicit-ftp-tls [enable|disable]
end
config http
Description: Configure HTTP protocol options.
set ports {integer}
set status [enable|disable]
set inspect-all [enable|disable]
set proxy-after-tcp-handshake [enable|disable]
set options {option1}, {option2}, ...
set comfort-interval {integer}
set comfort-amount {integer}
set range-block [disable|enable]
set strip-x-forwarded-for [disable|enable]
set post-lang {option1}, {option2}, ...
set streaming-content-bypass [enable|disable]
set switching-protocols [bypass|block]
set unknown-http-version [reject|tunnel|...]
set tunnel-non-http [enable|disable]
set h2c [enable|disable]
set unknown-content-encoding [block|inspect|...]
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set stream-based-uncompressed-limit {integer}
set scan-bzip2 [enable|disable]
set verify-dns-for-policy-matching [enable|disable]
set block-page-status-code {integer}
set retry-count {integer}
set tcp-window-type [auto-tuning|system|...]
set tcp-window-minimum {integer}
set tcp-window-maximum {integer}
set tcp-window-size {integer}
set ssl-offloaded [no|yes]
set address-ip-rating [enable|disable]
end
config imap
Description: Configure IMAP protocol options.
set ports {integer}
set status [enable|disable]
set inspect-all [enable|disable]
set proxy-after-tcp-handshake [enable|disable]
set options {option1}, {option2}, ...
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set scan-bzip2 [enable|disable]
set ssl-offloaded [no|yes]
end
config mail-signature
Description: Configure Mail signature.

FortiOS 7.4.4 CLI Reference 383

Fortinet Inc.
set status [disable|enable]
set signature {string}
end
config mapi
Description: Configure MAPI protocol options.
set ports {integer}
set status [enable|disable]
set options {option1}, {option2}, ...
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set scan-bzip2 [enable|disable]
end
config nntp
Description: Configure NNTP protocol options.
set ports {integer}
set status [enable|disable]
set inspect-all [enable|disable]
set proxy-after-tcp-handshake [enable|disable]
set options {option1}, {option2}, ...
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set scan-bzip2 [enable|disable]
end
set oversize-log [disable|enable]
config pop3
Description: Configure POP3 protocol options.
set ports {integer}
set status [enable|disable]
set inspect-all [enable|disable]
set proxy-after-tcp-handshake [enable|disable]
set options {option1}, {option2}, ...
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set scan-bzip2 [enable|disable]
set ssl-offloaded [no|yes]
end
set replacemsg-group {string}
set rpc-over-http [enable|disable]
config smtp
Description: Configure SMTP protocol options.
set ports {integer}
set status [enable|disable]
set inspect-all [enable|disable]
set proxy-after-tcp-handshake [enable|disable]
set options {option1}, {option2}, ...
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set scan-bzip2 [enable|disable]
set server-busy [enable|disable]
set ssl-offloaded [no|yes]
end
config ssh

FortiOS 7.4.4 CLI Reference 384

Fortinet Inc.
Description: Configure SFTP and SCP protocol options.
set options {option1}, {option2}, ...
set comfort-interval {integer}
set comfort-amount {integer}
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set stream-based-uncompressed-limit {integer}
set scan-bzip2 [enable|disable]
set tcp-window-type [auto-tuning|system|...]
set tcp-window-minimum {integer}
set tcp-window-maximum {integer}
set tcp-window-size {integer}
set ssl-offloaded [no|yes]
end
set switching-protocols-log [disable|enable]
next
end

config firewall profile-protocol-options

Parameter Description Type Size Default

comment Optional comments. var-string Maximum

length: 255

name Name. string Maximum

length: 35

oversize-log Enable/disable logging for antivirus oversize file option - disable

blocking.

ports Ports to scan for content. integer Minimum

value: 1
Maximum
value:
65535

status Enable/disable the active status of scanning for this option - enable
protocol.

Option Description

enable Enable setting.

disable Disable setting.

options One or more options that can be applied to the option -

session.

Option Description

oversize Block oversized file.

oversize-limit Maximum in-memory file size that can be scanned integer Minimum 10
(MB). value: 1
Maximum
value: 1606
**

uncompressed- Maximum in-memory uncompressed file size that integer Minimum 10

oversize-limit can be scanned (MB). value: 1
Maximum
value: 1606
**

uncompressed- Maximum nested levels of compression that can be integer Minimum 12

nest-limit uncompressed and scanned. value: 2
Maximum
value: 100

scan-bzip2 Enable/disable scanning of BZip2 compressed files. option - enable

FortiOS 7.4.4 CLI Reference 386

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

tcp-window-type TCP window type to use for this protocol. option - auto-tuning

Option Description

auto-tuning Allow system to auto-tune TCP window size (default).

system Use system default TCP window size for this protocol.

static Manually specify TCP window size.

dynamic Vary TCP window size based on available memory and within limits of tcp-
window-minimum and tcp-window-maximum.

tcp-window- Minimum dynamic TCP window size. integer Minimum 131072

minimum value:
65536
Maximum
value:
1048576

tcp-window- Maximum dynamic TCP window size. integer Minimum 8388608

maximum value:
1048576
Maximum
value:
33554432

tcp-window-size Set TCP static window size. integer Minimum 262144

value:
65536
Maximum
value:
33554432

server-credential- CIFS server credential type. option - none

type

Option Description

none Credential derivation not set.

credential- Credential derived using Replication account on Domain Controller.

replication

credential- Credential derived using server keytab.

keytab

FortiOS 7.4.4 CLI Reference 387

Fortinet Inc.
Parameter Description Type Size Default

domain-controller Domain for which to decrypt CIFS traffic. string Maximum

length: 63

** Values may differ between models.

config server-keytab

Parameter Description Type Size Default

principal Service principal. For example, string Maximum

host/[email protected]. length: 511

keytab Base64 encoded keytab file containing credential of the string Maximum
server. length: 8191

config dns

Parameter Description Type Size Default

ports Ports to scan for content. integer Minimum

value: 1
Maximum
value:
65535

status Enable/disable the active status of scanning for this option - enable
protocol.

Option Description

enable Enable setting.

disable Disable setting.

config ftp

Parameter Description Type Size Default

ports Ports to scan for content. integer Minimum

value: 1
Maximum
value: 65535

status Enable/disable the active status of scanning for option - enable

this protocol.

FortiOS 7.4.4 CLI Reference 388

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

inspect-all Enable/disable the inspection of all ports for the option - disable
protocol.

Option Description

enable Enable setting.

disable Disable setting.

options One or more options that can be applied to the option -

session.

Option Description

clientcomfort Prevent client timeout.

oversize Block oversized file.

splice Enable splice mode.

bypass-rest- Bypass REST command.

command

bypass-mode- Bypass MODE command.

command

comfort-interval Interval between successive transmissions of integer Minimum 10

data for client comforting (seconds). value: 1
Maximum
value: 900

comfort-amount Number of bytes to send in each transmission for integer Minimum 1

client comforting (bytes). value: 1
Maximum
value: 65535

oversize-limit Maximum in-memory file size that can be scanned integer Minimum 10
(MB). value: 1
Maximum
value: 1606 **

uncompressed- Maximum in-memory uncompressed file size that integer Minimum 10

oversize-limit can be scanned (MB). value: 1
Maximum
value: 1606 **

FortiOS 7.4.4 CLI Reference 389

Fortinet Inc.
Parameter Description Type Size Default

uncompressed- Maximum nested levels of compression that can integer Minimum 12

nest-limit be uncompressed and scanned. value: 2
Maximum
value: 100

stream-based- Maximum stream-based uncompressed data size integer Minimum 0

uncompressed- that will be scanned in megabytes. Stream-based value: 0
limit uncompression used only under certain Maximum
conditions. value:
4294967295

scan-bzip2 Enable/disable scanning of BZip2 compressed option - enable

files.

Option Description

enable Enable setting.

disable Disable setting.

tcp-window-type TCP window type to use for this protocol. option - auto-tuning

Option Description

auto-tuning Allow system to auto-tune TCP window size (default).

system Use system default TCP window size for this protocol.

static Manually specify TCP window size.

dynamic Vary TCP window size based on available memory and within limits of tcp-
window-minimum and tcp-window-maximum.

tcp-window- Minimum dynamic TCP window size. integer Minimum 131072

minimum value: 65536
Maximum
value:
1048576

tcp-window- Maximum dynamic TCP window size. integer Minimum 8388608

maximum value:
1048576
Maximum
value:
33554432

tcp-window-size Set TCP static window size. integer Minimum 262144

value: 65536
Maximum
value:
33554432

FortiOS 7.4.4 CLI Reference 390

Fortinet Inc.
Parameter Description Type Size Default

ssl-offloaded SSL decryption and encryption performed by an option - no

external device.

Option Description

no SSL decryption and encryption performed by FortiGate when deep-

inspection is enabled.

yes SSL decryption and encryption performed by an external device.

explicit-ftp-tls Enable/disable FTP redirection for explicit FTPS. option - disable

Option Description

enable Enable setting.

disable Disable setting.

** Values may differ between models.

config http

Parameter Description Type Size Default

ports Ports to scan for content. integer Minimum

value: 1
Maximum
value: 65535

status Enable/disable the active status of scanning for option - enable

this protocol.

Option Description

enable Enable setting.

disable Disable setting.

inspect-all Enable/disable the inspection of all ports for the option - disable
protocol.

Option Description

enable Enable setting.

disable Disable setting.

proxy-after-tcp- Proxy traffic after the TCP 3-way handshake has option - disable
handshake been established (not before).

FortiOS 7.4.4 CLI Reference 391

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

options One or more options that can be applied to the option -

session.

Option Description

clientcomfort Prevent client timeout.

servercomfort Prevent server timeout.

oversize Block oversized file.

chunkedbypass Bypass chunked transfer encoded sites.

comfort-interval Interval between successive transmissions of integer Minimum 10

data for client comforting (seconds). value: 1
Maximum
value: 900

comfort-amount Number of bytes to send in each transmission for integer Minimum 1

client comforting (bytes). value: 1
Maximum
value: 65535

range-block Enable/disable blocking of partial downloads. option - disable

Option Description

disable Disable range header blocking (allow partial file downloads)

enable Enable range header blocking (treat all partial file downloads as full file
download)

strip-x-forwarded- Enable/disable stripping of HTTP X-Forwarded- option - disable

for For header.

Option Description

disable Disable changing of HTTP X-Forwarded-For header.

enable Enable replacement of X-Forwarded-For value with 1.1.1.1.

post-lang ID codes for character sets to be used to convert option -

to UTF-8 for banned words and DLP on HTTP
posts (maximum of 5 character sets).

FortiOS 7.4.4 CLI Reference 392

Fortinet Inc.
Parameter Description Type Size Default

Option Description

jisx0201 Japanese Industrial Standard 0201.

jisx0208 Japanese Industrial Standard 0208.

jisx0212 Japanese Industrial Standard 0212.

gb2312 Guojia Biaozhun 2312 (simplified Chinese).

ksc5601-ex Wansung Korean standard 5601.

euc-jp Extended Unicode Japanese.

sjis Shift Japanese Industrial Standard.

iso2022-jp ISO 2022 Japanese.

iso2022-jp-1 ISO 2022-1 Japanese.

iso2022-jp-2 ISO 2022-2 Japanese.

euc-cn Extended Unicode Chinese.

ces-gbk Extended GB2312 (simplified Chinese).

hz Hanzi simplified Chinese.

ces-big5 Big-5 traditional Chinese.

euc-kr Extended Unicode Korean.

iso2022-jp-3 ISO 2022-3 Japanese.

iso8859-1 ISO 8859 Part 1 (Western European).

tis620 Thai Industrial Standard 620.

cp874 Code Page 874 (Thai).

cp1252 Code Page 1252 (Western European Latin).

cp1251 Code Page 1251 (Cyrillic).

streaming- Enable/disable bypassing of streaming content option - enable

content-bypass from buffering.

Option Description

enable Enable bypassing of streaming content from buffering

disable Disable bypassing of streaming content from buffering

switching- Bypass from scanning, or block a connection that option - bypass

protocols attempts to switch protocol.

FortiOS 7.4.4 CLI Reference 393

Fortinet Inc.
Parameter Description Type Size Default

Option Description

bypass Bypass connections when switching protocols.

block Block connections when switching protocols.

unknown-http- How to handle HTTP sessions that do not comply option - reject
version with HTTP 0.9, 1.0, or 1.1.

Option Description

reject Reject or tear down HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1.

tunnel Pass HTTP traffic that does not use HTTP 0.9, 1.0, or 1.1 without applying
HTTP protocol optimization, byte-caching, or web caching. TCP protocol
optimization is applied.

best-effort Assume all HTTP sessions comply with HTTP 0.9, 1.0, or 1.1. If a session
uses a different HTTP version, it may not parse correctly and the
connection may be lost.

tunnel-non-http Configure how to process non-HTTP traffic when option - enable

a profile configured for HTTP traffic accepts a
non-HTTP session. Can occur if an application
sends non-HTTP traffic using an HTTP
destination port.

Option Description

enable Pass non-HTTP sessions through the tunnel without applying protocol
optimization, byte-caching, or web caching. TCP protocol optimization is
applied.

disable Drop or tear down non-HTTP sessions accepted by the profile.

h2c Enable/disable h2c HTTP connection upgrade. option - disable

Option Description

enable Allow h2c HTTP connection upgrades. h2c tunnels do not support content
scan.

disable Do not allow h2c HTTP connection upgrades.

unknown-content- Configure the action the FortiGate unit will take on option - block
encoding unknown content-encoding.

Option Description

block Block HTTP session when unknown content-encoding is detected.

FortiOS 7.4.4 CLI Reference 394

Fortinet Inc.
Parameter Description Type Size Default

Option Description

inspect Scan HTTP traffic as plain-text when unknown content-encoding is

detected.

bypass Bypass scan when unknown content-encoding is detected.

oversize-limit Maximum in-memory file size that can be integer Minimum 10

scanned (MB). value: 1
Maximum
value: 1606 **

uncompressed- Maximum in-memory uncompressed file size that integer Minimum 10

oversize-limit can be scanned (MB). value: 1
Maximum
value: 1606 **

uncompressed- Maximum nested levels of compression that can integer Minimum 12

nest-limit be uncompressed and scanned. value: 2
Maximum
value: 100

stream-based- Maximum stream-based uncompressed data size integer Minimum 0

uncompressed- that will be scanned in megabytes. Stream-based value: 0
limit uncompression used only under certain Maximum
conditions. value:
4294967295

scan-bzip2 Enable/disable scanning of BZip2 compressed option - enable

files.

Option Description

enable Enable setting.

disable Disable setting.

verify-dns-for- Enable/disable verification of DNS for policy option - enable

policy-matching matching.

Option Description

enable Enable setting.

disable Disable setting.

block-page- Code number returned for blocked HTTP pages. integer Minimum 403
status-code value: 100
Maximum
value: 599

FortiOS 7.4.4 CLI Reference 395

Fortinet Inc.
Parameter Description Type Size Default

retry-count Number of attempts to retry HTTP connection. integer Minimum 0

value: 0
Maximum
value: 100

tcp-window-type TCP window type to use for this protocol. option - auto-tuning

Option Description

auto-tuning Allow system to auto-tune TCP window size (default).

system Use system default TCP window size for this protocol.

static Manually specify TCP window size.

dynamic Vary TCP window size based on available memory and within limits of tcp-
window-minimum and tcp-window-maximum.

tcp-window- Minimum dynamic TCP window size. integer Minimum 131072

minimum value: 65536
Maximum
value:
1048576

tcp-window- Maximum dynamic TCP window size. integer Minimum 8388608

maximum value:
1048576
Maximum
value:
33554432

tcp-window-size Set TCP static window size. integer Minimum 262144

value: 65536
Maximum
value:
33554432

ssl-offloaded SSL decryption and encryption performed by an option - no

external device.

Option Description

no SSL decryption and encryption performed by FortiGate when deep-

inspection is enabled.

yes SSL decryption and encryption performed by an external device.

address-ip-rating Enable/disable IP based URL rating. option - enable

FortiOS 7.4.4 CLI Reference 396

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

** Values may differ between models.

config imap

Parameter Description Type Size Default

ports Ports to scan for content. integer Minimum

value: 1
Maximum
value:
65535

status Enable/disable the active status of scanning for this option - enable
protocol.

session.

Option Description

fragmail Pass fragmented email.

oversize Block oversized email.

FortiOS 7.4.4 CLI Reference 397

Fortinet Inc.
Parameter Description Type Size Default

oversize-limit Maximum in-memory file size that can be scanned integer Minimum 10
(MB). value: 1
Maximum
value: 1606
**

uncompressed- Maximum in-memory uncompressed file size that integer Minimum 10

oversize-limit can be scanned (MB). value: 1
Maximum
value: 1606
**

uncompressed- Maximum nested levels of compression that can be integer Minimum 12

nest-limit uncompressed and scanned. value: 2
Maximum
value: 100

scan-bzip2 Enable/disable scanning of BZip2 compressed files. option - enable

Option Description

enable Enable setting.

disable Disable setting.

ssl-offloaded SSL decryption and encryption performed by an option - no

external device.

Option Description

no SSL decryption and encryption performed by FortiGate when deep-

inspection is enabled.

yes SSL decryption and encryption performed by an external device.

** Values may differ between models.

config mail-signature

Parameter Description Type Size Default

status Enable/disable adding an email signature to SMTP option - disable

email messages as they pass through the FortiGate.

Option Description

disable Disable mail signature.

enable Enable mail signature.

signature Email signature to be added to outgoing email (if the string Maximum
signature contains spaces, enclose with quotation length: 1023
marks).

FortiOS 7.4.4 CLI Reference 398

Fortinet Inc.
config mapi

Parameter Description Type Size Default

ports Ports to scan for content. integer Minimum

value: 1
Maximum
value:
65535

status Enable/disable the active status of scanning for this option - enable
protocol.

Option Description

enable Enable setting.

disable Disable setting.

options One or more options that can be applied to the option -

session.

Option Description

fragmail Pass fragmented email.

oversize Block oversized email.

oversize-limit Maximum in-memory file size that can be scanned integer Minimum 10
(MB). value: 1
Maximum
value: 1606
**

uncompressed- Maximum in-memory uncompressed file size that integer Minimum 10

oversize-limit can be scanned (MB). value: 1
Maximum
value: 1606
**

uncompressed- Maximum nested levels of compression that can be integer Minimum 12

nest-limit uncompressed and scanned. value: 2
Maximum
value: 100

scan-bzip2 Enable/disable scanning of BZip2 compressed files. option - enable

Option Description

enable Enable setting.

disable Disable setting.

** Values may differ between models.

FortiOS 7.4.4 CLI Reference 399

Fortinet Inc.
config nntp

Parameter Description Type Size Default

ports Ports to scan for content. integer Minimum

value: 1
Maximum
value:
65535

options One or more options that can be applied to the option -

session.

Option Description

oversize Block oversized file.

splice Enable splice mode.

oversize-limit Maximum in-memory file size that can be scanned integer Minimum 10
(MB). value: 1
Maximum
value: 1606
**

FortiOS 7.4.4 CLI Reference 400

Fortinet Inc.
Parameter Description Type Size Default

uncompressed- Maximum in-memory uncompressed file size that integer Minimum 10

oversize-limit can be scanned (MB). value: 1
Maximum
value: 1606
**

uncompressed- Maximum nested levels of compression that can be integer Minimum 12

nest-limit uncompressed and scanned. value: 2
Maximum
value: 100

scan-bzip2 Enable/disable scanning of BZip2 compressed files. option - enable

Option Description

enable Enable setting.

disable Disable setting.

** Values may differ between models.

config pop3

Parameter Description Type Size Default

ports Ports to scan for content. integer Minimum

value: 1
Maximum
value:
65535

status Enable/disable the active status of scanning for this option - enable
protocol.

Option Description

enable Enable setting.

disable Disable setting.

inspect-all Enable/disable the inspection of all ports for the option - disable
protocol.

Option Description

enable Enable setting.

disable Disable setting.

proxy-after-tcp- Proxy traffic after the TCP 3-way handshake has option - disable
handshake been established (not before).

FortiOS 7.4.4 CLI Reference 401

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

options One or more options that can be applied to the option -

session.

Option Description

fragmail Pass fragmented email.

oversize Block oversized email.

oversize-limit Maximum in-memory file size that can be scanned integer Minimum 10
(MB). value: 1
Maximum
value: 1606
**

uncompressed- Maximum in-memory uncompressed file size that integer Minimum 10

oversize-limit can be scanned (MB). value: 1
Maximum
value: 1606
**

uncompressed- Maximum nested levels of compression that can be integer Minimum 12

nest-limit uncompressed and scanned. value: 2
Maximum
value: 100

scan-bzip2 Enable/disable scanning of BZip2 compressed files. option - enable

Option Description

enable Enable setting.

disable Disable setting.

ssl-offloaded SSL decryption and encryption performed by an option - no

external device.

Option Description

no SSL decryption and encryption performed by FortiGate when deep-

inspection is enabled.

yes SSL decryption and encryption performed by an external device.

** Values may differ between models.

FortiOS 7.4.4 CLI Reference 402

Fortinet Inc.
config smtp

Parameter Description Type Size Default

ports Ports to scan for content. integer Minimum

value: 1
Maximum
value:
65535

options One or more options that can be applied to the option -

session.

disable Disable setting.

ssl-offloaded SSL decryption and encryption performed by an option - no

external device.

Option Description

no SSL decryption and encryption performed by FortiGate when deep-

inspection is enabled.

yes SSL decryption and encryption performed by an external device.

** Values may differ between models.

config ssh

Parameter Description Type Size Default

options One or more options that can be applied to the option -

session.

Option Description

oversize Block oversized file.

FortiOS 7.4.4 CLI Reference 404

Fortinet Inc.
Parameter Description Type Size Default

Option Description

clientcomfort Prevent client timeout.

servercomfort Prevent server timeout.

comfort-interval Interval between successive transmissions of integer Minimum 10

data for client comforting (seconds). value: 1
Maximum
value: 900

comfort-amount Number of bytes to send in each transmission for integer Minimum 1

client comforting (bytes). value: 1
Maximum
value: 65535

oversize-limit Maximum in-memory file size that can be scanned integer Minimum 10
(MB). value: 1
Maximum
value: 1606 **

uncompressed- Maximum in-memory uncompressed file size that integer Minimum 10

oversize-limit can be scanned (MB). value: 1
Maximum
value: 1606 **

uncompressed- Maximum nested levels of compression that can integer Minimum 12

nest-limit be uncompressed and scanned. value: 2
Maximum
value: 100

stream-based- Maximum stream-based uncompressed data size integer Minimum 0

uncompressed- that will be scanned in megabytes. Stream-based value: 0
limit uncompression used only under certain Maximum
conditions. value:
4294967295

static Manually specify TCP window size.

dynamic Vary TCP window size based on available memory and within limits of tcp-
window-minimum and tcp-window-maximum.

tcp-window- Minimum dynamic TCP window size. integer Minimum 131072

minimum value: 65536
Maximum
value:
1048576

tcp-window- Maximum dynamic TCP window size. integer Minimum 8388608

maximum value:
1048576
Maximum
value:
33554432

tcp-window-size Set TCP static window size. integer Minimum 262144

value: 65536
Maximum
value:
33554432

ssl-offloaded SSL decryption and encryption performed by an option - no

external device.

Option Description

no SSL decryption and encryption performed by FortiGate when deep-

inspection is enabled.

yes SSL decryption and encryption performed by an external device.

** Values may differ between models.

config firewall proxy-address

Configure web proxy address.

config firewall proxy-address
Description: Configure web proxy address.
edit <name>
set application <name1>, <name2>, ...
set case-sensitivity [disable|enable]
set category <id1>, <id2>, ...
set color {integer}
set comment {var-string}

FortiOS 7.4.4 CLI Reference 406

Fortinet Inc.
set header {string}
config header-group
Description: HTTP header group.
edit <id>
set header-name {string}
set header {string}
set case-sensitivity [disable|enable]
next
end
set header-name {string}
set host {string}
set host-regex {string}
set method {option1}, {option2}, ...
set path {string}
set query {string}
set referrer [enable|disable]
config tagging
Description: Config object tagging.
edit <name>
set category {string}
set tags <name1>, <name2>, ...
next
end
set type [host-regex|url|...]
set ua {option1}, {option2}, ...
set ua-max-ver {string}
set ua-min-ver {string}
set uuid {uuid}
next
end

config firewall proxy-address

Parameter Description Type Size Default

application SaaS application. string Maximum

<name> SaaS application name. length: 79

case- Enable to make the pattern case sensitive. option - disable

sensitivity

Option Description

disable Case insensitive in pattern.

enable Case sensitive in pattern.

category FortiGuard category ID. integer Minimum

<id> FortiGuard category ID. value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 407

Fortinet Inc.
Parameter Description Type Size Default

color Integer value to determine the color of the icon integer Minimum 0
in the GUI. value: 0
Maximum
value: 32

comment Optional comments. var-string Maximum

length: 255

header HTTP header name as a regular expression. string Maximum

length: 255

header-name Name of HTTP header. string Maximum

length: 79

host Address object for the host. string Maximum

length: 79

host-regex Host name as a regular expression. string Maximum

length: 255

method HTTP request methods to be used. option -

Option Description

get GET method.

post POST method.

put PUT method.

head HEAD method.

connect CONNECT method.

trace TRACE method.

options OPTIONS method.

delete DELETE method.

name Address name. string Maximum

length: 79

path URL path as a regular expression. string Maximum

length: 255

query Match the query part of the URL as a regular string Maximum
expression. length: 255

referrer Enable/disable use of referrer field in the HTTP option - disable

header to match the address.

FortiOS 7.4.4 CLI Reference 408

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

type Proxy address type. option - url

Option Description

host-regex Host regular expression.

url HTTP URL.

category FortiGuard URL catgegory.

method HTTP request method.

ua HTTP request user agent.

header HTTP request header.

src-advanced HTTP advanced source criteria.

dst-advanced HTTP advanced destination criteria.

saas SaaS application.

ua Names of browsers to be used as user agent. option -

Option Description

chrome Google Chrome.

ms Microsoft Internet Explorer or EDGE.

firefox Mozilla Firefox.

safari Apple Safari.

ie Microsoft Internet Explorer.

edge Microsoft Edge.

other Other browsers.

ua-max-ver Maximum version of the user agent specified in string Maximum

dotted notation. For example, use 120 with the length: 63
ua field set to "chrome" to require Google
Chrome's maximum version must be 120.

ua-min-ver Minimum version of the user agent specified in string Maximum

dotted notation. For example, use 90.0.1 with length: 63
the ua field set to "chrome" to require Google
Chrome's minimum version must be 90.0.1.

FortiOS 7.4.4 CLI Reference 409

Fortinet Inc.
Parameter Description Type Size Default

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

config header-group

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

header-name HTTP header. string Maximum

length: 79

header HTTP header regular expression. string Maximum

length: 255

case- Case sensitivity in pattern. option - disable

sensitivity

Option Description

disable Case insensitive in pattern.

enable Case sensitive in pattern.

config tagging

Parameter Description Type Size Default

name Tagging entry name. string Maximum

length: 63

category Tag category. string Maximum

length: 63

tags <name> Tags. string Maximum

Tag name. length: 79

config firewall proxy-addrgrp

Configure web proxy address group.

config firewall proxy-addrgrp
Description: Configure web proxy address group.
edit <name>
set color {integer}

FortiOS 7.4.4 CLI Reference 410

Fortinet Inc.
set comment {var-string}
set member <name1>, <name2>, ...
config tagging
Description: Config object tagging.
edit <name>
set category {string}
set tags <name1>, <name2>, ...
next
end
set type [src|dst]
set uuid {uuid}
next
end

config firewall proxy-addrgrp

Parameter Description Type Size Default

color Integer value to determine the color of the icon in integer Minimum 0
the GUI. value: 0
Maximum
value: 32

comment Optional comments. var-string Maximum

length: 255

member Members of address group. string Maximum

<name> Address name. length: 79

name Address group name. string Maximum

length: 79

type Source or destination address group type. option - src

Option Description

src Source group.

dst Destination group.

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

config tagging

Parameter Description Type Size Default

name Tagging entry name. string Maximum

length: 63

category Tag category. string Maximum

length: 63

FortiOS 7.4.4 CLI Reference 411

Fortinet Inc.
Parameter Description Type Size Default

tags <name> Tags. string Maximum

Tag name. length: 79

config firewall proxy-policy

Configure proxy policies.

config firewall proxy-policy
Description: Configure proxy policies.
edit <policyid>
set access-proxy <name1>, <name2>, ...
set access-proxy6 <name1>, <name2>, ...
set action [accept|deny|...]
set application-list {string}
set av-profile {string}
set block-notification [enable|disable]
set casb-profile {string}
set comments {var-string}
set decrypted-traffic-mirror {string}
set detect-https-in-http-request [enable|disable]
set device-ownership [enable|disable]
set disclaimer [disable|domain|...]
set dlp-profile {string}
set dstaddr <name1>, <name2>, ...
set dstaddr-negate [enable|disable]
set dstaddr6 <name1>, <name2>, ...
set dstintf <name1>, <name2>, ...
set emailfilter-profile {string}
set file-filter-profile {string}
set groups <name1>, <name2>, ...
set http-tunnel-auth [enable|disable]
set icap-profile {string}
set internet-service [enable|disable]
set internet-service-custom <name1>, <name2>, ...
set internet-service-custom-group <name1>, <name2>, ...
set internet-service-group <name1>, <name2>, ...
set internet-service-name <name1>, <name2>, ...
set internet-service-negate [enable|disable]
set internet-service6 [enable|disable]
set internet-service6-custom <name1>, <name2>, ...
set internet-service6-custom-group <name1>, <name2>, ...
set internet-service6-group <name1>, <name2>, ...
set internet-service6-name <name1>, <name2>, ...
set internet-service6-negate [enable|disable]
set ips-sensor {string}
set ips-voip-filter {string}
set logtraffic [all|utm|...]
set logtraffic-start [enable|disable]
set name {string}
set poolname <name1>, <name2>, ...
set profile-group {string}
set profile-protocol-options {string}

FortiOS 7.4.4 CLI Reference 412

Fortinet Inc.
set profile-type [single|group]
set proxy [explicit-web|transparent-web|...]
set redirect-url {var-string}
set replacemsg-override-group {string}
set schedule {string}
set service <name1>, <name2>, ...
set service-negate [enable|disable]
set session-ttl {integer}
set srcaddr <name1>, <name2>, ...
set srcaddr-negate [enable|disable]
set srcaddr6 <name1>, <name2>, ...
set srcintf <name1>, <name2>, ...
set ssh-filter-profile {string}
set ssh-policy-redirect [enable|disable]
set ssl-ssh-profile {string}
set status [enable|disable]
set transparent [enable|disable]
set users <name1>, <name2>, ...
set utm-status [enable|disable]
set uuid {uuid}
set videofilter-profile {string}
set waf-profile {string}
set webcache [enable|disable]
set webcache-https [disable|enable]
set webfilter-profile {string}
set webproxy-forward-server {string}
set webproxy-profile {string}
set ztna-ems-tag <name1>, <name2>, ...
set ztna-tags-match-logic [or|and]
next
end

config firewall proxy-policy

Parameter Description Type Size Default

access-proxy IPv4 access proxy. string Maximum

<name> Access Proxy name. length: 79

access-proxy6 IPv6 access proxy. string Maximum

<name> Access proxy name. length: 79

action Accept or deny traffic matching the policy option - deny

parameters.

Option Description

accept Action accept.

deny Action deny.

redirect Action redirect.

FortiOS 7.4.4 CLI Reference 413

Fortinet Inc.
Parameter Description Type Size Default

application-list Name of an existing Application list. string Maximum

length: 35

av-profile Name of an existing Antivirus profile. string Maximum

length: 35

block- Enable/disable block notification. option - disable

notification

Option Description

enable Enable setting.

disable Disable setting.

casb-profile Name of an existing CASB profile. string Maximum

length: 35

comments Optional comments. var-string Maximum

length: 1023

decrypted- Decrypted traffic mirror. string Maximum

traffic-mirror length: 35

detect-https- Enable/disable detection of HTTPS in HTTP option - disable

in-http-request request.

Option Description

enable Enable detection of HTTPS in HTTP request.

disable Disable detection of HTTPS in HTTP request.

device- When enabled, the ownership enforcement will option - disable

ownership be done at policy level.

Option Description

enable Enable device ownership.

disable Disable device ownership.

disclaimer Web proxy disclaimer setting: by domain, option - disable

policy, or user.

Option Description

disable Disable disclaimer.

domain Display disclaimer for domain

policy Display disclaimer for policy

user Display disclaimer for current user

FortiOS 7.4.4 CLI Reference 414

Fortinet Inc.
Parameter Description Type Size Default

dlp-profile Name of an existing DLP profile. string Maximum

length: 35

dstaddr Destination address objects. string Maximum

<name> Address name. length: 79

dstaddr- When enabled, destination addresses match option - disable

negate against any address EXCEPT the specified
destination addresses.

Option Description

enable Enable source address negate.

disable Disable destination address negate.

dstaddr6 IPv6 destination address objects. string Maximum

<name> Address name. length: 79

dstintf <name> Destination interface names. string Maximum

Interface name. length: 79

emailfilter- Name of an existing email filter profile. string Maximum

profile length: 35

file-filter-profile Name of an existing file-filter profile. string Maximum

length: 35

groups Names of group objects. string Maximum

<name> Group name. length: 79

http-tunnel- Enable/disable HTTP tunnel authentication. option - disable

auth

Option Description

enable Enable setting.

disable Disable setting.

icap-profile Name of an existing ICAP profile. string Maximum

length: 35

internet- Enable/disable use of Internet Services for this option - disable

service policy. If enabled, destination address and
service are not used.

Option Description

enable Enable use of Internet Services in policy.

disable Disable use of Internet Services in policy.

FortiOS 7.4.4 CLI Reference 415

Fortinet Inc.
Parameter Description Type Size Default

internet- Custom Internet Service name. string Maximum

service- Custom Internet Service name. length: 79
custom
<name>

internet- Custom Internet Service group name. string Maximum

service- Custom Internet Service group name. length: 79
custom-group
<name>

internet- Internet Service group name. string Maximum

service-group Internet Service group name. length: 79
<name>

internet- Internet Service name. string Maximum

service-name Internet Service name. length: 79
<name>

internet- When enabled, Internet Services match against option - disable

service-negate any internet service EXCEPT the selected
Internet Service.

Option Description

enable Enable negated Internet Service match.

disable Disable negated Internet Service match.

internet- Enable/disable use of Internet Services IPv6 for option - disable

service6 this policy. If enabled, destination IPv6 address
and service are not used.

Option Description

enable Enable use of IPv6 Internet Services in policy.

disable Disable use of IPv6 Internet Services in policy.

internet- Custom Internet Service IPv6 name. string Maximum

service6- Custom Internet Service IPv6 name. length: 79
custom
<name>

internet- Custom Internet Service IPv6 group name. string Maximum

service6- Custom Internet Service IPv6 group name. length: 79
custom-group
<name>

internet- Internet Service IPv6 group name. string Maximum

service6-group Internet Service IPv6 group name. length: 79
<name>

FortiOS 7.4.4 CLI Reference 416

Fortinet Inc.
Parameter Description Type Size Default

internet- Internet Service IPv6 name. string Maximum

service6-name Internet Service IPv6 name. length: 79
<name>

internet- When enabled, Internet Services match against option - disable

service6- any internet service IPv6 EXCEPT the selected
negate Internet Service IPv6.

Option Description

enable Enable negated IPv6 Internet Service match.

disable Disable negated IPv6 Internet Service match.

ips-sensor Name of an existing IPS sensor. string Maximum

length: 35

ips-voip-filter Name of an existing VoIP (ips) profile. string Maximum

length: 35

logtraffic Enable/disable logging traffic through the option - utm

policy.

Option Description

all Log all sessions.

utm UTM event and matched application traffic log.

disable Disable traffic and application log.

logtraffic-start Enable/disable policy log traffic start. option - disable

Option Description

enable Enable setting.

disable Disable setting.

name Policy name. string Maximum

length: 35

policyid Policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

poolname Name of IP pool object. string Maximum

<name> IP pool name. length: 79

profile-group Name of profile group. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 417

Fortinet Inc.
Parameter Description Type Size Default

profile- Name of an existing Protocol options profile. string Maximum default

protocol- length: 35
options

profile-type Determine whether the firewall policy allows option - single

security profile groups or single profiles only.

Option Description

single Do not allow security profile groups.

group Allow security profile groups.

proxy Type of explicit proxy. option -

Option Description

explicit-web Explicit Web Proxy

transparent-web Transparent Web Proxy

ftp Explicit FTP Proxy

ssh SSH Proxy

ssh-tunnel SSH Tunnel

access-proxy Access Proxy

enable Enable SSH policy redirect.

disable Disable SSH policy redirect.

ssl-ssh-profile Name of an existing SSL SSH profile. string Maximum no-inspection

length: 35

status Enable/disable the active status of the policy. option - enable

Option Description

enable Enable setting.

disable Disable setting.

transparent Enable to use the IP address of the client to option - disable

connect to the server.

FortiOS 7.4.4 CLI Reference 419

Fortinet Inc.
Parameter Description Type Size Default

disable Disable setting.

webcache- Enable/disable web caching for HTTPS option - disable

https * (Requires deep-inspection enabled in ssl-ssh-
profile).

Option Description

disable Disable web cache for HTTPS.

enable Enable web cache for HTTPS.

webfilter- Name of an existing Web filter profile. string Maximum

profile length: 35

webproxy- Web proxy forward server name. string Maximum

forward-server length: 63

webproxy- Name of web proxy profile. string Maximum

profile length: 63

FortiOS 7.4.4 CLI Reference 420

Fortinet Inc.
Parameter Description Type Size Default

ztna-ems-tag ZTNA EMS Tag names. string Maximum

<name> EMS Tag name. length: 79

ztna-tags- ZTNA tag matching logic. option - or

match-logic

Option Description

or Match ZTNA tags using a logical OR operator.

and Match ZTNA tags using a logical AND operator.

* This parameter may not exist in some models.

config firewall region

Define region table.

config firewall region
Description: Define region table.
edit <id>
set city <id1>, <id2>, ...
set name {string}
next
end

config firewall region

Parameter Description Type Size Default

city <id> City ID list. integer Minimum

City ID. value: 0
Maximum
value:
65535

id Region ID. integer Minimum 0

value: 0
Maximum
value:
65535

name Region name. string Maximum

length: 63

config firewall schedule group

Schedule group configuration.

FortiOS 7.4.4 CLI Reference 421

Fortinet Inc.
config firewall schedule group
Description: Schedule group configuration.
edit <name>
set color {integer}
set fabric-object [enable|disable]
set member <name1>, <name2>, ...
next
end

config firewall schedule group

Parameter Description Type Size Default

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

member Schedules added to the schedule group. string Maximum

<name> Schedule name. length: 79

name Schedule group name. string Maximum

length: 31

config firewall schedule onetime

Onetime schedule configuration.

config firewall schedule onetime
Description: Onetime schedule configuration.
edit <name>
set color {integer}
set end {user}
set end-utc {user}
set expiration-days {integer}
set fabric-object [enable|disable]
set start {user}
set start-utc {user}
next
end

FortiOS 7.4.4 CLI Reference 422

Fortinet Inc.
config firewall schedule onetime

Parameter Description Type Size Default

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

end Schedule end date and time, format hh:mm user Not
yyyy/mm/dd. Specified

end-utc Schedule end date and time, in epoch format. user Not
Specified

expiration- Write an event log message this many days before the integer Minimum 3
days schedule expires. value: 0
Maximum
value: 100

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

name Onetime schedule name. string Maximum

length: 31

start Schedule start date and time, format hh:mm user Not
yyyy/mm/dd. Specified

start-utc Schedule start date and time, in epoch format. user Not
Specified

config firewall schedule recurring

Recurring schedule configuration.

config firewall schedule recurring
Description: Recurring schedule configuration.
edit <name>
set color {integer}
set day {option1}, {option2}, ...
set end {user}
set fabric-object [enable|disable]
set start {user}
next
end

FortiOS 7.4.4 CLI Reference 423

Fortinet Inc.
config firewall schedule recurring

Parameter Description Type Size Default

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

day One or more days of the week on which the schedule is option - none
valid. Separate the names of the days with a space.

Option Description

sunday Sunday.

monday Monday.

tuesday Tuesday.

wednesday Wednesday.

thursday Thursday.

friday Friday.

saturday Saturday.

none None.

end Time of day to end the schedule, format hh:mm. user Not
Specified

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

name Recurring schedule name. string Maximum

length: 31

start Time of day to start the schedule, format hh:mm. user Not
Specified

config firewall security-policy

Configure NGFW IPv4/IPv6 application policies.

config firewall security-policy
Description: Configure NGFW IPv4/IPv6 application policies.
edit <policyid>
set action [accept|deny]
set app-category <id1>, <id2>, ...

FortiOS 7.4.4 CLI Reference 424

Fortinet Inc.
set app-group <name1>, <name2>, ...
set application <id1>, <id2>, ...
set application-list {string}
set av-profile {string}
set casb-profile {string}
set cifs-profile {string}
set comments {var-string}
set diameter-filter-profile {string}
set dlp-profile {string}
set dnsfilter-profile {string}
set dstaddr <name1>, <name2>, ...
set dstaddr-negate [enable|disable]
set dstaddr6 <name1>, <name2>, ...
set dstaddr6-negate [enable|disable]
set dstintf <name1>, <name2>, ...
set emailfilter-profile {string}
set enforce-default-app-port [enable|disable]
set file-filter-profile {string}
set fsso-groups <name1>, <name2>, ...
set groups <name1>, <name2>, ...
set icap-profile {string}
set internet-service [enable|disable]
set internet-service-custom <name1>, <name2>, ...
set internet-service-custom-group <name1>, <name2>, ...
set internet-service-group <name1>, <name2>, ...
set internet-service-name <name1>, <name2>, ...
set internet-service-negate [enable|disable]
set internet-service-src [enable|disable]
set internet-service-src-custom <name1>, <name2>, ...
set internet-service-src-custom-group <name1>, <name2>, ...
set internet-service-src-group <name1>, <name2>, ...
set internet-service-src-name <name1>, <name2>, ...
set internet-service-src-negate [enable|disable]
set internet-service6 [enable|disable]
set internet-service6-custom <name1>, <name2>, ...
set internet-service6-custom-group <name1>, <name2>, ...
set internet-service6-group <name1>, <name2>, ...
set internet-service6-name <name1>, <name2>, ...
set internet-service6-negate [enable|disable]
set internet-service6-src [enable|disable]
set internet-service6-src-custom <name1>, <name2>, ...
set internet-service6-src-custom-group <name1>, <name2>, ...
set internet-service6-src-group <name1>, <name2>, ...
set internet-service6-src-name <name1>, <name2>, ...
set internet-service6-src-negate [enable|disable]
set ips-sensor {string}
set ips-voip-filter {string}
set learning-mode [enable|disable]
set logtraffic [all|utm|...]
set name {string}
set nat46 [enable|disable]
set nat64 [enable|disable]
set profile-group {string}
set profile-protocol-options {string}
set profile-type [single|group]
set schedule {string}

FortiOS 7.4.4 CLI Reference 425

Fortinet Inc.
set sctp-filter-profile {string}
set send-deny-packet [disable|enable]
set service <name1>, <name2>, ...
set service-negate [enable|disable]
set srcaddr <name1>, <name2>, ...
set srcaddr-negate [enable|disable]
set srcaddr6 <name1>, <name2>, ...
set srcaddr6-negate [enable|disable]
set srcintf <name1>, <name2>, ...
set ssh-filter-profile {string}
set ssl-ssh-profile {string}
set status [enable|disable]
set url-category {user}
set users <name1>, <name2>, ...
set uuid {uuid}
set videofilter-profile {string}
set virtual-patch-profile {string}
set voip-profile {string}
set webfilter-profile {string}
next
end

config firewall security-policy

Parameter Description Type Size Default

dstaddr- When enabled dstaddr specifies what the option - disable

negate destination address must NOT be.

Option Description

enable Enable destination address negate.

disable Disable destination address negate.

dstaddr6 Destination IPv6 address name and address string Maximum

<name> group names. length: 79
Address name.

dstaddr6- When enabled dstaddr6 specifies what the option - disable

negate destination address must NOT be.

Option Description

enable Enable IPv6 destination address negate.

disable Disable IPv6 destination address negate.

dstintf Outgoing (egress) interface. string Maximum

<name> Interface name. length: 79

emailfilter- Name of an existing email filter profile. string Maximum

profile length: 35

enforce- Enable/disable default application port option - enable

default-app- enforcement for allowed applications.
port

FortiOS 7.4.4 CLI Reference 427

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

file-filter- Name of an existing file-filter profile. string Maximum

profile length: 35

fsso-groups Names of FSSO groups. string Maximum

<name> Names of FSSO groups. length: 511

groups Names of user groups that can authenticate with string Maximum
<name> this policy. length: 79
User group name.

icap-profile Name of an existing ICAP profile. string Maximum

length: 35

internet- Enable/disable use of Internet Services for this option - disable

service policy. If enabled, destination address, service
and default application port enforcement are not
used.

Option Description

enable Enable use of Internet Services in policy.

disable Disable use of Internet Services in policy.

internet- Custom Internet Service name. string Maximum

service- Custom Internet Service name. length: 79
custom
<name>

internet- Custom Internet Service group name. string Maximum

service- Custom Internet Service group name. length: 79
custom-group
<name>

internet- Internet Service group name. string Maximum

service-group Internet Service group name. length: 79
<name>

internet- Internet Service name. string Maximum

service-name Internet Service name. length: 79
<name>

internet- When enabled internet-service specifies what option - disable

service- the service must NOT be.
negate

FortiOS 7.4.4 CLI Reference 428

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable negated Internet Service match.

disable Disable negated Internet Service match.

internet- Enable/disable use of Internet Services in option - disable

service-src source for this policy. If enabled, source address
is not used.

Option Description

enable Enable use of Internet Services source in policy.

disable Disable use of Internet Services source in policy.

internet- Custom Internet Service source name. string Maximum

service-src- Custom Internet Service name. length: 79
custom
<name>

internet- Custom Internet Service source group name. string Maximum

service-src- Custom Internet Service group name. length: 79
custom-group
<name>

internet- Internet Service source group name. string Maximum

service-src- Internet Service group name. length: 79
group
<name>

internet- Internet Service source name. string Maximum

service-src- Internet Service name. length: 79
name
<name>

internet- When enabled internet-service-src specifies option - disable

service-src- what the service must NOT be.
negate

Option Description

enable Enable negated Internet Service source match.

disable Disable negated Internet Service source match.

internet- Enable/disable use of IPv6 Internet Services for option - disable

service6 this policy. If enabled, destination address,
service and default application port enforcement
are not used.

FortiOS 7.4.4 CLI Reference 429

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable use of IPv6 Internet Services in policy.

disable Disable use of IPv6 Internet Services in policy.

internet- Custom IPv6 Internet Service name. string Maximum

service6- Custom IPv6 Internet Service name. length: 79
custom
<name>

internet- Custom IPv6 Internet Service group name. string Maximum

service6- Custom IPv6 Internet Service group name. length: 79
custom-group
<name>

internet- Internet Service group name. string Maximum

service6- Internet Service group name. length: 79
group
<name>

internet- IPv6 Internet Service name. string Maximum

service6- IPv6 Internet Service name. length: 79
name
<name>

internet- When enabled internet-service6 specifies what option - disable

service6- the service must NOT be.
negate

Option Description

enable Enable negated IPv6 Internet Service match.

disable Disable negated IPv6 Internet Service match.

internet- Enable/disable use of IPv6 Internet Services in option - disable

service6-src source for this policy. If enabled, source address
is not used.

Option Description

enable Enable use of IPv6 Internet Services source in policy.

disable Disable use of IPv6 Internet Services source in policy.

internet- Custom IPv6 Internet Service source name. string Maximum

service6-src- Custom Internet Service name. length: 79
custom
<name>

FortiOS 7.4.4 CLI Reference 430

Fortinet Inc.
Parameter Description Type Size Default

internet- Custom Internet Service6 source group name. string Maximum

service6-src- Custom Internet Service6 group name. length: 79
custom-group
<name>

internet- Internet Service6 source group name. string Maximum

service6-src- Internet Service group name. length: 79
group
<name>

internet- IPv6 Internet Service source name. string Maximum

service6-src- Internet Service name. length: 79
name
<name>

internet- When enabled internet-service6-src specifies option - disable

service6-src- what the service must NOT be.
negate

Option Description

enable Enable negated IPv6 Internet Service source match.

disable Disable negated IPv6 Internet Service source match.

ips-sensor Name of an existing IPS sensor. string Maximum

length: 35

ips-voip-filter Name of an existing VoIP (ips) profile. string Maximum

length: 35

learning- Enable to allow everything, but log all of the option - disable
mode meaningful data for security information
gathering. A learning report will be generated.

enable Enable NAT46.

disable Disable NAT46.

nat64 Enable/disable NAT64. option - disable

Option Description

enable Enable NAT64.

disable Disable NAT64.

policyid Policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967294

profile-group Name of profile group. string Maximum

length: 35

profile- Name of an existing Protocol options profile. string Maximum default

protocol- length: 35
options

profile-type Determine whether the firewall policy allows option - single

security profile groups or single profiles only.

Option Description

single Do not allow security profile groups.

group Allow security profile groups.

schedule Schedule name. string Maximum

length: 35

sctp-filter- Name of an existing SCTP filter profile. string Maximum

profile length: 35

send-deny- Enable to send a reply when a session is denied option - disable

packet or blocked by a firewall policy.

FortiOS 7.4.4 CLI Reference 432

Fortinet Inc.
Parameter Description Type Size Default

negate source address must NOT be.

Option Description

enable Enable IPv6 source address negate.

disable Disable IPv6 source address negate.

config firewall service category

Configure service categories.

config firewall service category
Description: Configure service categories.
edit <name>
set comment {var-string}
set fabric-object [enable|disable]
next
end

config firewall service category

Parameter Description Type Size Default

comment Comment. var-string Maximum

length: 255

fabric-object Security Fabric global object setting. option - disable

FortiOS 7.4.4 CLI Reference 434

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

name Service category name. string Maximum

length: 63

config firewall service custom

Configure custom services.

config firewall service custom
Description: Configure custom services.
edit <name>
set app-category <id1>, <id2>, ...
set app-service-type [disable|app-id|...]
set application <id1>, <id2>, ...
set category {string}
set check-reset-range [disable|strict|...]
set color {integer}
set comment {var-string}
set fabric-object [enable|disable]
set fqdn {string}
set helper [auto|disable|...]
set icmpcode {integer}
set icmptype {integer}
set iprange {user}
set protocol [TCP/UDP/SCTP|ICMP|...]
set protocol-number {integer}
set proxy [enable|disable]
set sctp-portrange {user}
set session-ttl {user}
set tcp-halfclose-timer {integer}
set tcp-halfopen-timer {integer}
set tcp-portrange {user}
set tcp-rst-timer {integer}
set tcp-timewait-timer {integer}
set udp-idle-timer {integer}
set udp-portrange {user}
set uuid {uuid}
next
end

FortiOS 7.4.4 CLI Reference 435

Fortinet Inc.
config firewall service custom

Parameter Description Type Size Default

app-category Application category ID. integer Minimum

<id> Application category id. value: 0
Maximum
value:
4294967295

app-service- Application service type. option - disable

type

Option Description

disable Disable application type.

app-id Application ID.

app-category Applicatin category.

application Application ID. integer Minimum

<id> Application id. value: 0
Maximum
value:
4294967295

category Service category. string Maximum

length: 63

check-reset- Configure the type of ICMP error message option - default

range verification.

Option Description

disable Disable RST range check.

strict Check RST range strictly.

default Using system default setting.

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

comment Comment. var-string Maximum

length: 255

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

FortiOS 7.4.4 CLI Reference 436

Fortinet Inc.
Parameter Description Type Size Default

fqdn Fully qualified domain name. string Maximum

length: 255

helper Helper name. option - auto

Option Description

auto Automatically select helper based on protocol and port.

disable Disable helper.

ftp FTP.

tftp TFTP.

ras RAS.

h323 H323.

tns TNS.

mms MMS.

sip SIP.

pptp PPTP.

rtsp RTSP.

dns-udp DNS UDP.

dns-tcp DNS TCP.

pmap PMAP.

rsh RSH.

dcerpc DCERPC.

mgcp MGCP.

icmpcode ICMP code. integer Minimum

value: 0
Maximum
value: 255

icmptype ICMP type. integer Minimum

value: 0
Maximum
value:
4294967295

iprange Start and end of the IP range associated with user Not Specified
service.

FortiOS 7.4.4 CLI Reference 437

Fortinet Inc.
Parameter Description Type Size Default

name Custom service name. string Maximum

length: 79

protocol Protocol type based on IANA numbers. option - TCP/UDP/SCTP

Option Description

TCP/UDP/SCTP TCP, UDP and SCTP.

ICMP ICMP.

ICMP6 ICMP6.

IP IP.

HTTP HTTP - for web proxy.

FTP FTP - for web proxy.

CONNECT Connect - for web proxy.

SOCKS-TCP Socks TCP - for web proxy.

SOCKS-UDP Socks UDP - for web proxy.

ALL All - for web proxy.

protocol- IP protocol number. integer Minimum 0

number value: 0
Maximum
value: 254

proxy Enable/disable web proxy service. option - disable

Option Description

enable Enable setting.

disable Disable setting.

sctp- Multiple SCTP port ranges. user Not Specified

portrange

session-ttl Session TTL. user Not Specified

tcp-halfclose- Wait time to close a TCP session waiting for an integer Minimum 0
timer unanswered FIN packet. value: 0
Maximum
value: 86400

tcp-halfopen- Wait time to close a TCP session waiting for an integer Minimum 0
timer unanswered open session packet. value: 0
Maximum
value: 86400

FortiOS 7.4.4 CLI Reference 438

Fortinet Inc.
Parameter Description Type Size Default

tcp-portrange Multiple TCP port ranges. user Not Specified

tcp-rst-timer Set the length of the TCP CLOSE state in integer Minimum 0
seconds. value: 5
Maximum
value: 300

tcp-timewait- Set the length of the TCP TIME-WAIT state in integer Minimum 0
timer seconds. value: 0
Maximum
value: 300

udp-idle-timer Number of seconds before an idle UDP integer Minimum 0

connection times out. value: 0
Maximum
value: 86400

udp-portrange Multiple UDP port ranges. user Not Specified

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

config firewall service group

Configure service groups.

config firewall service group
Description: Configure service groups.
edit <name>
set color {integer}
set comment {var-string}
set fabric-object [enable|disable]
set member <name1>, <name2>, ...
set proxy [enable|disable]
set uuid {uuid}
next
end

config firewall service group

Parameter Description Type Size Default

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

FortiOS 7.4.4 CLI Reference 439

Fortinet Inc.
Parameter Description Type Size Default

comment Comment. var-string Maximum

length: 255

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

member Service objects contained within the group. string Maximum

<name> Service or service group name. length: 79

name Service group name. string Maximum

length: 79

proxy Enable/disable web proxy service group. option - disable

Option Description

enable Enable setting.

disable Disable setting.

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

config firewall shaper per-ip-shaper

Configure per-IP traffic shaper.

config firewall shaper per-ip-shaper
Description: Configure per-IP traffic shaper.
edit <name>
set bandwidth-unit [kbps|mbps|...]
set diffserv-forward [enable|disable]
set diffserv-reverse [enable|disable]
set diffservcode-forward {user}
set diffservcode-rev {user}
set max-bandwidth {integer}
set max-concurrent-session {integer}
set max-concurrent-tcp-session {integer}
set max-concurrent-udp-session {integer}
next
end

FortiOS 7.4.4 CLI Reference 440

Fortinet Inc.
config firewall shaper per-ip-shaper

Parameter Description Type Size Default

bandwidth-unit Unit of measurement for maximum bandwidth for this option - kbps
shaper (Kbps, Mbps or Gbps).

Option Description

kbps Kilobits per second.

mbps Megabits per second.

gbps Gigabits per second.

diffserv- Enable/disable changing the Forward (original) option - disable

forward DiffServ setting applied to traffic accepted by this
shaper.

Option Description

enable Enable setting forward (original) traffic DiffServ.

disable Disable setting forward (original) traffic DiffServ.

diffserv- Enable/disable changing the Reverse (reply) DiffServ option - disable

reverse setting applied to traffic accepted by this shaper.

Option Description

enable Enable setting reverse (reply) traffic DiffServ.

disable Disable setting reverse (reply) traffic DiffServ.

diffservcode- Forward (original) DiffServ setting to be applied to user Not

forward traffic accepted by this shaper. Specified

diffservcode- Reverse (reply) DiffServ setting to be applied to traffic user Not

rev accepted by this shaper. Specified

max-bandwidth Upper bandwidth limit enforced by this shaper. 0 integer Minimum 0

means no limit. Units depend on the bandwidth-unit value: 0
setting. Maximum
value:
80000000 **

max- Maximum number of concurrent sessions allowed by integer Minimum 0

concurrent- this shaper. 0 means no limit. value: 0
session Maximum
value:
2097000

FortiOS 7.4.4 CLI Reference 441

Fortinet Inc.
Parameter Description Type Size Default

max- Maximum number of concurrent TCP sessions allowed integer Minimum 0

concurrent-tcp- by this shaper. 0 means no limit. value: 0
session Maximum
value:
2097000

max- Maximum number of concurrent UDP sessions integer Minimum 0

concurrent- allowed by this shaper. 0 means no limit. value: 0
udp-session Maximum
value:
2097000

name Traffic shaper name. string Maximum

length: 35

** Values may differ between models.

config firewall shaper traffic-shaper

Configure shared traffic shaper.

config firewall shaper traffic-shaper
Description: Configure shared traffic shaper.
edit <name>
set bandwidth-unit [kbps|mbps|...]
set cos {user}
set cos-marking [enable|disable]
set cos-marking-method [multi-stage|static]
set diffserv [enable|disable]
set diffservcode {user}
set dscp-marking-method [multi-stage|static]
set exceed-bandwidth {integer}
set exceed-class-id {integer}
set exceed-cos {user}
set exceed-dscp {user}
set guaranteed-bandwidth {integer}
set maximum-bandwidth {integer}
set maximum-cos {user}
set maximum-dscp {user}
set overhead {integer}
set per-policy [disable|enable]
set priority [low|medium|...]
next
end

FortiOS 7.4.4 CLI Reference 442

Fortinet Inc.
config firewall shaper traffic-shaper

Parameter Description Type Size Default

bandwidth-unit Unit of measurement for guaranteed and maximum option - kbps

bandwidth for this shaper (Kbps, Mbps or Gbps).

Option Description

kbps Kilobits per second.

mbps Megabits per second.

gbps Gigabits per second.

cos VLAN CoS mark. user Not Specified

cos-marking Enable/disable VLAN CoS marking. option - disable

dscp-marking- Select DSCP marking method. option - static

method

Option Description

multi-stage Multistage marking.

static Static marking.

FortiOS 7.4.4 CLI Reference 443

Fortinet Inc.
Parameter Description Type Size Default

exceed- Exceed bandwidth used for DSCP/VLAN CoS multi- integer Minimum 0
bandwidth stage marking. Units depend on the bandwidth-unit value: 0
setting. Maximum
value:
80000000 **

exceed-class- Class ID for traffic in guaranteed-bandwidth and integer Minimum 0

id maximum-bandwidth. value: 0
Maximum
value:
4294967295

exceed-cos VLAN CoS mark for traffic in [guaranteed-bandwidth, user Not Specified
exceed-bandwidth].

exceed-dscp DSCP mark for traffic in guaranteed-bandwidth and user Not Specified
exceed-bandwidth.

guaranteed- Amount of bandwidth guaranteed for this shaper. integer Minimum 0

bandwidth Units depend on the bandwidth-unit setting. value: 0
Maximum
value:
80000000 **

maximum- Upper bandwidth limit enforced by this shaper. 0 integer Minimum 0

bandwidth means no limit. Units depend on the bandwidth-unit value: 0
setting. Maximum
value:
80000000 **

maximum-cos VLAN CoS mark for traffic in [exceed-bandwidth, user Not Specified
maximum-bandwidth].

maximum- DSCP mark for traffic in exceed-bandwidth and user Not Specified
dscp maximum-bandwidth.

name Traffic shaper name. string Maximum

length: 35

overhead Per-packet size overhead used in rate computations. integer Minimum 0

value: 0
Maximum
value: 100

per-policy Enable/disable applying a separate shaper for each option - disable

high High priority.

** Values may differ between models.

config firewall shaping-policy

Configure shaping policies.

config firewall shaping-policy
Description: Configure shaping policies.
edit <id>
set app-category <id1>, <id2>, ...
set app-group <name1>, <name2>, ...
set application <id1>, <id2>, ...
set class-id {integer}
set comment {var-string}
set cos {user}
set cos-mask {user}
set diffserv-forward [enable|disable]
set diffserv-reverse [enable|disable]
set diffservcode-forward {user}
set diffservcode-rev {user}
set dstaddr <name1>, <name2>, ...
set dstaddr6 <name1>, <name2>, ...
set dstintf <name1>, <name2>, ...
set groups <name1>, <name2>, ...
set internet-service [enable|disable]
set internet-service-custom <name1>, <name2>, ...
set internet-service-custom-group <name1>, <name2>, ...
set internet-service-group <name1>, <name2>, ...
set internet-service-name <name1>, <name2>, ...
set internet-service-src [enable|disable]
set internet-service-src-custom <name1>, <name2>, ...
set internet-service-src-custom-group <name1>, <name2>, ...
set internet-service-src-group <name1>, <name2>, ...
set internet-service-src-name <name1>, <name2>, ...
set ip-version [4|6]
set name {string}

FortiOS 7.4.4 CLI Reference 445

Fortinet Inc.
set per-ip-shaper {string}
set schedule {string}
set service <name1>, <name2>, ...
set srcaddr <name1>, <name2>, ...
set srcaddr6 <name1>, <name2>, ...
set srcintf <name1>, <name2>, ...
set status [enable|disable]
set tos {user}
set tos-mask {user}
set tos-negate [enable|disable]
set traffic-shaper {string}
set traffic-shaper-reverse {string}
set traffic-type [forwarding|local-in|...]
set url-category <id1>, <id2>, ...
set users <name1>, <name2>, ...
set uuid {uuid}
next
end

config firewall shaping-policy

Parameter Description Type Size Default

app-category IDs of one or more application categories that integer Minimum

<id> this shaper applies application control traffic value: 0
shaping to. Maximum
Category IDs. value:
4294967295

app-group One or more application group names. string Maximum

<name> Application group name. length: 79

application IDs of one or more applications that this shaper integer Minimum
<id> applies application control traffic shaping to. value: 0
Application IDs. Maximum
value:
4294967295

class-id Traffic class ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

comment Comments. var-string Maximum

length: 255

cos VLAN CoS bit pattern. user Not Specified

cos-mask VLAN CoS evaluated bits. user Not Specified

diffserv- Enable to change packet's DiffServ values to option - disable

forward the specified diffservcode-forward value.

FortiOS 7.4.4 CLI Reference 446

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting forward (original) traffic DiffServ.

disable Disable setting forward (original) traffic DiffServ.

diffserv- Enable to change packet's reverse (reply) option - disable

reverse DiffServ values to the specified diffservcode-
rev value.

Option Description

enable Enable setting reverse (reply) traffic DiffServ.

disable Disable setting reverse (reply) traffic DiffServ.

diffservcode- Change packet's DiffServ to this value. user Not Specified

forward

diffservcode- Change packet's reverse (reply) DiffServ to this user Not Specified
rev value.

dstaddr IPv4 destination address and address group string Maximum

<name> names. length: 79
Address name.

dstaddr6 IPv6 destination address and address group string Maximum

<name> names. length: 79
Address name.

dstintf <name> One or more outgoing (egress) interfaces. string Maximum

Interface name. length: 79

groups Apply this traffic shaping policy to user groups string Maximum
<name> that have authenticated with the FortiGate. length: 79
Group name.

id Shaping policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

internet-service Enable/disable use of Internet Services for this option - disable

policy. If enabled, destination address and
service are not used.

Option Description

enable Enable use of Internet Service in shaping-policy.

disable Disable use of Internet Service in shaping-policy.

FortiOS 7.4.4 CLI Reference 447

Fortinet Inc.
Parameter Description Type Size Default

internet- Custom Internet Service name. string Maximum

service-custom Custom Internet Service name. length: 79
<name>

internet- Custom Internet Service group name. string Maximum

service- Custom Internet Service group name. length: 79
custom-group
<name>

internet- Internet Service group name. string Maximum

service-group Internet Service group name. length: 79
<name>

internet- Internet Service ID. string Maximum

service-name Internet Service name. length: 79
<name>

internet- Enable/disable use of Internet Services in option - disable

service-src source for this policy. If enabled, source
address is not used.

Option Description

enable Enable use of Internet Service source in shaping-policy.

disable Disable use of Internet Service source in shaping-policy.

internet- Custom Internet Service source name. string Maximum

service-src- Custom Internet Service name. length: 79
custom
<name>

internet- Custom Internet Service source group name. string Maximum

service-src- Custom Internet Service group name. length: 79
custom-group
<name>

internet- Internet Service source group name. string Maximum

service-src- Internet Service group name. length: 79
group <name>

internet- Internet Service source name. string Maximum

service-src- Internet Service name. length: 79
name <name>

ip-version Apply this traffic shaping policy to IPv4 or IPv6 option - 4

traffic.

Option Description

4 Use IPv4 addressing for Configuration Method.

FortiOS 7.4.4 CLI Reference 448

Fortinet Inc.
Parameter Description Type Size Default

Option Description

6 Use IPv6 addressing for Configuration Method.

name Shaping policy name. string Maximum

length: 35

per-ip-shaper Per-IP traffic shaper to apply with this policy. string Maximum
length: 35

schedule Schedule name. string Maximum

length: 35

service Service and service group names. string Maximum

<name> Service name. length: 79

srcaddr IPv4 source address and address group string Maximum

<name> names. length: 79
Address name.

srcaddr6 IPv6 source address and address group string Maximum

<name> names. length: 79
Address name.

srcintf <name> One or more incoming (ingress) interfaces. string Maximum

Interface name. length: 79

status Enable/disable this traffic shaping policy. option - enable

Option Description

enable Enable traffic shaping policy.

disable Disable traffic shaping policy.

tos ToS (Type of Service) value used for user Not Specified
comparison.

tos-mask Non-zero bit positions are used for comparison user Not Specified
while zero bit positions are ignored.

tos-negate Enable negated TOS match. option - disable

Option Description

enable Enable TOS match negate.

disable Disable TOS match negate.

traffic-shaper Traffic shaper to apply to traffic forwarded by string Maximum

the firewall policy. length: 35

FortiOS 7.4.4 CLI Reference 449

Fortinet Inc.
Parameter Description Type Size Default

traffic-shaper- Traffic shaper to apply to response traffic string Maximum

reverse received by the firewall policy. length: 35

traffic-type Traffic type. option - forwarding

Option Description

forwarding Forwarding traffic.

local-in Local-in traffic.

local-out Local-out traffic.

url-category IDs of one or more FortiGuard Web Filtering integer Minimum

<id> categories that this shaper applies traffic value: 0
shaping to. Maximum
URL category ID. value:
4294967295

users <name> Apply this traffic shaping policy to individual string Maximum
users that have authenticated with the length: 79
FortiGate.
User name.

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

config firewall shaping-profile

Configure shaping profiles.

config firewall shaping-profile
Description: Configure shaping profiles.
edit <profile-name>
set comment {var-string}
set default-class-id {integer}
config shaping-entries
Description: Define shaping entries of this shaping profile.
edit <id>
set class-id {integer}
set priority [top|critical|...]
set guaranteed-bandwidth-percentage {integer}
set maximum-bandwidth-percentage {integer}
set limit {integer}
set burst-in-msec {integer}
set cburst-in-msec {integer}
set red-probability {integer}
set min {integer}
set max {integer}
next
end

FortiOS 7.4.4 CLI Reference 450

Fortinet Inc.
set type [policing|queuing]
next
end

config firewall shaping-profile

Parameter Description Type Size Default

comment Comment. var-string Maximum

length: 1023

default-class- Default class ID to handle unclassified packets integer Minimum 0

id (including all local traffic). value: 0
Maximum
value:
4294967295

profile-name Shaping profile name. string Maximum

length: 35

type Select shaping profile type: policing / queuing. option - policing

Option Description

policing Enable policing mode.

queuing Enable queuing mode.

config shaping-entries

Parameter Description Type Size Default

id ID number. integer Minimum 0

value: 0
Maximum
value:
4294967295

class-id Class ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

priority Priority. option - high

Option Description

top Top priority.

critical Critical priority.

FortiOS 7.4.4 CLI Reference 451

Fortinet Inc.
Parameter Description Type Size Default

Option Description

high High priority.

medium Medium priority.

low Low priority.

guaranteed- Guaranteed bandwidth in percentage. integer Minimum 0

bandwidth- value: 0
percentage Maximum
value: 100

maximum- Maximum bandwidth in percentage. integer Minimum 1

bandwidth- value: 1
percentage Maximum
value: 100

limit Hard limit on the real queue size in packets. integer Minimum 1000
value: 5
Maximum
value: 10000

burst-in-msec Number of bytes that can be burst at maximum- integer Minimum 0

bandwidth speed. Formula: burst = maximum- value: 0
bandwidth*burst-in-msec. Maximum
value: 2000

cburst-in- Number of bytes that can be burst as fast as the integer Minimum 0
msec interface can transmit. Formula: cburst = maximum- value: 0
bandwidth*cburst-in-msec. Maximum
value: 2000

red-probability Maximum probability (in percentage) for RED integer Minimum 0

marking. value: 0
Maximum
value: 20

min Average queue size in packets at which RED drop integer Minimum 83
becomes a possibility. value: 3
Maximum
value: 3000

max Average queue size in packets at which RED drop integer Minimum 250
probability is maximal. value: 3
Maximum
value: 3000

config firewall sniffer

Configure sniffer.

FortiOS 7.4.4 CLI Reference 452

Fortinet Inc.
config firewall sniffer
Description: Configure sniffer.
edit <id>
config anomaly
Description: Configuration method to edit Denial of Service (DoS) anomaly
settings.
edit <name>
set status [disable|enable]
set log [enable|disable]
set action [pass|block]
set quarantine [none|attacker]
set quarantine-expiry {user}
set quarantine-log [disable|enable]
set threshold {integer}
set threshold(default) {integer}
next
end
set application-list {string}
set application-list-status [enable|disable]
set av-profile {string}
set av-profile-status [enable|disable]
set dlp-profile {string}
set dlp-profile-status [enable|disable]
set dsri [enable|disable]
set emailfilter-profile {string}
set emailfilter-profile-status [enable|disable]
set file-filter-profile {string}
set file-filter-profile-status [enable|disable]
set host {string}
set interface {string}
set ip-threatfeed <name1>, <name2>, ...
set ip-threatfeed-status [enable|disable]
set ips-dos-status [enable|disable]
set ips-sensor {string}
set ips-sensor-status [enable|disable]
set ipv6 [enable|disable]
set logtraffic [all|utm|...]
set non-ip [enable|disable]
set port {string}
set protocol {string}
set status [enable|disable]
set uuid {uuid}
set vlan {string}
set webfilter-profile {string}
set webfilter-profile-status [enable|disable]
next
end

config firewall sniffer

Parameter Description Type Size Default

enable Enable setting.

disable Disable setting.

dsri Enable/disable DSRI. option - disable

Option Description

enable Enable DSRI.

disable Disable DSRI.

emailfilter- Name of an existing email filter profile. string Maximum

profile length: 35

emailfilter- Enable/disable emailfilter. option - disable

profile-status

Option Description

enable Enable setting.

disable Disable setting.

FortiOS 7.4.4 CLI Reference 454

Fortinet Inc.
Parameter Description Type Size Default

file-filter- Name of an existing file-filter profile. string Maximum

profile length: 35

file-filter- Enable/disable file filter. option - disable

profile-status

Option Description

enable Enable setting.

disable Disable setting.

host Hosts to filter for in sniffer traffic. string Maximum

length: 63

id Sniffer ID. integer Minimum 0

value: 0
Maximum
value: 9999

interface Interface name that traffic sniffing will take place string Maximum
on. length: 35

ip-threatfeed Name of an existing IP threat feed. string Maximum

<name> Threat feed name. length: 79

ip-threatfeed- Enable/disable IP threat feed. option - disable

status

Option Description

enable Enable setting.

disable Disable setting.

ips-dos-status Enable/disable IPS DoS anomaly detection. option - disable

Option Description

enable Enable setting.

disable Disable setting.

ips-sensor Name of an existing IPS sensor. string Maximum

length: 35

ips-sensor- Enable/disable IPS sensor. option - disable

status

Option Description

enable Enable setting.

disable Disable setting.

FortiOS 7.4.4 CLI Reference 455

Fortinet Inc.
Parameter Description Type Size Default

ipv6 Enable/disable sniffing IPv6 packets. option - disable

Option Description

enable Enable sniffer for IPv6 packets.

disable Disable sniffer for IPv6 packets.

logtraffic Either log all sessions, only sessions that have a option - utm
security profile applied, or disable all logging for
this policy.

Option Description

all Log all sessions accepted or denied by this policy.

utm Log traffic that has a security profile applied to it.

disable Disable all logging for this policy.

non-ip Enable/disable sniffing non-IP packets. option - disable

Option Description

enable Enable sniffer for non-IP packets.

disable Disable sniffer for non-IP packets.

port Ports to sniff. string Maximum

length: 63

protocol Integer value for the protocol type as defined by string Maximum
IANA. length: 63

status Enable/disable the active status of the sniffer. option - enable

Option Description

enable Enable sniffer status.

disable Disable sniffer status.

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

vlan List of VLANs to sniff. string Maximum

length: 63

webfilter- Name of an existing web filter profile. string Maximum

profile length: 35

webfilter- Enable/disable web filter profile. option - disable

profile-status

FortiOS 7.4.4 CLI Reference 456

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

config anomaly

Parameter Description Type Size Default

Option Description

disable Disable quarantine logging.

enable Enable quarantine logging.

threshold Anomaly threshold. Number of detected instances integer Minimum 0

(packets per second or concurrent session number) value: 1
that triggers the anomaly action. Maximum
value:
2147483647

threshold Number of detected instances. Note that each integer Minimum 0

(default) anomaly has a different threshold value assigned to value: 0
it. Maximum
value:
4294967295

config firewall ssh host-key

SSH proxy host public keys.

config firewall ssh host-key
Description: SSH proxy host public keys.
edit <name>
set hostname {string}
set ip {ipv4-address-any}
set nid [256|384|...]
set port {integer}
set public-key {var-string}
set status [trusted|revoked]
set type [RSA|DSA|...]
set usage [transparent-proxy|access-proxy]
next
end

config firewall ssh host-key

Parameter Description Type Size Default

hostname Hostname of the SSH server to match SSH string Maximum

certificate principals. length: 255

ip IP address of the SSH server. ipv4- Not Specified 0.0.0.0

address-
any

name SSH public key name. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 458

Fortinet Inc.
Parameter Description Type Size Default

nid Set the nid of the ECDSA key. option - 256

Option Description

256 The NID is ecdsa-sha2-nistp256.

384 The NID is ecdsa-sha2-nistp384.

521 The NID is ecdsa-sha2-nistp521.

port Port of the SSH server. integer Minimum 22

value: 0
Maximum
value:
4294967295

public-key SSH public key. var-string Maximum

length: 32768

status Set the trust status of the public key. option - trusted

Option Description

trusted The public key is trusted.

revoked The public key is revoked.

type Set the type of the public key. option - RSA

Option Description

RSA The type of the public key is RSA.

DSA The type of the public key is DSA.

ECDSA The type of the public key is ECDSA.

ED25519 The type of the public key is ED25519.

RSA-CA The type of the public key is from RSA CA.

DSA-CA The type of the public key is from DSA CA.

ECDSA-CA The type of the public key is from ECDSA CA.

ED25519-CA The type of the public key is from ED25519 CA.

usage Usage for this public key. option - transparent-

proxy

Option Description

transparent- Transparent proxy uses this public key to validate server.

proxy

access-proxy Access proxy uses this public key to validate server.

FortiOS 7.4.4 CLI Reference 459

Fortinet Inc.
config firewall ssh local-ca

SSH proxy local CA.

config firewall ssh local-ca
Description: SSH proxy local CA.
edit <name>
set password {password}
set private-key {user}
set public-key {user}
set source [built-in|user]
next
end

config firewall ssh local-ca

Parameter Description Type Size Default

name SSH proxy local CA name. string Maximum

length: 35

password Password for SSH private key. password Not

Specified

private-key SSH proxy private key, encrypted with a password. user Not
Specified

public-key SSH proxy public key. user Not

Specified

source SSH proxy local CA source type. option - user

Option Description

built-in Built-in SSH proxy local keys.

user User imported SSH proxy local keys.

config firewall ssh local-key

SSH proxy local keys.

config firewall ssh local-key
Description: SSH proxy local keys.
edit <name>
set password {password}
set private-key {user}
set public-key {user}
set source [built-in|user]
next
end

FortiOS 7.4.4 CLI Reference 460

Fortinet Inc.
config firewall ssh local-key

Parameter Description Type Size Default

name SSH proxy local key name. string Maximum

length: 35

password Password for SSH private key. password Not

Specified

private-key SSH proxy private key, encrypted with a password. user Not
Specified

public-key SSH proxy public key. user Not

Specified

source SSH proxy local key source type. option - user

Option Description

built-in Built-in SSH proxy local keys.

user User imported SSH proxy local keys.

config firewall ssh setting

SSH proxy settings.

config firewall ssh setting
Description: SSH proxy settings.
set caname {string}
set host-trusted-checking [enable|disable]
set hostkey-dsa1024 {string}
set hostkey-ecdsa256 {string}
set hostkey-ecdsa384 {string}
set hostkey-ecdsa521 {string}
set hostkey-ed25519 {string}
set hostkey-rsa2048 {string}
set untrusted-caname {string}
end

config firewall ssh setting

Parameter Description Type Size Default

caname CA certificate used by SSH Inspection. string Maximum

length: 35

host-trusted- Enable/disable host trusted checking. option - enable

checking

FortiOS 7.4.4 CLI Reference 461

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable host key trusted checking.

disable Disable host key trusted checking.

hostkey- DSA certificate used by SSH proxy. string Maximum

dsa1024 length: 35

hostkey- ECDSA nid256 certificate used by SSH proxy. string Maximum

ecdsa256 length: 35

hostkey- ECDSA nid384 certificate used by SSH proxy. string Maximum

ecdsa384 length: 35

hostkey- ECDSA nid384 certificate used by SSH proxy. string Maximum

ecdsa521 length: 35

hostkey- ED25519 hostkey used by SSH proxy. string Maximum

ed25519 length: 35

hostkey- RSA certificate used by SSH proxy. string Maximum

rsa2048 length: 35

untrusted- Untrusted CA certificate used by SSH Inspection. string Maximum

caname length: 35

config firewall ssl-server

Configure SSL servers.

config firewall ssl-server
Description: Configure SSL servers.
edit <name>
set add-header-x-forwarded-proto [enable|disable]
set ip {ipv4-address-any}
set mapped-port {integer}
set port {integer}
set ssl-algorithm [high|medium|...]
set ssl-cert <name1>, <name2>, ...
set ssl-client-renegotiation [allow|deny|...]
set ssl-dh-bits [768|1024|...]
set ssl-max-version [tls-1.0|tls-1.1|...]
set ssl-min-version [tls-1.0|tls-1.1|...]
set ssl-mode [half|full]
set ssl-send-empty-frags [enable|disable]
set url-rewrite [enable|disable]
next
end

FortiOS 7.4.4 CLI Reference 462

Fortinet Inc.
config firewall ssl-server

Parameter Description Type Size Default

add-header-x- Enable/disable adding an X-Forwarded-Proto header option - enable

forwarded- to forwarded requests.
proto

Option Description

enable Add X-Forwarded-Proto header.

disable Do not add X-Forwarded-Proto header.

ip IPv4 address of the SSL server. ipv4- Not 0.0.0.0

address- Specified
any

mapped-port Mapped server service port. integer Minimum 80

value: 1
Maximum
value:
65535

name Server name. string Maximum

length: 35

port Server service port. integer Minimum 443

value: 1
Maximum
value:
65535

ssl-algorithm Relative strength of encryption algorithms accepted in option - high

negotiation.

Option Description

high High encryption. Allow only AES and ChaCha

medium Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-cert List of certificate names to use for SSL connections to string Maximum
<name> this server. (default = "Fortinet_SSL"). length: 79
Certificate list.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-min-version Lowest SSL/TLS version to negotiate. option - tls-1.1

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-mode SSL/TLS mode for encryption and decryption of traffic. option - full

Option Description

half Client to FortiGate SSL.

full Client to FortiGate and FortiGate to Server SSL.

FortiOS 7.4.4 CLI Reference 464

Fortinet Inc.
Parameter Description Type Size Default

ssl-send- Enable/disable sending empty fragments to avoid option - enable

empty-frags attack on CBC IV.

Option Description

enable Send empty fragments.

disable Do not send empty fragments.

url-rewrite Enable/disable rewriting the URL. option - disable

Option Description

enable Enable setting.

disable Disable setting.

config firewall ssl-ssh-profile

Configure SSL/SSH protocol options.

config firewall ssl-ssh-profile
Description: Configure SSL/SSH protocol options.
edit <name>
set allowlist [enable|disable]
set block-blocklisted-certificates [disable|enable]
set caname {string}
set comment {var-string}
config dot
Description: Configure DNS over TLS options.
set status [disable|deep-inspection]
set quic [inspect|bypass|...]
set proxy-after-tcp-handshake [enable|disable]
set client-certificate [bypass|inspect|...]
set unsupported-ssl-version [allow|block]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
end
config ech-outer-sni
Description: ClientHelloOuter SNIs to be blocked.
edit <name>
set sni {string}
next
end
config ftps
Description: Configure FTPS options.
set ports {integer}

FortiOS 7.4.4 CLI Reference 465

Fortinet Inc.
set status [disable|deep-inspection]
set client-certificate [bypass|inspect|...]
set unsupported-ssl-version [allow|block]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
set min-allowed-ssl-version [ssl-3.0|tls-1.0|...]
end
config https
Description: Configure HTTPS options.
set ports {integer}
set status [disable|certificate-inspection|...]
set quic [inspect|bypass|...]
set proxy-after-tcp-handshake [enable|disable]
set client-certificate [bypass|inspect|...]
set unsupported-ssl-version [allow|block]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
set cert-probe-failure [allow|block]
set encrypted-client-hello [allow|block]
set min-allowed-ssl-version [ssl-3.0|tls-1.0|...]
end
config imaps
Description: Configure IMAPS options.
set ports {integer}
set status [disable|deep-inspection]
set proxy-after-tcp-handshake [enable|disable]
set client-certificate [bypass|inspect|...]
set unsupported-ssl-version [allow|block]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
end
set mapi-over-https [enable|disable]
config pop3s
Description: Configure POP3S options.
set ports {integer}
set status [disable|deep-inspection]
set proxy-after-tcp-handshake [enable|disable]
set client-certificate [bypass|inspect|...]

FortiOS 7.4.4 CLI Reference 466

Fortinet Inc.
set unsupported-ssl-version [allow|block]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
end
set rpc-over-https [enable|disable]
set server-cert <name1>, <name2>, ...
set server-cert-mode [re-sign|replace]
config smtps
Description: Configure SMTPS options.
set ports {integer}
set status [disable|deep-inspection]
set proxy-after-tcp-handshake [enable|disable]
set client-certificate [bypass|inspect|...]
set unsupported-ssl-version [allow|block]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
end
config ssh
Description: Configure SSH options.
set ports {integer}
set status [disable|deep-inspection]
set inspect-all [disable|deep-inspection]
set proxy-after-tcp-handshake [enable|disable]
set unsupported-version [bypass|block]
set ssh-tun-policy-check [disable|enable]
set ssh-algorithm [compatible|high-encryption]
end
config ssl
Description: Configure SSL options.
set inspect-all [disable|certificate-inspection|...]
set client-certificate [bypass|inspect|...]
set unsupported-ssl-version [allow|block]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
set cert-probe-failure [allow|block]
set encrypted-client-hello [allow|block]
set min-allowed-ssl-version [ssl-3.0|tls-1.0|...]
end

FortiOS 7.4.4 CLI Reference 467

Fortinet Inc.
set ssl-anomaly-log [disable|enable]
config ssl-exempt
Description: Servers to exempt from SSL inspection.
edit <id>
set type [fortiguard-category|address|...]
set fortiguard-category {integer}
set address {string}
set address6 {string}
set wildcard-fqdn {string}
set regex {string}
next
end
set ssl-exemption-ip-rating [enable|disable]
set ssl-exemption-log [disable|enable]
set ssl-handshake-log [disable|enable]
set ssl-negotiation-log [disable|enable]
config ssl-server
Description: SSL server settings used for client certificate request.
edit <id>
set ip {ipv4-address-any}
set https-client-certificate [bypass|inspect|...]
set smtps-client-certificate [bypass|inspect|...]
set pop3s-client-certificate [bypass|inspect|...]
set imaps-client-certificate [bypass|inspect|...]
set ftps-client-certificate [bypass|inspect|...]
set ssl-other-client-certificate [bypass|inspect|...]
next
end
set ssl-server-cert-log [disable|enable]
set supported-alpn [http1-1|http2|...]
set untrusted-caname {string}
set use-ssl-server [disable|enable]
next
end

config firewall ssl-ssh-profile

Parameter Description Type Size Default

allowlist Enable/disable exempting servers by FortiGuard option - disable

allowlist.

Option Description

enable Enable setting.

disable Disable setting.

block- Enable/disable blocking SSL-based botnet option - enable

blocklisted- communication by FortiGuard certificate blocklist.
certificates

FortiOS 7.4.4 CLI Reference 468

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable FortiGuard certificate blocklist.

enable Enable FortiGuard certificate blocklist.

caname CA certificate used by SSL Inspection. string Maximum Fortinet_

length: 35 CA_SSL

comment Optional comments. var-string Maximum

length: 255

mapi-over- Enable/disable inspection of MAPI over HTTPS. option - disable

https

Option Description

enable Enable inspection of MAPI over HTTPS.

disable Disable inspection of MAPI over HTTPS.

name Name. string Maximum

length: 35

rpc-over-https Enable/disable inspection of RPC over HTTPS. option - disable

Option Description

enable Enable inspection of RPC over HTTPS.

disable Disable inspection of RPC over HTTPS.

server-cert Certificate used by SSL Inspection to replace server string Maximum

<name> certificate. length: 79
Certificate list.

server-cert- Re-sign or replace the server's certificate. option - re-sign

mode

Option Description

re-sign Multiple clients connecting to multiple servers.

replace Protect an SSL server.

ssl-anomaly- Enable/disable logging of SSL anomalies. option - enable

log

Option Description

disable Disable logging of SSL anomalies.

enable Enable logging of SSL anomalies.

disable Disable logging of server certificate information.

enable Enable logging of server certificate information.

supported- Configure ALPN option. option - all

alpn

FortiOS 7.4.4 CLI Reference 470

Fortinet Inc.
Parameter Description Type Size Default

Option Description

http1-1 Enable all ALPN including HTTP1.1 except HTTP2 and SPDY.

http2 Enable all ALPN including HTTP2 except HTTP1.1 and SPDY.

all Allow all ALPN extensions except SPDY.

none Do not use ALPN.

untrusted- Untrusted CA certificate used by SSL Inspection. string Maximum Fortinet_

caname length: 35 CA_
Untrusted

use-ssl-server Enable/disable the use of SSL server table for SSL option - disable
offloading.

Option Description

disable Don't use SSL server configuration.

enable Use SSL server configuration.

config dot

Parameter Description Type Size Default

status Configure protocol inspection status. option - disable

Option Description

disable Disable.

deep-inspection Full SSL inspection.

quic QUIC inspection status. option - inspect

Option Description

inspect Inspect QUIC traffic.

bypass Bypass QUIC traffic.

block Block QUIC traffic.

proxy-after-tcp- Proxy traffic after the TCP 3-way handshake has been option - disable
handshake established (not before).

Option Description

enable Enable setting.

disable Disable setting.

FortiOS 7.4.4 CLI Reference 471

Fortinet Inc.
Parameter Description Type Size Default

client-certificate Action based on received client certificate. option - bypass

Option Description

bypass Bypass the session.

inspect Inspect the session.

block Block the session.

unsupported- Action based on the SSL version used being option - block
ssl-version unsupported.

Option Description

allow Bypass the session when the version is not supported.

block Block the session when the version is not supported.

unsupported- Action based on the SSL cipher used being option - allow
ssl-cipher unsupported.

Option Description

allow Bypass the session when the cipher is not supported.

block Block the session when the cipher is not supported.

unsupported- Action based on the SSL negotiation used being option - allow
ssl-negotiation unsupported.

Option Description

allow Bypass the session when the negotiation is not supported.

block Block the session when the negotiation is not supported.

expired-server- Action based on server certificate is expired. option - block

cert

Option Description

allow Allow the server certificate.

block Block the session.

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

sni-server-cert- Check the SNI in the client hello message with the CN option - enable
check or SAN fields in the returned server certificate.

Option Description

enable Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, use the CN in the server certificate
to do URL filtering.

strict Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, close the connection.

disable Do not check the SNI in the client hello message with the CN or SAN fields in
the returned server certificate.

FortiOS 7.4.4 CLI Reference 473

Fortinet Inc.
config ech-outer-sni

Parameter Description Type Size Default

name ClientHelloOuter SNI name. string Maximum

length: 79

sni ClientHelloOuter SNI to be blocked. string Maximum

length: 255

config ftps

Parameter Description Type Size Default

ports Ports to use for scanning. integer Minimum

value: 1
Maximum
value:
65535

status Configure protocol inspection status. option - deep-

inspection

unsupported- Action based on the SSL cipher used being option - allow
ssl-cipher unsupported.

FortiOS 7.4.4 CLI Reference 474

Fortinet Inc.
Parameter Description Type Size Default

Option Description

allow Bypass the session when the cipher is not supported.

block Block the session when the cipher is not supported.

FortiOS 7.4.4 CLI Reference 475

Fortinet Inc.
Parameter Description Type Size Default

Option Description

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

cert-validation- Action based on certificate validation failure. option - block

failure

Option Description

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

sni-server-cert- Check the SNI in the client hello message with the CN option - enable
check or SAN fields in the returned server certificate.

Option Description

enable Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, use the CN in the server certificate
to do URL filtering.

strict Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, close the connection.

disable Do not check the SNI in the client hello message with the CN or SAN fields in
the returned server certificate.

min-allowed- Minimum SSL version to be allowed. Flow-based option - tls-1.1

ssl-version inspection does not support SSL version control.

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

FortiOS 7.4.4 CLI Reference 476

Fortinet Inc.
config https

Parameter Description Type Size Default

ports Ports to use for scanning. integer Minimum

value: 1
Maximum
value:
65535

status Configure protocol inspection status. option - deep-

inspection

Option Description

disable Disable.

certificate- Inspect SSL handshake only.

inspection

deep-inspection Full SSL inspection.

quic QUIC inspection status. option - inspect

Option Description

inspect Inspect QUIC traffic.

bypass Bypass QUIC traffic.

block Block QUIC traffic.

proxy-after-tcp- Proxy traffic after the TCP 3-way handshake has been option - disable
handshake established (not before).

Option Description

enable Enable setting.

disable Disable setting.

client-certificate Action based on received client certificate. option - bypass

Option Description

bypass Bypass the session.

inspect Inspect the session.

block Block the session.

unsupported- Action based on the SSL version used being option - block
ssl-version unsupported.

FortiOS 7.4.4 CLI Reference 477

Fortinet Inc.
Parameter Description Type Size Default

Option Description

allow Bypass the session when the version is not supported.

block Block the session when the version is not supported.

unsupported- Action based on the SSL cipher used being option - allow
ssl-cipher unsupported.

Option Description

allow Bypass the session when the cipher is not supported.

block Block the session when the cipher is not supported.

unsupported- Action based on the SSL negotiation used being option - allow
ssl-negotiation unsupported.

Option Description

allow Bypass the session when the negotiation is not supported.

block Block the session when the negotiation is not supported.

expired-server- Action based on server certificate is expired. option - block

cert

Option Description

allow Allow the server certificate.

Option Description

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

sni-server-cert- Check the SNI in the client hello message with the CN option - enable
check or SAN fields in the returned server certificate.

Option Description

enable Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, use the CN in the server certificate
to do URL filtering.

strict Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, close the connection.

disable Do not check the SNI in the client hello message with the CN or SAN fields in
the returned server certificate.

cert-probe- Action based on certificate probe failure. option - block

failure

Option Description

allow Bypass the session when unable to retrieve server's certificate for
inspection.

block Block the session when unable to retrieve server's certificate for inspection.

FortiOS 7.4.4 CLI Reference 479

Fortinet Inc.
Parameter Description Type Size Default

encrypted- Block/allow session based on existence of encrypted- option - block

client-hello client-hello.

Option Description

allow Pass the session when encrypted-client-hello exists.

block Block the session when encrypted-client-hello exists.

min-allowed- Minimum SSL version to be allowed. Flow-based option - tls-1.1

ssl-version inspection does not support SSL version control.

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

config imaps

Parameter Description Type Size Default

ports Ports to use for scanning. integer Minimum

value: 1
Maximum
value:
65535

status Configure protocol inspection status. option - deep-

inspection

Option Description

disable Disable.

deep-inspection Full SSL inspection.

proxy-after-tcp- Proxy traffic after the TCP 3-way handshake has been option - disable
handshake established (not before).

Option Description

enable Enable setting.

disable Disable setting.

client-certificate Action based on received client certificate. option - inspect

FortiOS 7.4.4 CLI Reference 480

Fortinet Inc.
Parameter Description Type Size Default

Option Description

bypass Bypass the session.

inspect Inspect the session.

block Block the session.

unsupported- Action based on the SSL version used being option - block
ssl-version unsupported.

Option Description

allow Bypass the session when the version is not supported.

block Block the session when the version is not supported.

unsupported- Action based on the SSL cipher used being option - allow
ssl-cipher unsupported.

Option Description

allow Bypass the session when the cipher is not supported.

block Block the session when the cipher is not supported.

unsupported- Action based on the SSL negotiation used being option - allow
ssl-negotiation unsupported.

timeout

Option Description

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

cert-validation- Action based on certificate validation failure. option - block

failure

Option Description

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

sni-server-cert- Check the SNI in the client hello message with the CN option - enable
check or SAN fields in the returned server certificate.

Option Description

enable Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, use the CN in the server certificate
to do URL filtering.

strict Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, close the connection.

disable Do not check the SNI in the client hello message with the CN or SAN fields in
the returned server certificate.

FortiOS 7.4.4 CLI Reference 482

Fortinet Inc.
config pop3s

Parameter Description Type Size Default

ports Ports to use for scanning. integer Minimum

value: 1
Maximum
value:
65535

status Configure protocol inspection status. option - deep-

inspection

Option Description

disable Disable.

deep-inspection Full SSL inspection.

proxy-after-tcp- Proxy traffic after the TCP 3-way handshake has been option - disable
handshake established (not before).

Option Description

enable Enable setting.

disable Disable setting.

client-certificate Action based on received client certificate. option - inspect

Option Description

bypass Bypass the session.

inspect Inspect the session.

block Block the session.

cert-validation- Action based on certificate validation failure. option - block

failure

FortiOS 7.4.4 CLI Reference 484

Fortinet Inc.
Parameter Description Type Size Default

Option Description

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

sni-server-cert- Check the SNI in the client hello message with the CN option - enable
check or SAN fields in the returned server certificate.

Option Description

enable Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, use the CN in the server certificate
to do URL filtering.

strict Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, close the connection.

disable Do not check the SNI in the client hello message with the CN or SAN fields in
the returned server certificate.

config smtps

Parameter Description Type Size Default

ports Ports to use for scanning. integer Minimum

value: 1
Maximum
value:
65535

status Configure protocol inspection status. option - deep-

inspection

Option Description

disable Disable.

deep-inspection Full SSL inspection.

proxy-after-tcp- Proxy traffic after the TCP 3-way handshake has been option - disable
handshake established (not before).

Option Description

enable Enable setting.

disable Disable setting.

client-certificate Action based on received client certificate. option - inspect

FortiOS 7.4.4 CLI Reference 485

Fortinet Inc.
Parameter Description Type Size Default

Option Description

bypass Bypass the session.

inspect Inspect the session.

block Block the session.

unsupported- Action based on the SSL version used being option - block
ssl-version unsupported.

Option Description

allow Bypass the session when the version is not supported.

block Block the session when the version is not supported.

unsupported- Action based on the SSL cipher used being option - allow
ssl-cipher unsupported.

Option Description

allow Bypass the session when the cipher is not supported.

block Block the session when the cipher is not supported.

unsupported- Action based on the SSL negotiation used being option - allow
ssl-negotiation unsupported.

timeout

Option Description

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

cert-validation- Action based on certificate validation failure. option - block

failure

Option Description

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

sni-server-cert- Check the SNI in the client hello message with the CN option - enable
check or SAN fields in the returned server certificate.

Option Description

enable Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, use the CN in the server certificate
to do URL filtering.

strict Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, close the connection.

disable Do not check the SNI in the client hello message with the CN or SAN fields in
the returned server certificate.

FortiOS 7.4.4 CLI Reference 487

Fortinet Inc.
config ssh

Parameter Description Type Size Default

ports Ports to use for scanning. integer Minimum

value: 1
Maximum
value:
65535

status Configure protocol inspection status. option - disable

ssh-tun-policy- Enable/disable SSH tunnel policy check. option - disable

check

Option Description

disable Disable SSH tunnel policy check.

enable Enable SSH tunnel policy check.

ssh-algorithm Relative strength of encryption algorithms accepted option - compatible

during negotiation.

FortiOS 7.4.4 CLI Reference 488

Fortinet Inc.
Parameter Description Type Size Default

Option Description

compatible Allow a broader set of encryption algorithms for best compatibility.

high-encryption Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms.

config ssl

Parameter Description Type Size Default

inspect-all Level of SSL inspection. option - disable

Option Description

disable Disable.

certificate- Inspect SSL handshake only.

inspection

deep-inspection Full SSL inspection.

client-certificate Action based on received client certificate. option - bypass

Option Description

bypass Bypass the session.

inspect Inspect the session.

block Block the session.

unsupported- Action based on the SSL version used being option - block
ssl-version unsupported.

Option Description

allow Bypass the session when the version is not supported.

block Block the session when the version is not supported.

unsupported- Action based on the SSL cipher used being option - allow
ssl-cipher unsupported.

Option Description

allow Bypass the session when the cipher is not supported.

block Block the session when the cipher is not supported.

unsupported- Action based on the SSL negotiation used being option - allow
ssl-negotiation unsupported.

FortiOS 7.4.4 CLI Reference 489

FortiOS 7.4.4 CLI Reference 490

Fortinet Inc.
Parameter Description Type Size Default

Option Description

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

sni-server-cert- Check the SNI in the client hello message with the CN option - enable
check or SAN fields in the returned server certificate.

Option Description

enable Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, use the CN in the server certificate
to do URL filtering.

strict Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, close the connection.

disable Do not check the SNI in the client hello message with the CN or SAN fields in
the returned server certificate.

cert-probe- Action based on certificate probe failure. option - block

failure

Option Description

allow Bypass the session when unable to retrieve server's certificate for
inspection.

block Block the session when unable to retrieve server's certificate for inspection.

encrypted- Block/allow session based on existence of encrypted- option - block

client-hello client-hello.

Parameter Description Type Size Default

id ID number. integer Minimum 0

value: 0
Maximum
value: 512

type Type of address object (IPv4 or IPv6) or FortiGuard option - fortiguard-

category. category

Option Description

fortiguard- FortiGuard category.

address Firewall IPv4 address.

address6 Firewall IPv6 address.

wildcard-fqdn Fully Qualified Domain Name with wildcard characters.

regex Regular expression FQDN.

Parameter Description Type Size Default

id SSL server ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 494

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable use of SSL abbreviated handshake.

disable Disable use of SSL abbreviated handshake.

cert-cache- Maximum capacity of the host certificate cache. integer Minimum 200
capacity value: 0
Maximum
value: 500

cert-cache- Time limit to keep certificate cache. integer Minimum 10

timeout value: 1
Maximum
value: 120

kxp-queue- Maximum length of the CP KXP queue. When the integer Minimum 16
threshold * queue becomes full, the proxy switches cipher functions value: 0
to the main CPU. Maximum
value: 512

no-matching- Bypass or drop the connection when no matching cipher option - bypass
cipher-action is found.

Option Description

bypass Bypass connection.

drop Drop connection.

proxy- Time limit to make an internal connection to the integer Minimum 30

connect- appropriate proxy process. value: 1
timeout Maximum
value: 60

session- Capacity of the SSL session cache. integer Minimum 500

cache- value: 0
capacity Maximum
value: 1000

session- Time limit to keep SSL session state. integer Minimum 20

cache-timeout value: 1
Maximum
value: 60

ssl-dh-bits Bit-size of Diffie-Hellman. option - 2048

enable Send empty fragments.

disable Do not send empty fragments.

* This parameter may not exist in some models.

config firewall traffic-class

Configure names for shaping classes.

config firewall traffic-class
Description: Configure names for shaping classes.
edit <class-id>
set class-name {string}
next
end

config firewall traffic-class

Parameter Description Type Size Default

class-id Class ID to be named. integer Minimum 0

value: 2
Maximum
value: 31

class-name Define the name for this class-id. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 496

Fortinet Inc.
config firewall ttl-policy

Configure TTL policies.

config firewall ttl-policy
Description: Configure TTL policies.
edit <id>
set action [accept|deny]
set schedule {string}
set service <name1>, <name2>, ...
set srcaddr <name1>, <name2>, ...
set srcintf {string}
set status [enable|disable]
set ttl {user}
next
end

config firewall ttl-policy

Parameter Description Type Size Default

action Action to be performed on traffic matching this policy. option - deny

Option Description

accept Allow traffic matching this policy.

deny Deny or block traffic matching this policy.

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

schedule Schedule object from available options. string Maximum

length: 35

service Service object(s) from available options. Separate string Maximum

<name> multiple names with a space. length: 79
Service name.

srcaddr Source address object(s) from available options. string Maximum

<name> Separate multiple names with a space. length: 79
Address name.

srcintf Source interface name from available interfaces. string Maximum

length: 35

status Enable/disable this TTL policy. option - enable

FortiOS 7.4.4 CLI Reference 497

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable this TTL policy.

disable Disable this TTL policy.

ttl Value/range to match against the packet's Time to user Not Specified
Live value.

config firewall vendor-mac

Show vendor and the MAC address they have.

config firewall vendor-mac
Description: Show vendor and the MAC address they have.
edit <id>
set mac-number {integer}
set name {string}
set obsolete {integer}
next
end

config firewall vendor-mac

Parameter Description Type Size Default

id Vendor ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

mac-number Total number of MAC addresses. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Vendor name. string Maximum

length: 63

obsolete Indicates whether the Vendor ID can be used. integer Minimum 0

value: 0
Maximum
value: 255

config firewall vip

Configure virtual IP for IPv4.

FortiOS 7.4.4 CLI Reference 498

Fortinet Inc.
config firewall vip
Description: Configure virtual IP for IPv4.
edit <name>
set add-nat46-route [disable|enable]
set arp-reply [disable|enable]
set color {integer}
set comment {var-string}
set dns-mapping-ttl {integer}
set extaddr <name1>, <name2>, ...
set extintf {string}
set extip {user}
set extport {user}
set gratuitous-arp-interval {integer}
set gslb-domain-name {string}
set gslb-hostname {string}
config gslb-public-ips
Description: Publicly accessible IP addresses for the FortiGSLB service.
edit <index>
set ip {ipv4-address-any}
next
end
set h2-support [enable|disable]
set h3-support [enable|disable]
set http-cookie-age {integer}
set http-cookie-domain {string}
set http-cookie-domain-from-host [disable|enable]
set http-cookie-generation {integer}
set http-cookie-path {string}
set http-cookie-share [disable|same-ip]
set http-ip-header [enable|disable]
set http-ip-header-name {string}
set http-multiplex [enable|disable]
set http-multiplex-max-concurrent-request {integer}
set http-multiplex-max-request {integer}
set http-multiplex-ttl {integer}
set http-redirect [enable|disable]
set https-cookie-secure [disable|enable]
set id {integer}
set ipv6-mappedip {user}
set ipv6-mappedport {user}
set ldb-method [static|round-robin|...]
set mapped-addr {string}
set mappedip <range1>, <range2>, ...
set mappedport {user}
set max-embryonic-connections {integer}
set monitor <name1>, <name2>, ...
set nat-source-vip [disable|enable]
set nat44 [disable|enable]
set nat46 [disable|enable]
set one-click-gslb-server [disable|enable]
set outlook-web-access [disable|enable]
set persistence [none|http-cookie|...]
set portforward [disable|enable]
set portmapping-type [1-to-1|m-to-n]
set protocol [tcp|udp|...]
config quic

FortiOS 7.4.4 CLI Reference 499

Fortinet Inc.
Description: QUIC setting.
set max-idle-timeout {integer}
set max-udp-payload-size {integer}
set active-connection-id-limit {integer}
set ack-delay-exponent {integer}
set max-ack-delay {integer}
set max-datagram-frame-size {integer}
set active-migration [enable|disable]
set grease-quic-bit [enable|disable]
end
config realservers
Description: Select the real servers that this server load balancing VIP will
distribute traffic to.
edit <id>
set type [ip|address]
set address {string}
set ip {user}
set port {integer}
set status [active|standby|...]
set weight {integer}
set holddown-interval {integer}
set healthcheck [disable|enable|...]
set http-host {string}
set translate-host [enable|disable]
set max-connections {integer}
set monitor <name1>, <name2>, ...
set client-ip {user}
next
end
set server-type [http|https|...]
set service <name1>, <name2>, ...
set src-filter <range1>, <range2>, ...
set src-vip-filter [disable|enable]
set srcintf-filter <interface-name1>, <interface-name2>, ...
set ssl-accept-ffdhe-groups [enable|disable]
set ssl-algorithm [high|medium|...]
set ssl-certificate <name1>, <name2>, ...
config ssl-cipher-suites
Description: SSL/TLS cipher suites acceptable from a client, ordered by
priority.
edit <priority>
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-client-fallback [disable|enable]
set ssl-client-rekey-count {integer}
set ssl-client-renegotiation [allow|deny|...]
set ssl-client-session-state-max {integer}
set ssl-client-session-state-timeout {integer}
set ssl-client-session-state-type [disable|time|...]
set ssl-dh-bits [768|1024|...]
set ssl-hpkp [disable|enable|...]
set ssl-hpkp-age {integer}
set ssl-hpkp-backup {string}
set ssl-hpkp-include-subdomains [disable|enable]

FortiOS 7.4.4 CLI Reference 500

Fortinet Inc.
set ssl-hpkp-primary {string}
set ssl-hpkp-report-uri {var-string}
set ssl-hsts [disable|enable]
set ssl-hsts-age {integer}
set ssl-hsts-include-subdomains [disable|enable]
set ssl-http-location-conversion [enable|disable]
set ssl-http-match-host [enable|disable]
set ssl-max-version [ssl-3.0|tls-1.0|...]
set ssl-min-version [ssl-3.0|tls-1.0|...]
set ssl-mode [half|full]
set ssl-pfs [require|deny|...]
set ssl-send-empty-frags [enable|disable]
set ssl-server-algorithm [high|medium|...]
config ssl-server-cipher-suites
Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
edit <priority>
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-server-max-version [ssl-3.0|tls-1.0|...]
set ssl-server-min-version [ssl-3.0|tls-1.0|...]
set ssl-server-renegotiation [enable|disable]
set ssl-server-session-state-max {integer}
set ssl-server-session-state-timeout {integer}
set ssl-server-session-state-type [disable|time|...]
set status [disable|enable]
set type [static-nat|load-balance|...]
set uuid {uuid}
set weblogic-server [disable|enable]
set websphere-server [disable|enable]
next
end

config firewall vip

Parameter Description Type Size Default

add-nat46-route Enable/disable adding NAT46 route. option - enable

Option Description

disable Disable adding NAT46 route.

enable Enable adding NAT46 route.

arp-reply Enable to respond to ARP requests for this option - enable

virtual IP address. Enabled by default.

Option Description

disable Disable ARP reply.

enable Enable ARP reply.

FortiOS 7.4.4 CLI Reference 501

Fortinet Inc.
Parameter Description Type Size Default

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

comment Comment. var-string Maximum

length: 255

dns-mapping-ttl DNS mapping TTL. integer Minimum 0

value: 0
Maximum
value: 604800

extaddr <name> External FQDN address name. string Maximum

Address name. length: 79

extintf Interface connected to the source network string Maximum

that receives the packets that will be length: 35
forwarded to the destination network.

extip IP address or address range on the external user Not Specified

interface that you want to map to an address
or address range on the destination network.

extport Incoming port number range that you want to user Not Specified
map to a port number range on the
destination network.

gratuitous-arp- Enable to have the VIP send gratuitous integer Minimum 0

interval ARPs. 0=disabled. Set from 5 up to 8640000 value: 5
seconds to enable. Maximum
value:
8640000

gslb-domain- Domain to use when integrating with string Maximum

name FortiGSLB. length: 255

gslb-hostname Hostname to use within the configured string Maximum

FortiGSLB domain. length: 35

h2-support Enable/disable HTTP2 support. option - enable

Option Description

enable Enable HTTP2 support.

disable Disable HTTP2 support.

h3-support Enable/disable HTTP3/QUIC support. option - disable

FortiOS 7.4.4 CLI Reference 502

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable HTTP3/QUIC support.

disable Disable HTTP3/QUIC support.

http-cookie-age Time in minutes that client web browsers integer Minimum 60

should keep a cookie. Default is 60 minutes. value: 0
0 = no time limit. Maximum
value: 525600

http-cookie- Domain that HTTP cookie persistence string Maximum

domain should apply to. length: 35

http-cookie- Enable/disable use of HTTP cookie domain option - disable

domain-from- from host field in HTTP.
host

Option Description

disable Disable use of HTTP cookie domain from host field in HTTP (use http-
cooke-domain setting).

enable Enable use of HTTP cookie domain from host field in HTTP.

http-cookie- Generation of HTTP cookie to be accepted. integer Minimum 0

generation Changing invalidates all existing cookies. value: 0
Maximum
value:
4294967295

http-cookie-path Limit HTTP cookie persistence to the string Maximum

specified path. length: 35

http-cookie-share Control sharing of cookies across virtual option - same-ip

servers. Use of same-ip means a cookie from
one virtual server can be used by another.
Disable stops cookie sharing.

Option Description

disable Only allow HTTP cookie to match this virtual server.

same-ip Allow HTTP cookie to match any virtual server with same IP.

http-ip-header For HTTP multiplexing, enable to add the option - disable

original client IP address in the XForwarded-
For HTTP header.

FortiOS 7.4.4 CLI Reference 503

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable adding HTTP header.

disable Disable adding HTTP header.

http-ip-header- For HTTP multiplexing, enter a custom string Maximum

name HTTPS header name. The original client IP length: 35
address is added to this header. If empty, X-
Forwarded-For is used.

http-multiplex Enable/disable HTTP multiplexing. option - disable

Option Description

enable Enable HTTP session multiplexing.

disable Disable HTTP session multiplexing.

http-multiplex- Maximum number of concurrent requests integer Minimum 0

max-concurrent- that a multiplex server can handle. value: 0
request Maximum
value:
2147483647

http-multiplex- Maximum number of requests that a integer Minimum 0

max-request multiplex server can handle before value: 0
disconnecting sessions. Maximum
value:
2147483647

http-multiplex-ttl Time-to-live for idle connections to servers. integer Minimum 15

value: 0
Maximum
value:
2147483647

http-redirect Enable/disable redirection of HTTP to option - disable

HTTPS.

Option Description

enable Enable redirection of HTTP to HTTPS.

disable Disable redirection of HTTP to HTTPS.

https-cookie- Enable/disable verification that inserted option - disable

secure HTTPS cookies are secure.

FortiOS 7.4.4 CLI Reference 504

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Do not mark cookie as secure, allow sharing between an HTTP and HTTPS
connection.

enable Mark inserted cookie as secure, cookie can only be used for HTTPS a
connection.

id Custom defined ID. integer Minimum 0

value: 0
Maximum
value: 65535

ipv6-mappedip Range of mapped IPv6 addresses. Specify user Not Specified

the start IPv6 address followed by a space
and the end IPv6 address.

ipv6-mappedport IPv6 port number range on the destination user Not Specified
network to which the external port number
range is mapped.

ldb-method Method used to distribute sessions to real option - static

servers.

Option Description

static Distribute to server based on source IP.

round-robin Distribute to server based round robin order.

weighted Distribute to server based on weight.

least-session Distribute to server with lowest session count.

least-rtt Distribute to server with lowest Round-Trip-Time.

first-alive Distribute to the first server that is alive.

http-host Distribute to server based on host field in HTTP header.

mapped-addr Mapped FQDN address name. string Maximum

length: 79

mappedip IP address or address range on the string Maximum

disable Disable NAT46.

enable Enable NAT46.

one-click-gslb- Enable/disable one click GSLB server option - disable

server integration with FortiGSLB.

Option Description

disable Disable integration with FortiGSLB.

enable Enable integration with FortiGSLB.

outlook-web- Enable to add the Front-End-Https header option - disable

access for Microsoft Outlook Web Access.

protocol Protocol to use when forwarding packets. option - tcp

Option Description

tcp TCP.

udp UDP.

sctp SCTP.

icmp ICMP.

server-type Protocol to be load balanced by the virtual option -

server (also called the server load balance
virtual IP).

FortiOS 7.4.4 CLI Reference 507

Fortinet Inc.
Parameter Description Type Size Default

Option Description

http HTTP.

https HTTPS.

imaps IMAPS.

pop3s POP3S.

smtps SMTPS.

ssl SSL.

tcp TCP.

udp UDP.

ip IP.

service <name> Service name. string Maximum

Service name. length: 79

src-filter Source address filter. Each address must be string Maximum

<range> either an IP/subnet (x.x.x.x/n) or a range length: 79
(x.x.x.x-y.y.y.y). Separate addresses with
spaces.
Source-filter range.

src-vip-filter Enable/disable use of 'src-filter' to match option - disable

destinations for the reverse SNAT rule.

Option Description

disable Match any destination for the reverse SNAT rule.

enable Match only destinations in 'src-filter' for the reverse SNAT rule.

srcintf-filter Interfaces to which the VIP applies. Separate string Maximum

<interface- the names with spaces. length: 79
name> Interface name.

ssl-accept-ffdhe- Enable/disable FFDHE cipher suite for SSL option - enable

groups key exchange.

Option Description

enable Accept FFDHE groups.

disable Do not accept FFDHE groups.

ssl-algorithm Permitted encryption algorithms for SSL option - high

sessions according to encryption strength.

FortiOS 7.4.4 CLI Reference 508

Fortinet Inc.
Parameter Description Type Size Default

Option Description

high High encryption. Allow only AES and ChaCha.

medium Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

custom Custom encryption. Use config ssl-cipher-suites to select the cipher suites
that are allowed.

ssl-certificate Name of the certificate to use for SSL string Maximum

<name> handshake. length: 79
Certificate list.

ssl-client-fallback Enable/disable support for preventing option - enable

Downgrade Attacks on client connections
(RFC 7507).

Option Description

disable Disable.

enable Enable.

ssl-client-rekey- Maximum length of data in MB before integer Minimum 0

count triggering a client rekey (0 = disable). value: 200
Maximum
value:
1048576

ssl-client- Allow, deny, or require secure renegotiation option - secure

renegotiation of client sessions to comply with RFC 5746.

Option Description

allow Allow a SSL client to renegotiate.

deny Abort any client initiated SSL re-negotiation attempt.

secure Abort any client initiated SSL re-negotiation attempt that does not use RFC
5746 Secure Renegotiation.

ssl-client- Maximum number of client to FortiGate SSL integer Minimum 1000

session-state- session states to keep. value: 1
max Maximum
value: 10000

ssl-client- Number of minutes to keep client to integer Minimum 30

session-state- FortiGate SSL session state. value: 1
timeout Maximum
value: 14400

FortiOS 7.4.4 CLI Reference 509

Fortinet Inc.
Parameter Description Type Size Default

ssl-client- How to expire SSL sessions for the segment option - both
session-state- of the SSL connection between the client and
type the FortiGate.

Option Description

disable Do not keep session states.

time Expire session states after this many minutes.

count Expire session states when this maximum is reached.

both Expire session states based on time or count, whichever occurs first.

ssl-dh-bits Number of bits to use in the Diffie-Hellman option - 2048

exchange for RSA encryption of SSL
sessions.

Option Description

768 768-bit Diffie-Hellman prime.

1024 1024-bit Diffie-Hellman prime.

1536 1536-bit Diffie-Hellman prime.

2048 2048-bit Diffie-Hellman prime.

3072 3072-bit Diffie-Hellman prime.

4096 4096-bit Diffie-Hellman prime.

ssl-hpkp Enable/disable including HPKP header in option - disable

response.

Option Description

disable Do not add a HPKP header to each HTTP response.

enable Add a HPKP header to each a HTTP response.

report-only Add a HPKP Report-Only header to each HTTP response.

ssl-hpkp-age Number of seconds the client should honor integer Minimum 5184000
the HPKP setting. value: 60
Maximum
value:
157680000

ssl-hpkp-backup Certificate to generate backup HPKP pin string Maximum

from. length: 79

ssl-hpkp-include- Indicate that HPKP header applies to all option - disable

subdomains subdomains.

FortiOS 7.4.4 CLI Reference 510

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable HPKP header does not apply to subdomains.

enable HPKP header applies to subdomains.

ssl-hpkp-primary Certificate to generate primary HPKP pin string Maximum

from. length: 79

ssl-hpkp-report- URL to report HPKP violations to. var-string Maximum

uri length: 255

ssl-hsts Enable/disable including HSTS header in option - disable

response.

Option Description

disable Do not add a HSTS header to each a HTTP response.

enable Match HTTP host in response header.

disable Do not match HTTP host.

FortiOS 7.4.4 CLI Reference 511

Fortinet Inc.
Parameter Description Type Size Default

ssl-max-version Highest SSL/TLS version acceptable from a option - tls-1.3

client.

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-min-version Lowest SSL/TLS version acceptable from a option - tls-1.1

client.

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-mode Apply SSL offloading between the client and option - half
the FortiGate (half) or from the client to the
FortiGate and from the FortiGate to the
server (full).

Option Description

half Client to FortiGate SSL.

full Client to FortiGate and FortiGate to Server SSL.

ssl-pfs Select the cipher suites that can be used for option - require
SSL perfect forward secrecy (PFS). Applies
to both client and server sessions.

Option Description

require Allow only Diffie-Hellman cipher-suites, so PFS is applied.

deny Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.

allow Allow use of any cipher suite so PFS may or may not be used depending on
the cipher suite selected.

FortiOS 7.4.4 CLI Reference 512

Fortinet Inc.
Parameter Description Type Size Default

ssl-send-empty- Enable/disable sending empty fragments to option - enable

frags avoid CBC IV attacks (SSL 3.0 & TLS 1.0
only). May need to be disabled for
compatibility with older systems.

Option Description

enable Send empty fragments.

disable Do not send empty fragments.

ssl-server- Permitted encryption algorithms for the option - client

algorithm server side of SSL full mode sessions
according to encryption strength.

Option Description

high High encryption. Allow only AES and ChaCha.

medium Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

custom Custom encryption. Use ssl-server-cipher-suites to select the cipher suites

that are allowed.

client Use the same encryption algorithms for both client and server sessions.

ssl-server-max- Highest SSL/TLS version acceptable from a option - client

version server. Use the client setting by default.

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

client Use same value as client configuration.

ssl-server-min- Lowest SSL/TLS version acceptable from a option - client

version server. Use the client setting by default.

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

both Expire session states based on time or count, whichever occurs first.

status Enable/disable VIP. option - enable

Option Description

disable Disable the VIP.

enable Enable the VIP.

FortiOS 7.4.4 CLI Reference 514

Fortinet Inc.
Parameter Description Type Size Default

type Configure a static NAT, load balance, server option - static-nat

load balance, access proxy, DNS translation,
or FQDN VIP.

Option Description

static-nat Static NAT.

load-balance Load balance.

server-load- Server load balance.

balance

dns-translation DNS translation.

fqdn Fully qualified domain name.

access-proxy Access proxy.

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

weblogic-server Enable to add an HTTP header to indicate option - disable

SSL offloading for a WebLogic server.

Option Description

disable Do not add HTTP header indicating SSL offload for WebLogic server.

enable Add HTTP header indicating SSL offload for WebLogic server.

websphere- Enable to add an HTTP header to indicate option - disable

server SSL offloading for a WebSphere server.

Option Description

disable Do not add HTTP header indicating SSL offload for WebSphere server.

enable Add HTTP header indicating SSL offload for WebSphere server.

config gslb-public-ips

Parameter Description Type Size Default

index Index of this public IP setting. integer Minimum 0

value: 0
Maximum
value:
4294967295

ip The publicly accessible IP address. ipv4- Not Specified 0.0.0.0

address-
any

FortiOS 7.4.4 CLI Reference 515

Fortinet Inc.
config quic

Parameter Description Type Size Default

max-idle- Maximum idle timeout milliseconds. integer Minimum 30000

timeout value: 1
Maximum
value:
60000

max-udp- Maximum UDP payload size in bytes. integer Minimum 1500

payload-size value: 1200
Maximum
value: 1500

active- Active connection ID limit. integer Minimum 2

connection-id- value: 1
limit Maximum
value: 8

ack-delay- ACK delay exponent. integer Minimum 3

exponent value: 1
Maximum
value: 20

max-ack- Maximum ACK delay in milliseconds. integer Minimum 25

delay value: 1
Maximum
value:
16383

max- Maximum datagram frame size in bytes. integer Minimum 1500

datagram- value: 1
frame-size Maximum
value: 1500

active- Enable/disable active migration. option - disable

migration

Option Description

enable Enable active migration.

disable Disable active migration.

grease-quic- Enable/disable grease QUIC bit. option - enable

bit

Option Description

enable Enable grease QUIC bit.

disable Disable grease QUIC bit.

FortiOS 7.4.4 CLI Reference 516

Fortinet Inc.
config realservers

Parameter Description Type Size Default

id Real server ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

type Type of address. option - ip

Option Description

ip Standard IPv4 address.

address Dynamic address object.

address Dynamic address of the real server. string Maximum

length: 79

ip IP address of the real server. user Not Specified

port Port for communicating with the real server. Required integer Minimum 0
if port forwarding is enabled. value: 1
Maximum
value: 65535

status Set the status of the real server to active so that it can option - active
accept traffic, or on standby or disabled so no traffic
is sent.

Option Description

active Server status active.

standby Server status standby.

disable Server status disable.

weight Weight of the real server. If weighted load balancing integer Minimum 1
is enabled, the server with the highest weight gets value: 1
more connections. Maximum
value: 255

holddown- Time in seconds that the system waits before re- integer Minimum 300
interval activating a previously down active server in the value: 30
active-standby mode. This is to prevent any flapping Maximum
issues. value: 65535

healthcheck Enable to check the responsiveness of the real option - vip

server before forwarding traffic.

FortiOS 7.4.4 CLI Reference 517

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable per server health check.

enable Enable per server health check.

vip Use health check defined in VIP.

http-host HTTP server domain name in HTTP header. string Maximum

length: 63

translate-host Enable/disable translation of hostname/IP from option - enable

virtual server to real server.

Option Description

enable Enable virtual hostname/IP translation.

disable Disable virtual hostname/IP translation.

max- Max number of active connections that can be integer Minimum 0

connections directed to the real server. When reached, sessions value: 0
are sent to other real servers. Maximum
value:
2147483647

monitor Name of the health check monitor to use when string Maximum
<name> polling to determine a virtual server's connectivity length: 79
status.
Health monitor name.

client-ip Only clients in this IP range can connect to this real user Not Specified
server.

config ssl-cipher-suites

Parameter Description Type Size Default

priority SSL/TLS cipher suites priority. integer Minimum 0

value: 0
Maximum
value:
4294967295

cipher Cipher suite name. option -

Option Description

TLS-AES-128- Cipher suite TLS-AES-128-GCM-SHA256.

GCM-SHA256

FortiOS 7.4.4 CLI Reference 518

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-AES-256- Cipher suite TLS-AES-256-GCM-SHA384.

GCM-SHA384

TLS- Cipher suite TLS-CHACHA20-POLY1305-SHA256.

CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

RSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

ECDSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

FortiOS 7.4.4 CLI Reference 519

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

RSA-WITH-AES-
128-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

RSA-WITH-AES-
128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

RSA-WITH-AES-
128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

RSA-WITH-AES-
256-CBC-SHA

FortiOS 7.4.4 CLI Reference 520

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

RSA-WITH-AES-
256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

RSA-WITH-AES-
256-GCM-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

ECDSA-WITH-
AES-128-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

ECDSA-WITH-
AES-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

ECDSA-WITH-
AES-128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

ECDSA-WITH-
AES-256-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

ECDSA-WITH-
AES-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

ECDSA-WITH-
AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

AES-128-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

AES-256-CBC-
SHA

FortiOS 7.4.4 CLI Reference 521

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

AES-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

AES-128-GCM-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

AES-256-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

CAMELLIA-128-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

CAMELLIA-256-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

CAMELLIA-128-
CBC-SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

FortiOS 7.4.4 CLI Reference 522

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

FortiOS 7.4.4 CLI Reference 523

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

SEED-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

ARIA-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

RSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

RSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

ECDSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

ECDSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

RSA-WITH-RC4-
128-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

RSA-WITH-
3DES-EDE-
CBC-SHA

FortiOS 7.4.4 CLI Reference 524

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

3DES-EDE-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-MD5.

RC4-128-MD5

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-SHA.

RC4-128-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

DES-CBC-SHA

versions SSL/TLS versions that the cipher suite can be used option - ssl-3.0 tls-
with. 1.0 tls-1.1
tls-1.2 tls-
1.3

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

FortiOS 7.4.4 CLI Reference 525

Fortinet Inc.
config ssl-server-cipher-suites

Parameter Description Type Size Default

priority SSL/TLS cipher suites priority. integer Minimum 0

value: 0
Maximum
value:
4294967295

cipher Cipher suite name. option -

Option Description

TLS-AES-128- Cipher suite TLS-AES-128-GCM-SHA256.

GCM-SHA256

TLS-AES-256- Cipher suite TLS-AES-256-GCM-SHA384.

GCM-SHA384

TLS- Cipher suite TLS-CHACHA20-POLY1305-SHA256.

CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

RSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

ECDSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

FortiOS 7.4.4 CLI Reference 526

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

RSA-WITH-AES-
128-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

RSA-WITH-AES-
128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

RSA-WITH-AES-
128-GCM-
SHA256

FortiOS 7.4.4 CLI Reference 527

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

RSA-WITH-AES-
256-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

RSA-WITH-AES-
256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

RSA-WITH-AES-
256-GCM-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

ECDSA-WITH-
AES-128-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

ECDSA-WITH-
AES-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

ECDSA-WITH-
AES-128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

ECDSA-WITH-
AES-256-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

ECDSA-WITH-
AES-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

ECDSA-WITH-
AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

AES-128-CBC-
SHA

FortiOS 7.4.4 CLI Reference 528

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

AES-256-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

AES-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

AES-128-GCM-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

AES-256-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

CAMELLIA-128-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

CAMELLIA-256-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

CAMELLIA-128-
CBC-SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

FortiOS 7.4.4 CLI Reference 529

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

FortiOS 7.4.4 CLI Reference 530

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

SEED-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

ARIA-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

RSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

RSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

ECDSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

ECDSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

RSA-WITH-RC4-
128-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

RSA-WITH-
3DES-EDE-
CBC-SHA

FortiOS 7.4.4 CLI Reference 531

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

3DES-EDE-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-MD5.

RC4-128-MD5

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-SHA.

RC4-128-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

DES-CBC-SHA

versions SSL/TLS versions that the cipher suite can be used option - ssl-3.0 tls-
with. 1.0 tls-1.1
tls-1.2 tls-
1.3

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

config firewall vip6

Configure virtual IP for IPv6.

config firewall vip6
Description: Configure virtual IP for IPv6.
edit <name>
set add-nat64-route [disable|enable]
set color {integer}

FortiOS 7.4.4 CLI Reference 532

Fortinet Inc.
set comment {var-string}
set embedded-ipv4-address [disable|enable]
set extip {user}
set extport {user}
set h2-support [enable|disable]
set h3-support [enable|disable]
set http-cookie-age {integer}
set http-cookie-domain {string}
set http-cookie-domain-from-host [disable|enable]
set http-cookie-generation {integer}
set http-cookie-path {string}
set http-cookie-share [disable|same-ip]
set http-ip-header [enable|disable]
set http-ip-header-name {string}
set http-multiplex [enable|disable]
set http-redirect [enable|disable]
set https-cookie-secure [disable|enable]
set id {integer}
set ipv4-mappedip {user}
set ipv4-mappedport {user}
set ldb-method [static|round-robin|...]
set mappedip {user}
set mappedport {user}
set max-embryonic-connections {integer}
set monitor <name1>, <name2>, ...
set nat-source-vip [disable|enable]
set nat64 [disable|enable]
set nat66 [disable|enable]
set ndp-reply [disable|enable]
set outlook-web-access [disable|enable]
set persistence [none|http-cookie|...]
set portforward [disable|enable]
set protocol [tcp|udp|...]
config quic
Description: QUIC setting.
set max-idle-timeout {integer}
set max-udp-payload-size {integer}
set active-connection-id-limit {integer}
set ack-delay-exponent {integer}
set max-ack-delay {integer}
set max-datagram-frame-size {integer}
set active-migration [enable|disable]
set grease-quic-bit [enable|disable]
end
config realservers
Description: Select the real servers that this server load balancing VIP will
distribute traffic to.
edit <id>
set ip {user}
set port {integer}
set status [active|standby|...]
set weight {integer}
set holddown-interval {integer}
set healthcheck [disable|enable|...]
set http-host {string}
set translate-host [enable|disable]

FortiOS 7.4.4 CLI Reference 533

Fortinet Inc.
set max-connections {integer}
set monitor <name1>, <name2>, ...
set client-ip {user}
next
end
set server-type [http|https|...]
set src-filter <range1>, <range2>, ...
set src-vip-filter [disable|enable]
set ssl-accept-ffdhe-groups [enable|disable]
set ssl-algorithm [high|medium|...]
set ssl-certificate <name1>, <name2>, ...
config ssl-cipher-suites
Description: SSL/TLS cipher suites acceptable from a client, ordered by
priority.
edit <priority>
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-client-fallback [disable|enable]
set ssl-client-rekey-count {integer}
set ssl-client-renegotiation [allow|deny|...]
set ssl-client-session-state-max {integer}
set ssl-client-session-state-timeout {integer}
set ssl-client-session-state-type [disable|time|...]
set ssl-dh-bits [768|1024|...]
set ssl-hpkp [disable|enable|...]
set ssl-hpkp-age {integer}
set ssl-hpkp-backup {string}
set ssl-hpkp-include-subdomains [disable|enable]
set ssl-hpkp-primary {string}
set ssl-hpkp-report-uri {var-string}
set ssl-hsts [disable|enable]
set ssl-hsts-age {integer}
set ssl-hsts-include-subdomains [disable|enable]
set ssl-http-location-conversion [enable|disable]
set ssl-http-match-host [enable|disable]
set ssl-max-version [ssl-3.0|tls-1.0|...]
set ssl-min-version [ssl-3.0|tls-1.0|...]
set ssl-mode [half|full]
set ssl-pfs [require|deny|...]
set ssl-send-empty-frags [enable|disable]
set ssl-server-algorithm [high|medium|...]
config ssl-server-cipher-suites
Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
edit <priority>
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-server-max-version [ssl-3.0|tls-1.0|...]
set ssl-server-min-version [ssl-3.0|tls-1.0|...]
set ssl-server-renegotiation [enable|disable]
set ssl-server-session-state-max {integer}
set ssl-server-session-state-timeout {integer}
set ssl-server-session-state-type [disable|time|...]

FortiOS 7.4.4 CLI Reference 534

Fortinet Inc.
set type [static-nat|server-load-balance|...]
set uuid {uuid}
set weblogic-server [disable|enable]
set websphere-server [disable|enable]
next
end

config firewall vip6

Parameter Description Type Size Default

add-nat64- Enable/disable adding NAT64 route. option - enable

route

Option Description

disable Disable adding NAT64 route.

enable Enable adding NAT64 route.

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

comment Comment. var-string Maximum

length: 255

embedded- Enable/disable use of the lower 32 bits of the option - disable

ipv4-address external IPv6 address as mapped IPv4
address.

Option Description

disable Disable use of the lower 32 bits of the external IPv6 address as mapped IPv4
address.

enable Enable use of the lower 32 bits of the external IPv6 address as mapped IPv4
address.

extip IPv6 address or address range on the external user Not Specified
interface that you want to map to an address or
address range on the destination network.

extport Incoming port number range that you want to user Not Specified
map to a port number range on the destination
network.

h2-support Enable/disable HTTP2 support. option - enable

enable Enable adding HTTP header.

disable Disable adding HTTP header.

http-ip-header- For HTTP multiplexing, enter a custom HTTPS string Maximum

name header name. The original client IP address is length: 35
added to this header. If empty, X-Forwarded-
For is used.

http-multiplex Enable/disable HTTP multiplexing. option - disable

Option Description

enable Enable HTTP session multiplexing.

disable Disable HTTP session multiplexing.

http-redirect Enable/disable redirection of HTTP to HTTPS. option - disable

Option Description

enable Enable redirection of HTTP to HTTPS.

disable Disable redirection of HTTP to HTTPS.

https-cookie- Enable/disable verification that inserted option - disable

secure HTTPS cookies are secure.

Option Description

disable Do not mark cookie as secure, allow sharing between an HTTP and HTTPS
connection.

enable Mark inserted cookie as secure, cookie can only be used for HTTPS a
connection.

id Custom defined ID. integer Minimum 0

value: 0
Maximum
value: 65535

ipv4-mappedip Range of mapped IP addresses. Specify the user Not Specified

start IP address followed by a space and the
end IP address.

FortiOS 7.4.4 CLI Reference 537

Fortinet Inc.
Parameter Description Type Size Default

ipv4- IPv4 port number range on the destination user Not Specified
mappedport network to which the external port number
range is mapped.

ldb-method Method used to distribute sessions to real option - static

servers.

Option Description

static Distribute sessions based on source IP.

round-robin Distribute sessions based round robin order.

weighted Distribute sessions based on weight.

least-session Sends new sessions to the server with the lowest session count.

least-rtt Distribute new sessions to the server with lowest Round-Trip-Time.

first-alive Distribute sessions to the first server that is alive.

http-host Distribute sessions to servers based on host field in HTTP header.

mappedip Mapped IPv6 address range in the format user Not Specified
startIP-endIP.

mappedport Port number range on the destination network user Not Specified
to which the external port number range is
mapped.

max- Maximum number of incomplete connections. integer Minimum 1000

embryonic- value: 0
connections Maximum
value: 100000

monitor Name of the health check monitor to use when string Maximum
<name> polling to determine a virtual server's length: 79
connectivity status.
Health monitor name.

name Virtual ip6 name. string Maximum

length: 79

nat-source-vip Enable to perform SNAT on traffic from option - disable

mappedip to the extip for all egress interfaces.

Option Description

disable Disable nat-source-vip.

enable Perform SNAT on traffic from mappedip to the extip for all egress interfaces.

nat64 Enable/disable DNAT64. option - disable

FortiOS 7.4.4 CLI Reference 538

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable DNAT64.

enable Enable DNAT64.

nat66 Enable/disable DNAT66. option - enable

Option Description

disable Disable DNAT66.

enable Enable DNAT66.

ndp-reply Enable/disable this FortiGate unit's ability to option - enable

respond to NDP requests for this virtual IP
address.

Option Description

disable Disable this FortiGate unit's ability to respond to NDP requests for this virtual
IP address.

enable Enable this FortiGate unit's ability to respond to NDP requests for this virtual
IP address.

Option Description

tcp TCP.

udp UDP.

sctp SCTP.

server-type Protocol to be load balanced by the virtual option -

server (also called the server load balance
virtual IP).

Option Description

http HTTP.

https HTTPS.

imaps IMAPS.

pop3s POP3S.

smtps SMTPS.

ssl SSL.

tcp TCP.

udp UDP.

ip IP.

src-filter Source IP6 filter (x:x:x:x:x:x:x:x/x). Separate string Maximum

<range> addresses with spaces. length: 79
Source-filter range.

src-vip-filter Enable/disable use of 'src-filter' to match option - disable

destinations for the reverse SNAT rule.

Option Description

disable Match any destination for the reverse SNAT rule.

enable Match only destinations in 'src-filter' for the reverse SNAT rule.

FortiOS 7.4.4 CLI Reference 540

Fortinet Inc.
Parameter Description Type Size Default

ssl-accept- Enable/disable FFDHE cipher suite for SSL option - enable

ffdhe-groups key exchange.

Option Description

enable Accept FFDHE groups.

disable Do not accept FFDHE groups.

ssl-algorithm Permitted encryption algorithms for SSL option - high

sessions according to encryption strength.

Option Description

high Use AES.

medium Use AES, 3DES, or RC4.

low Use AES, 3DES, RC4, or DES.

custom Use config ssl-cipher-suites to select the cipher suites that are allowed.

ssl-certificate Name of the certificate to use for SSL string Maximum

<name> handshake. length: 79
Certificate list.

ssl-client- Enable/disable support for preventing option - enable

fallback Downgrade Attacks on client connections
(RFC 7507).

Option Description

disable Disable.

enable Enable.

ssl-client- Maximum length of data in MB before integer Minimum 0

rekey-count triggering a client rekey (0 = disable). value: 200
Maximum
value:
1048576

ssl-client- Allow, deny, or require secure renegotiation of option - secure

renegotiation client sessions to comply with RFC 5746.

Option Description

allow Allow a SSL client to renegotiate.

deny Abort any SSL connection that attempts to renegotiate.

secure Reject any SSL connection that does not offer a RFC 5746 Secure
Renegotiation Indication.

FortiOS 7.4.4 CLI Reference 541

Fortinet Inc.
Parameter Description Type Size Default

ssl-client- Maximum number of client to FortiGate SSL integer Minimum 1000

session-state- session states to keep. value: 1
max Maximum
value: 10000

ssl-client- Number of minutes to keep client to FortiGate integer Minimum 30

session-state- SSL session state. value: 1
timeout Maximum
value: 14400

ssl-client- How to expire SSL sessions for the segment of option - both
session-state- the SSL connection between the client and the
type FortiGate.

Option Description

disable Do not keep session states.

time Expire session states after this many minutes.

count Expire session states when this maximum is reached.

both Expire session states based on time or count, whichever occurs first.

ssl-dh-bits Number of bits to use in the Diffie-Hellman option - 2048

exchange for RSA encryption of SSL sessions.

Option Description

768 768-bit Diffie-Hellman prime.

1024 1024-bit Diffie-Hellman prime.

1536 1536-bit Diffie-Hellman prime.

2048 2048-bit Diffie-Hellman prime.

3072 3072-bit Diffie-Hellman prime.

4096 4096-bit Diffie-Hellman prime.

ssl-hpkp Enable/disable including HPKP header in option - disable

response.

Option Description

disable Do not add a HPKP header to each HTTP response.

enable Add a HPKP header to each a HTTP response.

report-only Add a HPKP Report-Only header to each HTTP response.

FortiOS 7.4.4 CLI Reference 542

Fortinet Inc.
Parameter Description Type Size Default

ssl-hpkp-age Number of minutes the web browser should integer Minimum 5184000
keep HPKP. value: 60
Maximum
value:
157680000

ssl-hpkp- Certificate to generate backup HPKP pin from. string Maximum

backup length: 79

ssl-hpkp- Indicate that HPKP header applies to all option - disable

include- subdomains.
subdomains

Option Description

disable HPKP header does not apply to subdomains.

enable HPKP header applies to subdomains.

ssl-hpkp- Certificate to generate primary HPKP pin from. string Maximum

primary length: 79

ssl-hpkp- URL to report HPKP violations to. var-string Maximum

report-uri length: 255

ssl-hsts Enable/disable including HSTS header in option - disable

response.

Option Description

disable Do not add a HSTS header to each a HTTP response.

enable Add a HSTS header to each HTTP response.

ssl-hsts-age Number of seconds the client should honor the integer Minimum 5184000
HSTS setting. value: 60
Maximum
value:
157680000

ssl-hsts- Indicate that HSTS header applies to all option - disable

include- subdomains.
subdomains

Option Description

disable HSTS header does not apply to subdomains.

enable HSTS header applies to subdomains.

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-min-version Lowest SSL/TLS version acceptable from a option - tls-1.1

client.

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-mode Apply SSL offloading between the client and option - half
the FortiGate (half) or from the client to the
FortiGate and from the FortiGate to the server
(full).

FortiOS 7.4.4 CLI Reference 544

Fortinet Inc.
Parameter Description Type Size Default

Option Description

half Client to FortiGate SSL.

full Client to FortiGate and FortiGate to Server SSL.

ssl-pfs Select the cipher suites that can be used for option - require
SSL perfect forward secrecy (PFS). Applies to
both client and server sessions.

Option Description

require Allow only Diffie-Hellman cipher-suites, so PFS is applied.

deny Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.

allow Allow use of any cipher suite so PFS may or may not be used depending on
the cipher suite selected.

ssl-send- Enable/disable sending empty fragments to option - enable

empty-frags avoid CBC IV attacks (SSL 3.0 & TLS 1.0
only). May need to be disabled for compatibility
with older systems.

Option Description

enable Send empty fragments.

disable Do not send empty fragments.

ssl-server- Permitted encryption algorithms for the server option - client

algorithm side of SSL full mode sessions according to
encryption strength.

Option Description

high Use AES.

medium Use AES, 3DES, or RC4.

low Use AES, 3DES, RC4, or DES.

custom Use config ssl-server-cipher-suites to select the cipher suites that are
allowed.

client Use the same encryption algorithms for client and server sessions.

ssl-server-max- Highest SSL/TLS version acceptable from a option - client

version server. Use the client setting by default.

FortiOS 7.4.4 CLI Reference 545

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

client Use same value as client configuration.

ssl-server-min- Lowest SSL/TLS version acceptable from a option - client

version server. Use the client setting by default.

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

client Use same value as client configuration.

ssl-server- Enable/disable secure renegotiation to comply option - enable

renegotiation with RFC 5746.

Option Description

enable Enable secure renegotiation.

disable Disable secure renegotiation.

ssl-server- Maximum number of FortiGate to Server SSL integer Minimum 100

session-state- session states to keep. value: 1
max Maximum
value: 10000

ssl-server- Number of minutes to keep FortiGate to Server integer Minimum 60

session-state- SSL session state. value: 1
timeout Maximum
value: 14400

ssl-server- How to expire SSL sessions for the segment of option - both
session-state- the SSL connection between the server and
type the FortiGate.

FortiOS 7.4.4 CLI Reference 546

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Do not keep session states.

time Expire session states after this many minutes.

count Expire session states when this maximum is reached.

both Expire session states based on time or count, whichever occurs first.

type Configure a static NAT server load balance option - static-nat

VIP or access proxy.

Option Description

static-nat Static NAT.

server-load- Server load balance.

balance

access-proxy Access proxy.

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

weblogic- Enable to add an HTTP header to indicate SSL option - disable

server offloading for a WebLogic server.

Option Description

disable Do not add HTTP header indicating SSL offload for WebLogic server.

enable Add HTTP header indicating SSL offload for WebLogic server.

websphere- Enable to add an HTTP header to indicate SSL option - disable

server offloading for a WebSphere server.

Option Description

disable Do not add HTTP header indicating SSL offload for WebSphere server.

enable Add HTTP header indicating SSL offload for WebSphere server.

FortiOS 7.4.4 CLI Reference 547

Fortinet Inc.
config quic

Parameter Description Type Size Default

max-idle- Maximum idle timeout milliseconds. integer Minimum 30000

timeout value: 1
Maximum
value:
60000

max-udp- Maximum UDP payload size in bytes. integer Minimum 1500

payload-size value: 1200
Maximum
value: 1500

active- Active connection ID limit. integer Minimum 2

connection-id- value: 1
limit Maximum
value: 8

ack-delay- ACK delay exponent. integer Minimum 3

exponent value: 1
Maximum
value: 20

max-ack- Maximum ACK delay in milliseconds. integer Minimum 25

delay value: 1
Maximum
value:
16383

max- Maximum datagram frame size in bytes. integer Minimum 1500

datagram- value: 1
frame-size Maximum
value: 1500

active- Enable/disable active migration. option - disable

migration

Option Description

enable Enable active migration.

disable Disable active migration.

grease-quic- Enable/disable grease QUIC bit. option - enable

bit

Option Description

enable Enable grease QUIC bit.

disable Disable grease QUIC bit.

FortiOS 7.4.4 CLI Reference 548

Fortinet Inc.
config realservers

Parameter Description Type Size Default

id Real server ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

ip IP address of the real server. user Not Specified

port Port for communicating with the real server. Required integer Minimum 0
if port forwarding is enabled. value: 1
Maximum
value: 65535

status Set the status of the real server to active so that it can option - active
accept traffic, or on standby or disabled so no traffic
is sent.

Option Description

active Server status active.

standby Server status standby.

disable Server status disable.

weight Weight of the real server. If weighted load balancing integer Minimum 1
is enabled, the server with the highest weight gets value: 1
more connections. Maximum
value: 255

healthcheck Enable to check the responsiveness of the real option - vip

server before forwarding traffic.

Option Description

disable Disable per server health check.

enable Enable per server health check.

vip Use health check defined in VIP.

http-host HTTP server domain name in HTTP header. string Maximum

length: 63

translate-host Enable/disable translation of hostname/IP from option - enable

virtual server to real server.

FortiOS 7.4.4 CLI Reference 549

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable virtual hostname/IP translation.

disable Disable virtual hostname/IP translation.

max- Max number of active connections that can directed integer Minimum 0
connections to the real server. When reached, sessions are sent value: 0
to other real servers. Maximum
value:
2147483647

monitor Name of the health check monitor to use when string Maximum
<name> polling to determine a virtual server's connectivity length: 79
status.
Health monitor name.

client-ip Only clients in this IP range can connect to this real user Not Specified
server.

config ssl-cipher-suites

Parameter Description Type Size Default

priority SSL/TLS cipher suites priority. integer Minimum 0

value: 0
Maximum
value:
4294967295

cipher Cipher suite name. option -

Option Description

TLS-AES-128- Cipher suite TLS-AES-128-GCM-SHA256.

GCM-SHA256

TLS-AES-256- Cipher suite TLS-AES-256-GCM-SHA384.

GCM-SHA384

TLS- Cipher suite TLS-CHACHA20-POLY1305-SHA256.

CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

RSA-WITH-
CHACHA20-
POLY1305-
SHA256

FortiOS 7.4.4 CLI Reference 550

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

ECDSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

FortiOS 7.4.4 CLI Reference 551

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

RSA-WITH-AES-
128-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

RSA-WITH-AES-
128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

RSA-WITH-AES-
128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

RSA-WITH-AES-
256-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

RSA-WITH-AES-
256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

RSA-WITH-AES-
256-GCM-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

ECDSA-WITH-
AES-128-CBC-
SHA

FortiOS 7.4.4 CLI Reference 552

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

ECDSA-WITH-
AES-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

ECDSA-WITH-
AES-128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

ECDSA-WITH-
AES-256-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

ECDSA-WITH-
AES-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

ECDSA-WITH-
AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

AES-128-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

AES-256-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

AES-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

AES-128-GCM-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

AES-256-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

AES-256-GCM-
SHA384

FortiOS 7.4.4 CLI Reference 553

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

CAMELLIA-128-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

CAMELLIA-256-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

CAMELLIA-128-
CBC-SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

FortiOS 7.4.4 CLI Reference 554

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

SEED-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

ARIA-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

ARIA-256-CBC-
SHA384

FortiOS 7.4.4 CLI Reference 555

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

RSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

RSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

ECDSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

ECDSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

RSA-WITH-RC4-
128-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

RSA-WITH-
3DES-EDE-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

3DES-EDE-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-MD5.

RC4-128-MD5

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-SHA.

RC4-128-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

FortiOS 7.4.4 CLI Reference 556

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

DES-CBC-SHA

versions SSL/TLS versions that the cipher suite can be used option - ssl-3.0 tls-
with. 1.0 tls-1.1
tls-1.2 tls-
1.3

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

config ssl-server-cipher-suites

Parameter Description Type Size Default

priority SSL/TLS cipher suites priority. integer Minimum 0

value: 0
Maximum
value:
4294967295

cipher Cipher suite name. option -

Option Description

TLS-AES-128- Cipher suite TLS-AES-128-GCM-SHA256.

GCM-SHA256

TLS-AES-256- Cipher suite TLS-AES-256-GCM-SHA384.

GCM-SHA384

TLS- Cipher suite TLS-CHACHA20-POLY1305-SHA256.

CHACHA20-
POLY1305-
SHA256

FortiOS 7.4.4 CLI Reference 557

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

RSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

ECDSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

FortiOS 7.4.4 CLI Reference 558

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

RSA-WITH-AES-
128-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

RSA-WITH-AES-
128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

RSA-WITH-AES-
128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

RSA-WITH-AES-
256-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

RSA-WITH-AES-
256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

RSA-WITH-AES-
256-GCM-
SHA384

FortiOS 7.4.4 CLI Reference 559

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

ECDSA-WITH-
AES-128-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

ECDSA-WITH-
AES-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

ECDSA-WITH-
AES-128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

ECDSA-WITH-
AES-256-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

ECDSA-WITH-
AES-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

ECDSA-WITH-
AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

AES-128-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

AES-256-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

AES-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

AES-128-GCM-
SHA256

FortiOS 7.4.4 CLI Reference 560

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

AES-256-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

CAMELLIA-128-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

CAMELLIA-256-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

CAMELLIA-128-
CBC-SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

FortiOS 7.4.4 CLI Reference 561

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

SEED-CBC-SHA

FortiOS 7.4.4 CLI Reference 562

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

ARIA-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

RSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

RSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

ECDSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

ECDSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

RSA-WITH-RC4-
128-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

RSA-WITH-
3DES-EDE-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

3DES-EDE-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-MD5.

RC4-128-MD5

FortiOS 7.4.4 CLI Reference 563

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-SHA.

RC4-128-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

DES-CBC-SHA

versions SSL/TLS versions that the cipher suite can be used option - ssl-3.0 tls-
with. 1.0 tls-1.1
tls-1.2 tls-
1.3

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

config firewall vipgrp

Configure IPv4 virtual IP groups.

config firewall vipgrp
Description: Configure IPv4 virtual IP groups.
edit <name>
set color {integer}
set comments {var-string}
set interface {string}
set member <name1>, <name2>, ...
set uuid {uuid}
next
end

FortiOS 7.4.4 CLI Reference 564

Fortinet Inc.
config firewall vipgrp

Parameter Description Type Size Default

color Integer value to determine the color of the icon in integer Minimum 0
the GUI. value: 0
Maximum
value: 32

comments Comment. var-string Maximum

length: 255

interface Interface. string Maximum

length: 35

member Member VIP objects of the group (Separate string Maximum

<name> multiple objects with a space). length: 79
VIP name.

name VIP group name. string Maximum

length: 79

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

config firewall vipgrp6

Configure IPv6 virtual IP groups.

config firewall vipgrp6
Description: Configure IPv6 virtual IP groups.
edit <name>
set color {integer}
set comments {var-string}
set member <name1>, <name2>, ...
set uuid {uuid}
next
end

config firewall vipgrp6

Parameter Description Type Size Default

color Integer value to determine the color of the icon in integer Minimum 0
the GUI. value: 0
Maximum
value: 32

comments Comment. var-string Maximum

length: 255

FortiOS 7.4.4 CLI Reference 565

Fortinet Inc.
Parameter Description Type Size Default

member Member VIP objects of the group (Separate string Maximum

<name> multiple objects with a space). length: 79
IPv6 VIP name.

name IPv6 VIP group name. string Maximum

length: 79

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

config firewall wildcard-fqdn custom

Config global/VDOM Wildcard FQDN address.

config firewall wildcard-fqdn custom
Description: Config global/VDOM Wildcard FQDN address.
edit <name>
set color {integer}
set comment {var-string}
set uuid {uuid}
set wildcard-fqdn {string}
next
end

config firewall wildcard-fqdn custom

Parameter Description Type Size Default

config ftp-proxy explicit

Configure explicit FTP proxy settings.

config ftp-proxy explicit
Description: Configure explicit FTP proxy settings.
set incoming-ip {ipv4-address-any}
set incoming-port {user}
set outgoing-ip {ipv4-address-any}
set sec-default-action [accept|deny]
set server-data-mode [client|passive]
set ssl [enable|disable]
set ssl-algorithm [high|medium|...]
set ssl-cert <name1>, <name2>, ...
set ssl-dh-bits [768|1024|...]
set status [enable|disable]
end

config ftp-proxy explicit

Parameter Description Type Size Default

incoming-ip Accept incoming FTP requests from this IP address. An ipv4- Not 0.0.0.0
interface must have this IP address. address- Specified
any

incoming-port Accept incoming FTP requests on one or more ports. user Not
Specified

outgoing-ip Outgoing FTP requests will leave from this IP address. ipv4- Not
An interface must have this IP address. address- Specified
any

sec-default- Accept or deny explicit FTP proxy sessions when no option - deny
action FTP proxy firewall policy exists.

Option Description

accept Accept requests. All explicit FTP proxy traffic is accepted whether there is an
explicit FTP proxy policy or not

deny Deny requests unless there is a matching explicit FTP proxy policy.

FortiOS 7.4.4 CLI Reference 568

Fortinet Inc.
Parameter Description Type Size Default

server-data- Determine mode of data session on FTP server side. option - client
mode

768 768-bit Diffie-Hellman prime.

1024 1024-bit Diffie-Hellman prime.

1536 1536-bit Diffie-Hellman prime.

2048 2048-bit Diffie-Hellman prime.

status Enable/disable the explicit FTP proxy. option - disable

Option Description

enable Enable the explicit FTP proxy.

disable Disable the explicit FTP proxy.

FortiOS 7.4.4 CLI Reference 569

Fortinet Inc.
icap

This section includes syntax for the following commands:

l config icap profile on page 570
l config icap server-group on page 576
l config icap server on page 577

config icap profile

Configure ICAP profiles.

config icap profile
Description: Configure ICAP profiles.
edit <name>
set 204-response [disable|enable]
set 204-size-limit {integer}
set chunk-encap [disable|enable]
set comment {var-string}
set extension-feature {option1}, {option2}, ...
set file-transfer {option1}, {option2}, ...
set file-transfer-failure [error|bypass]
set file-transfer-path {string}
set file-transfer-server {string}
set icap-block-log [disable|enable]
config icap-headers
Description: Configure ICAP forwarded request headers.
edit <id>
set name {string}
set content {string}
set base64-encoding [disable|enable]
next
end
set methods {option1}, {option2}, ...
set preview [disable|enable]
set preview-data-length {integer}
set replacemsg-group {string}
set request [disable|enable]
set request-failure [error|bypass]
set request-path {string}
set request-server {string}
set respmod-default-action [forward|bypass]
config respmod-forward-rules
Description: ICAP response mode forward rules.
edit <name>
set host {string}
config header-group
Description: HTTP header group.
edit <id>
set header-name {string}

FortiOS 7.4.4 CLI Reference 570

Fortinet Inc.
set header {string}
set case-sensitivity [disable|enable]
next
end
set action [forward|bypass]
set http-resp-status-code <code1>, <code2>, ...
next
end
set response [disable|enable]
set response-failure [error|bypass]
set response-path {string}
set response-req-hdr [disable|enable]
set response-server {string}
set scan-progress-interval {integer}
set streaming-content-bypass [disable|enable]
set timeout {integer}
next
end

config icap profile

Parameter Description Type Size Default

file-transfer Configure the file transfer protocols to pass transferred option -

files to an ICAP server as REQMOD.

Option Description

ssh Forward file transfer with SSH protocol to ICAP server for further processing.

ftp Forward file transfer with FTP protocol to ICAP server for further processing.

file-transfer- Action to take if the ICAP server cannot be contacted option - error
failure when processing a file transfer.

Option Description

error Error.

bypass Bypass.

file-transfer- Path component of the ICAP URI that identifies the file string Maximum
path transfer processing service. length: 127

file-transfer- ICAP server to use for a file transfer. string Maximum

server length: 63

icap-block-log Enable/disable UTM log when infection found. option - disable

Option Description

disable Disable UTM log when infection found.

enable Enable UTM log when infection found.

methods The allowed HTTP methods that will be sent to ICAP option - delete get
server for further processing. head
options
post put
trace
connect
other

Option Description

delete Forward HTTP request or response with DELETE method to ICAP server for
further processing.

get Forward HTTP request or response with GET method to ICAP server for
further processing.

head Forward HTTP request or response with HEAD method to ICAP server for
further processing.

FortiOS 7.4.4 CLI Reference 572

Fortinet Inc.
Parameter Description Type Size Default

Option Description

options Forward HTTP request or response with OPTIONS method to ICAP server for
further processing.

post Forward HTTP request or response with POST method to ICAP server for
further processing.

put Forward HTTP request or response with PUT method to ICAP server for
further processing.

trace Forward HTTP request or response with TRACE method to ICAP server for
further processing.

connect Forward HTTP request or response with CONNECT method to ICAP server
for further processing.

other Forward HTTP request or response with All other methods to ICAP server for
further processing.

name ICAP profile name. string Maximum

length: 35

preview Enable/disable preview of data to ICAP server. option - disable

Option Description

disable Disable preview of data to ICAP server.

enable Enable preview of data to ICAP server.

preview-data- Preview data length to be sent to ICAP server. integer Minimum 0

length value: 0
Maximum
value: 4096

replacemsg- Replacement message group. string Maximum

group length: 35

request Enable/disable whether an HTTP request is passed to option - disable

an ICAP server.

Option Description

disable Disable HTTP request passing to ICAP server.

enable Enable HTTP request passing to ICAP server.

request-failure Action to take if the ICAP server cannot be contacted option - error
when processing an HTTP request.

FortiOS 7.4.4 CLI Reference 573

Fortinet Inc.
Parameter Description Type Size Default

Option Description

error Error.

bypass Bypass.

request-path Path component of the ICAP URI that identifies the string Maximum
HTTP request processing service. length: 127

request-server ICAP server to use for an HTTP request. string Maximum

length: 63

respmod- Default action to ICAP response modification (respmod) option - forward

default-action processing.

Option Description

forward Forward response to ICAP server unless a rule specifies not to.

bypass Don't forward request to ICAP server unless a rule specifies to forward the
request.

response Enable/disable whether an HTTP response is passed to option - disable

an ICAP server.

Option Description

disable Disable HTTP response passing to ICAP server.

enable Enable HTTP response passing to ICAP server.

response- Action to take if the ICAP server cannot be contacted option - error
failure when processing an HTTP response.

Option Description

error Error.

bypass Bypass.

response-path Path component of the ICAP URI that identifies the string Maximum
HTTP response processing service. length: 127

response-req- Enable/disable addition of req-hdr for ICAP response option - enable

hdr modification (respmod) processing.

Option Description

disable Do not add req-hdr for response modification (respmod) processing.

enable Add req-hdr for response modification (respmod) processing.

FortiOS 7.4.4 CLI Reference 574

Fortinet Inc.
Parameter Description Type Size Default

response- ICAP server to use for an HTTP response. string Maximum

server length: 63

scan- Scan progress interval value. integer Minimum 10

progress- value: 5
interval Maximum
value: 30

streaming- Enable/disable bypassing of ICAP server for streaming option - disable

content- content.
bypass

Option Description

disable Disable bypassing of ICAP server for streaming content.

enable Enable bypassing of ICAP server for streaming content.

timeout Time (in seconds) that ICAP client waits for the integer Minimum 30
response from ICAP server. value: 30
Maximum
value: 3600

config icap-headers

Parameter Description Type Size Default

id HTTP forwarded header ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name HTTP forwarded header name. string Maximum

length: 79

content HTTP header content. string Maximum

length: 255

base64- Enable/disable use of base64 encoding of HTTP option - disable

encoding content.

Option Description

disable Disable use of base64 encoding of HTTP content.

enable Enable use of base64 encoding of HTTP content.

FortiOS 7.4.4 CLI Reference 575

Fortinet Inc.
config respmod-forward-rules

Parameter Description Type Size Default

name Address name. string Maximum

length: 63

host Address object for the host. string Maximum

length: 79

action Action to be taken for ICAP server. option - forward

Option Description

forward Forward request to ICAP server when this rule is matched.

bypass Don't forward request to ICAP server when this rule is matched.

http-resp- HTTP response status code. integer Minimum

status-code HTTP response status code. value: 100
<code> Maximum
value: 599

config header-group

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

header-name HTTP header. string Maximum

length: 79

header HTTP header regular expression. string Maximum

length: 255

case- Enable/disable case sensitivity when matching option - disable

sensitivity header.

Option Description

disable Ignore case when matching header.

enable Do not ignore case when matching header.

config icap server-group

Configure an ICAP server group consisting of multiple forward servers. Supports failover and load balancing.

FortiOS 7.4.4 CLI Reference 576

Fortinet Inc.
config icap server-group
Description: Configure an ICAP server group consisting of multiple forward servers.
Supports failover and load balancing.
edit <name>
set ldb-method [weighted|least-session|...]
config server-list
Description: Add ICAP servers to a list to form a server group. Optionally
assign weights to each server.
edit <name>
set weight {integer}
next
end
next
end

config icap server-group

Parameter Description Type Size Default

ldb-method Load balance method. option - weighted

Option Description

weighted Load balance traffic to forward servers based on assigned weights.

least-session Send new sessions to the server with lowest session count.

active-passive Send new sessions to active server with high weight.

name Configure an ICAP server group consisting one or string Maximum

multiple forward servers. Supports failover and load length: 63
balancing.

config server-list

Parameter Description Type Size Default

name ICAP server name. string Maximum

length: 63

weight Optionally assign a weight of the forwarding server for integer Minimum 10
weighted load balancing. value: 1
Maximum
value: 100

config icap server

Configure ICAP servers.

config icap server
Description: Configure ICAP servers.
edit <name>

FortiOS 7.4.4 CLI Reference 577

Fortinet Inc.
set addr-type [ip4|ip6|...]
set fqdn {string}
set healthcheck [disable|enable]
set healthcheck-service {string}
set ip-address {ipv4-address-any}
set ip6-address {ipv6-address}
set max-connections {integer}
set port {integer}
set secure [disable|enable]
set ssl-cert {string}
next
end

config icap server

Parameter Description Type Size Default

addr-type Address type of the remote ICAP server: IPv4, IPv6 option - ip4
or FQDN.

Option Description

ip4 Use an IPv4 address for the remote ICAP server.

ip6 Use an IPv6 address for the remote ICAP server.

fqdn Use the FQDN for the forwarding proxy server.

fqdn ICAP remote server Fully Qualified Domain Name string Maximum
(FQDN). length: 255

healthcheck Enable/disable ICAP remote server health checking. option - disable

Attempts to connect to the remote ICAP server to
verify that the server is operating normally.

Option Description

disable Disable health checking.

enable Enable health checking.

healthcheck- ICAP Service name to use for health checks. string Maximum
service length: 127

ip-address IPv4 address of the ICAP server. ipv4- Not Specified 0.0.0.0
address-
any

ip6-address IPv6 address of the ICAP server. ipv6- Not Specified ::

address

FortiOS 7.4.4 CLI Reference 578

Fortinet Inc.
Parameter Description Type Size Default

max- Maximum number of concurrent connections to integer Minimum 100

connections ICAP server. Must not be less than wad-worker- value: 0
count. Maximum
value:
4294967295

name Server name. string Maximum

length: 63

port ICAP server port. integer Minimum 1344

value: 1
Maximum
value: 65535

secure Enable/disable secure connection to ICAP server. option - disable

Option Description

disable Disable connection to secure ICAP server.

enable Enable connection to secure ICAP server.

ssl-cert CA certificate name. string Maximum

length: 79

FortiOS 7.4.4 CLI Reference 579

Fortinet Inc.
ips

This section includes syntax for the following commands:

l config ips custom on page 580
l config ips decoder on page 582
l config ips global on page 582
l config ips rule-settings on page 586
l config ips rule on page 587
l config ips sensor on page 589
l config ips settings on page 594
l config ips view-map on page 595

config ips custom

Configure IPS custom signature.

config ips custom
Description: Configure IPS custom signature.
edit <tag>
set action [pass|block]
set application {user}
set comment {string}
set location {user}
set log [disable|enable]
set log-packet [disable|enable]
set os {user}
set protocol {user}
set rule-id {integer}
set severity {user}
set signature {var-string}
set status [disable|enable]
next
end

config ips custom

Parameter Description Type Size Default

action Default action (pass or block) for this signature. option - pass

Option Description

pass Pass or allow matching traffic.

block Block or drop matching traffic.

FortiOS 7.4.4 CLI Reference 580

Fortinet Inc.
Parameter Description Type Size Default

application Applications to be protected. Blank for all user Not Specified

applications.

comment Comment. string Maximum

length: 63

location Protect client or server traffic. user Not Specified

log Enable/disable logging. option - enable

Option Description

disable Disable logging.

enable Enable logging.

log-packet Enable/disable packet logging. option - disable

Option Description

disable Disable packet logging.

enable Enable packet logging.

os Operating system(s) that the signature protects. user Not Specified

Blank for all operating systems.

protocol Protocol(s) that the signature scans. Blank for all user Not Specified
protocols.

rule-id Signature ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

severity Relative severity of the signature, from info to critical. user Not Specified
Log messages generated by the signature include the
severity.

signature Custom signature enclosed in single quotes. var-string Maximum

length: 4095

status Enable/disable this signature. option - enable

Option Description

disable Disable status.

enable Enable status.

tag Signature tag. string Maximum

length: 63

FortiOS 7.4.4 CLI Reference 581

Fortinet Inc.
config ips decoder

Configure IPS decoder.

config ips decoder
Description: Configure IPS decoder.
edit <name>
config parameter
Description: IPS group parameters.
edit <name>
set value {string}
next
end
next
end

config ips decoder

Parameter Description Type Size Default

name Decoder name. string Maximum

length: 63

config parameter

Parameter Description Type Size Default

name Parameter name. string Maximum

length: 31

value Parameter value. string Maximum

length: 199

config ips global

Configure IPS global parameter.

config ips global
Description: Configure IPS global parameter.
set anomaly-mode [periodical|continuous]
set av-mem-limit {integer}
set cp-accel-mode [none|basic|...]
set database [regular|extended]
set deep-app-insp-db-limit {integer}
set deep-app-insp-timeout {integer}
set engine-count {integer}
set exclude-signatures [none|ot]
set fail-open [enable|disable]
set ips-reserve-cpu [disable|enable]
set ngfw-max-scan-range {integer}
set np-accel-mode [none|basic]
set packet-log-queue-depth {integer}

FortiOS 7.4.4 CLI Reference 582

Fortinet Inc.
set session-limit-mode [accurate|heuristic]
set socket-size {integer}
set sync-session-ttl [enable|disable]
config tls-active-probe
Description: TLS active probe configuration.
set interface-select-method [auto|sdwan|...]
set interface {string}
set vdom {string}
set source-ip {ipv4-address}
set source-ip6 {ipv6-address}
end
set traffic-submit [enable|disable]
end

config ips global

Parameter Description Type Size Default

anomaly- Global blocking mode for rate-based anomalies. option - continuous

mode

Option Description

periodical After an anomaly is detected, allow the number of packets per second
according to the anomaly configuration.

continuous Block packets once an anomaly is detected. Overrides individual anomaly

settings.

av-mem-limit Maximum percentage of system memory allowed for integer Minimum 0

use on AV scanning. To disable set to zero. When value: 10
disabled, there is no limit on the AV memory usage. Maximum
value: 50

cp-accel- IPS Pattern matching acceleration/offloading to CPx option - advanced

mode * processors.

Option Description

none CPx acceleration/offloading disabled.

basic Offload basic pattern matching to CPx processors.

advanced Offload more types of pattern matching resulting in higher throughput than
basic mode. Requires two CP8s or one CP9.

database Regular or extended IPS database. Regular option - extended **

protects against the latest common and in-the-wild
attacks. Extended includes protection from legacy
attacks.

FortiOS 7.4.4 CLI Reference 583

Fortinet Inc.
Parameter Description Type Size Default

Option Description

regular IPS regular database package.

extended IPS extended database package.

deep-app- Limit on number of entries in deep application integer Minimum 0

insp-db-limit inspection database. value: 0
Maximum
value:
2147483647

deep-app- Timeout for Deep application inspection. integer Minimum 0

insp-timeout value: 0
Maximum
value:
2147483647

engine-count Number of IPS engines running. If set to the default integer Minimum 0
value of 0, FortiOS sets the number to optimize value: 0
performance depending on the number of CPU Maximum
cores. value: 255

exclude- Excluded signatures. option - ot

signatures

Option Description

none No signatures excluded.

ot Exclude ot signatures.

fail-open Enable to allow traffic if the IPS buffer is full. Default option - disable
is disable and IPS traffic is blocked when the IPS
buffer is full.

Option Description

enable Enable IPS fail open.

disable Disable IPS fail open.

ips-reserve- Enable/disable IPS daemon's use of CPUs other option - disable

cpu * than CPU 0.

Option Description

disable Disable IPS daemon's use of CPUs other than CPU 0 (all daemons run on all
CPUs).

enable Enable IPS daemon's use of CPUs other than CPU 0.

FortiOS 7.4.4 CLI Reference 584

Fortinet Inc.
Parameter Description Type Size Default

disable Disable use of kernel session TTL for IPS sessions.

traffic-submit Enable/disable submitting attack data found by this option - disable

FortiGate to FortiGuard.

FortiOS 7.4.4 CLI Reference 585

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable traffic submit.

disable Disable traffic submit.

* This parameter may not exist in some models.

** Values may differ between models.

config tls-active-probe

Parameter Description Type Size Default

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

interface Specify outgoing interface to reach server. string Maximum

length: 15

vdom Virtual domain name for TLS active probe. string Maximum
length: 31

source-ip Source IP address used for TLS active probe. ipv4- Not 0.0.0.0
address Specified

source-ip6 Source IPv6 address used for TLS active probe. ipv6- Not ::
address Specified

config ips rule-settings

Configure IPS rule setting.

config ips rule-settings
Description: Configure IPS rule setting.
edit <id>
next
end

FortiOS 7.4.4 CLI Reference 586

Fortinet Inc.
config ips rule-settings

Parameter Description Type Size Default

id Rule ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

config ips rule

Configure IPS rules.

config ips rule
Description: Configure IPS rules.
edit <name>
set action [pass|block]
set application {user}
set date {integer}
set group {string}
set location {user}
set log [disable|enable]
set log-packet [disable|enable]
config metadata
Description: Meta data.
edit <id>
set metaid {integer}
set valueid {integer}
next
end
set os {user}
set rev {integer}
set rule-id {integer}
set service {user}
set severity {user}
next
end

config ips rule

Parameter Description Type Size Default

action Action. option - pass

Option Description

pass Pass or allow matching traffic.

block Block or drop matching traffic.

FortiOS 7.4.4 CLI Reference 587

Fortinet Inc.
Parameter Description Type Size Default

application Vulnerable applications. user Not Specified

date Date. integer Minimum 0

value: 0
Maximum
value:
4294967295

group Group. string Maximum

length: 63

location Vulnerable location. user Not Specified

log Enable/disable logging. option - enable

Option Description

disable Disable logging.

enable Enable logging.

log-packet Enable/disable packet logging. option - disable

Option Description

disable Disable packet logging.

enable Enable packet logging.

name Rule name. string Maximum

length: 63

os Vulnerable operation systems. user Not Specified

rev Revision. integer Minimum 0

value: 0
Maximum
value:
4294967295

rule-id Rule ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

service Vulnerable service. user Not Specified

severity Severity. user Not Specified

FortiOS 7.4.4 CLI Reference 588

Fortinet Inc.
config metadata

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

metaid Meta ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

valueid Value ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

config ips sensor

Configure IPS sensor.

config ips sensor
Description: Configure IPS sensor.
edit <name>
set block-malicious-url [disable|enable]
set comment {var-string}
config entries
Description: IPS sensor filter.
edit <id>
set rule <id1>, <id2>, ...
set location {user}
set severity {user}
set protocol {user}
set os {user}
set application {user}
set default-action [all|pass|...]
set default-status [all|enable|...]
set cve <cve-entry1>, <cve-entry2>, ...
set vuln-type <id1>, <id2>, ...
set last-modified {user}
set status [disable|enable|...]
set log [disable|enable]
set log-packet [disable|enable]
set log-attack-context [disable|enable]
set action [pass|block|...]
set rate-count {integer}
set rate-duration {integer}
set rate-mode [periodical|continuous]

FortiOS 7.4.4 CLI Reference 589

Fortinet Inc.
set rate-track [none|src-ip|...]
config exempt-ip
Description: Traffic from selected source or destination IP addresses is
exempt from this signature.
edit <id>
set src-ip {ipv4-classnet}
set dst-ip {ipv4-classnet}
next
end
set quarantine [none|attacker]
set quarantine-expiry {user}
set quarantine-log [disable|enable]
next
end
set extended-log [enable|disable]
set replacemsg-group {string}
set scan-botnet-connections [disable|block|...]
next
end

config ips sensor

Parameter Description Type Size Default

block- Enable/disable malicious URL blocking. option - disable

malicious-url

Option Description

disable Disable malicious URL blocking.

enable Enable malicious URL blocking.

comment Comment. var-string Maximum

length: 255

extended-log Enable/disable extended logging. option - disable

Option Description

enable Enable setting.

disable Disable setting.

name Sensor name. string Maximum

length: 35

replacemsg- Replacement message group. string Maximum

group length: 35

scan-botnet- Block or monitor connections to Botnet servers, or option - disable

connections disable Botnet scanning.

FortiOS 7.4.4 CLI Reference 590

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Do not scan connections to botnet servers.

block Block connections to botnet servers.

monitor Log connections to botnet servers.

config entries

Parameter Description Type Size Default

id Rule ID in IPS database. integer Minimum 0

value: 0
Maximum
value:
4294967295

rule <id> Identifies the predefined or custom IPS signatures integer Minimum
to add to the sensor. value: 0
Rule IPS. Maximum
value:
4294967295

location Protect client or server traffic. user Not Specified all

severity Relative severity of the signature, from info to user Not Specified all
critical. Log messages generated by the signature
include the severity.

protocol Protocols to be examined. Use all for every protocol user Not Specified all
and other for unlisted protocols.

os Operating systems to be protected. Use all for every user Not Specified all
operating system and other for unlisted operating
systems.

application Operating systems to be protected. Use all for every user Not Specified all
application and other for unlisted application.

default-action Signature default action filter. option - all

Option Description

all Selects signatures with any default action.

pass Selects signatures with default action 'pass'.

block Selects signatures with default action 'block'.

default-status Signature default status filter. option - all

FortiOS 7.4.4 CLI Reference 591

Fortinet Inc.
Parameter Description Type Size Default

Option Description

all Selects signatures with any default status.

enable Selects signatures enabled by default.

disable Selects signatures disabled by default.

cve <cve- List of CVE IDs of the signatures to add to the string Maximum
entry> sensor. length: 19
CVE IDs or CVE wildcards.

vuln-type List of signature vulnerability types to filter by. integer Minimum

<id> Vulnerability type ID. value: 0
Maximum
value:
4294967295

last-modified Filter by signature last modified date. Formats: user Not Specified
before <date>, after <date>, between <start-date>
<end-date>.

status Status of the signatures included in filter. Only those option - default
filters with a status to enable are used.

Option Description

disable Disable status of selected rules.

enable Enable status of selected rules.

default Default.

log Enable/disable logging of signatures included in option - enable

filter.

Option Description

disable Disable logging of selected rules.

enable Enable logging of selected rules.

log-packet Enable/disable packet logging. Enable to save the option - disable

packet that triggers the filter. You can download the
packets in pcap format for diagnostic use.

Option Description

disable Disable packet logging of selected rules.

enable Enable packet logging of selected rules.

FortiOS 7.4.4 CLI Reference 592

Fortinet Inc.
Parameter Description Type Size Default

log-attack- Enable/disable logging of attack context: URL option - disable

context buffer, header buffer, body buffer, packet buffer.

Option Description

disable Disable logging of detailed attack context.

enable Enable logging of detailed attack context.

action Action taken with traffic in which signatures are option - default
detected.

Option Description

pass Pass or allow matching traffic.

block Block or drop matching traffic.

reset Reset sessions for matching traffic.

default Pass or drop matching traffic, depending on the default action of the signature.

rate-count Count of the rate. integer Minimum 0

value: 0
Maximum
value: 65535

rate-duration Duration (sec) of the rate. integer Minimum 60

value: 1
Maximum
value: 65535

rate-mode Rate limit mode. option - continuous

Option Description

periodical Allow configured number of packets every rate-duration.

continuous Block packets once the rate is reached.

rate-track Track the packet protocol field. option - none

Option Description

none none

src-ip Source IP.

dest-ip Destination IP.

dhcp-client-mac DHCP client.

dns-domain DNS domain.

FortiOS 7.4.4 CLI Reference 593

Fortinet Inc.
Parameter Description Type Size Default

quarantine Quarantine method. option - none

Option Description

none Quarantine is disabled.

attacker Block all traffic sent from attacker's IP address. The attacker's IP address is
also added to the banned user list. The target's address is not affected.

quarantine- Duration of quarantine.. Requires quarantine set to user Not Specified 5m

expiry attacker.

quarantine- Enable/disable quarantine logging. option - enable

log

Option Description

disable Disable quarantine logging.

enable Enable quarantine logging.

config exempt-ip

Parameter Description Type Size Default

id Exempt IP ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

src-ip Source IP address and netmask (applies to packet ipv4- Not Specified 0.0.0.0
matching the signature). classnet 0.0.0.0

dst-ip Destination IP address and netmask (applies to ipv4- Not Specified 0.0.0.0
packet matching the signature). classnet 0.0.0.0

config ips settings

Configure IPS VDOM parameter.

config ips settings
Description: Configure IPS VDOM parameter.
set ips-packet-quota {integer}
set packet-log-history {integer}
set packet-log-memory {integer}
set packet-log-post-attack {integer}
set proxy-inline-ips [disable|enable]
end

FortiOS 7.4.4 CLI Reference 594

Fortinet Inc.
config ips settings

Parameter Description Type Size Default

ips-packet- Maximum amount of disk space in MB for logged integer Minimum 0

quota packets when logging to disk. Range depends on disk value: 0
size. Maximum
value:
4294967295

packet-log- Number of packets to capture before and including integer Minimum 1

history the one in which the IPS signature is detected. value: 1
Maximum
value: 255

packet-log- Maximum memory can be used by packet log. integer Minimum 256
memory value: 64
Maximum
value: 8192

packet-log- Number of packets to log after the IPS signature is integer Minimum 0
post-attack detected. value: 0
Maximum
value: 255

proxy-inline- Enable/disable proxy-mode policy inline IPS support. option - enable

ips

Option Description

disable Do not allow inline IPS in proxy-mode policy.

enable Allow inline IPS in proxy-mode policy.

config ips view-map

Configure IPS view-map.

config ips view-map
Description: Configure IPS view-map.
edit <id>
set id-policy-id {integer}
set policy-id {integer}
set vdom-id {integer}
set which [firewall|interface|...]
next
end

FortiOS 7.4.4 CLI Reference 595

Fortinet Inc.
config ips view-map

Parameter Description Type Size Default

id View ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

id-policy-id ID-based policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

policy-id Policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

vdom-id VDOM ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

which Policy. option - firewall

Option Description

firewall Firewall policy.

interface Interface policy.

interface6 Interface policy6.

sniffer Sniffer policy.

sniffer6 Sniffer policy6.

explicit explicit proxy policy.

FortiOS 7.4.4 CLI Reference 596

Fortinet Inc.
log

This section includes syntax for the following commands:

l config log custom-field on page 598
l config log disk filter on page 599
l config log disk setting on page 602
l config log eventfilter on page 608
l config log fortianalyzer-cloud filter on page 611
l config log fortianalyzer-cloud override-filter on page 615
l config log fortianalyzer-cloud override-setting on page 618
l config log fortianalyzer-cloud setting on page 619
l config log fortianalyzer2 filter on page 622
l config log fortianalyzer2 override-filter on page 626
l config log fortianalyzer2 override-setting on page 629
l config log fortianalyzer2 setting on page 633
l config log fortianalyzer3 filter on page 638
l config log fortianalyzer3 override-filter on page 641
l config log fortianalyzer3 override-setting on page 645
l config log fortianalyzer3 setting on page 649
l config log fortianalyzer filter on page 654
l config log fortianalyzer override-filter on page 657
l config log fortianalyzer override-setting on page 661
l config log fortianalyzer setting on page 665
l config log fortiguard filter on page 670
l config log fortiguard override-filter on page 673
l config log fortiguard override-setting on page 677
l config log fortiguard setting on page 678
l config log gui-display on page 681
l config log memory filter on page 682
l config log memory global-setting on page 685
l config log memory setting on page 686
l config log null-device filter on page 687
l config log null-device setting on page 690
l config log setting on page 691
l config log syslogd2 filter on page 695
l config log syslogd2 override-filter on page 699
l config log syslogd2 override-setting on page 702
l config log syslogd2 setting on page 706
l config log syslogd3 filter on page 710
l config log syslogd3 override-filter on page 713

FortiOS 7.4.4 CLI Reference 597

Fortinet Inc.
l config log syslogd3 override-setting on page 717
l config log syslogd3 setting on page 720
l config log syslogd4 filter on page 724
l config log syslogd4 override-filter on page 728
l config log syslogd4 override-setting on page 731
l config log syslogd4 setting on page 735
l config log syslogd filter on page 739
l config log syslogd override-filter on page 742
l config log syslogd override-setting on page 746
l config log syslogd setting on page 749
l config log tacacs+accounting2 filter on page 753
l config log tacacs+accounting2 setting on page 754
l config log tacacs+accounting3 filter on page 755
l config log tacacs+accounting3 setting on page 756
l config log tacacs+accounting filter on page 757
l config log tacacs+accounting setting on page 758
l config log threat-weight on page 759
l config log webtrends filter on page 769
l config log webtrends setting on page 773

config log custom-field

Configure custom log fields.

config log custom-field
Description: Configure custom log fields.
edit <id>
set name {string}
set value {string}
next
end

config log custom-field

Parameter Description Type Size Default

id Field ID string. string Maximum

length: 35

name Field name (max: 15 characters). string Maximum

length: 15

value Field value (max: 15 characters). string Maximum

length: 15

FortiOS 7.4.4 CLI Reference 598

Fortinet Inc.
config log disk filter

Configure filters for local disk logging. Use these filters to determine the log messages to record according to severity
and type.
config log disk filter
Description: Configure filters for local disk logging. Use these filters to determine
the log messages to record according to severity and type.
set anomaly [enable|disable]
set dlp-archive [enable|disable]
set forti-switch [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

config log disk filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

enable Enable forward traffic logging.

disable Disable forward traffic logging.

gtp * Enable/disable GTP messages logging. option - enable

Option Description

enable Enable GTP messages logging.

disable Disable GTP messages logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Log to disk every message above and including this option - information
severity level.

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

FortiOS 7.4.4 CLI Reference 601

Fortinet Inc.
Parameter Description Type Size Default

Option Description

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

virtual-patch Virtual patch log.

filter Free style filter string. string Maximum

length: 1023

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log disk setting

Settings for local disk logging.

config log disk setting
Description: Settings for local disk logging.
set diskfull [overwrite|nolog]
set dlp-archive-quota {integer}
set full-final-warning-threshold {integer}
set full-first-warning-threshold {integer}
set full-second-warning-threshold {integer}
set interface {string}
set interface-select-method [auto|sdwan|...]

FortiOS 7.4.4 CLI Reference 602

Fortinet Inc.
set ips-archive [enable|disable]
set log-quota {integer}
set max-log-file-size {integer}
set max-policy-packet-capture-size {integer}
set maximum-log-age {integer}
set report-quota {integer}
set roll-day {option1}, {option2}, ...
set roll-schedule [daily|weekly]
set roll-time {user}
set source-ip {ipv4-address}
set status [enable|disable]
set upload [enable|disable]
set upload-delete-files [enable|disable]
set upload-destination {option}
set upload-ssl-conn [default|high|...]
set uploaddir {string}
set uploadip {ipv4-address}
set uploadpass {password}
set uploadport {integer}
set uploadsched [disable|enable]
set uploadtime {user}
set uploadtype {option1}, {option2}, ...
set uploaduser {string}
end

config log disk setting

Parameter Description Type Size Default

diskfull Action to take when disk is full. The system can option - overwrite
overwrite the oldest log messages or stop logging
when the disk is full.

Option Description

overwrite Overwrite the oldest logs when the log disk is full.

nolog Stop logging when the log disk is full.

dlp-archive- DLP archive quota (MB). integer Minimum 0

quota value: 0
Maximum
value:
4294967295

full-final- Log full final warning threshold as a percent. integer Minimum 95

warning- value: 3
threshold Maximum
value: 100

FortiOS 7.4.4 CLI Reference 603

Fortinet Inc.
Parameter Description Type Size Default

full-first- Log full first warning threshold as a percent. integer Minimum 75

warning- value: 1
threshold Maximum
value: 98

full-second- Log full second warning threshold as a percent. integer Minimum 90

warning- value: 2
threshold Maximum
value: 99

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface- Specify how to select outgoing interface to reach option - auto

select-method server.

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

ips-archive Enable/disable IPS packet archiving to the local option - enable

disk.

Option Description

enable Enable IPS packet archiving.

disable Disable IPS packet archiving.

log-quota Disk log quota (MB). integer Minimum 0

value: 0
Maximum
value:
4294967295

max-log-file- Maximum log file size before rolling. integer Minimum 20

size value: 1
Maximum
value: 100

max-policy- Maximum size of policy sniffer in MB (0 means integer Minimum 100

packet- unlimited). value: 0
capture-size Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 604

Fortinet Inc.
Parameter Description Type Size Default

maximum-log- Delete log files older than (days). integer Minimum 7

age value: 0
Maximum
value: 3650

report-quota * Report db quota (MB). integer Minimum 0

value: 0
Maximum
value:
4294967295

roll-day Day of week on which to roll log file. option - sunday

Option Description

sunday Sunday

monday Monday

tuesday Tuesday

wednesday Wednesday

thursday Thursday

friday Friday

saturday Saturday

roll-schedule Frequency to check log file for rolling. option - daily

Option Description

daily Check the log file once a day.

weekly Check the log file once a week.

roll-time Time of day to roll the log file (hh:mm). user Not Specified

source-ip Source IP address to use for uploading disk log ipv4- Not Specified 0.0.0.0
files. address

status Enable/disable local disk logging. option - disable **

Option Description

enable Log to local disk.

disable Do not log to local disk.

upload Enable/disable uploading log files when they are option - disable
rolled.

FortiOS 7.4.4 CLI Reference 605

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable uploading log files when they are rolled.

default FTPS with high and medium encryption algorithms.

high FTPS with high encryption algorithms.

low FTPS with low encryption algorithms.

disable Disable FTPS communication.

uploaddir The remote directory on the FTP server to upload string Maximum
log files to. length: 63

uploadip IP address of the FTP server to upload log files to. ipv4- Not Specified 0.0.0.0
address

uploadpass Password required to log into the FTP server to password Not Specified
upload disk log files.

uploadport TCP port to use for communicating with the FTP integer Minimum 21
server. value: 0
Maximum
value: 65535

uploadsched Set the schedule for uploading log files to the FTP option - disable
server.

FortiOS 7.4.4 CLI Reference 606

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Upload when rolling.

enable Scheduled upload.

uploadtime Time of day at which log files are uploaded if user Not Specified
uploadsched is enabled (hh:mm or hh).

uploadtype Types of log files to upload. Separate multiple option - traffic event
entries with a space. virus
webfilter
IPS
emailfilter
dlp-archive
anomaly
voip dlp
app-ctrl waf
dns ssh ssl
**

Option Description

traffic Upload traffic log.

event Upload event log.

virus Upload anti-virus log.

webfilter Upload web filter log.

IPS Upload IPS log.

emailfilter Upload spam filter log.

dlp-archive Upload DLP archive.

anomaly Upload anomaly log.

voip Upload VoIP log.

dlp Upload DLP log.

app-ctrl Upload application control log.

waf Upload web application firewall log.

dns Upload DNS log.

ssh Upload SSH log.

ssl Upload SSL log.

file-filter Upload file-filter log.

FortiOS 7.4.4 CLI Reference 607

Fortinet Inc.
Parameter Description Type Size Default

Option Description

icap Upload ICAP log.

virtual-patch Upload virtual-patch log.

uploaduser Username required to log into the FTP server to string Maximum
upload disk log files. length: 35

* This parameter may not exist in some models.

** Values may differ between models.

config log eventfilter

Configure log event filters.

config log eventfilter

Parameter Description Type Size Default

cifs Enable/disable CIFS logging. option - enable

Option Description

enable Enable CIFS logging.

disable Disable CIFS logging.

sdwan Enable/disable SD-WAN logging. option - enable

Option Description

enable Enable SD-WAN logging.

disable Disable SD-WAN logging.

security-rating Enable/disable Security Rating result logging. option - enable

Option Description

enable Enable Security Fabric audit result logging.

disable Disable Security Fabric audit result logging.

disable Disable wireless event logging.

config log fortianalyzer-cloud filter

Filters for FortiAnalyzer Cloud.

config log fortianalyzer-cloud filter
Description: Filters for FortiAnalyzer Cloud.
set anomaly [enable|disable]
set dlp-archive [enable|disable]
set forti-switch [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

FortiOS 7.4.4 CLI Reference 611

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

FortiOS 7.4.4 CLI Reference 612

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

FortiOS 7.4.4 CLI Reference 613

Fortinet Inc.
config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

virtual-patch Virtual patch log.

filter Free style filter string. string Maximum

length: 1023

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

FortiOS 7.4.4 CLI Reference 614

Fortinet Inc.
config log fortianalyzer-cloud override-filter

Override filters for FortiAnalyzer Cloud.

config log fortianalyzer-cloud override-filter
Description: Override filters for FortiAnalyzer Cloud.
set anomaly [enable|disable]
set dlp-archive [enable|disable]
set forti-switch [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

config log fortianalyzer-cloud override-filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

dlp-archive Enable/disable DLP archive logging. option - disable

Option Description

enable Enable DLP archive logging.

disable Disable DLP archive logging.

forti-switch Enable/disable Forti-Switch logging. option - enable

Option Description

enable Enable Forti-Switch logging.

disable Disable Forti-Switch logging.

FortiOS 7.4.4 CLI Reference 615

Fortinet Inc.
Parameter Description Type Size Default

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

gtp * Enable/disable GTP messages logging. option - enable

Option Description

enable Enable GTP messages logging.

disable Disable GTP messages logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

FortiOS 7.4.4 CLI Reference 616

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

FortiOS 7.4.4 CLI Reference 617

Fortinet Inc.
Parameter Description Type Size Default

Option Description

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

virtual-patch Virtual patch log.

filter Free style filter string. string Maximum

length: 1023

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log fortianalyzer-cloud override-setting

Override FortiAnalyzer Cloud settings.

config log fortianalyzer-cloud override-setting
Description: Override FortiAnalyzer Cloud settings.
set status [enable|disable]
end

config log fortianalyzer-cloud override-setting

Parameter Description Type Size Default

status Enable/disable logging to FortiAnalyzer. option - disable

Option Description

enable Enable logging to FortiAnalyzer.

disable Disable logging to FortiAnalyzer.

FortiOS 7.4.4 CLI Reference 618

Fortinet Inc.
config log fortianalyzer-cloud setting

Global FortiAnalyzer Cloud settings.

config log fortianalyzer-cloud setting
Description: Global FortiAnalyzer Cloud settings.
set access-config [enable|disable]
set certificate {string}
set certificate-verification [enable|disable]
set conn-timeout {integer}
set enc-algorithm [high-medium|high|...]
set hmac-algorithm {option}
set interface {string}
set interface-select-method [auto|sdwan|...]
set ips-archive [enable|disable]
set max-log-rate {integer}
set monitor-failure-retry-period {integer}
set monitor-keepalive-period {integer}
set preshared-key {string}
set priority [default|low]
set serial <name1>, <name2>, ...
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]
set status [enable|disable]
set upload-day {user}
set upload-interval [daily|weekly|...]
set upload-option [store-and-upload|realtime|...]
set upload-time {user}
end

config log fortianalyzer-cloud setting

Parameter Description Type Size Default

access-config Enable/disable FortiAnalyzer access to configuration option - enable

and data.

Option Description

enable Enable FortiAnalyzer access to configuration and data.

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

ips-archive Enable/disable IPS packet archive logging. option - disable

Option Description

enable Enable IPS packet archive logging.

disable Disable IPS packet archive logging.

max-log-rate FortiAnalyzer maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

FortiOS 7.4.4 CLI Reference 620

Fortinet Inc.
Parameter Description Type Size Default

monitor- Time between FortiAnalyzer connection retries in integer Minimum 5

failure-retry- seconds (for status and log buffer). value: 1
period Maximum
value:
86400

monitor- Time between OFTP keepalives in seconds (for status integer Minimum 5
keepalive- and log buffer). value: 1
period Maximum
value: 120

preshared- Preshared-key used for auto-authorization on string Maximum

key FortiAnalyzer. length: 63

priority Set log transmission priority. option - default

Option Description

default Set FortiAnalyzer log transmission priority to default.

low Set FortiAnalyzer log transmission priority to low.

serial <name> Serial numbers of the FortiAnalyzer. string Maximum

Serial Number. length: 79

source-ip Source IPv4 or IPv6 address used to communicate with string Maximum
FortiAnalyzer. length: 63

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

status Enable/disable logging to FortiAnalyzer. option - disable

Option Description

enable Enable logging to FortiAnalyzer.

disable Disable logging to FortiAnalyzer.

FortiOS 7.4.4 CLI Reference 621

Fortinet Inc.
Parameter Description Type Size Default

upload-day Day of week (month) to upload logs. user Not

Specified

upload- Frequency to upload log files to FortiAnalyzer. option - daily

interval

Option Description

daily Upload log files to FortiAnalyzer once a day.

weekly Upload log files to FortiAnalyzer once a week.

monthly Upload log files to FortiAnalyzer once a month.

upload-option Enable/disable logging to hard disk and then uploading option - 5-minute
to FortiAnalyzer.

Option Description

store-and-upload Log to hard disk and then upload to FortiAnalyzer.

realtime Log directly to FortiAnalyzer in real time.

1-minute Log directly to FortiAnalyzer at least every 1 minute.

5-minute Log directly to FortiAnalyzer at least every 5 minutes.

upload-time Time to upload logs (hh:mm). user Not

Specified

config log fortianalyzer2 filter

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Log every message above and including this severity option - information
level.

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

FortiOS 7.4.4 CLI Reference 624

Fortinet Inc.
config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

virtual-patch Virtual patch log.

filter Free style filter string. string Maximum

length: 1023

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

FortiOS 7.4.4 CLI Reference 625

Fortinet Inc.
config log fortianalyzer2 override-filter

Override filters for FortiAnalyzer.

config log fortianalyzer2 override-filter
Description: Override filters for FortiAnalyzer.
set anomaly [enable|disable]
set dlp-archive [enable|disable]
set forti-switch [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

config log fortianalyzer2 override-filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

dlp-archive Enable/disable DLP archive logging. option - enable

Option Description

enable Enable DLP archive logging.

disable Disable DLP archive logging.

forti-switch Enable/disable Forti-Switch logging. option - enable

Option Description

enable Enable Forti-Switch logging.

disable Disable Forti-Switch logging.

FortiOS 7.4.4 CLI Reference 626

Fortinet Inc.
Parameter Description Type Size Default

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

gtp * Enable/disable GTP messages logging. option - enable

Option Description

enable Enable GTP messages logging.

disable Disable GTP messages logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Log every message above and including this severity option - information
level.

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

FortiOS 7.4.4 CLI Reference 627

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

FortiOS 7.4.4 CLI Reference 628

Fortinet Inc.
Parameter Description Type Size Default

Option Description

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

virtual-patch Virtual patch log.

filter Free style filter string. string Maximum

length: 1023

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log fortianalyzer2 override-setting

Override FortiAnalyzer settings.

config log fortianalyzer2 override-setting
Description: Override FortiAnalyzer settings.
set access-config [enable|disable]
set alt-server {string}
set certificate {string}
set certificate-verification [enable|disable]
set conn-timeout {integer}
set enc-algorithm [high-medium|high|...]
set fallback-to-primary [enable|disable]
set hmac-algorithm {option}
set interface {string}
set interface-select-method [auto|sdwan|...]
set ips-archive [enable|disable]
set max-log-rate {integer}
set monitor-failure-retry-period {integer}
set monitor-keepalive-period {integer}
set preshared-key {string}
set priority [default|low]
set reliable [enable|disable]
set serial <name1>, <name2>, ...

FortiOS 7.4.4 CLI Reference 629

Fortinet Inc.
set server {string}
set server-cert-ca {string}
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]
set status [enable|disable]
set upload-day {user}
set upload-interval [daily|weekly|...]
set upload-option [store-and-upload|realtime|...]
set upload-time {user}
set use-management-vdom [enable|disable]
end

config log fortianalyzer2 override-setting

Parameter Description Type Size Default

access-config Enable/disable FortiAnalyzer access to configuration option - enable

and data.

Option Description

enable Enable FortiAnalyzer access to configuration and data.

disable Disable FortiAnalyzer access to configuration and data.

alt-server Alternate FortiAnalyzer. string Maximum

length: 127

certificate Certificate used to communicate with FortiAnalyzer. string Maximum

length: 35

certificate- Enable/disable identity verification of FortiAnalyzer by option - enable

verification use of certificate.

Option Description

enable Enable identity verification of FortiAnalyzer by use of certificate.

disable Disable identity verification of FortiAnalyzer by use of certificate.

conn-timeout FortiAnalyzer connection time-out in seconds (for integer Minimum 10

status and log buffer). value: 1
Maximum
value: 3600

enc-algorithm Configure the level of SSL protection for secure option - high
communication with FortiAnalyzer.

Option Description

high-medium Encrypt logs using high and medium encryption algorithms.

high Encrypt logs using high encryption algorithms.

low Encrypt logs using all encryption algorithms.

FortiOS 7.4.4 CLI Reference 630

Fortinet Inc.
Parameter Description Type Size Default

fallback-to- Enable/disable this FortiGate unit to fallback to the option - enable

primary primary FortiAnalyzer when it is available.

Option Description

enable Enable this FortiGate unit to fallback to the primary FortiAnalyzer when it is
available.

disable Disable this FortiGate unit to fallback to the primary FortiAnalyzer when it is
available.

hmac-algorithm OFTP login hash algorithm. option - sha256

FortiOS 7.4.4 CLI Reference 631

Fortinet Inc.
Parameter Description Type Size Default

monitor- Time between OFTP keepalives in seconds (for status integer Minimum 5
keepalive- and log buffer). value: 1
period Maximum
value: 120

preshared-key Preshared-key used for auto-authorization on string Maximum

FortiAnalyzer. length: 63

priority Set log transmission priority. option - default

Option Description

default Set FortiAnalyzer log transmission priority to default.

low Set FortiAnalyzer log transmission priority to low.

reliable Enable/disable reliable logging to FortiAnalyzer. option - disable

Option Description

enable Enable reliable logging to FortiAnalyzer.

disable Disable reliable logging to FortiAnalyzer.

serial <name> Serial numbers of the FortiAnalyzer. string Maximum

Serial Number. length: 79

server The remote FortiAnalyzer. string Maximum

length: 127

server-cert-ca Mandatory CA on FortiGate in certificate chain of string Maximum

server. length: 79

source-ip Source IPv4 or IPv6 address used to communicate string Maximum

with FortiAnalyzer. length: 63

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

status Enable/disable logging to FortiAnalyzer. option - disable

FortiOS 7.4.4 CLI Reference 632

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable logging to FortiAnalyzer.

disable Disable logging to FortiAnalyzer.

upload-day Day of week (month) to upload logs. user Not

Specified

upload-interval Frequency to upload log files to FortiAnalyzer. option - daily

Option Description

daily Upload log files to FortiAnalyzer once a day.

weekly Upload log files to FortiAnalyzer once a week.

monthly Upload log files to FortiAnalyzer once a month.

upload-option Enable/disable logging to hard disk and then option - 5-minute

uploading to FortiAnalyzer.

Option Description

store-and- Log to hard disk and then upload to FortiAnalyzer.

upload

realtime Log directly to FortiAnalyzer in real time.

1-minute Log directly to FortiAnalyzer at least every 1 minute.

5-minute Log directly to FortiAnalyzer at least every 5 minutes.

upload-time Time to upload logs (hh:mm). user Not

Specified

use- Enable/disable use of management VDOM IP option - disable

management- address as source IP for logs sent to FortiAnalyzer.
vdom

Option Description

enable Enable use of management VDOM IP address as source IP for logs sent to
FortiAnalyzer.

disable Disable use of management VDOM IP address as source IP for logs sent to
FortiAnalyzer.

config log fortianalyzer2 setting

Global FortiAnalyzer settings.

FortiOS 7.4.4 CLI Reference 633

Fortinet Inc.
config log fortianalyzer2 setting
Description: Global FortiAnalyzer settings.
set access-config [enable|disable]
set alt-server {string}
set certificate {string}
set certificate-verification [enable|disable]
set conn-timeout {integer}
set enc-algorithm [high-medium|high|...]
set fallback-to-primary [enable|disable]
set hmac-algorithm {option}
set interface {string}
set interface-select-method [auto|sdwan|...]
set ips-archive [enable|disable]
set max-log-rate {integer}
set monitor-failure-retry-period {integer}
set monitor-keepalive-period {integer}
set preshared-key {string}
set priority [default|low]
set reliable [enable|disable]
set serial <name1>, <name2>, ...
set server {string}
set server-cert-ca {string}
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]
set status [enable|disable]
set upload-day {user}
set upload-interval [daily|weekly|...]
set upload-option [store-and-upload|realtime|...]
set upload-time {user}
end

config log fortianalyzer2 setting

Parameter Description Type Size Default

access-config Enable/disable FortiAnalyzer access to configuration option - enable

and data.

Option Description

enable Enable FortiAnalyzer access to configuration and data.

disable Disable FortiAnalyzer access to configuration and data.

alt-server Alternate FortiAnalyzer. string Maximum

length: 127

certificate Certificate used to communicate with FortiAnalyzer. string Maximum

length: 35

certificate- Enable/disable identity verification of FortiAnalyzer by option - enable

verification use of certificate.

FortiOS 7.4.4 CLI Reference 634

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable identity verification of FortiAnalyzer by use of certificate.

disable Disable identity verification of FortiAnalyzer by use of certificate.

conn-timeout FortiAnalyzer connection time-out in seconds (for status integer Minimum 10

and log buffer). value: 1
Maximum
value: 3600

enc-algorithm Configure the level of SSL protection for secure option - high
communication with FortiAnalyzer.

Option Description

high-medium Encrypt logs using high and medium encryption algorithms.

high Encrypt logs using high encryption algorithms.

low Encrypt logs using all encryption algorithms.

fallback-to- Enable/disable this FortiGate unit to fallback to the option - enable

primary primary FortiAnalyzer when it is available.

Option Description

enable Enable this FortiGate unit to fallback to the primary FortiAnalyzer when it is
available.

disable Disable this FortiGate unit to fallback to the primary FortiAnalyzer when it is
available.

hmac- OFTP login hash algorithm. option - sha256

algorithm

Option Description

sha256 Use SHA256 as HMAC algorithm.

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

FortiOS 7.4.4 CLI Reference 635

Fortinet Inc.
Parameter Description Type Size Default

ips-archive Enable/disable IPS packet archive logging. option - enable

Option Description

enable Enable IPS packet archive logging.

disable Disable IPS packet archive logging.

max-log-rate FortiAnalyzer maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

monitor- Time between FortiAnalyzer connection retries in integer Minimum 5

failure-retry- seconds (for status and log buffer). value: 1
period Maximum
value:
86400

monitor- Time between OFTP keepalives in seconds (for status integer Minimum 5
keepalive- and log buffer). value: 1
period Maximum
value: 120

preshared- Preshared-key used for auto-authorization on string Maximum

key FortiAnalyzer. length: 63

priority Set log transmission priority. option - default

Option Description

default Set FortiAnalyzer log transmission priority to default.

low Set FortiAnalyzer log transmission priority to low.

reliable Enable/disable reliable logging to FortiAnalyzer. option - disable

Option Description

enable Enable reliable logging to FortiAnalyzer.

disable Disable reliable logging to FortiAnalyzer.

serial <name> Serial numbers of the FortiAnalyzer. string Maximum

Serial Number. length: 79

server The remote FortiAnalyzer. string Maximum

length: 127

server-cert-ca Mandatory CA on FortiGate in certificate chain of server. string Maximum

length: 79

FortiOS 7.4.4 CLI Reference 636

Fortinet Inc.
Parameter Description Type Size Default

source-ip Source IPv4 or IPv6 address used to communicate with string Maximum
FortiAnalyzer. length: 63

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

status Enable/disable logging to FortiAnalyzer. option - disable

Option Description

enable Enable logging to FortiAnalyzer.

disable Disable logging to FortiAnalyzer.

upload-day Day of week (month) to upload logs. user Not

Specified

upload- Frequency to upload log files to FortiAnalyzer. option - daily

interval

Option Description

daily Upload log files to FortiAnalyzer once a day.

weekly Upload log files to FortiAnalyzer once a week.

monthly Upload log files to FortiAnalyzer once a month.

upload-option Enable/disable logging to hard disk and then uploading option - 5-minute
to FortiAnalyzer.

Option Description

store-and-upload Log to hard disk and then upload to FortiAnalyzer.

realtime Log directly to FortiAnalyzer in real time.

1-minute Log directly to FortiAnalyzer at least every 1 minute.

5-minute Log directly to FortiAnalyzer at least every 5 minutes.

FortiOS 7.4.4 CLI Reference 637

Fortinet Inc.
Parameter Description Type Size Default

upload-time Time to upload logs (hh:mm). user Not

Specified

config log fortianalyzer3 filter

Filters for FortiAnalyzer.

config log fortianalyzer3 filter
Description: Filters for FortiAnalyzer.
set anomaly [enable|disable]
set dlp-archive [enable|disable]
set forti-switch [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

config log fortianalyzer3 filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

dlp-archive Enable/disable DLP archive logging. option - enable

Option Description

enable Enable DLP archive logging.

disable Disable DLP archive logging.

FortiOS 7.4.4 CLI Reference 638

Fortinet Inc.
Parameter Description Type Size Default

forti-switch Enable/disable Forti-Switch logging. option - enable

Option Description

enable Enable Forti-Switch logging.

disable Disable Forti-Switch logging.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

gtp * Enable/disable GTP messages logging. option - enable

Option Description

enable Enable GTP messages logging.

disable Disable GTP messages logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

FortiOS 7.4.4 CLI Reference 640

Fortinet Inc.
Parameter Description Type Size Default

Option Description

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

virtual-patch Virtual patch log.

filter Free style filter string. string Maximum

length: 1023

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log fortianalyzer3 override-filter

Override filters for FortiAnalyzer.

config log fortianalyzer3 override-filter
Description: Override filters for FortiAnalyzer.
set anomaly [enable|disable]
set dlp-archive [enable|disable]
set forti-switch [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>

FortiOS 7.4.4 CLI Reference 641

Fortinet Inc.
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

config log fortianalyzer3 override-filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

dlp-archive Enable/disable DLP archive logging. option - enable

Option Description

enable Enable DLP archive logging.

disable Disable DLP archive logging.

forti-switch Enable/disable Forti-Switch logging. option - enable

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

FortiOS 7.4.4 CLI Reference 643

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

FortiOS 7.4.4 CLI Reference 644

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

virtual-patch Virtual patch log.

filter Free style filter string. string Maximum

length: 1023

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log fortianalyzer3 override-setting

Override FortiAnalyzer settings.

config log fortianalyzer3 override-setting
Description: Override FortiAnalyzer settings.
set access-config [enable|disable]
set alt-server {string}
set certificate {string}
set certificate-verification [enable|disable]
set conn-timeout {integer}
set enc-algorithm [high-medium|high|...]
set fallback-to-primary [enable|disable]
set hmac-algorithm {option}
set interface {string}
set interface-select-method [auto|sdwan|...]
set ips-archive [enable|disable]
set max-log-rate {integer}
set monitor-failure-retry-period {integer}
set monitor-keepalive-period {integer}
set preshared-key {string}
set priority [default|low]
set reliable [enable|disable]
set serial <name1>, <name2>, ...
set server {string}
set server-cert-ca {string}
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]
set status [enable|disable]
set upload-day {user}

FortiOS 7.4.4 CLI Reference 645

Fortinet Inc.
set upload-interval [daily|weekly|...]
set upload-option [store-and-upload|realtime|...]
set upload-time {user}
set use-management-vdom [enable|disable]
end

config log fortianalyzer3 override-setting

Parameter Description Type Size Default

access-config Enable/disable FortiAnalyzer access to configuration option - enable

and data.

Option Description

enable Enable FortiAnalyzer access to configuration and data.

disable Disable FortiAnalyzer access to configuration and data.

alt-server Alternate FortiAnalyzer. string Maximum

length: 127

certificate Certificate used to communicate with FortiAnalyzer. string Maximum

length: 35

certificate- Enable/disable identity verification of FortiAnalyzer by option - enable

verification use of certificate.

Option Description

enable Enable identity verification of FortiAnalyzer by use of certificate.

disable Disable identity verification of FortiAnalyzer by use of certificate.

conn-timeout FortiAnalyzer connection time-out in seconds (for integer Minimum 10

status and log buffer). value: 1
Maximum
value: 3600

enc-algorithm Configure the level of SSL protection for secure option - high
communication with FortiAnalyzer.

Option Description

high-medium Encrypt logs using high and medium encryption algorithms.

high Encrypt logs using high encryption algorithms.

low Encrypt logs using all encryption algorithms.

fallback-to- Enable/disable this FortiGate unit to fallback to the option - enable

primary primary FortiAnalyzer when it is available.

FortiOS 7.4.4 CLI Reference 646

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable this FortiGate unit to fallback to the primary FortiAnalyzer when it is
available.

disable Disable this FortiGate unit to fallback to the primary FortiAnalyzer when it is
available.

hmac-algorithm OFTP login hash algorithm. option - sha256

monitor- Time between OFTP keepalives in seconds (for status integer Minimum 5
keepalive- and log buffer). value: 1
period Maximum
value: 120

FortiOS 7.4.4 CLI Reference 647

Fortinet Inc.
Parameter Description Type Size Default

preshared-key Preshared-key used for auto-authorization on string Maximum

FortiAnalyzer. length: 63

priority Set log transmission priority. option - default

Option Description

default Set FortiAnalyzer log transmission priority to default.

low Set FortiAnalyzer log transmission priority to low.

reliable Enable/disable reliable logging to FortiAnalyzer. option - disable

Option Description

enable Enable reliable logging to FortiAnalyzer.

disable Disable reliable logging to FortiAnalyzer.

serial <name> Serial numbers of the FortiAnalyzer. string Maximum

Serial Number. length: 79

server The remote FortiAnalyzer. string Maximum

length: 127

server-cert-ca Mandatory CA on FortiGate in certificate chain of string Maximum

server. length: 79

source-ip Source IPv4 or IPv6 address used to communicate string Maximum

with FortiAnalyzer. length: 63

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

upload-time Time to upload logs (hh:mm). user Not

Specified

use- Enable/disable use of management VDOM IP option - disable

management- address as source IP for logs sent to FortiAnalyzer.
vdom

Option Description

enable Enable use of management VDOM IP address as source IP for logs sent to
FortiAnalyzer.

disable Disable use of management VDOM IP address as source IP for logs sent to
FortiAnalyzer.

config log fortianalyzer3 setting

Global FortiAnalyzer settings.

config log fortianalyzer3 setting
Description: Global FortiAnalyzer settings.
set access-config [enable|disable]
set alt-server {string}
set certificate {string}
set certificate-verification [enable|disable]
set conn-timeout {integer}

FortiOS 7.4.4 CLI Reference 649

Fortinet Inc.
set enc-algorithm [high-medium|high|...]
set fallback-to-primary [enable|disable]
set hmac-algorithm {option}
set interface {string}
set interface-select-method [auto|sdwan|...]
set ips-archive [enable|disable]
set max-log-rate {integer}
set monitor-failure-retry-period {integer}
set monitor-keepalive-period {integer}
set preshared-key {string}
set priority [default|low]
set reliable [enable|disable]
set serial <name1>, <name2>, ...
set server {string}
set server-cert-ca {string}
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]
set status [enable|disable]
set upload-day {user}
set upload-interval [daily|weekly|...]
set upload-option [store-and-upload|realtime|...]
set upload-time {user}
end

config log fortianalyzer3 setting

Parameter Description Type Size Default

access-config Enable/disable FortiAnalyzer access to configuration option - enable

and data.

Option Description

enable Enable FortiAnalyzer access to configuration and data.

disable Disable FortiAnalyzer access to configuration and data.

alt-server Alternate FortiAnalyzer. string Maximum

length: 127

certificate Certificate used to communicate with FortiAnalyzer. string Maximum

length: 35

certificate- Enable/disable identity verification of FortiAnalyzer by option - enable

verification use of certificate.

Option Description

enable Enable identity verification of FortiAnalyzer by use of certificate.

disable Disable identity verification of FortiAnalyzer by use of certificate.

FortiOS 7.4.4 CLI Reference 650

Fortinet Inc.
Parameter Description Type Size Default

conn-timeout FortiAnalyzer connection time-out in seconds (for status integer Minimum 10

and log buffer). value: 1
Maximum
value: 3600

enc-algorithm Configure the level of SSL protection for secure option - high
communication with FortiAnalyzer.

Option Description

high-medium Encrypt logs using high and medium encryption algorithms.

high Encrypt logs using high encryption algorithms.

low Encrypt logs using all encryption algorithms.

fallback-to- Enable/disable this FortiGate unit to fallback to the option - enable

primary primary FortiAnalyzer when it is available.

Option Description

enable Enable this FortiGate unit to fallback to the primary FortiAnalyzer when it is
available.

disable Disable this FortiGate unit to fallback to the primary FortiAnalyzer when it is
available.

hmac- OFTP login hash algorithm. option - sha256

algorithm

Option Description

sha256 Use SHA256 as HMAC algorithm.

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

ips-archive Enable/disable IPS packet archive logging. option - enable

FortiOS 7.4.4 CLI Reference 651

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable IPS packet archive logging.

disable Disable IPS packet archive logging.

max-log-rate FortiAnalyzer maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

monitor- Time between FortiAnalyzer connection retries in integer Minimum 5

failure-retry- seconds (for status and log buffer). value: 1
period Maximum
value:
86400

monitor- Time between OFTP keepalives in seconds (for status integer Minimum 5
keepalive- and log buffer). value: 1
period Maximum
value: 120

preshared- Preshared-key used for auto-authorization on string Maximum

key FortiAnalyzer. length: 63

priority Set log transmission priority. option - default

Option Description

default Set FortiAnalyzer log transmission priority to default.

low Set FortiAnalyzer log transmission priority to low.

reliable Enable/disable reliable logging to FortiAnalyzer. option - disable

Option Description

enable Enable reliable logging to FortiAnalyzer.

disable Disable reliable logging to FortiAnalyzer.

serial <name> Serial numbers of the FortiAnalyzer. string Maximum

Serial Number. length: 79

server The remote FortiAnalyzer. string Maximum

length: 127

server-cert-ca Mandatory CA on FortiGate in certificate chain of server. string Maximum

length: 79

FortiOS 7.4.4 CLI Reference 652

Fortinet Inc.
Parameter Description Type Size Default

source-ip Source IPv4 or IPv6 address used to communicate with string Maximum
FortiAnalyzer. length: 63

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

status Enable/disable logging to FortiAnalyzer. option - disable

Option Description

enable Enable logging to FortiAnalyzer.

disable Disable logging to FortiAnalyzer.

upload-day Day of week (month) to upload logs. user Not

Specified

upload- Frequency to upload log files to FortiAnalyzer. option - daily

interval

Option Description

daily Upload log files to FortiAnalyzer once a day.

weekly Upload log files to FortiAnalyzer once a week.

monthly Upload log files to FortiAnalyzer once a month.

upload-option Enable/disable logging to hard disk and then uploading option - 5-minute
to FortiAnalyzer.

Option Description

store-and-upload Log to hard disk and then upload to FortiAnalyzer.

realtime Log directly to FortiAnalyzer in real time.

1-minute Log directly to FortiAnalyzer at least every 1 minute.

5-minute Log directly to FortiAnalyzer at least every 5 minutes.

FortiOS 7.4.4 CLI Reference 653

Fortinet Inc.
Parameter Description Type Size Default

upload-time Time to upload logs (hh:mm). user Not

Specified

config log fortianalyzer filter

Filters for FortiAnalyzer.

config log fortianalyzer filter
Description: Filters for FortiAnalyzer.
set anomaly [enable|disable]
set dlp-archive [enable|disable]
set forti-switch [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

config log fortianalyzer filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

dlp-archive Enable/disable DLP archive logging. option - enable

Option Description

enable Enable DLP archive logging.

disable Disable DLP archive logging.

FortiOS 7.4.4 CLI Reference 654

Fortinet Inc.
Parameter Description Type Size Default

forti-switch Enable/disable Forti-Switch logging. option - enable

Option Description

enable Enable Forti-Switch logging.

disable Disable Forti-Switch logging.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

gtp * Enable/disable GTP messages logging. option - enable

Option Description

enable Enable GTP messages logging.

disable Disable GTP messages logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

FortiOS 7.4.4 CLI Reference 656

Fortinet Inc.
Parameter Description Type Size Default

Option Description

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

virtual-patch Virtual patch log.

filter Free style filter string. string Maximum

length: 1023

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log fortianalyzer override-filter

Override filters for FortiAnalyzer.

config log fortianalyzer override-filter
Description: Override filters for FortiAnalyzer.
set anomaly [enable|disable]
set dlp-archive [enable|disable]
set forti-switch [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>

FortiOS 7.4.4 CLI Reference 657

config log fortianalyzer override-filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

dlp-archive Enable/disable DLP archive logging. option - enable

Option Description

enable Enable DLP archive logging.

disable Disable DLP archive logging.

forti-switch Enable/disable Forti-Switch logging. option - enable

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

FortiOS 7.4.4 CLI Reference 659

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

FortiOS 7.4.4 CLI Reference 660

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

virtual-patch Virtual patch log.

filter Free style filter string. string Maximum

length: 1023

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log fortianalyzer override-setting

Override FortiAnalyzer settings.

config log fortianalyzer override-setting
Description: Override FortiAnalyzer settings.
set access-config [enable|disable]
set alt-server {string}
set certificate {string}
set certificate-verification [enable|disable]
set conn-timeout {integer}
set enc-algorithm [high-medium|high|...]
set fallback-to-primary [enable|disable]
set hmac-algorithm {option}
set interface {string}
set interface-select-method [auto|sdwan|...]
set ips-archive [enable|disable]
set max-log-rate {integer}
set monitor-failure-retry-period {integer}
set monitor-keepalive-period {integer}
set preshared-key {string}
set priority [default|low]
set reliable [enable|disable]
set serial <name1>, <name2>, ...
set server {string}
set server-cert-ca {string}
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]
set status [enable|disable]
set upload-day {user}

FortiOS 7.4.4 CLI Reference 661

Fortinet Inc.
set upload-interval [daily|weekly|...]
set upload-option [store-and-upload|realtime|...]
set upload-time {user}
set use-management-vdom [enable|disable]
end

config log fortianalyzer override-setting

Parameter Description Type Size Default

access-config Enable/disable FortiAnalyzer access to configuration option - enable

and data.

Option Description

enable Enable FortiAnalyzer access to configuration and data.

disable Disable FortiAnalyzer access to configuration and data.

alt-server Alternate FortiAnalyzer. string Maximum

length: 127

certificate Certificate used to communicate with FortiAnalyzer. string Maximum

length: 35

certificate- Enable/disable identity verification of FortiAnalyzer by option - enable

verification use of certificate.

Option Description

enable Enable identity verification of FortiAnalyzer by use of certificate.

disable Disable identity verification of FortiAnalyzer by use of certificate.

conn-timeout FortiAnalyzer connection time-out in seconds (for integer Minimum 10

status and log buffer). value: 1
Maximum
value: 3600

enc-algorithm Configure the level of SSL protection for secure option - high
communication with FortiAnalyzer.

Option Description

high-medium Encrypt logs using high and medium encryption algorithms.

high Encrypt logs using high encryption algorithms.

low Encrypt logs using all encryption algorithms.

fallback-to- Enable/disable this FortiGate unit to fallback to the option - enable

primary primary FortiAnalyzer when it is available.

FortiOS 7.4.4 CLI Reference 662

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable this FortiGate unit to fallback to the primary FortiAnalyzer when it is
available.

disable Disable this FortiGate unit to fallback to the primary FortiAnalyzer when it is
available.

hmac-algorithm OFTP login hash algorithm. option - sha256

monitor- Time between OFTP keepalives in seconds (for status integer Minimum 5
keepalive- and log buffer). value: 1
period Maximum
value: 120

FortiOS 7.4.4 CLI Reference 663

Fortinet Inc.
Parameter Description Type Size Default

preshared-key Preshared-key used for auto-authorization on string Maximum

FortiAnalyzer. length: 63

priority Set log transmission priority. option - default

Option Description

default Set FortiAnalyzer log transmission priority to default.

low Set FortiAnalyzer log transmission priority to low.

reliable Enable/disable reliable logging to FortiAnalyzer. option - disable

Option Description

enable Enable reliable logging to FortiAnalyzer.

disable Disable reliable logging to FortiAnalyzer.

serial <name> Serial numbers of the FortiAnalyzer. string Maximum

Serial Number. length: 79

server The remote FortiAnalyzer. string Maximum

length: 127

server-cert-ca Mandatory CA on FortiGate in certificate chain of string Maximum

server. length: 79

source-ip Source IPv4 or IPv6 address used to communicate string Maximum

with FortiAnalyzer. length: 63

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

upload-time Time to upload logs (hh:mm). user Not

Specified

use- Enable/disable use of management VDOM IP option - disable

management- address as source IP for logs sent to FortiAnalyzer.
vdom

Option Description

enable Enable use of management VDOM IP address as source IP for logs sent to
FortiAnalyzer.

disable Disable use of management VDOM IP address as source IP for logs sent to
FortiAnalyzer.

config log fortianalyzer setting

Global FortiAnalyzer settings.

config log fortianalyzer setting
Description: Global FortiAnalyzer settings.
set access-config [enable|disable]
set alt-server {string}
set certificate {string}
set certificate-verification [enable|disable]
set conn-timeout {integer}

FortiOS 7.4.4 CLI Reference 665

config log fortianalyzer setting

Parameter Description Type Size Default

access-config Enable/disable FortiAnalyzer access to configuration option - enable

and data.

Option Description

enable Enable FortiAnalyzer access to configuration and data.

disable Disable FortiAnalyzer access to configuration and data.

alt-server Alternate FortiAnalyzer. string Maximum

length: 127

certificate Certificate used to communicate with FortiAnalyzer. string Maximum

length: 35

certificate- Enable/disable identity verification of FortiAnalyzer by option - enable

verification use of certificate.

Option Description

enable Enable identity verification of FortiAnalyzer by use of certificate.

disable Disable identity verification of FortiAnalyzer by use of certificate.

FortiOS 7.4.4 CLI Reference 666

Fortinet Inc.
Parameter Description Type Size Default

conn-timeout FortiAnalyzer connection time-out in seconds (for status integer Minimum 10

and log buffer). value: 1
Maximum
value: 3600

enc-algorithm Configure the level of SSL protection for secure option - high
communication with FortiAnalyzer.

Option Description

high-medium Encrypt logs using high and medium encryption algorithms.

high Encrypt logs using high encryption algorithms.

low Encrypt logs using all encryption algorithms.

fallback-to- Enable/disable this FortiGate unit to fallback to the option - enable

primary primary FortiAnalyzer when it is available.

Option Description

enable Enable this FortiGate unit to fallback to the primary FortiAnalyzer when it is
available.

disable Disable this FortiGate unit to fallback to the primary FortiAnalyzer when it is
available.

hmac- OFTP login hash algorithm. option - sha256

algorithm

Option Description

sha256 Use SHA256 as HMAC algorithm.

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

ips-archive Enable/disable IPS packet archive logging. option - enable

FortiOS 7.4.4 CLI Reference 667

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable IPS packet archive logging.

disable Disable IPS packet archive logging.

max-log-rate FortiAnalyzer maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

monitor- Time between FortiAnalyzer connection retries in integer Minimum 5

failure-retry- seconds (for status and log buffer). value: 1
period Maximum
value:
86400

monitor- Time between OFTP keepalives in seconds (for status integer Minimum 5
keepalive- and log buffer). value: 1
period Maximum
value: 120

preshared- Preshared-key used for auto-authorization on string Maximum

key FortiAnalyzer. length: 63

priority Set log transmission priority. option - default

Option Description

default Set FortiAnalyzer log transmission priority to default.

low Set FortiAnalyzer log transmission priority to low.

reliable Enable/disable reliable logging to FortiAnalyzer. option - disable

Option Description

enable Enable reliable logging to FortiAnalyzer.

disable Disable reliable logging to FortiAnalyzer.

serial <name> Serial numbers of the FortiAnalyzer. string Maximum

Serial Number. length: 79

server The remote FortiAnalyzer. string Maximum

length: 127

server-cert-ca Mandatory CA on FortiGate in certificate chain of server. string Maximum

length: 79

FortiOS 7.4.4 CLI Reference 668

Fortinet Inc.
Parameter Description Type Size Default

source-ip Source IPv4 or IPv6 address used to communicate with string Maximum
FortiAnalyzer. length: 63

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

status Enable/disable logging to FortiAnalyzer. option - disable

Option Description

enable Enable logging to FortiAnalyzer.

disable Disable logging to FortiAnalyzer.

upload-day Day of week (month) to upload logs. user Not

Specified

upload- Frequency to upload log files to FortiAnalyzer. option - daily

interval

Option Description

daily Upload log files to FortiAnalyzer once a day.

weekly Upload log files to FortiAnalyzer once a week.

monthly Upload log files to FortiAnalyzer once a month.

upload-option Enable/disable logging to hard disk and then uploading option - 5-minute
to FortiAnalyzer.

Option Description

store-and-upload Log to hard disk and then upload to FortiAnalyzer.

realtime Log directly to FortiAnalyzer in real time.

1-minute Log directly to FortiAnalyzer at least every 1 minute.

5-minute Log directly to FortiAnalyzer at least every 5 minutes.

FortiOS 7.4.4 CLI Reference 669

Fortinet Inc.
Parameter Description Type Size Default

upload-time Time to upload logs (hh:mm). user Not

Specified

config log fortiguard filter

Filters for FortiCloud.

config log fortiguard filter
Description: Filters for FortiCloud.
set anomaly [enable|disable]
set forti-switch [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

config log fortiguard filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

enable Enable GTP messages logging.

disable Disable GTP messages logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

FortiOS 7.4.4 CLI Reference 671

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

FortiOS 7.4.4 CLI Reference 672

Fortinet Inc.
Parameter Description Type Size Default

Option Description

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

virtual-patch Virtual patch log.

filter Free style filter string. string Maximum

length: 1023

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log fortiguard override-filter

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

FortiOS 7.4.4 CLI Reference 675

Fortinet Inc.
config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

virtual-patch Virtual patch log.

filter Free style filter string. string Maximum

length: 1023

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

FortiOS 7.4.4 CLI Reference 676

Fortinet Inc.
config log fortiguard override-setting

Override global FortiCloud logging settings for this VDOM.

config log fortiguard override-setting
Description: Override global FortiCloud logging settings for this VDOM.
set access-config [enable|disable]
set max-log-rate {integer}
set override [enable|disable]
set priority [default|low]
set status [enable|disable]
set upload-day {user}
set upload-interval [daily|weekly|...]
set upload-option [store-and-upload|realtime|...]
set upload-time {user}
end

config log fortiguard override-setting

low Set FortiCloud log transmission priority to low.

status Enable/disable logging to FortiCloud. option - disable

FortiOS 7.4.4 CLI Reference 677

Configure logging to FortiCloud.

config log fortiguard setting
Description: Configure logging to FortiCloud.
set access-config [enable|disable]
set conn-timeout {integer}
set enc-algorithm [high-medium|high|...]
set interface {string}
set interface-select-method [auto|sdwan|...]
set max-log-rate {integer}
set priority [default|low]
set source-ip {ipv4-address}
set ssl-min-proto-version [default|SSLv3|...]
set status [enable|disable]
set upload-day {user}
set upload-interval [daily|weekly|...]
set upload-option [store-and-upload|realtime|...]

FortiOS 7.4.4 CLI Reference 678

Fortinet Inc.
set upload-time {user}
end

config log fortiguard setting

Parameter Description Type Size Default

access-config Enable/disable FortiCloud access to configuration and option - enable

data.

Option Description

enable Enable FortiCloud access to configuration and data.

disable Disable FortiCloud access to configuration and data.

conn-timeout FortiGate Cloud connection timeout in seconds. integer Minimum 10

value: 1
Maximum
value: 3600

enc-algorithm Configure the level of SSL protection for secure option - high
communication with FortiCloud.

Option Description

high-medium Encrypt logs using high and medium encryption.

high Encrypt logs using high encryption.

low Encrypt logs using low encryption.

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

max-log-rate FortiCloud maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

priority Set log transmission priority. option - default

FortiOS 7.4.4 CLI Reference 679

Fortinet Inc.
Parameter Description Type Size Default

Option Description

default Set FortiCloud log transmission priority to default.

low Set FortiCloud log transmission priority to low.

source-ip Source IP address used to connect FortiCloud. ipv4- Not 0.0.0.0

address Specified

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

status Enable/disable logging to FortiCloud. option - disable

Option Description

enable Enable logging to FortiCloud.

disable Disable logging to FortiCloud.

upload-day Day of week to roll logs. user Not

Specified

upload- Frequency of uploading log files to FortiCloud. option - daily

interval

Option Description

daily Upload log files to FortiCloud once a day.

weekly Upload log files to FortiCloud once a week.

monthly Upload log files to FortiCloud once a month.

upload-option Configure how log messages are sent to FortiCloud. option - 5-minute

Option Description

store-and-upload Log to the hard disk and then upload logs to FortiCloud.

FortiOS 7.4.4 CLI Reference 680

Fortinet Inc.
Parameter Description Type Size Default

Option Description

realtime Log directly to FortiCloud in real time.

1-minute Log directly to FortiCloud at 1-minute intervals.

5-minute Log directly to FortiCloud at 5-minute intervals.

upload-time Time of day to roll logs (hh:mm). user Not

Specified

config log gui-display

Configure how log messages are displayed on the GUI.

config log gui-display
Description: Configure how log messages are displayed on the GUI.
set fortiview-unscanned-apps [enable|disable]
set resolve-apps [enable|disable]
set resolve-hosts [enable|disable]
end

config log gui-display

Parameter Description Type Size Default

fortiview- Enable/disable showing unscanned traffic in FortiView option - disable

unscanned- application charts.
apps

Option Description

enable Enable showing unscanned traffic.

disable Disable showing unscanned traffic.

resolve-apps Resolve unknown applications on the GUI using option - enable

Fortinet's remote application database.

Option Description

enable Enable unknown applications on the GUI.

disable Disable unknown applications on the GUI.

resolve-hosts Enable/disable resolving IP addresses to hostname in option - enable

log messages on the GUI using reverse DNS lookup.

FortiOS 7.4.4 CLI Reference 681

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable resolving IP addresses to hostnames.

disable Disable resolving IP addresses to hostnames.

config log memory filter

Filters for memory buffer.

config log memory filter
Description: Filters for memory buffer.
set anomaly [enable|disable]
set forti-switch [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

config log memory filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

forti-switch Enable/disable Forti-Switch logging. option - enable

Option Description

enable Enable Forti-Switch logging.

disable Disable Forti-Switch logging.

FortiOS 7.4.4 CLI Reference 682

Fortinet Inc.
Parameter Description Type Size Default

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

gtp * Enable/disable GTP messages logging. option - enable

Option Description

enable Enable GTP messages logging.

disable Disable GTP messages logging.

local-traffic Enable/disable local in or out traffic logging. option - enable **

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Log every message above and including this severity option - information
level.

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

FortiOS 7.4.4 CLI Reference 683

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

** Values may differ between models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

FortiOS 7.4.4 CLI Reference 684

Fortinet Inc.
Parameter Description Type Size Default

Option Description

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

virtual-patch Virtual patch log.

filter Free style filter string. string Maximum

length: 1023

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log memory global-setting

Global settings for memory logging.

config log memory global-setting
Description: Global settings for memory logging.
set full-final-warning-threshold {integer}
set full-first-warning-threshold {integer}
set full-second-warning-threshold {integer}
set max-size {integer}
end

FortiOS 7.4.4 CLI Reference 685

Fortinet Inc.
config log memory global-setting

Parameter Description Type Size Default

full-final- Log full final warning threshold as a percent. integer Minimum 95

warning- value: 3
threshold Maximum
value: 100

full-first- Log full first warning threshold as a percent. integer Minimum 75

warning- value: 1
threshold Maximum
value: 98

full-second- Log full second warning threshold as a percent. integer Minimum 90

warning- value: 2
threshold Maximum
value: 99

max-size Maximum amount of memory that can be used for integer Minimum 168439726 **
memory logging in bytes. value: 0
Maximum
value:
4294967295

** Values may differ between models.

config log memory setting

Settings for memory buffer.

config log memory setting
Description: Settings for memory buffer.
set status [enable|disable]
end

config log memory setting

Parameter Description Type Size Default

status Enable/disable logging to the FortiGate's memory. option - enable **

Option Description

enable Enable logging to memory.

disable Disable logging to memory.

** Values may differ between models.

FortiOS 7.4.4 CLI Reference 686

Fortinet Inc.
config log null-device filter

Filters for null device logging.

config log null-device filter
Description: Filters for null device logging.
set anomaly [enable|disable]
set forti-switch [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

config log null-device filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

forti-switch Enable/disable Forti-Switch logging. option - enable

Option Description

enable Enable Forti-Switch logging.

disable Disable Forti-Switch logging.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

FortiOS 7.4.4 CLI Reference 687

Fortinet Inc.
Parameter Description Type Size Default

gtp * Enable/disable GTP messages logging. option - enable

Option Description

enable Enable GTP messages logging.

disable Disable GTP messages logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

FortiOS 7.4.4 CLI Reference 688

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

FortiOS 7.4.4 CLI Reference 689

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

virtual-patch Virtual patch log.

filter Free style filter string. string Maximum

length: 1023

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log null-device setting

Settings for null device logging.

config log null-device setting
Description: Settings for null device logging.
set status [enable|disable]
end

config log null-device setting

Parameter Description Type Size Default

status Enable/disable statistics collection for when no external option - disable

logging destination, such as FortiAnalyzer, is present
(data is not saved).

Option Description

enable Enable statistics collection for when no external logging destination, such as
FortiAnalyzer, is present (data is not saved).

disable Disable statistics collection for when no external logging destination, such as
FortiAnalyzer, is present (data is not saved).

FortiOS 7.4.4 CLI Reference 690

Fortinet Inc.
config log setting

Configure general log settings.

config log setting
Description: Configure general log settings.
set anonymization-hash {string}
set brief-traffic-format [enable|disable]
set custom-log-fields <field-id1>, <field-id2>, ...
set daemon-log [enable|disable]
set expolicy-implicit-log [enable|disable]
set extended-log [enable|disable]
set faz-override [enable|disable]
set fortiview-weekly-data [enable|disable]
set fwpolicy-implicit-log [enable|disable]
set fwpolicy6-implicit-log [enable|disable]
set local-in-allow [enable|disable]
set local-in-deny-broadcast [enable|disable]
set local-in-deny-unicast [enable|disable]
set local-out [enable|disable]
set local-out-ioc-detection [enable|disable]
set log-policy-comment [enable|disable]
set log-user-in-upper [enable|disable]
set long-live-session-stat [enable|disable]
set neighbor-event [enable|disable]
set resolve-ip [enable|disable]
set resolve-port [enable|disable]
set rest-api-get [enable|disable]
set rest-api-set [enable|disable]
set syslog-override [enable|disable]
set user-anonymize [enable|disable]
end

config log setting

Parameter Description Type Size Default

anonymization- User name anonymization hash salt. string Maximum

hash length: 32

brief-traffic-format Enable/disable brief format traffic logging. option - disable

Option Description

enable Enable brief format traffic logging.

disable Disable brief format traffic logging.

custom-log-fields Custom fields to append to all log messages. string Maximum

<field-id> Custom log field. length: 35

faz-override Enable/disable override FortiAnalyzer settings. option - disable

FortiOS 7.4.4 CLI Reference 692

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable implicit firewall policy6 logging.

disable Disable implicit firewall policy6 logging.

local-in-allow Enable/disable local-in-allow logging. option - disable

enable Enable local-out logging.

disable Disable local-out logging.

local-out-ioc- Enable/disable local-out traffic IoC detection. option - enable

detection Requires local-out to be enabled.

Option Description

enable Enable local-out traffic IoC detection. Requires local-out to be enabled.

disable Disable local-out traffic IoC detection.

log-policy- Enable/disable inserting policy comments into traffic option - disable

comment logs.

FortiOS 7.4.4 CLI Reference 693

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable inserting policy comments into traffic logs.

disable Disable inserting policy comments into traffic logs.

log-user-in-upper Enable/disable logs with user-in-upper. option - disable

Option Description

enable Enable logs with user-in-upper.

disable Disable logs with user-in-upper.

long-live-session- Enable/disable long-live-session statistics logging. option - enable

stat

Option Description

enable Enable long-live-session statistics logging.

disable Disable long-live-session statistics logging.

neighbor-event Enable/disable neighbor event logging. option - disable

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable GET REST API logging.

disable Disable GET REST API logging.

rest-api-set Enable/disable REST API POST/PUT/DELETE option - disable

request logging.

Option Description

enable Enable POST/PUT/DELETE REST API logging.

disable Disable POST/PUT/DELETE REST API logging.

syslog-override Enable/disable override Syslog settings. option - disable

Option Description

enable Enable override Syslog settings.

disable Disable override Syslog settings.

user-anonymize Enable/disable anonymizing user names in log option - disable

messages.

Option Description

enable Enable anonymizing user names in log messages.

disable Disable anonymizing user names in log messages.

* This parameter may not exist in some models.

config log syslogd2 filter

Filters for remote system server.

config log syslogd2 filter
Description: Filters for remote system server.
set anomaly [enable|disable]
set forti-switch [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]

FortiOS 7.4.4 CLI Reference 695

FortiOS 7.4.4 CLI Reference 696

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

FortiOS 7.4.4 CLI Reference 697

Fortinet Inc.
config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

virtual-patch Virtual patch log.

filter Free style filter string. string Maximum

length: 1023

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

FortiOS 7.4.4 CLI Reference 698

Fortinet Inc.
config log syslogd2 override-filter

Override filters for remote system server.

config log syslogd2 override-filter
Description: Override filters for remote system server.
set anomaly [enable|disable]
set forti-switch [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

config log syslogd2 override-filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

forti-switch Enable/disable Forti-Switch logging. option - enable

Option Description

enable Enable Forti-Switch logging.

disable Disable Forti-Switch logging.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

FortiOS 7.4.4 CLI Reference 699

Fortinet Inc.
Parameter Description Type Size Default

gtp * Enable/disable GTP messages logging. option - enable

Option Description

enable Enable GTP messages logging.

disable Disable GTP messages logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

FortiOS 7.4.4 CLI Reference 700

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

FortiOS 7.4.4 CLI Reference 701

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

virtual-patch Virtual patch log.

filter Free style filter string. string Maximum

length: 1023

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log syslogd2 override-setting

Override settings for remote syslog server.

config log syslogd2 override-setting
Description: Override settings for remote syslog server.
set certificate {string}
config custom-field-name
Description: Custom field name for CEF format logging.
edit <id>
set name {string}
set custom {string}
next
end
set enc-algorithm [high-medium|high|...]
set facility [kernel|user|...]
set format [default|csv|...]
set interface {string}
set interface-select-method [auto|sdwan|...]
set max-log-rate {integer}
set mode [udp|legacy-reliable|...]
set port {integer}
set priority [default|low]
set server {string}
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]
set status [enable|disable]
end

FortiOS 7.4.4 CLI Reference 702

Fortinet Inc.
config log syslogd2 override-setting

Parameter Description Type Size Default

certificate Certificate used to communicate with Syslog server. string Maximum

length: 35

enc-algorithm Enable/disable reliable syslogging with TLS encryption. option - disable

Option Description

high-medium SSL communication with high and medium encryption algorithms.

high SSL communication with high encryption algorithms.

low SSL communication with low encryption algorithms.

disable Disable SSL communication.

facility Remote syslog facility. option - local7

Option Description

kernel Kernel messages.

user Random user-level messages.

mail Mail system.

daemon System daemons.

auth Security/authorization messages.

syslog Messages generated internally by syslog.

lpr Line printer subsystem.

news Network news subsystem.

uucp Network news subsystem.

cron Clock daemon.

authpriv Security/authorization messages (private).

ftp FTP daemon.

ntp NTP daemon.

audit Log audit.

alert Log alert.

clock Clock daemon.

local0 Reserved for local use.

local1 Reserved for local use.

FortiOS 7.4.4 CLI Reference 703

Fortinet Inc.
Parameter Description Type Size Default

Option Description

local2 Reserved for local use.

local3 Reserved for local use.

local4 Reserved for local use.

local5 Reserved for local use.

local6 Reserved for local use.

local7 Reserved for local use.

format Log format. option - default

Option Description

default Syslog format.

csv CSV (Comma Separated Values) format.

cef CEF (Common Event Format) format.

rfc5424 Syslog RFC5424 format.

json JSON (JavaScript Object Notation) format.

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

max-log-rate Syslog maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

mode Remote syslog logging over UDP/Reliable TCP. option - udp

Option Description

udp Enable syslogging over UDP.

FortiOS 7.4.4 CLI Reference 704

Fortinet Inc.
Parameter Description Type Size Default

Option Description

legacy-reliable Enable legacy reliable syslogging by RFC3195 (Reliable Delivery for Syslog).

reliable Enable reliable syslogging by RFC6587 (Transmission of Syslog Messages

over TCP).

port Server listen port. integer Minimum 514

value: 0
Maximum
value:
65535

priority Set log transmission priority. option - default

Option Description

default Set Syslog transmission priority to default.

low Set Syslog transmission priority to low.

server Address of remote syslog server. string Maximum

length: 127

source-ip Source IP address of syslog. string Maximum

length: 63

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

FortiOS 7.4.4 CLI Reference 706

Fortinet Inc.
Parameter Description Type Size Default

Option Description

high-medium SSL communication with high and medium encryption algorithms.

high SSL communication with high encryption algorithms.

low SSL communication with low encryption algorithms.

disable Disable SSL communication.

facility Remote syslog facility. option - local7

Option Description

kernel Kernel messages.

user Random user-level messages.

mail Mail system.

daemon System daemons.

auth Security/authorization messages.

syslog Messages generated internally by syslog.

lpr Line printer subsystem.

news Network news subsystem.

uucp Network news subsystem.

cron Clock daemon.

authpriv Security/authorization messages (private).

ftp FTP daemon.

ntp NTP daemon.

audit Log audit.

alert Log alert.

clock Clock daemon.

local0 Reserved for local use.

local1 Reserved for local use.

local2 Reserved for local use.

local3 Reserved for local use.

local4 Reserved for local use.

local5 Reserved for local use.

FortiOS 7.4.4 CLI Reference 707

Fortinet Inc.
Parameter Description Type Size Default

Option Description

local6 Reserved for local use.

local7 Reserved for local use.

format Log format. option - default

Option Description

default Syslog format.

csv CSV (Comma Separated Values) format.

cef CEF (Common Event Format) format.

rfc5424 Syslog RFC5424 format.

json JSON (JavaScript Object Notation) format.

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

max-log-rate Syslog maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

mode Remote syslog logging over UDP/Reliable TCP. option - udp

Option Description

udp Enable syslogging over UDP.

legacy-reliable Enable legacy reliable syslogging by RFC3195 (Reliable Delivery for Syslog).

reliable Enable reliable syslogging by RFC6587 (Transmission of Syslog Messages

over TCP).

FortiOS 7.4.4 CLI Reference 708

Fortinet Inc.
Parameter Description Type Size Default

port Server listen port. integer Minimum 514

value: 0
Maximum
value:
65535

priority Set log transmission priority. option - default

Option Description

default Set Syslog transmission priority to default.

low Set Syslog transmission priority to low.

server Address of remote syslog server. string Maximum

length: 127

source-ip Source IP address of syslog. string Maximum

length: 63

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

status Enable/disable remote syslog logging. option - disable

Option Description

enable Log to remote syslog server.

disable Do not log to remote syslog server.

config custom-field-name

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

FortiOS 7.4.4 CLI Reference 709

Fortinet Inc.
Parameter Description Type Size Default

name Field name [A-Za-z0-9_]. string Maximum

length: 35

custom Field custom name [A-Za-z0-9_]. string Maximum

length: 35

config log syslogd3 filter

Filters for remote system server.

config log syslogd3 filter
Description: Filters for remote system server.
set anomaly [enable|disable]
set forti-switch [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

config log syslogd3 filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

forti-switch Enable/disable Forti-Switch logging. option - enable

Option Description

enable Enable Forti-Switch logging.

disable Disable Forti-Switch logging.

FortiOS 7.4.4 CLI Reference 710

Fortinet Inc.
Parameter Description Type Size Default

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

gtp * Enable/disable GTP messages logging. option - enable

Option Description

enable Enable GTP messages logging.

disable Disable GTP messages logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

FortiOS 7.4.4 CLI Reference 711

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

FortiOS 7.4.4 CLI Reference 712

Fortinet Inc.
Parameter Description Type Size Default

Option Description

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

virtual-patch Virtual patch log.

filter Free style filter string. string Maximum

length: 1023

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log syslogd3 override-filter

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

FortiOS 7.4.4 CLI Reference 715

Fortinet Inc.
config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

virtual-patch Virtual patch log.

filter Free style filter string. string Maximum

length: 1023

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

FortiOS 7.4.4 CLI Reference 716

Fortinet Inc.
config log syslogd3 override-setting

Override settings for remote syslog server.

config log syslogd3 override-setting
Description: Override settings for remote syslog server.
set certificate {string}
config custom-field-name
Description: Custom field name for CEF format logging.
edit <id>
set name {string}
set custom {string}
next
end
set enc-algorithm [high-medium|high|...]
set facility [kernel|user|...]
set format [default|csv|...]
set interface {string}
set interface-select-method [auto|sdwan|...]
set max-log-rate {integer}
set mode [udp|legacy-reliable|...]
set port {integer}
set priority [default|low]
set server {string}
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]
set status [enable|disable]
end

config log syslogd3 override-setting

Parameter Description Type Size Default

certificate Certificate used to communicate with Syslog server. string Maximum

length: 35

enc-algorithm Enable/disable reliable syslogging with TLS encryption. option - disable

Option Description

high-medium SSL communication with high and medium encryption algorithms.

high SSL communication with high encryption algorithms.

low SSL communication with low encryption algorithms.

disable Disable SSL communication.

facility Remote syslog facility. option - local7

Option Description

kernel Kernel messages.

FortiOS 7.4.4 CLI Reference 717

Fortinet Inc.
Parameter Description Type Size Default

Option Description

user Random user-level messages.

mail Mail system.

daemon System daemons.

auth Security/authorization messages.

syslog Messages generated internally by syslog.

lpr Line printer subsystem.

news Network news subsystem.

uucp Network news subsystem.

cron Clock daemon.

authpriv Security/authorization messages (private).

ftp FTP daemon.

ntp NTP daemon.

audit Log audit.

alert Log alert.

clock Clock daemon.

local0 Reserved for local use.

local1 Reserved for local use.

local2 Reserved for local use.

local3 Reserved for local use.

local4 Reserved for local use.

local5 Reserved for local use.

local6 Reserved for local use.

local7 Reserved for local use.

format Log format. option - default

mode Remote syslog logging over UDP/Reliable TCP. option - udp

Option Description

udp Enable syslogging over UDP.

legacy-reliable Enable legacy reliable syslogging by RFC3195 (Reliable Delivery for Syslog).

reliable Enable reliable syslogging by RFC6587 (Transmission of Syslog Messages

over TCP).

port Server listen port. integer Minimum 514

value: 0
Maximum
value:
65535

priority Set log transmission priority. option - default

Option Description

default Set Syslog transmission priority to default.

low Set Syslog transmission priority to low.

server Address of remote syslog server. string Maximum

length: 127

FortiOS 7.4.4 CLI Reference 719

Fortinet Inc.
Parameter Description Type Size Default

source-ip Source IP address of syslog. string Maximum

length: 63

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

status Enable/disable remote syslog logging. option - disable

Option Description

enable Log to remote syslog server.

disable Do not log to remote syslog server.

config custom-field-name

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

name Field name [A-Za-z0-9_]. string Maximum

length: 35

custom Field custom name [A-Za-z0-9_]. string Maximum

length: 35

config log syslogd3 setting

Global settings for remote syslog server.

config log syslogd3 setting
Description: Global settings for remote syslog server.
set certificate {string}
config custom-field-name
Description: Custom field name for CEF format logging.
edit <id>

FortiOS 7.4.4 CLI Reference 720

Fortinet Inc.
set name {string}
set custom {string}
next
end
set enc-algorithm [high-medium|high|...]
set facility [kernel|user|...]
set format [default|csv|...]
set interface {string}
set interface-select-method [auto|sdwan|...]
set max-log-rate {integer}
set mode [udp|legacy-reliable|...]
set port {integer}
set priority [default|low]
set server {string}
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]
set status [enable|disable]
end

config log syslogd3 setting

Parameter Description Type Size Default

certificate Certificate used to communicate with Syslog server. string Maximum

length: 35

enc-algorithm Enable/disable reliable syslogging with TLS encryption. option - disable

Option Description

high-medium SSL communication with high and medium encryption algorithms.

high SSL communication with high encryption algorithms.

low SSL communication with low encryption algorithms.

disable Disable SSL communication.

facility Remote syslog facility. option - local7

default Syslog format.

csv CSV (Comma Separated Values) format.

cef CEF (Common Event Format) format.

rfc5424 Syslog RFC5424 format.

json JSON (JavaScript Object Notation) format.

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

FortiOS 7.4.4 CLI Reference 722

Fortinet Inc.
Parameter Description Type Size Default

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

max-log-rate Syslog maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

mode Remote syslog logging over UDP/Reliable TCP. option - udp

Option Description

udp Enable syslogging over UDP.

legacy-reliable Enable legacy reliable syslogging by RFC3195 (Reliable Delivery for Syslog).

reliable Enable reliable syslogging by RFC6587 (Transmission of Syslog Messages

over TCP).

port Server listen port. integer Minimum 514

value: 0
Maximum
value:
65535

priority Set log transmission priority. option - default

Option Description

default Set Syslog transmission priority to default.

low Set Syslog transmission priority to low.

server Address of remote syslog server. string Maximum

length: 127

source-ip Source IP address of syslog. string Maximum

length: 63

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

FortiOS 7.4.4 CLI Reference 723

Fortinet Inc.
Parameter Description Type Size Default

Option Description

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

status Enable/disable remote syslog logging. option - disable

Option Description

enable Log to remote syslog server.

disable Do not log to remote syslog server.

config custom-field-name

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

name Field name [A-Za-z0-9_]. string Maximum

length: 35

custom Field custom name [A-Za-z0-9_]. string Maximum

length: 35

config log syslogd4 filter

Filters for remote system server.

config log syslogd4 filter
Description: Filters for remote system server.
set anomaly [enable|disable]
set forti-switch [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end

FortiOS 7.4.4 CLI Reference 724

FortiOS 7.4.4 CLI Reference 725

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

FortiOS 7.4.4 CLI Reference 726

Fortinet Inc.
config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

virtual-patch Virtual patch log.

filter Free style filter string. string Maximum

length: 1023

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

FortiOS 7.4.4 CLI Reference 727

Fortinet Inc.
config log syslogd4 override-filter

Override filters for remote system server.

config log syslogd4 override-filter
Description: Override filters for remote system server.
set anomaly [enable|disable]
set forti-switch [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

config log syslogd4 override-filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

forti-switch Enable/disable Forti-Switch logging. option - enable

Option Description

enable Enable Forti-Switch logging.

disable Disable Forti-Switch logging.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

FortiOS 7.4.4 CLI Reference 728

Fortinet Inc.
Parameter Description Type Size Default

gtp * Enable/disable GTP messages logging. option - enable

Option Description

enable Enable GTP messages logging.

disable Disable GTP messages logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

FortiOS 7.4.4 CLI Reference 729

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

FortiOS 7.4.4 CLI Reference 730

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

virtual-patch Virtual patch log.

filter Free style filter string. string Maximum

length: 1023

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log syslogd4 override-setting

Override settings for remote syslog server.

config log syslogd4 override-setting
Description: Override settings for remote syslog server.
set certificate {string}
config custom-field-name
Description: Custom field name for CEF format logging.
edit <id>
set name {string}
set custom {string}
next
end
set enc-algorithm [high-medium|high|...]
set facility [kernel|user|...]
set format [default|csv|...]
set interface {string}
set interface-select-method [auto|sdwan|...]
set max-log-rate {integer}
set mode [udp|legacy-reliable|...]
set port {integer}
set priority [default|low]
set server {string}
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]
set status [enable|disable]
end

FortiOS 7.4.4 CLI Reference 731

Fortinet Inc.
config log syslogd4 override-setting

Parameter Description Type Size Default

certificate Certificate used to communicate with Syslog server. string Maximum

length: 35

enc-algorithm Enable/disable reliable syslogging with TLS encryption. option - disable

Option Description

high-medium SSL communication with high and medium encryption algorithms.

high SSL communication with high encryption algorithms.

low SSL communication with low encryption algorithms.

disable Disable SSL communication.

facility Remote syslog facility. option - local7

Option Description

kernel Kernel messages.

user Random user-level messages.

mail Mail system.

daemon System daemons.

auth Security/authorization messages.

syslog Messages generated internally by syslog.

lpr Line printer subsystem.

news Network news subsystem.

uucp Network news subsystem.

cron Clock daemon.

authpriv Security/authorization messages (private).

ftp FTP daemon.

ntp NTP daemon.

audit Log audit.

alert Log alert.

clock Clock daemon.

local0 Reserved for local use.

local1 Reserved for local use.

FortiOS 7.4.4 CLI Reference 732

Fortinet Inc.
Parameter Description Type Size Default

Option Description

local2 Reserved for local use.

local3 Reserved for local use.

local4 Reserved for local use.

local5 Reserved for local use.

local6 Reserved for local use.

local7 Reserved for local use.

format Log format. option - default

Option Description

default Syslog format.

csv CSV (Comma Separated Values) format.

cef CEF (Common Event Format) format.

rfc5424 Syslog RFC5424 format.

json JSON (JavaScript Object Notation) format.

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

max-log-rate Syslog maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

mode Remote syslog logging over UDP/Reliable TCP. option - udp

Option Description

udp Enable syslogging over UDP.

FortiOS 7.4.4 CLI Reference 733

Fortinet Inc.
Parameter Description Type Size Default

Option Description

legacy-reliable Enable legacy reliable syslogging by RFC3195 (Reliable Delivery for Syslog).

reliable Enable reliable syslogging by RFC6587 (Transmission of Syslog Messages

over TCP).

port Server listen port. integer Minimum 514

value: 0
Maximum
value:
65535

priority Set log transmission priority. option - default

Option Description

default Set Syslog transmission priority to default.

low Set Syslog transmission priority to low.

server Address of remote syslog server. string Maximum

length: 127

source-ip Source IP address of syslog. string Maximum

length: 63

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

FortiOS 7.4.4 CLI Reference 735

Fortinet Inc.
Parameter Description Type Size Default

Option Description

high-medium SSL communication with high and medium encryption algorithms.

high SSL communication with high encryption algorithms.

low SSL communication with low encryption algorithms.

disable Disable SSL communication.

facility Remote syslog facility. option - local7

Option Description

kernel Kernel messages.

user Random user-level messages.

mail Mail system.

daemon System daemons.

auth Security/authorization messages.

syslog Messages generated internally by syslog.

lpr Line printer subsystem.

news Network news subsystem.

uucp Network news subsystem.

cron Clock daemon.

authpriv Security/authorization messages (private).

ftp FTP daemon.

ntp NTP daemon.

audit Log audit.

alert Log alert.

clock Clock daemon.

local0 Reserved for local use.

local1 Reserved for local use.

local2 Reserved for local use.

local3 Reserved for local use.

local4 Reserved for local use.

local5 Reserved for local use.

FortiOS 7.4.4 CLI Reference 736

Fortinet Inc.
Parameter Description Type Size Default

Option Description

local6 Reserved for local use.

local7 Reserved for local use.

format Log format. option - default

Option Description

default Syslog format.

csv CSV (Comma Separated Values) format.

cef CEF (Common Event Format) format.

rfc5424 Syslog RFC5424 format.

json JSON (JavaScript Object Notation) format.

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

max-log-rate Syslog maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

mode Remote syslog logging over UDP/Reliable TCP. option - udp

Option Description

udp Enable syslogging over UDP.

legacy-reliable Enable legacy reliable syslogging by RFC3195 (Reliable Delivery for Syslog).

reliable Enable reliable syslogging by RFC6587 (Transmission of Syslog Messages

over TCP).

FortiOS 7.4.4 CLI Reference 737

Fortinet Inc.
Parameter Description Type Size Default

port Server listen port. integer Minimum 514

value: 0
Maximum
value:
65535

priority Set log transmission priority. option - default

Option Description

default Set Syslog transmission priority to default.

low Set Syslog transmission priority to low.

server Address of remote syslog server. string Maximum

length: 127

source-ip Source IP address of syslog. string Maximum

length: 63

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

status Enable/disable remote syslog logging. option - disable

Option Description

enable Log to remote syslog server.

disable Do not log to remote syslog server.

config custom-field-name

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

FortiOS 7.4.4 CLI Reference 738

Fortinet Inc.
Parameter Description Type Size Default

name Field name [A-Za-z0-9_]. string Maximum

length: 35

custom Field custom name [A-Za-z0-9_]. string Maximum

length: 35

config log syslogd filter

Filters for remote system server.

config log syslogd filter
Description: Filters for remote system server.
set anomaly [enable|disable]
set forti-switch [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

config log syslogd filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

forti-switch Enable/disable Forti-Switch logging. option - enable

Option Description

enable Enable Forti-Switch logging.

disable Disable Forti-Switch logging.

FortiOS 7.4.4 CLI Reference 739

Fortinet Inc.
Parameter Description Type Size Default

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

gtp * Enable/disable GTP messages logging. option - enable

Option Description

enable Enable GTP messages logging.

disable Disable GTP messages logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

FortiOS 7.4.4 CLI Reference 740

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

FortiOS 7.4.4 CLI Reference 741

Fortinet Inc.
Parameter Description Type Size Default

Option Description

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

virtual-patch Virtual patch log.

filter Free style filter string. string Maximum

length: 1023

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log syslogd override-filter

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

FortiOS 7.4.4 CLI Reference 744

Fortinet Inc.
config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

virtual-patch Virtual patch log.

filter Free style filter string. string Maximum

length: 1023

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

FortiOS 7.4.4 CLI Reference 745

Fortinet Inc.
config log syslogd override-setting

Override settings for remote syslog server.

config log syslogd override-setting
Description: Override settings for remote syslog server.
set certificate {string}
config custom-field-name
Description: Custom field name for CEF format logging.
edit <id>
set name {string}
set custom {string}
next
end
set enc-algorithm [high-medium|high|...]
set facility [kernel|user|...]
set format [default|csv|...]
set interface {string}
set interface-select-method [auto|sdwan|...]
set max-log-rate {integer}
set mode [udp|legacy-reliable|...]
set port {integer}
set priority [default|low]
set server {string}
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]
set status [enable|disable]
end

config log syslogd override-setting

Parameter Description Type Size Default

certificate Certificate used to communicate with Syslog server. string Maximum

length: 35

enc-algorithm Enable/disable reliable syslogging with TLS encryption. option - disable

Option Description

high-medium SSL communication with high and medium encryption algorithms.

high SSL communication with high encryption algorithms.

low SSL communication with low encryption algorithms.

disable Disable SSL communication.

facility Remote syslog facility. option - local7

Option Description

kernel Kernel messages.

FortiOS 7.4.4 CLI Reference 746

Fortinet Inc.
Parameter Description Type Size Default

Option Description

user Random user-level messages.

mail Mail system.

daemon System daemons.

auth Security/authorization messages.

syslog Messages generated internally by syslog.

lpr Line printer subsystem.

news Network news subsystem.

uucp Network news subsystem.

cron Clock daemon.

authpriv Security/authorization messages (private).

ftp FTP daemon.

ntp NTP daemon.

audit Log audit.

alert Log alert.

clock Clock daemon.

local0 Reserved for local use.

local1 Reserved for local use.

local2 Reserved for local use.

local3 Reserved for local use.

local4 Reserved for local use.

local5 Reserved for local use.

local6 Reserved for local use.

local7 Reserved for local use.

format Log format. option - default

mode Remote syslog logging over UDP/Reliable TCP. option - udp

Option Description

udp Enable syslogging over UDP.

legacy-reliable Enable legacy reliable syslogging by RFC3195 (Reliable Delivery for Syslog).

reliable Enable reliable syslogging by RFC6587 (Transmission of Syslog Messages

over TCP).

port Server listen port. integer Minimum 514

value: 0
Maximum
value:
65535

priority Set log transmission priority. option - default

Option Description

default Set Syslog transmission priority to default.

low Set Syslog transmission priority to low.

server Address of remote syslog server. string Maximum

length: 127

FortiOS 7.4.4 CLI Reference 748

Fortinet Inc.
Parameter Description Type Size Default

source-ip Source IP address of syslog. string Maximum

length: 63

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

status Enable/disable remote syslog logging. option - disable

Option Description

enable Log to remote syslog server.

disable Do not log to remote syslog server.

config custom-field-name

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

high SSL communication with high encryption algorithms.

low SSL communication with low encryption algorithms.

disable Disable SSL communication.

facility Remote syslog facility. option - local7

default Syslog format.

csv CSV (Comma Separated Values) format.

cef CEF (Common Event Format) format.

rfc5424 Syslog RFC5424 format.

json JSON (JavaScript Object Notation) format.

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

FortiOS 7.4.4 CLI Reference 751

Fortinet Inc.
Parameter Description Type Size Default

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

max-log-rate Syslog maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

mode Remote syslog logging over UDP/Reliable TCP. option - udp

Option Description

udp Enable syslogging over UDP.

legacy-reliable Enable legacy reliable syslogging by RFC3195 (Reliable Delivery for Syslog).

reliable Enable reliable syslogging by RFC6587 (Transmission of Syslog Messages

over TCP).

port Server listen port. integer Minimum 514

value: 0
Maximum
value:
65535

priority Set log transmission priority. option - default

Option Description

default Set Syslog transmission priority to default.

low Set Syslog transmission priority to low.

server Address of remote syslog server. string Maximum

length: 127

source-ip Source IP address of syslog. string Maximum

length: 63

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

FortiOS 7.4.4 CLI Reference 752

Fortinet Inc.
Parameter Description Type Size Default

Option Description

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

status Enable/disable remote syslog logging. option - disable

Option Description

enable Log to remote syslog server.

disable Do not log to remote syslog server.

config custom-field-name

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

name Field name [A-Za-z0-9_]. string Maximum

length: 35

custom Field custom name [A-Za-z0-9_]. string Maximum

length: 35

config log tacacs+accounting2 filter

Settings for TACACS+ accounting events filter.

config log tacacs+accounting2 filter
Description: Settings for TACACS+ accounting events filter.
set cli-cmd-audit [enable|disable]
set config-change-audit [enable|disable]
set login-audit [enable|disable]
end

FortiOS 7.4.4 CLI Reference 753

enable Enable TACACS+ accounting for login events audit.

disable Disable TACACS+ accounting for login events audit.

config log tacacs+accounting2 setting

Settings for TACACS+ accounting.

config log tacacs+accounting2 setting
Description: Settings for TACACS+ accounting.
set interface {string}
set interface-select-method [auto|sdwan|...]
set server {string}
set server-key {password}
set source-ip {string}
set status [enable|disable]
end

config log tacacs+accounting2 setting

Parameter Description Type Size Default

interface Specify outgoing interface to reach server. string Maximum

length: 15

FortiOS 7.4.4 CLI Reference 754

Fortinet Inc.
Parameter Description Type Size Default

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

server Address of TACACS+ server. string Maximum

length: 63

server-key Key to access the TACACS+ server. password Not

Specified

source-ip Source IP address for communication to TACACS+ string Maximum

server. length: 63

status Enable/disable TACACS+ accounting. option - disable

Option Description

enable Enable TACACS+ accounting.

disable Disable TACACS+ accounting.

config log tacacs+accounting3 filter

Settings for TACACS+ accounting events filter.

config log tacacs+accounting3 filter
Description: Settings for TACACS+ accounting events filter.
set cli-cmd-audit [enable|disable]
set config-change-audit [enable|disable]
set login-audit [enable|disable]
end

config log tacacs+accounting3 filter

Parameter Description Type Size Default

cli-cmd-audit Enable/disable TACACS+ accounting for CLI option - disable

commands audit.

Option Description

enable Enable TACACS+ accounting for CLI commands audit.

disable Disable TACACS+ accounting for CLI commands audit.

FortiOS 7.4.4 CLI Reference 755

Fortinet Inc.
Parameter Description Type Size Default

config- Enable/disable TACACS+ accounting for configuration option - enable

change-audit change events audit.

Option Description

enable Enable TACACS+ accounting for configuration change events audit.

disable Disable TACACS+ accounting for configuration change events audit.

login-audit Enable/disable TACACS+ accounting for login events option - enable

audit.

Option Description

enable Enable TACACS+ accounting for login events audit.

disable Disable TACACS+ accounting for login events audit.

config log tacacs+accounting3 setting

Settings for TACACS+ accounting.

config log tacacs+accounting3 setting
Description: Settings for TACACS+ accounting.
set interface {string}
set interface-select-method [auto|sdwan|...]
set server {string}
set server-key {password}
set source-ip {string}
set status [enable|disable]
end

config log tacacs+accounting3 setting

Parameter Description Type Size Default

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

FortiOS 7.4.4 CLI Reference 756

Fortinet Inc.
Parameter Description Type Size Default

server Address of TACACS+ server. string Maximum

length: 63

server-key Key to access the TACACS+ server. password Not

Specified

source-ip Source IP address for communication to TACACS+ string Maximum

server. length: 63

status Enable/disable TACACS+ accounting. option - disable

Option Description

enable Enable TACACS+ accounting.

disable Disable TACACS+ accounting.

config log tacacs+accounting filter

Settings for TACACS+ accounting events filter.

config log tacacs+accounting filter
Description: Settings for TACACS+ accounting events filter.
set cli-cmd-audit [enable|disable]
set config-change-audit [enable|disable]
set login-audit [enable|disable]
end

config log tacacs+accounting filter

Parameter Description Type Size Default

cli-cmd-audit Enable/disable TACACS+ accounting for CLI option - disable

commands audit.

Option Description

enable Enable TACACS+ accounting for CLI commands audit.

disable Disable TACACS+ accounting for CLI commands audit.

config- Enable/disable TACACS+ accounting for configuration option - enable

change-audit change events audit.

Option Description

enable Enable TACACS+ accounting for configuration change events audit.

disable Disable TACACS+ accounting for configuration change events audit.

FortiOS 7.4.4 CLI Reference 757

Fortinet Inc.
Parameter Description Type Size Default

login-audit Enable/disable TACACS+ accounting for login events option - enable

audit.

Option Description

enable Enable TACACS+ accounting for login events audit.

disable Disable TACACS+ accounting for login events audit.

config log tacacs+accounting setting

Settings for TACACS+ accounting.

config log tacacs+accounting setting
Description: Settings for TACACS+ accounting.
set interface {string}
set interface-select-method [auto|sdwan|...]
set server {string}
set server-key {password}
set source-ip {string}
set status [enable|disable]
end

config log tacacs+accounting setting

Parameter Description Type Size Default

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

server Address of TACACS+ server. string Maximum

length: 63

server-key Key to access the TACACS+ server. password Not

Specified

source-ip Source IP address for communication to TACACS+ string Maximum

server. length: 63

status Enable/disable TACACS+ accounting. option - disable

FortiOS 7.4.4 CLI Reference 758

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable TACACS+ accounting.

disable Disable TACACS+ accounting.

config log threat-weight

Configure threat weight settings.

config log threat-weight
Description: Configure threat weight settings.
config application
Description: Application-control threat weight settings.
edit <id>
set category {integer}
set level [disable|low|...]
next
end
set blocked-connection [disable|low|...]
set botnet-connection-detected [disable|low|...]
set failed-connection [disable|low|...]
config geolocation
Description: Geolocation-based threat weight settings.
edit <id>
set country {string}
set level [disable|low|...]
next
end
config ips
Description: IPS threat weight settings.
set info-severity [disable|low|...]
set low-severity [disable|low|...]
set medium-severity [disable|low|...]
set high-severity [disable|low|...]
set critical-severity [disable|low|...]
end
config level
Description: Score mapping for threat weight levels.
set low {integer}
set medium {integer}
set high {integer}
set critical {integer}
end
config malware
Description: Anti-virus malware threat weight settings.
set virus-infected [disable|low|...]
set inline-block [disable|low|...]
set file-blocked [disable|low|...]
set command-blocked [disable|low|...]
set oversized [disable|low|...]
set virus-scan-error [disable|low|...]

FortiOS 7.4.4 CLI Reference 759

Fortinet Inc.
set switch-proto [disable|low|...]
set mimefragmented [disable|low|...]
set virus-file-type-executable [disable|low|...]
set virus-outbreak-prevention [disable|low|...]
set content-disarm [disable|low|...]
set malware-list [disable|low|...]
set ems-threat-feed [disable|low|...]
set fsa-malicious [disable|low|...]
set fsa-high-risk [disable|low|...]
set fsa-medium-risk [disable|low|...]
end
set status [enable|disable]
set url-block-detected [disable|low|...]
config web
Description: Web filtering threat weight settings.
edit <id>
set category {integer}
set level [disable|low|...]
next
end
end

config log threat-weight

Parameter Description Type Size Default

blocked- Threat weight score for blocked connections. option - high

connection

Option Description

disable Disable threat weight scoring for blocked connections.

low Use the low level score for blocked connections.

medium Use the medium level score for blocked connections.

high Use the high level score for blocked connections.

critical Use the critical level score for blocked connections.

botnet- Threat weight score for detected botnet connections. option - critical
connection-
detected

Option Description

disable Disable threat weight scoring for detected botnet connections.

low Use the low level score for detected botnet connections.

medium Use the medium level score for detected botnet connections.

high Use the high level score for detected botnet connections.

critical Use the critical level score for detected botnet connections.

FortiOS 7.4.4 CLI Reference 760

Fortinet Inc.
Parameter Description Type Size Default

failed- Threat weight score for failed connections. option - low

connection

Option Description

disable Disable threat weight scoring for failed connections.

low Use the low level score for failed connections.

medium Use the medium level score for failed connections.

high Use the high level score for failed connections.

critical Use the critical level score for failed connections.

status Enable/disable the threat weight feature. option - enable

Option Description

enable Enable the threat weight feature.

disable Disable the threat weight feature.

url-block- Threat weight score for URL blocking. option - high

detected

Option Description

disable Disable threat weight scoring for URL blocking.

low Use the low level score for URL blocking.

medium Use the medium level score for URL blocking.

high Use the high level score for URL blocking.

critical Use the critical level score for URL blocking.

config application

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

category Application category. integer Minimum 0

value: 0
Maximum
value:
65535

FortiOS 7.4.4 CLI Reference 761

Fortinet Inc.
Parameter Description Type Size Default

level Threat weight score for Application events. option - low

Option Description

disable Disable threat weight scoring for Application events.

low Use the low level score for Application events.

medium Use the medium level score for Application events.

high Use the high level score for Application events.

critical Use the critical level score for Application events.

config geolocation

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

country Country code. string Maximum

length: 2

level Threat weight score for Geolocation-based events. option - low

Option Description

disable Disable threat weight scoring for Geolocation-based events.

low Use the low level score for Geolocation-based events.

medium Use the medium level score for Geolocation-based events.

high Use the high level score for Geolocation-based events.

critical Use the critical level score for Geolocation-based events.

config ips

Parameter Description Type Size Default

info-severity Threat weight score for IPS info severity events. option - disable

Option Description

disable Disable threat weight scoring for IPS info severity events.

low Use the low level score for IPS info severity events.

FortiOS 7.4.4 CLI Reference 762

Fortinet Inc.
Parameter Description Type Size Default

Option Description

medium Use the medium level score for IPS info severity events.

high Use the high level score for IPS info severity events.

critical Use the critical level score for IPS info severity events.

low-severity Threat weight score for IPS low severity events. option - low

Option Description

disable Disable threat weight scoring for IPS low severity events.

low Use the low level score for IPS low severity events.

medium Use the medium level score for IPS low severity events.

high Use the high level score for IPS low severity events.

critical Use the critical level score for IPS low severity events.

medium- Threat weight score for IPS medium severity events. option - medium
severity

Option Description

disable Disable threat weight scoring for IPS medium severity events.

low Use the low level score for IPS medium severity events.

medium Use the medium level score for IPS medium severity events.

high Use the high level score for IPS medium severity events.

critical Use the critical level score for IPS medium severity events.

high-severity Threat weight score for IPS high severity events. option - high

Option Description

disable Disable threat weight scoring for IPS high severity events.

low Use the low level score for IPS high severity events.

medium Use the medium level score for IPS high severity events.

high Use the high level score for IPS high severity events.

critical Use the critical level score for IPS high severity events.

critical- Threat weight score for IPS critical severity events. option - critical
severity

FortiOS 7.4.4 CLI Reference 763

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable threat weight scoring for IPS critical severity events.

low Use the low level score for IPS critical severity events.

medium Use the medium level score for IPS critical severity events.

high Use the high level score for IPS critical severity events.

critical Use the critical level score for IPS critical severity events.

config level

Parameter Description Type Size Default

low Low level score value. integer Minimum 5

value: 1
Maximum
value: 100

medium Medium level score value. integer Minimum 10

value: 1
Maximum
value: 100

high High level score value. integer Minimum 30

value: 1
Maximum
value: 100

critical Critical level score value. integer Minimum 50

value: 1
Maximum
value: 100

config malware

Parameter Description Type Size Default

virus-infected Threat weight score for virus (infected) detected. option - critical

Option Description

disable Disable threat weight scoring for virus (infected) detected.

low Use the low level score for virus (infected) detected.

medium Use the medium level score for virus (infected) detected.

high Use the high level score for virus (infected) detected.

FortiOS 7.4.4 CLI Reference 764

Fortinet Inc.
Parameter Description Type Size Default

Option Description

critical Use the critical level score for virus (infected) detected.

inline-block Threat weight score for malware detected by inline option - critical
block.

Option Description

disable Disable threat weight scoring for virus detected by inline block.

low Use the low level score for virus detected by inline block.

medium Use the medium level score for virus detected by inline block.

high Use the high level score for virus detected by inline block.

critical Use the critical level score for virus detected by inline block.

file-blocked Threat weight score for blocked file detected. option - low

Option Description

disable Disable threat weight scoring for blocked file detected.

low Use the low level score for blocked file detected.

medium Use the medium level score for blocked file detected.

high Use the high level score for blocked file detected.

critical Use the critical level score for blocked file detected.

command-blocked Threat weight score for blocked command detected. option - disable

Option Description

disable Disable threat weight scoring for blocked command detected.

low Use the low level score for blocked command detected.

medium Use the medium level score for blocked command detected.

high Use the high level score for blocked command detected.

critical Use the critical level score for blocked command detected.

oversized Threat weight score for oversized file detected. option - disable

Option Description

disable Disable threat weight scoring for oversized file detected.

low Use the low level score for oversized file detected.

FortiOS 7.4.4 CLI Reference 765

Fortinet Inc.
Parameter Description Type Size Default

Option Description

medium Use the medium level score for oversized file detected.

high Use the high level score for oversized file detected.

critical Use the critical level score for oversized file detected.

virus-scan-error Threat weight score for virus (scan error) detected. option - high

Option Description

disable Disable threat weight scoring for virus (scan error) detected.

low Use the low level score for virus (scan error) detected.

medium Use the medium level score for virus (scan error) detected.

high Use the high level score for virus (scan error) detected.

critical Use the critical level score for virus (scan error) detected.

switch-proto Threat weight score for switch proto detected. option - disable

Option Description

disable Disable threat weight scoring for switch proto detected.

low Use the low level score for switch proto detected.

medium Use the medium level score for switch proto detected.

high Use the high level score for switch proto detected.

critical Use the critical level score for switch proto detected.

mimefragmented Threat weight score for mimefragmented detected. option - disable

Option Description

disable Disable threat weight scoring for mimefragmented detected.

low Use the low level score for mimefragmented detected.

medium Use the medium level score for mimefragmented detected.

high Use the high level score for mimefragmented detected.

critical Use the critical level score for mimefragmented detected.

virus-file-type- Threat weight score for virus (file type executable) option - medium
executable detected.

FortiOS 7.4.4 CLI Reference 766

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable threat weight scoring for virus (filetype executable) detected.

low Use the low level score for virus (filetype executable) detected.

medium Use the medium level score for virus (filetype executable) detected.

high Use the high level score for virus (filetype executable) detected.

critical Use the critical level score for virus (filetype executable) detected.

virus-outbreak- Threat weight score for virus (outbreak prevention) option - critical
prevention event.

Option Description

disable Disable threat weight scoring for virus (outbreak prevention) event.

low Use the low level score for virus (outbreak prevention) event.

medium Use the medium level score for virus (outbreak prevention) event.

high Use the high level score for virus (outbreak prevention) event.

critical Use the critical level score for virus (outbreak prevention) event.

content-disarm Threat weight score for virus (content disarm) option - medium
detected.

Option Description

disable Disable threat weight scoring for virus (content disarm) detected.

low Use the low level score for virus (content disarm) detected.

medium Use the medium level score for virus (content disarm) detected.

high Use the high level score for virus (content disarm) detected.

critical Use the critical level score for virus (content disarm) detected.

malware-list Threat weight score for virus (malware list) detected. option - medium

Option Description

disable Disable threat weight scoring for virus (malware list) detected.

low Use the low level score for virus (malware list) detected.

medium Use the medium level score for virus (malware list) detected.

high Use the high level score for virus (malware list) detected.

critical Use the critical level score for virus (malware list) detected.

FortiOS 7.4.4 CLI Reference 767

Fortinet Inc.
Parameter Description Type Size Default

ems-threat-feed Threat weight score for virus (EMS threat feed) option - medium
detected.

Option Description

disable Disable threat weight scoring for virus (EMS threat feed) detected.

low Use the low level score for virus (EMS threat feed) detected.

medium Use the medium level score for virus (EMS threat feed) detected.

high Use the high level score for virus (EMS threat feed) detected.

critical Use the critical level score for virus (EMS threat feed) detected.

fsa-malicious Threat weight score for FortiSandbox malicious option - critical

malware detected.

Option Description

disable Disable threat weight scoring for FortiSandbox malicious malware

detected.

low Use the low level score for FortiSandbox malicious malware detected.

medium Use the medium level score for FortiSandbox malicious malware
detected.

high Use the high level score for FortiSandbox malicious malware detected.

critical Use the critical level score for FortiSandbox malicious malware detected.

fsa-high-risk Threat weight score for FortiSandbox high risk option - high
malware detected.

Option Description

disable Disable threat weight scoring for FortiSandbox high risk malware
detected.

low Use the low level score for FortiSandbox high risk malware detected.

medium Use the medium level score for FortiSandbox high risk malware detected.

high Use the high level score for FortiSandbox high risk malware detected.

critical Use the critical level score for FortiSandbox high risk malware detected.

fsa-medium-risk Threat weight score for FortiSandbox medium risk option - medium
malware detected.

FortiOS 7.4.4 CLI Reference 768

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable threat weight scoring for FortiSandbox medium risk malware
detected.

low Use the low level score for FortiSandbox medium risk malware detected.

medium Use the medium level score for FortiSandbox medium risk malware
detected.

high Use the high level score for FortiSandbox medium risk malware detected.

critical Use the critical level score for FortiSandbox medium risk malware
detected.

config web

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

category Threat weight score for web category filtering matches. integer Minimum 0
value: 0
Maximum
value: 255

level Threat weight score for web category filtering matches. option - low

Option Description

disable Disable threat weight scoring for web category filtering matches.

low Use the low level score for web category filtering matches.

medium Use the medium level score for web category filtering matches.

high Use the high level score for web category filtering matches.

critical Use the critical level score for web category filtering matches.

config log webtrends filter

Filters for WebTrends.

config log webtrends filter
Description: Filters for WebTrends.
set anomaly [enable|disable]
set forti-switch [enable|disable]
set forward-traffic [enable|disable]

FortiOS 7.4.4 CLI Reference 769

Fortinet Inc.
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

config log webtrends filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

forti-switch Enable/disable Forti-Switch logging. option - enable

Option Description

enable Enable Forti-Switch logging.

disable Disable Forti-Switch logging.

forward-traffic Enable/disable forward traffic logging. option - enable

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

virtual-patch Virtual patch log.

FortiOS 7.4.4 CLI Reference 772

Fortinet Inc.
Parameter Description Type Size Default

filter Free style filter string. string Maximum

length: 1023

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log webtrends setting

Settings for WebTrends.

config log webtrends setting
Description: Settings for WebTrends.
set server {string}
set status [enable|disable]
end

config log webtrends setting

Parameter Description Type Size Default

server Address of the remote WebTrends server. string Maximum

length: 63

status Enable/disable logging to WebTrends. option - disable

Option Description

enable Enable logging to WebTrends.

disable Disble logging to WebTrends.

FortiOS 7.4.4 CLI Reference 773

Fortinet Inc.
monitoring

This section includes syntax for the following commands:

l config monitoring np6-ipsec-engine on page 774
l config monitoring npu-hpe on page 775

config monitoring np6-ipsec-engine

This command is available for model(s): FortiGate 1000D, FortiGate 1100E, FortiGate 1101E,
FortiGate 2000E, FortiGate 2200E, FortiGate 2201E, FortiGate 2500E, FortiGate 3000D,
FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3300E,
FortiGate 3301E, FortiGate 3400E, FortiGate 3401E, FortiGate 3600E, FortiGate 3601E,
FortiGate 3700D, FortiGate 3960E, FortiGate 3980E, FortiGate 400E Bypass, FortiGate
400E, FortiGate 401E, FortiGate 5001E1, FortiGate 5001E, FortiGate 500E, FortiGate 501E,
FortiGate 600E, FortiGate 601E, FortiGate 800D, FortiGate 900D.
It is not available for: FortiGate 1000F, FortiGate 1001F, FortiGate 100F, FortiGate 101F,
FortiGate 140E-POE, FortiGate 140E, FortiGate 1800F, FortiGate 1801F, FortiGate 200E,
FortiGate 200F, FortiGate 201E, FortiGate 201F, FortiGate 2600F, FortiGate 2601F,
FortiGate 3000F, FortiGate 3001F, FortiGate 3200F, FortiGate 3201F, FortiGate 3500F,
FortiGate 3501F, FortiGate 3700F, FortiGate 3701F, FortiGate 400F, FortiGate 401F,
FortiGate 40F 3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F,
FortiGate 4401F, FortiGate 600F, FortiGate 601F, FortiGate 60E DSLJ, FortiGate 60E DSL,
FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E, FortiGate 61F, FortiGate
70F, FortiGate 71F, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F Bypass, FortiGate
80F-POE, FortiGate 80F, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE, FortiGate
81F, FortiGate 90E, FortiGate 91E, FortiGate VM64, FortiGateRugged 60F 3G4G,
FortiGateRugged 60F, FortiGateRugged 70F 3G4G, FortiGateRugged 70F, FortiWiFi 40F
3G4G, FortiWiFi 40F, FortiWiFi 60E DSLJ, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 60F,
FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F
2R-POE, FortiWiFi 81F 2R.

Configure NP6 IPsec engine status monitoring.

config monitoring np6-ipsec-engine
Description: Configure NP6 IPsec engine status monitoring.
set interval {integer}
set status [enable|disable]
set threshold {user}
end

FortiOS 7.4.4 CLI Reference 774

Fortinet Inc.
config monitoring np6-ipsec-engine

Parameter Description Type Size Default

interval IPsec engine status check interval. integer Minimum 1

value: 1
Maximum
value: 60

status Enable/disable NP6 IPsec engine status monitoring. option - disable

Option Description

enable Enable setting.

disable Disable setting.

threshold IPsec engine status check threshold. Example: Log is user Not
generated if IPsec engine 0 is busy each of every 15 Specified
consecutive interval checks.

config monitoring npu-hpe

This command is available for model(s): FortiGate 1000D, FortiGate 1000F, FortiGate 1001F,
FortiGate 100F, FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 1800F,
FortiGate 1801F, FortiGate 2000E, FortiGate 200F, FortiGate 201F, FortiGate 2200E,
FortiGate 2201E, FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000D,
FortiGate 3000F, FortiGate 3001F, FortiGate 300E, FortiGate 301E, FortiGate 3100D,
FortiGate 3200D, FortiGate 3200F, FortiGate 3201F, FortiGate 3300E, FortiGate 3301E,
FortiGate 3400E, FortiGate 3401E, FortiGate 3500F, FortiGate 3501F, FortiGate 3600E,
FortiGate 3601E, FortiGate 3700D, FortiGate 3700F, FortiGate 3701F, FortiGate 3960E,
FortiGate 3980E, FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E,
FortiGate 401F, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4201F,
FortiGate 4400F, FortiGate 4401F, FortiGate 5001E1, FortiGate 5001E, FortiGate 500E,
FortiGate 501E, FortiGate 600E, FortiGate 600F, FortiGate 601E, FortiGate 601F, FortiGate
60F, FortiGate 61F, FortiGate 70F, FortiGate 71F, FortiGate 800D, FortiGate 80F Bypass,
FortiGate 80F-POE, FortiGate 80F, FortiGate 81F-POE, FortiGate 81F, FortiGate 900D,
FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiGateRugged 70F 3G4G,
FortiGateRugged 70F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60F, FortiWiFi 61F,
FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.
It is not available for: FortiGate 140E-POE, FortiGate 140E, FortiGate 200E, FortiGate 201E,
FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 61E,
FortiGate 80E-POE, FortiGate 80E, FortiGate 81E-POE, FortiGate 81E, FortiGate 90E,
FortiGate 91E, FortiGate VM64, FortiWiFi 60E DSLJ, FortiWiFi 60E DSL, FortiWiFi 60E,
FortiWiFi 61E.

Configure npu-hpe status monitoring.

config monitoring npu-hpe
Description: Configure npu-hpe status monitoring.

FortiOS 7.4.4 CLI Reference 775

Fortinet Inc.
set interval {integer}
set multipliers {user}
set status [enable|disable]
end

config monitoring npu-hpe

Parameter Description Type Size Default

interval HPE status check interval. integer Minimum 1

value: 1
Maximum
value: 60

multipliers HPE type interval multipliers. An event log is generated user Not
after every (interval * multiplier)seconds as configured Specified
for any HPE type when drops occur for that HPE type.
An attack log is generated after every (4 * multiplier)
number of continuous event logs.

status Enable/disable HPE status monitoring. option - disable

Option Description

enable Enable setting.

disable Disable setting.

FortiOS 7.4.4 CLI Reference 776

Fortinet Inc.
nsxt

This section includes syntax for the following commands:

l config nsxt service-chain on page 777
l config nsxt setting on page 779

config nsxt service-chain

This command is available for model(s): FortiGate VM64.

Configure NSX-T service chain.

config nsxt service-chain
Description: Configure NSX-T service chain.
edit <id>
set name {string}
config service-index
Description: Configure service index.
edit <id>
set reverse-index {integer}
set name {string}
set vd {string}
next
end

FortiOS 7.4.4 CLI Reference 777

Fortinet Inc.
next
end

config nsxt service-chain

Parameter Description Type Size Default

id Chain ID. integer Minimum 0

value: 0
Maximum
value: 1023

name Chain name. string Maximum

length: 63

config service-index

Parameter Description Type Size Default

id Service index. integer Minimum 0

value: 0
Maximum
value: 255

reverse-index Reverse service index. integer Minimum 1

value: 1
Maximum
value: 255

name Index name. string Maximum

length: 63

vd VDOM name. string Maximum

length: 31

FortiOS 7.4.4 CLI Reference 778

Fortinet Inc.
config nsxt setting

This command is available for model(s): FortiGate VM64.

Configure NSX-T setting.

config nsxt setting
Description: Configure NSX-T setting.
set liveness [enable|disable]
set service {string}
end

config nsxt setting

Parameter Description Type Size Default

liveness Enable/disable liveness detection packet forwarding. option - disable

Option Description

enable Enable liveness detection packet forwarding.

disable Disable liveness detection packet forwarding.

service Service name. string Maximum

length: 63

FortiOS 7.4.4 CLI Reference 779

Fortinet Inc.
report

This section includes syntax for the following commands:

l config report layout on page 780
l config report setting on page 789

config report layout

This command is available for model(s): FortiGate 1000D, FortiGate 1001F, FortiGate 101F,
FortiGate 1101E, FortiGate 1801F, FortiGate 2000E, FortiGate 201E, FortiGate 201F,
FortiGate 2201E, FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000D,
FortiGate 3001F, FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3201F,
FortiGate 3301E, FortiGate 3401E, FortiGate 3501F, FortiGate 3601E, FortiGate 3700D,
FortiGate 3701F, FortiGate 401E, FortiGate 401F, FortiGate 4201F, FortiGate 4401F,
FortiGate 5001E1, FortiGate 501E, FortiGate 601E, FortiGate 601F, FortiGate 61E, FortiGate
61F, FortiGate 71F, FortiGate 800D, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE,
FortiGate 81F, FortiGate 900D, FortiGate 91E, FortiGate VM64, FortiGateRugged 70F 3G4G,
FortiGateRugged 70F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi
81F 2R-POE, FortiWiFi 81F 2R.
It is not available for: FortiGate 1000F, FortiGate 100F, FortiGate 1100E, FortiGate 140E-
POE, FortiGate 140E, FortiGate 1800F, FortiGate 200E, FortiGate 200F, FortiGate 2200E,
FortiGate 3000F, FortiGate 300E, FortiGate 3200F, FortiGate 3300E, FortiGate 3400E,
FortiGate 3500F, FortiGate 3600E, FortiGate 3700F, FortiGate 3960E, FortiGate 3980E,
FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 40F 3G4G, FortiGate 40F,
FortiGate 4200F, FortiGate 4400F, FortiGate 5001E, FortiGate 500E, FortiGate 600E,
FortiGate 600F, FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E,
FortiGate 60F, FortiGate 70F, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F Bypass,
FortiGate 80F-POE, FortiGate 80F, FortiGate 90E, FortiGateRugged 60F 3G4G,
FortiGateRugged 60F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSLJ, FortiWiFi 60E
DSL, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi 80F 2R.

Report layout configuration.

config report layout
Description: Report layout configuration.
edit <name>
config body-item
Description: Configure report body item.
edit <id>
set description {string}
set type [text|image|...]
set style {string}
set top-n {integer}
config parameters
Description: Parameters.
edit <id>

FortiOS 7.4.4 CLI Reference 780

Fortinet Inc.
set name {string}
set value {string}
next
end
set text-component [text|heading1|...]
set content {string}
set img-src {string}
set chart {string}
set chart-options {option1}, {option2}, ...
set misc-component [hline|page-break|...]
set title {string}
next
end
set cutoff-option [run-time|custom]
set cutoff-time {user}
set day [sunday|monday|...]
set description {string}
set email-recipients {string}
set email-send [enable|disable]
set format {option1}, {option2}, ...
set max-pdf-report {integer}
set options {option1}, {option2}, ...
config page
Description: Configure report page.
set paper [a4|letter]
set column-break-before {option1}, {option2}, ...
set page-break-before {option1}, {option2}, ...
set options {option1}, {option2}, ...
config header
Description: Configure report page header.
set style {string}
config header-item
Description: Configure report header item.
edit <id>
set description {string}
set type [text|image]
set style {string}
set content {string}
set img-src {string}
next
end
end
config footer
Description: Configure report page footer.
set style {string}
config footer-item
Description: Configure report footer item.
edit <id>
set description {string}
set type [text|image]
set style {string}
set content {string}
set img-src {string}
next
end
end

FortiOS 7.4.4 CLI Reference 781

Fortinet Inc.
end
set schedule-type [demand|daily|...]
set style-theme {string}
set subtitle {string}
set time {user}
set title {string}
next
end

config report layout

Parameter Description Type Size Default

cutoff-option Cutoff-option is either run-time or custom. option - run-time

Option Description

run-time Run time.

custom Custom.

cutoff-time Custom cutoff time to generate report (format = user Not

hh:mm). Specified

day Schedule days of week to generate report. option - sunday

Option Description

sunday Sunday.

monday Monday.

tuesday Tuesday.

wednesday Wednesday.

thursday Thursday.

friday Friday.

saturday Saturday.

description Description. string Maximum

length: 127

email- Email recipients for generated reports. string Maximum

recipients length: 511

email-send Enable/disable sending emails after reports are option - disable

generated.

Option Description

enable Enable sending emails after generating reports.

disable Disable sending emails after generating reports.

FortiOS 7.4.4 CLI Reference 782

Fortinet Inc.
Parameter Description Type Size Default

format Report format. option - pdf

Option Description

pdf PDF.

max-pdf- Maximum number of PDF reports to keep at one time integer Minimum 31
report (oldest report is overwritten). value: 1
Maximum
value: 365

name Report layout name. string Maximum

length: 35

options Report layout options. option - include-table-

of-content
auto-
numbering-
heading view-
chart-as-
heading

Option Description

include-table-of- Include table of content in the report.

content

auto-numbering- Prepend heading with auto numbering.

heading

view-chart-as- Auto add heading for each chart.

heading

show-html- Show HTML navigation bar before each heading.

navbar-before-
heading

dummy-option Use this option if you need none of the above options.

schedule-type Report schedule type. option - daily

Option Description

demand Run on demand.

daily Schedule daily.

weekly Schedule weekly.

style-theme Report style theme. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 783

Fortinet Inc.
Parameter Description Type Size Default

subtitle Report subtitle. string Maximum

length: 127

time Schedule time to generate report (format = hh:mm). user Not

Specified

title Report title. string Maximum

length: 127

config body-item

Parameter Description Type Size Default

id Report item ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

description Description. string Maximum

length: 63

type Report item type. option - text

Option Description

text Text.

image Image.

chart Chart.

misc Miscellaneous.

style Report item style. string Maximum

length: 71

top-n Value of top. integer Minimum 0

value: 0
Maximum
value:
4294967295

text- Report item text component. option - text

component

Option Description

text Normal text.

heading1 Heading 1.

FortiOS 7.4.4 CLI Reference 784

Fortinet Inc.
Parameter Description Type Size Default

Option Description

heading2 Heading 2.

heading3 Heading 3.

content Report item text content. string Maximum

length: 511

img-src Report item image file name. string Maximum

length: 127

chart Report item chart name. string Maximum

length: 71

chart-options Report chart options. option - include-no-

data hide-
title show-
caption

Option Description

include-no-data Include chart with no data.

hide-title Hide chart title.

show-caption Show chart caption.

misc- Report item miscellaneous component. option - hline

component

Option Description

hline Horizontal line.

page-break Page break.

column-break Column break.

section-start Section start.

title Report section title. string Maximum

length: 511

config parameters

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 785

Fortinet Inc.
Parameter Description Type Size Default

name Field name that match field of parameters defined in string Maximum
dataset. length: 127

value Value to replace corresponding field of parameters string Maximum

defined in dataset. length: 1023

config page

Parameter Description Type Size Default

paper Report page paper. option - a4

Option Description

a4 A4 paper.

letter Letter paper.

column- Report page auto column break before heading. option -

break-before

Option Description

heading1 Column break before heading 1.

heading2 Column break before heading 2.

heading3 Column break before heading 3.

page-break- Report page auto page break before heading. option -

before

Option Description

heading1 Page break before heading 1.

heading2 Page break before heading 2.

heading3 Page break before heading 3.

options Report page options. option -

Option Description

header-on-first- Show header on first page.

page

footer-on-first- Show footer on first page.

page

FortiOS 7.4.4 CLI Reference 786

Fortinet Inc.
config header

Parameter Description Type Size Default

Parameter Description Type Size Default

id Report item ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

description Description. string Maximum

length: 63

type Report item type. option - text

Option Description

text Text.

image Image.

style Report item style. string Maximum

length: 71

content Report item text content. string Maximum

length: 511

img-src Report item image file name. string Maximum

length: 127

FortiOS 7.4.4 CLI Reference 788

Fortinet Inc.
config report setting

This command is available for model(s): FortiGate 1000D, FortiGate 1001F, FortiGate 101F,
FortiGate 1101E, FortiGate 1801F, FortiGate 2000E, FortiGate 201E, FortiGate 201F,
FortiGate 2201E, FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000D,
FortiGate 3001F, FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3201F,
FortiGate 3301E, FortiGate 3401E, FortiGate 3501F, FortiGate 3601E, FortiGate 3700D,
FortiGate 3701F, FortiGate 401E, FortiGate 401F, FortiGate 4201F, FortiGate 4401F,
FortiGate 5001E1, FortiGate 501E, FortiGate 601E, FortiGate 601F, FortiGate 61E, FortiGate
61F, FortiGate 71F, FortiGate 800D, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE,
FortiGate 81F, FortiGate 900D, FortiGate 91E, FortiGate VM64, FortiGateRugged 70F 3G4G,
FortiGateRugged 70F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi
81F 2R-POE, FortiWiFi 81F 2R.
It is not available for: FortiGate 1000F, FortiGate 100F, FortiGate 1100E, FortiGate 140E-
POE, FortiGate 140E, FortiGate 1800F, FortiGate 200E, FortiGate 200F, FortiGate 2200E,
FortiGate 3000F, FortiGate 300E, FortiGate 3200F, FortiGate 3300E, FortiGate 3400E,
FortiGate 3500F, FortiGate 3600E, FortiGate 3700F, FortiGate 3960E, FortiGate 3980E,
FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 40F 3G4G, FortiGate 40F,
FortiGate 4200F, FortiGate 4400F, FortiGate 5001E, FortiGate 500E, FortiGate 600E,
FortiGate 600F, FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E,
FortiGate 60F, FortiGate 70F, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F Bypass,
FortiGate 80F-POE, FortiGate 80F, FortiGate 90E, FortiGateRugged 60F 3G4G,
FortiGateRugged 60F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSLJ, FortiWiFi 60E
DSL, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi 80F 2R.

Report setting configuration.

config report setting
Description: Report setting configuration.
set fortiview [enable|disable]
set pdf-report [enable|disable]
set report-source {option1}, {option2}, ...
set top-n {integer}
set web-browsing-threshold {integer}
end

config report setting

Parameter Description Type Size Default

fortiview Enable/disable historical FortiView. option - enable **

Option Description

enable Enable historical FortiView.

disable Disable historical FortiView.

pdf-report Enable/disable PDF report. option - enable **

FortiOS 7.4.4 CLI Reference 789

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable PDF report.

disable Disable PDF report.

report-source Report log source. option - forward-

traffic

Option Description

forward-traffic Report includes forward traffic logs.

sniffer-traffic Report includes sniffer traffic logs.

local-deny-traffic Report includes local deny traffic logs.

top-n Number of items to populate. integer Minimum 1000

value: 1000
Maximum
value:
20000

web- Web browsing time calculation threshold. integer Minimum 3

browsing- value: 3
threshold Maximum
value: 15

** Values may differ between models.

FortiOS 7.4.4 CLI Reference 790

Fortinet Inc.
router

This section includes syntax for the following commands:

l config router access-list on page 791
l config router access-list6 on page 792
l config router aspath-list on page 794
l config router auth-path on page 795
l config router bfd on page 795
l config router bfd6 on page 797
l config router bgp on page 798
l config router community-list on page 861
l config router extcommunity-list on page 862
l config router isis on page 863
l config router key-chain on page 877
l config router multicast-flow on page 878
l config router multicast on page 879
l config router multicast6 on page 888
l config router ospf on page 890
l config router ospf6 on page 907
l config router policy on page 922
l config router policy6 on page 925
l config router prefix-list on page 928
l config router prefix-list6 on page 929
l config router rip on page 930
l config router ripng on page 937
l config router route-map on page 943
l config router setting on page 949
l config router static on page 950
l config router static6 on page 953

config router access-list

Configure access lists.

config router access-list
Description: Configure access lists.
edit <name>
set comments {string}
config rule
Description: Rule.
edit <id>
set action [permit|deny]

FortiOS 7.4.4 CLI Reference 791

Fortinet Inc.
set prefix {user}
set wildcard {user}
set exact-match [enable|disable]
next
end
next
end

config router access-list

Parameter Description Type Size Default

comments Comment. string Maximum

length: 127

name Name. string Maximum

length: 35

config rule

Parameter Description Type Size Default

id Rule ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

action Permit or deny this IP address and netmask prefix. option - permit

Option Description

permit Permit or allow this IP address and netmask prefix.

deny Deny this IP address and netmask prefix.

prefix IPv4 prefix to define regular filter criteria, such as user Not Specified
"any" or subnets.

wildcard Wildcard to define Cisco-style wildcard filter criteria. user Not Specified

exact-match Enable/disable exact match. option - disable

Option Description

enable Enable exact match.

disable Disable exact match.

config router access-list6

Configure IPv6 access lists.

FortiOS 7.4.4 CLI Reference 792

Fortinet Inc.
config router access-list6
Description: Configure IPv6 access lists.
edit <name>
set comments {string}
config rule
Description: Rule.
edit <id>
set action [permit|deny]
set prefix6 {user}
set exact-match [enable|disable]
set flags {integer}
next
end
next
end

config router access-list6

Parameter Description Type Size Default

comments Comment. string Maximum

length: 127

name Name. string Maximum

length: 35

config rule

Parameter Description Type Size Default

id Rule ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

action Permit or deny this IP address and netmask prefix. option - permit

Option Description

permit Permit or allow this IP address and netmask prefix.

deny Deny this IP address and netmask prefix.

prefix6 IPv6 prefix to define regular filter criteria, such as user Not Specified
"any" or subnets.

exact-match Enable/disable exact prefix match. option - disable

Option Description

enable Enable exact match.

disable Disable exact match.

FortiOS 7.4.4 CLI Reference 793

Fortinet Inc.
Parameter Description Type Size Default

flags Flags. integer Minimum 0

value: 0
Maximum
value:
4294967295

config router aspath-list

Configure Autonomous System (AS) path lists.

config router aspath-list
Description: Configure Autonomous System (AS) path lists.
edit <name>
config rule
Description: AS path list rule.
edit <id>
set action [deny|permit]
set regexp {string}
next
end
next
end

config router aspath-list

Parameter Description Type Size Default

name AS path list name. string Maximum

length: 35

config rule

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

action Permit or deny route-based operations, based on the option -

route's AS_PATH attribute.

Option Description

deny Deny route-based operations.

permit Permit route-based operations.

FortiOS 7.4.4 CLI Reference 794

Fortinet Inc.
Parameter Description Type Size Default

regexp Regular-expression to match the Border Gateway string Maximum

Protocol (BGP) AS paths. length: 63

config router auth-path

Configure authentication based routing.

config router auth-path
Description: Configure authentication based routing.
edit <name>
set device {string}
set gateway {ipv4-address}
next
end

config router auth-path

Parameter Description Type Size Default

device Outgoing interface. string Maximum

length: 35

gateway Gateway IP address. ipv4- Not 0.0.0.0

address Specified

name Name of the entry. string Maximum

length: 15

config router bfd

Configure BFD.
config router bfd
Description: Configure BFD.
config multihop-template
Description: BFD multi-hop template table.
edit <id>
set src {ipv4-classnet}
set dst {ipv4-classnet}
set bfd-desired-min-tx {integer}
set bfd-required-min-rx {integer}
set bfd-detect-mult {integer}
set auth-mode [none|md5]
set md5-key {password}
next
end
config neighbor
Description: Neighbor.
edit <ip>

FortiOS 7.4.4 CLI Reference 795

Fortinet Inc.
set interface {string}
next
end
end

config multihop-template

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

src Source prefix. ipv4- Not Specified 0.0.0.0

classnet 0.0.0.0

dst Destination prefix. ipv4- Not Specified 0.0.0.0

classnet 0.0.0.0

bfd-desired- BFD desired minimal transmit interval (milliseconds). integer Minimum 250
min-tx value: 100
Maximum
value: 30000

bfd-required- BFD required minimal receive interval (milliseconds). integer Minimum 250
min-rx value: 100
Maximum
value: 30000

bfd-detect- BFD detection multiplier. integer Minimum 3

mult value: 3
Maximum
value: 50

auth-mode Authentication mode. option - none

Option Description

none None.

md5 Meticulous MD5 mode.

md5-key MD5 key of key ID 1. password Not Specified

config neighbor

Parameter Description Type Size Default

ip IPv4 address of the BFD neighbor. ipv4- Not 0.0.0.0

address Specified

interface Interface name. string Maximum

length: 15

FortiOS 7.4.4 CLI Reference 796

Fortinet Inc.
config router bfd6

Configure IPv6 BFD.

config router bfd6
Description: Configure IPv6 BFD.
config multihop-template
Description: BFD IPv6 multi-hop template table.
edit <id>
set src {ipv6-network}
set dst {ipv6-network}
set bfd-desired-min-tx {integer}
set bfd-required-min-rx {integer}
set bfd-detect-mult {integer}
set auth-mode [none|md5]
set md5-key {password}
next
end
config neighbor
Description: Configure neighbor of IPv6 BFD.
edit <ip6-address>
set interface {string}
next
end
end

config multihop-template

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

src Source prefix. ipv6- Not Specified ::/0

network

dst Destination prefix. ipv6- Not Specified ::/0

network

bfd-desired- BFD desired minimal transmit interval (milliseconds). integer Minimum 250
min-tx value: 100
Maximum
value: 30000

bfd-required- BFD required minimal receive interval (milliseconds). integer Minimum 250
min-rx value: 100
Maximum
value: 30000

FortiOS 7.4.4 CLI Reference 797

Fortinet Inc.
Parameter Description Type Size Default

bfd-detect- BFD detection multiplier. integer Minimum 3

mult value: 3
Maximum
value: 50

auth-mode Authentication mode. option - none

Option Description

none None.

md5 Meticulous MD5 mode.

md5-key MD5 key of key ID 1. password Not Specified

config neighbor

Parameter Description Type Size Default

ip6-address IPv6 address of the BFD neighbor. ipv6- Not ::

address Specified

interface Interface to the BFD neighbor. string Maximum

length: 15

config router bgp

Configure BGP.
config router bgp
Description: Configure BGP.
set additional-path [enable|disable]
set additional-path-select {integer}
set additional-path-select-vpnv4 {integer}
set additional-path-select-vpnv6 {integer}
set additional-path-select6 {integer}
set additional-path-vpnv4 [enable|disable]
set additional-path-vpnv6 [enable|disable]
set additional-path6 [enable|disable]
config admin-distance
Description: Administrative distance modifications.
edit <id>
set neighbour-prefix {ipv4-classnet}
set route-list {string}
set distance {integer}
next
end
config aggregate-address
Description: BGP aggregate address table.
edit <id>
set prefix {ipv4-classnet-any}
set as-set [enable|disable]

FortiOS 7.4.4 CLI Reference 798

Fortinet Inc.
set summary-only [enable|disable]
next
end
config aggregate-address6
Description: BGP IPv6 aggregate address table.
edit <id>
set prefix6 {ipv6-prefix}
set as-set [enable|disable]
set summary-only [enable|disable]
next
end
set always-compare-med [enable|disable]
set as {user}
set bestpath-as-path-ignore [enable|disable]
set bestpath-cmp-confed-aspath [enable|disable]
set bestpath-cmp-routerid [enable|disable]
set bestpath-med-confed [enable|disable]
set bestpath-med-missing-as-worst [enable|disable]
set client-to-client-reflection [enable|disable]
set cluster-id {ipv4-address-any}
set confederation-identifier {integer}
set confederation-peers <peer1>, <peer2>, ...
set cross-family-conditional-adv [enable|disable]
set dampening [enable|disable]
set dampening-max-suppress-time {integer}
set dampening-reachability-half-life {integer}
set dampening-reuse {integer}
set dampening-route-map {string}
set dampening-suppress {integer}
set dampening-unreachability-half-life {integer}
set default-local-preference {integer}
set deterministic-med [enable|disable]
set distance-external {integer}
set distance-internal {integer}
set distance-local {integer}
set ebgp-multipath [enable|disable]
set enforce-first-as [enable|disable]
set fast-external-failover [enable|disable]
set graceful-end-on-timer [enable|disable]
set graceful-restart [enable|disable]
set graceful-restart-time {integer}
set graceful-stalepath-time {integer}
set graceful-update-delay {integer}
set holdtime-timer {integer}
set ibgp-multipath [enable|disable]
set ignore-optional-capability [enable|disable]
set keepalive-timer {integer}
set log-neighbour-changes [enable|disable]
set multipath-recursive-distance [enable|disable]
config neighbor
Description: BGP neighbor table.
edit <ip>
set advertisement-interval {integer}
set allowas-in-enable [enable|disable]
set allowas-in-enable6 [enable|disable]
set allowas-in-enable-vpnv4 [enable|disable]

FortiOS 7.4.4 CLI Reference 799

Fortinet Inc.
set allowas-in-enable-vpnv6 [enable|disable]
set allowas-in-enable-evpn [enable|disable]
set allowas-in {integer}
set allowas-in6 {integer}
set allowas-in-vpnv4 {integer}
set allowas-in-vpnv6 {integer}
set allowas-in-evpn {integer}
set attribute-unchanged {option1}, {option2}, ...
set attribute-unchanged6 {option1}, {option2}, ...
set attribute-unchanged-vpnv4 {option1}, {option2}, ...
set attribute-unchanged-vpnv6 {option1}, {option2}, ...
set activate [enable|disable]
set activate6 [enable|disable]
set activate-vpnv4 [enable|disable]
set activate-vpnv6 [enable|disable]
set activate-evpn [enable|disable]
set bfd [enable|disable]
set capability-dynamic [enable|disable]
set capability-orf [none|receive|...]
set capability-orf6 [none|receive|...]
set capability-graceful-restart [enable|disable]
set capability-graceful-restart6 [enable|disable]
set capability-graceful-restart-vpnv4 [enable|disable]
set capability-graceful-restart-vpnv6 [enable|disable]
set capability-graceful-restart-evpn [enable|disable]
set capability-route-refresh [enable|disable]
set capability-default-originate [enable|disable]
set capability-default-originate6 [enable|disable]
set dont-capability-negotiate [enable|disable]
set ebgp-enforce-multihop [enable|disable]
set link-down-failover [enable|disable]
set stale-route [enable|disable]
set next-hop-self [enable|disable]
set next-hop-self6 [enable|disable]
set next-hop-self-rr [enable|disable]
set next-hop-self-rr6 [enable|disable]
set next-hop-self-vpnv4 [enable|disable]
set next-hop-self-vpnv6 [enable|disable]
set override-capability [enable|disable]
set passive [enable|disable]
set remove-private-as [enable|disable]
set remove-private-as6 [enable|disable]
set remove-private-as-vpnv4 [enable|disable]
set remove-private-as-vpnv6 [enable|disable]
set remove-private-as-evpn [enable|disable]
set route-reflector-client [enable|disable]
set route-reflector-client6 [enable|disable]
set route-reflector-client-vpnv4 [enable|disable]
set route-reflector-client-vpnv6 [enable|disable]
set route-reflector-client-evpn [enable|disable]
set route-server-client [enable|disable]
set route-server-client6 [enable|disable]
set route-server-client-vpnv4 [enable|disable]
set route-server-client-vpnv6 [enable|disable]
set route-server-client-evpn [enable|disable]
set shutdown [enable|disable]

FortiOS 7.4.4 CLI Reference 800

Fortinet Inc.
set soft-reconfiguration [enable|disable]
set soft-reconfiguration6 [enable|disable]
set soft-reconfiguration-vpnv4 [enable|disable]
set soft-reconfiguration-vpnv6 [enable|disable]
set soft-reconfiguration-evpn [enable|disable]
set as-override [enable|disable]
set as-override6 [enable|disable]
set strict-capability-match [enable|disable]
set default-originate-routemap {string}
set default-originate-routemap6 {string}
set description {string}
set distribute-list-in {string}
set distribute-list-in6 {string}
set distribute-list-in-vpnv4 {string}
set distribute-list-in-vpnv6 {string}
set distribute-list-out {string}
set distribute-list-out6 {string}
set distribute-list-out-vpnv4 {string}
set distribute-list-out-vpnv6 {string}
set ebgp-multihop-ttl {integer}
set filter-list-in {string}
set filter-list-in6 {string}
set filter-list-in-vpnv4 {string}
set filter-list-in-vpnv6 {string}
set filter-list-out {string}
set filter-list-out6 {string}
set filter-list-out-vpnv4 {string}
set filter-list-out-vpnv6 {string}
set interface {string}
set maximum-prefix {integer}
set maximum-prefix6 {integer}
set maximum-prefix-vpnv4 {integer}
set maximum-prefix-vpnv6 {integer}
set maximum-prefix-evpn {integer}
set maximum-prefix-threshold {integer}
set maximum-prefix-threshold6 {integer}
set maximum-prefix-threshold-vpnv4 {integer}
set maximum-prefix-threshold-vpnv6 {integer}
set maximum-prefix-threshold-evpn {integer}
set maximum-prefix-warning-only [enable|disable]
set maximum-prefix-warning-only6 [enable|disable]
set maximum-prefix-warning-only-vpnv4 [enable|disable]
set maximum-prefix-warning-only-vpnv6 [enable|disable]
set maximum-prefix-warning-only-evpn [enable|disable]
set prefix-list-in {string}
set prefix-list-in6 {string}
set prefix-list-in-vpnv4 {string}
set prefix-list-in-vpnv6 {string}
set prefix-list-out {string}
set prefix-list-out6 {string}
set prefix-list-out-vpnv4 {string}
set prefix-list-out-vpnv6 {string}
set remote-as {user}
set local-as {user}
set local-as-no-prepend [enable|disable]
set local-as-replace-as [enable|disable]

FortiOS 7.4.4 CLI Reference 801

Fortinet Inc.
set retain-stale-time {integer}
set route-map-in {string}
set route-map-in6 {string}
set route-map-in-vpnv4 {string}
set route-map-in-vpnv6 {string}
set route-map-in-evpn {string}
set route-map-out {string}
set route-map-out-preferable {string}
set route-map-out6 {string}
set route-map-out6-preferable {string}
set route-map-out-vpnv4 {string}
set route-map-out-vpnv6 {string}
set route-map-out-vpnv4-preferable {string}
set route-map-out-vpnv6-preferable {string}
set route-map-out-evpn {string}
set send-community [standard|extended|...]
set send-community6 [standard|extended|...]
set send-community-vpnv4 [standard|extended|...]
set send-community-vpnv6 [standard|extended|...]
set send-community-evpn [standard|extended|...]
set keep-alive-timer {integer}
set holdtime-timer {integer}
set connect-timer {integer}
set unsuppress-map {string}
set unsuppress-map6 {string}
set update-source {string}
set weight {integer}
set restart-time {integer}
set additional-path [send|receive|...]
set additional-path6 [send|receive|...]
set additional-path-vpnv4 [send|receive|...]
set additional-path-vpnv6 [send|receive|...]
set adv-additional-path {integer}
set adv-additional-path6 {integer}
set adv-additional-path-vpnv4 {integer}
set adv-additional-path-vpnv6 {integer}
set password {password}
set auth-options {string}
config conditional-advertise
Description: Conditional advertisement.
edit <advertise-routemap>
set condition-routemap <name1>, <name2>, ...
set condition-type [exist|non-exist]
next
end
config conditional-advertise6
Description: IPv6 conditional advertisement.
edit <advertise-routemap>
set condition-routemap <name1>, <name2>, ...
set condition-type [exist|non-exist]
next
end
next
end
config neighbor-group
Description: BGP neighbor group table.

FortiOS 7.4.4 CLI Reference 802

Fortinet Inc.
edit <name>
set advertisement-interval {integer}
set allowas-in-enable [enable|disable]
set allowas-in-enable6 [enable|disable]
set allowas-in-enable-vpnv4 [enable|disable]
set allowas-in-enable-vpnv6 [enable|disable]
set allowas-in-enable-evpn [enable|disable]
set allowas-in {integer}
set allowas-in6 {integer}
set allowas-in-vpnv4 {integer}
set allowas-in-vpnv6 {integer}
set allowas-in-evpn {integer}
set attribute-unchanged {option1}, {option2}, ...
set attribute-unchanged6 {option1}, {option2}, ...
set attribute-unchanged-vpnv4 {option1}, {option2}, ...
set attribute-unchanged-vpnv6 {option1}, {option2}, ...
set activate [enable|disable]
set activate6 [enable|disable]
set activate-vpnv4 [enable|disable]
set activate-vpnv6 [enable|disable]
set activate-evpn [enable|disable]
set bfd [enable|disable]
set capability-dynamic [enable|disable]
set capability-orf [none|receive|...]
set capability-orf6 [none|receive|...]
set capability-graceful-restart [enable|disable]
set capability-graceful-restart6 [enable|disable]
set capability-graceful-restart-vpnv4 [enable|disable]
set capability-graceful-restart-vpnv6 [enable|disable]
set capability-graceful-restart-evpn [enable|disable]
set capability-route-refresh [enable|disable]
set capability-default-originate [enable|disable]
set capability-default-originate6 [enable|disable]
set dont-capability-negotiate [enable|disable]
set ebgp-enforce-multihop [enable|disable]
set link-down-failover [enable|disable]
set stale-route [enable|disable]
set next-hop-self [enable|disable]
set next-hop-self6 [enable|disable]
set next-hop-self-rr [enable|disable]
set next-hop-self-rr6 [enable|disable]
set next-hop-self-vpnv4 [enable|disable]
set next-hop-self-vpnv6 [enable|disable]
set override-capability [enable|disable]
set passive [enable|disable]
set remove-private-as [enable|disable]
set remove-private-as6 [enable|disable]
set remove-private-as-vpnv4 [enable|disable]
set remove-private-as-vpnv6 [enable|disable]
set remove-private-as-evpn [enable|disable]
set route-reflector-client [enable|disable]
set route-reflector-client6 [enable|disable]
set route-reflector-client-vpnv4 [enable|disable]
set route-reflector-client-vpnv6 [enable|disable]
set route-reflector-client-evpn [enable|disable]
set route-server-client [enable|disable]

FortiOS 7.4.4 CLI Reference 803

Fortinet Inc.
set route-server-client6 [enable|disable]
set route-server-client-vpnv4 [enable|disable]
set route-server-client-vpnv6 [enable|disable]
set route-server-client-evpn [enable|disable]
set shutdown [enable|disable]
set soft-reconfiguration [enable|disable]
set soft-reconfiguration6 [enable|disable]
set soft-reconfiguration-vpnv4 [enable|disable]
set soft-reconfiguration-vpnv6 [enable|disable]
set soft-reconfiguration-evpn [enable|disable]
set as-override [enable|disable]
set as-override6 [enable|disable]
set strict-capability-match [enable|disable]
set default-originate-routemap {string}
set default-originate-routemap6 {string}
set description {string}
set distribute-list-in {string}
set distribute-list-in6 {string}
set distribute-list-in-vpnv4 {string}
set distribute-list-in-vpnv6 {string}
set distribute-list-out {string}
set distribute-list-out6 {string}
set distribute-list-out-vpnv4 {string}
set distribute-list-out-vpnv6 {string}
set ebgp-multihop-ttl {integer}
set filter-list-in {string}
set filter-list-in6 {string}
set filter-list-in-vpnv4 {string}
set filter-list-in-vpnv6 {string}
set filter-list-out {string}
set filter-list-out6 {string}
set filter-list-out-vpnv4 {string}
set filter-list-out-vpnv6 {string}
set interface {string}
set maximum-prefix {integer}
set maximum-prefix6 {integer}
set maximum-prefix-vpnv4 {integer}
set maximum-prefix-vpnv6 {integer}
set maximum-prefix-evpn {integer}
set maximum-prefix-threshold {integer}
set maximum-prefix-threshold6 {integer}
set maximum-prefix-threshold-vpnv4 {integer}
set maximum-prefix-threshold-vpnv6 {integer}
set maximum-prefix-threshold-evpn {integer}
set maximum-prefix-warning-only [enable|disable]
set maximum-prefix-warning-only6 [enable|disable]
set maximum-prefix-warning-only-vpnv4 [enable|disable]
set maximum-prefix-warning-only-vpnv6 [enable|disable]
set maximum-prefix-warning-only-evpn [enable|disable]
set prefix-list-in {string}
set prefix-list-in6 {string}
set prefix-list-in-vpnv4 {string}
set prefix-list-in-vpnv6 {string}
set prefix-list-out {string}
set prefix-list-out6 {string}
set prefix-list-out-vpnv4 {string}

FortiOS 7.4.4 CLI Reference 804

Fortinet Inc.
set prefix-list-out-vpnv6 {string}
set remote-as {user}
set remote-as-filter {string}
set local-as {user}
set local-as-no-prepend [enable|disable]
set local-as-replace-as [enable|disable]
set retain-stale-time {integer}
set route-map-in {string}
set route-map-in6 {string}
set route-map-in-vpnv4 {string}
set route-map-in-vpnv6 {string}
set route-map-in-evpn {string}
set route-map-out {string}
set route-map-out-preferable {string}
set route-map-out6 {string}
set route-map-out6-preferable {string}
set route-map-out-vpnv4 {string}
set route-map-out-vpnv6 {string}
set route-map-out-vpnv4-preferable {string}
set route-map-out-vpnv6-preferable {string}
set route-map-out-evpn {string}
set send-community [standard|extended|...]
set send-community6 [standard|extended|...]
set send-community-vpnv4 [standard|extended|...]
set send-community-vpnv6 [standard|extended|...]
set send-community-evpn [standard|extended|...]
set keep-alive-timer {integer}
set holdtime-timer {integer}
set connect-timer {integer}
set unsuppress-map {string}
set unsuppress-map6 {string}
set update-source {string}
set weight {integer}
set restart-time {integer}
set additional-path [send|receive|...]
set additional-path6 [send|receive|...]
set additional-path-vpnv4 [send|receive|...]
set additional-path-vpnv6 [send|receive|...]
set adv-additional-path {integer}
set adv-additional-path6 {integer}
set adv-additional-path-vpnv4 {integer}
set adv-additional-path-vpnv6 {integer}
set password {password}
set auth-options {string}
next
end
config neighbor-range
Description: BGP neighbor range table.
edit <id>
set prefix {ipv4-classnet}
set max-neighbor-num {integer}
set neighbor-group {string}
next
end
config neighbor-range6
Description: BGP IPv6 neighbor range table.

FortiOS 7.4.4 CLI Reference 805

Fortinet Inc.
edit <id>
set prefix6 {ipv6-network}
set max-neighbor-num {integer}
set neighbor-group {string}
next
end
config network
Description: BGP network table.
edit <id>
set prefix {ipv4-classnet}
set network-import-check [global|enable|...]
set backdoor [enable|disable]
set route-map {string}
next
end
set network-import-check [enable|disable]
config network6
Description: BGP IPv6 network table.
edit <id>
set prefix6 {ipv6-network}
set network-import-check [global|enable|...]
set backdoor [enable|disable]
set route-map {string}
next
end
set recursive-inherit-priority [enable|disable]
set recursive-next-hop [enable|disable]
config redistribute
Description: BGP IPv4 redistribute table.
edit <name>
set status [enable|disable]
set route-map {string}
next
end
config redistribute6
Description: BGP IPv6 redistribute table.
edit <name>
set status [enable|disable]
set route-map {string}
next
end
set router-id {ipv4-address-any}
set scan-time {integer}
set synchronization [enable|disable]
set tag-resolve-mode [disable|preferred|...]
config vrf
Description: BGP VRF leaking table.
edit <vrf>
set role [standalone|ce|...]
set rd {string}
set export-rt <route-target1>, <route-target2>, ...
set import-rt <route-target1>, <route-target2>, ...
set import-route-map {string}
config leak-target
Description: Target VRF table.
edit <vrf>

FortiOS 7.4.4 CLI Reference 806

Fortinet Inc.
set route-map {string}
set interface {string}
next
end
next
end
config vrf6
Description: BGP IPv6 VRF leaking table.
edit <vrf>
set role [standalone|ce|...]
set rd {string}
set export-rt <route-target1>, <route-target2>, ...
set import-rt <route-target1>, <route-target2>, ...
set import-route-map {string}
config leak-target
Description: Target VRF table.
edit <vrf>
set route-map {string}
set interface {string}
next
end
next
end
end

config router bgp

Parameter Description Type Size Default

additional-path Enable/disable selection of BGP IPv4 additional option - disable

paths.

Option Description

enable Enable setting.

disable Disable setting.

additional-path- Number of additional paths to be selected for integer Minimum 2

select each IPv4 NLRI. value: 2
Maximum
value: 255

additional-path- Number of additional paths to be selected for integer Minimum 2

select-vpnv4 each VPNv4 NLRI. value: 2
Maximum
value: 255

additional-path- Number of additional paths to be selected for integer Minimum 2

select-vpnv6 each VPNv6 NLRI. value: 2
Maximum
value: 255

FortiOS 7.4.4 CLI Reference 807

bestpath-as-path- Enable/disable ignore AS path. option - disable

ignore

Option Description

enable Enable setting.

disable Disable setting.

enable Enable setting.

disable Disable setting.

cluster-id Route reflector cluster ID. ipv4- Not Specified 0.0.0.0

address-
any

FortiOS 7.4.4 CLI Reference 809

Fortinet Inc.
Parameter Description Type Size Default

confederation- Confederation identifier. integer Minimum 0

identifier value: 1
Maximum
value:
4294967295

confederation- Confederation peers. string Maximum

peers <peer> Peer ID. length: 79

cross-family- Enable/disable cross address family conditional option - disable

conditional-adv advertisement.

Option Description

enable Enable setting.

disable Disable setting.

dampening Enable/disable route-flap dampening. option - disable

Option Description

enable Enable setting.

disable Disable setting.

dampening-max- Maximum minutes a route can be suppressed. integer Minimum 60

suppress-time value: 1
Maximum
value: 255

dampening- Reachability half-life time for penalty (min). integer Minimum 15

reachability-half- value: 1
life Maximum
value: 45

dampening-reuse Threshold to reuse routes. integer Minimum 750

value: 1
Maximum
value: 20000

dampening-route- Criteria for dampening. string Maximum

map length: 35

dampening- Threshold to suppress routes. integer Minimum 2000

suppress value: 1
Maximum
value: 20000

FortiOS 7.4.4 CLI Reference 810

Fortinet Inc.
Parameter Description Type Size Default

dampening- Unreachability half-life time for penalty (min). integer Minimum 15

unreachability- value: 1
half-life Maximum
value: 45

default-local- Default local preference. integer Minimum 100

preference value: 0
Maximum
value:
4294967295

deterministic-med Enable/disable enforce deterministic comparison option - disable

of MED.

Option Description

enable Enable setting.

disable Disable setting.

distance-external Distance for routes external to the AS. integer Minimum 20

value: 1
Maximum
value: 255

distance-internal Distance for routes internal to the AS. integer Minimum 200
value: 1
Maximum
value: 255

distance-local Distance for routes local to the AS. integer Minimum 200
value: 1
Maximum
value: 255

ebgp-multipath Enable/disable EBGP multi-path. option - disable

Option Description

enable Enable setting.

disable Disable setting.

enforce-first-as Enable/disable enforce first AS for EBGP routes. option - enable

Option Description

enable Enable setting.

disable Disable setting.

FortiOS 7.4.4 CLI Reference 811

Fortinet Inc.
Parameter Description Type Size Default

fast-external- Enable/disable reset peer BGP session if link option - enable

failover goes down.

Option Description

enable Enable setting.

graceful-update- Route advertisement/selection delay after restart integer Minimum 120

delay (sec). value: 1
Maximum
value: 3600

holdtime-timer Number of seconds to mark peer as dead. integer Minimum 180

value: 3
Maximum
value: 65535

ibgp-multipath Enable/disable IBGP multi-path. option - disable

Option Description

enable Enable setting.

disable Disable setting.

FortiOS 7.4.4 CLI Reference 812

Fortinet Inc.
Parameter Description Type Size Default

ignore-optional- Do not send unknown optional capability option - enable

capability notification message.

Option Description

enable Enable setting.

disable Disable setting.

enable Enable setting.

disable Disable setting.

recursive-next- Enable/disable recursive resolution of next-hop option - disable

hop using BGP route.

FortiOS 7.4.4 CLI Reference 813

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

router-id Router ID. ipv4- Not Specified

address-
any

scan-time Background scanner interval (sec), 0 to disable it. integer Minimum 60

value: 5
Maximum
value: 60

synchronization Enable/disable only advertise routes from iBGP if option - disable

routes present in an IGP.

Option Description

enable Enable setting.

disable Disable setting.

tag-resolve-mode Configure tag-match mode. Resolves BGP routes option - disable

with other routes containing the same tag.

Option Description

disable Disable tag-match mode.

preferred Use tag-match if a BGP route resolution with another route containing the
same tag is successful.

merge Merge tag-match with best-match if they are using different routes. The
result will exclude the next hops of tag-match whose interfaces have
appeared in best-match.

config admin-distance

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

neighbour- Neighbor address prefix. ipv4- Not Specified 0.0.0.0

prefix classnet 0.0.0.0

FortiOS 7.4.4 CLI Reference 814

Fortinet Inc.
Parameter Description Type Size Default

route-list Access list of routes to apply new distance to. string Maximum
length: 35

distance Administrative distance to apply. integer Minimum 0

value: 1
Maximum
value: 255

config aggregate-address

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

prefix Aggregate prefix. ipv4- Not Specified 0.0.0.0

classnet- 0.0.0.0
any

as-set Enable/disable generate AS set path information. option - disable

Option Description

enable Enable setting.

disable Disable setting.

summary-only Enable/disable filter more specific routes from option - disable

updates.

Option Description

enable Enable setting.

disable Disable setting.

config aggregate-address6

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

prefix6 Aggregate IPv6 prefix. ipv6-prefix Not Specified ::/0

FortiOS 7.4.4 CLI Reference 815

Fortinet Inc.
Parameter Description Type Size Default

as-set Enable/disable generate AS set path information. option - disable

Option Description

enable Enable setting.

disable Disable setting.

summary-only Enable/disable filter more specific routes from option - disable

updates.

Option Description

enable Enable setting.

disable Disable setting.

config neighbor

Parameter Description Type Size Default

ip IP/IPv6 address of neighbor. string Maximum

length: 45

advertisement- Minimum interval (sec) between sending integer Minimum 30

interval updates. value: 0
Maximum
value: 600

allowas-in-enable Enable/disable IPv4 Enable to allow my AS in option - disable

AS path.

Option Description

enable Enable setting.

disable Disable setting.

allowas-in- Enable/disable IPv6 Enable to allow my AS in option - disable

enable6 AS path.

Option Description

enable Enable setting.

disable Disable setting.

allowas-in-enable- Enable/disable to allow my AS in AS path for option - disable

vpnv4 VPNv4 route.

allowas-in IPv4 The maximum number of occurrence of integer Minimum 3

my AS number allowed. value: 1
Maximum
value: 10

allowas-in6 IPv6 The maximum number of occurrence of integer Minimum 3

my AS number allowed. value: 1
Maximum
value: 10

allowas-in-vpnv4 The maximum number of occurrence of my integer Minimum 3

AS number allowed for VPNv4 route. value: 1
Maximum
value: 10

allowas-in-vpnv6 The maximum number of occurrence of my integer Minimum 3

AS number allowed for VPNv6 route. value: 1
Maximum
value: 10

allowas-in-evpn The maximum number of occurrence of my integer Minimum 3

AS number allowed for L2VPN EVPN route. value: 1
Maximum
value: 10

attribute- IPv4 List of attributes that should be option -

unchanged unchanged.

activate6 Enable/disable address family IPv6 for this option - enable

neighbor.

to this neighbor.

Option Description

enable Enable setting.

disable Disable setting.

capability-orf Accept/Send IPv4 ORF lists to/from this option - none

neighbor.

FortiOS 7.4.4 CLI Reference 819

Fortinet Inc.
Parameter Description Type Size Default

Option Description

none None.

receive Receive ORF lists.

disable Disable setting.

capability- Enable/disable advertise VPNv4 graceful option - disable

graceful-restart- restart capability to this neighbor.
vpnv4

Option Description

enable Enable setting.

disable Disable setting.

enable Enable setting.

disable Disable setting.

dont-capability- Do not negotiate capabilities with this option - disable

negotiate neighbor.

FortiOS 7.4.4 CLI Reference 821

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

enable Enable setting.

disable Disable setting.

enable Enable setting.

disable Disable setting.

FortiOS 7.4.4 CLI Reference 824

Fortinet Inc.
Parameter Description Type Size Default

client6

Option Description

enable Enable setting.

disable Disable setting.

Option Description

enable Enable setting.

disable Disable setting.

soft- Enable/disable allow IPv6 inbound soft option - disable

reconfiguration6 reconfiguration.

Option Description

enable Enable setting.

disable Disable setting.

enable Enable setting.

disable Disable setting.

strict-capability- Enable/disable strict capability matching. option - disable

match

FortiOS 7.4.4 CLI Reference 827

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

default-originate- Route map to specify criteria to originate IPv4 string Maximum

routemap default. length: 35

default-originate- Route map to specify criteria to originate IPv6 string Maximum

routemap6 default. length: 35

description Description. string Maximum

length: 63

distribute-list-in Filter for IPv4 updates from this neighbor. string Maximum
length: 35

distribute-list-in6 Filter for IPv6 updates from this neighbor. string Maximum
length: 35

distribute-list-in- Filter for VPNv4 updates from this neighbor. string Maximum
vpnv4 length: 35

distribute-list-in- Filter for VPNv6 updates from this neighbor. string Maximum
vpnv6 length: 35

distribute-list-out Filter for IPv4 updates to this neighbor. string Maximum

length: 35

distribute-list-out6 Filter for IPv6 updates to this neighbor. string Maximum

length: 35

distribute-list-out- Filter for VPNv4 updates to this neighbor. string Maximum

vpnv4 length: 35

distribute-list-out- Filter for VPNv6 updates to this neighbor. string Maximum

maximum-prefix- Maximum L2VPN EVPN prefix threshold integer Minimum 75

threshold-evpn value. value: 1
Maximum
value: 100

maximum-prefix- Enable/disable IPv4 Only give warning option - disable

warning-only message when limit is exceeded.

Option Description

enable Enable setting.

disable Disable setting.

maximum-prefix- Enable/disable IPv6 Only give warning option - disable

warning-only6 message when limit is exceeded.

Option Description

enable Enable setting.

disable Disable setting.

maximum-prefix- Enable/disable only giving warning message option - disable

warning-only- when limit is exceeded for VPNv4 routes.
vpnv4

Option Description

enable Enable setting.

disable Disable setting.

maximum-prefix- Enable/disable warning message when limit option - disable

warning-only- is exceeded for VPNv6 routes.
vpnv6

FortiOS 7.4.4 CLI Reference 830

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

maximum-prefix- Enable/disable only sending warning option - disable

warning-only-evpn message when exceeding limit of L2VPN
EVPN routes.

Option Description

enable Enable setting.

disable Disable setting.

prefix-list-in IPv4 Inbound filter for updates from this string Maximum
neighbor. length: 35

prefix-list-in6 IPv6 Inbound filter for updates from this string Maximum
neighbor. length: 35

prefix-list-in-vpnv4 Inbound filter for VPNv4 updates from this string Maximum
neighbor. length: 35

prefix-list-in-vpnv6 Inbound filter for VPNv6 updates from this string Maximum
neighbor. length: 35

prefix-list-out IPv4 Outbound filter for updates to this string Maximum

neighbor. length: 35

prefix-list-out6 IPv6 Outbound filter for updates to this string Maximum

neighbor. length: 35

prefix-list-out- Outbound filter for VPNv4 updates to this string Maximum

vpnv4 neighbor. length: 35

prefix-list-out- Outbound filter for VPNv6 updates to this string Maximum

vpnv6 neighbor. length: 35

remote-as AS number of neighbor. user Not Specified

local-as Local AS number of neighbor. user Not Specified

local-as-no- Do not prepend local-as to incoming updates. option - disable

prepend

Option Description

enable Enable setting.

disable Disable setting.

local-as-replace- Replace real AS with local-as in outgoing option - disable

as updates.

FortiOS 7.4.4 CLI Reference 831

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

route-map-out IPv4 outbound route map filter. string Maximum

length: 35

route-map-out- IPv4 outbound route map filter if the peer is string Maximum
preferable preferred. length: 35

route-map-out6 IPv6 Outbound route map filter. string Maximum

length: 35

route-map-out6- IPv6 outbound route map filter if the peer is string Maximum
preferable preferred. length: 35

route-map-out- VPNv4 outbound route map filter. string Maximum

vpnv4 length: 35

route-map-out- VPNv6 outbound route map filter. string Maximum

vpnv6 length: 35

route-map-out- VPNv4 outbound route map filter if the peer is string Maximum
vpnv4-preferable preferred. length: 35

route-map-out- VPNv6 outbound route map filter if this string Maximum

vpnv6-preferable neighbor is preferred. length: 35

route-map-out- L2VPN EVPN outbound route map filter. string Maximum

disable Disable

send-community- Enable/disable sending community attribute option - both

evpn to neighbor for L2VPN EVPN address family.

Option Description

standard Standard.

FortiOS 7.4.4 CLI Reference 833

Fortinet Inc.
Parameter Description Type Size Default

Option Description

extended Extended.

both Both.

disable Disable

keep-alive-timer Keep alive timer interval (sec). integer Minimum 4294967295

value: 0
Maximum
value: 65535

holdtime-timer Interval (sec) before peer considered dead. integer Minimum 4294967295
value: 3
Maximum
value: 65535

connect-timer Interval (sec) for connect timer. integer Minimum 4294967295

value: 1
Maximum
value: 65535

unsuppress-map IPv4 Route map to selectively unsuppress string Maximum

suppressed routes. length: 35

unsuppress-map6 IPv6 Route map to selectively unsuppress string Maximum

suppressed routes. length: 35

update-source Interface to use as source IP/IPv6 address of string Maximum

TCP connections. length: 15

weight Neighbor weight. integer Minimum 4294967295

value: 0
Maximum
value: 65535

restart-time Graceful restart delay time. integer Minimum 0

value: 0
Maximum
value: 3600

additional-path Enable/disable IPv4 additional-path option - disable

capability.

Option Description

send Enable sending additional paths.

receive Enable receiving additional paths.

both Enable sending and receiving additional paths.

FortiOS 7.4.4 CLI Reference 834

Fortinet Inc.
Parameter Description Type Size Default

both Enable sending and receiving additional paths.

disable Disable additional paths.

adv-additional- Number of IPv4 additional paths that can be integer Minimum 2

path advertised to this neighbor. value: 2
Maximum
value: 255

adv-additional- Number of IPv6 additional paths that can be integer Minimum 2

path6 advertised to this neighbor. value: 2
Maximum
value: 255

FortiOS 7.4.4 CLI Reference 835

Fortinet Inc.
Parameter Description Type Size Default

adv-additional- Number of VPNv4 additional paths that can integer Minimum 2

path-vpnv4 be advertised to this neighbor. value: 2
Maximum
value: 255

adv-additional- Number of VPNv6 additional paths that can integer Minimum 2

path-vpnv6 be advertised to this neighbor. value: 2
Maximum
value: 255

password Password used in MD5 authentication. password Not Specified

auth-options Key-chain name for TCP authentication string Maximum

options. length: 35

config conditional-advertise

Parameter Description Type Size Default

advertise- Name of advertising route map. string Maximum

routemap length: 35

condition- List of conditional route maps. string Maximum

routemap Route map. length: 79
<name>

condition-type Type of condition. option - exist

Option Description

exist True if condition route map is matched.

non-exist True if condition route map is not matched.

config conditional-advertise6

Parameter Description Type Size Default

advertise- Name of advertising route map. string Maximum

routemap length: 35

condition- List of conditional route maps. string Maximum

routemap Route map. length: 79
<name>

condition-type Type of condition. option - exist

Option Description

exist True if condition route map is matched.

non-exist True if condition route map is not matched.

FortiOS 7.4.4 CLI Reference 836

Fortinet Inc.
config neighbor-group

Parameter Description Type Size Default

name Neighbor group name. string Maximum

allowas-in IPv4 The maximum number of occurrence of integer Minimum 3

my AS number allowed. value: 1
Maximum
value: 10

allowas-in6 IPv6 The maximum number of occurrence of integer Minimum 3

my AS number allowed. value: 1
Maximum
value: 10

allowas-in-vpnv4 The maximum number of occurrence of my integer Minimum 3

AS number allowed for VPNv4 route. value: 1
Maximum
value: 10

allowas-in-vpnv6 The maximum number of occurrence of my integer Minimum 3

AS number allowed for VPNv6 route. value: 1
Maximum
value: 10

allowas-in-evpn The maximum number of occurrence of my integer Minimum 3

AS number allowed for L2VPN EVPN route. value: 1
Maximum
value: 10

attribute- IPv4 List of attributes that should be option -

unchanged unchanged.

Option Description

as-path AS path.

med MED.

next-hop Next hop.

attribute- IPv6 List of attributes that should be option -

unchanged6 unchanged.

Option Description

as-path AS path.

med MED.

next-hop Next hop.

attribute- List of attributes that should be unchanged option -

unchanged-vpnv4 for VPNv4 route.

FortiOS 7.4.4 CLI Reference 838

Fortinet Inc.
Parameter Description Type Size Default

FortiOS 7.4.4 CLI Reference 839

Fortinet Inc.
Parameter Description Type Size Default

activate-evpn Enable/disable address family L2VPN EVPN option - enable

for this neighbor.

Option Description

enable Enable setting.

disable Disable setting.

bfd Enable/disable BFD for this neighbor. option - disable

Option Description

enable Enable setting.

disable Disable setting.

capability-dynamic Enable/disable advertise dynamic capability option - disable

to this neighbor.

Option Description

enable Enable setting.

disable Disable setting.

capability-orf Accept/Send IPv4 ORF lists to/from this option - none

neighbor.

Option Description

none None.

receive Receive ORF lists.

send Send ORF list.

both Send and receive ORF lists.

capability-orf6 Accept/Send IPv6 ORF lists to/from this option - none

neighbor.

Option Description

none None.

receive Receive ORF lists.

send Send ORF list.

both Send and receive ORF lists.

enable Enable setting.

disable Disable setting.

FortiOS 7.4.4 CLI Reference 841

Fortinet Inc.
Parameter Description Type Size Default

down.

Option Description

enable Enable setting.

disable Disable setting.

enable Enable setting.

disable Disable setting.

enable Enable setting.

disable Disable setting.

enable Enable setting.

disable Disable setting.

route-reflector- Enable/disable L2VPN EVPN AS route option - disable

client-evpn reflector client for this neighbor.

FortiOS 7.4.4 CLI Reference 845

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

route-server-client Enable/disable IPv4 AS route server client. option - disable

disable Disable setting.

default-originate- Route map to specify criteria to originate IPv4 string Maximum

routemap default. length: 35

default-originate- Route map to specify criteria to originate IPv6 string Maximum

routemap6 default. length: 35

description Description. string Maximum

length: 63

distribute-list-in Filter for IPv4 updates from this neighbor. string Maximum
length: 35

distribute-list-in6 Filter for IPv6 updates from this neighbor. string Maximum
length: 35

distribute-list-in- Filter for VPNv4 updates from this neighbor. string Maximum
vpnv4 length: 35

distribute-list-in- Filter for VPNv6 updates from this neighbor. string Maximum
vpnv6 length: 35

distribute-list-out Filter for IPv4 updates to this neighbor. string Maximum

length: 35

distribute-list-out6 Filter for IPv6 updates to this neighbor. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 848

Fortinet Inc.
Parameter Description Type Size Default

distribute-list-out- Filter for VPNv4 updates to this neighbor. string Maximum

vpnv4 length: 35

distribute-list-out- Filter for VPNv6 updates to this neighbor. string Maximum

maximum-prefix- Enable/disable IPv4 Only give warning option - disable

warning-only message when limit is exceeded.

Option Description

enable Enable setting.

disable Disable setting.

enable Enable setting.

disable Disable setting.

prefix-list-in IPv4 Inbound filter for updates from this string Maximum
neighbor. length: 35

prefix-list-in6 IPv6 Inbound filter for updates from this string Maximum
neighbor. length: 35

prefix-list-in-vpnv4 Inbound filter for VPNv4 updates from this string Maximum
neighbor. length: 35

prefix-list-in-vpnv6 Inbound filter for VPNv6 updates from this string Maximum
neighbor. length: 35

prefix-list-out IPv4 Outbound filter for updates to this string Maximum

neighbor. length: 35

FortiOS 7.4.4 CLI Reference 851

Fortinet Inc.
Parameter Description Type Size Default

prefix-list-out6 IPv6 Outbound filter for updates to this string Maximum

neighbor. length: 35

prefix-list-out- Outbound filter for VPNv4 updates to this string Maximum

vpnv4 neighbor. length: 35

prefix-list-out- Outbound filter for VPNv6 updates to this string Maximum

vpnv6 neighbor. length: 35

remote-as AS number of neighbor. user Not Specified

remote-as-filter BGP filter for remote AS. string Maximum

length: 35

local-as Local AS number of neighbor. user Not Specified

local-as-no- Do not prepend local-as to incoming updates. option - disable

prepend

Option Description

enable Enable setting.

disable Disable setting.

local-as-replace- Replace real AS with local-as in outgoing option - disable

as updates.

Option Description

enable Enable setting.

disable Disable setting.

route-map-out- IPv4 outbound route map filter if the peer is string Maximum
preferable preferred. length: 35

route-map-out6 IPv6 Outbound route map filter. string Maximum

length: 35

route-map-out6- IPv6 outbound route map filter if the peer is string Maximum
preferable preferred. length: 35

route-map-out- VPNv4 outbound route map filter. string Maximum

vpnv4 length: 35

route-map-out- VPNv6 outbound route map filter. string Maximum

vpnv6 length: 35

route-map-out- VPNv4 outbound route map filter if the peer is string Maximum
vpnv4-preferable preferred. length: 35

route-map-out- VPNv6 outbound route map filter if this string Maximum

vpnv6-preferable neighbor is preferred. length: 35

route-map-out- L2VPN EVPN outbound route map filter. string Maximum

evpn length: 35

send-community IPv4 Send community attribute to neighbor. option - both

Option Description

standard Standard.

extended Extended.

both Both.

disable Disable

send-community6 IPv6 Send community attribute to neighbor. option - both

Option Description

Fortinet Inc.
Parameter Description Type Size Default

unsuppress-map6 IPv6 Route map to selectively unsuppress string Maximum

suppressed routes. length: 35

update-source Interface to use as source IP/IPv6 address of string Maximum

TCP connections. length: 15

weight Neighbor weight. integer Minimum 4294967295

value: 0
Maximum
value: 65535

both Enable sending and receiving additional paths.

disable Disable additional paths.

FortiOS 7.4.4 CLI Reference 855

Fortinet Inc.
Parameter Description Type Size Default

additional-path- Enable/disable VPNv6 additional-path option - disable

vpnv6 capability.

Option Description

send Enable sending additional paths.

receive Enable receiving additional paths.

both Enable sending and receiving additional paths.

disable Disable additional paths.

adv-additional- Number of IPv4 additional paths that can be integer Minimum 2

path advertised to this neighbor. value: 2
Maximum
value: 255

adv-additional- Number of IPv6 additional paths that can be integer Minimum 2

path6 advertised to this neighbor. value: 2
Maximum
value: 255

adv-additional- Number of VPNv4 additional paths that can integer Minimum 2

path-vpnv4 be advertised to this neighbor. value: 2
Maximum
value: 255

adv-additional- Number of VPNv6 additional paths that can integer Minimum 2

path-vpnv6 be advertised to this neighbor. value: 2
Maximum
value: 255

password Password used in MD5 authentication. password Not Specified

auth-options Key-chain name for TCP authentication string Maximum

options. length: 35

config neighbor-range

Parameter Description Type Size Default

id Neighbor range ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

prefix Neighbor range prefix. ipv4- Not Specified 0.0.0.0

classnet 0.0.0.0

FortiOS 7.4.4 CLI Reference 856

Fortinet Inc.
Parameter Description Type Size Default

max- Maximum number of neighbors. integer Minimum 0

neighbor-num value: 1
Maximum
value: 1000

neighbor- Neighbor group name. string Maximum

group length: 63

config neighbor-range6

Parameter Description Type Size Default

id IPv6 neighbor range ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

prefix6 IPv6 prefix. ipv6- Not Specified ::/0

network

max- Maximum number of neighbors. integer Minimum 0

neighbor-num value: 1
Maximum
value: 1000

neighbor- Neighbor group name. string Maximum

group length: 63

config network

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

prefix Network prefix. ipv4- Not Specified 0.0.0.0

classnet 0.0.0.0

disable Disable setting.

route-map Route map to modify generated route. string Maximum

length: 35

config network6

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

prefix6 Network IPv6 prefix. ipv6- Not Specified ::/0

network

network- Configure insurance of BGP network route existence option - global

import-check in IGP.

Option Description

global Use global network sync value.

enable Enable network sync per prefix.

disable Disable network sync per prefix.

backdoor Enable/disable route as backdoor. option - disable

Option Description

enable Enable setting.

disable Disable setting.

route-map Route map to modify generated route. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 858

Fortinet Inc.
config redistribute

Parameter Description Type Size Default

name Distribute list entry name. string Maximum

length: 35

status Status. option - disable

Option Description

enable Enable setting.

disable Disable setting.

route-map Route map name. string Maximum

length: 35

config redistribute6

Parameter Description Type Size Default

name Distribute list entry name. string Maximum

length: 35

status Status. option - disable

Option Description

enable Enable setting.

disable Disable setting.

route-map Route map name. string Maximum

length: 35

config vrf

Parameter Description Type Size Default

vrf Origin VRF ID. string Maximum

length: 7

role VRF role. option - standalone

Option Description

standalone Stand-alone VRF.

ce CE VRF.

pe PE VRF.

rd Route Distinguisher: AA:NN|A.B.C.D:NN. string Maximum

length: 79

FortiOS 7.4.4 CLI Reference 859

Fortinet Inc.
Parameter Description Type Size Default

export-rt List of export route target. string Maximum

<route- Attribute: AA:NN|A.B.C.D:NN. length: 79
target>

import-rt List of import route target. string Maximum

<route- Attribute: AA:NN|A.B.C.D:NN length: 79
target>

import-route- Import route map. string Maximum

map length: 35

config leak-target

Parameter Description Type Size Default

vrf Target VRF ID. string Maximum

length: 7

route-map Route map of VRF leaking. string Maximum

length: 35

interface Interface which is used to leak routes to target VRF. string Maximum
length: 15

config vrf6

Parameter Description Type Size Default

vrf Origin VRF ID. string Maximum

length: 7

role VRF role. option - standalone

Option Description

standalone Stand-alone VRF.

ce CE VRF.

pe PE VRF.

rd Route Distinguisher: AA:NN|A.B.C.D:NN. string Maximum

length: 79

export-rt List of export route target. string Maximum

<route- Attribute: AA:NN|A.B.C.D:NN. length: 79
target>

import-rt List of import route target. string Maximum

<route- Attribute: AA:NN|A.B.C.D:NN length: 79
target>

FortiOS 7.4.4 CLI Reference 860

Fortinet Inc.
Parameter Description Type Size Default

import-route- Import route map. string Maximum

map length: 35

config leak-target

Parameter Description Type Size Default

vrf Target VRF ID. string Maximum

length: 7

route-map Route map of VRF leaking. string Maximum

length: 35

interface Interface which is used to leak routes to target VRF. string Maximum
length: 15

config router community-list

Configure community lists.

config router community-list
Description: Configure community lists.
edit <name>
config rule
Description: Community list rule.
edit <id>
set action [deny|permit]
set regexp {string}
set match {string}
next
end
set type [standard|expanded]
next
end

config router community-list

Parameter Description Type Size Default

name Community list name. string Maximum

length: 35

type Community list type (standard or expanded). option - standard

Option Description

standard Standard community list type.

expanded Expanded community list type.

FortiOS 7.4.4 CLI Reference 861

Fortinet Inc.
config rule

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

action Permit or deny route-based operations, based on the option -

route's COMMUNITY attribute.

Option Description

deny Deny route-based operations.

permit Permit or allow route-based operations.

regexp Ordered list of COMMUNITY attributes as a regular string Maximum

expression. length: 255

match Community specifications for matching a reserved string Maximum

community. length: 255

config router extcommunity-list

Configure extended community lists.

config router extcommunity-list
Description: Configure extended community lists.
edit <name>
config rule
Description: Extended community list rule.
edit <id>
set action [deny|permit]
set regexp {string}
set type [rt|soo]
set match {string}
next
end
set type [standard|expanded]
next
end

config router extcommunity-list

Parameter Description Type Size Default

name Extended community list name. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 862

Fortinet Inc.
Parameter Description Type Size Default

type Extended community list type (standard or expanded). option - standard

Option Description

standard Standard extended community list type.

expanded Expanded extended community list type.

config rule

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

action Permit or deny route-based operations, based on the option -

route's EXTENDED COMMUNITY attribute.

Option Description

deny Deny route-based operations.

permit Permit or allow route-based operations.

regexp Ordered list of EXTENDED COMMUNITY attributes string Maximum

as a regular expression. length: 255

type Type of extended community. option - rt

Option Description

rt Route Target.

soo Site of Origin.

match Extended community specifications for matching a string Maximum

reserved extended community. length: 255

config router isis

Configure IS-IS.
config router isis
Description: Configure IS-IS.
set adjacency-check [enable|disable]
set adjacency-check6 [enable|disable]
set adv-passive-only [enable|disable]
set adv-passive-only6 [enable|disable]
set auth-keychain-l1 {string}

FortiOS 7.4.4 CLI Reference 863

Fortinet Inc.
set auth-keychain-l2 {string}
set auth-mode-l1 [password|md5]
set auth-mode-l2 [password|md5]
set auth-password-l1 {password}
set auth-password-l2 {password}
set auth-sendonly-l1 [enable|disable]
set auth-sendonly-l2 [enable|disable]
set default-originate [enable|disable]
set default-originate6 [enable|disable]
set dynamic-hostname [enable|disable]
set ignore-lsp-errors [enable|disable]
set is-type [level-1-2|level-1|...]
config isis-interface
Description: IS-IS interface configuration.
edit <name>
set status [enable|disable]
set status6 [enable|disable]
set network-type [broadcast|point-to-point|...]
set circuit-type [level-1-2|level-1|...]
set csnp-interval-l1 {integer}
set csnp-interval-l2 {integer}
set hello-interval-l1 {integer}
set hello-interval-l2 {integer}
set hello-multiplier-l1 {integer}
set hello-multiplier-l2 {integer}
set hello-padding [enable|disable]
set lsp-interval {integer}
set lsp-retransmit-interval {integer}
set metric-l1 {integer}
set metric-l2 {integer}
set wide-metric-l1 {integer}
set wide-metric-l2 {integer}
set auth-password-l1 {password}
set auth-password-l2 {password}
set auth-keychain-l1 {string}
set auth-keychain-l2 {string}
set auth-send-only-l1 [enable|disable]
set auth-send-only-l2 [enable|disable]
set auth-mode-l1 [md5|password]
set auth-mode-l2 [md5|password]
set priority-l1 {integer}
set priority-l2 {integer}
set mesh-group [enable|disable]
set mesh-group-id {integer}
next
end
config isis-net
Description: IS-IS net configuration.
edit <id>
set net {user}
next
end
set lsp-gen-interval-l1 {integer}
set lsp-gen-interval-l2 {integer}
set lsp-refresh-interval {integer}
set max-lsp-lifetime {integer}

FortiOS 7.4.4 CLI Reference 864

Fortinet Inc.
set metric-style [narrow|wide|...]
set overload-bit [enable|disable]
set overload-bit-on-startup {integer}
set overload-bit-suppress {option1}, {option2}, ...
config redistribute
Description: IS-IS redistribute protocols.
edit <protocol>
set status [enable|disable]
set metric {integer}
set metric-type [external|internal]
set level [level-1-2|level-1|...]
set routemap {string}
next
end
set redistribute-l1 [enable|disable]
set redistribute-l1-list {string}
set redistribute-l2 [enable|disable]
set redistribute-l2-list {string}
config redistribute6
Description: IS-IS IPv6 redistribution for routing protocols.
edit <protocol>
set status [enable|disable]
set metric {integer}
set metric-type [external|internal]
set level [level-1-2|level-1|...]
set routemap {string}
next
end
set redistribute6-l1 [enable|disable]
set redistribute6-l1-list {string}
set redistribute6-l2 [enable|disable]
set redistribute6-l2-list {string}
set spf-interval-exp-l1 {user}
set spf-interval-exp-l2 {user}
config summary-address
Description: IS-IS summary addresses.
edit <id>
set prefix {ipv4-classnet-any}
set level [level-1-2|level-1|...]
next
end
config summary-address6
Description: IS-IS IPv6 summary address.
edit <id>
set prefix6 {ipv6-prefix}
set level [level-1-2|level-1|...]
next
end
end

FortiOS 7.4.4 CLI Reference 865

enable Advertise passive interfaces only.

disable Advertise all IS-IS enabled interfaces.

auth-keychain- Authentication key-chain for level 1 PDUs. string Maximum

l1 length: 35

auth-keychain- Authentication key-chain for level 2 PDUs. string Maximum

l2 length: 35

auth-mode-l1 Level 1 authentication mode. option - password

Option Description

password Password.

md5 MD5.

auth-mode-l2 Level 2 authentication mode. option - password

FortiOS 7.4.4 CLI Reference 866

Fortinet Inc.
Parameter Description Type Size Default

Option Description

password Password.

md5 MD5.

auth-password- Authentication password for level 1 PDUs. password Not

l1 Specified

auth-password- Authentication password for level 2 PDUs. password Not

l2 Specified

auth-sendonly- Enable/disable level 1 authentication send-only. option - disable

Option Description

enable Enable level 1 authentication send-only.

disable Disable level 1 authentication send-only.

auth-sendonly- Enable/disable level 2 authentication send-only. option - disable

lsp-gen- Minimum interval for level 1 LSP regenerating. integer Minimum 30

interval-l1 value: 1
Maximum
value: 120

lsp-gen- Minimum interval for level 2 LSP regenerating. integer Minimum 30

interval-l2 value: 1
Maximum
value: 120

lsp-refresh- LSP refresh time in seconds. integer Minimum 900

interval value: 1
Maximum
value:
65535

max-lsp- Maximum LSP lifetime in seconds. integer Minimum 1200

lifetime value: 350
Maximum
value:
65535

metric-style Use old-style (ISO 10589) or new-style packet option - narrow

formats.

FortiOS 7.4.4 CLI Reference 868

Fortinet Inc.
Parameter Description Type Size Default

Option Description

narrow Use old style of TLVs with narrow metric.

wide Use new style of TLVs to carry wider metric.

transition Send and accept both styles of TLVs during transition.

narrow-transition Narrow and accept both styles of TLVs during transition.

narrow- Narrow-transition level-1 only.

transition-l1

narrow- Narrow-transition level-2 only.

transition-l2

wide-l1 Wide level-1 only.

wide-l2 Wide level-2 only.

wide-transition Wide and accept both styles of TLVs during transition.

wide-transition-l1 Wide-transition level-1 only.

wide-transition-l2 Wide-transition level-2 only.

transition-l1 Transition level-1 only.

transition-l2 Transition level-2 only.

overload-bit Enable/disable signal other routers not to use us in option - disable

SPF.

Option Description

enable Enable overload bit.

disable Disable overload bit.

overload-bit- Overload-bit only temporarily after reboot. integer Minimum 0

on-startup value: 5
Maximum
value:
86400

overload-bit- Suppress overload-bit for the specific prefixes. option -

suppress

Option Description

external External.

disable Disable redistribution of level 1 IPv6 routes into level 2.

redistribute6-l1- Access-list for IPv6 route redistribution from l1 to l2. string Maximum
list length: 35

redistribute6-l2 Enable/disable redistribution of level 2 IPv6 routes option - disable

into level 1.

Option Description

enable Enable redistribution of level 2 IPv6 routes into level 1.

disable Disable redistribution of level 2 IPv6 routes into level 1.

redistribute6-l2- Access-list for IPv6 route redistribution from l2 to l1. string Maximum
list length: 35

spf-interval- Level 1 SPF calculation delay. user Not

exp-l1 Specified

spf-interval- Level 2 SPF calculation delay. user Not

exp-l2 Specified

FortiOS 7.4.4 CLI Reference 870

Fortinet Inc.
config isis-interface

Parameter Description Type Size Default

broadcast Broadcast.

point-to-point Point-to-point.

loopback Loopback.

circuit-type IS-IS interface's circuit type. option - level-1-2

Option Description

level-1-2 Level 1 and 2.

level-1 Level 1.

level-2 Level 2.

csnp-interval- Level 1 CSNP interval. integer Minimum 10

l1 value: 1
Maximum
value: 65535

csnp-interval- Level 2 CSNP interval. integer Minimum 10

l2 value: 1
Maximum
value: 65535

FortiOS 7.4.4 CLI Reference 871

Fortinet Inc.
Parameter Description Type Size Default

hello-interval- Level 1 hello interval. integer Minimum 10

l1 value: 0
Maximum
value: 65535

hello-interval- Level 2 hello interval. integer Minimum 10

l2 value: 0
Maximum
value: 65535

hello- Level 1 multiplier for Hello holding time. integer Minimum 3

multiplier-l1 value: 2
Maximum
value: 100

hello- Level 2 multiplier for Hello holding time. integer Minimum 3

multiplier-l2 value: 2
Maximum
value: 100

hello-padding Enable/disable padding to IS-IS hello packets. option - enable

Option Description

enable Enable padding to IS-IS hello packets.

disable Disable padding to IS-IS hello packets.

lsp-interval LSP transmission interval (milliseconds). integer Minimum 33

value: 1
Maximum
value:
4294967295

lsp- LSP retransmission interval (sec). integer Minimum 5

retransmit- value: 1
interval Maximum
value: 65535

metric-l1 Level 1 metric for interface. integer Minimum 10

value: 1
Maximum
value: 63

metric-l2 Level 2 metric for interface. integer Minimum 10

value: 1
Maximum
value: 63

FortiOS 7.4.4 CLI Reference 872

Fortinet Inc.
Parameter Description Type Size Default

wide-metric-l1 Level 1 wide metric for interface. integer Minimum 10

value: 1
Maximum
value:
16777214

wide-metric-l2 Level 2 wide metric for interface. integer Minimum 10

value: 1
Maximum
value:
16777214

auth- Authentication password for level 1 PDUs. password Not Specified

password-l1

auth- Authentication password for level 2 PDUs. password Not Specified

password-l2

auth- Authentication key-chain for level 1 PDUs. string Maximum

md5 MD5.

password Password.

auth-mode-l2 Level 2 authentication mode. option - password

FortiOS 7.4.4 CLI Reference 873

Fortinet Inc.
Parameter Description Type Size Default

Option Description

md5 MD5.

password Password.

priority-l1 Level 1 priority. integer Minimum 64

value: 0
Maximum
value: 127

priority-l2 Level 2 priority. integer Minimum 64

value: 0
Maximum
value: 127

mesh-group Enable/disable IS-IS mesh group. option - disable

Option Description

enable Enable IS-IS mesh group.

disable Disable IS-IS mesh group.

mesh-group- Mesh group ID <0-4294967295>, 0: mesh-group integer Minimum 0

id blocked. value: 0
Maximum
value:
4294967295

config isis-net

Parameter Description Type Size Default

id ISIS network ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

net IS-IS networks (format = xx.xxxx. .xxxx.xx.). user Not Specified

config redistribute

Parameter Description Type Size Default

protocol Protocol name. string Maximum

length: 35

status Status. option - disable

FortiOS 7.4.4 CLI Reference 874

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable.

disable Disable.

metric Metric. integer Minimum 0

value: 0
Maximum
value:
4261412864

metric-type Metric type. option - internal

Option Description

external External.

internal Internal.

level Level. option - level-2

Option Description

level-1-2 Level 1 and 2.

level-1 Level 1.

level-2 Level 2.

routemap Route map name. string Maximum

length: 35

config redistribute6

Parameter Description Type Size Default

protocol Protocol name. string Maximum

length: 35

status Enable/disable redistribution. option - disable

Option Description

enable Enable redistribution.

disable Disable redistribution.

FortiOS 7.4.4 CLI Reference 875

Fortinet Inc.
Parameter Description Type Size Default

metric Metric. integer Minimum 0

value: 0
Maximum
value:
4261412864

metric-type Metric type. option - internal

Option Description

external External metric type.

internal Internal metric type.

level Level. option - level-2

Option Description

level-1-2 Level 1 and 2.

level-1 Level 1.

level-2 Level 2.

routemap Route map name. string Maximum

length: 35

config summary-address

Parameter Description Type Size Default

id Summary address entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

prefix Prefix. ipv4- Not Specified 0.0.0.0

classnet- 0.0.0.0
any

level Level. option - level-2

Option Description

level-1-2 Level 1 and 2.

level-1 Level 1.

level-2 Level 2.

FortiOS 7.4.4 CLI Reference 876

Fortinet Inc.
config summary-address6

Parameter Description Type Size Default

id Prefix entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

prefix6 IPv6 prefix. ipv6-prefix Not Specified ::/0

level Level. option - level-2

Option Description

level-1-2 Level 1 and 2.

level-1 Level 1.

level-2 Level 2.

config router key-chain

Configure key-chain.
config router key-chain
Description: Configure key-chain.
edit <name>
config key
Description: Configuration method to edit key settings.
edit <id>
set accept-lifetime {user}
set send-lifetime {user}
set key-string {password}
set algorithm [md5|hmac-sha1|...]
next
end
next
end

config router key-chain

Parameter Description Type Size Default

name Key-chain name. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 877

Fortinet Inc.
config key

Parameter Description Type Size Default

id Key ID. string Maximum

length: 10

accept- Lifetime of received authentication key (format: user Not

lifetime hh:mm:ss day month year). Specified

send-lifetime Lifetime of sent authentication key (format: hh:mm:ss user Not

day month year). Specified

key-string Password for the key (maximum = 64 characters). password Not

Specified

algorithm Cryptographic algorithm. option - md5

Option Description

md5 MD5.

hmac-sha1 HMAC-SHA1.

hmac-sha256 HMAC-SHA256.

hmac-sha384 HMAC-SHA384.

hmac-sha512 HMAC-SHA512.

cmac-aes128 CMAC-AES128.

config router multicast-flow

Configure multicast-flow.
config router multicast-flow
Description: Configure multicast-flow.
edit <name>
set comments {string}
config flows
Description: Multicast-flow entries.
edit <id>
set group-addr {ipv4-address-any}
set source-addr {ipv4-address-any}
next
end
next
end

FortiOS 7.4.4 CLI Reference 878

Fortinet Inc.
config router multicast-flow

Parameter Description Type Size Default

comments Comment. string Maximum

length: 127

name Name. string Maximum

length: 35

config flows

Parameter Description Type Size Default

id Flow ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

group-addr Multicast group IP address. ipv4- Not Specified 0.0.0.0

address-
any

source-addr Multicast source IP address. ipv4- Not Specified 0.0.0.0

address-
any

config router multicast

Configure router multicast.

config router multicast
Description: Configure router multicast.
config interface
Description: PIM interfaces.
edit <name>
set ttl-threshold {integer}
set pim-mode [sparse-mode|dense-mode]
set passive [enable|disable]
set bfd [enable|disable]
set neighbour-filter {string}
set hello-interval {integer}
set hello-holdtime {integer}
set cisco-exclude-genid [enable|disable]
set dr-priority {integer}
set propagation-delay {integer}
set state-refresh-interval {integer}
set rp-candidate [enable|disable]
set rp-candidate-group {string}
set rp-candidate-priority {integer}
set rp-candidate-interval {integer}

FortiOS 7.4.4 CLI Reference 879

Fortinet Inc.
set multicast-flow {string}
set static-group {string}
set rpf-nbr-fail-back [enable|disable]
set rpf-nbr-fail-back-filter {string}
config join-group
Description: Join multicast groups.
edit <address>
next
end
config igmp
Description: IGMP configuration options.
set access-group {string}
set version [3|2|...]
set immediate-leave-group {string}
set last-member-query-interval {integer}
set last-member-query-count {integer}
set query-max-response-time {integer}
set query-interval {integer}
set query-timeout {integer}
set router-alert-check [enable|disable]
end
next
end
set multicast-routing [enable|disable]
config pim-sm-global
Description: PIM sparse-mode global settings.
set message-interval {integer}
set join-prune-holdtime {integer}
set accept-register-list {string}
set accept-source-list {string}
set bsr-candidate [enable|disable]
set bsr-interface {string}
set bsr-priority {integer}
set bsr-hash {integer}
set bsr-allow-quick-refresh [enable|disable]
set cisco-register-checksum [enable|disable]
set cisco-register-checksum-group {string}
set cisco-crp-prefix [enable|disable]
set cisco-ignore-rp-set-priority [enable|disable]
set register-rp-reachability [enable|disable]
set register-source [disable|interface|...]
set register-source-interface {string}
set register-source-ip {ipv4-address}
set register-supression {integer}
set null-register-retries {integer}
set rp-register-keepalive {integer}
set spt-threshold [enable|disable]
set spt-threshold-group {string}
set ssm [enable|disable]
set ssm-range {string}
set register-rate-limit {integer}
set pim-use-sdwan [enable|disable]
config rp-address
Description: Statically configure RP addresses.
edit <id>
set ip-address {ipv4-address}

FortiOS 7.4.4 CLI Reference 880

Fortinet Inc.
set group {string}
next
end
end
set route-limit {integer}
set route-threshold {integer}
end

config router multicast

Parameter Description Type Size Default

multicast- Enable/disable IP multicast routing. option - disable

routing

Option Description

enable Enable IP multicast routing.

disable Disable IP multicast routing.

route-limit Maximum number of multicast routes. integer Minimum 2147483647

value: 1
Maximum
value:
2147483647

route- Generate warnings when the number of multicast integer Minimum

threshold routes exceeds this number, must not be greater value: 1
than route-limit. Maximum
value:
2147483647

config interface

Parameter Description Type Size Default

name Interface name. string Maximum

length: 15

ttl-threshold Minimum TTL of multicast packets that will be integer Minimum 1

forwarded. value: 1
Maximum
value: 255

pim-mode PIM operation mode. option - sparse-

mode

Option Description

sparse-mode sparse-mode

dense-mode dense-mode

FortiOS 7.4.4 CLI Reference 881

Fortinet Inc.
Parameter Description Type Size Default

passive Enable/disable listening to IGMP but not participating option - disable

in PIM.

Option Description

enable Listen only.

disable Participate in PIM.

bfd Enable/disable Protocol Independent Multicast (PIM) option - disable

Bidirectional Forwarding Detection (BFD).

Option Description

enable Enable Protocol Independent Multicast (PIM) Bidirectional Forwarding

Detection (BFD).

disable Disable Protocol Independent Multicast (PIM) Bidirectional Forwarding

Detection (BFD).

neighbour-filter Routers acknowledged as neighbor routers. string Maximum

length: 35

hello-interval Interval between sending PIM hello messages. integer Minimum 30

value: 1
Maximum
value: 65535

hello-holdtime Time before old neighbor information expires. integer Minimum 105
value: 1
Maximum
value: 65535

cisco-exclude- Exclude GenID from hello packets (compatibility with option - disable
genid old Cisco IOS).

Option Description

enable Do not send GenID.

disable Send GenID according to standard.

dr-priority DR election priority. integer Minimum 1

value: 1
Maximum
value:
4294967295

propagation- Delay flooding packets on this interface. integer Minimum 500

delay value: 100
Maximum
value: 5000

FortiOS 7.4.4 CLI Reference 882

Fortinet Inc.
Parameter Description Type Size Default

state-refresh- Interval between sending state-refresh packets. integer Minimum 60

interval value: 1
Maximum
value: 100

rp-candidate Enable/disable compete to become RP in elections. option - disable

Option Description

enable Compete for RP elections.

disable Do not compete for RP elections.

rp-candidate- Multicast groups managed by this RP. string Maximum

group length: 35

rp-candidate- Router's priority as RP. integer Minimum 192

priority value: 0
Maximum
value: 255

rp-candidate- RP candidate advertisement interval. integer Minimum 60

interval value: 1
Maximum
value: 16383

multicast-flow Acceptable source for multicast group. string Maximum

length: 35

static-group Statically set multicast groups to forward out. string Maximum

length: 35

rpf-nbr-fail- Enable/disable fail back for RPF neighbor query. option - disable
back

Option Description

enable Enable fail back for RPF neighbor query.

disable Disable fail back for RPF neighbor query.

rpf-nbr-fail- Filter for fail back RPF neighbors. string Maximum

back-filter length: 35

config join-group

Parameter Description Type Size Default

address Multicast group IP address. ipv4- Not 0.0.0.0

address- Specified
any

FortiOS 7.4.4 CLI Reference 883

Fortinet Inc.
config igmp

Parameter Description Type Size Default

access-group Groups IGMP hosts are allowed to join. string Maximum

length: 35

version Maximum version of IGMP to support. option - 3

Option Description

3 Version 3 and lower.

2 Version 2 and lower.

1 Version 1.

immediate- Groups to drop membership for immediately after string Maximum

leave-group receiving IGMPv2 leave. length: 35

last-member- Timeout between IGMPv2 leave and removing group. integer Minimum 1000
query-interval value: 1
Maximum
value:
65535

last-member- Number of group specific queries before removing integer Minimum 2

query-count group. value: 2
Maximum
value: 7

query-max- Maximum time to wait for a IGMP query response. integer Minimum 10
response- value: 1
time Maximum
value: 25

query-interval Interval between queries to IGMP hosts. integer Minimum 125

value: 1
Maximum
value:
65535

query-timeout Timeout between queries before becoming querying integer Minimum 255
unit for network. value: 60
Maximum
value: 900

router-alert- Enable/disable require IGMP packets contain router option - disable

check alert option.

Option Description

enable Require Router Alert option in IGMP packets.

disable don't require Router Alert option in IGMP packets

FortiOS 7.4.4 CLI Reference 884

Fortinet Inc.
config pim-sm-global

Parameter Description Type Size Default

message- Period of time between sending periodic PIM join/prune integer Minimum 60
interval messages in seconds. value: 1
Maximum
value:
65535

join-prune- Join/prune holdtime. integer Minimum 210

holdtime value: 1
Maximum
value:
65535

accept- Sources allowed to register packets with this string Maximum

accept- Sources allowed to send multicast traffic. string Maximum

source-list length: 35

bsr-candidate Enable/disable allowing this router to become a option - disable

bootstrap router (BSR).

Option Description

enable Allow this router to function as a BSR.

disable Do not allow this router to function as a BSR.

bsr-interface Interface to advertise as candidate BSR. string Maximum

length: 15

Option Description

disable Use source address of RPF interface.

interface Use primary IP of an interface.

ip-address Use a local IP address.

register- Override with primary interface address. string Maximum

source- length: 15
interface

FortiOS 7.4.4 CLI Reference 886

Fortinet Inc.
Parameter Description Type Size Default

register- Override with local IP address. ipv4- Not 0.0.0.0

source-ip address Specified

register- Period of time to honor register-stop message. integer Minimum 60

supression value: 1
Maximum
value:
65535

null-register- Maximum retries of null register. integer Minimum 1

retries value: 1
Maximum
value: 20

rp-register- Timeout for RP receiving data on. integer Minimum 185

keepalive value: 1
Maximum
value:
65535

spt-threshold Enable/disable switching to source specific trees. option - enable

Option Description

enable Switch to Source tree when available.

disable Do not switch to Source tree when available.

spt-threshold- Groups allowed to switch to source tree. string Maximum

group length: 35

ssm Enable/disable source specific multicast. option - disable

Option Description

enable Allow source specific multicast.

disable Do not allow source specific multicast.

ssm-range Groups allowed to source specific multicast. string Maximum

length: 35

register-rate- Limit of packets/sec per source registered through this integer Minimum 0
limit RP. value: 0
Maximum
value:
65535

pim-use- Enable/disable use of SDWAN when checking RPF option - disable

sdwan neighbor and sending of REG packet.

FortiOS 7.4.4 CLI Reference 887

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable use of SDWAN when checking RPF neighbor and sending of REG
packet.

disable Disable use of SDWAN when checking RPF neighbor and sending of REG
packet.

config rp-address

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

ip-address RP router address. ipv4- Not Specified 0.0.0.0

address

group Groups to use this RP. string Maximum

length: 35

config router multicast6

Configure IPv6 multicast.

config router multicast6
Description: Configure IPv6 multicast.
config interface
Description: Protocol Independent Multicast (PIM) interfaces.
edit <name>
set hello-interval {integer}
set hello-holdtime {integer}
next
end
set multicast-pmtu [enable|disable]
set multicast-routing [enable|disable]
config pim-sm-global
Description: PIM sparse-mode global settings.
set register-rate-limit {integer}
config rp-address
Description: Statically configured RP addresses.
edit <id>
set ip6-address {ipv6-address}
next
end
end
end

FortiOS 7.4.4 CLI Reference 888

Fortinet Inc.
config router multicast6

Parameter Description Type Size Default

multicast-pmtu Enable/disable PMTU for IPv6 multicast. option - disable

Option Description

enable Enable PMTU for IPv6 multicast.

disable Disable PMTU for IPv6 multicast.

multicast-routing Enable/disable IPv6 multicast routing. option - disable

Option Description

enable Enable IPv6 multicast routing.

disable Disable IPv6 multicast routing.

config interface

Parameter Description Type Size Default

name Interface name. string Maximum

length: 15

hello-interval Interval between sending PIM hello messages in integer Minimum 30

seconds. value: 1
Maximum
value:
65535

hello-holdtime Time before old neighbor information expires in integer Minimum

seconds. value: 1
Maximum
value:
65535

config pim-sm-global

Parameter Description Type Size Default

register-rate- Limit of packets/sec per source registered through this integer Minimum 0
limit RP (0 means unlimited). value: 0
Maximum
value:
65535

FortiOS 7.4.4 CLI Reference 889

Fortinet Inc.
config rp-address

Parameter Description Type Size Default

id ID of the entry. integer Minimum 0

value: 0
Maximum
value:
4294967295

ip6-address RP router IPv6 address. ipv6- Not Specified ::

address

config router ospf

Configure OSPF.
config router ospf
Description: Configure OSPF.
set abr-type [cisco|ibm|...]
config area
Description: OSPF area configuration.
edit <id>
set shortcut [disable|enable|...]
set authentication [none|text|...]
set default-cost {integer}
set nssa-translator-role [candidate|never|...]
set stub-type [no-summary|summary]
set type [regular|nssa|...]
set nssa-default-information-originate [enable|always|...]
set nssa-default-information-originate-metric {integer}
set nssa-default-information-originate-metric-type [1|2]
set nssa-redistribution [enable|disable]
set comments {var-string}
config range
Description: OSPF area range configuration.
edit <id>
set prefix {ipv4-classnet-any}
set advertise [disable|enable]
set substitute {ipv4-classnet-any}
set substitute-status [enable|disable]
next
end
config virtual-link
Description: OSPF virtual link configuration.
edit <name>
set authentication [none|text|...]
set authentication-key {password}
set keychain {string}
set dead-interval {integer}
set hello-interval {integer}
set retransmit-interval {integer}
set transmit-delay {integer}
set peer {ipv4-address-any}

FortiOS 7.4.4 CLI Reference 890

Fortinet Inc.
config md5-keys
Description: MD5 key.
edit <id>
set key-string {password}
next
end
next
end
config filter-list
Description: OSPF area filter-list configuration.
edit <id>
set list {string}
set direction [in|out]
next
end
next
end
set auto-cost-ref-bandwidth {integer}
set bfd [enable|disable]
set database-overflow [enable|disable]
set database-overflow-max-lsas {integer}
set database-overflow-time-to-recover {integer}
set default-information-metric {integer}
set default-information-metric-type [1|2]
set default-information-originate [enable|always|...]
set default-information-route-map {string}
set default-metric {integer}
set distance {integer}
set distance-external {integer}
set distance-inter-area {integer}
set distance-intra-area {integer}
config distribute-list
Description: Distribute list configuration.
edit <id>
set access-list {string}
set protocol [connected|static|...]
next
end
set distribute-list-in {string}
set distribute-route-map-in {string}
set log-neighbour-changes [enable|disable]
config neighbor
Description: OSPF neighbor configuration are used when OSPF runs on non-broadcast
media.
edit <id>
set ip {ipv4-address}
set poll-interval {integer}
set cost {integer}
set priority {integer}
next
end
config network
Description: OSPF network configuration.
edit <id>
set prefix {ipv4-classnet}
set area {ipv4-address-any}

FortiOS 7.4.4 CLI Reference 891

Fortinet Inc.
set comments {var-string}
next
end
config ospf-interface
Description: OSPF interface configuration.
edit <name>
set comments {var-string}
set interface {string}
set ip {ipv4-address}
set authentication [none|text|...]
set authentication-key {password}
set keychain {string}
set prefix-length {integer}
set retransmit-interval {integer}
set transmit-delay {integer}
set cost {integer}
set priority {integer}
set dead-interval {integer}
set hello-interval {integer}
set hello-multiplier {integer}
set database-filter-out [enable|disable]
set mtu {integer}
set mtu-ignore [enable|disable]
set network-type [broadcast|non-broadcast|...]
set bfd [global|enable|...]
set status [disable|enable]
set resync-timeout {integer}
config md5-keys
Description: MD5 key.
edit <id>
set key-string {password}
next
end
next
end
set passive-interface <name1>, <name2>, ...
config redistribute
Description: Redistribute configuration.
edit <name>
set status [enable|disable]
set metric {integer}
set routemap {string}
set metric-type [1|2]
set tag {integer}
next
end
set restart-mode [none|lls|...]
set restart-on-topology-change [enable|disable]
set restart-period {integer}
set rfc1583-compatible [enable|disable]
set router-id {ipv4-address-any}
set spf-timers {user}
config summary-address
Description: IP address summary configuration.
edit <id>
set prefix {ipv4-classnet}

FortiOS 7.4.4 CLI Reference 892

Fortinet Inc.
set tag {integer}
set advertise [disable|enable]
next
end
end

config router ospf

Parameter Description Type Size Default

abr-type Area border router type. option - standard

Option Description

cisco Cisco.

ibm IBM.

shortcut Shortcut.

standard Standard.

auto-cost-ref- Reference bandwidth in terms of megabits per integer Minimum 1000

bandwidth second. value: 1
Maximum
value:
1000000

bfd Bidirectional Forwarding Detection (BFD). option - disable

Option Description

enable Enable setting.

disable Disable setting.

database- Enable/disable database overflow. option - disable

overflow

Option Description

enable Enable setting.

disable Disable setting.

database- Database overflow maximum LSAs. integer Minimum 10000

overflow-max- value: 0
lsas Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 893

Fortinet Inc.
Parameter Description Type Size Default

database- Database overflow time to recover (sec). integer Minimum 300

overflow-time- value: 0
to-recover Maximum
value: 65535

default- Default information metric. integer Minimum 10

information- value: 1
metric Maximum
value:
16777214

default- Default information metric type. option - 2

information-
metric-type

Option Description

1 Type 1.

2 Type 2.

default- Enable/disable generation of default route. option - disable

information-
originate

Option Description

enable Enable setting.

always Always advertise the default router.

disable Disable setting.

default- Default information route map. string Maximum

information- length: 35
route-map

default-metric Default metric of redistribute routes. integer Minimum 10

value: 1
Maximum
value:
16777214

distance Distance of the route. integer Minimum 110

value: 1
Maximum
value: 255

FortiOS 7.4.4 CLI Reference 894

Fortinet Inc.
Parameter Description Type Size Default

distance- Administrative external distance. integer Minimum 110

external value: 1
Maximum
value: 255

distance-inter- Administrative inter-area distance. integer Minimum 110

area value: 1
Maximum
value: 255

distance-intra- Administrative intra-area distance. integer Minimum 110

area value: 1
Maximum
value: 255

distribute-list- Filter incoming routes. string Maximum

in length: 35

distribute- Filter incoming external routes by route-map. string Maximum

route-map-in length: 35

log- Log of OSPF neighbor changes. option - enable

neighbour-
changes

Option Description

enable Enable setting.

disable Disable setting.

passive- Passive interface configuration. string Maximum

interface Passive interface name. length: 79
<name>

restart-mode OSPF restart mode (graceful or LLS). option - none

Option Description

none Hitless restart disabled.

lls LLS mode.

graceful-restart Graceful Restart Mode.

restart-on- Enable/disable continuing graceful restart upon option - disable

topology- topology change.
change

Option Description

enable Continue graceful restart upon topology change.

FortiOS 7.4.4 CLI Reference 895

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Exit graceful restart upon topology change.

restart-period Graceful restart period. integer Minimum 120

value: 1
Maximum
value: 3600

rfc1583- Enable/disable RFC1583 compatibility. option - disable

compatible

Option Description

enable Enable setting.

disable Disable setting.

router-id Router ID. ipv4- Not Specified 0.0.0.0

address-
any

spf-timers SPF calculation frequency. user Not Specified

config area

Parameter Description Type Size Default

id Area entry IP address. ipv4- Not Specified 0.0.0.0

address-
any

shortcut Enable/disable shortcut option. option - disable

Option Description

disable Disable shortcut option.

enable Enable shortcut option.

default Default shortcut option.

authentication Authentication type. option - none

Option Description

none None.

text Text.

message-digest Message digest.

FortiOS 7.4.4 CLI Reference 896

nssa-default- Redistribute, advertise, or do not originate Type-7 option - disable

information- default route into NSSA area.
originate

Option Description

enable Redistribute Type-7 default route from routing table.

always Advertise a self-originated Type-7 default route.

disable Do not advertise Type-7 default route.

nssa-default- OSPF default metric. integer Minimum 10

information- value: 0
originate-metric Maximum
value:
16777214

FortiOS 7.4.4 CLI Reference 897

Fortinet Inc.
Parameter Description Type Size Default

nssa-default- OSPF metric type for default routes. option - 2

information-
originate-metric-
type

Option Description

1 Type 1.

2 Type 2.

nssa- Enable/disable redistribute into NSSA area. option - enable

redistribution

Option Description

enable Enable redistribute into NSSA area.

disable Disable redistribute into NSSA area.

comments Comment. var-string Maximum

length: 255

config range

Parameter Description Type Size Default

id Range entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

prefix Prefix. ipv4- Not Specified 0.0.0.0

classnet- 0.0.0.0
any

advertise Enable/disable advertise status. option - enable

Option Description

disable Disable advertise status.

enable Enable advertise status.

substitute Substitute prefix. ipv4- Not Specified 0.0.0.0

classnet- 0.0.0.0
any

substitute- Enable/disable substitute status. option - disable

status

FortiOS 7.4.4 CLI Reference 898

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable substitute status.

disable Disable substitute status.

config virtual-link

Parameter Description Type Size Default

name Virtual link entry name. string Maximum

length: 35

authentication Authentication type. option - none

Option Description

none None.

text Text.

message-digest Message digest.

authentication- Authentication key. password Not

key Specified

keychain Message-digest key-chain name. string Maximum

length: 35

dead-interval Dead interval. integer Minimum 40

value: 1
Maximum
value:
65535

hello-interval Hello interval. integer Minimum 10

value: 1
Maximum
value:
65535

retransmit- Retransmit interval. integer Minimum 5

interval value: 1
Maximum
value:
65535

FortiOS 7.4.4 CLI Reference 899

Fortinet Inc.
Parameter Description Type Size Default

transmit-delay Transmit delay. integer Minimum 1

value: 1
Maximum
value:
65535

peer Peer IP. ipv4- Not 0.0.0.0

address- Specified
any

config md5-keys

Parameter Description Type Size Default

id Key ID. integer Minimum 0

value: 1
Maximum
value: 255

key-string Password for the key. password Not

Specified

config md5-keys

Parameter Description Type Size Default

id Key ID. integer Minimum 0

value: 1
Maximum
value: 255

key-string Password for the key. password Not

Specified

config filter-list

Parameter Description Type Size Default

id Filter list entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

list Access-list or prefix-list name. string Maximum

length: 35

direction Direction. option - out

FortiOS 7.4.4 CLI Reference 900

Fortinet Inc.
Parameter Description Type Size Default

Option Description

in In.

out Out.

config distribute-list

Parameter Description Type Size Default

id Distribute list entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

access-list Access list name. string Maximum

length: 35

protocol Protocol type. option - connected

Option Description

connected Connected type.

static Static type.

rip RIP type.

config neighbor

Parameter Description Type Size Default

id Neighbor entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

ip Interface IP address of the neighbor. ipv4- Not Specified 0.0.0.0

address

poll-interval Poll interval time in seconds. integer Minimum 10

value: 1
Maximum
value: 65535

FortiOS 7.4.4 CLI Reference 901

Fortinet Inc.
Parameter Description Type Size Default

cost Cost of the interface, value range from 0 to 65535, 0 integer Minimum 0
means auto-cost. value: 0
Maximum
value: 65535

priority Priority. integer Minimum 1

value: 0
Maximum
value: 255

config network

Parameter Description Type Size Default

id Network entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

prefix Prefix. ipv4- Not Specified 0.0.0.0

classnet 0.0.0.0

area Attach the network to area. ipv4- Not Specified 0.0.0.0

address-
any

comments Comment. var-string Maximum

length: 255

config ospf-interface

Parameter Description Type Size Default

name Interface entry name. string Maximum

length: 35

comments Comment. var-string Maximum

length: 255

interface Configuration interface name. string Maximum

length: 15

ip IP address. ipv4- Not 0.0.0.0

address Specified

authentication Authentication type. option - none

FortiOS 7.4.4 CLI Reference 902

Fortinet Inc.
Parameter Description Type Size Default

Option Description

none None.

text Text.

message-digest Message digest.

authentication- Authentication key. password Not

key Specified

keychain Message-digest key-chain name. string Maximum

length: 35

prefix-length Prefix length. integer Minimum 0

value: 0
Maximum
value: 32

retransmit- Retransmit interval. integer Minimum 5

interval value: 1
Maximum
value:
65535

transmit-delay Transmit delay. integer Minimum 1

value: 1
Maximum
value:
65535

cost Cost of the interface, value range from 0 to 65535, 0 integer Minimum 0
means auto-cost. value: 0
Maximum
value:
65535

priority Priority. integer Minimum 1

value: 0
Maximum
value: 255

dead-interval Dead interval. integer Minimum 0

value: 0
Maximum
value:
65535

FortiOS 7.4.4 CLI Reference 903

Fortinet Inc.
Parameter Description Type Size Default

hello-interval Hello interval. integer Minimum 0

value: 0
Maximum
value:
65535

hello-multiplier Number of hello packets within dead interval. integer Minimum 0

value: 3
Maximum
value: 10

database-filter- Enable/disable control of flooding out LSAs. option - disable

out

Option Description

enable Enable setting.

disable Disable setting.

mtu MTU for database description packets. integer Minimum 0

value: 576
Maximum
value:
65535

mtu-ignore Enable/disable ignore MTU. option - disable

Option Description

enable Enable setting.

disable Disable setting.

network-type Network type. option - broadcast

Option Description

broadcast Broadcast.

non-broadcast Non-broadcast.

point-to-point Point-to-point.

point-to- Point-to-multipoint.
multipoint

point-to- Point-to-multipoint and non-broadcast.

multipoint-non-
broadcast

bfd Bidirectional Forwarding Detection (BFD). option - global

FortiOS 7.4.4 CLI Reference 904

Fortinet Inc.
Parameter Description Type Size Default

Option Description

global Follow global configuration.

enable Enable BFD on this interface.

disable Disable BFD on this interface.

status Enable/disable status. option - enable

Option Description

disable Disable status.

enable Enable status.

resync-timeout Graceful restart neighbor resynchronization timeout. integer Minimum 40

value: 1
Maximum
value: 3600

config md5-keys

Parameter Description Type Size Default

id Key ID. integer Minimum 0

value: 1
Maximum
value: 255

key-string Password for the key. password Not

Specified

config md5-keys

Parameter Description Type Size Default

id Key ID. integer Minimum 0

value: 1
Maximum
value: 255

key-string Password for the key. password Not

Specified

FortiOS 7.4.4 CLI Reference 905

Fortinet Inc.
config redistribute

Parameter Description Type Size Default

name Redistribute name. string Maximum

length: 35

status Status. option - disable

Option Description

enable Enable setting.

disable Disable setting.

metric Redistribute metric setting. integer Minimum 0

value: 0
Maximum
value:
16777214

routemap Route map name. string Maximum

length: 35

metric-type Metric type. option - 2

Option Description

1 Type 1.

2 Type 2.

tag Tag value. integer Minimum 0

value: 0
Maximum
value:
4294967295

config summary-address

Parameter Description Type Size Default

id Summary address entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

prefix Prefix. ipv4- Not Specified 0.0.0.0

classnet 0.0.0.0

FortiOS 7.4.4 CLI Reference 906

Fortinet Inc.
Parameter Description Type Size Default

tag Tag value. integer Minimum 0

value: 0
Maximum
value:
4294967295

advertise Enable/disable advertise status. option - enable

Option Description

disable Disable advertise status.

enable Enable advertise status.

config router ospf6

Configure IPv6 OSPF.

config router ospf6
Description: Configure IPv6 OSPF.
set abr-type [cisco|ibm|...]
config area
Description: OSPF6 area configuration.
edit <id>
set default-cost {integer}
set nssa-translator-role [candidate|never|...]
set stub-type [no-summary|summary]
set type [regular|nssa|...]
set nssa-default-information-originate [enable|disable]
set nssa-default-information-originate-metric {integer}
set nssa-default-information-originate-metric-type [1|2]
set nssa-redistribution [enable|disable]
set authentication [none|ah|...]
set key-rollover-interval {integer}
set ipsec-auth-alg [md5|sha1|...]
set ipsec-enc-alg [null|des|...]
config ipsec-keys
Description: IPsec authentication and encryption keys.
edit <spi>
set auth-key {password}
set enc-key {password}
next
end
config range
Description: OSPF6 area range configuration.
edit <id>
set prefix6 {ipv6-network}
set advertise [disable|enable]
next
end
config virtual-link
Description: OSPF6 virtual link configuration.

FortiOS 7.4.4 CLI Reference 907

Fortinet Inc.
edit <name>
set dead-interval {integer}
set hello-interval {integer}
set retransmit-interval {integer}
set transmit-delay {integer}
set peer {ipv4-address-any}
set authentication [none|ah|...]
set key-rollover-interval {integer}
set ipsec-auth-alg [md5|sha1|...]
set ipsec-enc-alg [null|des|...]
config ipsec-keys
Description: IPsec authentication and encryption keys.
edit <spi>
set auth-key {password}
set enc-key {password}
next
end
next
end
next
end
set auto-cost-ref-bandwidth {integer}
set bfd [enable|disable]
set default-information-metric {integer}
set default-information-metric-type [1|2]
set default-information-originate [enable|always|...]
set default-information-route-map {string}
set default-metric {integer}
set log-neighbour-changes [enable|disable]
config ospf6-interface
Description: OSPF6 interface configuration.
edit <name>
set area-id {ipv4-address-any}
set interface {string}
set retransmit-interval {integer}
set transmit-delay {integer}
set cost {integer}
set priority {integer}
set dead-interval {integer}
set hello-interval {integer}
set status [disable|enable]
set network-type [broadcast|point-to-point|...]
set bfd [global|enable|...]
set mtu {integer}
set mtu-ignore [enable|disable]
set authentication [none|ah|...]
set key-rollover-interval {integer}
set ipsec-auth-alg [md5|sha1|...]
set ipsec-enc-alg [null|des|...]
config ipsec-keys
Description: IPsec authentication and encryption keys.
edit <spi>
set auth-key {password}
set enc-key {password}
next
end

FortiOS 7.4.4 CLI Reference 908

Fortinet Inc.
config neighbor
Description: OSPFv3 neighbors are used when OSPFv3 runs on non-broadcast
media.
edit <ip6>
set poll-interval {integer}
set cost {integer}
set priority {integer}
next
end
next
end
set passive-interface <name1>, <name2>, ...
config redistribute
Description: Redistribute configuration.
edit <name>
set status [enable|disable]
set metric {integer}
set routemap {string}
set metric-type [1|2]
next
end
set restart-mode [none|graceful-restart]
set restart-on-topology-change [enable|disable]
set restart-period {integer}
set router-id {ipv4-address-any}
set spf-timers {user}
config summary-address
Description: IPv6 address summary configuration.
edit <id>
set prefix6 {ipv6-network}
set advertise [disable|enable]
set tag {integer}
next
end
end

config router ospf6

Parameter Description Type Size Default

abr-type Area border router type. option - standard

Option Description

cisco Cisco.

ibm IBM.

standard Standard.

auto-cost-ref- Reference bandwidth in terms of megabits per second. integer Minimum 1000
bandwidth value: 1
Maximum
value:
1000000

FortiOS 7.4.4 CLI Reference 909

Fortinet Inc.
Parameter Description Type Size Default

bfd Enable/disable Bidirectional Forwarding Detection option - disable

(BFD).

Option Description

enable Enable Bidirectional Forwarding Detection (BFD).

disable Disable Bidirectional Forwarding Detection (BFD).

default- Default information metric. integer Minimum 10

information- value: 1
metric Maximum
value:
16777214

default- Default information metric type. option - 2

information-
metric-type

Option Description

1 Type 1.

2 Type 2.

default- Enable/disable generation of default route. option - disable

information-
originate

Option Description

enable Enable setting.

always Always advertise the default router.

disable Disable setting.

default- Default information route map. string Maximum

information- length: 35
route-map

default-metric Default metric of redistribute routes. integer Minimum 10

value: 1
Maximum
value:
16777214

log- Log OSPFv3 neighbor changes. option - enable

neighbour-
changes

FortiOS 7.4.4 CLI Reference 910

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

passive- Passive interface configuration. string Maximum

interface Passive interface name. length: 79
<name>

restart-mode OSPFv3 restart mode (graceful or none). option - none

Option Description

none Disable hitless restart.

graceful-restart Enable graceful restart mode.

restart-on- Enable/disable continuing graceful restart upon option - disable

topology- topology change.
change

Option Description

enable Continue graceful restart upon topology change.

disable Exit graceful restart upon topology change.

restart-period Graceful restart period in seconds. integer Minimum 120

value: 1
Maximum
value: 3600

router-id A.B.C.D, in IPv4 address format. ipv4- Not 0.0.0.0

address- Specified
any

spf-timers SPF calculation frequency. user Not

Specified

config area

Parameter Description Type Size Default

id Area entry IP address. ipv4- Not 0.0.0.0

address- Specified
any

FortiOS 7.4.4 CLI Reference 911

nssa-default- Enable/disable originate type 7 default into NSSA option - disable

information- area.
originate

Option Description

enable Enable originate type 7 default into NSSA area.

disable Disable originate type 7 default into NSSA area.

nssa-default- OSPFv3 default metric. integer Minimum 10

none Disable authentication.

ah Authentication Header.

esp Encapsulating Security Payload.

key-rollover- Key roll-over interval. integer Minimum 300

interval value: 300
Maximum
value:
216000

ipsec-auth-alg Authentication algorithm. option - md5

Option Description

md5 MD5.

sha1 SHA1.

sha256 SHA256.

sha384 SHA384.

sha512 SHA512.

ipsec-enc-alg Encryption algorithm. option - null

FortiOS 7.4.4 CLI Reference 913

Fortinet Inc.
Parameter Description Type Size Default

Option Description

null No encryption.

des DES.

3des 3DES.

aes128 AES128.

aes192 AES192.

aes256 AES256.

config ipsec-keys

Parameter Description Type Size Default

spi Security Parameters Index. integer Minimum 0

value: 256
Maximum
value:
4294967295

auth-key Authentication key. password Not Specified

enc-key Encryption key. password Not Specified

config ipsec-keys

Parameter Description Type Size Default

spi Security Parameters Index. integer Minimum 0

value: 256
Maximum
value:
4294967295

auth-key Authentication key. password Not Specified

enc-key Encryption key. password Not Specified

FortiOS 7.4.4 CLI Reference 914

Fortinet Inc.
config range

Parameter Description Type Size Default

id Range entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

prefix6 IPv6 prefix. ipv6- Not Specified ::/0

network

advertise Enable/disable advertise status. option - enable

Option Description

disable disable

enable enable

config virtual-link

ah Authentication Header.

esp Encapsulating Security Payload.

area Use the routing area's authentication configuration.

key-rollover- Key roll-over interval. integer Minimum 300

interval value: 300
Maximum
value:
216000

ipsec-auth-alg Authentication algorithm. option - md5

Option Description

md5 MD5.

sha1 SHA1.

sha256 SHA256.

sha384 SHA384.

sha512 SHA512.

ipsec-enc-alg Encryption algorithm. option - null

Option Description

null No encryption.

des DES.

3des 3DES.

aes128 AES128.

aes192 AES192.

aes256 AES256.

FortiOS 7.4.4 CLI Reference 916

Fortinet Inc.
config ipsec-keys

Parameter Description Type Size Default

spi Security Parameters Index. integer Minimum 0

value: 256
Maximum
value:
4294967295

auth-key Authentication key. password Not Specified

enc-key Encryption key. password Not Specified

config ipsec-keys

Parameter Description Type Size Default

spi Security Parameters Index. integer Minimum 0

value: 256
Maximum
value:
4294967295

auth-key Authentication key. password Not Specified

enc-key Encryption key. password Not Specified

config ospf6-interface

Parameter Description Type Size Default

name Interface entry name. string Maximum

length: 35

area-id A.B.C.D, in IPv4 address format. ipv4- Not 0.0.0.0

address- Specified
any

interface Configuration interface name. string Maximum

length: 15

retransmit- Retransmit interval. integer Minimum 5

interval value: 1
Maximum
value:
65535

FortiOS 7.4.4 CLI Reference 917

Fortinet Inc.
Parameter Description Type Size Default

transmit-delay Transmit delay. integer Minimum 1

value: 1
Maximum
value:
65535

cost Cost of the interface, value range from 0 to 65535, 0 integer Minimum 0
means auto-cost. value: 0
Maximum
value:
65535

priority Priority. integer Minimum 1

value: 0
Maximum
value: 255

dead-interval Dead interval. integer Minimum 0

value: 1
Maximum
value:
65535

hello-interval Hello interval. integer Minimum 0

value: 1
Maximum
value:
65535

status Enable/disable OSPF6 routing on this interface. option - enable

Option Description

disable Disable OSPF6 routing.

enable Enable OSPF6 routing.

network-type Network type. option - broadcast

Option Description

broadcast broadcast

point-to-point point-to-point

non-broadcast non-broadcast

point-to- point-to-multipoint
multipoint

enable Ignore MTU field in DBD packets.

disable Do not ignore MTU field in DBD packets.

authentication Authentication mode. option - area

Option Description

none Disable authentication.

ah Authentication Header.

esp Encapsulating Security Payload.

area Use the routing area's authentication configuration.

key-rollover- Key roll-over interval. integer Minimum 300

interval value: 300
Maximum
value:
216000

ipsec-auth-alg Authentication algorithm. option - md5

FortiOS 7.4.4 CLI Reference 919

Fortinet Inc.
Parameter Description Type Size Default

Option Description

md5 MD5.

sha1 SHA1.

sha256 SHA256.

sha384 SHA384.

sha512 SHA512.

ipsec-enc-alg Encryption algorithm. option - null

Option Description

null No encryption.

des DES.

3des 3DES.

aes128 AES128.

aes192 AES192.

aes256 AES256.

config ipsec-keys

Parameter Description Type Size Default

spi Security Parameters Index. integer Minimum 0

value: 256
Maximum
value:
4294967295

auth-key Authentication key. password Not Specified

enc-key Encryption key. password Not Specified

config ipsec-keys

Parameter Description Type Size Default

spi Security Parameters Index. integer Minimum 0

value: 256
Maximum
value:
4294967295

auth-key Authentication key. password Not Specified

FortiOS 7.4.4 CLI Reference 920

Fortinet Inc.
Parameter Description Type Size Default

enc-key Encryption key. password Not Specified

config neighbor

Parameter Description Type Size Default

ip6 IPv6 link local address of the neighbor. ipv6- Not ::

address Specified

poll-interval Poll interval time in seconds. integer Minimum 10

value: 1
Maximum
value:
65535

cost Cost of the interface, value range from 0 to 65535, 0 integer Minimum 0
means auto-cost. value: 0
Maximum
value:
65535

priority Priority. integer Minimum 1

value: 0
Maximum
value: 255

config redistribute

Parameter Description Type Size Default

name Redistribute name. string Maximum

length: 35

status Status. option - disable

Option Description

enable Enable setting.

disable Disable setting.

metric Redistribute metric setting. integer Minimum 0

value: 0
Maximum
value:
16777214

routemap Route map name. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 921

Fortinet Inc.
Parameter Description Type Size Default

metric-type Metric type. option - 2

Option Description

1 Type 1.

2 Type 2.

config summary-address

Parameter Description Type Size Default

id Summary address entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

prefix6 IPv6 prefix. ipv6- Not Specified ::/0

network

advertise Enable/disable advertise status. option - enable

Option Description

disable disable

enable enable

tag Tag value. integer Minimum 0

value: 0
Maximum
value:
4294967295

config router policy

Configure IPv4 routing policies.

config router policy
Description: Configure IPv4 routing policies.
edit <seq-num>
set action [deny|permit]
set comments {var-string}
set dst <subnet1>, <subnet2>, ...
set dst-negate [enable|disable]
set dstaddr <name1>, <name2>, ...
set end-port {integer}
set end-source-port {integer}
set gateway {ipv4-address}
set input-device <name1>, <name2>, ...

FortiOS 7.4.4 CLI Reference 922

Fortinet Inc.
set input-device-negate [enable|disable]
set internet-service-custom <name1>, <name2>, ...
set internet-service-id <id1>, <id2>, ...
set output-device {string}
set protocol {integer}
set src <subnet1>, <subnet2>, ...
set src-negate [enable|disable]
set srcaddr <name1>, <name2>, ...
set start-port {integer}
set start-source-port {integer}
set status [enable|disable]
set tos {user}
set tos-mask {user}
next
end

config router policy

Parameter Description Type Size Default

action Action of the policy route. option - permit

Option Description

deny Do not search policy route table.

permit Use this policy route for forwarding.

comments Optional comments. var-string Maximum

length: 255

dst Destination IP and mask (x.x.x.x/x). string Maximum

<subnet> IP and mask. length: 79

dst-negate Enable/disable negating destination address match. option - disable

Option Description

enable Enable destination address negation.

disable Disable destination address negation.

dstaddr Destination address name. string Maximum

<name> Address/group name. length: 79

end-port End destination port number. integer Minimum 65535

value: 0
Maximum
value: 65535

end-source- End source port number. integer Minimum 65535

port value: 0
Maximum
value: 65535

FortiOS 7.4.4 CLI Reference 923

Fortinet Inc.
Parameter Description Type Size Default

gateway IP address of the gateway. ipv4- Not Specified 0.0.0.0

address

input-device Incoming interface name. string Maximum

<name> Interface name. length: 79

input-device- Enable/disable negation of input device match. option - disable

negate

Option Description

enable Enable negation of input device match.

disable Disable negation of input device match.

internet- Custom Destination Internet Service name. string Maximum

service- Custom Destination Internet Service name. length: 79
custom
<name>

internet- Destination Internet Service ID. integer Minimum

service-id Destination Internet Service ID. value: 0
<id> Maximum
value:
4294967295

output-device Outgoing interface name. string Maximum

length: 35

protocol Protocol number. integer Minimum 0

value: 0
Maximum
value: 255

seq-num Sequence number. integer Minimum 0

value: 1
Maximum
value: 65535

src Source IP and mask (x.x.x.x/x). string Maximum

<subnet> IP and mask. length: 79

src-negate Enable/disable negating source address match. option - disable

Option Description

enable Enable source address negation.

disable Disable source address negation.

srcaddr Source address name. string Maximum

<name> Address/group name. length: 79

FortiOS 7.4.4 CLI Reference 924

Fortinet Inc.
Parameter Description Type Size Default

start-port Start destination port number. integer Minimum 0

value: 0
Maximum
value: 65535

<name> Address/group name. length: 79

end-port End destination port number. integer Minimum 65535

value: 1
Maximum
value: 65535

end-source- End source port number. integer Minimum 65535

port value: 1
Maximum
value: 65535

gateway IPv6 address of the gateway. ipv6- Not Specified ::

address

input-device Incoming interface name. string Maximum

<name> Interface name. length: 79

input-device- Enable/disable negation of input device match. option - disable

negate

Option Description

enable Enable negation of input device match.

disable Disable negation of input device match.

FortiOS 7.4.4 CLI Reference 926

Fortinet Inc.
Parameter Description Type Size Default

internet- Custom Destination Internet Service name. string Maximum

service- Custom Destination Internet Service name. length: 79
custom
<name>

internet- Destination Internet Service ID. integer Minimum

service-id Destination Internet Service ID. value: 0
<id> Maximum
value:
4294967295

output-device Outgoing interface name. string Maximum

length: 35

protocol Protocol number. integer Minimum 0

value: 0
Maximum
value: 255

seq-num Sequence number. integer Minimum 0

value: 1
Maximum
value: 65535

src <addr6> Source IPv6 prefix. string Maximum

IPv6 address prefix. length: 79

src-negate Enable/disable negating source address match. option - disable

Option Description

enable Enable source address negation.

disable Disable source address negation.

srcaddr Source address name. string Maximum

<name> Address/group name. length: 79

start-port Start destination port number. integer Minimum 1

value: 1
Maximum
value: 65535

start-source- Start source port number. integer Minimum 1

port value: 1
Maximum
value: 65535

status Enable/disable this policy route. option - enable

FortiOS 7.4.4 CLI Reference 927

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable this policy route.

disable Disable this policy route.

tos Type of service bit pattern. user Not Specified

tos-mask Type of service evaluated bits. user Not Specified

config router prefix-list

Configure IPv4 prefix lists.

config router prefix-list
Description: Configure IPv4 prefix lists.
edit <name>
set comments {string}
config rule
Description: IPv4 prefix list rule.
edit <id>
set action [permit|deny]
set prefix {user}
set ge {integer}
set le {integer}
next
end
next
end

config router prefix-list

Parameter Description Type Size Default

comments Comment. string Maximum

length: 127

name Name. string Maximum

length: 35

config rule

Parameter Description Type Size Default

id Rule ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 928

Fortinet Inc.
Parameter Description Type Size Default

action Permit or deny this IP address and netmask prefix. option - permit

Option Description

permit Allow or permit packets that match this rule.

deny Deny packets that match this rule.

prefix IPv4 prefix to define regular filter criteria, such as user Not Specified 0.0.0.0
"any" or subnets. 0.0.0.0

ge Minimum prefix length to be matched. integer Minimum

value: 0
Maximum
value: 32

le Maximum prefix length to be matched. integer Minimum

value: 0
Maximum
value: 32

config router prefix-list6

Configure IPv6 prefix lists.

config router prefix-list6
Description: Configure IPv6 prefix lists.
edit <name>
set comments {string}
config rule
Description: IPv6 prefix list rule.
edit <id>
set action [permit|deny]
set prefix6 {user}
set ge {integer}
set le {integer}
set flags {integer}
next
end
next
end

config router prefix-list6

Parameter Description Type Size Default

comments Comment. string Maximum

length: 127

name Name. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 929

Fortinet Inc.
config rule

Parameter Description Type Size Default

id Rule ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

action Permit or deny packets that match this rule. option - permit

Option Description

permit Allow or permit packets that match this rule.

deny Deny packets that match this rule.

prefix6 IPv6 prefix to define regular filter criteria, such as user Not Specified
"any" or subnets.

ge Minimum prefix length to be matched. integer Minimum

value: 0
Maximum
value: 128

le Maximum prefix length to be matched. integer Minimum

value: 0
Maximum
value: 128

flags Flags. integer Minimum 0

value: 0
Maximum
value:
4294967295

config router rip

Configure RIP.
config router rip
Description: Configure RIP.
set default-information-originate [enable|disable]
set default-metric {integer}
config distance
Description: Distance.
edit <id>
set prefix {ipv4-classnet-any}
set distance {integer}
set access-list {string}
next
end
config distribute-list

FortiOS 7.4.4 CLI Reference 930

Fortinet Inc.
Description: Distribute list.
edit <id>
set status [enable|disable]
set direction [in|out]
set listname {string}
set interface {string}
next
end
set garbage-timer {integer}
config interface
Description: RIP interface configuration.
edit <name>
set auth-keychain {string}
set auth-mode [none|text|...]
set auth-string {password}
set receive-version {option1}, {option2}, ...
set send-version {option1}, {option2}, ...
set send-version2-broadcast [disable|enable]
set split-horizon-status [enable|disable]
set split-horizon [poisoned|regular]
set flags {integer}
next
end
set max-out-metric {integer}
config neighbor
Description: Neighbor.
edit <id>
set ip {ipv4-address}
next
end
config network
Description: Network.
edit <id>
set prefix {ipv4-classnet}
next
end
config offset-list
Description: Offset list.
edit <id>
set status [enable|disable]
set direction [in|out]
set access-list {string}
set offset {integer}
set interface {string}
next
end
set passive-interface <name1>, <name2>, ...
config redistribute
Description: Redistribute configuration.
edit <name>
set status [enable|disable]
set metric {integer}
set routemap {string}
next
end
set timeout-timer {integer}

FortiOS 7.4.4 CLI Reference 931

Fortinet Inc.
set update-timer {integer}
set version [1|2]
end

config router rip

Parameter Description Type Size Default

default- Enable/disable generation of default route. option - disable

information-
originate

Option Description

enable Enable setting.

disable Disable setting.

default-metric Default metric. integer Minimum 1

value: 1
Maximum
value: 16

garbage-timer Garbage timer in seconds. integer Minimum 120

value: 5
Maximum
value:
2147483647

max-out- Maximum metric allowed to output(0 means 'not set'). integer Minimum 0
metric value: 0
Maximum
value: 15

passive- Passive interface configuration. string Maximum

interface Passive interface name. length: 79
<name>

timeout-timer Timeout timer in seconds. integer Minimum 180

value: 5
Maximum
value:
2147483647

update-timer Update timer in seconds. integer Minimum 30

value: 1
Maximum
value:
2147483647

version RIP version. option - 2

FortiOS 7.4.4 CLI Reference 932

Fortinet Inc.
Parameter Description Type Size Default

Option Description

1 Version 1.

2 Version 2.

config distance

Parameter Description Type Size Default

id Distance ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

prefix Distance prefix. ipv4- Not Specified 0.0.0.0

classnet- 0.0.0.0
any

distance Distance. integer Minimum 0

value: 1
Maximum
value: 255

access-list Access list for route destination. string Maximum

length: 35

config distribute-list

Parameter Description Type Size Default

id Distribute list ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

status Status. option - disable

Option Description

enable Enable setting.

disable Disable setting.

direction Distribute list direction. option - out

FortiOS 7.4.4 CLI Reference 933

Fortinet Inc.
Parameter Description Type Size Default

Option Description

in Filter incoming packets.

out Filter outgoing packets.

listname Distribute access/prefix list name. string Maximum

length: 35

interface Distribute list interface name. string Maximum

length: 15

config interface

Parameter Description Type Size Default

name Interface name. string Maximum

length: 35

auth-keychain Authentication key-chain name. string Maximum

length: 35

auth-mode Authentication mode. option - none

Option Description

none None.

text Text.

md5 MD5.

auth-string Authentication string/password. password Not

Specified

receive- Receive version. option -

version

Option Description

1 Version 1.

2 Version 2.

send-version Send version. option -

Option Description

1 Version 1.

2 Version 2.

FortiOS 7.4.4 CLI Reference 934

Fortinet Inc.
Parameter Description Type Size Default

send- Enable/disable broadcast version 1 compatible packets. option - disable

version2-
broadcast

Option Description

disable Disable broadcasting.

enable Enable broadcasting.

split-horizon- Enable/disable split horizon. option - enable

status

Option Description

enable Enable setting.

disable Disable setting.

split-horizon Enable/disable split horizon. option - poisoned

Option Description

poisoned Poisoned.

regular Regular.

flags Flags. integer Minimum 8

value: 0
Maximum
value: 255

config neighbor

Parameter Description Type Size Default

id Neighbor entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

ip IP address. ipv4- Not Specified 0.0.0.0

address

FortiOS 7.4.4 CLI Reference 935

Fortinet Inc.
config network

Parameter Description Type Size Default

id Network entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

prefix Network prefix. ipv4- Not Specified 0.0.0.0

classnet 0.0.0.0

config offset-list

Parameter Description Type Size Default

id Offset-list ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

status Status. option - enable

Option Description

enable Enable setting.

disable Disable setting.

direction Offset list direction. option - out

Option Description

in Filter incoming packets.

out Filter outgoing packets.

access-list Access list name. string Maximum

length: 35

offset Offset. integer Minimum 0

value: 1
Maximum
value: 16

interface Interface name. string Maximum

length: 15

FortiOS 7.4.4 CLI Reference 936

Fortinet Inc.
config redistribute

Parameter Description Type Size Default

name Redistribute name. string Maximum

length: 35

status Status. option - disable

Option Description

enable Enable setting.

disable Disable setting.

metric Redistribute metric setting. integer Minimum 0

value: 1
Maximum
value: 16

routemap Route map name. string Maximum

length: 35

config router ripng

Configure RIPng.
config router ripng
Description: Configure RIPng.
config aggregate-address
Description: Aggregate address.
edit <id>
set prefix6 {ipv6-prefix}
next
end
set default-information-originate [enable|disable]
set default-metric {integer}
config distance
Description: Distance.
edit <id>
set distance {integer}
set prefix6 {ipv6-prefix}
set access-list6 {string}
next
end
config distribute-list
Description: Distribute list.
edit <id>
set status [enable|disable]
set direction [in|out]
set listname {string}
set interface {string}
next
end
set garbage-timer {integer}

FortiOS 7.4.4 CLI Reference 937

Fortinet Inc.
config interface
Description: RIPng interface configuration.
edit <name>
set split-horizon-status [enable|disable]
set split-horizon [poisoned|regular]
set flags {integer}
next
end
set max-out-metric {integer}
config neighbor
Description: Neighbor.
edit <id>
set ip6 {ipv6-address}
set interface {string}
next
end
config network
Description: Network.
edit <id>
set prefix {ipv6-prefix}
next
end
config offset-list
Description: Offset list.
edit <id>
set status [enable|disable]
set direction [in|out]
set access-list6 {string}
set offset {integer}
set interface {string}
next
end
set passive-interface <name1>, <name2>, ...
config redistribute
Description: Redistribute configuration.
edit <name>
set status [enable|disable]
set metric {integer}
set routemap {string}
next
end
set timeout-timer {integer}
set update-timer {integer}
end

config router ripng

Parameter Description Type Size Default

default- Enable/disable generation of default route. option - disable

information-
originate

FortiOS 7.4.4 CLI Reference 938

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

default-metric Default metric. integer Minimum 1

value: 1
Maximum
value: 16

garbage-timer Garbage timer. integer Minimum 120

value: 5
Maximum
value:
2147483647

max-out- Maximum metric allowed to output(0 means 'not set'). integer Minimum 0
metric value: 0
Maximum
value: 15

passive- Passive interface configuration. string Maximum

interface Passive interface name. length: 79
<name>

timeout-timer Timeout timer. integer Minimum 180

value: 5
Maximum
value:
2147483647

update-timer Update timer. integer Minimum 30

value: 5
Maximum
value:
2147483647

config aggregate-address

Parameter Description Type Size Default

id Aggregate address entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

prefix6 Aggregate address prefix. ipv6-prefix Not Specified ::/0

FortiOS 7.4.4 CLI Reference 939

Fortinet Inc.
config distance

Parameter Description Type Size Default

id Distance ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

distance Distance. integer Minimum 0

value: 1
Maximum
value: 255

prefix6 Distance prefix6. ipv6-prefix Not Specified ::/0

access-list6 Access list for route destination. string Maximum

length: 35

config distribute-list

Parameter Description Type Size Default

id Distribute list ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

status Status. option - disable

Option Description

enable Enable setting.

disable Disable setting.

direction Distribute list direction. option - out

Option Description

in Filter incoming packets.

out Filter outgoing packets.

listname Distribute access/prefix list name. string Maximum

length: 35

interface Distribute list interface name. string Maximum

length: 15

FortiOS 7.4.4 CLI Reference 940

Fortinet Inc.
config interface

Parameter Description Type Size Default

name Interface name. string Maximum

length: 35

split-horizon- Enable/disable split horizon. option - enable

status

Option Description

enable Enable setting.

disable Disable setting.

split-horizon Enable/disable split horizon. option - poisoned

Option Description

poisoned Poisoned.

regular Regular.

flags Flags. integer Minimum 8

value: 0
Maximum
value: 255

config neighbor

Parameter Description Type Size Default

id Neighbor entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

ip6 IPv6 link-local address. ipv6- Not Specified ::

address

interface Interface name. string Maximum

length: 15

FortiOS 7.4.4 CLI Reference 941

Fortinet Inc.
config network

Parameter Description Type Size Default

id Network entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

prefix Network IPv6 link-local prefix. ipv6-prefix Not Specified ::/0

config offset-list

Parameter Description Type Size Default

id Offset-list ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

status Status. option - enable

Option Description

enable Enable setting.

disable Disable setting.

direction Offset list direction. option - out

Option Description

in Filter incoming packets.

out Filter outgoing packets.

access-list6 IPv6 access list name. string Maximum

length: 35

offset Offset. integer Minimum 0

value: 1
Maximum
value: 16

interface Interface name. string Maximum

length: 15

FortiOS 7.4.4 CLI Reference 942

Fortinet Inc.
config redistribute

Parameter Description Type Size Default

name Redistribute name. string Maximum

length: 35

status Status. option - disable

Option Description

enable Enable setting.

disable Disable setting.

metric Redistribute metric setting. integer Minimum 0

value: 1
Maximum
value: 16

routemap Route map name. string Maximum

length: 35

config router route-map

Configure route maps.

config router route-map
Description: Configure route maps.
edit <name>
set comments {string}
config rule
Description: Rule.
edit <id>
set action [permit|deny]
set match-as-path {string}
set match-community {string}
set match-extcommunity {string}
set match-community-exact [enable|disable]
set match-extcommunity-exact [enable|disable]
set match-origin [none|egp|...]
set match-interface {string}
set match-ip-address {string}
set match-ip6-address {string}
set match-ip-nexthop {string}
set match-ip6-nexthop {string}
set match-metric {integer}
set match-route-type [external-type1|external-type2|...]
set match-tag {integer}
set match-vrf {integer}
set set-aggregator-as {integer}
set set-aggregator-ip {ipv4-address-any}
set set-aspath-action [prepend|replace]
set set-aspath <as1>, <as2>, ...
set set-atomic-aggregate [enable|disable]

FortiOS 7.4.4 CLI Reference 943

Fortinet Inc.
set set-community-delete {string}
set set-community <community1>, <community2>, ...
set set-community-additive [enable|disable]
set set-dampening-reachability-half-life {integer}
set set-dampening-reuse {integer}
set set-dampening-suppress {integer}
set set-dampening-max-suppress {integer}
set set-dampening-unreachability-half-life {integer}
set set-extcommunity-rt <community1>, <community2>, ...
set set-extcommunity-soo <community1>, <community2>, ...
set set-ip-nexthop {ipv4-address}
set set-ip-prefsrc {ipv4-address}
set set-vpnv4-nexthop {ipv4-address}
set set-ip6-nexthop {ipv6-address}
set set-ip6-nexthop-local {ipv6-address}
set set-vpnv6-nexthop {ipv6-address}
set set-vpnv6-nexthop-local {ipv6-address}
set set-local-preference {integer}
set set-metric {integer}
set set-metric-type [external-type1|external-type2|...]
set set-originator-id {ipv4-address-any}
set set-origin [none|egp|...]
set set-tag {integer}
set set-weight {integer}
set set-route-tag {integer}
set set-priority {integer}
next
end
next
end

config router route-map

Parameter Description Type Size Default

comments Optional comments. string Maximum

length: 127

name Name. string Maximum

length: 35

config rule

Parameter Description Type Size Default

id Rule ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

action Action. option - permit

FortiOS 7.4.4 CLI Reference 944

Fortinet Inc.
Parameter Description Type Size Default

Option Description

permit Permit.

deny Deny.

match-as-path Match BGP AS path list. string Maximum

length: 35

match- Match BGP community list. string Maximum

none None.

egp Remote EGP.

igp Local IGP.

incomplete Unknown heritage.

match-interface Match interface configuration. string Maximum

length: 15

match-ip-address Match IP address permitted by access-list or string Maximum

prefix-list. length: 35

match-ip6- Match IPv6 address permitted by access-list6 or string Maximum

address prefix-list6. length: 35

FortiOS 7.4.4 CLI Reference 945

Fortinet Inc.
Parameter Description Type Size Default

match-ip-nexthop Match next hop IP address passed by access-list string Maximum

or prefix-list. length: 35

match-ip6- Match next hop IPv6 address passed by access- string Maximum
nexthop list6 or prefix-list6. length: 35

match-metric Match metric for redistribute routes. integer Minimum

value: 0
Maximum
value:
4294967295

match-route-type Match route type. option -

Option Description

external-type1 External type 1.

external-type2 External type 2.

none No type specified.

match-tag Match tag. integer Minimum

value: 0
Maximum
value:
4294967295

match-vrf Match VRF ID. integer Minimum

value: 0
Maximum
value: 251

set-aggregator- BGP aggregator AS. integer Minimum 0

as value: 0
Maximum
value:
4294967295

set-aggregator-ip BGP aggregator IP. ipv4- Not Specified 0.0.0.0

address-
any

set-aspath-action Specify preferred action of set-aspath. option - prepend

Option Description

prepend Prepend.

replace Replace.

set-aspath <as> Prepend BGP AS path attribute. string Maximum

length: 79

FortiOS 7.4.4 CLI Reference 946

Fortinet Inc.
Parameter Description Type Size Default

AS number (0 - 4294967295). Use quotes for

repeating numbers, For example, "1 1 2".

set-atomic- Enable/disable BGP atomic aggregate attribute. option - disable

aggregate

Option Description

enable Enable BGP atomic aggregate attribute.

disable Disable BGP atomic aggregate attribute.

set-community- Delete communities matching community list. string Maximum

delete length: 35

set-community BGP community attribute. string Maximum

set-community- Enable/disable adding set-community to existing option - disable

additive community.

value: 0
Maximum
value:
4294967295

set-metric-type Metric type. option -

Option Description

external-type1 External type 1.

external-type2 External type 2.

none No type specified.

FortiOS 7.4.4 CLI Reference 948

Fortinet Inc.
Parameter Description Type Size Default

set-originator-id BGP originator ID attribute. ipv4- Not Specified

address-
any

set-origin BGP origin code. option - none

Option Description

none None.

egp Remote EGP.

igp Local IGP.

incomplete Unknown heritage.

set-tag Tag value. integer Minimum

value: 0
Maximum
value:
4294967295

set-weight BGP weight for routing table. integer Minimum

value: 0
Maximum
value:
4294967295

set-route-tag Route tag for routing table. integer Minimum

value: 0
Maximum
value:
4294967295

set-priority Priority for routing table. integer Minimum

value: 1
Maximum
value: 65535

config router setting

Configure router settings.

config router setting
Description: Configure router settings.
set hostname {string}
set show-filter {string}
end

FortiOS 7.4.4 CLI Reference 949

Fortinet Inc.
config router setting

Parameter Description Type Size Default

hostname Hostname for this virtual domain router. string Maximum

length: 14

show-filter Prefix-list as filter for showing routes. string Maximum

length: 35

config router static

Configure IPv4 static routing tables.

config router static
Description: Configure IPv4 static routing tables.
edit <seq-num>
set bfd [enable|disable]
set blackhole [enable|disable]
set comment {var-string}
set device {string}
set distance {integer}
set dst {ipv4-classnet}
set dstaddr {string}
set dynamic-gateway [enable|disable]
set gateway {ipv4-address}
set internet-service {integer}
set internet-service-custom {string}
set link-monitor-exempt [enable|disable]
set preferred-source {ipv4-address}
set priority {integer}
set sdwan-zone <name1>, <name2>, ...
set src {ipv4-classnet}
set status [enable|disable]
set tag {integer}
set vrf {integer}
set weight {integer}
next
end

config router static

Parameter Description Type Size Default

bfd Enable/disable Bidirectional Forwarding Detection option - disable

(BFD).

Option Description

enable Enable Bidirectional Forwarding Detection (BFD).

disable Disable Bidirectional Forwarding Detection (BFD).

FortiOS 7.4.4 CLI Reference 950

Fortinet Inc.
Parameter Description Type Size Default

blackhole Enable/disable black hole. option - disable

Option Description

enable Enable black hole.

disable Disable black hole.

comment Optional comments. var-string Maximum

length: 255

device Gateway out interface or tunnel. string Maximum

length: 35

distance Administrative distance. integer Minimum 10

value: 1
Maximum
value: 255

dst Destination IP and mask for this route. ipv4- Not Specified 0.0.0.0
classnet 0.0.0.0

dstaddr Name of firewall address or address group. string Maximum

length: 79

dynamic- Enable use of dynamic gateway retrieved from a option - disable

gateway DHCP or PPP server.

Option Description

enable Enable dynamic gateway.

disable Disable dynamic gateway.

gateway Gateway IP for this route. ipv4- Not Specified 0.0.0.0

address

internet- Application ID in the Internet service database. integer Minimum 0

service value: 0
Maximum
value:
4294967295

internet- Application name in the Internet service custom string Maximum

service- database. length: 64
custom

link-monitor- Enable/disable withdrawal of this static route when option - disable

exempt link monitor or health check is down.

FortiOS 7.4.4 CLI Reference 951

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Keep this static route when link monitor or health check is down.

disable Withdraw this static route when link monitor or health check is down. (default)

preferred- Preferred source IP for this route. ipv4- Not Specified 0.0.0.0
source address

priority Administrative priority. integer Minimum 1

value: 1
Maximum
value: 65535

sdwan-zone Choose SD-WAN Zone. string Maximum

<name> SD-WAN zone name. length: 79

seq-num Sequence number. integer Minimum 0

value: 0
Maximum
value:
4294967295

src Source prefix for this route. ipv4- Not Specified 0.0.0.0
classnet 0.0.0.0

status Enable/disable this static route. option - enable

Option Description

enable Enable static route.

disable Disable static route.

tag Route tag. integer Minimum 0

value: 0
Maximum
value:
4294967295

vrf Virtual Routing Forwarding ID. integer Minimum unspecified

value: 0
Maximum
value: 251

weight Administrative weight. integer Minimum 0

value: 0
Maximum
value: 255

FortiOS 7.4.4 CLI Reference 952

Fortinet Inc.
config router static6

Configure IPv6 static routing tables.

config router static6
Description: Configure IPv6 static routing tables.
edit <seq-num>
set bfd [enable|disable]
set blackhole [enable|disable]
set comment {var-string}
set device {string}
set devindex {integer}
set distance {integer}
set dst {ipv6-network}
set dstaddr {string}
set dynamic-gateway [enable|disable]
set gateway {ipv6-address}
set link-monitor-exempt [enable|disable]
set priority {integer}
set sdwan-zone <name1>, <name2>, ...
set status [enable|disable]
set vrf {integer}
set weight {integer}
next
end

config router static6

Parameter Description Type Size Default

bfd Enable/disable Bidirectional Forwarding Detection option - disable

(BFD).

Option Description

enable Enable Bidirectional Forwarding Detection (BFD).

disable Disable Bidirectional Forwarding Detection (BFD).

blackhole Enable/disable black hole. option - disable

Option Description

enable Enable black hole.

disable Disable black hole.

comment Optional comments. var-string Maximum

length: 255

device Gateway out interface or tunnel. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 953

Fortinet Inc.
Parameter Description Type Size Default

devindex Device index. integer Minimum 0

value: 0
Maximum
value:
4294967295

distance Administrative distance. integer Minimum 10

value: 1
Maximum
value: 255

dst Destination IPv6 prefix. ipv6- Not Specified ::/0

network

dstaddr Name of firewall address or address group. string Maximum

length: 79

dynamic- Enable use of dynamic gateway retrieved from option - disable

gateway Router Advertisement (RA).

Option Description

enable Enable dynamic gateway.

disable Disable dynamic gateway.

gateway IPv6 address of the gateway. ipv6- Not Specified ::

address

link-monitor- Enable/disable withdrawal of this static route when option - disable

exempt link monitor or health check is down.

Option Description

enable Keep this static route when link monitor or health check is down.

disable Withdraw this static route when link monitor or health check is down. (default)

priority Administrative priority. integer Minimum 1024

value: 1
Maximum
value: 65535

sdwan-zone Choose SD-WAN Zone. string Maximum

<name> SD-WAN zone name. length: 79

seq-num Sequence number. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 954

Fortinet Inc.
Parameter Description Type Size Default

status Enable/disable this static route. option - enable

Option Description

enable Enable static route.

disable Disable static route.

vrf Virtual Routing Forwarding ID. integer Minimum unspecified

value: 0
Maximum
value: 251

weight Administrative weight. integer Minimum 0

value: 0
Maximum
value: 255

FortiOS 7.4.4 CLI Reference 955

Fortinet Inc.
rule

This section includes syntax for the following commands:

l config rule fmwp on page 956
l config rule otdt on page 958
l config rule otvp on page 960

config rule fmwp

Show FMWP signatures.

config rule fmwp
Description: Show FMWP signatures.
edit <name>
set action [pass|block]
set application {user}
set date {integer}
set group {string}
set location {user}
set log [disable|enable]
set log-packet [disable|enable]
config metadata
Description: Meta data.
edit <id>
set metaid {integer}
set valueid {integer}
next
end
set os {user}
set rev {integer}
set rule-id {integer}
set service {user}
set severity {user}
next
end

config rule fmwp

Parameter Description Type Size Default

action Action. option - pass

Option Description

pass Pass or allow matching traffic.

block Block or drop matching traffic.

FortiOS 7.4.4 CLI Reference 956

Fortinet Inc.
Parameter Description Type Size Default

application Vulnerable applications. user Not Specified

date Date. integer Minimum 0

value: 0
Maximum
value:
4294967295

group Group. string Maximum

length: 63

location Vulnerable location. user Not Specified

log Enable/disable logging. option - enable

Option Description

disable Disable logging.

enable Enable logging.

log-packet Enable/disable packet logging. option - disable

Option Description

disable Disable packet logging.

enable Enable packet logging.

name Rule name. string Maximum

length: 63

os Vulnerable operation systems. user Not Specified

rev Revision. integer Minimum 0

value: 0
Maximum
value:
4294967295

rule-id Rule ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

service Vulnerable service. user Not Specified

severity Severity. user Not Specified

FortiOS 7.4.4 CLI Reference 957

Fortinet Inc.
config metadata

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

metaid Meta ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

valueid Value ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

config rule otdt

Show OT detection signatures.

config rule otdt
Description: Show OT detection signatures.
edit <name>
set behavior {user}
set category {integer}
set id {integer}
config metadata
Description: Meta data.
edit <id>
set metaid {integer}
set valueid {integer}
next
end
config parameters
Description: Application parameters.
edit <name>
set default value {string}
next
end
set popularity {integer}
set protocol {user}
set risk {integer}
set technology {user}
set vendor {user}
set weight {integer}
next
end

FortiOS 7.4.4 CLI Reference 958

Fortinet Inc.
config rule otdt

Parameter Description Type Size Default

behavior Application behavior. user Not Specified

category Application category ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

id Application ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Application name. string Maximum

length: 63

popularity Application popularity. integer Minimum 0

value: 0
Maximum
value: 255

protocol Application protocol. user Not Specified

risk Application risk. integer Minimum 0

value: 0
Maximum
value: 255

technology Application technology. user Not Specified

vendor Application vendor. user Not Specified

weight Application weight. integer Minimum 0

value: 0
Maximum
value: 255

config metadata

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 959

Fortinet Inc.
Parameter Description Type Size Default

metaid Meta ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

valueid Value ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

config parameters

Parameter Description Type Size Default

name Parameter name. string Maximum

length: 31

default value Parameter default value. string Maximum

length: 199

config rule otvp

Show OT patch signatures.

config rule otvp
Description: Show OT patch signatures.
edit <name>
set action [pass|block]
set application {user}
set date {integer}
set group {string}
set location {user}
set log [disable|enable]
set log-packet [disable|enable]
config metadata
Description: Meta data.
edit <id>
set metaid {integer}
set valueid {integer}
next
end
set os {user}
set rev {integer}
set rule-id {integer}
set service {user}
set severity {user}
next
end

FortiOS 7.4.4 CLI Reference 960

Fortinet Inc.
config rule otvp

Parameter Description Type Size Default

action Action. option - pass

Option Description

pass Pass or allow matching traffic.

block Block or drop matching traffic.

application Vulnerable applications. user Not Specified

date Date. integer Minimum 0

value: 0
Maximum
value:
4294967295

group Group. string Maximum

length: 63

location Vulnerable location. user Not Specified

log Enable/disable logging. option - enable

Option Description

disable Disable logging.

enable Enable logging.

log-packet Enable/disable packet logging. option - disable

Option Description

disable Disable packet logging.

enable Enable packet logging.

name Rule name. string Maximum

length: 63

os Vulnerable operation systems. user Not Specified

rev Revision. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 961

Fortinet Inc.
Parameter Description Type Size Default

rule-id Rule ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

service Vulnerable service. user Not Specified

severity Severity. user Not Specified

config metadata

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

metaid Meta ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

valueid Value ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 962

Fortinet Inc.
sctp-filter

This section includes syntax for the following commands:

l config sctp-filter profile on page 963

config sctp-filter profile

Configure SCTP filter profiles.

config sctp-filter profile
Description: Configure SCTP filter profiles.
edit <name>
set comment {var-string}
config ppid-filters
Description: PPID filters list.
edit <id>
set ppid {integer}
set action [pass|reset|...]
set comment {var-string}
next
end
next
end

config sctp-filter profile

Parameter Description Type Size Default

comment Comment. var-string Maximum

length: 255

name Profile name. string Maximum

length: 35

config ppid-filters

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 963

Fortinet Inc.
Parameter Description Type Size Default

ppid Payload protocol identifier. integer Minimum

value: 0
Maximum
value:
4294967295

action Action taken when PPID is matched. option - reset

Option Description

pass Pass data chunk.

reset Reset SCTP session.

replace Replace data chunk.

comment Comment. var-string Maximum

length: 255

FortiOS 7.4.4 CLI Reference 964

Fortinet Inc.
ssh-filter

This section includes syntax for the following commands:

l config ssh-filter profile on page 965

config ssh-filter profile

Configure SSH filter profile.

config ssh-filter profile
Description: Configure SSH filter profile.
edit <name>
set block {option1}, {option2}, ...
set default-command-log [enable|disable]
set log {option1}, {option2}, ...
config shell-commands
Description: SSH command filter.
edit <id>
set type [simple|regex]
set pattern {string}
set action [block|allow]
set log [enable|disable]
set alert [enable|disable]
set severity [low|medium|...]
next
end
next
end

config ssh-filter profile

Parameter Description Type Size Default

block SSH blocking options. option -

Option Description

x11 X server forwarding.

shell SSH shell.

exec SSH execution.

port-forward Port forwarding.

tun-forward Tunnel forwarding.

sftp SFTP.

FortiOS 7.4.4 CLI Reference 965

Fortinet Inc.
Parameter Description Type Size Default

exec SSH execution.

port-forward Port forwarding.

tun-forward Tunnel forwarding.

sftp SFTP.

scp SCP.

unknown Unknown channel.

name SSH filter profile name. string Maximum

length: 35

config shell-commands

Parameter Description Type Size Default

id Id. integer Minimum 0

value: 0
Maximum
value:
4294967295

type Matching type. option - simple

Option Description

simple Match single command.

FortiOS 7.4.4 CLI Reference 966

Fortinet Inc.
Parameter Description Type Size Default

Option Description

regex Match command line using regular expression.

pattern SSH shell command pattern. string Maximum

length: 128

high Severity high.

critical Severity critical.

FortiOS 7.4.4 CLI Reference 967

Fortinet Inc.
switch-controller

This section includes syntax for the following commands:

l config switch-controller 802-1X-settings on page 969
l config switch-controller acl group on page 972
l config switch-controller acl ingress on page 973
l config switch-controller auto-config custom on page 975
l config switch-controller auto-config default on page 976
l config switch-controller auto-config policy on page 977
l config switch-controller custom-command on page 979
l config switch-controller dsl policy on page 980
l config switch-controller dynamic-port-policy on page 983
l config switch-controller flow-tracking on page 986
l config switch-controller fortilink-settings on page 989
l config switch-controller global on page 992
l config switch-controller igmp-snooping on page 998
l config switch-controller initial-config template on page 999
l config switch-controller initial-config vlans on page 1001
l config switch-controller lldp-profile on page 1002
l config switch-controller lldp-settings on page 1007
l config switch-controller location on page 1008
l config switch-controller mac-policy on page 1013
l config switch-controller managed-switch on page 1015
l config switch-controller network-monitor-settings on page 1057
l config switch-controller ptp interface-policy on page 1058
l config switch-controller ptp profile on page 1059
l config switch-controller qos dot1p-map on page 1061
l config switch-controller qos ip-dscp-map on page 1065
l config switch-controller qos qos-policy on page 1068
l config switch-controller qos queue-policy on page 1069
l config switch-controller quarantine on page 1072
l config switch-controller remote-log on page 1073
l config switch-controller security-policy 802-1X on page 1076
l config switch-controller security-policy local-access on page 1080
l config switch-controller sflow on page 1082
l config switch-controller snmp-community on page 1083
l config switch-controller snmp-sysinfo on page 1086
l config switch-controller snmp-trap-threshold on page 1087
l config switch-controller snmp-user on page 1089
l config switch-controller storm-control-policy on page 1091

FortiOS 7.4.4 CLI Reference 968

Fortinet Inc.
l config switch-controller storm-control on page 1093
l config switch-controller stp-instance on page 1095
l config switch-controller stp-settings on page 1096
l config switch-controller switch-group on page 1098
l config switch-controller switch-interface-tag on page 1099
l config switch-controller switch-log on page 1100
l config switch-controller switch-profile on page 1101
l config switch-controller system on page 1103
l config switch-controller traffic-policy on page 1106
l config switch-controller traffic-sniffer on page 1108
l config switch-controller virtual-port-pool on page 1110
l config switch-controller vlan-policy on page 1111

config switch-controller 802-1X-settings

This command is available for model(s): FortiGate 1000D, FortiGate 1000F, FortiGate 1001F,
FortiGate 100F, FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 140E-POE,
FortiGate 140E, FortiGate 1800F, FortiGate 1801F, FortiGate 2000E, FortiGate 200E,
FortiGate 200F, FortiGate 201E, FortiGate 201F, FortiGate 2200E, FortiGate 2201E,
FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 3000F,
FortiGate 3001F, FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D,
FortiGate 3200F, FortiGate 3201F, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E,
FortiGate 3401E, FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E,
FortiGate 3700D, FortiGate 3700F, FortiGate 3701F, FortiGate 3960E, FortiGate 3980E,
FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E, FortiGate 401F,
FortiGate 40F 3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F,
FortiGate 4401F, FortiGate 500E, FortiGate 501E, FortiGate 600E, FortiGate 600F, FortiGate
601E, FortiGate 601F, FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 60E-POE,
FortiGate 60E, FortiGate 60F, FortiGate 61E, FortiGate 61F, FortiGate 70F, FortiGate 71F,
FortiGate 800D, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F Bypass, FortiGate 80F-
POE, FortiGate 80F, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 81F,
FortiGate 900D, FortiGate 90E, FortiGate 91E, FortiGate VM64, FortiGateRugged 60F 3G4G,
FortiGateRugged 60F, FortiGateRugged 70F 3G4G, FortiGateRugged 70F, FortiWiFi 40F
3G4G, FortiWiFi 40F, FortiWiFi 60E DSLJ, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 60F,
FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F
2R-POE, FortiWiFi 81F 2R.
It is not available for: FortiGate 5001E1, FortiGate 5001E.

Configure global 802.1X settings.

FortiOS 7.4.4 CLI Reference 969

Fortinet Inc.
set mac-password-delimiter [colon|hyphen|...]
set mac-username-delimiter [colon|hyphen|...]
set max-reauth-attempt {integer}
set reauth-period {integer}
set tx-period {integer}
end

config switch-controller 802-1X-settings

Parameter Description Type Size Default

link-down- Interface-reauthentication state to set if a link is down. option - set-unauth

auth

Option Description

set-unauth Interface set to unauth when down. Reauthentication is needed.

no-action Interface reauthentication is not needed.

mab-reauth Enable/disable MAB re-authentication. option - disable

Option Description

disable Disable MAB re-authentication.

enable Enable MAB re-authentication.

mac-called- MAC called station delimiter. option - hyphen

station-
delimiter

Option Description

colon Use colon as delimiter for called station.

hyphen Use hyphen as delimiter for called station.

none No delimiter for called station.

single-hyphen Use single hyphen as delimiter for called station.

mac-calling- MAC calling station delimiter. option - hyphen

station-
delimiter

Option Description

colon Use colon as delimiter for calling station.

hyphen Use hyphen as delimiter for calling station.

none No delimiter for calling station.

single-hyphen Use single hyphen as delimiter for calling station.

FortiOS 7.4.4 CLI Reference 970

reauth-period Period of time to allow for reauthentication. integer Minimum 60

value: 0
Maximum
value: 1440

tx-period 802.1X Tx period. integer Minimum 30

value: 12
Maximum
value: 60

FortiOS 7.4.4 CLI Reference 971

Fortinet Inc.
config switch-controller acl group

Configure ACL groups to be applied on managed FortiSwitch ports.

config switch-controller acl group
Description: Configure ACL groups to be applied on managed FortiSwitch ports.
edit <name>
set ingress <id1>, <id2>, ...
next
end

config switch-controller acl group

Parameter Description Type Size Default

ingress <id> Configure ingress ACL policies in group. integer Minimum

ACL ID. value: 0
Maximum
value:
4294967295

name Group name. string Maximum

length: 63

FortiOS 7.4.4 CLI Reference 972

Fortinet Inc.
config switch-controller acl ingress

Configure ingress ACL policies to be applied on managed FortiSwitch ports.

config switch-controller acl ingress
Description: Configure ingress ACL policies to be applied on managed FortiSwitch ports.
edit <id>
config action
Description: ACL actions.
set drop [enable|disable]
set count [enable|disable]
end
config classifier
Description: ACL classifiers.
set dst-ip-prefix {ipv4-classnet}
set dst-mac {mac-address}
set src-ip-prefix {ipv4-classnet}
set src-mac {mac-address}
set vlan {integer}
end
set description {string}
next
end

FortiOS 7.4.4 CLI Reference 973

Fortinet Inc.
config switch-controller acl ingress

Parameter Description Type Size Default

description Description for the ACL policy. string Maximum

length: 63

id ACL ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

config action

Parameter Description Type Size Default

drop Enable/disable drop. option - disable

Option Description

enable Enable drop.

disable Disable drop.

count Enable/disable count. option - disable

Option Description

enable Enable count.

disable Disable count.

config classifier

Parameter Description Type Size Default

dst-ip-prefix Destination IP address to be matched. ipv4- Not 0.0.0.0 0.0.0.0

classnet Specified

dst-mac Destination MAC address to be matched. mac- Not 00:00:00:00:00:00

address Specified

src-ip-prefix Source IP address to be matched. ipv4- Not 0.0.0.0 0.0.0.0

classnet Specified

src-mac Source MAC address to be matched. mac- Not 00:00:00:00:00:00

address Specified

vlan VLAN ID to be matched. integer Minimum 0

value: 1
Maximum
value: 4094

FortiOS 7.4.4 CLI Reference 974

Fortinet Inc.
config switch-controller auto-config custom

Policies which can override the 'default' for specific ISL/ICL/FortiLink interface.
config switch-controller auto-config custom
Description: Policies which can override the 'default' for specific ISL/ICL/FortiLink
interface.
edit <name>
config switch-binding
Description: Switch binding list.
edit <switch-id>
set policy {string}
next
end
next
end

config switch-controller auto-config custom

Parameter Description Type Size Default

name Auto-Config FortiLink or ISL/ICL interface name. string Maximum

length: 15

FortiOS 7.4.4 CLI Reference 975

Fortinet Inc.
config switch-binding

Parameter Description Type Size Default

switch-id Switch name. string Maximum

length: 16

policy Custom auto-config policy. string Maximum default

length: 63

config switch-controller auto-config default

Policies which are applied automatically to all ISL/ICL/FortiLink interfaces.

config switch-controller auto-config default
Description: Policies which are applied automatically to all ISL/ICL/FortiLink
interfaces.
set fgt-policy {string}
set icl-policy {string}
set isl-policy {string}
end

FortiOS 7.4.4 CLI Reference 976

Fortinet Inc.
config switch-controller auto-config default

Parameter Description Type Size Default

igmp-flood- Enable/disable IGMP flood report. option - disable

report

Option Description

enable Enable IGMP flood report.

disable Disable IGMP flood report.

igmp-flood- Enable/disable IGMP flood traffic. option - disable

traffic

Option Description

enable Enable IGMP flood traffic.

disable Disable IGMP flood traffic.

name Auto-config policy name. string Maximum

length: 63

poe-status Enable/disable PoE status. option - enable

Option Description

enable Enable PoE status.

disable Disable PoE status.

qos-policy Auto-Config QoS policy. string Maximum default

length: 63

storm-control- Auto-Config storm control policy. string Maximum auto-config

policy length: 63

FortiOS 7.4.4 CLI Reference 978

Fortinet Inc.
config switch-controller custom-command

Configure the FortiGate switch controller to send custom commands to managed FortiSwitch devices.
config switch-controller custom-command
Description: Configure the FortiGate switch controller to send custom commands to
managed FortiSwitch devices.
edit <command-name>
set command {var-string}
set description {string}
next
end

config switch-controller custom-command

Parameter Description Type Size Default

command String of commands to send to FortiSwitch devices (For var-string Maximum

example (%0a = return key): config switch trunk %0a length: 4095
edit myTrunk %0a set members port1 port2 %0a end
%0a).

command- Command name called by the FortiGate switch string Maximum

name controller in the execute command. length: 35

description Description. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 979

Fortinet Inc.
config switch-controller dsl policy

This command is available for model(s): FortiGate 40F 3G4G, FortiGate 60F, FortiGate 80F
Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 81F-POE, FortiGate 81F,
FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiGateRugged 70F 3G4G,
FortiGateRugged 70F, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE.
It is not available for: FortiGate 1000D, FortiGate 1000F, FortiGate 1001F, FortiGate 100F,
FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 140E-POE, FortiGate 140E,
FortiGate 1800F, FortiGate 1801F, FortiGate 2000E, FortiGate 200E, FortiGate 200F,
FortiGate 201E, FortiGate 201F, FortiGate 2200E, FortiGate 2201E, FortiGate 2500E,
FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 3000F, FortiGate 3001F,
FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3200F,
FortiGate 3201F, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E,
FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E, FortiGate 3700D,
FortiGate 3700F, FortiGate 3701F, FortiGate 3960E, FortiGate 3980E, FortiGate 400E
Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E, FortiGate 401F, FortiGate 40F,
FortiGate 4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F, FortiGate 5001E1,
FortiGate 5001E, FortiGate 500E, FortiGate 501E, FortiGate 600E, FortiGate 600F, FortiGate
601E, FortiGate 601F, FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 60E-POE,
FortiGate 60E, FortiGate 61E, FortiGate 61F, FortiGate 70F, FortiGate 71F, FortiGate 800D,
FortiGate 80E-POE, FortiGate 80E, FortiGate 81E-POE, FortiGate 81E, FortiGate 900D,
FortiGate 90E, FortiGate 91E, FortiGate VM64, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi
60E DSLJ, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F,
FortiWiFi 80F 2R, FortiWiFi 81F 2R.

DSL policy.
config switch-controller dsl policy
Description: DSL policy.
edit <name>
set append_padding [disable|enable]
set cpe-aele [disable|enable]
set cpe-aele-mode [ELE_M0|ELE_DS|...]
set cs {option1}, {option2}, ...
set ds-bitswap [disable|enable]
set pause-frame [disable|enable]
set profile [auto-30a|auto-17a|...]
set type {option}
set us-bitswap [disable|enable]
next
end

config switch-controller dsl policy

Parameter Description Type Size Default

append_ Device pause frame configuration. option - enable

padding

FortiOS 7.4.4 CLI Reference 980

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable.

enable Enable.

cpe-aele CPE AELE. option - enable

Option Description

disable Disable.

enable Enable.

cpe-aele- CPE AELE-Mode with given string. option - ELE_MIN

mode

Option Description

ELE_M0 cpe AELE-Mode with given string.

ELE_DS cpe AELE-Mode with given string.

ELE_PB cpe AELE-Mode with given string.

ELE_MIN cpe AELE-Mode with given string.

cs CPE carrier set. option - A43 B43

A43C

Option Description

A43 CPE carrier set.

B43 CPE carrier set.

disable Disable.

enable Enable.

FortiOS 7.4.4 CLI Reference 982

Fortinet Inc.
config switch-controller dynamic-port-policy

Configure Dynamic port policy to be applied on the managed FortiSwitch ports through DPP device.
config switch-controller dynamic-port-policy
Description: Configure Dynamic port policy to be applied on the managed FortiSwitch
ports through DPP device.
edit <name>
set description {string}
set fortilink {string}
config policy
Description: Port policies with matching criteria and actions.
edit <name>
set description {string}
set status [enable|disable]
set category [device|interface-tag]
set match-type [dynamic|override]
set match-period {integer}
set interface-tags <tag-name1>, <tag-name2>, ...
set mac {string}
set hw-vendor {string}
set type {string}
set family {string}
set host {string}
set lldp-profile {string}
set qos-policy {string}
set 802-1x {string}
set vlan-policy {string}
set bounce-port-link [disable|enable]

FortiOS 7.4.4 CLI Reference 983

Fortinet Inc.
next
end
next
end

config switch-controller dynamic-port-policy

Parameter Description Type Size Default

description Description for the Dynamic port policy. string Maximum

length: 63

fortilink FortiLink interface for which this Dynamic port policy string Maximum
belongs to. length: 15

name Dynamic port policy name. string Maximum

length: 63

config policy

Parameter Description Type Size Default

name Policy name. string Maximum

length: 63

description Description for the policy. string Maximum

length: 63

status Enable/disable policy. option - enable

Option Description

enable Enable policy.

disable Disable policy.

category Category of Dynamic port policy. option - device

Option Description

device Device category.

interface-tag Interface Tag category.

match-type Match and retain the devices based on the type. option - dynamic

Option Description

dynamic Matched devices will be removed on dynamic events like link-down,device-

inactivity,switch-offline.

override Matched devices will be retained until the match-period.

FortiOS 7.4.4 CLI Reference 984

Fortinet Inc.
Parameter Description Type Size Default

match-period Number of days the matched devices will be retained. integer Minimum 0
value: 0
Maximum
value: 120

interface-tags Match policy based on the FortiSwitch interface object string Maximum
<tag-name> tags. length: 63
FortiSwitch port tag name.

mac Match policy based on MAC address. string Maximum

length: 17

hw-vendor Match policy based on hardware vendor. string Maximum

length: 15

type Match policy based on type. string Maximum

length: 15

family Match policy based on family. string Maximum

length: 31

host Match policy based on host. string Maximum

length: 64

lldp-profile LLDP profile to be applied when using this policy. string Maximum
length: 63

qos-policy QoS policy to be applied when using this policy. string Maximum
length: 63

802-1x 802.1x security policy to be applied when using this string Maximum
policy. length: 31

vlan-policy VLAN policy to be applied when using this policy. string Maximum
length: 63

bounce-port- Enable/disable bouncing (administratively bring the link option - enable

link down, up) of a switch port where this policy is applied.
Helps to clear and reassign VLAN from lldp-profile.

Option Description

disable Disable bouncing (administratively bring the link down, up) of a switch port
where this policy is applied.

enable Enable bouncing (administratively bring the link down, up) of a switch port
where this policy is applied.

FortiOS 7.4.4 CLI Reference 985

Fortinet Inc.
config switch-controller flow-tracking

Configure FortiSwitch flow tracking and export via ipfix/netflow.

config switch-controller flow-tracking
Description: Configure FortiSwitch flow tracking and export via ipfix/netflow.
config aggregates
Description: Configure aggregates in which all traffic sessions matching the IP
Address will be grouped into the same flow.
edit <id>
set ip {ipv4-classnet}
next
end
config collectors
Description: Configure collectors for the flow.
edit <name>
set ip {ipv4-address-any}
set port {integer}
set transport [udp|tcp|...]
next
end
set format [netflow1|netflow5|...]
set level [vlan|ip|...]
set max-export-pkt-size {integer}
set sample-mode [local|perimeter|...]
set sample-rate {integer}
set template-export-period {integer}
set timeout-general {integer}
set timeout-icmp {integer}

FortiOS 7.4.4 CLI Reference 986

Fortinet Inc.
set timeout-max {integer}
set timeout-tcp {integer}
set timeout-tcp-fin {integer}
set timeout-tcp-rst {integer}
set timeout-udp {integer}
end

config switch-controller flow-tracking

Parameter Description Type Size Default

format Configure flow tracking protocol. option - netflow9

Option Description

netflow1 Netflow version 1 sampling.

netflow5 Netflow version 5 sampling.

netflow9 Netflow version 9 sampling.

ipfix Ipfix sampling.

level Configure flow tracking level. option - ip

Option Description

vlan Collects srcip/dstip/srcport/dstport/protocol/tos/vlan from the sample packet.

ip Collects srcip/dstip from the sample packet.

port Collects srcip/dstip/srcport/dstport/protocol from the sample packet.

proto Collects srcip/dstip/protocol from the sample packet.

mac Collects smac/dmac from the sample packet.

max-export- Configure flow max export packet size. integer Minimum value: 512
pkt-size 512 Maximum
value: 9216

sample-mode Configure sample mode for the flow tracking. option - perimeter

Option Description

local Set local mode which samples on the specific switch port.

perimeter Set perimeter mode which samples on all switch fabric ports and fortilink port
at the ingress.

device-ingress Set device -ingress mode which samples across all switch ports at the ingress.

sample-rate Configure sample rate for the perimeter and integer Minimum value: 512
device-ingress sampling. 0 Maximum
value: 99999

FortiOS 7.4.4 CLI Reference 987

Fortinet Inc.
Parameter Description Type Size Default

template- Configure template export period. integer Minimum value: 5

export-period 1 Maximum
value: 60

timeout- Configure flow session general timeout. integer Minimum value: 3600
general 60 Maximum
value: 604800

timeout-icmp Configure flow session ICMP timeout. integer Minimum value: 300
60 Maximum
value: 604800

timeout-max Configure flow session max timeout. integer Minimum value: 604800
60 Maximum
value: 604800

timeout-tcp Configure flow session TCP timeout. integer Minimum value: 3600
60 Maximum
value: 604800

timeout-tcp- Configure flow session TCP FIN timeout. integer Minimum value: 300
fin 60 Maximum
value: 604800

timeout-tcp- Configure flow session TCP RST timeout. integer Minimum value: 120
rst 60 Maximum
value: 604800

timeout-udp Configure flow session UDP timeout. integer Minimum value: 300
60 Maximum
value: 604800

config aggregates

Parameter Description Type Size Default

id Aggregate id. integer Minimum 0

value: 0
Maximum
value:
4294967295

ip IP address to group all matching traffic sessions to a ipv4- Not Specified 0.0.0.0
flow. classnet 0.0.0.0

FortiOS 7.4.4 CLI Reference 988

Fortinet Inc.
config collectors

Parameter Description Type Size Default

name Collector name. string Maximum

length: 63

ip Collector IP address. ipv4- Not 0.0.0.0

address- Specified
any

port Collector port number. integer Minimum 0

value: 0
Maximum
value:
65535

transport Collector L4 transport protocol for exporting packets. option - udp

Option Description

udp UDP protocol.

tcp TCP protocol.

sctp SCTP protocol.

config switch-controller fortilink-settings

FortiOS 7.4.4 CLI Reference 989

Fortinet Inc.
Configure integrated FortiLink settings for FortiSwitch.
config switch-controller fortilink-settings
Description: Configure integrated FortiLink settings for FortiSwitch.
edit <name>
set access-vlan-mode [legacy|fail-open|...]
set fortilink {string}
set inactive-timer {integer}
set link-down-flush [disable|enable]
config nac-ports
Description: NAC specific configuration.
set onboarding-vlan {string}
set lan-segment [enabled|disabled]
set nac-lan-interface {string}
set nac-segment-vlans <vlan-name1>, <vlan-name2>, ...
set parent-key {string}
set member-change {integer}
end
next
end

config switch-controller fortilink-settings

Parameter Description Type Size Default

access-vlan- Intra VLAN traffic behavior with loss of connection to the option - legacy
mode FortiGate.

name FortiLink settings name. string Maximum

length: 35

config nac-ports

Parameter Description Type Size Default

onboarding- Default NAC Onboarding VLAN when NAC devices are string Maximum
vlan discovered. length: 15

lan-segment Enable/disable LAN segment feature on the FortiLink option - disabled

interface.

Option Description

enabled Enable lan-segment on this interface.

disabled Disable lan-segment on this interface.

nac-lan- Configure NAC LAN interface. string Maximum

interface length: 15

nac-segment- Configure NAC segment VLANs. string Maximum

vlans <vlan- VLAN interface name. length: 79
name>

parent-key Parent key name. string Maximum

length: 35

member- Member change flag. integer Minimum 0

change value: 0
Maximum
value: 255

FortiOS 7.4.4 CLI Reference 991

Fortinet Inc.
config switch-controller global

Configure FortiSwitch global settings.

config switch-controller global
Description: Configure FortiSwitch global settings.
set bounce-quarantined-link [disable|enable]
config custom-command
Description: List of custom commands to be pushed to all FortiSwitches in the VDOM.
edit <command-entry>
set command-name {string}
next
end
set default-virtual-switch-vlan {string}
set dhcp-option82-circuit-id {option1}, {option2}, ...
set dhcp-option82-format [ascii|legacy]
set dhcp-option82-remote-id {option1}, {option2}, ...
set dhcp-server-access-list [enable|disable]
set dhcp-snoop-client-db-exp {integer}
set dhcp-snoop-client-req [drop-untrusted|forward-untrusted]
set dhcp-snoop-db-per-port-learn-limit {integer}
set disable-discovery <name1>, <name2>, ...
set fips-enforce [disable|enable]
set firmware-provision-on-authorization [enable|disable]
set https-image-push [enable|disable]
set log-mac-limit-violations [enable|disable]
set mac-aging-interval {integer}
set mac-event-logging [enable|disable]
set mac-retention-period {integer}

FortiOS 7.4.4 CLI Reference 992

Fortinet Inc.
set mac-violation-timer {integer}
set quarantine-mode [by-vlan|by-redirect]
set sn-dns-resolution [enable|disable]
set update-user-device {option1}, {option2}, ...
set vlan-all-mode [all|defined]
set vlan-identity [description|name]
set vlan-optimization [enable|disable]
end

config switch-controller global

Parameter Description Type Size Default

bounce- Enable/disable bouncing (administratively option - disable

quarantined- bring the link down, up) of a switch port
link where a quarantined device was seen last.
Helps to re-initiate the DHCP process for a
device.

Option Description

forward- Broadcast packets on all ports in the VLAN.

untrusted

dhcp-snoop- Per Interface dhcp-server entries learn integer Minimum value: 64

db-per-port- limit. 0 Maximum
learn-limit value: 2048

disable- Prevent this FortiSwitch from discovering. string Maximum

discovery Managed device ID. length: 79
<name>

fips-enforce Enable/disable enforcement of FIPS on option - enable

managed FortiSwitch devices.

FortiOS 7.4.4 CLI Reference 994

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable enforcement of FIPS on managed FortiSwitch devices.

enable Enable enforcement of FIPS on managed FortiSwitch devices.

firmware- Enable/disable automatic provisioning of option - disable

provision-on- latest firmware on authorization.
authorization

Option Description

enable Enable firmware provision on authorization.

disable Disable firmware provision on authorization.

https-image- Enable/disable image push to FortiSwitch option - enable

push using HTTPS.

Option Description

enable Enable image push to FortiSwitch using HTTPS.

disable Disable image push to FortiSwitch using HTTPS.

log-mac-limit- Enable/disable logs for Learning Limit option - disable

violations Violations.

Option Description

enable Enable Learn Limit Violation.

disable Disable Learn Limit Violation.

mac-aging- Time after which an inactive MAC is aged integer Minimum value: 300
interval out. 10 Maximum
value: 1000000

mac-event- Enable/disable MAC address event option - disable

logging logging.

Option Description

enable Enable MAC address event logging.

disable Disable MAC address event logging.

mac-retention- Time in hours after which an inactive MAC integer Minimum value: 24
period is removed from client DB (0 = aged out 0 Maximum
based on mac-aging-interval). value: 168

FortiOS 7.4.4 CLI Reference 995

Fortinet Inc.
Parameter Description Type Size Default

mac-violation- Set timeout for Learning Limit Violations (0 integer Minimum value: 0
timer = disabled). 0 Maximum
value:
4294967295

quarantine- Quarantine mode. option - by-vlan

mode

Option Description

by-vlan Quarantined device traffic is sent to FortiGate on a separate quarantine

VLAN.

by-redirect Quarantined device traffic is redirected only to the FortiGate on the received
VLAN.

sn-dns- Enable/disable DNS resolution of the option - enable

resolution FortiSwitch unit's IP address with switch
name.

Option Description

enable Enable DNS resolution of the FortiSwitch unit's IP address with switch name.

disable Disable DNS resolution of the FortiSwitch unit's IP address with switch name.

update-user- Control which sources update the device option - mac-cache lldp
device user list. dhcp-snooping
l2-db l3-db

Option Description

mac-cache Update MAC address from switch-controller mac-cache.

lldp Update from FortiSwitch LLDP neighbor database.

dhcp-snooping Update from FortiSwitch DHCP snooping client and server databases.

l2-db Update from FortiSwitch Network-monitor Layer 2 tracking database.

l3-db Update from FortiSwitch Network-monitor Layer 3 tracking database.

vlan-all-mode VLAN configuration mode, user-defined- option - defined

vlans or all-possible-vlans.

Option Description

all Include all possible VLANs (1-4093).

defined Include user defined VLANs.

vlan-identity Identity of the VLAN. Commonly used for option - name

RADIUS Tunnel-Private-Group-Id.

FortiOS 7.4.4 CLI Reference 996

Fortinet Inc.
Parameter Description Type Size Default

Option Description

description Configure the VLAN description to that of the FortiOS interface description if
available; otherwise use the interface name.

name Configure the VLAN description to that of the FortiOS interface name.

vlan- FortiLink VLAN optimization. option - enable

optimization

Option Description

enable Enable VLAN optimization on FortiSwitch units for auto-generated trunks.

disable Disable VLAN optimization on FortiSwitch units for auto-generated trunks.

config custom-command

Parameter Description Type Size Default

command- List of FortiSwitch commands. string Maximum

entry length: 35

command- Name of custom command to push to all FortiSwitches string Maximum

name in VDOM. length: 35

FortiOS 7.4.4 CLI Reference 997

Fortinet Inc.
config switch-controller igmp-snooping

Configure FortiSwitch IGMP snooping global settings.

config switch-controller igmp-snooping
Description: Configure FortiSwitch IGMP snooping global settings.
set aging-time {integer}
set flood-unknown-multicast [enable|disable]
set query-interval {integer}
end

config switch-controller igmp-snooping

Parameter Description Type Size Default

aging-time Maximum number of seconds to retain a multicast integer Minimum 300

snooping entry for which no packets have been seen. value: 15
Maximum
value: 3600

flood- Enable/disable unknown multicast flooding. option - disable

unknown-
multicast

FortiOS 7.4.4 CLI Reference 998

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable unknown multicast flooding.

disable Disable unknown multicast flooding.

query-interval Maximum time after which IGMP query will be sent. integer Minimum 125
value: 10
Maximum
value: 1200

config switch-controller initial-config template

Configure template for auto-generated VLANs.

config switch-controller initial-config template
Description: Configure template for auto-generated VLANs.
edit <name>
set allowaccess {option1}, {option2}, ...
set auto-ip [enable|disable]
set dhcp-server [enable|disable]
set ip {ipv4-classnet-host}
set vlanid {integer}
next
end

FortiOS 7.4.4 CLI Reference 999

Fortinet Inc.
config switch-controller initial-config template

Parameter Description Type Size Default

allowaccess Permitted types of management access to this option -

interface.

Option Description

ping PING access.

https HTTPS access.

ssh SSH access.

snmp SNMP access.

http HTTP access.

telnet TELNET access.

fgfm FortiManager access.

radius-acct RADIUS accounting access.

probe-response Probe access.

fabric Security Fabric access.

ftm FTM access.

auto-ip Automatically allocate interface address and subnet option - enable

block.

Option Description

enable Enable auto-ip status.

disable Disable auto-ip status.

dhcp-server Enable/disable a DHCP server on this interface. option - disable

Option Description

enable Enable DHCP server.

disable Disable DHCP server.

ip Interface IPv4 address and subnet mask. ipv4- Not 0.0.0.0

classnet- Specified 0.0.0.0
host

name Initial config template name. string Maximum

length: 63

vlanid Unique VLAN ID. integer Minimum 0

value: 1
Maximum
value: 4094

FortiOS 7.4.4 CLI Reference 1000

Fortinet Inc.
config switch-controller initial-config vlans

Configure initial template for auto-generated VLAN interfaces.

config switch-controller initial-config vlans
Description: Configure initial template for auto-generated VLAN interfaces.
set default-vlan {string}
set nac {string}
set nac-segment {string}
set quarantine {string}
set rspan {string}
set video {string}
set voice {string}
end

config switch-controller initial-config vlans

Parameter Description Type Size Default

default-vlan Default VLAN (native) assigned to all switch ports string Maximum _default
upon discovery. length: 63

nac VLAN for NAC onboarding devices. string Maximum onboarding

length: 63

Configure FortiSwitch LLDP profiles.

config switch-controller lldp-profile
Description: Configure FortiSwitch LLDP profiles.
edit <name>
set 802 1-tlvs {option1}, {option2}, ...
set 802 3-tlvs {option1}, {option2}, ...
set auto-isl [disable|enable]
set auto-isl-auth [legacy|strict|...]
set auto-isl-auth-encrypt [none|mixed|...]
set auto-isl-auth-identity {string}
set auto-isl-auth-macsec-profile {string}

FortiOS 7.4.4 CLI Reference 1002

Fortinet Inc.
set auto-isl-auth-reauth {integer}
set auto-isl-auth-user {string}
set auto-isl-hello-timer {integer}
set auto-isl-port-group {integer}
set auto-isl-receive-timeout {integer}
set auto-mclag-icl [disable|enable]
config custom-tlvs
Description: Configuration method to edit custom TLV entries.
edit <name>
set oui {user}
set subtype {integer}
set information-string {user}
next
end
config med-location-service
Description: Configuration method to edit Media Endpoint Discovery (MED)
location service type-length-value (TLV) categories.
edit <name>
set status [disable|enable]
set sys-location-id {string}
next
end
config med-network-policy
Description: Configuration method to edit Media Endpoint Discovery (MED) network
policy type-length-value (TLV) categories.
edit <name>
set status [disable|enable]
set vlan-intf {string}
set assign-vlan [disable|enable]
set priority {integer}
set dscp {integer}
next
end
set med-tlvs {option1}, {option2}, ...
next
end

config switch-controller lldp-profile

Parameter Description Type Size Default

802 1-tlvs Transmitted IEEE 802.1 TLVs. option -

Option Description

port-vlan-id Port native VLAN TLV.

802 3-tlvs Transmitted IEEE 802.3 TLVs. option -

Option Description

max-frame-size Maximum frame size TLV.

FortiOS 7.4.4 CLI Reference 1003

Fortinet Inc.
Parameter Description Type Size Default

auto-isl-auth- Auto inter-switch LAG encryption mode. option - none

encrypt

Option Description

none No auto inter-switch-LAG encryption.

mixed Mixed auto inter-switch-LAG encryption.

must Must auto inter-switch-LAG encryption.

auto-isl-auth- Auto inter-switch LAG authentication identity. string Maximum

identity length: 63

auto-isl-auth- Auto inter-switch LAG macsec profile for encryption. string Maximum
macsec- length: 63
profile

auto-isl-auth- Auto inter-switch LAG authentication reauth period in integer Minimum 3600
reauth seconds. value: 180
Maximum
value: 3600

auto-isl-auth- Auto inter-switch LAG authentication user certificate. string Maximum

user length: 63

auto-isl-hello- Auto inter-switch LAG hello timer duration. integer Minimum 3

timer value: 1
Maximum
value: 30

FortiOS 7.4.4 CLI Reference 1004

Fortinet Inc.
Parameter Description Type Size Default

auto-isl-port- Auto inter-switch LAG port group ID. integer Minimum 0

group value: 0
Maximum
value: 9

auto-isl- Auto inter-switch LAG timeout if no response is integer Minimum 60

receive- received. value: 0
timeout Maximum
value: 90

auto-mclag-icl Enable/disable MCLAG inter chassis link. option - disable

Option Description

disable Disable auto inter-switch-LAG.

enable Enable auto inter-switch-LAG.

med-tlvs Transmitted LLDP-MED TLVs (type-length-value option -

descriptions).

Option Description

inventory- Inventory management TLVs.

management

network-policy Network policy TLVs.

power- Power manangement TLVs.

management

location- Location identificaion TLVs.

identification

name Profile name. string Maximum

length: 63

config custom-tlvs

Parameter Description Type Size Default

name TLV name (not sent). string Maximum

length: 63

oui Organizationally unique identifier (OUI), a 3-byte user Not 000000

hexadecimal number, for this TLV. Specified

subtype Organizationally defined subtype. integer Minimum 0

value: 0
Maximum
value: 255

information- Organizationally defined information string. user Not

string Specified

status Enable or disable this TLV. option - disable

Option Description

disable Do not transmit this network policy TLV.

enable Transmit this TLV if a VLAN has been addded to the port.

vlan-intf VLAN interface to advertise; if configured on port. string Maximum

length: 15

assign-vlan Enable/disable VLAN assignment when this profile is option - disable

applied on managed FortiSwitch port.

Option Description

disable Disable VLAN assignment when this profile is applied on port.

enable Enable VLAN assignment when this profile is applied on port.

priority Advertised Layer 2 priority. integer Minimum 0

value: 0
Maximum
value: 7

dscp Advertised Differentiated Services Code Point (DSCP) integer Minimum 0

value, a packet header value indicating the level of value: 0
service requested for traffic, such as high priority or best Maximum
effort delivery. value: 63

FortiOS 7.4.4 CLI Reference 1006

Fortinet Inc.
config switch-controller lldp-settings

Configure FortiSwitch LLDP settings.

config switch-controller lldp-settings
Description: Configure FortiSwitch LLDP settings.
set device-detection [disable|enable]
set fast-start-interval {integer}
set management-interface [internal|mgmt]
set tx-hold {integer}
set tx-interval {integer}
end

config switch-controller lldp-settings

Parameter Description Type Size Default

device-detection Enable/disable dynamic detection of LLDP neighbor option - enable

devices for VLAN assignment.

Option Description

disable Disable dynamic detection of LLDP neighbor devices.

enable Enable dynamic detection of LLDP neighbor devices.

FortiOS 7.4.4 CLI Reference 1007

Fortinet Inc.
Parameter Description Type Size Default

fast-start- Frequency of LLDP PDU transmission from integer Minimum 2

interval FortiSwitch for the first 4 packets when the link is up. value: 0
Maximum
value: 255

management- Primary management interface to be advertised in option - internal

interface LLDP and CDP PDUs.

Option Description

internal Use internal interface.

mgmt Use management interface.

tx-hold Number of tx-intervals before local LLDP data expires. integer Minimum 4
Packet TTL is tx-hold * tx-interval. value: 1
Maximum
value: 16

tx-interval Frequency of LLDP PDU transmission from integer Minimum 30

FortiSwitch. Packet TTL is tx-hold * tx-interval. value: 5
Maximum
value: 4095

config switch-controller location

FortiOS 7.4.4 CLI Reference 1008

Fortinet Inc.
Configure FortiSwitch location services.
config switch-controller location
Description: Configure FortiSwitch location services.
edit <name>
config address-civic
Description: Configure location civic address.
set additional {string}
set additional-code {string}
set block {string}
set branch-road {string}
set building {string}
set city {string}
set city-division {string}
set country {string}
set country-subdivision {string}
set county {string}
set direction {string}
set floor {string}
set landmark {string}
set language {string}
set name {string}
set number {string}
set number-suffix {string}
set place-type {string}
set post-office-box {string}
set postal-community {string}
set primary-road {string}
set road-section {string}
set room {string}
set script {string}
set seat {string}
set street {string}
set street-name-post-mod {string}
set street-name-pre-mod {string}
set street-suffix {string}
set sub-branch-road {string}
set trailing-str-suffix {string}
set unit {string}
set zip {string}
set parent-key {string}
end
config coordinates
Description: Configure location GPS coordinates.
set altitude {string}
set altitude-unit [m|f]
set datum [WGS84|NAD83|...]
set latitude {string}
set longitude {string}
set parent-key {string}
end
config elin-number
Description: Configure location ELIN number.
set elin-num {string}
set parent-key {string}
end

FortiOS 7.4.4 CLI Reference 1009

Fortinet Inc.
next
end

config switch-controller location

Parameter Description Type Size Default

name Unique location item name. string Maximum

length: 63

config address-civic

Parameter Description Type Size Default

city-division Location city division details. string Maximum

length: 47

length: 63

config coordinates

Parameter Description Type Size Default

altitude Plus or minus floating point number. For example, string Maximum
117.47. length: 15

altitude-unit Configure the unit for which the altitude is to (m = option - m

meters, f = floors of a building).

Option Description

m set altitude unit meters

f set altitude unit floors

datum WGS84, NAD83, NAD83/MLLW. option - WGS84

Option Description

WGS84 set coordinates datum WGS84

NAD83 set coordinates datum NAD83

NAD83/MLLW set coordinates datum NAD83/MLLW

latitude Floating point starting with +/- or ending with (N or S). string Maximum
For example, +/-16.67 or 16.67N. length: 15

longitude Floating point starting with +/- or ending with (N or S). string Maximum
For example, +/-26.789 or 26.789E. length: 15

parent-key Parent key name. string Maximum

length: 63

config elin-number

Parameter Description Type Size Default

elin-num Configure ELIN callback number. string Maximum

length: 31

parent-key Parent key name. string Maximum

length: 63

FortiOS 7.4.4 CLI Reference 1012

Fortinet Inc.
config switch-controller mac-policy

Configure MAC policy to be applied on the managed FortiSwitch devices through NAC device.
config switch-controller mac-policy
Description: Configure MAC policy to be applied on the managed FortiSwitch devices
through NAC device.
edit <name>
set bounce-port-link [disable|enable]
set count [disable|enable]
set description {string}
set fortilink {string}
set traffic-policy {string}
set vlan {string}
next
end

config switch-controller mac-policy

Parameter Description Type Size Default

bounce-port- Enable/disable bouncing (administratively bring the link option - enable

link down, up) of a switch port where this mac-policy is
applied.

FortiOS 7.4.4 CLI Reference 1013

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable bouncing (administratively bring the link down, up) of a switch port
where this mac-policy is applied.

enable Enable bouncing (administratively bring the link down, up) of a switch port
where this mac-policy is applied.

count Enable/disable packet count on the NAC device. option - disable

Option Description

disable Enable packet count on the NAC device.

enable Disable packet count on the NAC device.

description Description for the MAC policy. string Maximum

length: 63

fortilink FortiLink interface for which this MAC policy belongs to. string Maximum
length: 15

name MAC policy name. string Maximum

length: 63

traffic-policy Traffic policy to be applied when using this MAC policy. string Maximum
length: 63

vlan Ingress traffic VLAN assignment for the MAC address string Maximum
matching this MAC policy. length: 15

FortiOS 7.4.4 CLI Reference 1014

Fortinet Inc.
config switch-controller managed-switch

Configure FortiSwitch devices that are managed by this FortiGate.

config switch-controller managed-switch
Description: Configure FortiSwitch devices that are managed by this FortiGate.
edit <switch-id>
config 802-1X-settings
Description: Configuration method to edit FortiSwitch 802.1X global settings.
set local-override [enable|disable]
set link-down-auth [set-unauth|no-action]
set reauth-period {integer}
set max-reauth-attempt {integer}
set tx-period {integer}
set mab-reauth [disable|enable]
set mac-username-delimiter [colon|hyphen|...]
set mac-password-delimiter [colon|hyphen|...]
set mac-calling-station-delimiter [colon|hyphen|...]
set mac-called-station-delimiter [colon|hyphen|...]
set mac-case [lowercase|uppercase]
end
set access-profile {string}
config custom-command
Description: Configuration method to edit FortiSwitch commands to be pushed to
this FortiSwitch device upon rebooting the FortiGate switch controller or the FortiSwitch.
edit <command-entry>
set command-name {string}
next
end

FortiOS 7.4.4 CLI Reference 1015

Fortinet Inc.
set delayed-restart-trigger {integer}
set description {string}
set dhcp-server-access-list [global|enable|...]
config dhcp-snooping-static-client
Description: Configure FortiSwitch DHCP snooping static clients.
edit <name>
set vlan {string}
set ip {ipv4-address}
set mac {mac-address}
set port {string}
next
end
set directly-connected {integer}
set dynamic-capability {user}
set dynamically-discovered {integer}
set firmware-provision [enable|disable]
set firmware-provision-latest [disable|once]
set firmware-provision-version {string}
set flow-identity {user}
set fsw-wan1-admin [discovered|disable|...]
set fsw-wan1-peer {string}
config igmp-snooping
Description: Configure FortiSwitch IGMP snooping global settings.
set local-override [enable|disable]
set aging-time {integer}
set flood-unknown-multicast [enable|disable]
config vlans
Description: Configure IGMP snooping VLAN.
edit <vlan-name>
set proxy [disable|enable|...]
set querier [disable|enable]
set querier-addr {ipv4-address}
set version {integer}
next
end
end
config ip-source-guard
Description: IP source guard.
edit <port>
set description {string}
config binding-entry
Description: IP and MAC address configuration.
edit <entry-name>
set ip {ipv4-address-any}
set mac {mac-address}
next
end
next
end
set l3-discovered {integer}
set max-allowed-trunk-members {integer}
set mclag-igmp-snooping-aware [enable|disable]
set mgmt-mode {integer}
config mirror
Description: Configuration method to edit FortiSwitch packet mirror.
edit <name>

FortiOS 7.4.4 CLI Reference 1016

Fortinet Inc.
set status [active|inactive]
set switching-packet [enable|disable]
set dst {string}
set src-ingress <name1>, <name2>, ...
set src-egress <name1>, <name2>, ...
next
end
set override-snmp-community [enable|disable]
set override-snmp-sysinfo [disable|enable]
set override-snmp-trap-threshold [enable|disable]
set override-snmp-user [enable|disable]
set owner-vdom {string}
set poe-detection-type {integer}
set poe-pre-standard-detection [enable|disable]
config ports
Description: Managed-switch port list.
edit <port-name>
set port-owner {string}
set switch-id {string}
set speed [10half|10full|...]
set status [up|down]
set poe-status [enable|disable]
set ip-source-guard [disable|enable]
set ptp-status [disable|enable]
set ptp-policy {string}
set aggregator-mode [bandwidth|count]
set flapguard [enable|disable]
set flap-rate {integer}
set flap-duration {integer}
set flap-timeout {integer}
set rpvst-port [disabled|enabled]
set poe-pre-standard-detection [enable|disable]
set port-number {integer}
set port-prefix-type {integer}
set fortilink-port {integer}
set poe-capable {integer}
set stacking-port {integer}
set p2p-port {integer}
set mclag-icl-port {integer}
set authenticated-port {integer}
set restricted-auth-port {integer}
set encrypted-port {integer}
set fiber-port {integer}
set media-type {string}
set poe-standard {string}
set poe-max-power {string}
set poe-mode-bt-cabable {integer}
set poe-port-mode [ieee802-3af|ieee802-3at|...]
set poe-port-priority [critical-priority|high-priority|...]
set poe-port-power [normal|perpetual|...]
set flags {integer}
set isl-local-trunk-name {string}
set isl-peer-port-name {string}
set isl-peer-device-name {string}
set isl-peer-device-sn {string}
set fgt-peer-port-name {string}

FortiOS 7.4.4 CLI Reference 1017

Fortinet Inc.
set fgt-peer-device-name {string}
set vlan {string}
set allowed-vlans-all [enable|disable]
set allowed-vlans <vlan-name1>, <vlan-name2>, ...
set untagged-vlans <vlan-name1>, <vlan-name2>, ...
set type [physical|trunk]
set access-mode [dynamic|nac|...]
set matched-dpp-policy {string}
set matched-dpp-intf-tags {string}
set acl-group <name1>, <name2>, ...
set fortiswitch-acls <id1>, <id2>, ...
set dhcp-snooping [untrusted|trusted]
set dhcp-snoop-option82-trust [enable|disable]
config dhcp-snoop-option82-override
Description: Configure DHCP snooping option 82 override.
edit <vlan-name>
set circuit-id {string}
set remote-id {string}
next
end
set arp-inspection-trust [untrusted|trusted]
set igmp-snooping-flood-reports [enable|disable]
set mcast-snooping-flood-traffic [enable|disable]
set stp-state [enabled|disabled]
set stp-root-guard [enabled|disabled]
set stp-bpdu-guard [enabled|disabled]
set stp-bpdu-guard-timeout {integer}
set edge-port [enable|disable]
set discard-mode [none|all-untagged|...]
set packet-sampler [enabled|disabled]
set packet-sample-rate {integer}
set sflow-counter-interval {integer}
set sample-direction [tx|rx|...]
set fec-capable {integer}
set fec-state [disabled|cl74|...]
set flow-control [disable|tx|...]
set pause-meter {integer}
set pause-meter-resume [75%|50%|...]
set loop-guard [enabled|disabled]
set loop-guard-timeout {integer}
set port-policy {string}
set qos-policy {string}
set storm-control-policy {string}
set port-security-policy {string}
set export-to-pool {string}
set interface-tags <tag-name1>, <tag-name2>, ...
set learning-limit {integer}
set sticky-mac [enable|disable]
set lldp-status [disable|rx-only|...]
set lldp-profile {string}
set export-to {string}
set mac-addr {mac-address}
set allow-arp-monitor [disable|enable]
set port-selection-criteria [src-mac|dst-mac|...]
set description {string}
set lacp-speed [slow|fast]

FortiOS 7.4.4 CLI Reference 1018

Fortinet Inc.
set mode [static|lacp-passive|...]
set bundle [enable|disable]
set member-withdrawal-behavior [forward|block]
set mclag [enable|disable]
set min-bundle {integer}
set max-bundle {integer}
set members <member-name1>, <member-name2>, ...
set fallback-port {string}
next
end
set pre-provisioned {integer}
set ptp-profile {string}
set ptp-status [disable|enable]
set purdue-level [1|1.5|...]
set qos-drop-policy [taildrop|random-early-detection]
set qos-red-probability {integer}
set radius-nas-ip {ipv4-address}
set radius-nas-ip-override [disable|enable]
config remote-log
Description: Configure logging by FortiSwitch device to a remote syslog server.
edit <name>
set status [enable|disable]
set server {string}
set port {integer}
set severity [emergency|alert|...]
set csv [enable|disable]
set facility [kernel|user|...]
next
end
set route-offload [disable|enable]
set route-offload-mclag [disable|enable]
config route-offload-router
Description: Configure route offload MCLAG IP address.
edit <vlan-name>
set router-ip {ipv4-address}
next
end
set sn {string}
config snmp-community
Description: Configuration method to edit Simple Network Management Protocol
(SNMP) communities.
edit <id>
set name {string}
set status [disable|enable]
config hosts
Description: Configure IPv4 SNMP managers (hosts).
edit <id>
set ip {user}
next
end
set query-v1-status [disable|enable]
set query-v1-port {integer}
set query-v2c-status [disable|enable]
set query-v2c-port {integer}
set trap-v1-status [disable|enable]
set trap-v1-lport {integer}

FortiOS 7.4.4 CLI Reference 1019

Fortinet Inc.
set trap-v1-rport {integer}
set trap-v2c-status [disable|enable]
set trap-v2c-lport {integer}
set trap-v2c-rport {integer}
set events {option1}, {option2}, ...
next
end
config snmp-sysinfo
Description: Configuration method to edit Simple Network Management Protocol
(SNMP) system info.
set status [disable|enable]
set engine-id {string}
set description {string}
set contact-info {string}
set location {string}
end
config snmp-trap-threshold
Description: Configuration method to edit Simple Network Management Protocol
(SNMP) trap threshold values.
set trap-high-cpu-threshold {integer}
set trap-low-memory-threshold {integer}
set trap-log-full-threshold {integer}
end
config snmp-user
Description: Configuration method to edit Simple Network Management Protocol
(SNMP) users.
edit <name>
set queries [disable|enable]
set query-port {integer}
set security-level [no-auth-no-priv|auth-no-priv|...]
set auth-proto [md5|sha1|...]
set auth-pwd {password}
set priv-proto [aes128|aes192|...]
set priv-pwd {password}
next
end
set staged-image-version {string}
config static-mac
Description: Configuration method to edit FortiSwitch Static and Sticky MAC.
edit <id>
set type [static|sticky]
set vlan {string}
set mac {mac-address}
set interface {string}
set description {string}
next
end
config storm-control
Description: Configuration method to edit FortiSwitch storm control for
measuring traffic activity using data rates to prevent traffic disruption.
set local-override [enable|disable]
set rate {integer}
set unknown-unicast [enable|disable]
set unknown-multicast [enable|disable]
set broadcast [enable|disable]
end

FortiOS 7.4.4 CLI Reference 1020

Fortinet Inc.
config stp-instance
Description: Configuration method to edit Spanning Tree Protocol (STP)
instances.
edit <id>
set priority [0|4096|...]
next
end
config stp-settings
Description: Configuration method to edit Spanning Tree Protocol (STP) settings
used to prevent bridge loops.
set local-override [enable|disable]
set name {string}
set revision {integer}
set hello-time {integer}
set forward-time {integer}
set max-age {integer}
set max-hops {integer}
set pending-timer {integer}
end
set switch-device-tag {string}
set switch-dhcp_opt43_key {string}
config switch-log
Description: Configuration method to edit FortiSwitch logging settings (logs are
transferred to and inserted into the FortiGate event log).
set local-override [enable|disable]
set status [enable|disable]
set severity [emergency|alert|...]
end
set switch-profile {string}
set tdr-supported {string}
set tunnel-discovered {integer}
set type [virtual|physical]
set version {integer}
config vlan
Description: Configure VLAN assignment priority.
edit <vlan-name>
set assignment-priority {integer}
next
end
next
end

config switch-controller managed-switch

Parameter Description Type Size Default

access-profile FortiSwitch access string Maximum default

profile. length: 31

delayed- Delayed restart integer Minimum 0

restart-trigger triggered for this value: 0
FortiSwitch. Maximum
value: 255

FortiOS 7.4.4 CLI Reference 1021

Fortinet Inc.
Parameter Description Type Size Default

description Description. string Maximum

length: 63

dhcp-server- DHCP snooping option - global

access-list server access list.

Option Description

global Use global setting for DHCP snooping server access list.

enable Override global setting and enable DHCP server access list.

disable Override global setting and disable DHCP server access list.

directly- Directly connected integer Minimum 0

connected FortiSwitch. value: 0
Maximum
value: 1

dynamic- List of features this user Not 0x00000000000000000000000000000000

capability FortiSwitch supports Specified
(not configurable) that
is sent to the FortiGate
device for subsequent
configuration initiated
by the FortiGate
device.

dynamically- Dynamically integer Minimum 0

discovered discovered value: 0
FortiSwitch. Maximum
value: 1

firmware- Enable/disable option - disable

provision provisioning of
firmware to
FortiSwitches on join
connection.

Option Description

enable Enable firmware-provision.

disable Disable firmware-provision.

firmware- Enable/disable one- option - disable

provision- time automatic
latest provisioning of the
latest firmware
version.

FortiOS 7.4.4 CLI Reference 1022

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Do not automatically provision the latest available firmware.

once Automatically attempt a one-time upgrade to the latest available firmware

version.

firmware- Firmware version to string Maximum

provision- provision to this length: 35
version FortiSwitch on bootup
(major.minor.build, i.e.
6.2.1234).

flow-identity Flow-tracking netflow user Not 00000000

ipfix switch identity in Specified
hex format.

fsw-wan1- FortiSwitch WAN1 option - discovered

admin admin status; enable
to authorize the
FortiSwitch as a
managed switch.

Option Description

discovered Link waiting to be authorized.

disable Link unauthorized.

enable Link authorized.

fsw-wan1-peer FortiSwitch WAN1 string Maximum

peer port. length: 35

l3-discovered Layer 3 management integer Minimum 0

discovered. value: 0
Maximum
value: 1

max-allowed- FortiSwitch maximum integer Minimum 0

trunk- allowed trunk value: 0
members members. Maximum
value: 255

mclag-igmp- Enable/disable option - enable

snooping- MCLAG IGMP-
aware snooping awareness.

Option Description

enable Enable MCLAG IGMP-snooping awareness.

FortiOS 7.4.4 CLI Reference 1023

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable MCLAG IGMP-snooping awareness.

enable Override the global SNMPv3 users.

disable Use the global SNMPv3 users.

FortiOS 7.4.4 CLI Reference 1024

Fortinet Inc.
Parameter Description Type Size Default

owner-vdom VDOM which owner of string Maximum

port belongs to. length: 31

poe-detection- PoE detection type for integer Minimum 0

type FortiSwitch. value: 0
Maximum
value: 255

poe-pre- Enable/disable PoE option - disable

standard- pre-standard
detection detection.

Option Description

enable Enable PoE pre-standard detection.

disable Disable PoE pre-standard detection.

pre- Pre-provisioned integer Minimum 0

provisioned managed switch. value: 0
Maximum
value: 255

ptp-profile PTP profile string Maximum default

configuration. length: 63

ptp-status Enable/disable PTP option - disable

profile on this
FortiSwitch.

Option Description

disable Disable PTP profile.

enable Enable PTP profile.

purdue-level Purdue Level of this option - 3

FortiSwitch.

Option Description

1 Level 1 - Basic Control

1.5 Level 1.5

2 Level 2 - Area Supervisory Control

2.5 Level 2.5

3 Level 3 - Operations & Control

3.5 Level 3.5

4 Level 4 - Business Planning & Logistics

FortiOS 7.4.4 CLI Reference 1025

Fortinet Inc.
Parameter Description Type Size Default

Option Description

5 Level 5 - Enterprise Network

5.5 Level 5.5

qos-drop- Set QoS drop-policy. option - taildrop

policy

Option Description

taildrop Taildrop policy.

random-early- Random early detection drop policy.

detection

qos-red- Set QoS RED/WRED integer Minimum 12

probability drop probability. value: 0
Maximum
value: 100

radius-nas-ip NAS-IP address. ipv4- Not 0.0.0.0

address Specified

radius-nas-ip- Use locally defined option - disable

override NAS-IP.

Option Description

disable Disable radius-nas-ip-override.

enable Enable radius-nas-ip-override.

route-offload Enable/disable route option - disable

offload on this
FortiSwitch.

Option Description

disable Disable route offload.

enable Enable route offload.

route-offload- Enable/disable route option - disable

mclag offload MCLAG on this
FortiSwitch.

Option Description

disable Disable route offload MCLAG.

enable Enable route offload MCLAG.

FortiOS 7.4.4 CLI Reference 1026

Fortinet Inc.
Parameter Description Type Size Default

sn Managed-switch serial string Maximum

number. length: 16

staged-image- Staged image version string Maximum

version for FortiSwitch. length: 127

switch-device- User definable string Maximum

tag label/tag. length: 32

switch-dhcp_ DHCP option43 key. string Maximum

opt43_key length: 63

switch-id Managed-switch string Maximum

name. length: 16

switch-profile FortiSwitch profile. string Maximum default

length: 35

tdr-supported TDR supported. string Maximum

length: 31

tunnel- SOCKS tunnel integer Minimum 0

discovered management value: 0
discovered. Maximum
value: 1

type Indication of switch option - physical

type, physical or
virtual.

Option Description

virtual Switch is of type virtual.

physical Switch is of type physical.

version FortiSwitch version. integer Minimum 0

value: 0
Maximum
value: 255

config 802-1X-settings

Parameter Description Type Size Default

local-override Enable to override global 802.1X settings on individual option - disable

FortiSwitches.

Option Description

enable Override global 802.1X settings.

disable Use global 802.1X settings.

FortiOS 7.4.4 CLI Reference 1027

Fortinet Inc.
Parameter Description Type Size Default

link-down- Authentication state to set if a link is down. option - set-unauth

auth

Option Description

set-unauth Interface set to unauth when down. Reauthentication is needed.

no-action Interface reauthentication is not needed.

reauth-period Reauthentication time interval. integer Minimum 60

value: 0
Maximum
value: 1440

max-reauth- Maximum number of authentication attempts. integer Minimum 3

attempt value: 0
Maximum
value: 15

tx-period 802.1X Tx period. integer Minimum 30

value: 12
Maximum
value: 60

mab-reauth Enable or disable MAB reauthentication settings. option - disable

Option Description

disable Disable MAB re-authentication setttings.

enable Enable MAB re-authentication setttings.

mac- MAC authentication username delimiter. option - hyphen

username-
delimiter

Option Description

colon Use colon as delimiter for MAC auth username.

hyphen Use hyphen as delimiter for MAC auth username.

colon Use colon as delimiter for called station.

hyphen Use hyphen as delimiter for called station.

none No delimiter for called station.

single-hyphen Use single hyphen as delimiter for called station.

mac-case MAC case. option - lowercase

Option Description

lowercase Use lowercase MAC.

uppercase Use uppercase MAC.

config custom-command

Parameter Description Type Size Default

command- List of FortiSwitch commands. string Maximum

entry length: 35

FortiOS 7.4.4 CLI Reference 1029

Fortinet Inc.
Parameter Description Type Size Default

command- Names of commands to be pushed to this FortiSwitch string Maximum

name device, as configured under config switch-controller length: 35
custom-command.

config dhcp-snooping-static-client

Parameter Description Type Size Default

name Client name. string Maximum

length: 35

vlan VLAN name. string Maximum

length: 15

ip Client static IP address. ipv4- Not 0.0.0.0

address Specified

mac Client MAC address. mac- Not 00:00:00:00:00:00

address Specified

port Interface name. string Maximum

length: 15

config igmp-snooping

Parameter Description Type Size Default

local-override Enable/disable overriding the global IGMP snooping option - disable

configuration.

Option Description

enable Override the global IGMP snooping configuration.

disable Use the global IGMP snooping configuration.

aging-time Maximum time to retain a multicast snooping entry for integer Minimum 300
which no packets have been seen. value: 15
Maximum
value: 3600

flood- Enable/disable unknown multicast flooding. option - disable

unknown-
multicast

Option Description

enable Enable unknown multicast flooding.

disable Disable unknown multicast flooding.

FortiOS 7.4.4 CLI Reference 1030

Fortinet Inc.
config vlans

Parameter Description Type Size Default

vlan-name List of FortiSwitch VLANs. string Maximum default

length: 15

proxy IGMP snooping proxy for the VLAN interface. option - global

Option Description

disable Disable IGMP snooping proxy on VLAN interface.

enable Enable IGMP snooping proxy on VLAN interface.

global Use global setting for IGMP snooping proxy on VLAN interface.

querier Enable/disable IGMP snooping querier for the VLAN option - disable
interface.

Option Description

disable Disable IGMP snooping querier on VLAN interface.

enable Enable IGMP snooping querier on VLAN interface.

querier-addr IGMP snooping querier address. ipv4- Not 0.0.0.0

address Specified

version IGMP snooping querying version. integer Minimum 2

value: 2
Maximum
value: 3

config ip-source-guard

Parameter Description Type Size Default

port Ingress interface to which source guard is bound. string Maximum

length: 15

description Description. string Maximum

length: 63

config binding-entry

Parameter Description Type Size Default

entry-name Configure binding pair. string Maximum

length: 16

FortiOS 7.4.4 CLI Reference 1031

Fortinet Inc.
Parameter Description Type Size Default

ip Source IP for this rule. ipv4- Not 0.0.0.0

address- Specified
any

mac MAC address for this rule. mac- Not 00:00:00:00:00:00

address Specified

config mirror

Parameter Description Type Size Default

name Mirror name. string Maximum

length: 63

status Active/inactive mirror configuration. option - inactive

Option Description

active Activate mirror configuration.

inactive Deactivate mirror configuration.

switching- Enable/disable switching functionality when mirroring. option - disable

packet

Option Description

enable Enable switching functionality when mirroring.

disable Disable switching functionality when mirroring.

dst Destination port. string Maximum

length: 63

src-ingress Source ingress interfaces. string Maximum

<name> Interface name. length: 79

src-egress Source egress interfaces. string Maximum

<name> Interface name. length: 79

config ports

Parameter Description Type Size Default

port-name Switch port name. string Maximum

length: 15

port-owner Switch port name. string Maximum

length: 15

FortiOS 7.4.4 CLI Reference 1032

Fortinet Inc.
Parameter Description Type Size Default

switch-id Switch id. string Maximum

length: 16

speed Switch port speed; default and available option - auto

settings depend on hardware.

Option Description

10half 10M half-duplex.

10full 10M full-duplex.

100half 100M half-duplex.

100full 100M full-duplex.

1000full 1G full-duplex

10000full 10G full-duplex

auto Auto-negotiation.

1000auto Auto-negotiation (1G full-duplex only).

1000full-fiber 1G full-duplex (fiber SFPs only)

40000full 40G full-duplex

auto-module Auto Module.

100FX-half 100Mbps half-duplex.100Base-FX.

100FX-full 100Mbps full-duplex.100Base-FX.

100000full 100Gbps full-duplex.

2500auto Auto-Negotiation (2.5Gbps Only).

2500full 2.5Gbps full-duplex.

25000full 25Gbps full-duplex.

50000full 50Gbps full-duplex.

10000cr 10Gbps copper interface.

10000sr 10Gbps SFI interface.

100000sr4 100Gbps SFI interface.

100000cr4 100Gbps copper interface.

40000sr4 40Gbps SFI interface.

40000cr4 40Gbps copper interface.

40000auto Auto-Negotiation (40Gbps Only).

FortiOS 7.4.4 CLI Reference 1033

Fortinet Inc.
Parameter Description Type Size Default

Option Description

25000cr 25Gbps copper interface.

25000sr 25Gbps SFI interface.

50000cr 50Gbps copper interface.

50000sr 50Gbps SFI interface.

5000auto 5Gbps full-duplex.

status Switch port admin status: up or down. option - up

Option Description

up Set admin status up.

down Set admin status down.

poe-status Enable/disable PoE status. option - enable

flap-duration Period over which flap events are integer Minimum 30

calculated (seconds). value: 5
Maximum
value: 300

flap-timeout Flap guard disabling protection (min). integer Minimum 0

value: 0
Maximum
value: 120

rpvst-port Enable/disable inter-operability with rapid option - disabled

PVST on this interface.

Option Description

disabled Disable inter-operability with rapid PVST on this interface.

enabled Enable inter-operability with rapid PVST on this interface.

poe-pre- Enable/disable PoE pre-standard option - disable

standard- detection.
detection

cabable value: 0
Maximum
value: 1

poe-port-mode Configure PoE port mode. option - ieee802-3at

Option Description

ieee802-3af IEEE802.3 AF.

ieee802-3at IEEE802.3 AT.

ieee802-3bt IEEE802.3 BT.

poe-port-priority Configure PoE port priority. option - low-priority

Option Description

critical-priority Critical Priority.

high-priority High Priority.

low-priority Low Priority.

medium-priority Medium Priority.

poe-port-power Configure PoE port power. option - normal

Option Description

normal Power not delivered during boot.

vlan Assign switch ports to a VLAN. string Maximum

length: 15

allowed-vlans-all Enable/disable all defined vlans on this option - disable

port.

Option Description

enable Enable all defined VLANs on this port.

disable Disable all defined VLANs on this port.

allowed-vlans Configure switch port tagged VLANs. string Maximum

<vlan-name> VLAN name. length: 79

untagged-vlans Configure switch port untagged VLANs. string Maximum

<vlan-name> VLAN name. length: 79

type Interface type: physical or trunk port. option - physical

Option Description

physical Physical port.

trunk Trunk port.

access-mode Access mode of the port. option - static

Option Description

dynamic Dynamic mode.

nac NAC mode.

static Static mode.

matched-dpp- Matched child policy in the dynamic port string Maximum

policy policy. length: 63

FortiOS 7.4.4 CLI Reference 1038

Fortinet Inc.
Parameter Description Type Size Default

matched-dpp- Matched interface tags in the dynamic string Maximum

intf-tags port policy. length: 63

acl-group ACL groups on this port. string Maximum

<name> ACL group name. length: 79

fortiswitch-acls ACLs on this port. integer Minimum

<id> ACL ID. value: 0
Maximum
value:
4294967295

dhcp-snooping Trusted or untrusted DHCP-snooping option - untrusted

interface.

Option Description

untrusted Untrusted DHCP snooping interface.

trusted Trusted DHCP snooping interface.

dhcp-snoop- Enable/disable allowance of DHCP with option - disable

option82-trust option-82 on untrusted interface.

Option Description

enable Enable allowance of DHCP with option-82 on untrusted interface.

disable Disable allowance of DHCP with option-82 on untrusted interface.

arp-inspection- Trusted or untrusted dynamic ARP option - untrusted

trust inspection.

Option Description

untrusted Untrusted dynamic ARP inspection.

trusted Trusted dynamic ARP inspection.

igmp-snooping- Enable/disable flooding of IGMP reports option - disable

flood-reports to this interface when igmp-snooping
enabled.

Option Description

enable Enable flooding of IGMP snooping reports to this interface.

disable Disable flooding of IGMP snooping reports to this interface.

mcast-snooping- Enable/disable flooding of IGMP option - disable

flood-traffic snooping traffic to this interface.

disabled Disable packet sampling on this interface.

packet-sample- Packet sampling rate. integer Minimum 512

rate value: 0
Maximum
value: 99999

sflow-counter- sFlow sampling counter polling interval in integer Minimum 0

interval seconds. value: 0
Maximum
value: 255

sample-direction Packet sampling direction. option - both

Option Description

tx Monitor transmitted traffic.

rx Monitor received traffic.

both Monitor transmitted and received traffic.

fec-capable FEC capable. integer Minimum 0

value: 0
Maximum
value: 1

fec-state State of forward error correction. option - detect-by-module

Option Description

disabled Disable forward error correction.

cl74 Enable Clause 74 FC-FEC, which only applies to 25Gbps.

cl91 Enable Clause 91 RS-FEC, which only applies to 100Gbps.

detect-by- FEC supported by module.

module

FortiOS 7.4.4 CLI Reference 1041

Fortinet Inc.
Parameter Description Type Size Default

flow-control Flow control direction. option - disable

Option Description

disable Disable flow control.

tx Enable flow control for transmission pause control frames.

rx Enable flow control for receive pause control frames.

both Enable flow control for both transmission and receive pause control frames.

pause-meter Configure ingress pause metering rate, in integer Minimum 0

kbps. value: 128
Maximum
value:
2147483647

pause-meter- Resume threshold for resuming traffic on option - 50%

resume ingress port.

Option Description

75% Back pressure state won't be cleared until bucket count falls below 75% of
pause threshold.

50% Back pressure state won't be cleared until bucket count falls below 50% of
pause threshold.

tx-rx Enable LLDP TX and RX.

lldp-profile LLDP port TLV profile. string Maximum default-auto-isl

length: 63

export-to Export managed-switch port to a tenant string Maximum

VDOM. length: 31

mac-addr Port/Trunk MAC. mac- Not Specified 00:00:00:00:00:00

address

FortiOS 7.4.4 CLI Reference 1043

Fortinet Inc.
Parameter Description Type Size Default

allow-arp- Enable/Disable allow ARP monitor. option - disable

monitor

Option Description

disable Disable allow ARP monitor.

enable Enable allow ARP monitor.

port-selection- Algorithm for aggregate port selection. option - src-dst-ip

criteria

Option Description

src-mac Source MAC address.

dst-mac Destination MAC address.

src-dst-mac Source and destination MAC address.

src-ip Source IP address.

dst-ip Destination IP address.

src-dst-ip Source and destination IP address.

description Description for port. string Maximum

length: 63

lacp-speed End Link Aggregation Control Protocol option - slow

(LACP) messages every 30 seconds
(slow) or every second (fast).

Option Description

slow Send LACP message every 30 seconds.

fast Send LACP message every second.

mode LACP mode: ignore and do not send option - static

control messages, or negotiate 802.3ad
aggregation passively or actively.

Option Description

static Static aggregation, do not send and ignore any control messages.

lacp-passive Passively use LACP to negotiate 802.3ad aggregation.

lacp-active Actively use LACP to negotiate 802.3ad aggregation.

enable Enable MCLAG.

disable Disable MCLAG.

min-bundle Minimum size of LAG bundle. integer Minimum 1

value: 1
Maximum
value: 24

max-bundle Maximum size of LAG bundle. integer Minimum 24

value: 1
Maximum
value: 24

members Aggregated LAG bundle interfaces. string Maximum

<member- Interface name from available options. length: 79
name>

fallback-port LACP fallback port. string Maximum

length: 79

config dhcp-snoop-option82-override

Parameter Description Type Size Default

vlan-name DHCP snooping option 82 VLAN. string Maximum

length: 15

circuit-id Circuit ID string. string Maximum

length: 254

FortiOS 7.4.4 CLI Reference 1045

Fortinet Inc.
Parameter Description Type Size Default

remote-id Remote ID string. string Maximum

length: 254

config remote-log

Parameter Description Type Size Default

name Remote log name. string Maximum

length: 35

status Enable/disable logging by FortiSwitch device to a option - disable

remote syslog server.

Option Description

enable Enable logging by FortiSwitch device to a remote syslog server.

disable Disable logging by FortiSwitch device to a remote syslog server.

server IPv4 address of the remote syslog server. string Maximum

length: 63

port Remote syslog server listening port. integer Minimum 514

value: 0
Maximum
value:
65535

severity Severity of logs to be transferred to remote log server. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

csv Enable/disable comma-separated value (CSV) strings. option - disable

Option Description

enable Enable comma-separated value (CSV) strings.

disable Disable comma-separated value (CSV) strings.

FortiOS 7.4.4 CLI Reference 1046

Fortinet Inc.
Parameter Description Type Size Default

facility Facility to log to remote syslog server. option - local7

Option Description

kernel Kernel messages.

user Random user-level messages.

mail Mail system.

daemon System daemons.

auth Security/authorization messages.

syslog Messages generated internally by syslogd.

lpr Line printer subsystem.

news Network news subsystem.

uucp UUCP server messages.

cron Clock daemon.

authpriv Security/authorization messages (private).

ftp FTP daemon.

ntp NTP daemon.

audit Log audit.

alert Log alert.

clock Clock daemon.

local0 Reserved for local use.

local1 Reserved for local use.

local2 Reserved for local use.

local3 Reserved for local use.

local4 Reserved for local use.

local5 Reserved for local use.

local6 Reserved for local use.

local7 Reserved for local use.

config route-offload-router

Parameter Description Type Size Default

vlan-name VLAN name. string Maximum

length: 15

FortiOS 7.4.4 CLI Reference 1047

Fortinet Inc.
Parameter Description Type Size Default

router-ip Router IP address. ipv4- Not 0.0.0.0

address Specified

config snmp-community

Parameter Description Type Size Default

id SNMP community ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name SNMP community name. string Maximum

length: 35

status Enable/disable this SNMP community. option - enable

Option Description

disable Disable SNMP community.

enable Enable SNMP community.

query-v1- Enable/disable SNMP v1 queries. option - enable

status

Option Description

disable Disable SNMP v1 queries.

enable Enable SNMP v1 queries.

query-v1-port SNMP v1 query port. integer Minimum 161

value: 0
Maximum
value: 65535

query-v2c- Enable/disable SNMP v2c queries. option - enable

status

Option Description

disable Disable SNMP v2c queries.

enable Enable SNMP v2c queries.

query-v2c- SNMP v2c query port. integer Minimum 161

port value: 0
Maximum
value: 65535

FortiOS 7.4.4 CLI Reference 1048

Fortinet Inc.
Parameter Description Type Size Default

trap-v1-status Enable/disable SNMP v1 traps. option - enable

Option Description

disable Disable SNMP v1 traps.

enable Enable SNMP v1 traps.

trap-v1-lport SNMP v2c trap local port. integer Minimum 162

value: 0
Maximum
value: 65535

trap-v1-rport SNMP v2c trap remote port. integer Minimum 162

value: 0
Maximum
value: 65535

trap-v2c- Enable/disable SNMP v2c traps. option - enable

status

Option Description

disable Disable SNMP v2c traps.

enable Enable SNMP v2c traps.

trap-v2c-lport SNMP v2c trap local port. integer Minimum 162

value: 0
Maximum
value: 65535

trap-v2c-rport SNMP v2c trap remote port. integer Minimum 162

value: 0
Maximum
value: 65535

events SNMP notifications (traps) to send. option - cpu-high

mem-low
log-full intf-
ip ent-conf-
change

Option Description

cpu-high Send a trap when CPU usage too high.

mem-low Send a trap when available memory is low.

log-full Send a trap when log disk space becomes low.

intf-ip Send a trap when an interface IP address is changed.

ent-conf-change Send a trap when an entity MIB change occurs (RFC4133).

FortiOS 7.4.4 CLI Reference 1049

Fortinet Inc.
config hosts

Parameter Description Type Size Default

id Host entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

ip IPv4 address of the SNMP manager (host). user Not Specified

config snmp-sysinfo

Parameter Description Type Size Default

status Enable/disable SNMP. option - disable

Option Description

disable Disable SNMP.

enable Enable SNMP.

engine-id Local SNMP engine ID string (max 24 char). string Maximum

length: 24

description System description. string Maximum

length: 35

contact-info Contact information. string Maximum

length: 35

location System location. string Maximum

length: 35

config snmp-trap-threshold

Parameter Description Type Size Default

trap-high-cpu- CPU usage when trap is sent. integer Minimum 80

threshold value: 0
Maximum
value:
4294967295

trap-low- Memory usage when trap is sent. integer Minimum 80

memory- value: 0
threshold Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1050

Fortinet Inc.
Parameter Description Type Size Default

trap-log-full- Log disk usage when trap is sent. integer Minimum 90

threshold value: 0
Maximum
value:
4294967295

config snmp-user

Parameter Description Type Size Default

name SNMP user name. string Maximum

length: 32

queries Enable/disable SNMP queries for this user. option - enable

Option Description

disable Disable SNMP queries for this user.

enable Enable SNMP queries for this user.

query-port SNMPv3 query port. integer Minimum 161

value: 0
Maximum
value:
65535

security-level Security level for message authentication and option - no-auth-no-

encryption. priv

Option Description

no-auth-no-priv Message with no authentication and no privacy (encryption).

auth-no-priv Message with authentication but no privacy (encryption).

auth-priv Message with authentication and privacy (encryption).

auth-proto Authentication protocol. option - sha256

Option Description

md5 HMAC-MD5-96 authentication protocol.

sha1 HMAC-SHA-1 authentication protocol.

sha224 HMAC-SHA-224 authentication protocol.

sha256 HMAC-SHA-256 authentication protocol.

sha384 HMAC-SHA-384 authentication protocol.

sha512 HMAC-SHA-512 authentication protocol.

FortiOS 7.4.4 CLI Reference 1051

Fortinet Inc.
Parameter Description Type Size Default

auth-pwd Password for authentication protocol. password Not

Specified

priv-proto Privacy (encryption) protocol. option - aes128

Option Description

aes128 CFB128-AES-128 symmetric encryption protocol.

aes192 CFB128-AES-192 symmetric encryption protocol.

aes192c CFB128-AES-192-C symmetric encryption protocol.

aes256 CFB128-AES-256 symmetric encryption protocol.

aes256c CFB128-AES-256-C symmetric encryption protocol.

des CBC-DES symmetric encryption protocol.

priv-pwd Password for privacy (encryption) protocol. password Not

Specified

config static-mac

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

type Type. option - static

Option Description

static Static MAC.

sticky Sticky MAC.

vlan Vlan. string Maximum

length: 15

mac MAC address. mac- Not Specified 00:00:00:00:00:00

address

interface Interface name. string Maximum

length: 35

description Description. string Maximum

length: 63

FortiOS 7.4.4 CLI Reference 1052

Fortinet Inc.
config storm-control

Parameter Description Type Size Default

local-override Enable to override global FortiSwitch storm control option - disable

settings for this FortiSwitch.

Option Description

enable Override global storm control settings.

disable Use global storm control settings.

rate Rate in packets per second at which storm control integer Minimum 500
drops excess traffic. value: 0
Maximum
value:
10000000

unknown- Enable/disable storm control to drop unknown unicast option - disable

unicast traffic.

Option Description

enable Drop unknown unicast traffic.

disable Allow unknown unicast traffic.

unknown- Enable/disable storm control to drop unknown multicast option - disable

multicast traffic.

Option Description

enable Drop unknown multicast traffic.

disable Allow unknown multicast traffic.

broadcast Enable/disable storm control to drop broadcast traffic. option - disable

Option Description

enable Drop broadcast traffic.

disable Allow broadcast traffic.

config stp-instance

Parameter Description Type Size Default

id Instance ID. string Maximum

length: 2

priority Priority. option - 32768

FortiOS 7.4.4 CLI Reference 1053

Fortinet Inc.
Parameter Description Type Size Default

Option Description

0 0.

4096 4096.

8192 8192.

12288 12288.

16384 16384.

20480 20480.

24576 24576.

28672 28672.

32768 32768.

36864 36864.

40960 40960.

45056 45056.

49152 49152.

53248 53248.

57344 57344.

61440 61440.

config stp-settings

Parameter Description Type Size Default

local-override Enable to configure local STP settings that override option - disable
global STP settings.

Option Description

enable Override global STP settings.

disable Use global STP settings.

name Name of local STP settings configuration. string Maximum

length: 31

revision STP revision number. integer Minimum 0

value: 0
Maximum
value:
65535

FortiOS 7.4.4 CLI Reference 1054

Fortinet Inc.
Parameter Description Type Size Default

hello-time Period of time between successive STP frame Bridge integer Minimum 2
Protocol Data Units. value: 1
Maximum
value: 10

forward-time Period of time a port is in listening and learning state. integer Minimum 15
value: 4
Maximum
value: 30

max-age Maximum time before a bridge port saves its integer Minimum 20
configuration BPDU information. value: 6
Maximum
value: 40

max-hops Maximum number of hops between the root bridge and integer Minimum 20
the furthest bridge. value: 1
Maximum
value: 40

pending-timer Pending time. integer Minimum 4

value: 1
Maximum
value: 15

config switch-log

Parameter Description Type Size Default

local-override Enable to configure local logging settings that override option - disable
global logging settings.

Option Description

enable Override global logging settings.

disable Use global logging settings.

status Enable/disable adding FortiSwitch logs to the FortiGate option - enable

event log.

Option Description

enable Add FortiSwitch logs to the FortiGate event log.

disable Do not add FortiSwitch logs to the FortiGate event log.

severity Severity of FortiSwitch logs that are added to the option - notification
FortiGate event log.

FortiOS 7.4.4 CLI Reference 1055

Fortinet Inc.
Parameter Description Type Size Default

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

config vlan

Parameter Description Type Size Default

vlan-name VLAN name. string Maximum

length: 15

assignment- 802.1x Radius (Tunnel-Private-Group-Id) VLANID integer Minimum 128

priority assign-by-name priority. A smaller value has a higher value: 1
priority. Maximum
value: 255

FortiOS 7.4.4 CLI Reference 1056

Fortinet Inc.
config switch-controller network-monitor-settings

Configure network monitor settings.

config switch-controller network-monitor-settings
Description: Configure network monitor settings.
set network-monitoring [enable|disable]
end

config switch-controller network-monitor-settings

Parameter Description Type Size Default

network- Enable/disable passive gathering of information by option - disable

monitoring FortiSwitch units concerning other network devices.

Option Description

enable Enable network monitoring on FortiSwitch.

disable Disable network monitoring on FortiSwitch.

FortiOS 7.4.4 CLI Reference 1057

Fortinet Inc.
config switch-controller ptp interface-policy

PTP interface-policy configuration.

config switch-controller ptp interface-policy
Description: PTP interface-policy configuration.
edit <name>
set description {string}
set vlan {string}
set vlan-pri {integer}
next
end

config switch-controller ptp interface-policy

Parameter Description Type Size Default

description Description. string Maximum

length: 63

name Policy name. string Maximum

length: 63

vlan PTP VLAN. string Maximum

length: 15

FortiOS 7.4.4 CLI Reference 1058

Fortinet Inc.
Parameter Description Type Size Default

vlan-pri Configure PTP VLAN priority. integer Minimum 4

value: 0
Maximum
value: 7

config switch-controller ptp profile

Global PTP profile.

config switch-controller ptp profile
Description: Global PTP profile.
edit <name>
set description {string}
set domain {integer}
set mode [transparent-e2e|transparent-p2p]
set pdelay-req-interval [1sec|2sec|...]
set ptp-profile {option}
set transport {option}
next
end

FortiOS 7.4.4 CLI Reference 1059

Fortinet Inc.
config switch-controller ptp profile

Parameter Description Type Size Default

description Description. string Maximum

length: 63

domain Configure PTP domain value. integer Minimum 254

value: 0
Maximum
value: 255

mode Select PTP mode. option - transparent-

e2e

Option Description

transparent-e2e End-to-end transparent clock.

transparent-p2p Peer-to-peer transparent clock.

name Profile name. string Maximum

length: 63

pdelay-req- Configure PTP peer delay request interval. option - 1sec

interval

Option Description

1sec 1 sec.

2sec 2 sec.

4sec 4 sec.

8sec 8 sec.

16sec 16 sec.

32sec 32 sec.

ptp-profile Configure PTP power profile. option - C37.238-2017

Option Description

C37.238-2017 C37.238-2017 power profile.

transport Configure PTP transport mode. option - l2-mcast

Option Description

l2-mcast L2 multicast.

FortiOS 7.4.4 CLI Reference 1060

Fortinet Inc.
config switch-controller qos dot1p-map

Configure FortiSwitch QoS 802.1p.

config switch-controller qos dot1p-map
Description: Configure FortiSwitch QoS 802.1p.
edit <name>
set description {string}
set egress-pri-tagging [disable|enable]
set priority-0 [queue-0|queue-1|...]
set priority-1 [queue-0|queue-1|...]
set priority-2 [queue-0|queue-1|...]
set priority-3 [queue-0|queue-1|...]
set priority-4 [queue-0|queue-1|...]
set priority-5 [queue-0|queue-1|...]
set priority-6 [queue-0|queue-1|...]
set priority-7 [queue-0|queue-1|...]
next
end

config switch-controller qos dot1p-map

Parameter Description Type Size Default

description Description of the 802.1p name. string Maximum

length: 63

FortiOS 7.4.4 CLI Reference 1061

Fortinet Inc.
Parameter Description Type Size Default

egress-pri- Enable/disable egress priority-tag frame. option - disable

tagging

queue-1 COS queue 1.

priority-5 COS queue mapped to dot1p priority number. option - queue-0

Option Description

queue-0 COS queue 0 (lowest priority).

queue-1 COS queue 1.

queue-2 COS queue 2.

queue-3 COS queue 3.

queue-4 COS queue 4.

queue-5 COS queue 5.

queue-6 COS queue 6.

queue-7 COS queue 7 (highest priority).

priority-6 COS queue mapped to dot1p priority number. option - queue-0

Option Description

queue-0 COS queue 0 (lowest priority).

queue-1 COS queue 1.

queue-2 COS queue 2.

queue-3 COS queue 3.

queue-4 COS queue 4.

queue-5 COS queue 5.

queue-6 COS queue 6.

queue-7 COS queue 7 (highest priority).

priority-7 COS queue mapped to dot1p priority number. option - queue-0

Option Description

queue-0 COS queue 0 (lowest priority).

queue-1 COS queue 1.

queue-2 COS queue 2.

queue-3 COS queue 3.

queue-4 COS queue 4.

queue-5 COS queue 5.

queue-6 COS queue 6.

queue-7 COS queue 7 (highest priority).

AF13 DSCP AF13.

CS2 DSCP CS2.

AF21 DSCP AF21.

AF22 DSCP AF22.

AF23 DSCP AF23.

CS3 DSCP CS3.

AF31 DSCP AF31.

AF32 DSCP AF32.

AF33 DSCP AF33.

CS4 DSCP CS4.

AF41 DSCP AF41.

AF42 DSCP AF42.

AF43 DSCP AF43.

CS5 DSCP CS5.

EF DSCP EF.

FortiOS 7.4.4 CLI Reference 1066

Fortinet Inc.
Parameter Description Type Size Default

Option Description

CS6 DSCP CS6.

CS7 DSCP CS7.

ip-precedence IP Precedence. option -

Option Description

network-control Network control.

internetwork- Internetwork control.

control

critic-ecp Critic ECP.

flashoverride Flash override.

flash Flash.

immediate Immediate.

priority Priority.

routine Routine.

value Raw values of DSCP. user Not

Specified

FortiOS 7.4.4 CLI Reference 1067

Fortinet Inc.
config switch-controller qos qos-policy

Configure FortiSwitch QoS policy.

config switch-controller qos qos-policy
Description: Configure FortiSwitch QoS policy.
edit <name>
set default-cos {integer}
set queue-policy {string}
set trust-dot1p-map {string}
set trust-ip-dscp-map {string}
next
end

config switch-controller qos qos-policy

Parameter Description Type Size Default

default-cos Default cos queue for untagged packets. integer Minimum 0

value: 0
Maximum
value: 7

name QoS policy name. string Maximum

length: 63

FortiOS 7.4.4 CLI Reference 1068

Fortinet Inc.
Parameter Description Type Size Default

queue-policy QoS egress queue policy. string Maximum default

length: 63

trust-dot1p- QoS trust 802.1p map. string Maximum

map length: 63

trust-ip-dscp- QoS trust ip dscp map. string Maximum

map length: 63

config switch-controller qos queue-policy

Configure FortiSwitch QoS egress queue policy.

config switch-controller qos queue-policy
Description: Configure FortiSwitch QoS egress queue policy.
edit <name>
config cos-queue
Description: COS queue configuration.
edit <name>
set description {string}
set min-rate {integer}
set max-rate {integer}
set min-rate-percent {integer}
set max-rate-percent {integer}
set drop-policy [taildrop|weighted-random-early-detection]
set ecn [disable|enable]

FortiOS 7.4.4 CLI Reference 1069

Fortinet Inc.
set weight {integer}
next
end
set rate-by [kbps|percent]
set schedule [strict|round-robin|...]
next
end

config switch-controller qos queue-policy

Parameter Description Type Size Default

name QoS policy name. string Maximum

length: 63

rate-by COS queue rate by kbps or percent. option - kbps

Option Description

kbps Rate by kbps.

percent Rate by percent.

schedule COS queue scheduling. option - round-robin

Option Description

strict Strict scheduling (queue7: highest priority, queue0: lowest priority).

round-robin Round robin scheduling.

weighted Weighted round robin scheduling.

config cos-queue

Parameter Description Type Size Default

name Cos queue ID. string Maximum

length: 63

description Description of the COS queue. string Maximum

length: 63

min-rate Minimum rate. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1070

Fortinet Inc.
Parameter Description Type Size Default

max-rate Maximum rate. integer Minimum 0

value: 0
Maximum
value:
4294967295

min-rate- Minimum rate (% of link speed). integer Minimum 0

percent value: 0
Maximum
value:
4294967295

max-rate- Maximum rate (% of link speed). integer Minimum 0

percent value: 0
Maximum
value:
4294967295

drop-policy COS queue drop policy. option - taildrop

Option Description

taildrop Taildrop policy.

weighted- Weighted random early detection drop policy.

random-early-
detection

ecn Enable/disable ECN packet marking to drop eligible option - disable

packets.

Option Description

disable Disable ECN packet marking to drop eligible packets.

enable Enable ECN packet marking to drop eligible packets.

weight Weight of weighted round robin scheduling. integer Minimum 1

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1071

Fortinet Inc.
config switch-controller quarantine

Configure FortiSwitch quarantine support.

config switch-controller quarantine
Description: Configure FortiSwitch quarantine support.
set quarantine [enable|disable]
config targets
Description: Quarantine MACs.
edit <mac>
set description {string}
set tag <tags1>, <tags2>, ...
next
end
end

config switch-controller quarantine

Parameter Description Type Size Default

quarantine Enable/disable quarantine. option - disable

Option Description

enable Enable quarantine.

disable Disable quarantine.

FortiOS 7.4.4 CLI Reference 1072

Fortinet Inc.
config targets

Parameter Description Type Size Default

mac Quarantine MAC. mac- Not 00:00:00:00:00:00

address Specified

description Description for the quarantine MAC. string Maximum

length: 63

tag <tags> Tags for the quarantine MAC. string Maximum

Tag string. For example, string1 string2 string3. length: 63

config switch-controller remote-log

Configure logging by FortiSwitch device to a remote syslog server.

config switch-controller remote-log
Description: Configure logging by FortiSwitch device to a remote syslog server.
edit <name>
set csv [enable|disable]
set facility [kernel|user|...]
set port {integer}
set server {string}
set severity [emergency|alert|...]
set status [enable|disable]

FortiOS 7.4.4 CLI Reference 1073

Fortinet Inc.
next
end

config switch-controller remote-log

Parameter Description Type Size Default

csv Enable/disable comma-separated value (CSV) strings. option - disable

Option Description

enable Enable comma-separated value (CSV) strings.

disable Disable comma-separated value (CSV) strings.

facility Facility to log to remote syslog server. option - local7

Option Description

kernel Kernel messages.

user Random user-level messages.

mail Mail system.

daemon System daemons.

auth Security/authorization messages.

syslog Messages generated internally by syslogd.

lpr Line printer subsystem.

news Network news subsystem.

uucp UUCP server messages.

cron Clock daemon.

authpriv Security/authorization messages (private).

ftp FTP daemon.

ntp NTP daemon.

audit Log audit.

alert Log alert.

clock Clock daemon.

local0 Reserved for local use.

local1 Reserved for local use.

local2 Reserved for local use.

local3 Reserved for local use.

FortiOS 7.4.4 CLI Reference 1074

Fortinet Inc.
Parameter Description Type Size Default

Option Description

local4 Reserved for local use.

local5 Reserved for local use.

local6 Reserved for local use.

local7 Reserved for local use.

name Remote log name. string Maximum

length: 35

port Remote syslog server listening port. integer Minimum 514

value: 0
Maximum
value:
65535

server IPv4 address of the remote syslog server. string Maximum

length: 63

severity Severity of logs to be transferred to remote log server. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

status Enable/disable logging by FortiSwitch device to a option - disable

remote syslog server.

Option Description

enable Enable logging by FortiSwitch device to a remote syslog server.

disable Disable logging by FortiSwitch device to a remote syslog server.

FortiOS 7.4.4 CLI Reference 1075

Fortinet Inc.
config switch-controller security-policy 802-1X

Configure 802.1x MAC Authentication Bypass (MAB) policies.

config switch-controller security-policy 802-1X
Description: Configure 802.1x MAC Authentication Bypass (MAB) policies.
edit <name>
set auth-fail-vlan [disable|enable]
set auth-fail-vlan-id {string}
set authserver-timeout-period {integer}
set authserver-timeout-tagged [disable|lldp-voice|...]
set authserver-timeout-tagged-vlanid {string}
set authserver-timeout-vlan [disable|enable]
set authserver-timeout-vlanid {string}
set dacl [disable|enable]
set eap-auto-untagged-vlans [disable|enable]
set eap-passthru [disable|enable]
set framevid-apply [disable|enable]
set guest-auth-delay {integer}
set guest-vlan [disable|enable]
set guest-vlan-id {string}
set mac-auth-bypass [disable|enable]
set open-auth [disable|enable]
set policy-type {option}
set radius-timeout-overwrite [disable|enable]
set security-mode [802.1X|802.1X-mac-based]
set user-group <name1>, <name2>, ...
next
end

FortiOS 7.4.4 CLI Reference 1076

Fortinet Inc.
config switch-controller security-policy 802-1X

Parameter Description Type Size Default

auth-fail-vlan Enable to allow limited access to clients that cannot option - disable
authenticate.

Option Description

disable Disable authentication fail VLAN on this interface.

enable Enable authentication fail VLAN on this interface.

auth-fail-vlan- VLAN ID on which authentication failed. string Maximum

id length: 15

authserver- Authentication server timeout period. integer Minimum 3

timeout- value: 3
period Maximum
value: 15

authserver- Configure timeout option for the tagged VLAN which option - disable
timeout- allows limited access when the authentication server is
tagged unavailable.

Option Description

disable Disable authentication server timeout on this interface.

lldp-voice LLDP voice timeout for the tagged VLAN on this interface.

static Static timeout for the tagged VLAN on this interface.

authserver- Tagged VLAN name for which the timeout option is string Maximum
timeout- applied to (only one VLAN ID). length: 15
tagged-vlanid

authserver- Enable/disable the authentication server timeout VLAN option - disable

timeout-vlan to allow limited access when RADIUS is unavailable.

Option Description

disable Disable authentication server timeout VLAN on this interface.

enable Enable authentication server timeout VLAN on this interface.

authserver- Authentication server timeout VLAN name. string Maximum

timeout-vlanid length: 15

dacl Enable/disable dynamic access control list on this option - disable

interface.

FortiOS 7.4.4 CLI Reference 1077

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable dynamic access control list on this interface.

enable Enable dynamic access control on this interface.

eap-auto- Enable/disable automatic inclusion of untagged VLANs. option - enable

untagged-
vlans

Option Description

disable Disable automatic inclusion of untagged VLANs.

enable Enable automatic inclusion of untagged VLANs.

eap-passthru Enable/disable EAP pass-through mode, allowing option - enable

protocols (such as LLDP) to pass through ports for more
flexible authentication.

Option Description

disable Disable EAP pass-through mode on this interface.

enable Enable EAP pass-through mode on this interface.

framevid- Enable/disable the capability to apply the EAP/MAB option - enable

apply frame VLAN to the port native VLAN.

Option Description

disable Disable the capability to apply the EAP/MAB frame VLAN to the port native
VLAN.

enable Enable the capability to apply the EAP/MAB frame VLAN to the port native
VLAN.

guest-auth- Guest authentication delay. integer Minimum 30

delay value: 1
Maximum
value: 900

guest-vlan Enable the guest VLAN feature to allow limited access option - disable
to non-802.1X-compliant clients.

Option Description

disable Disable guest VLAN on this interface.

enable Enable guest VLAN on this interface.

FortiOS 7.4.4 CLI Reference 1078

Fortinet Inc.
Parameter Description Type Size Default

guest-vlan-id Guest VLAN name. string Maximum

length: 15

mac-auth- Enable/disable MAB for this policy. option - disable

bypass

Option Description

disable Disable MAB.

enable Enable MAB.

name Policy name. string Maximum

length: 31

open-auth Enable/disable open authentication for this policy. option - disable

Option Description

disable Disable open authentication.

enable Enable open authentication.

policy-type Policy type. option - 802.1X

Option Description

802.1X 802.1X security policy.

radius- Enable to override the global RADIUS session timeout. option - disable
timeout-
overwrite

Option Description

disable Override the global RADIUS session timeout.

enable Use the global RADIUS session timeout.

security-mode Port or MAC based 802.1X security mode. option - 802.1X

Option Description

802.1X 802.1X port based authentication.

802.1X-mac- 802.1X MAC based authentication.

based

user-group Name of user-group to assign to this MAC string Maximum

<name> Authentication Bypass (MAB) policy. length: 79
Group name.

FortiOS 7.4.4 CLI Reference 1079

Fortinet Inc.
config switch-controller security-policy local-access

Configure allowaccess list for mgmt and internal interfaces on managed FortiSwitch units.
config switch-controller security-policy local-access
Description: Configure allowaccess list for mgmt and internal interfaces on managed
FortiSwitch units.
edit <name>
set internal-allowaccess {option1}, {option2}, ...
set mgmt-allowaccess {option1}, {option2}, ...
next
end

config switch-controller security-policy local-access

Parameter Description Type Size Default

internal- Allowed access on the switch internal interface. option - https ping
allowaccess ssh

Option Description

https HTTPS access.

ping PING access.

FortiOS 7.4.4 CLI Reference 1080

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ssh SSH access.

snmp SNMP access.

http HTTP access.

telnet TELNET access.

radius-acct RADIUS accounting access.

mgmt- Allowed access on the switch management interface. option - https ping
allowaccess ssh

Option Description

https HTTPS access.

ping PING access.

ssh SSH access.

snmp SNMP access.

http HTTP access.

telnet TELNET access.

radius-acct RADIUS accounting access.

name Policy name. string Maximum

length: 31

FortiOS 7.4.4 CLI Reference 1081

Fortinet Inc.
config switch-controller sflow

Configure FortiSwitch sFlow.

config switch-controller sflow
Description: Configure FortiSwitch sFlow.
set collector-ip {ipv4-address}
set collector-port {integer}
end

config switch-controller sflow

Parameter Description Type Size Default

collector-ip Collector IP. ipv4- Not 0.0.0.0

address Specified

collector-port SFlow collector port. integer Minimum 6343

value: 0
Maximum
value:
65535

FortiOS 7.4.4 CLI Reference 1082

Fortinet Inc.
config switch-controller snmp-community

Configure FortiSwitch SNMP v1/v2c communities globally.

config switch-controller snmp-community
Description: Configure FortiSwitch SNMP v1/v2c communities globally.
edit <id>
set events {option1}, {option2}, ...
config hosts
Description: Configure IPv4 SNMP managers (hosts).
edit <id>
set ip {user}
next
end
set name {string}
set query-v1-port {integer}
set query-v1-status [disable|enable]
set query-v2c-port {integer}
set query-v2c-status [disable|enable]
set status [disable|enable]
set trap-v1-lport {integer}
set trap-v1-rport {integer}
set trap-v1-status [disable|enable]
set trap-v2c-lport {integer}
set trap-v2c-rport {integer}
set trap-v2c-status [disable|enable]
next
end

FortiOS 7.4.4 CLI Reference 1083

Fortinet Inc.
config switch-controller snmp-community

Parameter Description Type Size Default

events SNMP notifications (traps) to send. option - cpu-high

mem-low
log-full intf-
ip ent-conf-
change

Option Description

cpu-high Send a trap when CPU usage too high.

mem-low Send a trap when available memory is low.

log-full Send a trap when log disk space becomes low.

intf-ip Send a trap when an interface IP address is changed.

ent-conf-change Send a trap when an entity MIB change occurs (RFC4133).

id SNMP community ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name SNMP community name. string Maximum

length: 35

query-v1-port SNMP v1 query port. integer Minimum 161

value: 0
Maximum
value: 65535

query-v1- Enable/disable SNMP v1 queries. option - enable

status

Option Description

disable Disable SNMP v1 queries.

enable Enable SNMP v1 queries.

query-v2c- SNMP v2c query port. integer Minimum 161

port value: 0
Maximum
value: 65535

query-v2c- Enable/disable SNMP v2c queries. option - enable

status

FortiOS 7.4.4 CLI Reference 1084

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable SNMP v2c queries.

enable Enable SNMP v2c queries.

status Enable/disable this SNMP community. option - enable

Option Description

disable Disable SNMP community.

enable Enable SNMP community.

trap-v1-lport SNMP v2c trap local port. integer Minimum 162

value: 0
Maximum
value: 65535

trap-v1-rport SNMP v2c trap remote port. integer Minimum 162

disable Disable SNMP v2c traps.

enable Enable SNMP v2c traps.

FortiOS 7.4.4 CLI Reference 1085

Fortinet Inc.
config hosts

Parameter Description Type Size Default

id Host entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

ip IPv4 address of the SNMP manager (host). user Not Specified

config switch-controller snmp-sysinfo

Configure FortiSwitch SNMP system information globally.

config switch-controller snmp-sysinfo
Description: Configure FortiSwitch SNMP system information globally.
set contact-info {string}
set description {string}
set engine-id {string}
set location {string}
set status [disable|enable]
end

FortiOS 7.4.4 CLI Reference 1086

Fortinet Inc.
config switch-controller snmp-sysinfo

Parameter Description Type Size Default

contact-info Contact information. string Maximum

length: 35

description System description. string Maximum

length: 35

engine-id Local SNMP engine ID string (max 24 char). string Maximum

length: 24

location System location. string Maximum

length: 35

status Enable/disable SNMP. option - disable

Option Description

disable Disable SNMP.

enable Enable SNMP.

config switch-controller snmp-trap-threshold

Configure FortiSwitch SNMP trap threshold values globally.

FortiOS 7.4.4 CLI Reference 1087

Fortinet Inc.
config switch-controller snmp-trap-threshold
Description: Configure FortiSwitch SNMP trap threshold values globally.
set trap-high-cpu-threshold {integer}
set trap-log-full-threshold {integer}
set trap-low-memory-threshold {integer}
end

config switch-controller snmp-trap-threshold

Parameter Description Type Size Default

trap-high-cpu- CPU usage when trap is sent. integer Minimum 80

threshold value: 0
Maximum
value:
4294967295

trap-log-full- Log disk usage when trap is sent. integer Minimum 90

threshold value: 0
Maximum
value:
4294967295

trap-low- Memory usage when trap is sent. integer Minimum 80

memory- value: 0
threshold Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1088

Fortinet Inc.
config switch-controller snmp-user

Configure FortiSwitch SNMP v3 users globally.

config switch-controller snmp-user
Description: Configure FortiSwitch SNMP v3 users globally.
edit <name>
set auth-proto [md5|sha1|...]
set auth-pwd {password}
set priv-proto [aes128|aes192|...]
set priv-pwd {password}
set queries [disable|enable]
set query-port {integer}
set security-level [no-auth-no-priv|auth-no-priv|...]
next
end

config switch-controller snmp-user

Parameter Description Type Size Default

auth-proto Authentication protocol. option - sha256

Option Description

md5 HMAC-MD5-96 authentication protocol.

FortiOS 7.4.4 CLI Reference 1089

Fortinet Inc.
Parameter Description Type Size Default

Option Description

sha1 HMAC-SHA-1 authentication protocol.

sha224 HMAC-SHA-224 authentication protocol.

sha256 HMAC-SHA-256 authentication protocol.

sha384 HMAC-SHA-384 authentication protocol.

sha512 HMAC-SHA-512 authentication protocol.

auth-pwd Password for authentication protocol. password Not

Specified

name SNMP user name. string Maximum

length: 32

priv-proto Privacy (encryption) protocol. option - aes128

Option Description

aes128 CFB128-AES-128 symmetric encryption protocol.

aes192 CFB128-AES-192 symmetric encryption protocol.

aes192c CFB128-AES-192-C symmetric encryption protocol.

aes256 CFB128-AES-256 symmetric encryption protocol.

aes256c CFB128-AES-256-C symmetric encryption protocol.

des CBC-DES symmetric encryption protocol.

priv-pwd Password for privacy (encryption) protocol. password Not

Specified

queries Enable/disable SNMP queries for this user. option - enable

Option Description

disable Disable SNMP queries for this user.

enable Enable SNMP queries for this user.

query-port SNMPv3 query port. integer Minimum 161

value: 0
Maximum
value:
65535

security-level Security level for message authentication and option - no-auth-no-

encryption. priv

FortiOS 7.4.4 CLI Reference 1090

Fortinet Inc.
Parameter Description Type Size Default

Option Description

no-auth-no-priv Message with no authentication and no privacy (encryption).

auth-no-priv Message with authentication but no privacy (encryption).

auth-priv Message with authentication and privacy (encryption).

config switch-controller storm-control-policy

Configure FortiSwitch storm control policy to be applied on managed-switch ports.

config switch-controller storm-control-policy
Description: Configure FortiSwitch storm control policy to be applied on managed-switch
ports.
edit <name>
set broadcast [enable|disable]
set description {string}
set rate {integer}
set storm-control-mode [global|override|...]
set unknown-multicast [enable|disable]
set unknown-unicast [enable|disable]
next
end

FortiOS 7.4.4 CLI Reference 1091

Fortinet Inc.
config switch-controller storm-control-policy

Parameter Description Type Size Default

broadcast Enable/disable storm control to drop/allow broadcast option - disable

traffic in override mode.

Option Description

enable Enable storm control for broadcast traffic to drop packets which exceed
configured rate limits.

disable Disable storm control for broadcast traffic to allow all packets.

description Description of the storm control policy. string Maximum

length: 63

name Storm control policy name. string Maximum

length: 63

rate Threshold rate in packets per second at which storm integer Minimum 500
traffic is controlled in override mode. value: 0
Maximum
value:
10000000

storm-control- Set Storm control mode. option - global

mode

Option Description

global Apply Global or switch level storm control configuration.

override Override global and switch level storm control to use port level configuration.

disabled Disable storm control on the port entirely overriding global and switch level
storm control.

unknown- Enable/disable storm control to drop/allow unknown option - disable

multicast multicast traffic in override mode.

Option Description

enable Enable storm control for unknown multicast traffic to drop packets which
exceed configured rate limits.

disable Disable storm control for unknown multicast traffic to allow all packets.

unknown- Enable/disable storm control to drop/allow unknown option - disable

unicast unicast traffic in override mode.

FortiOS 7.4.4 CLI Reference 1092

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable storm control for unknown unicast traffic to drop packets which exceed
configured rate limits.

disable Disable storm control for unknown unicast traffic to allow all packets.

config switch-controller storm-control

Configure FortiSwitch storm control.

config switch-controller storm-control
Description: Configure FortiSwitch storm control.
set broadcast [enable|disable]
set rate {integer}
set unknown-multicast [enable|disable]
set unknown-unicast [enable|disable]
end

FortiOS 7.4.4 CLI Reference 1093

Fortinet Inc.
config switch-controller storm-control

Parameter Description Type Size Default

broadcast Enable/disable storm control to drop broadcast traffic. option - disable

Option Description

enable Enable broadcast storm control.

disable Disable broadcast storm control.

rate Rate in packets per second at which storm control drops integer Minimum 500
excess traffic. value: 0
Maximum
value:
10000000

unknown- Enable/disable storm control to drop unknown multicast option - disable

multicast traffic.

Option Description

enable Enable unknown multicast storm control.

disable Disable unknown multicast storm control.

unknown- Enable/disable storm control to drop unknown unicast option - disable

unicast traffic.

Option Description

enable Enable unknown unicast storm control.

disable Disable unknown unicast storm control.

FortiOS 7.4.4 CLI Reference 1094

Fortinet Inc.
config switch-controller stp-instance

Configure FortiSwitch multiple spanning tree protocol (MSTP) instances.

config switch-controller stp-instance
Description: Configure FortiSwitch multiple spanning tree protocol (MSTP) instances.
edit <id>
set vlan-range <vlan-name1>, <vlan-name2>, ...
next
end

config switch-controller stp-instance

Parameter Description Type Size Default

id Instance ID. string Maximum

length: 2

vlan-range Configure VLAN range for STP instance. string Maximum

<vlan- VLAN name. length: 79
name>

FortiOS 7.4.4 CLI Reference 1095

Fortinet Inc.
config switch-controller stp-settings

Configure FortiSwitch spanning tree protocol (STP).

config switch-controller stp-settings
Description: Configure FortiSwitch spanning tree protocol (STP).
set forward-time {integer}
set hello-time {integer}
set max-age {integer}
set max-hops {integer}
set name {string}
set pending-timer {integer}
set revision {integer}
end

config switch-controller stp-settings

Parameter Description Type Size Default

forward-time Period of time a port is in listening and learning state. integer Minimum 15
value: 4
Maximum
value: 30

FortiOS 7.4.4 CLI Reference 1096

Fortinet Inc.
Parameter Description Type Size Default

hello-time Period of time between successive STP frame Bridge integer Minimum 2
Protocol Data Units. value: 1
Maximum
value: 10

max-age Maximum time before a bridge port expires its integer Minimum 20
configuration BPDU information. value: 6
Maximum
value: 40

max-hops Maximum number of hops between the root bridge and integer Minimum 20
the furthest bridge. value: 1
Maximum
value: 40

name Name of global STP settings configuration. string Maximum

length: 31

pending-timer Pending time. integer Minimum 4

value: 1
Maximum
value: 15

revision STP revision number. integer Minimum 0

value: 0
Maximum
value:
65535

FortiOS 7.4.4 CLI Reference 1097

Fortinet Inc.
config switch-controller switch-group

Configure FortiSwitch switch groups.

config switch-controller switch-group
Description: Configure FortiSwitch switch groups.
edit <name>
set description {string}
set fortilink {string}
set members <switch-id1>, <switch-id2>, ...
next
end

config switch-controller switch-group

Parameter Description Type Size Default

description Optional switch group description. string Maximum

length: 63

fortilink FortiLink interface to which switch group members string Maximum

belong. length: 15

members FortiSwitch members belonging to this switch group. string Maximum

<switch- Managed device ID. length: 79
id>

FortiOS 7.4.4 CLI Reference 1098

Fortinet Inc.
Parameter Description Type Size Default

name Switch group name. string Maximum

length: 35

config switch-controller switch-interface-tag

Configure switch object tags.

config switch-controller switch-interface-tag
Description: Configure switch object tags.
edit <name>
next
end

config switch-controller switch-interface-tag

Parameter Description Type Size Default

name Tag name. string Maximum

length: 63

FortiOS 7.4.4 CLI Reference 1099

Fortinet Inc.
config switch-controller switch-log

Configure FortiSwitch logging (logs are transferred to and inserted into FortiGate event log).
config switch-controller switch-log
Description: Configure FortiSwitch logging (logs are transferred to and inserted into
FortiGate event log).
set severity [emergency|alert|...]
set status [enable|disable]
end

config switch-controller switch-log

Parameter Description Type Size Default

severity Severity of FortiSwitch logs that are added to the option - notification
FortiGate event log.

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

FortiOS 7.4.4 CLI Reference 1100

Fortinet Inc.
Parameter Description Type Size Default

Option Description

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

status Enable/disable adding FortiSwitch logs to FortiGate option - enable

event log.

Option Description

enable Add FortiSwitch logs to FortiGate event log.

disable Do not add FortiSwitch logs to FortiGate event log.

config switch-controller switch-profile

Configure FortiSwitch switch profile.

FortiOS 7.4.4 CLI Reference 1101

Fortinet Inc.
config switch-controller switch-profile
Description: Configure FortiSwitch switch profile.
edit <name>
set login [enable|disable]
set login-passwd {password}
set login-passwd-override [enable|disable]
set revision-backup-on-logout [enable|disable]
set revision-backup-on-upgrade [enable|disable]
next
end

config switch-controller switch-profile

FortiOS 7.4.4 CLI Reference 1102

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable automatic revision backup upon FortiSwitch image upgrade.

disable Disable automatic revision backup upon FortiSwitch image upgrade.

config switch-controller system

Configure system-wide switch controller settings.

config switch-controller system
Description: Configure system-wide switch controller settings.
set caputp-echo-interval {integer}
set caputp-max-retransmit {integer}
set data-sync-interval {integer}
set dynamic-periodic-interval {integer}
set iot-holdoff {integer}
set iot-mac-idle {integer}
set iot-scan-interval {integer}
set iot-weight-threshold {integer}
set nac-periodic-interval {integer}
set parallel-process {integer}
set parallel-process-override [disable|enable]
set tunnel-mode [compatible|moderate|...]
end

FortiOS 7.4.4 CLI Reference 1103

Fortinet Inc.
config switch-controller system

Parameter Description Type Size Default

caputp-echo- Echo interval for the caputp echo requests from swtp. integer Minimum 30
interval value: 8
Maximum
value: 600

caputp-max- Maximum retransmission count for the caputp tunnel integer Minimum 5
retransmit packets. value: 0
Maximum
value: 64

data-sync- Time interval between collection of switch data. integer Minimum 60

interval value: 30
Maximum
value: 1800

dynamic- Periodic time interval to run Dynamic port policy integer Minimum 60
periodic- engine. value: 5
interval Maximum
value: 180

iot-holdoff MAC entry's creation time. Time must be greater than integer Minimum 5
this value for an entry to be created. value: 0
Maximum
value:
10080

iot-mac-idle MAC entry's idle time. MAC entry is removed after this integer Minimum 1440
value. value: 0
Maximum
value:
10080

iot-scan- IoT scan interval. integer Minimum 60

interval value: 2
Maximum
value:
10080

iot-weight- MAC entry's confidence value. Value is re-queried integer Minimum 1

threshold when below this value. value: 0
Maximum
value: 255

nac-periodic- Periodic time interval to run NAC engine. integer Minimum 60

interval value: 5
Maximum
value: 180

FortiOS 7.4.4 CLI Reference 1104

Fortinet Inc.
Parameter Description Type Size Default

parallel- Maximum number of parallel processes. integer Minimum 1

process value: 1
Maximum
value: 128
**

parallel- Enable/disable parallel process override. option - disable

process-
override

Option Description

disable Disable maximum parallel process override.

enable Enable maximum parallel process override.

tunnel-mode Compatible/strict tunnel mode. option - compatible

Option Description

compatible Least restrictive. Supports the widest variety of hardware and software
versions.

moderate Moderate level of security. Supports recent generations of hardware and

latest software versions.

strict Highest level of security. Supports only the latest generation of hardware and
latest software version.

** Values may differ between models.

FortiOS 7.4.4 CLI Reference 1105

Fortinet Inc.
config switch-controller traffic-policy

Configure FortiSwitch traffic policy.

config switch-controller traffic-policy
Description: Configure FortiSwitch traffic policy.
edit <name>
set cos-queue {integer}
set description {string}
set guaranteed-bandwidth {integer}
set guaranteed-burst {integer}
set maximum-burst {integer}
set policer-status [enable|disable]
set type [ingress|egress]
next
end

config switch-controller traffic-policy

Parameter Description Type Size Default

cos-queue COS queue, or unset to disable. integer Minimum

value: 0
Maximum
value: 7

FortiOS 7.4.4 CLI Reference 1106

Fortinet Inc.
Parameter Description Type Size Default

description Description of the traffic policy. string Maximum

length: 63

guaranteed- Guaranteed bandwidth in kbps (max value = integer Minimum 10000

bandwidth 524287000). value: 0
Maximum
value:
524287000

guaranteed- Guaranteed burst size in bytes (max value = integer Minimum 45000
burst 4294967295). value: 0
Maximum
value:
4294967295

maximum- Maximum burst size in bytes (max value = integer Minimum 67500
burst 4294967295). value: 0
Maximum
value:
4294967295

name Traffic policy name. string Maximum

length: 63

policer-status Enable/disable policer config on the traffic policy. option - enable

Option Description

enable Enable policer config on the traffic policy.

disable Disable policer config on the traffic policy.

type Configure type of policy(ingress/egress). option - ingress

Option Description

ingress Ingress policy.

egress Egress policy.

FortiOS 7.4.4 CLI Reference 1107

Fortinet Inc.
config switch-controller traffic-sniffer

Configure FortiSwitch RSPAN/ERSPAN traffic sniffing parameters.

config switch-controller traffic-sniffer
Description: Configure FortiSwitch RSPAN/ERSPAN traffic sniffing parameters.
set erspan-ip {ipv4-address}
set mode [erspan-auto|rspan|...]
config target-ip
Description: Sniffer IPs to filter.
edit <ip>
set description {string}
next
end
config target-mac
Description: Sniffer MACs to filter.
edit <mac>
set description {string}
next
end
config target-port
Description: Sniffer ports to filter.
edit <switch-id>
set description {string}
set in-ports <name1>, <name2>, ...
set out-ports <name1>, <name2>, ...
next
end
end

FortiOS 7.4.4 CLI Reference 1108

Fortinet Inc.
config switch-controller traffic-sniffer

Parameter Description Type Size Default

erspan-ip Configure ERSPAN collector IP address. ipv4- Not 0.0.0.0

address Specified

mode Configure traffic sniffer mode. option - erspan-

auto

Option Description

erspan-auto Mirror traffic using a GRE tunnel.

rspan Mirror traffic on a layer2 VLAN.

none Disable traffic mirroring (sniffer).

config target-ip

Parameter Description Type Size Default

ip Sniffer IP. ipv4- Not 0.0.0.0

address Specified

description Description for the sniffer IP. string Maximum

length: 63

config target-mac

Parameter Description Type Size Default

mac Sniffer MAC. mac- Not 00:00:00:00:00:00

address Specified

description Description for the sniffer MAC. string Maximum

length: 63

config target-port

Parameter Description Type Size Default

switch-id Managed-switch ID. string Maximum

length: 16

description Description for the sniffer port entry. string Maximum

length: 63

in-ports Configure source ingress port interfaces. string Maximum

<name> Interface name. length: 79

out-ports Configure source egress port interfaces. string Maximum

<name> Interface name. length: 79

FortiOS 7.4.4 CLI Reference 1109

Fortinet Inc.
config switch-controller virtual-port-pool

Configure virtual pool.

config switch-controller virtual-port-pool
Description: Configure virtual pool.
edit <name>
set description {string}
next
end

config switch-controller virtual-port-pool

Parameter Description Type Size Default

description Virtual switch pool description. string Maximum

length: 63

name Virtual switch pool name. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 1110

Fortinet Inc.
config switch-controller vlan-policy

Configure VLAN policy to be applied on the managed FortiSwitch ports through dynamic-port-policy.
config switch-controller vlan-policy
Description: Configure VLAN policy to be applied on the managed FortiSwitch ports
through dynamic-port-policy.
edit <name>
set allowed-vlans <vlan-name1>, <vlan-name2>, ...
set allowed-vlans-all [enable|disable]
set description {string}
set discard-mode [none|all-untagged|...]
set fortilink {string}
set untagged-vlans <vlan-name1>, <vlan-name2>, ...
set vlan {string}
next
end

config switch-controller vlan-policy

Parameter Description Type Size Default

allowed-vlans Allowed VLANs to be applied when using this VLAN string Maximum
<vlan- policy. length: 79
name> VLAN name.

FortiOS 7.4.4 CLI Reference 1111

Fortinet Inc.
Parameter Description Type Size Default

allowed- Enable/disable all defined VLANs when using this VLAN option - disable
vlans-all policy.

Option Description

enable Enable all defined VLANs.

disable Disable all defined VLANs.

description Description for the VLAN policy. string Maximum

length: 63

discard-mode Discard mode to be applied when using this VLAN option - none
policy.

Option Description

none Discard disabled.

all-untagged Discard all frames that are untagged.

all-tagged Discard all frames that are tagged.

fortilink FortiLink interface for which this VLAN policy belongs to. string Maximum
length: 15

name VLAN policy name. string Maximum

length: 63

untagged- Untagged VLANs to be applied when using this VLAN string Maximum
vlans <vlan- policy. length: 79
name> VLAN name.

vlan Native VLAN to be applied when using this VLAN policy. string Maximum
length: 15

FortiOS 7.4.4 CLI Reference 1112

Fortinet Inc.
system

This section includes syntax for the following commands:

l config system 3g-modem custom on page 1117
l config system accprofile on page 1118
l config system acme on page 1130
l config system admin on page 1131
l config system affinity-interrupt on page 1138
l config system affinity-packet-redistribution on page 1139
l config system alarm on page 1140
l config system alias on page 1143
l config system api-user on page 1144
l config system arp-table on page 1145
l config system auto-install on page 1146
l config system auto-script on page 1147
l config system automation-action on page 1148
l config system automation-destination on page 1153
l config system automation-stitch on page 1154
l config system automation-trigger on page 1155
l config system autoupdate schedule on page 1160
l config system autoupdate tunneling on page 1161
l config system bypass on page 1162
l config system central-management on page 1163
l config system console on page 1169
l config system csf on page 1169
l config system custom-language on page 1175
l config system ddns on page 1175
l config system dedicated-mgmt on page 1178
l config system device-upgrade on page 1179
l config system dhcp6 server on page 1182
l config system dhcp server on page 1185
l config system dnp3-proxy on page 1197
l config system dns-database on page 1198
l config system dns-server on page 1202
l config system dns on page 1203
l config system dns64 on page 1206
l config system dscp-based-priority on page 1207
l config system elbc on page 1208
l config system email-server on page 1209
l config system evpn on page 1211

FortiOS 7.4.4 CLI Reference 1113

Fortinet Inc.
l config system external-resource on page 1212
l config system fabric-vpn on page 1215
l config system federated-upgrade on page 1219
l config system fips-cc on page 1222
l config system fortiguard on page 1223
l config system fortindr on page 1232
l config system fortisandbox on page 1233
l config system fsso-polling on page 1235
l config system ftm-push on page 1236
l config system geneve on page 1237
l config system geoip-override on page 1238
l config system global on page 1239
l config system gre-tunnel on page 1284
l config system ha-monitor on page 1287
l config system ha on page 1288
l config system icond on page 1302
l config system ike on page 1306
l config system interface on page 1320
l config system ipam on page 1385
l config system ipip-tunnel on page 1388
l config system ips-urlfilter-dns on page 1389
l config system ips-urlfilter-dns6 on page 1390
l config system ips on page 1391
l config system ipsec-aggregate on page 1391
l config system ipv6-neighbor-cache on page 1392
l config system ipv6-tunnel on page 1393
l config system isf-queue-profile on page 1394
l config system link-monitor on page 1396
l config system lldp network-policy on page 1401
l config system lte-modem on page 1409
l config system mac-address-table on page 1417
l config system management-tunnel on page 1417
l config system mobile-tunnel on page 1419
l config system modem on page 1421
l config system nd-proxy on page 1428
l config system netflow on page 1429
l config system network-visibility on page 1430
l config system np6 on page 1432
l config system np6xlite on page 1444
l config system npu-post on page 1458
l config system npu-setting prp on page 1459
l config system npu-vlink on page 1460
l config system npu on page 1461

FortiOS 7.4.4 CLI Reference 1114

Fortinet Inc.
l config system ntp on page 1551
l config system object-tagging on page 1555
l config system password-policy-guest-admin on page 1556
l config system password-policy on page 1558
l config system pcp-server on page 1560
l config system physical-switch on page 1563
l config system pppoe-interface on page 1564
l config system probe-response on page 1566
l config system proxy-arp on page 1567
l config system ptp on page 1568
l config system replacemsg-group on page 1570
l config system replacemsg-image on page 1582
l config system replacemsg admin on page 1583
l config system replacemsg alertmail on page 1584
l config system replacemsg auth on page 1585
l config system replacemsg automation on page 1586
l config system replacemsg custom-message on page 1587
l config system replacemsg fortiguard-wf on page 1587
l config system replacemsg ftp on page 1588
l config system replacemsg http on page 1589
l config system replacemsg icap on page 1590
l config system replacemsg mail on page 1591
l config system replacemsg nac-quar on page 1592
l config system replacemsg spam on page 1593
l config system replacemsg sslvpn on page 1593
l config system replacemsg traffic-quota on page 1594
l config system replacemsg utm on page 1595
l config system replacemsg webproxy on page 1596
l config system resource-limits on page 1597
l config system saml on page 1600
l config system sdn-connector on page 1603
l config system sdn-proxy on page 1612
l config system sdwan on page 1613
l config system serial-port on page 1638
l config system session-helper on page 1638
l config system session-ttl on page 1640
l config system settings on page 1641
l config system sflow on page 1665
l config system sit-tunnel on page 1666
l config system smc-ntp on page 1668
l config system sms-server on page 1669
l config system snmp community on page 1670
l config system snmp mib-view on page 1678

FortiOS 7.4.4 CLI Reference 1115

Fortinet Inc.
l config system snmp sysinfo on page 1678
l config system snmp user on page 1680
l config system speed-test-schedule on page 1686
l config system speed-test-server on page 1689
l config system speed-test-setting on page 1690
l config system ssh-config on page 1691
l config system sso-admin on page 1694
l config system sso-forticloud-admin on page 1695
l config system sso-fortigate-cloud-admin on page 1695
l config system standalone-cluster on page 1696
l config system storage on page 1699
l config system stp on page 1701
l config system switch-interface on page 1703
l config system timezone on page 1704
l config system tos-based-priority on page 1705
l config system vdom-dns on page 1706
l config system vdom-exception on page 1707
l config system vdom-link on page 1709
l config system vdom-netflow on page 1710
l config system vdom-property on page 1711
l config system vdom-radius-server on page 1713
l config system vdom-sflow on page 1714
l config system vdom on page 1715
l config system vin-alarm on page 1716
l config system virtual-switch on page 1718
l config system virtual-wire-pair on page 1720
l config system vne-tunnel on page 1721
l config system vxlan on page 1722
l config system wccp on page 1724
l config system wireless ap-status on page 1728
l config system wireless settings on page 1729
l config system zone on page 1732

FortiOS 7.4.4 CLI Reference 1116

Fortinet Inc.
config system 3g-modem custom

This command is available for model(s): FortiGate 1000D, FortiGate 1000F, FortiGate 1001F,
FortiGate 100F, FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 140E-POE,
FortiGate 140E, FortiGate 1800F, FortiGate 1801F, FortiGate 2000E, FortiGate 200E,
FortiGate 200F, FortiGate 201E, FortiGate 201F, FortiGate 2200E, FortiGate 2201E,
FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 3000F,
FortiGate 3001F, FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D,
FortiGate 3200F, FortiGate 3201F, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E,
FortiGate 3401E, FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E,
FortiGate 3700D, FortiGate 3700F, FortiGate 3701F, FortiGate 3960E, FortiGate 3980E,
FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E, FortiGate 401F,
FortiGate 40F 3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F,
FortiGate 4401F, FortiGate 5001E1, FortiGate 5001E, FortiGate 500E, FortiGate 501E,
FortiGate 600E, FortiGate 600F, FortiGate 601E, FortiGate 601F, FortiGate 60E DSLJ,
FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E,
FortiGate 61F, FortiGate 70F, FortiGate 71F, FortiGate 800D, FortiGate 80E-POE, FortiGate
80E, FortiGate 80F Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 81E-POE,
FortiGate 81E, FortiGate 81F-POE, FortiGate 81F, FortiGate 900D, FortiGate 90E, FortiGate
91E, FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiGateRugged 70F 3G4G,
FortiGateRugged 70F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSLJ, FortiWiFi 60E
DSL, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi
81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.
It is not available for: FortiGate VM64.

3G MODEM custom.
config system 3g-modem custom
Description: 3G MODEM custom.
edit <id>
set class-id {user}
set init-string {string}
set model {string}
set modeswitch-string {string}
set product-id {user}
set vendor {string}
set vendor-id {user}
next
end

config system 3g-modem custom

Parameter Description Type Size Default

class-id USB interface class in hexadecimal format (00-ff). user Not Specified

FortiOS 7.4.4 CLI Reference 1117

Fortinet Inc.
Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

init-string Init string in hexadecimal format (even length). string Maximum

length: 127

model MODEM model name. string Maximum

length: 35

modeswitch- USB modeswitch arguments. For example: '-v 1410 - string Maximum
string p 9030 -V 1410 -P 9032 -u 3'. length: 127

product-id USB product ID in hexadecimal format (0000-ffff). user Not Specified

vendor MODEM vendor name. string Maximum

length: 35

vendor-id USB vendor ID in hexadecimal format (0000-ffff). user Not Specified

config system accprofile

Configure access profiles for system administrators.

config system accprofile
Description: Configure access profiles for system administrators.
edit <name>
set admintimeout {integer}
set admintimeout-override [enable|disable]
set authgrp [none|read|...]
set cli-config [enable|disable]
set cli-diagnose [enable|disable]
set cli-exec [enable|disable]
set cli-get [enable|disable]
set cli-show [enable|disable]
set comments {var-string}
set ftviewgrp [none|read|...]
set fwgrp [none|read|...]
config fwgrp-permission
Description: Custom firewall permission.
set policy [none|read|...]
set address [none|read|...]
set service [none|read|...]
set schedule [none|read|...]
set others [none|read|...]
end
set loggrp [none|read|...]
config loggrp-permission
Description: Custom Log & Report permission.
set config [none|read|...]
set data-access [none|read|...]

FortiOS 7.4.4 CLI Reference 1118

FortiOS 7.4.4 CLI Reference 1119

Fortinet Inc.
config system accprofile

Parameter Description Type Size Default

admintimeout Administrator timeout for this access profile. integer Minimum 10

value: 1
Maximum
value: 480

Option Description

enable Enable permission to run show commands.

disable Disable permission to run show commands.

comments Comment. var-string Maximum

length: 255

ftviewgrp FortiView. option - none

length: 35

FortiOS 7.4.4 CLI Reference 1121

Fortinet Inc.
Parameter Description Type Size Default

custom Customized access.

system-execute- Enable/disable permission to execute SSH option - enable

ssh commands.

Option Description

enable Enable permission to execute SSH commands.

disable Disable permission to execute SSH commands.

none No access.

read Read access.

read-write Read/write access.

wanoptgrp * Administrator access to WAN Opt & Cache. option - none

read-write Read/write access.

config netgrp-permission

Parameter Description Type Size Default

cfg Network Configuration. option - none

Option Description

none No access.

read Read access.

read-write Read/write access.

FortiOS 7.4.4 CLI Reference 1125

Fortinet Inc.
Parameter Description Type Size Default

packet-capture Packet Capture Configuration. option - none

Option Description

none No access.

read Read access.

read-write Read/write access.

route-cfg Router Configuration. option - none

Option Description

none No access.

read Read access.

read-write Read/write access.

read Read access.

read-write Read/write access.

FortiOS 7.4.4 CLI Reference 1126

Fortinet Inc.
Parameter Description Type Size Default

mnt Maintenance. option - none

Option Description

none No access.

read Read access.

read-write Read/write access.

read Read access.

read-write Read/write access.

Fortinet Inc.
Parameter Description Type Size Default

videofilter Video filter profiles and settings. option - none

Option Description

none No access.

read Read access.

read Read access.

read-write Read/write access.

config system acme

Configure ACME client.

config system acme
Description: Configure ACME client.
config accounts
Description: ACME accounts list.
edit <id>
set status {string}
set url {string}
set ca_url {string}
set email {string}
set privatekey {string}
next
end
set interface <interface-name1>, <interface-name2>, ...
set source-ip {ipv4-address}
set source-ip6 {ipv6-address}
set use-ha-direct [enable|disable]
end

config system acme

Parameter Description Type Size Default

interface Interface(s) on which the ACME client will listen for string Maximum
<interface- challenges. length: 79
name> Interface name.

source-ip Source IPv4 address used to connect to the ACME ipv4- Not 0.0.0.0
server. address Specified

source-ip6 Source IPv6 address used to connect to the ACME ipv6- Not ::
server. address Specified

use-ha-direct Enable the use of 'ha-mgmt' interface to connect to option - disable

the ACME server when 'ha-direct' is enabled in HA
configuration

Option Description

enable Enable setting.

disable Disable setting.

FortiOS 7.4.4 CLI Reference 1130

Fortinet Inc.
config accounts

Parameter Description Type Size Default

id Account id. string Maximum

length: 255

status Account status. string Maximum

length: 127

url Account url. string Maximum

length: 511

ca_url Account ca_url. string Maximum

length: 255

email Account email. string Maximum

length: 255

privatekey Account Private Key. string Maximum

length: 8191

config system admin

Configure admin users.

config system admin
Description: Configure admin users.
edit <name>
set accprofile {string}
set accprofile-override [enable|disable]
set allow-remove-admin-session [enable|disable]
set comments {var-string}
set email-to {string}
set force-password-change [enable|disable]
set fortitoken {string}
set guest-auth [disable|enable]
set guest-lang {string}
set guest-usergroups <name1>, <name2>, ...
set ip6-trusthost1 {ipv6-prefix}
set ip6-trusthost10 {ipv6-prefix}
set ip6-trusthost2 {ipv6-prefix}
set ip6-trusthost3 {ipv6-prefix}
set ip6-trusthost4 {ipv6-prefix}
set ip6-trusthost5 {ipv6-prefix}
set ip6-trusthost6 {ipv6-prefix}
set ip6-trusthost7 {ipv6-prefix}
set ip6-trusthost8 {ipv6-prefix}
set ip6-trusthost9 {ipv6-prefix}
set password {password-2}
set password-expire {user}
set peer-auth [enable|disable]
set peer-group {string}
set remote-auth [enable|disable]
set remote-group {string}

FortiOS 7.4.4 CLI Reference 1131

Fortinet Inc.
set schedule {string}
set sms-custom-server {string}
set sms-phone {string}
set sms-server [fortiguard|custom]
set ssh-certificate {string}
set ssh-public-key1 {user}
set ssh-public-key2 {user}
set ssh-public-key3 {user}
set trusthost1 {ipv4-classnet}
set trusthost10 {ipv4-classnet}
set trusthost2 {ipv4-classnet}
set trusthost3 {ipv4-classnet}
set trusthost4 {ipv4-classnet}
set trusthost5 {ipv4-classnet}
set trusthost6 {ipv4-classnet}
set trusthost7 {ipv4-classnet}
set trusthost8 {ipv4-classnet}
set trusthost9 {ipv4-classnet}
set two-factor [disable|fortitoken|...]
set two-factor-authentication [fortitoken|email|...]
set two-factor-notification [email|sms]
set vdom <name1>, <name2>, ...
set vdom-override [enable|disable]
set wildcard [enable|disable]
next
end

config system admin

Parameter Description Type Size Default

accprofile Access profile for this administrator. Access profiles string Maximum
control administrator access to FortiGate features. length: 35

accprofile- Enable to use the name of an access profile option - disable

override provided by the remote authentication server to
control the FortiGate features that this administrator
can access.

Option Description

enable Enable access profile override.

disable Disable access profile override.

allow-remove- Enable/disable allow admin session to be removed option - enable

admin-session by privileged admin users.

Option Description

enable Enable allow-remove option.

disable Disable allow-remove option.

FortiOS 7.4.4 CLI Reference 1132

Fortinet Inc.
Parameter Description Type Size Default

comments Comment. var-string Maximum

length: 255

email-to This administrator's email address. string Maximum

length: 63

force-password- Enable/disable force password change on next option - disable

change login.

Option Description

enable Enable force password change on next login.

disable Disable force password change on next login.

fortitoken This administrator's FortiToken serial number. string Maximum

length: 16

guest-auth Enable/disable guest authentication. option - disable

Option Description

disable Disable guest authentication.

enable Enable guest authentication.

guest-lang Guest management portal language. string Maximum

length: 35

guest- Select guest user groups. string Maximum

usergroups Select guest user groups. length: 79
<name>

ip6-trusthost1 Any IPv6 address from which the administrator can ipv6-prefix Not ::/0
connect to the FortiGate unit. Default allows access Specified
from any IPv6 address.

ip6-trusthost10 Any IPv6 address from which the administrator can ipv6-prefix Not ::/0
connect to the FortiGate unit. Default allows access Specified
from any IPv6 address.

ip6-trusthost2 Any IPv6 address from which the administrator can ipv6-prefix Not ::/0
connect to the FortiGate unit. Default allows access Specified
from any IPv6 address.

ip6-trusthost3 Any IPv6 address from which the administrator can ipv6-prefix Not ::/0
connect to the FortiGate unit. Default allows access Specified
from any IPv6 address.

ip6-trusthost4 Any IPv6 address from which the administrator can ipv6-prefix Not ::/0
connect to the FortiGate unit. Default allows access Specified
from any IPv6 address.

FortiOS 7.4.4 CLI Reference 1133

Fortinet Inc.
Parameter Description Type Size Default

ip6-trusthost5 Any IPv6 address from which the administrator can ipv6-prefix Not ::/0
connect to the FortiGate unit. Default allows access Specified
from any IPv6 address.

ip6-trusthost6 Any IPv6 address from which the administrator can ipv6-prefix Not ::/0
connect to the FortiGate unit. Default allows access Specified
from any IPv6 address.

ip6-trusthost7 Any IPv6 address from which the administrator can ipv6-prefix Not ::/0
connect to the FortiGate unit. Default allows access Specified
from any IPv6 address.

ip6-trusthost8 Any IPv6 address from which the administrator can ipv6-prefix Not ::/0
connect to the FortiGate unit. Default allows access Specified
from any IPv6 address.

ip6-trusthost9 Any IPv6 address from which the administrator can ipv6-prefix Not ::/0
connect to the FortiGate unit. Default allows access Specified
from any IPv6 address.

name User name. string Maximum

length: 64

password Admin user password. password-2 Not

Specified

password-expire Password expire time. user Not

Specified

peer-auth Set to enable peer certificate authentication (for option - disable

HTTPS admin access).

Option Description

enable Enable peer.

disable Disable peer.

peer-group Name of peer group defined under config user group string Maximum
which has PKI members. Used for peer certificate length: 35
authentication (for HTTPS admin access).

remote-auth Enable/disable authentication using a remote option - disable

RADIUS, LDAP, or TACACS+ server.

Option Description

enable Enable remote authentication.

disable Disable remote authentication.

remote-group User group name used for remote auth. string Maximum
length: 35

FortiOS 7.4.4 CLI Reference 1134

Fortinet Inc.
Parameter Description Type Size Default

schedule Firewall schedule used to restrict when the string Maximum

administrator can log in. No schedule means no length: 35
restrictions.

sms-custom- Custom SMS server to send SMS messages to. string Maximum
server length: 35

sms-phone Phone number on which the administrator receives string Maximum

SMS messages. length: 15

sms-server Send SMS messages using the FortiGuard SMS option - fortiguard
server or a custom server.

Option Description

fortiguard Send SMS by FortiGuard.

custom Send SMS by custom server.

ssh-certificate Select the certificate to be used by the FortiGate for string Maximum
authentication with an SSH client. length: 35

ssh-public-key1 Public key of an SSH client. The client is user Not

authenticated without being asked for credentials. Specified
Create the public-private key pair in the SSH client
application.

ssh-public-key2 Public key of an SSH client. The client is user Not

authenticated without being asked for credentials. Specified
Create the public-private key pair in the SSH client
application.

ssh-public-key3 Public key of an SSH client. The client is user Not

authenticated without being asked for credentials. Specified
Create the public-private key pair in the SSH client
application.

trusthost1 Any IPv4 address or subnet address and netmask ipv4- Not 0.0.0.0
from which the administrator can connect to the classnet Specified 0.0.0.0
FortiGate unit. Default allows access from any IPv4
address.

trusthost10 Any IPv4 address or subnet address and netmask ipv4- Not 0.0.0.0
from which the administrator can connect to the classnet Specified 0.0.0.0
FortiGate unit. Default allows access from any IPv4
address.

trusthost2 Any IPv4 address or subnet address and netmask ipv4- Not 0.0.0.0
from which the administrator can connect to the classnet Specified 0.0.0.0
FortiGate unit. Default allows access from any IPv4
address.

FortiOS 7.4.4 CLI Reference 1135

Fortinet Inc.
Parameter Description Type Size Default

trusthost3 Any IPv4 address or subnet address and netmask ipv4- Not 0.0.0.0
from which the administrator can connect to the classnet Specified 0.0.0.0
FortiGate unit. Default allows access from any IPv4
address.

trusthost4 Any IPv4 address or subnet address and netmask ipv4- Not 0.0.0.0
from which the administrator can connect to the classnet Specified 0.0.0.0
FortiGate unit. Default allows access from any IPv4
address.

trusthost5 Any IPv4 address or subnet address and netmask ipv4- Not 0.0.0.0
from which the administrator can connect to the classnet Specified 0.0.0.0
FortiGate unit. Default allows access from any IPv4
address.

trusthost6 Any IPv4 address or subnet address and netmask ipv4- Not 0.0.0.0
from which the administrator can connect to the classnet Specified 0.0.0.0
FortiGate unit. Default allows access from any IPv4
address.

trusthost7 Any IPv4 address or subnet address and netmask ipv4- Not 0.0.0.0
from which the administrator can connect to the classnet Specified 0.0.0.0
FortiGate unit. Default allows access from any IPv4
address.

trusthost8 Any IPv4 address or subnet address and netmask ipv4- Not 0.0.0.0
from which the administrator can connect to the classnet Specified 0.0.0.0
FortiGate unit. Default allows access from any IPv4
address.

trusthost9 Any IPv4 address or subnet address and netmask ipv4- Not 0.0.0.0
from which the administrator can connect to the classnet Specified 0.0.0.0
FortiGate unit. Default allows access from any IPv4
address.

two-factor Enable/disable two-factor authentication. option - disable

Option Description

disable Disable two-factor authentication.

fortitoken Use FortiToken or FortiToken mobile two-factor authentication.

fortitoken-cloud FortiToken Cloud Service.

email Send a two-factor authentication code to the configured email-to email

address.

sms Send a two-factor authentication code to the configured sms-server and

sms-phone.

FortiOS 7.4.4 CLI Reference 1136

Fortinet Inc.
Parameter Description Type Size Default

two-factor- Authentication method by FortiToken Cloud. option -

authentication

Option Description

fortitoken FortiToken authentication.

disable Disable username wildcard.

FortiOS 7.4.4 CLI Reference 1137

Fortinet Inc.
config system affinity-interrupt

This command is available for model(s): FortiGate 100F, FortiGate 101F, FortiGate 200F,
FortiGate 201F, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F,
FortiGate 60F, FortiGate 61F, FortiGate 70F, FortiGate 71F, FortiGate 80F-POE, FortiGate
80F, FortiGate 81F-POE, FortiGate 81F, FortiGate VM64, FortiGateRugged 60F 3G4G,
FortiGateRugged 60F, FortiWiFi 60F, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R
3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.
It is not available for: FortiGate 1000D, FortiGate 1000F, FortiGate 1001F, FortiGate 1100E,
FortiGate 1101E, FortiGate 140E-POE, FortiGate 140E, FortiGate 1800F, FortiGate 1801F,
FortiGate 2000E, FortiGate 200E, FortiGate 201E, FortiGate 2200E, FortiGate 2201E,
FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 3000F,
FortiGate 3001F, FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D,
FortiGate 3200F, FortiGate 3201F, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E,
FortiGate 3401E, FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E,
FortiGate 3700D, FortiGate 3700F, FortiGate 3701F, FortiGate 3960E, FortiGate 3980E,
FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E, FortiGate 401F,
FortiGate 40F 3G4G, FortiGate 40F, FortiGate 5001E1, FortiGate 5001E, FortiGate 500E,
FortiGate 501E, FortiGate 600E, FortiGate 600F, FortiGate 601E, FortiGate 601F, FortiGate
60E DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 61E, FortiGate
800D, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F Bypass, FortiGate 81E-POE,
FortiGate 81E, FortiGate 900D, FortiGate 90E, FortiGate 91E, FortiGateRugged 70F 3G4G,
FortiGateRugged 70F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSLJ, FortiWiFi 60E
DSL, FortiWiFi 60E, FortiWiFi 61E.

Configure interrupt affinity.

config system affinity-interrupt
Description: Configure interrupt affinity.
edit <id>
set affinity-cpumask {string}
set default-affinity-cpumask {string}
set interrupt {string}
next
end

config system affinity-interrupt

Parameter Description Type Size Default

affinity- Affinity setting (64-bit hexadecimal value in the format string Maximum
cpumask of 0xxxxxxxxxxxxxxxxx). length: 127

default- Default affinity setting (64-bit hexadecimal value in string Maximum

affinity- the format of 0xxxxxxxxxxxxxxxxx). length: 127
cpumask

FortiOS 7.4.4 CLI Reference 1138

Fortinet Inc.
Parameter Description Type Size Default

id ID of the interrupt affinity setting. integer Minimum 0

value: 0
Maximum
value:
4294967295

interrupt Interrupt name. string Maximum

length: 127

config system affinity-packet-redistribution

This command is available for model(s): FortiGate 100F, FortiGate 101F, FortiGate 200F,
FortiGate 201F, FortiGate 60F, FortiGate 61F, FortiGate 70F, FortiGate 71F, FortiGate 80F-
POE, FortiGate 80F, FortiGate 81F-POE, FortiGate 81F, FortiGate VM64, FortiGateRugged
60F 3G4G, FortiGateRugged 60F, FortiWiFi 60F, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi
81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.
It is not available for: FortiGate 1000D, FortiGate 1000F, FortiGate 1001F, FortiGate 1100E,
FortiGate 1101E, FortiGate 140E-POE, FortiGate 140E, FortiGate 1800F, FortiGate 1801F,
FortiGate 2000E, FortiGate 200E, FortiGate 201E, FortiGate 2200E, FortiGate 2201E,
FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 3000F,
FortiGate 3001F, FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D,
FortiGate 3200F, FortiGate 3201F, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E,
FortiGate 3401E, FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E,
FortiGate 3700D, FortiGate 3700F, FortiGate 3701F, FortiGate 3960E, FortiGate 3980E,
FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E, FortiGate 401F,
FortiGate 40F 3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F,
FortiGate 4401F, FortiGate 5001E1, FortiGate 5001E, FortiGate 500E, FortiGate 501E,
FortiGate 600E, FortiGate 600F, FortiGate 601E, FortiGate 601F, FortiGate 60E DSLJ,
FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 61E, FortiGate 800D,
FortiGate 80E-POE, FortiGate 80E, FortiGate 80F Bypass, FortiGate 81E-POE, FortiGate
81E, FortiGate 900D, FortiGate 90E, FortiGate 91E, FortiGateRugged 70F 3G4G,
FortiGateRugged 70F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSLJ, FortiWiFi 60E
DSL, FortiWiFi 60E, FortiWiFi 61E.

Configure packet redistribution.

config system affinity-packet-redistribution
Description: Configure packet redistribution.
edit <id>
set affinity-cpumask {string}
set interface {string}
set round-robin [enable|disable]
set rxqid {integer}
next
end

FortiOS 7.4.4 CLI Reference 1139

Fortinet Inc.
config system affinity-packet-redistribution

Parameter Description Type Size Default

affinity- Affinity setting for VM throughput (64-bit hexadecimal string Maximum

cpumask value in the format of 0xxxxxxxxxxxxxxxxx). length: 127

id ID of the packet redistribution setting. integer Minimum 0

value: 0
Maximum
value:
4294967295

interface Physical interface name on which to perform packet string Maximum

redistribution. length: 15

round-robin Enable/disable round-robin redistribution to multiple option - disable

CPUs.

Option Description

enable Enable round-robin redistribution.

disable Disable round-robin redistribution.

rxqid ID of the receive queue (when the interface has integer Minimum 0
multiple queues) on which to perform packet value: 0
redistribution (255 = all queues). Maximum
value: 255

config system alarm

Configure alarm.
config system alarm
Description: Configure alarm.
set audible [enable|disable]
config groups
Description: Alarm groups.
edit <id>
set period {integer}
set admin-auth-failure-threshold {integer}
set admin-auth-lockout-threshold {integer}
set user-auth-failure-threshold {integer}
set user-auth-lockout-threshold {integer}
set replay-attempt-threshold {integer}
set self-test-failure-threshold {integer}
set log-full-warning-threshold {integer}
set encryption-failure-threshold {integer}
set decryption-failure-threshold {integer}
config fw-policy-violations
Description: Firewall policy violations.
edit <id>
set threshold {integer}

FortiOS 7.4.4 CLI Reference 1140

Fortinet Inc.
set src-ip {ipv4-address}
set dst-ip {ipv4-address}
set src-port {integer}
set dst-port {integer}
next
end
set fw-policy-id {integer}
set fw-policy-id-threshold {integer}
next
end
set status [enable|disable]
end

config system alarm

Parameter Description Type Size Default

audible Enable/disable audible alarm. option - disable

Option Description

enable Enable audible alarm.

disable Disable audible alarm.

status Enable/disable alarm. option - disable

Option Description

enable Enable alarm.

disable Disable alarm.

config groups

Parameter Description Type Size Default

id Group ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

period Time period in seconds (0 = from start up). integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1141

Fortinet Inc.
Parameter Description Type Size Default

admin-auth- Admin authentication failure threshold. integer Minimum 0

failure- value: 0
threshold Maximum
value: 1024

admin-auth- Admin authentication lockout threshold. integer Minimum 0

lockout- value: 0
threshold Maximum
value: 1024

user-auth- User authentication failure threshold. integer Minimum 0

failure- value: 0
threshold Maximum
value: 1024

user-auth- User authentication lockout threshold. integer Minimum 0

lockout- value: 0
threshold Maximum
value: 1024

replay- Replay attempt threshold. integer Minimum 0

attempt- value: 0
threshold Maximum
value: 1024

self-test- Self-test failure threshold. integer Minimum 0

failure- value: 0
threshold Maximum
value: 1

log-full- Log full warning threshold. integer Minimum 0

warning- value: 0
threshold Maximum
value: 1024

encryption- Encryption failure threshold. integer Minimum 0

failure- value: 0
threshold Maximum
value: 1024

decryption- Decryption failure threshold. integer Minimum 0

failure- value: 0
threshold Maximum
value: 1024

fw-policy-id Firewall policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1142

Fortinet Inc.
Parameter Description Type Size Default

fw-policy-id- Firewall policy ID threshold. integer Minimum 0

threshold value: 0
Maximum
value: 1024

config fw-policy-violations

Parameter Description Type Size Default

id Firewall policy violations ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

threshold Firewall policy violation threshold. integer Minimum 0

value: 0
Maximum
value: 1024

src-ip Source IP (0=all). ipv4- Not Specified 0.0.0.0

address

dst-ip Destination IP (0=all). ipv4- Not Specified 0.0.0.0

address

src-port Source port (0=all). integer Minimum 0

value: 0
Maximum
value: 65535

dst-port Destination port (0=all). integer Minimum 0

value: 0
Maximum
value: 65535

config system alias

Configure alias command.

config system alias
Description: Configure alias command.
edit <name>
set command {var-string}
next
end

FortiOS 7.4.4 CLI Reference 1143

Fortinet Inc.
config system alias

Parameter Description Type Size Default

command Command list to execute. var-string Maximum

length: 255

name Alias command name. string Maximum

length: 35

config system api-user

Option Description

ipv4-trusthost IPv4 trusthost.

ipv6-trusthost IPv6 trusthost.

ipv4-trusthost IPv4 trusted host address. ipv4- Not Specified 0.0.0.0

classnet 0.0.0.0

ipv6-trusthost IPv6 trusted host address. ipv6-prefix Not Specified ::/0

config system arp-table

Configure ARP table.

config system arp-table
Description: Configure ARP table.
edit <id>
set interface {string}

FortiOS 7.4.4 CLI Reference 1145

Fortinet Inc.
set ip {ipv4-address}
set mac {mac-address}
next
end

config system arp-table

Parameter Description Type Size Default

id Unique integer ID of the entry. integer Minimum 0

value: 0
Maximum
value:
4294967295

interface Interface name. string Maximum

length: 15

ip IP address. ipv4- Not Specified 0.0.0.0

address

mac MAC address. mac- Not Specified 00:00:00:00:00:00

address

config system auto-install

Configure USB auto installation.

config system auto-install
Description: Configure USB auto installation.
set auto-install-config [enable|disable]
set auto-install-image [enable|disable]
set default-config-file {string}
set default-image-file {string}
end

config system auto-install

Parameter Description Type Size Default

auto-install- Enable/disable auto install the config in USB disk. option - disable
config

Option Description

enable Enable config.

disable Disable config.

auto-install- Enable/disable auto install the image in USB disk. option - disable
image

FortiOS 7.4.4 CLI Reference 1146

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable config.

disable Disable config.

default- Default config file name in USB disk. string Maximum fgt_
config-file length: 127 system.conf

default- Default image file name in USB disk. string Maximum image.out
image-file length: 127

config system auto-script

Configure auto script.

config system auto-script
Description: Configure auto script.
edit <name>
set interval {integer}
set output-size {integer}
set repeat {integer}
set script {var-string}
set start [manual|auto]
set timeout {integer}
next
end

config system auto-script

Parameter Description Type Size Default

interval Repeat interval in seconds. integer Minimum 0

value: 0
Maximum
value:
31557600

name Auto script name. string Maximum

length: 35

output-size Number of megabytes to limit script output to. integer Minimum 10

value: 10
Maximum
value: 1024

FortiOS 7.4.4 CLI Reference 1147

Fortinet Inc.
Parameter Description Type Size Default

repeat Number of times to repeat this script (0 = infinite). integer Minimum 1

value: 0
Maximum
value:
65535

script List of FortiOS CLI commands to repeat. var-string Maximum

length: 1023

start Script starting mode. option - manual

Option Description

manual Starting manually.

auto Starting automatically.

timeout Maximum running time for this script in seconds (0 = no integer Minimum 0
timeout). value: 0
Maximum
value: 300

config system automation-action

Action for automation stitches.

config system automation-action
Description: Action for automation stitches.
edit <name>
set accprofile {string}
set action-type [email|fortiexplorer-notification|...]
set alicloud-access-key-id {string}
set alicloud-access-key-secret {password}
set alicloud-function-authorization [anonymous|function]
set aws-api-key {password}
set azure-api-key {password}
set azure-function-authorization [anonymous|function|...]
set description {var-string}
set email-from {var-string}
set email-subject {var-string}
set email-to <name1>, <name2>, ...
set execute-security-fabric [enable|disable]
set forticare-email [enable|disable]
set http-body {var-string}
config http-headers
Description: Request headers.
edit <id>
set key {var-string}
set value {var-string}
next
end
set message {string}

FortiOS 7.4.4 CLI Reference 1148

Fortinet Inc.
set message-type [text|json]
set method [post|put|...]
set minimum-interval {integer}
set output-size {integer}
set port {integer}
set protocol [http|https]
set replacement-message [enable|disable]
set replacemsg-group {string}
set script {var-string}
set sdn-connector <name1>, <name2>, ...
set security-tag {string}
set system-action [reboot|shutdown|...]
set timeout {integer}
set tls-certificate {string}
set uri {var-string}
set verify-host-cert [enable|disable]
next
end

config system automation-action

Parameter Description Type Size Default

accprofile Access profile for CLI script action to access string Maximum
FortiGate features. length: 35

action-type Action type. option - alert

Option Description

email Send notification email.

fortiexplorer- Send push notification to FortiExplorer.

notification

alert Generate FortiOS dashboard alert.

disable-ssid Disable interface.

system-actions Perform immediate system operations on this FortiGate unit.

quarantine Quarantine host.

quarantine- Quarantine FortiClient by EMS.

forticlient

quarantine-nsx Quarantine NSX instance.

quarantine- Quarantine host by FortiNAC.

fortinac

ban-ip Ban IP address.

aws-lambda Send log data to integrated AWS service.

azure-function Send log data to an Azure function.

FortiOS 7.4.4 CLI Reference 1149

Fortinet Inc.
Parameter Description Type Size Default

Option Description

google-cloud- Send log data to a Google Cloud function.

function

alicloud-function Send log data to an AliCloud function.

webhook Send an HTTP request.

cli-script Run CLI script.

slack-notification Send a notification message to a Slack incoming webhook.

microsoft-teams- Send a notification message to a Microsoft Teams incoming webhook.

notification

alicloud- AliCloud AccessKey ID. string Maximum

access-key-id length: 35

alicloud- AliCloud AccessKey secret. password Not

access-key- Specified
secret

alicloud- AliCloud function authorization type. option - anonymous

function-
authorization

Option Description

anonymous Anonymous authorization (No authorization required).

function Function authorization (Authorization required).

aws-api-key AWS API Gateway API key. password Not

Specified

azure-api-key Azure function API key. password Not

Specified

azure-function- Azure function authorization level. option - anonymous

authorization

Option Description

anonymous Anonymous authorization level (No authorization required).

function Function authorization level (Function or Host Key required).

admin Admin authorization level (Master Host Key required).

description Description. var-string Maximum

length: 255

email-from Email sender name. var-string Maximum

length: 127

FortiOS 7.4.4 CLI Reference 1150

Fortinet Inc.
Parameter Description Type Size Default

email-subject Email subject. var-string Maximum

length: 511

email-to Email addresses. string Maximum

<name> Email address. length: 255

execute- Enable/disable execution of CLI script on all or only option - disable

security-fabric one FortiGate unit in the Security Fabric.

Option Description

enable CLI script executes on all FortiGate units in the Security Fabric.

disable CLI script executes only on the FortiGate unit that the stitch is triggered.

forticare-email Enable/disable use of your FortiCare email address option - disable

as the email-to address.

Option Description

enable Enable use of your FortiCare email address as the email-to address.

disable Disable use of your FortiCare email address as the email-to address.

http-body Request body (if necessary). Should be serialized var-string Maximum

json string. length: 4095

message Message content. string Maximum %%log%%

length: 4095

message-type Message type. option - text

Option Description

text Plaintext.

json Custom JSON.

method Request method (POST, PUT, GET, PATCH or option - post

DELETE).

Option Description

post POST.

put PUT.

get GET.

patch PATCH.

delete DELETE.

FortiOS 7.4.4 CLI Reference 1151

Fortinet Inc.
Parameter Description Type Size Default

minimum- Limit execution to no more than once in this interval integer Minimum 0
interval (in seconds). value: 0
Maximum
value:
2592000

name Name. string Maximum

length: 64

output-size Number of megabytes to limit script output to. integer Minimum 10

value: 1
Maximum
value: 1024

port Protocol port. integer Minimum 0

value: 1
Maximum
value:
65535

protocol Request protocol. option - http

Option Description

http HTTP.

https HTTPS.

replacement- Enable/disable replacement message. option - disable

message

Option Description

enable Enable replacement message.

disable Disable replacement message.

replacemsg- Replacement message group. string Maximum

group length: 35

script CLI script. var-string Maximum

length: 1023

sdn-connector NSX SDN connector names. string Maximum

<name> SDN connector name. length: 79

security-tag NSX security tag. string Maximum

length: 255

system-action System action type. option -

FortiOS 7.4.4 CLI Reference 1152

Fortinet Inc.
Parameter Description Type Size Default

Option Description

reboot Reboot this FortiGate unit.

shutdown Shutdown this FortiGate unit.

backup-config Backup current configuration to the disk revisions.

timeout Maximum running time for this script in seconds (0 = integer Minimum 0
no timeout). value: 0
Maximum
value: 300

tls-certificate Custom TLS certificate for API request. string Maximum

length: 35

uri Request API URI. var-string Maximum

length: 1023

verify-host-cert Enable/disable verification of the remote host option - enable

certificate.

Option Description

enable Enable verification of the remote host certificate.

disable Disable verification of the remote host certificate.

config http-headers

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

key Request header key. var-string Maximum

length: 1023

value Request header value. var-string Maximum

length: 4095

config system automation-destination

Automation destinations.
config system automation-destination
Description: Automation destinations.
edit <name>

FortiOS 7.4.4 CLI Reference 1153

Fortinet Inc.
set destination <name1>, <name2>, ...
set ha-group-id {integer}
set type [fortigate|ha-cluster]
next
end

config system automation-destination

Parameter Description Type Size Default

destination Destinations. string Maximum

<name> Destination. length: 31

ha-group-id Cluster group ID set for this destination. integer Minimum 0

value: 0
Maximum
value: 255

name Name. string Maximum

length: 35

type Destination type. option - fortigate

Option Description

fortigate FortiGate set as destination.

ha-cluster HA cluster set as destination.

config system automation-stitch

Automation stitches.
config system automation-stitch
Description: Automation stitches.
edit <name>
config actions
Description: Configure stitch actions.
edit <id>
set action {string}
set delay {integer}
set required [enable|disable]
next
end
set description {var-string}
set destination <name1>, <name2>, ...
set status [enable|disable]
set trigger {string}
next
end

FortiOS 7.4.4 CLI Reference 1154

Fortinet Inc.
config system automation-stitch

Parameter Description Type Size Default

description Description. var-string Maximum

length: 255

destination Serial number/HA group-name of destination devices. string Maximum

<name> Destination name. length: 79

name Name. string Maximum

length: 35

status Enable/disable this stitch. option - enable

Option Description

enable Enable stitch.

disable Disable stitch.

trigger Trigger name. string Maximum

length: 35

config actions

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

action Action name. string Maximum

length: 64

delay Delay before execution (in seconds). integer Minimum 0

value: 0
Maximum
value: 3600

required Required in action chain. option - disable

Option Description

enable Required in action chain.

disable Not required in action chain.

config system automation-trigger

Trigger for automation stitches.

FortiOS 7.4.4 CLI Reference 1155

Fortinet Inc.
config system automation-trigger
Description: Trigger for automation stitches.
edit <name>
set description {var-string}
set event-type [ioc|event-log|...]
set fabric-event-name {var-string}
set fabric-event-severity {var-string}
set faz-event-name {var-string}
set faz-event-severity {var-string}
set faz-event-tags {var-string}
config fields
Description: Customized trigger field settings.
edit <id>
set name {string}
set value {var-string}
next
end
set license-type [forticare-support|fortiguard-webfilter|...]
set logid <id1>, <id2>, ...
set report-type [posture|coverage|...]
set serial {var-string}
set trigger-datetime {datetime}
set trigger-day {integer}
set trigger-frequency [hourly|daily|...]
set trigger-hour {integer}
set trigger-minute {integer}
set trigger-type [event-based|scheduled]
set trigger-weekday [sunday|monday|...]
set vdom <name1>, <name2>, ...
next
end

config system automation-trigger

Parameter Description Type Size Default

description Description. var-string Maximum

length: 255

event-type Event type. option - ioc

Option Description

ioc Indicator of compromise detected.

event-log Use log ID as trigger.

reboot Device reboot.

low-memory Conserve mode due to low memory.

high-cpu High CPU usage.

FortiOS 7.4.4 CLI Reference 1156

Fortinet Inc.
Parameter Description Type Size Default

Option Description

license-near- License near expiration date.

expiry

local-cert-near- The local certificate near expiration date.

expiry

ha-failover HA failover.

config-change Configuration change.

security-rating- Security rating summary.

summary

virus-ips-db- Virus and IPS database updated.

updated

faz-event FortiAnalyzer event.

incoming- Incoming webhook call.

webhook

fabric-event Fabric connector event.

ips-logs IPS logs.

anomaly-logs Anomaly logs.

virus-logs Virus logs.

ssh-logs SSH logs.

webfilter- Webfilter violation.

violation

traffic-violation Traffic violation.

fabric-event- Fabric connector event handler name. var-string Maximum

name length: 255

fabric-event- Fabric connector event severity. var-string Maximum

severity length: 255

faz-event- FortiAnalyzer event handler name. var-string Maximum

name length: 255

faz-event- FortiAnalyzer event severity. var-string Maximum

severity length: 255

faz-event- FortiAnalyzer event tags. var-string Maximum

tags length: 255

license-type License type. option - forticare-

support

FortiOS 7.4.4 CLI Reference 1157

Fortinet Inc.
Parameter Description Type Size Default

Option Description

forticare-support FortiCare support license.

fortiguard- FortiGuard web filter license.

webfilter

fortiguard- FortiGuard antispam license.

antispam

fortiguard- FortiGuard AntiVirus license.

antivirus

fortiguard-ips FortiGuard IPS license.

fortiguard- FortiGuard management service license.

management

forticloud FortiCloud license.

any Any license.

logid <id> Log IDs to trigger event. integer Minimum

Log ID. value: 1
Maximum
value:
65535

name Name. string Maximum

length: 35

report-type Security Rating report. option - posture

Option Description

posture Posture report.

coverage Coverage report.

optimization Optimization report

any Any report.

serial Fabric connector serial number. var-string Maximum

length: 255

trigger- Trigger date and time (YYYY-MM-DD HH:MM:SS). datetime Not 0000-00-00
datetime Specified 00:00:00

trigger-day Day within a month to trigger. integer Minimum 1

value: 1
Maximum
value: 31

FortiOS 7.4.4 CLI Reference 1158

Fortinet Inc.
Parameter Description Type Size Default

trigger- Scheduled trigger frequency. option - daily

frequency

Option Description

hourly Run hourly.

daily Run daily.

weekly Run weekly.

monthly Run monthly.

once Run once at specified date time.

trigger-hour Hour of the day on which to trigger. integer Minimum 0

value: 0
Maximum
value: 23

trigger-minute Minute of the hour on which to trigger. integer Minimum 0

value: 0
Maximum
value: 59

trigger-type Trigger type. option - event-

based

Option Description

event-based Event based trigger.

scheduled Scheduled trigger.

trigger- Day of week for trigger. option -

weekday

Option Description

sunday Sunday.

monday Monday.

tuesday Tuesday.

wednesday Wednesday.

thursday Thursday.

friday Friday.

saturday Saturday.

vdom <name> Virtual domain(s) that this trigger is valid for. string Maximum
Virtual domain name. length: 79

FortiOS 7.4.4 CLI Reference 1159

Fortinet Inc.
config fields

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Name. string Maximum

length: 35

value Value. var-string Maximum

length: 63

config system autoupdate schedule

Configure update schedule.

config system autoupdate schedule
Description: Configure update schedule.
set day [Sunday|Monday|...]
set frequency [every|daily|...]
set status [enable|disable]
set time {user}
end

config system autoupdate schedule

Parameter Description Type Size Default

day Update day. option - Monday

Option Description

Sunday Update every Sunday.

Monday Update every Monday.

Tuesday Update every Tuesday.

Wednesday Update every Wednesday.

Thursday Update every Thursday.

Friday Update every Friday.

Saturday Update every Saturday.

frequency Update frequency. option - automatic

FortiOS 7.4.4 CLI Reference 1160

Fortinet Inc.
Parameter Description Type Size Default

Option Description

every Time interval.

daily Every day.

weekly Every week.

automatic Update automatically within every one hour period.

status Enable/disable scheduled updates. option - enable

Option Description

enable Enable setting.

disable Disable setting.

time Update time. user Not

Specified

config system autoupdate tunneling

Configure web proxy tunneling for the FDN.

config system autoupdate tunneling
Description: Configure web proxy tunneling for the FDN.
set address {string}
set password {password}
set port {integer}
set status [enable|disable]
set username {string}
end

config system autoupdate tunneling

Parameter Description Type Size Default

address Web proxy IP address or FQDN. string Maximum

length: 63

password Web proxy password. password Not

Specified

port Web proxy port. integer Minimum 0

value: 0
Maximum
value:
65535

status Enable/disable web proxy tunneling. option - disable

FortiOS 7.4.4 CLI Reference 1161

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

username Web proxy username. string Maximum

length: 49

config system bypass

This command is available for model(s): FortiGate 2500E, FortiGate 400E Bypass, FortiGate
800D, FortiGate 80F Bypass, FortiGateRugged 60F 3G4G, FortiGateRugged 60F,
FortiGateRugged 70F 3G4G, FortiGateRugged 70F.
It is not available for: FortiGate 1000D, FortiGate 1000F, FortiGate 1001F, FortiGate 100F,
FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 140E-POE, FortiGate 140E,
FortiGate 1800F, FortiGate 1801F, FortiGate 2000E, FortiGate 200E, FortiGate 200F,
FortiGate 201E, FortiGate 201F, FortiGate 2200E, FortiGate 2201E, FortiGate 2600F,
FortiGate 2601F, FortiGate 3000D, FortiGate 3000F, FortiGate 3001F, FortiGate 300E,
FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3200F, FortiGate 3201F,
FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E, FortiGate 3500F,
FortiGate 3501F, FortiGate 3600E, FortiGate 3601E, FortiGate 3700D, FortiGate 3700F,
FortiGate 3701F, FortiGate 3960E, FortiGate 3980E, FortiGate 400E, FortiGate 400F,
FortiGate 401E, FortiGate 401F, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 4200F,
FortiGate 4201F, FortiGate 4400F, FortiGate 4401F, FortiGate 5001E1, FortiGate 5001E,
FortiGate 500E, FortiGate 501E, FortiGate 600E, FortiGate 600F, FortiGate 601E, FortiGate
601F, FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate
60F, FortiGate 61E, FortiGate 61F, FortiGate 70F, FortiGate 71F, FortiGate 80E-POE,
FortiGate 80E, FortiGate 80F-POE, FortiGate 80F, FortiGate 81E-POE, FortiGate 81E,
FortiGate 81F-POE, FortiGate 81F, FortiGate 900D, FortiGate 90E, FortiGate 91E, FortiGate
VM64, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSLJ, FortiWiFi 60E DSL, FortiWiFi
60E, FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-
POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.

Configure system bypass.

FortiOS 7.4.4 CLI Reference 1162

Fortinet Inc.
config system bypass

Parameter Description Type Size Default

auto-recover * Automatically recover from bypass mode after system option - enable
reboot.

Option Description

enable Recover interfaces from bypass mode. The actual mode is determined by
poweron-bypass setting.

disable Keep interfaces in bypass mode if bypass was previously triggered.

bypass- timeout setting for bypass watchdog option - 10

timeout *

Option Description

2 2 second

4 4 second

6 6 second

8 8 second

10 10 second

12 12 second

14 14 second

bypass- watchdog to bypass interfaces in case of option - disable

watchdog software/hardware failure

Option Description

enable Enable watchdog for bypass interfaces.

disable Disable watchdog for bypass interfaces.

poweroff- set interface bypass state in power off option - disable

bypass *

Option Description

enable Enable bypass when power off.

disable Disable bypass when power off.

* This parameter may not exist in some models.

config system central-management

Configure central management.

FortiOS 7.4.4 CLI Reference 1163

Fortinet Inc.
config system central-management
Description: Configure central management.
set allow-monitor [enable|disable]
set allow-push-configuration [enable|disable]
set allow-push-firmware [enable|disable]
set allow-remote-firmware-upgrade [enable|disable]
set allow-remote-lte-firmware-upgrade [enable|disable]
set ca-cert {user}
set enc-algorithm [default|high|...]
set fmg {user}
set fmg-source-ip {ipv4-address}
set fmg-source-ip6 {ipv6-address}
set fmg-update-port [8890|443]
set fortigate-cloud-sso-default-profile {string}
set include-default-servers [enable|disable]
set interface {string}
set interface-select-method [auto|sdwan|...]
set local-cert {string}
set ltefw-upgrade-frequency [everyHour|every12hour|...]
set ltefw-upgrade-time {string}
set mode [normal|backup]
set schedule-config-restore [enable|disable]
set schedule-script-restore [enable|disable]
set serial-number {user}
config server-list
Description: Additional severs that the FortiGate can use for updates (for AV, IPS,
updates) and ratings (for web filter and antispam ratings) servers.
edit <id>
set server-type {option1}, {option2}, ...
set addr-type [ipv4|ipv6|...]
set server-address {ipv4-address}
set server-address6 {ipv6-address}
set fqdn {string}
next
end
set type [fortimanager|fortiguard|...]
set use-elbc-vdom [enable|disable]
set vdom {string}
end

config system central-management

Parameter Description Type Size Default

allow-monitor Enable/disable allowing the central management option - enable

server to remotely monitor this FortiGate unit.

Option Description

enable Enable remote monitoring of device.

disable Disable remote monitoring of device.

enable Enable remote lte firmware upgrade.

disable Disable remote lte firmware upgrade.

ca-cert CA certificate to be used by FGFM protocol. user Not

Specified

enc-algorithm Encryption strength for communications between the option - high

FortiGate and central management.

Option Description

default High strength algorithms and medium-strength 128-bit key length algorithms.

high 128-bit and larger key length algorithms.

low 64-bit or 56-bit key length algorithms without export restrictions.

fmg IP address or FQDN of the FortiManager. user Not

Specified

FortiOS 7.4.4 CLI Reference 1165

Fortinet Inc.
Parameter Description Type Size Default

fmg-source-ip IPv4 source address that this FortiGate uses when ipv4- Not 0.0.0.0
communicating with FortiManager. address Specified

fmg-source-ip6 IPv6 source address that this FortiGate uses when ipv6- Not ::
communicating with FortiManager. address Specified

fmg-update- Port used to communicate with FortiManager that is option - 8890

port acting as a FortiGuard update server.

Option Description

8890 Use port 8890 to communicate with FortiManager that is acting as a

FortiGuard update server.

443 Use port 443 to communicate with FortiManager that is acting as a

FortiGuard update server.

fortigate-cloud- Override access profile. string Maximum

sso-default- length: 35
profile

include-default- Enable/disable inclusion of public FortiGuard servers option - enable

servers in the override server list.

Option Description

enable Enable inclusion of public FortiGuard servers in the override server list.

disable Disable inclusion of public FortiGuard servers in the override server list.

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface- Specify how to select outgoing interface to reach option - auto

select-method server.

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

local-cert Certificate to be used by FGFM protocol. string Maximum

length: 35

ltefw-upgrade- Set LTE firmware auto pushdown frequency. option -

frequency *

FortiOS 7.4.4 CLI Reference 1166

Fortinet Inc.
Parameter Description Type Size Default

Option Description

everyHour Auto check and pushdown LTE firmware every hour

every12hour Auto check and pushdown LTE firmware every 12 hours

everyDay Auto check and pushdown LTE firmware every day

everyWeek Auto check and pushdown LTE firmware every week

ltefw-upgrade- Schedule next LTE firmware upgrade time (Local string Maximum
time * Time). Format: YYYY-MM-DD HH:MM:SS length: 35

mode Central management mode. option - normal

Option Description

normal Manage and configure this FortiGate from FortiManager.

backup Manage and configure this FortiGate locally and back up its configuration to
FortiManager.

schedule- Enable/disable allowing the central management option - enable

config-restore server to restore the configuration of this FortiGate.

Option Description

enable Enable scheduled configuration restore.

disable Disable scheduled configuration restore.

schedule- Enable/disable allowing the central management option - enable

script-restore server to restore the scripts stored on this FortiGate.

Option Description

enable Enable scheduled script restore.

disable Disable scheduled script restore.

serial-number Serial number. user Not

Specified

type Central management type. option - none

Option Description

fortimanager FortiManager.

fortiguard Central management of this FortiGate using FortiCloud.

none No central management.

use-elbc-vdom Enable/disable use of special ELBC config sync VDOM option - disable
* to connect to FortiManager.

FortiOS 7.4.4 CLI Reference 1167

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable enable

disable disable

vdom Virtual domain (VDOM) name to use when string Maximum root
communicating with FortiManager. length: 31

* This parameter may not exist in some models.

config server-list

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

server-type FortiGuard service type. option -

Option Description

update AV, IPS, and AV-query update server.

rating Web filter and anti-spam rating server.

iot-query IoT query server.

iot-collect IoT device collection server.

addr-type Indicate whether the FortiGate communicates with option - ipv4

the override server using an IPv4 address, an IPv6
address or a FQDN.

Option Description

ipv4 IPv4 address.

ipv6 IPv6 address.

fqdn FQDN.

server- IPv4 address of override server. ipv4- Not Specified 0.0.0.0

address address

server- IPv6 address of override server. ipv6- Not Specified ::

address6 address

fqdn FQDN address of override server. string Maximum

length: 255

FortiOS 7.4.4 CLI Reference 1168

Fortinet Inc.
config system console

Configure console.
config system console
Description: Configure console.
set fortiexplorer [enable|disable]
set login [enable|disable]
set output [standard|more]
end

config system console

Parameter Description Type Size Default

fortiexplorer * Enable/disable access for FortiExplorer. option - enable

Option Description

enable Enable FortiExplorer access.

disable Disable FortiExplorer access.

login Enable/disable serial console and FortiExplorer. option - enable

Option Description

enable Console login enable.

disable Console login disable.

output Console output mode. option - more

Option Description

standard Standard output.

more More page output.

* This parameter may not exist in some models.

config system csf

Add this FortiGate to a Security Fabric or set up a new Security Fabric on this FortiGate.
config system csf
Description: Add this FortiGate to a Security Fabric or set up a new Security Fabric on
this FortiGate.
set accept-auth-by-cert [disable|enable]
set authorization-request-type [serial|certificate]
set certificate {string}
set configuration-sync [default|local]
set downstream-access [enable|disable]
set downstream-accprofile {string}

FortiOS 7.4.4 CLI Reference 1169

Fortinet Inc.
config fabric-connector
Description: Fabric connector configuration.
edit <serial>
set accprofile {string}
set configuration-write-access [enable|disable]
set vdom <name1>, <name2>, ...
next
end
set fabric-object-unification [default|local]
set fabric-workers {integer}
set file-mgmt [enable|disable]
set file-quota {integer}
set file-quota-warning {integer}
set forticloud-account-enforcement [enable|disable]
set group-name {string}
set group-password {password}
set log-unification [disable|enable]
set saml-configuration-sync [default|local]
set source-ip {ipv4-address}
set status [enable|disable]
config trusted-list
Description: Pre-authorized and blocked security fabric nodes.
edit <name>
set authorization-type [serial|certificate]
set serial {string}
set certificate {var-string}
set action [accept|deny]
set ha-members {string}
set downstream-authorization [enable|disable]
set index {integer}
next
end
set uid {string}
set upstream {string}
set upstream-interface {string}
set upstream-interface-select-method [auto|sdwan|...]
set upstream-port {integer}
end

config system csf

Parameter Description Type Size Default

accept-auth-by- Accept connections with unknown certificates and option - enable

cert ask admin for approval.

Option Description

disable Do not accept SSL connections with unknown certificates.

enable Accept SSL connections without automatic certificate verification.

authorization- Authorization request type. option - serial

request-type

FortiOS 7.4.4 CLI Reference 1170

Fortinet Inc.
Parameter Description Type Size Default

Option Description

serial Request verification by serial number.

certificate Request verification by certificate.

certificate Certificate. string Maximum

length: 35

configuration- Configuration sync mode. option - default

sync

Option Description

default Synchronize configuration for IPAM, FortiAnalyzer, FortiSandbox, and

Central Management to root node.

local Do not synchronize configuration with root node.

downstream- Enable/disable downstream device access to this option - disable

access device's configuration and data.

Option Description

enable Enable downstream device access to this device's configuration and data.

disable Disable downstream device access to this device's configuration and data.

downstream- Default access profile for requests from string Maximum

accprofile downstream devices. length: 35

fabric-object- Fabric CMDB Object Unification. option - default

unification

Option Description

default Global CMDB objects will be synchronized in Security Fabric.

local Global CMDB objects will not be synchronized to and from this device.

fabric-workers Number of worker processes for Security Fabric integer Minimum 2

daemon. value: 1
Maximum
value: 4

file-mgmt Enable/disable Security Fabric daemon file option - enable

management.

Option Description

enable Enable daemon file management.

disable Disable daemon file management.

FortiOS 7.4.4 CLI Reference 1171

Fortinet Inc.
Parameter Description Type Size Default

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable Security Fabric.

disable Disable Security Fabric.

uid Unique ID of the current CSF node string Maximum

length: 35

upstream IP/FQDN of the FortiGate upstream from this string Maximum

FortiGate in the Security Fabric. length: 255

upstream- Specify outgoing interface to reach server. string Maximum

interface length: 15

upstream- Specify how to select outgoing interface to reach option - auto

interface-select- server.
method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

upstream-port The port number to use to communicate with the integer Minimum 8013
FortiGate upstream from this FortiGate in the value: 1
Security Fabric. Maximum
value: 65535

config fabric-connector

Parameter Description Type Size Default

serial Serial. string Maximum

length: 19

accprofile Override access profile. string Maximum

length: 35

configuration- Enable/disable downstream device write access to option - disable

write-access configuration.

Option Description

enable Enable downstream device write access to configuration.

disable Disable downstream device write access to configuration.

FortiOS 7.4.4 CLI Reference 1173

Fortinet Inc.
Parameter Description Type Size Default

vdom <name> Virtual domains that the connector has access to. If string Maximum
none are set, the connector will only have access to length: 79
the VDOM that it joins the Security Fabric through.
Virtual domain name.

config trusted-list

Parameter Description Type Size Default

name Name. string Maximum

length: 35

authorization- Authorization type. option - serial

type

Option Description

serial Verify downstream by serial number.

certificate Verify downstream by certificate.

serial Serial. string Maximum

length: 19

certificate Certificate. var-string Maximum

length:
32767

action Security fabric authorization action. option - accept

Option Description

accept Accept authorization request.

deny Deny authorization request.

ha-members HA members. string Maximum

length: 19

downstream- Trust authorizations by this node's administrator. option - disable

authorization

Option Description

enable Enable downstream authorization.

disable Disable downstream authorization.

index Index of the downstream in tree. integer Minimum 0

value: 1
Maximum
value: 1024

FortiOS 7.4.4 CLI Reference 1174

Fortinet Inc.
config system custom-language

Configure custom languages.

config system custom-language
Description: Configure custom languages.
edit <name>
set comments {var-string}
set filename {string}
next
end

config system custom-language

Parameter Description Type Size Default

comments Comment. var-string Maximum

length: 255

filename Custom language file path. string Maximum

length: 63

name Name. string Maximum

length: 35

config system ddns

Configure DDNS.
config system ddns
Description: Configure DDNS.
edit <ddnsid>
set addr-type [ipv4|ipv6]
set bound-ip {string}
set clear-text [disable|enable]
set ddns-auth [disable|tsig]
set ddns-domain {string}
set ddns-key {password_aes256}
set ddns-keyname {string}
set ddns-password {password}
set ddns-server [dyndns.org|dyns.net|...]
set ddns-server-addr <addr1>, <addr2>, ...
set ddns-sn {string}
set ddns-ttl {integer}
set ddns-username {string}
set ddns-zone {string}
set monitor-interface <interface-name1>, <interface-name2>, ...
set server-type [ipv4|ipv6]
set ssl-certificate {string}
set update-interval {integer}
set use-public-ip [disable|enable]
next
end

FortiOS 7.4.4 CLI Reference 1175

Fortinet Inc.
config system ddns

Parameter Description Type Size Default

addr-type Address type of interface address in DDNS option - ipv4

update.

Option Description

ipv4 Use IPv4 address of the interface.

ipv6 Use IPv6 address of the interface.

bound-ip Bound IP address. string Maximum

length: 46

clear-text Enable/disable use of clear text connections. option - disable

Option Description

disable Disable use of clear text connections.

enable Enable use of clear text connections.

ddns-auth Enable/disable TSIG authentication for your option - disable

DDNS server.

Option Description

disable Disable DDNS authentication.

tsig Enable TSIG authentication based on RFC2845.

ddns-domain Your fully qualified domain name. For string Maximum

example, yourname.ddns.com. length: 64

ddns-key DDNS update key (base 64 encoding). password_ Not Specified

aes256

ddns-keyname DDNS update key name. string Maximum

length: 64

ddns-password DDNS password. password Not Specified

ddns-server Select a DDNS service provider. option -

Option Description

dyndns.org members.dyndns.org and dnsalias.com

dyns.net www.dyns.net

tzo.com rh.tzo.com

vavic.com Peanut Hull

FortiOS 7.4.4 CLI Reference 1176

Fortinet Inc.
Parameter Description Type Size Default

Option Description

dipdns.net dipdnsserver.dipdns.com

now.net.cn ip.todayisp.com

dhs.org members.dhs.org

easydns.com members.easydns.com

genericDDNS Generic DDNS based on RFC2136.

FortiGuardDDNS FortiGuard DDNS service.

noip.com dynupdate.no-ip.com

ddns-server-addr Generic DDNS server IP/FQDN list. string Maximum

<addr> IP address or FQDN of the server. length: 256

ddns-sn DDNS Serial Number. string Maximum

length: 64

ddns-ttl Time-to-live for DDNS packets. integer Minimum 300

value: 60
Maximum
value: 86400

ddns-username DDNS user name. string Maximum

length: 64

ddns-zone Zone of your domain name (for example, string Maximum

DDNS.com). length: 64

ddnsid DDNS ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

monitor-interface Monitored interface. string Maximum

<interface- Interface name. length: 79
name>

server-type Address type of the DDNS server. option - ipv4

Option Description

ipv4 Use IPv4 addressing.

ipv6 Use IPv6 addressing.

ssl-certificate Name of local certificate for SSL connections. string Maximum Fortinet_
length: 35 Factory

FortiOS 7.4.4 CLI Reference 1177

Fortinet Inc.
Parameter Description Type Size Default

update-interval DDNS update interval. integer Minimum 0

value: 60
Maximum
value:
2592000

use-public-ip Enable/disable use of public IP address. option - disable

Option Description

disable Disable use of public IP address.

enable Enable use of public IP address.

config system dedicated-mgmt

Configure dedicated management.

config system dedicated-mgmt
Description: Configure dedicated management.
set default-gateway {ipv4-address}
set dhcp-end-ip {ipv4-address}
set dhcp-netmask {ipv4-netmask}
set dhcp-server [enable|disable]
set dhcp-start-ip {ipv4-address}
set interface {string}
set status [enable|disable]
end

config system dedicated-mgmt

Parameter Description Type Size Default

default- Default gateway for dedicated management interface. ipv4- Not 0.0.0.0
gateway address Specified

dhcp-end-ip DHCP end IP for dedicated management. ipv4- Not 0.0.0.0

address Specified

dhcp-netmask DHCP netmask. ipv4- Not 0.0.0.0

netmask Specified

dhcp-server Enable/disable DHCP server on management interface. option - disable

Option Description

enable Enable DHCP server on management port.

disable Disable DHCP server on management port.

FortiOS 7.4.4 CLI Reference 1178

Fortinet Inc.
Parameter Description Type Size Default

dhcp-start-ip DHCP start IP for dedicated management. ipv4- Not 0.0.0.0

address Specified

interface Dedicated management interface. string Maximum

length: 15

status Enable/disable dedicated management. option - disable

Option Description

enable Enable setting.

disable Disable setting.

config system device-upgrade

Independent upgrades for managed devices.

config system device-upgrade
Description: Independent upgrades for managed devices.
edit <serial>
set device-type [fortigate|fortiswitch|...]
set failure-reason [none|internal|...]
set ha-reboot-controller {string}
config known-ha-members
Description: Known members of the HA cluster. If a member is missing at upgrade
time, the upgrade will be cancelled.
edit <serial>
next
end
set maximum-minutes {integer}
set setup-time {user}
set status [disabled|initialized|...]
set time {user}
set timing [immediate|scheduled]
set upgrade-path {user}
next
end

config system device-upgrade

Parameter Description Type Size Default

device-type Fortinet device type. option - fortigate

download-failed The image could not be downloaded.

device-missing The device was disconnected from the FortiGate.

version- An image matching the device and version could not be found.
unavailable

staging-failed The image could not be pushed to the device.

reboot-failed The device could not be rebooted.

device-not- The device did not reconnect after rebooting.

reconnected

node-not-ready A device in the Security Fabric tree was not ready.

no-final- The coordinating FortiGate did not confirm the upgrade.

confirmation

no-confirmation- A downstream FortiGate did not initiate final confirmation.

query

config-error-log- Configuration errors encountered during the upgrade.

nonempty

csf-tree-not- The Security Fabric is disabled on the root FortiGate

supported

node-failed A device in the Security Fabric tree failed.

ha-reboot- Serial number of the FortiGate unit that will control the string Maximum
controller reboot process for the federated upgrade of the HA length: 79
cluster.

FortiOS 7.4.4 CLI Reference 1180

Fortinet Inc.
Parameter Description Type Size Default

maximum- Maximum number of minutes to allow for immediate integer Minimum 15

minutes upgrade preparation. value: 5
Maximum
value:
10080

serial Serial number of the node to include. string Maximum

length: 79

setup-time Upgrade preparation start time in UTC (hh:mm user Not

yyyy/mm/dd UTC). Specified

status Current status of the upgrade. option - disabled

Option Description

disabled No federated upgrade has been configured.

initialized The upgrade has been configured.

downloading The image is downloading in preparation for the upgrade.

device- The image downloads are complete, but one or more devices have
disconnected disconnected.

ready The image download finished and the upgrade is pending.

coordinating The upgrade is coordinating with other running upgrades.

staging The upgrade is confirmed and images are being staged.

final-check The upgrade is ready and final checks are in progress.

upgrade-devices The upgrade is ready and devices are being rebooted.

cancelled The upgrade was cancelled due to the tree not being ready.

confirmed The upgrade was confirmed and reboots are running.

done The upgrade completed successfully.

failed The upgrade failed due to a local issue.

time Scheduled upgrade execution time in UTC (hh:mm user Not

yyyy/mm/dd UTC). Specified

timing Run immediately or at a scheduled time. option - immediate

Option Description

immediate Begin the upgrade immediately.

scheduled Begin the upgrade at a configured time.

upgrade-path Fortinet OS image versions to upgrade through in user Not

major-minor-patch format, such as 7-0-4. Specified

FortiOS 7.4.4 CLI Reference 1181

Fortinet Inc.
config known-ha-members

Parameter Description Type Size Default

serial Serial number of HA member string Maximum

length: 79

config system dhcp6 server

Configure DHCPv6 servers.

config system dhcp6 server
Description: Configure DHCPv6 servers.
edit <id>
set delegated-prefix-iaid {integer}
set dns-search-list [delegated|specify]
set dns-server1 {ipv6-address}
set dns-server2 {ipv6-address}
set dns-server3 {ipv6-address}
set dns-server4 {ipv6-address}
set dns-service [delegated|default|...]
set domain {string}
set interface {string}
set ip-mode [range|delegated]
config ip-range
Description: DHCP IP range configuration.
edit <id>
set start-ip {ipv6-address}
set end-ip {ipv6-address}
next
end
set lease-time {integer}
set option1 {user}
set option2 {user}
set option3 {user}
set prefix-mode [dhcp6|ra]
config prefix-range
Description: DHCP prefix configuration.
edit <id>
set start-prefix {ipv6-address}
set end-prefix {ipv6-address}
set prefix-length {integer}
next
end
set rapid-commit [disable|enable]
set status [disable|enable]
set subnet {ipv6-prefix}
set upstream-interface {string}
next
end

FortiOS 7.4.4 CLI Reference 1182

Fortinet Inc.
config system dhcp6 server

Parameter Description Type Size Default

delegated- IAID of obtained delegated-prefix from the upstream integer Minimum 0

prefix-iaid interface. value: 0
Maximum
value:
4294967295

dns-search- DNS search list options. option - specify

list

Option Description

delegated Delegated the DNS search list.

specify Specify the DNS search list.

dns-server1 DNS server 1. ipv6- Not Specified ::

connected to this interface. length: 15

ip-mode Method used to assign client IP. option - range

FortiOS 7.4.4 CLI Reference 1183

Fortinet Inc.
Parameter Description Type Size Default

Option Description

range Use range defined by start IP/end IP to assign client IP.

delegated Use delegated prefix method to assign client IP.

lease-time Lease time in seconds, 0 means unlimited. integer Minimum 604800

value: 300
Maximum
value:
8640000

option1 Option 1. user Not Specified

option2 Option 2. user Not Specified

option3 Option 3. user Not Specified

prefix-mode Assigning a prefix from a DHCPv6 client or RA. option - dhcp6

Option Description

dhcp6 Use delegated prefix from a DHCPv6 client.

ra Use prefix from RA.

rapid-commit Enable/disable allow/disallow rapid commit. option - disable

Option Description

disable Do not allow rapid commit.

enable Allow rapid commit.

status Enable/disable this DHCPv6 configuration. option - enable

Option Description

disable Enable this DHCPv6 server configuration.

enable Disable this DHCPv6 server configuration.

subnet Subnet or subnet-id if the IP mode is delegated. ipv6-prefix Not Specified ::/0

upstream- Interface name from where delegated information is string Maximum

interface provided. length: 15

FortiOS 7.4.4 CLI Reference 1184

Fortinet Inc.
config ip-range

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

start-ip Start of IP range. ipv6- Not Specified ::

address

end-ip End of IP range. ipv6- Not Specified ::

address

config prefix-range

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

start-prefix Start of prefix range. ipv6- Not Specified ::

address

end-prefix End of prefix range. ipv6- Not Specified ::

address

prefix-length Prefix length. integer Minimum 0

value: 1
Maximum
value: 128

config system dhcp server

Configure DHCP servers.

config system dhcp server
Description: Configure DHCP servers.
edit <id>
set auto-configuration [disable|enable]
set auto-managed-status [disable|enable]
set conflicted-ip-timeout {integer}
set ddns-auth [disable|tsig]
set ddns-key {password_aes256}
set ddns-keyname {string}
set ddns-server-ip {ipv4-address}
set ddns-ttl {integer}
set ddns-update [disable|enable]

FortiOS 7.4.4 CLI Reference 1185

Fortinet Inc.
set ddns-update-override [disable|enable]
set ddns-zone {string}
set default-gateway {ipv4-address}
set dhcp-settings-from-fortiipam [disable|enable]
set dns-server1 {ipv4-address}
set dns-server2 {ipv4-address}
set dns-server3 {ipv4-address}
set dns-server4 {ipv4-address}
set dns-service [local|default|...]
set domain {string}
config exclude-range
Description: Exclude one or more ranges of IP addresses from being assigned to
clients.
edit <id>
set start-ip {ipv4-address}
set end-ip {ipv4-address}
set vci-match [disable|enable]
set vci-string <vci-string1>, <vci-string2>, ...
set uci-match [disable|enable]
set uci-string <uci-string1>, <uci-string2>, ...
set lease-time {integer}
next
end
set filename {string}
set forticlient-on-net-status [disable|enable]
set interface {string}
set ip-mode [range|usrgrp]
config ip-range
Description: DHCP IP range configuration.
edit <id>
set start-ip {ipv4-address}
set end-ip {ipv4-address}
set vci-match [disable|enable]
set vci-string <vci-string1>, <vci-string2>, ...
set uci-match [disable|enable]
set uci-string <uci-string1>, <uci-string2>, ...
set lease-time {integer}
next
end
set ipsec-lease-hold {integer}
set lease-time {integer}
set mac-acl-default-action [assign|block]
set netmask {ipv4-netmask}
set next-server {ipv4-address}
set ntp-server1 {ipv4-address}
set ntp-server2 {ipv4-address}
set ntp-server3 {ipv4-address}
set ntp-service [local|default|...]
config options
Description: DHCP options.
edit <id>
set code {integer}
set type [hex|string|...]
set value {string}
set ip {user}
set vci-match [disable|enable]

FortiOS 7.4.4 CLI Reference 1186

Fortinet Inc.
set vci-string <vci-string1>, <vci-string2>, ...
set uci-match [disable|enable]
set uci-string <uci-string1>, <uci-string2>, ...
next
end
set relay-agent {ipv4-address}
config reserved-address
Description: Options for the DHCP server to assign IP settings to specific MAC
addresses.
edit <id>
set type [mac|option82]
set ip {ipv4-address}
set mac {mac-address}
set action [assign|block|...]
set circuit-id-type [hex|string]
set circuit-id {string}
set remote-id-type [hex|string]
set remote-id {string}
set description {var-string}
next
end
set server-type [regular|ipsec]
set shared-subnet [disable|enable]
set status [disable|enable]
set tftp-server <tftp-server1>, <tftp-server2>, ...
set timezone {string}
set timezone-option [disable|default|...]
set vci-match [disable|enable]
set vci-string <vci-string1>, <vci-string2>, ...
set wifi-ac-service [specify|local]
set wifi-ac1 {ipv4-address}
set wifi-ac2 {ipv4-address}
set wifi-ac3 {ipv4-address}
set wins-server1 {ipv4-address}
set wins-server2 {ipv4-address}
next
end

config system dhcp server

Parameter Description Type Size Default

auto- Enable/disable auto configuration. option - enable

configuration

Option Description

disable Disable auto configuration.

enable Enable auto configuration.

auto-managed- Enable/disable use of this DHCP server once this option - enable
status interface has been assigned an IP address from
FortiIPAM.

FortiOS 7.4.4 CLI Reference 1187

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable use of this DHCP server once this interface has been assigned an IP
address from FortiIPAM.

enable Enable use of this DHCP server once this interface has been assigned an IP
address from FortiIPAM.

conflicted-ip- Time in seconds to wait after a conflicted IP integer Minimum 1800

timeout address is removed from the DHCP range before it value: 60
can be reused. Maximum
value:
8640000

ddns-auth DDNS authentication mode. option - disable

Option Description

disable Disable DDNS authentication.

tsig TSIG based on RFC2845.

ddns-key DDNS update key (base 64 encoding). password_ Not Specified

aes256

ddns-keyname DDNS update key name. string Maximum

length: 64

ddns-server-ip DDNS server IP. ipv4-address Not Specified 0.0.0.0

ddns-ttl TTL. integer Minimum 300

value: 60
Maximum
value: 86400

ddns-update Enable/disable DDNS update for DHCP. option - disable

Option Description

disable Disable DDNS update for DHCP.

enable Enable DDNS update for DHCP.

ddns-update- Enable/disable DDNS update override for DHCP. option - disable

override

Option Description

disable Disable DDNS update override for DHCP.

enable Enable DDNS update override for DHCP.

FortiOS 7.4.4 CLI Reference 1188

Fortinet Inc.
Parameter Description Type Size Default

ddns-zone Zone of your domain name (ex. DDNS.com). string Maximum

length: 64

default- Default gateway IP address assigned by the DHCP ipv4-address Not Specified 0.0.0.0
gateway server.

dhcp-settings- Enable/disable populating of DHCP server settings option - disable

from-fortiipam from FortiIPAM.

Option Description

disable Disable populating of DHCP server settings from FortiIPAM.

enable Enable populating of DHCP server settings from FortiIPAM.

dns-server1 DNS server 1. ipv4-address Not Specified 0.0.0.0

dns-server2 DNS server 2. ipv4-address Not Specified 0.0.0.0

dns-server3 DNS server 3. ipv4-address Not Specified 0.0.0.0

dns-server4 DNS server 4. ipv4-address Not Specified 0.0.0.0

dns-service Options for assigning DNS servers to DHCP option - specify

clients.

Option Description

local IP address of the interface the DHCP server is added to becomes the client's
DNS server IP address.

default Clients are assigned the FortiGate's configured DNS servers.

specify Specify up to 3 DNS servers in the DHCP server configuration.

domain Domain name suffix for the IP addresses that the string Maximum
DHCP server assigns to clients. length: 35

filename Name of the boot file on the TFTP server. string Maximum
length: 127

forticlient-on- Enable/disable FortiClient-On-Net service for this option - enable

net-status DHCP server.

Option Description

disable Disable FortiClient On-Net Status.

enable Enable FortiClient On-Net Status.

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1189

Fortinet Inc.
Parameter Description Type Size Default

interface DHCP server can assign IP configurations to string Maximum

clients connected to this interface. length: 15

ip-mode Method used to assign client IP. option - range

Option Description

range Use range defined by start-ip/end-ip to assign client IP.

usrgrp Use user-group defined method to assign client IP.

ipsec-lease- DHCP over IPsec leases expire this many seconds integer Minimum 60
hold after tunnel down (0 to disable forced-expiry). value: 0
Maximum
value:
8640000

lease-time Lease time in seconds, 0 means unlimited. integer Minimum 604800

value: 300
Maximum
value:
8640000

mac-acl- MAC access control default action (allow or block option - assign
default-action assigning IP settings).

Option Description

assign Allow the DHCP server to assign IP settings to clients on the MAC access
control list.

block Block the DHCP server from assigning IP settings to clients on the MAC
access control list.

netmask Netmask assigned by the DHCP server. ipv4-netmask Not Specified 0.0.0.0

next-server IP address of a server (for example, a TFTP sever) ipv4-address Not Specified 0.0.0.0
that DHCP clients can download a boot file from.

ntp-server1 NTP server 1. ipv4-address Not Specified 0.0.0.0

ntp-server2 NTP server 2. ipv4-address Not Specified 0.0.0.0

ntp-server3 NTP server 3. ipv4-address Not Specified 0.0.0.0

ntp-service Options for assigning Network Time Protocol option - specify

(NTP) servers to DHCP clients.

Option Description

local IP address of the interface the DHCP server is added to becomes the client's
NTP server IP address.

FortiOS 7.4.4 CLI Reference 1190

Fortinet Inc.
Parameter Description Type Size Default

Option Description

default Clients are assigned the FortiGate's configured NTP servers.

specify Specify up to 3 NTP servers in the DHCP server configuration.

relay-agent Relay agent IP. ipv4-address Not Specified 0.0.0.0

server-type DHCP server can be a normal DHCP server or an option - regular

IPsec DHCP server.

Option Description

regular Regular DHCP service.

ipsec DHCP over IPsec service.

shared-subnet Enable/disable shared subnet. option - disable

Option Description

disable Disable shared subnet.

enable Enable shared subnet.

status Enable/disable this DHCP configuration. option - enable

Option Description

disable Do not use this DHCP server configuration.

enable Use this DHCP server configuration.

tftp-server One or more hostnames or IP addresses of the string Maximum

<tftp- TFTP servers in quotes separated by spaces. length: 63
server> TFTP server.

timezone Select the time zone to be assigned to DHCP string Maximum

clients. length: 63

timezone- Options for the DHCP server to set the client's time option - disable
option zone.

Option Description

disable Do not set the client's time zone.

default Clients are assigned the FortiGate's configured time zone.

specify Specify the time zone to be assigned to DHCP clients.

FortiOS 7.4.4 CLI Reference 1191

Fortinet Inc.
Parameter Description Type Size Default

vci-match Enable/disable vendor class identifier (VCI) option - disable

matching. When enabled only DHCP requests with
a matching VCI are served.

Option Description

disable Disable VCI matching.

enable Enable VCI matching.

vci-string One or more VCI strings in quotes separated by string Maximum

<vci- spaces. length: 255
string> VCI strings.

wifi-ac-service Options for assigning WiFi access controllers to option - specify

DHCP clients.

Option Description

specify Specify up to 3 WiFi Access Controllers in the DHCP server configuration.

local IP address of the interface the DHCP server is added to becomes the client's
WiFi Access Controller IP address.

wifi-ac1 WiFi Access Controller 1 IP address (DHCP option ipv4-address Not Specified 0.0.0.0
138, RFC 5417).

wifi-ac2 WiFi Access Controller 2 IP address (DHCP option ipv4-address Not Specified 0.0.0.0
138, RFC 5417).

wifi-ac3 WiFi Access Controller 3 IP address (DHCP option ipv4-address Not Specified 0.0.0.0
138, RFC 5417).

wins-server1 WINS server 1. ipv4-address Not Specified 0.0.0.0

wins-server2 WINS server 2. ipv4-address Not Specified 0.0.0.0

config exclude-range

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

start-ip Start of IP range. ipv4- Not Specified 0.0.0.0

address

end-ip End of IP range. ipv4- Not Specified 0.0.0.0

address

FortiOS 7.4.4 CLI Reference 1192

Fortinet Inc.
Parameter Description Type Size Default

vci-match Enable/disable vendor class identifier (VCI) option - disable

matching. When enabled only DHCP requests with a
matching VCI are served with this range.

Option Description

disable Disable VCI matching.

enable Enable VCI matching.

vci-string One or more VCI strings in quotes separated by string Maximum

<vci- spaces. length: 255
string> VCI strings.

uci-match Enable/disable user class identifier (UCI) matching. option - disable

When enabled only DHCP requests with a matching
UCI are served with this range.

Option Description

disable Disable UCI matching.

enable Enable UCI matching.

uci-string One or more UCI strings in quotes separated by string Maximum

<uci- spaces. length: 255
string> UCI strings.

lease-time Lease time in seconds, 0 means default lease time. integer Minimum 0
value: 300
Maximum
value:
8640000

config ip-range

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

start-ip Start of IP range. ipv4- Not Specified 0.0.0.0

address

end-ip End of IP range. ipv4- Not Specified 0.0.0.0

address

FortiOS 7.4.4 CLI Reference 1193

Fortinet Inc.
Parameter Description Type Size Default

vci-match Enable/disable vendor class identifier (VCI) option - disable

matching. When enabled only DHCP requests with a
matching VCI are served with this range.

Option Description

disable Disable VCI matching.

enable Enable VCI matching.

vci-string One or more VCI strings in quotes separated by string Maximum

<vci- spaces. length: 255
string> VCI strings.

uci-match Enable/disable user class identifier (UCI) matching. option - disable

When enabled only DHCP requests with a matching
UCI are served with this range.

Option Description

disable Disable UCI matching.

enable Enable UCI matching.

uci-string One or more UCI strings in quotes separated by string Maximum

<uci- spaces. length: 255
string> UCI strings.

lease-time Lease time in seconds, 0 means default lease time. integer Minimum 0
value: 300
Maximum
value:
8640000

config options

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

code DHCP option code. integer Minimum 0

value: 0
Maximum
value: 255

type DHCP option type. option - hex

FortiOS 7.4.4 CLI Reference 1194

Fortinet Inc.
Parameter Description Type Size Default

Option Description

hex DHCP option in hex.

string DHCP option in string.

ip DHCP option in IP.

fqdn DHCP option in domain search option format.

value DHCP option value. string Maximum

length: 312

ip DHCP option IPs. user Not Specified

vci-match Enable/disable vendor class identifier (VCI) option - disable

matching. When enabled only DHCP requests with a
matching VCI are served with this option.

Option Description

disable Disable VCI matching.

enable Enable VCI matching.

vci-string One or more VCI strings in quotes separated by string Maximum

<vci- spaces. length: 255
string> VCI strings.

uci-match Enable/disable user class identifier (UCI) matching. option - disable

When enabled only DHCP requests with a matching
UCI are served with this option.

Option Description

disable Disable UCI matching.

enable Enable UCI matching.

uci-string One or more UCI strings in quotes separated by string Maximum

<uci- spaces. length: 255
string> UCI strings.

config reserved-address

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1195

Fortinet Inc.
Parameter Description Type Size Default

type DHCP reserved-address type. option - mac

Option Description

mac Match with MAC address.

option82 Match with DHCP option 82.

ip IP address to be reserved for the MAC ipv4- Not Specified 0.0.0.0

address. address

mac MAC address of the client that will get the mac- Not Specified 00:00:00:00:00:00
reserved IP address. address

action Options for the DHCP server to configure option - reserved

the client with the reserved MAC address.

Option Description

assign Configure the client with this MAC address like any other client.

block Block the DHCP server from assigning IP settings to the client with this MAC
address.

reserved Assign the reserved IP address to the client with this MAC address.

circuit-id-type DHCP option type. option - string

Option Description

hex DHCP option in hex.

string DHCP option in string.

circuit-id Option 82 circuit-ID of the client that will get string Maximum
the reserved IP address. length: 312

remote-id- DHCP option type. option - string

type

Option Description

hex DHCP option in hex.

string DHCP option in string.

remote-id Option 82 remote-ID of the client that will get string Maximum
the reserved IP address. length: 312

description Description. var-string Maximum

length: 255

FortiOS 7.4.4 CLI Reference 1196

Fortinet Inc.
config system dnp3-proxy

This command is available for model(s): FortiGateRugged 60F 3G4G, FortiGateRugged 60F,
FortiGateRugged 70F 3G4G, FortiGateRugged 70F.
It is not available for: FortiGate 1000D, FortiGate 1000F, FortiGate 1001F, FortiGate 100F,
FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 140E-POE, FortiGate 140E,
FortiGate 1800F, FortiGate 1801F, FortiGate 2000E, FortiGate 200E, FortiGate 200F,
FortiGate 201E, FortiGate 201F, FortiGate 2200E, FortiGate 2201E, FortiGate 2500E,
FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 3000F, FortiGate 3001F,
FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3200F,
FortiGate 3201F, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E,
FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E, FortiGate 3700D,
FortiGate 3700F, FortiGate 3701F, FortiGate 3960E, FortiGate 3980E, FortiGate 400E
Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E, FortiGate 401F, FortiGate 40F
3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F,
FortiGate 5001E1, FortiGate 5001E, FortiGate 500E, FortiGate 501E, FortiGate 600E,
FortiGate 600F, FortiGate 601E, FortiGate 601F, FortiGate 60E DSLJ, FortiGate 60E DSL,
FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E, FortiGate 61F, FortiGate
70F, FortiGate 71F, FortiGate 800D, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F
Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 81E-POE, FortiGate 81E, FortiGate
81F-POE, FortiGate 81F, FortiGate 900D, FortiGate 90E, FortiGate 91E, FortiGate VM64,
FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSLJ, FortiWiFi 60E DSL, FortiWiFi 60E,
FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE,
FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.

Configure dnpproxy settings.

config system dnp3-proxy
Description: Configure dnpproxy settings.
set port {integer}
set status [enable|disable]
set term-baudrate [9600|19200|...]
set term-databits {integer}
set term-flowcontrol [none|xon_xoff|...]
set term-parity [none|odd|...]
set term-stopbits {integer}
end

config system dnp3-proxy

Parameter Description Type Size Default

port DNP3 TCPServer Port. integer Minimum 20000

value: 1
Maximum
value:
65535

status Enable/disable DNP daemon. option - disable

FortiOS 7.4.4 CLI Reference 1197

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable DNP daemon.

disable Disable DNP daemon.

term-baudrate Term Baudrate. option - 19200

Option Description

9600 set DNP baudrate to 9600

19200 set DNP baudrate to 19200

38400 set DNP baudrate to 38400

115200 set DNP baudrate to 115200

term-databits Term Data Bits. integer Minimum 8

value: 0
Maximum
value:
65535

term- Term Flow Control option - none

flowcontrol

Option Description

none No flow control.

xon_xoff Enable software flow control on both input and output.

hardware Enable hardware flow control.

term-parity Term Parity option - none

Option Description

none No parity check.

odd Odd parity check.

even Even parity check.

term-stopbits Term Stop Bits. integer Minimum 1

value: 0
Maximum
value:
65535

config system dns-database

Configure DNS databases.

FortiOS 7.4.4 CLI Reference 1198

Fortinet Inc.
config system dns-database
Description: Configure DNS databases.
edit <name>
set allow-transfer {user}
set authoritative [enable|disable]
set contact {string}
config dns-entry
Description: DNS entry.
edit <id>
set status [enable|disable]
set type [A|NS|...]
set ttl {integer}
set preference {integer}
set ip {ipv4-address-any}
set ipv6 {ipv6-address}
set hostname {string}
set canonical-name {string}
next
end
set domain {string}
set forwarder {user}
set forwarder6 {ipv6-address}
set ip-primary {ipv4-address-any}
set primary-name {string}
set rr-max {integer}
set source-ip {ipv4-address}
set source-ip6 {ipv6-address}
set status [enable|disable]
set ttl {integer}
set type [primary|secondary]
set view [shadow|public|...]
next
end

config system dns-database

Parameter Description Type Size Default

allow-transfer DNS zone transfer IP address list. user Not Specified

authoritative Enable/disable authoritative zone. option - enable

Option Description

enable Enable authoritative zone.

disable Disable authoritative zone.

contact Email address of the administrator for this zone. You string Maximum host
can specify only the username, such as admin or the length: 255
full email address, such as [email protected] When
using only a username, the domain of the email will
be this zone.

FortiOS 7.4.4 CLI Reference 1199

Fortinet Inc.
Parameter Description Type Size Default

domain Domain name. string Maximum

length: 255

forwarder DNS zone forwarder IP address list. user Not Specified

forwarder6 Forwarder IPv6 address. ipv6- Not Specified ::

address

ip-primary IP address of primary DNS server. Entries in this ipv4- Not Specified 0.0.0.0
primary DNS server and imported into the DNS address-
zone. any

name Zone name. string Maximum

length: 35

primary-name Domain name of the default DNS server for this string Maximum dns
zone. length: 255

rr-max Maximum number of resource records. integer Minimum 16384

value: 10
Maximum
value: 65536

source-ip Source IP for forwarding to DNS server. ipv4- Not Specified 0.0.0.0
address

source-ip6 IPv6 source IP address for forwarding to DNS ipv6- Not Specified ::
server. address

status Enable/disable this DNS zone. option - enable

Option Description

enable Enable setting.

disable Disable setting.

ttl Default time-to-live value for the entries of this DNS integer Minimum 86400
zone. value: 0
Maximum
value:
2147483647

type Zone type (primary to manage entries directly, option - primary

secondary to import entries from other zones).

Option Description

primary Primary DNS zone, to manage entries directly.

secondary Secondary DNS zone, to import entries from other DNS zones.

FortiOS 7.4.4 CLI Reference 1200

Fortinet Inc.
Parameter Description Type Size Default

view Zone view (public to serve public clients, shadow to option - shadow
serve internal clients).

Option Description

shadow Shadow DNS zone to serve internal clients.

public Public DNS zone to serve public clients.

shadow-ztna implicit DNS zone for ztna dox tunnel.

proxy Shadow DNS zone for internal proxy.

config dns-entry

Parameter Description Type Size Default

id DNS entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

status Enable/disable resource record status. option - enable

Option Description

enable Enable resource record status.

disable Disable resource record status.

type Resource record type. option - A

Option Description

A Host type.

NS Name server type.

CNAME Canonical name type.

MX Mail exchange type.

AAAA IPv6 host type.

PTR Pointer type.

PTR_V6 IPv6 pointer type.

FortiOS 7.4.4 CLI Reference 1201

Fortinet Inc.
Parameter Description Type Size Default

ttl Time-to-live for this entry. integer Minimum 0

value: 0
Maximum
value:
2147483647

preference DNS entry preference. integer Minimum 10

value: 0
Maximum
value: 65535

ip IPv4 address of the host. ipv4- Not Specified 0.0.0.0

address-
any

ipv6 IPv6 address of the host. ipv6- Not Specified ::

address

hostname Name of the host. string Maximum

length: 255

canonical- Canonical name of the host. string Maximum

name length: 255

non-recursive Public DNS database only.

forward-only Forward only.

name DNS server name. string Maximum

length: 15

config system dns

Configure DNS.
config system dns
Description: Configure DNS.
set alt-primary {ipv4-address}
set alt-secondary {ipv4-address}
set cache-notfound-responses [disable|enable]
set dns-cache-limit {integer}
set dns-cache-ttl {integer}
set domain <domain1>, <domain2>, ...
set fqdn-cache-ttl {integer}
set fqdn-max-refresh {integer}
set fqdn-min-refresh {integer}
set interface {string}
set interface-select-method [auto|sdwan|...]
set ip6-primary {ipv6-address}

FortiOS 7.4.4 CLI Reference 1203

Fortinet Inc.
set ip6-secondary {ipv6-address}
set log [disable|error|...]
set primary {ipv4-address}
set protocol {option1}, {option2}, ...
set retry {integer}
set secondary {ipv4-address}
set server-hostname <hostname1>, <hostname2>, ...
set server-select-method [least-rtt|failover]
set source-ip {ipv4-address}
set ssl-certificate {string}
set timeout {integer}
end

config system dns

Parameter Description Type Size Default

alt-primary Alternate primary DNS server. This is not used as a ipv4- Not Specified 0.0.0.0
failover DNS server. address

alt-secondary Alternate secondary DNS server. This is not used ipv4- Not Specified 0.0.0.0
as a failover DNS server. address

cache- Enable/disable response from the DNS server when option - disable
notfound- a record is not in cache.
responses

Option Description

disable Disable cache NOTFOUND responses from DNS server.

enable Enable cache NOTFOUND responses from DNS server.

dns-cache-limit Maximum number of records in the DNS cache. integer Minimum 5000
value: 0
Maximum
value:
4294967295

dns-cache-ttl Duration in seconds that the DNS cache retains integer Minimum 1800
information. value: 60
Maximum
value: 86400

domain Search suffix list for hostname lookup. string Maximum

<domain> DNS search domain list separated by space length: 127
(maximum 8 domains).

fqdn-cache-ttl FQDN cache time to live in seconds. integer Minimum 0

value: 0
Maximum
value: 86400

FortiOS 7.4.4 CLI Reference 1204

Fortinet Inc.
Parameter Description Type Size Default

fqdn-max- FQDN cache maximum refresh time in seconds. integer Minimum 3600
refresh value: 3600
Maximum
value: 86400

fqdn-min- FQDN cache minimum refresh time in seconds. integer Minimum 60

refresh value: 10
Maximum
value: 3600

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface-select- Specify how to select outgoing interface to reach option - auto

method server.

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

ip6-primary Primary DNS server IPv6 address. ipv6- Not Specified ::

address

ip6-secondary Secondary DNS server IPv6 address. ipv6- Not Specified ::

address

log Local DNS log setting. option - disable

Option Description

disable Disable.

error Enable local DNS error log.

all Enable local DNS log.

primary Primary DNS server IP address. ipv4- Not Specified 0.0.0.0

address

protocol DNS transport protocols. option - cleartext

Option Description

cleartext DNS over UDP/53, DNS over TCP/53.

dot DNS over TLS/853.

doh DNS over HTTPS/443.

FortiOS 7.4.4 CLI Reference 1205

Fortinet Inc.
Parameter Description Type Size Default

retry Number of times to retry. integer Minimum 2

value: 0
Maximum
value: 5

secondary Secondary DNS server IP address. ipv4- Not Specified 0.0.0.0

address

server- DNS server host name list. string Maximum

hostname DNS server host name list separated by space length: 127
<hostname> (maximum 4 domains).

server-select- Specify how configured servers are prioritized. option - least-rtt

method

Option Description

least-rtt Select servers based on least round trip time.

failover Select servers based on the order they are configured.

source-ip IP address used by the DNS server as its source IP. ipv4- Not Specified 0.0.0.0
address

ssl-certificate Name of local certificate for SSL connections. string Maximum Fortinet_
length: 35 Factory

timeout DNS query timeout interval in seconds. integer Minimum 5

value: 1
Maximum
value: 10

config system dns64

Configure DNS64.
config system dns64
Description: Configure DNS64.
set always-synthesize-aaaa-record [enable|disable]
set dns64-prefix {ipv6-prefix}
set status [enable|disable]
end

FortiOS 7.4.4 CLI Reference 1206

Fortinet Inc.
config system dns64

Parameter Description Type Size Default

always- Enable/disable AAAA record synthesis. option - enable

synthesize-
aaaa-record

Option Description

enable Enable AAAA record synthesis.

disable Disable AAAA record synthesis.

dns64-prefix DNS64 prefix must be ::/96. ipv6-prefix Not 64:ff9b::/96

Specified

status Enable/disable DNS64. option - disable

Option Description

enable Enable DNS64.

disable Disable DNS64.

config system dscp-based-priority

Configure DSCP based priority table.

config system dscp-based-priority
Description: Configure DSCP based priority table.
edit <id>
set ds {integer}
set priority [low|medium|...]
next
end

config system dscp-based-priority

Parameter Description Type Size Default

ds DSCP. integer Minimum 0

value: 0
Maximum
value: 63

id Item ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1207

Fortinet Inc.
Parameter Description Type Size Default

priority DSCP based priority level. option - high

Option Description

low Low priority.

medium Medium priority.

high High priority.

config system elbc

This command is available for model(s): FortiGate 5001E1, FortiGate 5001E.

It is not available for: FortiGate 1000D, FortiGate 1000F, FortiGate 1001F, FortiGate 100F,
FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 140E-POE, FortiGate 140E,
FortiGate 1800F, FortiGate 1801F, FortiGate 2000E, FortiGate 200E, FortiGate 200F,
FortiGate 201E, FortiGate 201F, FortiGate 2200E, FortiGate 2201E, FortiGate 2500E,
FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 3000F, FortiGate 3001F,
FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3200F,
FortiGate 3201F, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E,
FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E, FortiGate 3700D,
FortiGate 3700F, FortiGate 3701F, FortiGate 3960E, FortiGate 3980E, FortiGate 400E
Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E, FortiGate 401F, FortiGate 40F
3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F,
FortiGate 500E, FortiGate 501E, FortiGate 600E, FortiGate 600F, FortiGate 601E, FortiGate
601F, FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate
60F, FortiGate 61E, FortiGate 61F, FortiGate 70F, FortiGate 71F, FortiGate 800D, FortiGate
80E-POE, FortiGate 80E, FortiGate 80F Bypass, FortiGate 80F-POE, FortiGate 80F,
FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 81F, FortiGate 900D,
FortiGate 90E, FortiGate 91E, FortiGate VM64, FortiGateRugged 60F 3G4G,
FortiGateRugged 60F, FortiGateRugged 70F 3G4G, FortiGateRugged 70F, FortiWiFi 40F
3G4G, FortiWiFi 40F, FortiWiFi 60E DSLJ, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 60F,
FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F
2R-POE, FortiWiFi 81F 2R.

Configure enhanced load balance cluster.

config system elbc
Description: Configure enhanced load balance cluster.
set graceful-upgrade [enable|disable]
set hb-device <name1>, <name2>, ...
set inter-chassis-support [enable|disable]
set mode [none|forticontroller|...]
end

FortiOS 7.4.4 CLI Reference 1208

Fortinet Inc.
config system elbc

Parameter Description Type Size Default

config system email-server

Parameter Description Type Size Default

authenticate Enable/disable authentication. option - disable

Option Description

enable Enable authentication.

disable Disable authentication.

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface- Specify how to select outgoing interface to reach option - auto

select-method server.

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

password SMTP server user password for authentication. password Not

Specified

port SMTP server port. integer Minimum 25

value: 1
Maximum
value:
65535

security Connection security used by the email server. option - none

Option Description

none None.

starttls STARTTLS.

smtps SSL/TLS.

server SMTP server IP address or hostname. string Maximum

length: 63

source-ip SMTP server IPv4 source IP. ipv4- Not 0.0.0.0

address Specified

FortiOS 7.4.4 CLI Reference 1210

Fortinet Inc.
Parameter Description Type Size Default

source-ip6 SMTP server IPv6 source IP. ipv6- Not ::

enable Enable validation of server certificate.

disable Disable validation of server certificate.

config system evpn

Configure EVPN instance.

config system evpn
Description: Configure EVPN instance.
edit <id>
set arp-suppression [enable|disable]
set export-rt <route-target1>, <route-target2>, ...
set import-rt <route-target1>, <route-target2>, ...
set ip-local-learning [enable|disable]
set rd {string}
next
end

FortiOS 7.4.4 CLI Reference 1211

Fortinet Inc.
config system evpn

Parameter Description Type Size Default

arp- Enable/disable ARP suppression. option - disable

suppression

Option Description

enable Enable ARP suppression.

disable Disable ARP suppression.

export-rt List of export route targets. string Maximum

<route- Route target: AA:NN|A.B.C.D:NN. length: 79
target>

id ID. integer Minimum 0

value: 1
Maximum
value:
65535

import-rt List of import route targets. string Maximum

<route- Route target: AA:NN|A.B.C.D:NN. length: 79
target>

ip-local- Enable/disable IP address local learning. option - disable

learning

Option Description

enable Enable IP address local learning.

disable Disable IP address local learning.

rd Route Distinguisher: AA:NN|A.B.C.D:NN. string Maximum

length: 79

config system external-resource

Configure external resource.

config system external-resource
Description: Configure external resource.
edit <name>
set category {integer}
set comments {var-string}
set interface {string}
set interface-select-method [auto|sdwan|...]
set password {password}
set refresh-rate {integer}
set resource {string}
set server-identity-check [none|basic|...]

FortiOS 7.4.4 CLI Reference 1212

Fortinet Inc.
set source-ip {ipv4-address}
set status [enable|disable]
set type [category|domain|...]
set update-method [feed|push]
set user-agent {var-string}
set username {string}
set uuid {uuid}
next
end

config system external-resource

Parameter Description Type Size Default

category User resource category. integer Minimum 0

value: 192
Maximum
value: 221

comments Comment. var-string Maximum

length: 255

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface- Specify how to select outgoing interface to reach option - auto

select-method server.

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

name External resource name. string Maximum

length: 35

password HTTP basic authentication password. password Not

Specified

refresh-rate Time interval to refresh external resource. integer Minimum 5

value: 1
Maximum
value:
43200

resource URL of external resource. string Maximum

length: 511

server- Certificate verification option. option - none

identity-check

FortiOS 7.4.4 CLI Reference 1213

Fortinet Inc.
Parameter Description Type Size Default

Option Description

none No certificate verification.

basic Check server certifcate only.

full Check server certificate and verify the domain matches in the server
certificate.

source-ip Source IPv4 address used to communicate with ipv4- Not 0.0.0.0
server. address Specified

status Enable/disable user resource. option - enable

Option Description

enable Enable user resource.

disable Disable user resource.

type User resource type. option - category

Option Description

category FortiGuard category.

domain Domain Name.

malware Malware hash.

address Firewall IP address.

mac-address Firewall MAC address.

data Data file.

update- External resource update method. option - feed

method

Option Description

feed FortiGate unit will pull update from the external resource.

push External Resource update is pushed to the FortiGate unit through the
FortiGate unit's RESTAPI/CLI.

user-agent HTTP User-Agent header. var-string Maximum

length: 255

username HTTP basic authentication user name. string Maximum

length: 64

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

FortiOS 7.4.4 CLI Reference 1214

Fortinet Inc.
config system fabric-vpn

Setup for self orchestrated fabric auto discovery VPN.

config system fabric-vpn
Description: Setup for self orchestrated fabric auto discovery VPN.
config advertised-subnets
Description: Local advertised subnets.
edit <id>
set prefix {ipv4-classnet}
set access [inbound|bidirectional]
set bgp-network {integer}
set firewall-address {string}
set policies {integer}
next
end
set bgp-as {integer}
set branch-name {string}
set health-checks {string}
set loopback-address-block {ipv4-classnet-host}
set loopback-advertised-subnet {integer}
set loopback-interface {string}
config overlays
Description: Local overlay interfaces table.
edit <name>
set overlay-tunnel-block {ipv4-classnet-host}
set remote-gw {ipv4-address-any}
set interface {string}
set bgp-neighbor {string}
set overlay-policy {integer}
set bgp-network {integer}
set route-policy {integer}
set bgp-neighbor-group {string}
set bgp-neighbor-range {integer}
set ipsec-phase1 {string}
set sdwan-member {integer}
next
end
set policy-rule [health-check|manual|...]
set psksecret {password-3}
set sdwan-zone {string}
set status [enable|disable]
set sync-mode [enable|disable]
set vpn-role [hub|spoke]
end

FortiOS 7.4.4 CLI Reference 1215

Fortinet Inc.
config system fabric-vpn

Parameter Description Type Size Default

bgp-as BGP Router AS number, valid from 1 to 4294967295. integer Minimum 0

value: 0
Maximum
value:
4294967295

branch-name Branch name. string Maximum

length: 35

health-checks Underlying health checks. string Maximum

length: 35

loopback- IPv4 address and subnet mask for hub's loopback ipv4- Not Specified 0.0.0.0
address-block address, syntax: X.X.X.X/24. classnet- 0.0.0.0
host

loopback- Loopback advertised subnet reference. integer Minimum 0

advertised- value: 0
subnet Maximum
value:
4294967295

loopback- Loopback interface. string Maximum

interface length: 15

policy-rule Policy creation rule. option - health-

check

Option Description

health-check Create health check policy automatically.

manual All policies will be created manually.

auto Automatically create allow policies.

psksecret Pre-shared secret for ADVPN. password-3 Not Specified

sdwan-zone Reference to created SD-WAN zone. string Maximum

length: 35

status Enable/disable Fabric VPN. option - disable

Option Description

enable Enable Fabric VPN.

disable Disable Fabric VPN.

sync-mode Setting synchronised by fabric or manual. option - enable

FortiOS 7.4.4 CLI Reference 1216

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable fabric led configuration synchronisation.

disable Disable fabric led configuration synchronisation.

vpn-role Fabric VPN role. option - hub

Option Description

hub VPN hub.

spoke VPN spoke.

config advertised-subnets

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967294

prefix Network prefix. ipv4- Not Specified 0.0.0.0

classnet 0.0.0.0

access Access policy direction. option - inbound

Option Description

inbound Allow inbound traffic to subnet.

bidirectional Allow inbound and outbound traffic to subnet.

bgp-network Underlying BGP network. integer Minimum 0

value: 0
Maximum
value:
4294967295

firewall- Underlying firewall address. string Maximum

address length: 79

policies Underlying policies. integer Minimum

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1217

Fortinet Inc.
config overlays

Parameter Description Type Size Default

name Overlay name. string Maximum

length: 79

overlay- IPv4 address and subnet mask for the overlay tunnel , ipv4- Not Specified 0.0.0.0
tunnel-block syntax: X.X.X.X/24. classnet- 0.0.0.0
host

remote-gw IP address of the hub gateway (Set by hub). ipv4- Not Specified 0.0.0.0
address-
any

interface Underlying interface name. string Maximum

length: 15

bgp-neighbor Underlying BGP neighbor entry. string Maximum

length: 45

overlay-policy The overlay policy to allow ADVPN thru traffic. integer Minimum 0
value: 0
Maximum
value:
4294967295

bgp-network Underlying BGP network. integer Minimum 0

value: 0
Maximum
value:
4294967295

route-policy Underlying router policy. integer Minimum 0

value: 0
Maximum
value:
4294967295

bgp-neighbor- Underlying BGP neighbor group entry. string Maximum

group length: 45

bgp-neighbor- Underlying BGP neighbor range entry. integer Minimum 0

range value: 0
Maximum
value:
4294967295

ipsec-phase1 IPsec interface. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 1218

Fortinet Inc.
Parameter Description Type Size Default

sdwan- Reference to SD-WAN member entry. integer Minimum 0

member value: 0
Maximum
value:
4294967295

config system federated-upgrade

Coordinate federated upgrades within the Security Fabric.

config system federated-upgrade
Description: Coordinate federated upgrades within the Security Fabric.
set failure-device {string}
set failure-reason [none|internal|...]
set ha-reboot-controller {string}
config known-ha-members
Description: Known members of the HA cluster. If a member is missing at upgrade
time, the upgrade will be cancelled.
edit <serial>
next
end
set next-path-index {integer}
config node-list
Description: Nodes which will be included in the upgrade.
edit <serial>
set timing [immediate|scheduled]
set maximum-minutes {integer}
set time {user}
set setup-time {user}
set upgrade-path {user}
set device-type [fortigate|fortiswitch|...]
set coordinating-fortigate {string}
next
end
set status [disabled|initialized|...]
set upgrade-id {integer}
end

config system federated-upgrade

Parameter Description Type Size Default

failure-device Serial number of the node to include. string Maximum

length: 79

failure-reason Reason for upgrade failure. option - none

FortiOS 7.4.4 CLI Reference 1219

Fortinet Inc.
Parameter Description Type Size Default

Option Description

none No failure.

internal An internal error occurred.

timeout The upgrade timed out.

device-type- The device type was not supported by the FortiGate.

unsupported

download-failed The image could not be downloaded.

device-missing The device was disconnected from the FortiGate.

version- An image matching the device and version could not be found.
unavailable

staging-failed The image could not be pushed to the device.

reboot-failed The device could not be rebooted.

device-not- The device did not reconnect after rebooting.

reconnected

node-not-ready A device in the Security Fabric tree was not ready.

no-final- The coordinating FortiGate did not confirm the upgrade.

confirmation

no-confirmation- A downstream FortiGate did not initiate final confirmation.

query

config-error-log- Configuration errors encountered during the upgrade.

nonempty

csf-tree-not- The Security Fabric is disabled on the root FortiGate

supported

node-failed A device in the Security Fabric tree failed.

ha-reboot- Serial number of the FortiGate unit that will control the string Maximum
controller reboot process for the federated upgrade of the HA length: 79
cluster.

next-path- The index of the next image to upgrade to. integer Minimum 0
index value: 0
Maximum
value: 10

status Current status of the upgrade. option - disabled

FortiOS 7.4.4 CLI Reference 1220

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disabled No federated upgrade has been configured.

initialized The upgrade has been configured.

downloading The image is downloading in preparation for the upgrade.

device- The image downloads are complete, but one or more devices have
disconnected disconnected.

ready The image download finished and the upgrade is pending.

coordinating The upgrade is coordinating with other running upgrades.

staging The upgrade is confirmed and images are being staged.

final-check The upgrade is ready and final checks are in progress.

upgrade-devices The upgrade is ready and devices are being rebooted.

cancelled The upgrade was cancelled due to the tree not being ready.

confirmed The upgrade was confirmed and reboots are running.

done The upgrade completed successfully.

failed The upgrade failed due to a local issue.

upgrade-id Unique identifier for this upgrade. integer Minimum 0

value: 0
Maximum
value:
4294967295

config known-ha-members

Parameter Description Type Size Default

serial Serial number of HA member string Maximum

length: 79

config node-list

Parameter Description Type Size Default

serial Serial number of the node to include. string Maximum

length: 79

timing Run immediately or at a scheduled time. option - immediate

FortiOS 7.4.4 CLI Reference 1221

Fortinet Inc.
Parameter Description Type Size Default

Option Description

immediate Begin the upgrade immediately.

scheduled Begin the upgrade at a configured time.

maximum- Maximum number of minutes to allow for immediate integer Minimum 15

minutes upgrade preparation. value: 5
Maximum
value:
10080

time Scheduled upgrade execution time in UTC (hh:mm user Not

yyyy/mm/dd UTC). Specified

setup-time Upgrade preparation start time in UTC (hh:mm user Not

yyyy/mm/dd UTC). Specified

upgrade-path Fortinet OS image versions to upgrade through in user Not

major-minor-patch format, such as 7-0-4. Specified

device-type Fortinet device type. option - fortigate

Option Description

fortigate This device is a FortiGate.

fortiswitch This device is a FortiSwitch.

fortiap This device is a FortiAP.

fortiextender This device is a FortiExtender.

coordinating- Serial number of the FortiGate unit that controls this string Maximum
fortigate device. length: 79

config system fips-cc

Configure FIPS-CC mode.

config system fips-cc
Description: Configure FIPS-CC mode.
set key-generation-self-test [enable|disable]
set self-test-period {integer}
set status [enable|disable]
end

FortiOS 7.4.4 CLI Reference 1222

Fortinet Inc.
config system fips-cc

Parameter Description Type Size Default

key- Enable/disable self tests after key generation. option - disable

generation-
self-test

Option Description

enable Enable self tests after key generation.

disable Disable self tests after key generation.

self-test- Self test period. integer Minimum 1440

period value: 1
Maximum
value: 1440

status Enable/disable ciphers for FIPS mode of operation. option - disable

Option Description

enable Enable FIPS-CC mode.

disable Disable FIPS-CC mode.

config system fortiguard

Configure FortiGuard services.

config system fortiguard
Description: Configure FortiGuard services.
set FDS-license-expiring-days {integer}
set antispam-cache [enable|disable]
set antispam-cache-mpermille {integer}
set antispam-cache-ttl {integer}
set antispam-expiration {integer}
set antispam-force-off [enable|disable]
set antispam-license {integer}
set antispam-timeout {integer}
set anycast-sdns-server-ip {ipv4-address}
set anycast-sdns-server-port {integer}
set auto-firmware-upgrade [enable|disable]
set auto-firmware-upgrade-day {option1}, {option2}, ...
set auto-firmware-upgrade-delay {integer}
set auto-firmware-upgrade-end-hour {integer}
set auto-firmware-upgrade-start-hour {integer}
set auto-join-forticloud [enable|disable]
set ddns-server-ip {ipv4-address}
set ddns-server-ip6 {ipv6-address}
set ddns-server-port {integer}
set fortiguard-anycast [enable|disable]
set fortiguard-anycast-source [fortinet|aws|...]

FortiOS 7.4.4 CLI Reference 1223

Fortinet Inc.
set interface {string}
set interface-select-method [auto|sdwan|...]
set load-balance-servers {integer}
set outbreak-prevention-cache [enable|disable]
set outbreak-prevention-cache-mpermille {integer}
set outbreak-prevention-cache-ttl {integer}
set outbreak-prevention-expiration {integer}
set outbreak-prevention-force-off [enable|disable]
set outbreak-prevention-license {integer}
set outbreak-prevention-timeout {integer}
set persistent-connection [enable|disable]
set port [8888|53|...]
set protocol [udp|http|...]
set proxy-password {password}
set proxy-server-ip {string}
set proxy-server-port {integer}
set proxy-username {string}
set sandbox-inline-scan [enable|disable]
set sandbox-region {string}
set sdns-options {option1}, {option2}, ...
set sdns-server-ip {user}
set sdns-server-port {integer}
set service-account-id {string}
set source-ip {ipv4-address}
set source-ip6 {ipv6-address}
set update-build-proxy [enable|disable]
set update-dldb [enable|disable]
set update-extdb [enable|disable]
set update-ffdb [enable|disable]
set update-server-location [automatic|usa|...]
set update-uwdb [enable|disable]
set vdom {string}
set webfilter-cache [enable|disable]
set webfilter-cache-ttl {integer}
set webfilter-expiration {integer}
set webfilter-force-off [enable|disable]
set webfilter-license {integer}
set webfilter-timeout {integer}
end

config system fortiguard

Parameter Description Type Size Default

FDS-license- Threshold for number of days before FortiGuard integer Minimum 15

expiring-days license expiration to generate license expiring value: 1
event log. Maximum
value: 100

antispam- Enable/disable FortiGuard antispam request option - enable

cache caching. Uses a small amount of memory but
improves performance.

FortiOS 7.4.4 CLI Reference 1224

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable FortiGuard antispam request caching.

disable Disable FortiGuard antispam request caching.

antispam- Maximum permille of FortiGate memory the integer Minimum 1

cache- antispam cache is allowed to use. value: 1
mpermille Maximum
value: 150

antispam- Time-to-live for antispam cache entries in integer Minimum 1800

cache-ttl seconds. Lower times reduce the cache size. value: 300
Higher times may improve performance since the Maximum
cache will have more entries. value: 86400

antispam- Expiration date of the FortiGuard antispam integer Minimum 0

expiration contract. value: 0
Maximum
value:
4294967295

antispam- Enable/disable turning off the FortiGuard option - disable

force-off antispam service.

Option Description

enable Turn off the FortiGuard antispam service.

disable Allow the FortiGuard antispam service.

antispam- Interval of time between license checks for the integer Minimum 4294967295
license FortiGuard antispam contract. value: 0
Maximum
value:
4294967295

antispam- Antispam query time out. integer Minimum 7

timeout value: 1
Maximum
value: 30

anycast-sdns- IP address of the FortiGuard anycast DNS rating ipv4- Not Specified 0.0.0.0
server-ip server. address

anycast-sdns- Port to connect to on the FortiGuard anycast DNS integer Minimum 853
server-port rating server. value: 1
Maximum
value: 65535

FortiOS 7.4.4 CLI Reference 1225

Fortinet Inc.
Parameter Description Type Size Default

auto- Enable/disable automatic patch-level firmware option - disable **

firmware- upgrade from FortiGuard. The FortiGate unit
upgrade searches for new patches only in the same major
and minor version. Enabled by default for entry-
level FortiGates; see Automatic firmware updates.

Option Description

enable Enable automatic patch-level firmware upgrade to latest version from

FortiGuard.

disable Disable automatic patch-level firmware upgrade to latest version from

FortiGuard.

auto- Allowed day. Disallow any day of the week to use option -
firmware- auto-firmware-upgrade-delay instead, which waits
upgrade-day for designated days before installing an automatic
patch-level firmware upgrade.

Option Description

sunday Sunday.

monday Monday.

tuesday Tuesday.

wednesday Wednesday.

thursday Thursday.

friday Friday.

saturday Saturday.

auto- Delay of day of the week for installing an integer Minimum 3

firmware- automatic patch-level firmware upgrade. value: 0
upgrade- Maximum
delay value: 14

auto- End time in the designated time window for integer Minimum 4
firmware- automatic patch-level firmware upgrade from value: 0
upgrade-end- FortiGuard in 24 hour time. When the end time is Maximum
hour smaller than the start time, the end time is value: 23
interpreted as the next day. The actual upgrade
time is selected randomly within the time window.

auto- Start time in the designated time window for integer Minimum 1
firmware- automatic patch-level firmware upgrade from value: 0
upgrade-start- FortiGuard in 24 hour time. The actual upgrade Maximum
hour time is selected randomly within the time window. value: 23

FortiOS 7.4.4 CLI Reference 1226

Fortinet Inc.
Parameter Description Type Size Default

auto-join- Automatically connect to and login to FortiCloud. option - enable

forticloud *

Option Description

enable Enable automatic connection and login to FortiCloud.

disable Disable automatic connection and login to FortiCloud.

ddns-server- IP address of the FortiDDNS server. ipv4- Not Specified 0.0.0.0

ip address

ddns-server- IPv6 address of the FortiDDNS server. ipv6- Not Specified ::

ip6 address

ddns-server- Port used to communicate with FortiDDNS integer Minimum 443

port servers. value: 1
Maximum
value: 65535

fortiguard- Enable/disable use of FortiGuard's Anycast option - enable

anycast network.

Option Description

enable Enable use of FortiGuard's Anycast network.

disable Disable use of FortiGuard's Anycast network.

fortiguard- Configure which of Fortinet's servers to provide option - fortinet

anycast- FortiGuard services in FortiGuard's anycast
source network. Default is Fortinet.

Option Description

fortinet Use Fortinet's servers to provide FortiGuard services in FortiGuard's anycast

network.

aws Use Fortinet's AWS servers to provide FortiGuard services in FortiGuard's

anycast network.

debug Use Fortinet's internal test servers to provide FortiGuard services in

FortiGuard's anycast network.

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface- Specify how to select outgoing interface to reach option - auto

select-method server.

FortiOS 7.4.4 CLI Reference 1227

Fortinet Inc.
Parameter Description Type Size Default

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

load-balance- Number of servers to alternate between as first integer Minimum 1

servers FortiGuard option. value: 1
Maximum
value: 266

outbreak- Enable/disable FortiGuard Virus Outbreak option - enable

prevention- Prevention cache.
cache

Option Description

enable Enable FortiGuard antivirus caching.

disable Disable FortiGuard antivirus caching.

outbreak- Maximum permille of memory FortiGuard Virus integer Minimum 1

prevention- Outbreak Prevention cache can use. value: 1
cache- Maximum
mpermille value: 150

outbreak- Time-to-live for FortiGuard Virus Outbreak integer Minimum 300

prevention- Prevention cache entries. value: 300
cache-ttl Maximum
value: 86400

outbreak- Expiration date of FortiGuard Virus Outbreak integer Minimum 0

prevention- Prevention contract. value: 0
expiration Maximum
value:
4294967295

outbreak- Turn off FortiGuard Virus Outbreak Prevention option - disable

prevention- service.
force-off

Option Description

enable Turn off FortiGuard antivirus service.

disable Allow the FortiGuard antivirus service.

FortiOS 7.4.4 CLI Reference 1228

Fortinet Inc.
Parameter Description Type Size Default

outbreak- Interval of time between license checks for integer Minimum 4294967295
prevention- FortiGuard Virus Outbreak Prevention contract. value: 0
license Maximum
value:
4294967295

outbreak- FortiGuard Virus Outbreak Prevention time out. integer Minimum 7

prevention- value: 1
timeout Maximum
value: 30

persistent- Enable/disable use of persistent connection to option - disable

connection receive update notification from FortiGuard.

Option Description

enable Enable persistent connection to receive update notification from FortiGuard.

disable Disable persistent connection to receive update notification from FortiGuard.

port Port used to communicate with the FortiGuard option - 443

servers.

Option Description

8888 port 8888 for server communication.

53 port 53 for server communication.

80 port 80 for server communication.

443 port 443 for server communication.

protocol Protocol used to communicate with the FortiGuard option - https

servers.

Option Description

udp UDP for server communication (for use by FortiGuard or FortiManager).

http HTTP for server communication (for use only by FortiManager).

https HTTPS for server communication (for use by FortiGuard or FortiManager).

proxy- Proxy user password. password Not Specified

password

proxy-server- Hostname or IPv4 address of the proxy server. string Maximum

ip length: 63

FortiOS 7.4.4 CLI Reference 1229

Fortinet Inc.
Parameter Description Type Size Default

proxy-server- Port used to communicate with the proxy server. integer Minimum 0
port value: 0
Maximum
value: 65535

proxy- Proxy user name. string Maximum

username length: 64

sandbox- Enable/disable FortiCloud Sandbox inline-scan. option - disable

inline-scan

Option Description

enable Enable FortiCloud Sandbox inline scan.

disable Disable FortiCloud Sandbox inline scan.

sandbox- FortiCloud Sandbox region. string Maximum

region length: 63

sdns-options Customization options for the FortiGuard DNS option -

service.

Option Description

include-question- Include DNS question section in the FortiGuard DNS setup message.
section

sdns-server- IP address of the FortiGuard DNS rating server. user Not Specified
ip

sdns-server- Port to connect to on the FortiGuard DNS rating integer Minimum 53

port server. value: 1
Maximum
value: 65535

service- Service account ID. string Maximum

account-id length: 50

source-ip Source IPv4 address used to communicate with ipv4- Not Specified 0.0.0.0
FortiGuard. address

source-ip6 Source IPv6 address used to communicate with ipv6- Not Specified ::
FortiGuard. address

update-build- Enable/disable proxy dictionary rebuild. option - enable

proxy

Option Description

enable Enable proxy dictionary rebuild.

disable Disable proxy dictionary rebuild.

FortiOS 7.4.4 CLI Reference 1230

Fortinet Inc.
Parameter Description Type Size Default

update-dldb Enable/disable DLP signature update. option - enable

Option Description

enable Enable DLP signature update.

disable Disable DLP signature update.

update-extdb Enable/disable external resource update. option - enable

Option Description

enable Enable external resource update.

disable Disable external resource update.

update-ffdb Enable/disable Internet Service Database update. option - enable

webfilter- Enable/disable FortiGuard web filter caching. option - enable

cache

Option Description

enable Enable FortiGuard web filter caching.

FortiOS 7.4.4 CLI Reference 1231

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable FortiGuard web filter caching.

webfilter- Time-to-live for web filter cache entries in integer Minimum 3600
cache-ttl seconds. value: 300
Maximum
value: 86400

webfilter- Expiration date of the FortiGuard web filter integer Minimum 0

expiration contract. value: 0
Maximum
value:
4294967295

webfilter- Enable/disable turning off the FortiGuard web option - disable

force-off filtering service.

Option Description

enable Turn off the FortiGuard web filtering service.

disable Allow the FortiGuard web filtering service to operate.

webfilter- Interval of time between license checks for the integer Minimum 4294967295
license FortiGuard web filter contract. value: 0
Maximum
value:
4294967295

webfilter- Web filter query time out. integer Minimum 15

timeout value: 1
Maximum
value: 30

* This parameter may not exist in some models.

** Values may differ between models.

config system fortindr

Configure FortiNDR.
config system fortindr
Description: Configure FortiNDR.
set interface {string}
set interface-select-method [auto|sdwan|...]
set source-ip {string}
set status [disable|enable]
end

FortiOS 7.4.4 CLI Reference 1232

Fortinet Inc.
config system fortindr

Parameter Description Type Size Default

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

source-ip Source IP address for communications to FortiNDR. string Maximum

length: 63

status Enable/disable FortiNDR. option - disable

Option Description

disable Disable FortiNDR.

enable Enable FortiNDR.

config system fortisandbox

Configure FortiSandbox.
config system fortisandbox
Description: Configure FortiSandbox.
set email {string}
set enc-algorithm [default|high|...]
set forticloud [enable|disable]
set inline-scan [enable|disable]
set interface {string}
set interface-select-method [auto|sdwan|...]
set server {string}
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]
set status [enable|disable]
end

FortiOS 7.4.4 CLI Reference 1233

Fortinet Inc.
config system fortisandbox

Parameter Description Type Size Default

email Notifier email address. string Maximum

length: 63

enc-algorithm Configure the level of SSL protection for secure option - default
communication with FortiSandbox.

Option Description

default SSL communication with high and medium encryption algorithms.

high SSL communication with high encryption algorithms.

low SSL communication with low encryption algorithms.

forticloud Enable/disable FortiSandbox Cloud. option - disable

Option Description

enable Enable FortiSandbox Cloud.

disable Disable FortiSandbox Cloud.

inline-scan Enable/disable FortiSandbox inline scan. option - disable

Option Description

enable Enable FortiSandbox inline scan.

disable Disable FortiSandbox inline scan.

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

server Server IP address or FQDN of the remote string Maximum

FortiSandbox. length: 63

source-ip Source IP address for communications to FortiSandbox. string Maximum

length: 63

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

FortiOS 7.4.4 CLI Reference 1234

Fortinet Inc.
Parameter Description Type Size Default

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

status Enable/disable FortiSandbox. option - disable

Option Description

enable Enable FortiSandbox.

disable Disable FortiSandbox.

config system fsso-polling

Configure Fortinet Single Sign On (FSSO) server.

config system fsso-polling
Description: Configure Fortinet Single Sign On (FSSO) server.
set auth-password {password}
set authentication [enable|disable]
set listening-port {integer}
set status [enable|disable]
end

config system fsso-polling

Parameter Description Type Size Default

auth-password Password to connect to FSSO Agent. password Not

Specified

authentication Enable/disable FSSO Agent Authentication. option - disable

Option Description

enable Enable FSSO Agent Authentication.

disable Disable FSSO Agent Authentication.

FortiOS 7.4.4 CLI Reference 1235

Fortinet Inc.
Parameter Description Type Size Default

listening-port Listening port to accept clients. integer Minimum 8000

value: 1
Maximum
value:
65535

status Enable/disable FSSO Polling Mode. option - enable

Option Description

enable Enable FSSO Polling Mode.

disable Disable FSSO Polling Mode.

config system ftm-push

Configure FortiToken Mobile push services.

config system ftm-push
Description: Configure FortiToken Mobile push services.
set proxy [enable|disable]
set server {string}
set server-cert {string}
set server-ip {ipv4-address}
set server-port {integer}
set status [enable|disable]
end

config system ftm-push

Parameter Description Type Size Default

proxy Enable/disable communication to the proxy server in option - enable

FortiGuard configuration.

Option Description

enable Enable communication to the proxy server in FortiGuard configuration.

disable Disable communication to the proxy server in FortiGuard configuration.

server IPv4 address or domain name of FortiToken Mobile string Maximum

push services server. length: 127

server-cert Name of the server certificate to be used for SSL. string Maximum Fortinet_
length: 35 GUI_Server

server-ip IPv4 address of FortiToken Mobile push services server ipv4- Not 0.0.0.0
(format: xxx.xxx.xxx.xxx). address Specified

FortiOS 7.4.4 CLI Reference 1236

Fortinet Inc.
Parameter Description Type Size Default

server-port Port to communicate with FortiToken Mobile push integer Minimum 4433
services server. value: 1
Maximum
value:
65535

status Enable/disable the use of FortiToken Mobile push option - disable

services.

Option Description

enable Enable FortiToken Mobile push services.

disable Disable FortiToken Mobile push services.

config system geneve

Configure GENEVE devices.

config system geneve
Description: Configure GENEVE devices.
edit <name>
set dstport {integer}
set interface {string}
set ip-version [ipv4-unicast|ipv6-unicast]
set remote-ip {ipv4-address}
set remote-ip6 {ipv6-address}
set type [ethernet|ppp]
set vni {integer}
next
end

config system geneve

Parameter Description Type Size Default

dstport GENEVE destination port. integer Minimum 6081

value: 1
Maximum
value:
65535

interface Outgoing interface for GENEVE encapsulated traffic. string Maximum

length: 15

ip-version IP version to use for the GENEVE interface and so for option - ipv4-unicast
communication over the GENEVE. IPv4 or IPv6
unicast.

FortiOS 7.4.4 CLI Reference 1237

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ipv4-unicast Use IPv4 unicast addressing over the GENEVE.

ipv6-unicast Use IPv6 unicast addressing over the GENEVE.

name GENEVE device or interface name. Must be an unique string Maximum

interface name. length: 15

remote-ip IPv4 address of the GENEVE interface on the device at ipv4- Not 0.0.0.0
the remote end of the GENEVE. address Specified

remote-ip6 IPv6 IP address of the GENEVE interface on the device ipv6- Not ::
at the remote end of the GENEVE. address Specified

type GENEVE type. option - ethernet

Option Description

ethernet Internal packet includes Ethernet header.

ppp Internal packet does not include Ethernet header.

vni GENEVE network ID. integer Minimum 0

value: 0
Maximum
value:
16777215

config system geoip-override

Configure geographical location mapping for IP address(es) to override mappings from FortiGuard.
config system geoip-override
Description: Configure geographical location mapping for IP address(es) to override
mappings from FortiGuard.
edit <name>
set country-id {string}
set description {string}
config ip-range
Description: Table of IP ranges assigned to country.
edit <id>
set start-ip {ipv4-address}
set end-ip {ipv4-address}
next
end
config ip6-range
Description: Table of IPv6 ranges assigned to country.
edit <id>
set start-ip {ipv6-address}
set end-ip {ipv6-address}
next
end

FortiOS 7.4.4 CLI Reference 1238

Fortinet Inc.
next
end

config system geoip-override

Parameter Description Type Size Default

country-id Two character Country ID code. string Maximum

length: 2

description Description. string Maximum

length: 127

name Location name. string Maximum

length: 63

config ip-range

Parameter Description Type Size Default

id ID of individual entry in the IP range table. integer Minimum 0

value: 0
Maximum
value:
65535

start-ip Starting IP address, inclusive, of the address range ipv4- Not 0.0.0.0
(format: xxx.xxx.xxx.xxx). address Specified

end-ip Ending IP address, inclusive, of the address range ipv4- Not 0.0.0.0
(format: xxx.xxx.xxx.xxx). address Specified

config ip6-range

Parameter Description Type Size Default

id ID of individual entry in the IPv6 range table. integer Minimum 0

value: 0
Maximum
value:
65535

start-ip Starting IP address, inclusive, of the address range ipv6- Not ::

(format: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx). address Specified

end-ip Ending IP address, inclusive, of the address range ipv6- Not ::

(format: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx). address Specified

config system global

Configure global attributes.

FortiOS 7.4.4 CLI Reference 1239

Fortinet Inc.
config system global
Description: Configure global attributes.
set admin-ble-button [enable|disable]
set admin-concurrent [enable|disable]
set admin-console-timeout {integer}
set admin-forticloud-sso-default-profile {string}
set admin-forticloud-sso-login [enable|disable]
set admin-host {string}
set admin-hsts-max-age {integer}
set admin-https-pki-required [enable|disable]
set admin-https-redirect [enable|disable]
set admin-https-ssl-banned-ciphers {option1}, {option2}, ...
set admin-https-ssl-ciphersuites {option1}, {option2}, ...
set admin-https-ssl-versions {option1}, {option2}, ...
set admin-lockout-duration {integer}
set admin-lockout-threshold {integer}
set admin-login-max {integer}
set admin-port {integer}
set admin-reset-button [enable|disable]
set admin-restrict-local [enable|disable]
set admin-scp [enable|disable]
set admin-server-cert {string}
set admin-sport {integer}
set admin-ssh-grace-time {integer}
set admin-ssh-password [enable|disable]
set admin-ssh-port {integer}
set admin-ssh-v1 [enable|disable]
set admin-telnet [enable|disable]
set admin-telnet-port {integer}
set admintimeout {integer}
set airplane-mode [enable|disable]
set alias {string}
set allow-traffic-redirect [enable|disable]
set anti-replay [disable|loose|...]
set arp-max-entry {integer}
set auth-cert {string}
set auth-http-port {integer}
set auth-https-port {integer}
set auth-ike-saml-port {integer}
set auth-keepalive [enable|disable]
set auth-session-limit [block-new|logout-inactive]
set auto-auth-extension-device [enable|disable]
set autorun-log-fsck [enable|disable]
set av-affinity {string}
set av-failopen [pass|off|...]
set av-failopen-session [enable|disable]
set batch-cmdb [enable|disable]
set bfd-affinity {string}
set block-session-timer {integer}
set br-fdb-max-entry {integer}
set cert-chain-max {integer}
set cfg-revert-timeout {integer}
set cfg-save [automatic|manual|...]
set check-protocol-header [loose|strict]
set check-reset-range [strict|disable]
set cli-audit-log [enable|disable]

FortiOS 7.4.4 CLI Reference 1240

Fortinet Inc.
set cloud-communication [enable|disable]
set clt-cert-req [enable|disable]
set cmdbsvr-affinity {string}
set cpu-use-threshold {integer}
set csr-ca-attribute [enable|disable]
set daily-restart [enable|disable]
set default-service-source-port {user}
set device-idle-timeout {integer}
set dh-params [1024|1536|...]
set dhcp-lease-backup-interval {integer}
set dnsproxy-worker-count {integer}
set early-tcp-npu-session [enable|disable]
set edit-vdom-prompt [enable|disable]
set extender-controller-reserved-network {ipv4-classnet-host}
set failtime {integer}
set faz-disk-buffer-size {integer}
set fds-statistics [enable|disable]
set fds-statistics-period {integer}
set fgd-alert-subscription {option1}, {option2}, ...
set forticontroller-proxy [enable|disable]
set forticontroller-proxy-port {integer}
set forticonverter-config-upload [once|disable]
set forticonverter-integration [enable|disable]
set fortiextender [disable|enable]
set fortiextender-data-port {integer}
set fortiextender-discovery-lockdown [disable|enable]
set fortiextender-provision-on-authorization [enable|disable]
set fortiextender-vlan-mode [enable|disable]
set fortigslb-integration [disable|enable]
set fortiservice-port {integer}
set fortitoken-cloud [enable|disable]
set fortitoken-cloud-push-status [enable|disable]
set fortitoken-cloud-sync-interval {integer}
set gui-allow-incompatible-fabric-fgt [enable|disable]
set gui-app-detection-sdwan [enable|disable]
set gui-auto-upgrade-setup-warning [enable|disable]
set gui-cdn-domain-override {string}
set gui-cdn-usage [enable|disable]
set gui-certificates [enable|disable]
set gui-custom-language [enable|disable]
set gui-date-format [yyyy/MM/dd|dd/MM/yyyy|...]
set gui-date-time-source [system|browser]
set gui-device-latitude {string}
set gui-device-longitude {string}
set gui-display-hostname [enable|disable]
set gui-firmware-upgrade-warning [enable|disable]
set gui-forticare-registration-setup-warning [enable|disable]
set gui-fortigate-cloud-sandbox [enable|disable]
set gui-ipv6 [enable|disable]
set gui-local-out [enable|disable]
set gui-replacement-message-groups [enable|disable]
set gui-rest-api-cache [enable|disable]
set gui-theme [jade|neutrino|...]
set gui-wireless-opensecurity [enable|disable]
set gui-workflow-management [enable|disable]
set ha-affinity {string}

FortiOS 7.4.4 CLI Reference 1241

Fortinet Inc.
set honor-df [enable|disable]
set hostname {string}
set hyper-scale-vdom-num {integer}
set igmp-state-limit {integer}
set interface-subnet-usage [disable|enable]
set internal-switch-speed {option1}, {option2}, ...
set internet-service-database [mini|standard|...]
set internet-service-download-list <id1>, <id2>, ...
set interval {integer}
set ip-fragment-mem-thresholds {integer}
set ip-src-port-range {user}
set ips-affinity {string}
set ipsec-asic-offload [enable|disable]
set ipsec-ha-seqjump-rate {integer}
set ipsec-hmac-offload [enable|disable]
set ipsec-qat-offload [enable|disable]
set ipsec-round-robin [enable|disable]
set ipv6-accept-dad {integer}
set ipv6-allow-anycast-probe [enable|disable]
set ipv6-allow-local-in-silent-drop [enable|disable]
set ipv6-allow-multicast-probe [enable|disable]
set ipv6-allow-traffic-redirect [enable|disable]
set irq-time-accounting [auto|force]
set language [english|french|...]
set ldapconntimeout {integer}
set legacy-poe-device-support [enable|disable]
set lldp-reception [enable|disable]
set lldp-transmission [enable|disable]
set log-single-cpu-high [enable|disable]
set log-ssl-connection [enable|disable]
set log-uuid-address [enable|disable]
set login-timestamp [enable|disable]
set long-vdom-name [enable|disable]
set management-ip {string}
set management-port {integer}
set management-port-use-admin-sport [enable|disable]
set management-vdom {string}
set max-route-cache-size {integer}
set memory-use-threshold-extreme {integer}
set memory-use-threshold-green {integer}
set memory-use-threshold-red {integer}
set miglog-affinity {string}
set miglogd-children {integer}
set multi-factor-authentication [optional|mandatory]
set ndp-max-entry {integer}
set npu-neighbor-update [enable|disable]
set per-user-bal [enable|disable]
set pmtu-discovery [enable|disable]
set policy-auth-concurrent {integer}
set post-login-banner [disable|enable]
set pre-login-banner [enable|disable]
set private-data-encryption [disable|enable]
set proxy-auth-lifetime [enable|disable]
set proxy-auth-lifetime-timeout {integer}
set proxy-auth-timeout {integer}
set proxy-cert-use-mgmt-vdom [enable|disable]

FortiOS 7.4.4 CLI Reference 1242

Fortinet Inc.
set proxy-hardware-acceleration [disable|enable]
set proxy-keep-alive-mode [session|traffic|...]
set proxy-re-authentication-time {integer}
set proxy-resource-mode [enable|disable]
set proxy-worker-count {integer}
set purdue-level [1|1.5|...]
set quic-ack-thresold {integer}
set quic-congestion-control-algo [cubic|bbr|...]
set quic-max-datagram-size {integer}
set quic-pmtud [enable|disable]
set quic-tls-handshake-timeout {integer}
set quic-udp-payload-size-shaping-per-cid [enable|disable]
set radius-port {integer}
set reboot-upon-config-restore [enable|disable]
set refresh {integer}
set remoteauthtimeout {integer}
set reset-sessionless-tcp [enable|disable]
set restart-time {user}
set revision-backup-on-logout [enable|disable]
set revision-image-auto-backup [enable|disable]
set scanunit-count {integer}
set security-rating-run-on-schedule [enable|disable]
set send-pmtu-icmp [enable|disable]
set sflowd-max-children-num {integer}
set show-backplane-intf [enable|disable]
set snat-route-change [enable|disable]
set special-file-23-support [disable|enable]
set speedtest-server [enable|disable]
set speedtestd-ctrl-port {integer}
set speedtestd-server-port {integer}
set split-port {string}
config split-port-mode
Description: Configure split port mode of ports.
edit <interface>
set split-mode [disable|4x10G|...]
next
end
set ssd-trim-date {integer}
set ssd-trim-freq [never|hourly|...]
set ssd-trim-hour {integer}
set ssd-trim-min {integer}
set ssd-trim-weekday [sunday|monday|...]
set ssl-min-proto-version [SSLv3|TLSv1|...]
set ssl-static-key-ciphers [enable|disable]
set sslvpn-max-worker-count {integer}
set sslvpn-web-mode [enable|disable]
set strict-dirty-session-check [enable|disable]
set strong-crypto [enable|disable]
set switch-controller [disable|enable]
set switch-controller-reserved-network {ipv4-classnet-host}
set sys-perf-log-interval {integer}
set syslog-affinity {string}
set tcp-halfclose-timer {integer}
set tcp-halfopen-timer {integer}
set tcp-option [enable|disable]
set tcp-rst-timer {integer}

FortiOS 7.4.4 CLI Reference 1243

Fortinet Inc.
set tcp-timewait-timer {integer}
set tftp [enable|disable]
set timezone {string}
set traffic-priority [tos|dscp]
set traffic-priority-level [low|medium|...]
set two-factor-email-expiry {integer}
set two-factor-fac-expiry {integer}
set two-factor-ftk-expiry {integer}
set two-factor-ftm-expiry {integer}
set two-factor-sms-expiry {integer}
set udp-idle-timer {integer}
set url-filter-affinity {string}
set url-filter-count {integer}
set user-device-store-max-devices {integer}
set user-device-store-max-unified-mem {integer}
set user-device-store-max-users {integer}
set vdom-mode [no-vdom|multi-vdom]
set vip-arp-range [unlimited|restricted]
set virtual-switch-vlan [enable|disable]
set vpn-ems-sn-check [enable|disable]
set wad-affinity {string}
set wad-csvc-cs-count {integer}
set wad-csvc-db-count {integer}
set wad-memory-change-granularity {integer}
set wad-restart-end-time {user}
set wad-restart-mode [none|time|...]
set wad-restart-start-time {user}
set wad-source-affinity [disable|enable]
set wad-worker-count {integer}
set wifi-ca-certificate {string}
set wifi-certificate {string}
set wimax-4g-usb [enable|disable]
set wireless-controller [enable|disable]
set wireless-controller-port {integer}
set wireless-mode [ac|client|...]
end

config system global

Parameter Description Type Size Default

admin-ble-button * press the BLE button can enable BLE option - enable
function

Option Description

enable Press the BLE button can enable BLE function

disable Press the BLE button cannot enable BLE function

admin-concurrent Enable/disable concurrent administrator option - enable

logins. Use policy-auth-concurrent for
firewall authenticated users.

FortiOS 7.4.4 CLI Reference 1244

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable admin concurrent login.

disable Disable admin concurrent login.

admin-console- Console login timeout that overrides the integer Minimum 0

timeout admin timeout value. value: 15
Maximum
value: 300

admin-forticloud-sso- Override access profile. string Maximum

default-profile length: 35

admin-forticloud-sso- Enable/disable FortiCloud admin login via option - disable

Option Description

enable Enable FortiCloud admin login via SSO.

disable Disable FortiCloud admin login via SSO.

admin-host Administrative host for HTTP and HTTPS. string Maximum

When set, will be used in lieu of the client's length: 255
Host header for any redirection.

admin-hsts-max-age HTTPS Strict-Transport-Security header integer Minimum 63072000

max-age in seconds. A value of 0 will reset value: 0
any HSTS records in the browser.When Maximum
admin-https-redirect is disabled the value:
header max-age will be 0. 2147483647

admin-https-pki- Enable/disable admin login method. option - disable

required Enable to force administrators to provide a
valid certificate to log in if PKI is enabled.
Disable to allow administrators to log in
with a certificate or password.

Option Description

enable Admin users must provide a valid certificate when PKI is enabled for
HTTPS admin access.

disable Admin users can login by providing a valid certificate or password.

admin-https-redirect Enable/disable redirection of HTTP option - enable

administration access to HTTPS.

FortiOS 7.4.4 CLI Reference 1245

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable redirecting HTTP administration access to HTTPS.

disable Disable redirecting HTTP administration access to HTTPS.

admin-https-ssl- Select one or more cipher technologies option -

banned-ciphers that cannot be used in GUI HTTPS
negotiations. Only applies to TLS 1.2 and
below.

Option Description

RSA Ban the use of cipher suites using RSA key.

DHE Ban the use of cipher suites using authenticated ephemeral DH key
agreement.

ECDHE Ban the use of cipher suites using authenticated ephemeral ECDH key
agreement.

DSS Ban the use of cipher suites using DSS authentication.

ECDSA Ban the use of cipher suites using ECDSA authentication.

AES Ban the use of cipher suites using either 128 or 256 bit AES.

AESGCM Ban the use of cipher suites using AES in Galois Counter Mode (GCM).

CAMELLIA Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.

3DES Ban the use of cipher suites using triple DES.

SHA1 Ban the use of cipher suites using HMAC-SHA1.

SHA256 Ban the use of cipher suites using HMAC-SHA256.

SHA384 Ban the use of cipher suites using HMAC-SHA384.

STATIC Ban the use of cipher suites using static keys.

CHACHA20 Ban the use of cipher suites using ChaCha20.

ARIA Ban the use of cipher suites using ARIA.

AESCCM Ban the use of cipher suites using AESCCM.

admin-https-ssl- Select one or more TLS 1.3 ciphersuites to option - TLS-AES-128-

ciphersuites enable. Does not affect ciphers in TLS 1.2 GCM-SHA256
and below. At least one must be enabled. TLS-AES-256-
To disable all, remove TLS1.3 from admin- GCM-SHA384
https-ssl-versions. TLS-
CHACHA20-
POLY1305-
SHA256

FortiOS 7.4.4 CLI Reference 1246

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-AES-128- Enable TLS-AES-128-GCM-SHA256 in TLS 1.3.

GCM-SHA256

TLS-AES-256- Enable TLS-AES-256-GCM-SHA384 in TLS 1.3.

GCM-SHA384

TLS- Enable TLS-CHACHA20-POLY1305-SHA256 in TLS 1.3.

CHACHA20-
POLY1305-
SHA256

TLS-AES-128- Enable TLS-AES-128-CCM-SHA256 in TLS 1.3.

CCM-SHA256

TLS-AES-128- Enable TLS-AES-128-CCM-8-SHA256 in TLS 1.3.

CCM-8-
SHA256

admin-https-ssl- Allowed TLS versions for web option - tlsv1-2 tlsv1-3

versions administration.

Option Description

tlsv1-1 TLS 1.1.

tlsv1-2 TLS 1.2.

tlsv1-3 TLS 1.3.

admin-lockout- Amount of time in seconds that an integer Minimum 60

duration administrator account is locked out after value: 1
reaching the admin-lockout-threshold for Maximum
repeated failed login attempts. value:
2147483647

admin-lockout- Number of failed login attempts before an integer Minimum 3

threshold administrator account is locked out for the value: 1
admin-lockout-duration. Maximum
value: 10

admin-login-max Maximum number of administrators who integer Minimum 100

can be logged in at the same time. value: 1
Maximum
value: 100

admin-port Administrative access port for HTTP.. integer Minimum 80

value: 1
Maximum
value: 65535

FortiOS 7.4.4 CLI Reference 1247

Fortinet Inc.
Parameter Description Type Size Default

admin-reset-button * Press the reset button can reset to factory option - enable
default.

Option Description

enable press the reset button can reset to factory default

disable press the reset button cannot reset to factory default

admin-restrict-local Enable/disable local admin authentication option - disable

restriction when remote authenticator is up
and running.

Option Description

enable Enable local admin authentication restriction.

disable Disable local admin authentication restriction.

admin-scp Enable/disable SCP support for system option - disable

configuration backup, restore, and
firmware file upload.

Option Description

enable Enable SCP support for system configuration backup, restore, and
firmware file upload.

disable Disable SCP support for system configuration backup, restore, and
firmware file upload.

admin-server-cert Server certificate that the FortiGate uses string Maximum Fortinet_GUI_
for HTTPS administrative connections. length: 35 Server

admin-sport Administrative access port for HTTPS.. integer Minimum 443

value: 1
Maximum
value: 65535

admin-ssh-grace- Maximum time in seconds permitted integer Minimum 120

time between making an SSH connection to the value: 10
FortiGate unit and authenticating. Maximum
value: 3600

admin-ssh-password Enable/disable password authentication option - enable

for SSH admin access.

Option Description

enable Enable password authentication for SSH admin access.

disable Disable password authentication for SSH admin access.

FortiOS 7.4.4 CLI Reference 1248

Fortinet Inc.
Parameter Description Type Size Default

admin-ssh-port Administrative access port for SSH.. integer Minimum 22

value: 1
Maximum
value: 65535

admin-ssh-v1 Enable/disable SSH v1 compatibility. option - disable

Option Description

enable Enable SSH v1 compatibility.

disable Disable SSH v1 compatibility.

admin-telnet Enable/disable TELNET service. option - enable

Option Description

enable Enable TELNET service.

disable Disable TELNET service.

admin-telnet-port Administrative access port for TELNET.. integer Minimum 23

value: 1
Maximum
value: 65535

admintimeout Number of minutes before an idle integer Minimum 5

administrator session times out. A shorter value: 1
idle timeout is more secure. Maximum
value: 480

airplane-mode * Enable/disable airplane mode. option - disable

Option Description

enable Shutdown RF signal of internal MODEM and Bluetooth module.

disable Enable RF signal of internal MODEM and Bluetooth module.

alias Alias for your FortiGate unit. string Maximum

length: 35

allow-traffic-redirect Disable to prevent traffic with same local option - enable

ingress and egress interface from being
forwarded without policy check.

Option Description

enable Enable allow traffic redirect.

disable Disable allow traffic redirect.

FortiOS 7.4.4 CLI Reference 1249

Fortinet Inc.
Parameter Description Type Size Default

anti-replay Level of checking for packet replay and option - strict

TCP sequence checking.

Option Description

disable Disable anti-replay check.

loose Loose anti-replay check.

strict Strict anti-replay check.

arp-max-entry Maximum number of dynamically learned integer Minimum 131072

MAC addresses that can be added to the value: 131072
ARP table. Maximum
value:
2147483647

auth-cert Server certificate that the FortiGate uses string Maximum Fortinet_
for HTTPS firewall authentication length: 35 Factory
connections.

auth-http-port User authentication HTTP port.. integer Minimum 1000

value: 1
Maximum
value: 65535

auth-https-port User authentication HTTPS port.. integer Minimum 1003

value: 1
Maximum
value: 65535

auth-ike-saml-port User IKE SAML authentication port. integer Minimum 1001

value: 0
Maximum
value: 65535

auth-keepalive Enable to prevent user authentication option - disable

sessions from timing out when idle.

Option Description

enable Enable use of keep alive to extend authentication.

disable Disable use of keep alive to extend authentication.

av-failopen Set the action to take if the FortiGate is option - pass

running low on memory or the proxy
connection limit has been reached.

Option Description

pass Bypass the antivirus system when memory is low. Antivirus scanning
resumes when the low memory condition is resolved.

off Stop accepting new AV sessions when entering conserve mode, but
continue to process current active sessions.

one-shot Bypass the antivirus system when memory is low.

av-failopen-session When enabled and a proxy for a protocol option - disable

runs out of room in its session table, that
protocol goes into failopen mode and
enacts the action specified by av-failopen.

Option Description

enable Enable AV fail open session option.

disable Disable AV fail open session option.

batch-cmdb Enable/disable batch mode, allowing you option - enable

to enter a series of CLI commands that will
execute as a group once they are loaded.

FortiOS 7.4.4 CLI Reference 1251

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable batch mode to execute in CMDB server.

disable Disable batch mode to execute in CMDB server.

bfd-affinity Affinity setting for BFD daemon string Maximum 1

(hexadecimal value up to 256 bits in the length: 79
format of xxxxxxxxxxxxxxxx).

block-session-timer Duration in seconds for blocked sessions. integer Minimum 30

value: 1
Maximum
value: 300

br-fdb-max-entry Maximum number of bridge forwarding integer Minimum 8192

database (FDB) entries. value: 8192
Maximum
value:
2147483647

cert-chain-max Maximum number of certificates that can integer Minimum 8

be traversed in a certificate chain. value: 1
Maximum
value:
2147483647

cfg-revert-timeout Time-out for reverting to the last saved integer Minimum 600
configuration.. value: 10
Maximum
value:
4294967295

cfg-save Configuration file save mode for CLI option - automatic

changes.

Option Description

automatic Automatically save config.

manual Manually save config.

enable Enable CLI audit log.

disable Disable CLI audit log.

cloud-communication Enable/disable all cloud communication. option - enable

Option Description

enable Allow cloud communication.

disable Disable all cloud-related settings.

clt-cert-req Enable/disable requiring administrators to option - disable

have a client certificate to log into the GUI
using HTTPS.

Option Description

enable Enable require client certificate for GUI login.

disable Disable require client certificate for GUI login.

cmdbsvr-affinity Affinity setting for cmdbsvr (hexadecimal string Maximum 1

value up to 256 bits in the format of length: 79
xxxxxxxxxxxxxxxx).

cpu-use-threshold Threshold at which CPU usage is integer Minimum 90

reported. value: 50
Maximum
value: 99

FortiOS 7.4.4 CLI Reference 1253

Fortinet Inc.
Parameter Description Type Size Default

csr-ca-attribute Enable/disable the CA attribute in option - enable

certificates. Some CA servers reject CSRs
that have the CA attribute.

Option Description

enable Enable CA attribute in CSR.

disable Disable CA attribute in CSR.

daily-restart Enable/disable daily restart of FortiGate option - disable

unit. Use the restart-time option to set the
time of day for the restart.

Option Description

enable Enable daily reboot of the FortiGate.

disable Disable daily reboot of the FortiGate.

default-service- Default service source port range. user Not Specified

source-port

device-idle-timeout Time in seconds that a device must be idle integer Minimum 300
to automatically log the device user out.. value: 30
Maximum
value:
31536000

dh-params Number of bits to use in the Diffie-Hellman option - 2048

exchange for HTTPS/SSH protocols.

Option Description

1024 1024 bits.

1536 1536 bits.

2048 2048 bits.

3072 3072 bits.

4096 4096 bits.

6144 6144 bits.

8192 8192 bits.

dhcp-lease-backup- DHCP leases backup interval in seconds. integer Minimum 60

interval value: 10
Maximum
value: 3600

FortiOS 7.4.4 CLI Reference 1254

Fortinet Inc.
Parameter Description Type Size Default

dnsproxy-worker- DNS proxy worker count. For a FortiGate integer Minimum 1

count with multiple logical CPUs, you can set the value: 1
DNS process number from 1 to the Maximum
number of logical CPUs. value: 8 **

early-tcp-npu- Enable/disable early TCP NPU session. option - disable

session

Option Description

enable Enable early TCP NPU session in order to guarantee packet order of 3-
way handshake.

disable Disable early TCP NPU session in order to guarantee packet order of 3-
way handshake.

edit-vdom-prompt * Enable/disable edit new VDOM prompt. option - disable

Option Description

enable Enable edit new VDOM prompt.

disable Disable edit new VDOM prompt.

extender-controller- Configure reserved network subnet for ipv4- Not Specified 10.252.0.1
reserved-network managed LAN extension FortiExtender classnet- 255.255.0.0
units. This is available when the host
FortiExtender daemon is running.

failtime Fail-time for server lost. integer Minimum 5

value: 0
Maximum
value:
4294967295

faz-disk-buffer-size Maximum disk buffer size to temporarily integer Minimum 0

store logs destined for FortiAnalyzer. To value: 0
be used in the event that FortiAnalyzer is Maximum
unavailable. value:
214748364

fds-statistics Enable/disable sending IPS, Application option - enable

Control, and AntiVirus data to FortiGuard.
This data is used to improve FortiGuard
services and is not shared with external
parties and is protected by Fortinet's
privacy policy.

FortiOS 7.4.4 CLI Reference 1255

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable FortiGuard statistics.

disable Disable FortiGuard statistics.

fds-statistics-period FortiGuard statistics collection period in integer Minimum 60

minutes.. value: 1
Maximum
value: 1440

fgd-alert-subscription Type of alert to retrieve from FortiGuard. option -

Option Description

advisory Retrieve FortiGuard advisories, report and news alerts.

latest-threat Retrieve latest FortiGuard threats alerts.

latest-virus Retrieve latest FortiGuard virus alerts.

latest-attack Retrieve latest FortiGuard attack alerts.

new-antivirus- Retrieve FortiGuard AV database release alerts.

disable Disable FortiExtender controller.

enable Enable FortiExtender controller.

enable Enable FortiExtender VLAN mode.

disable Disable FortiExtender VLAN mode.

fortigslb-integration Enable/disable integration with the option - disable

FortiGSLB cloud service.

FortiOS 7.4.4 CLI Reference 1257

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable VIP and ZTNA server integration with the FortiGSLB cloud
service.

enable Enable VIP and ZTNA server integration with the FortiGSLB cloud
service.

fortiservice-port FortiService port. Used by FortiClient integer Minimum 8013

endpoint compliance. Older versions of value: 1
FortiClient used a different port. Maximum
value: 65535

fortitoken-cloud Enable/disable FortiToken Cloud service. option - enable

Option Description

gui-auto-upgrade- Enable/disable the automatic patch option - enable

setup-warning upgrade setup prompt on the GUI.

Option Description

enable Display the feature in GUI.

disable Do not display the feature in GUI.

gui-cdn-domain- Domain of CDN server. string Maximum

override length: 255

gui-cdn-usage Enable/disable Load GUI static files from a option - disable

CDN.

Option Description

enable Display the feature in GUI.

yyyy/MM/dd Year/Month/Day.

dd/MM/yyyy Day/Month/Year.

FortiOS 7.4.4 CLI Reference 1259

Fortinet Inc.
Parameter Description Type Size Default

Option Description

MM/dd/yyyy Month/Day/Year.

yyyy-MM-dd Year-Month-Day.

dd-MM-yyyy Day-Month-Year.

MM-dd-yyyy Month-Day-Year.

gui-date-time-source Source from which the FortiGate GUI uses option - system
to display date and time entries.

Option Description

system Use this FortiGate unit's configured timezone.

browser Use the web browser's timezone.

gui-device-latitude Add the latitude of the location of this string Maximum

FortiGate to position it on the Threat Map. length: 19

gui-device-longitude Add the longitude of the location of this string Maximum

FortiGate to position it on the Threat Map. length: 19

gui-display- Enable/disable displaying the FortiGate's option - disable

hostname hostname on the GUI login page.

Option Description

enable Display the feature in GUI.

disable Do not display the feature in GUI.

gui-firmware- Enable/disable the firmware upgrade option - enable

upgrade-warning warning on the GUI.

Option Description

enable Display the feature in GUI.

disable Do not display the feature in GUI.

gui-forticare- Enable/disable the FortiCare registration option - enable

registration-setup- setup warning on the GUI.
warning

Option Description

enable Display the feature in GUI.

disable Do not display the feature in GUI.

FortiOS 7.4.4 CLI Reference 1260

Fortinet Inc.
Parameter Description Type Size Default

gui-fortigate-cloud- Enable/disable displaying FortiGate Cloud option - disable

sandbox Sandbox on the GUI.

Option Description

enable Display the feature in GUI.

disable Do not display the feature in GUI.

gui-ipv6 Enable/disable IPv6 settings on the GUI. option - disable

retro FortiOS v3 Retro theme.

dark-matter Dark Matter theme.

onyx Onyx theme.

eclipse Eclipse theme.

gui-wireless- Enable/disable wireless open security option - disable

opensecurity option on the GUI.

Option Description

enable Display the feature in GUI.

disable Do not display the feature in GUI.

gui-workflow- Enable/disable Workflow management option - disable

management features on the GUI.

Option Description

enable Display the feature in GUI.

disable Do not display the feature in GUI.

ha-affinity Affinity setting for HA daemons string Maximum 1

(hexadecimal value up to 256 bits in the length: 79
format of xxxxxxxxxxxxxxxx).

honor-df Enable/disable honoring of Don't- option - enable

Fragment (DF) flag.

Option Description

enable Enable honoring of Don't-Fragment flag.

disable Disable honoring of Don't-Fragment flag.

hostname FortiGate unit's hostname. Most models string Maximum

will truncate names longer than 24 length: 35
characters. Some models support
hostnames up to 35 characters.

FortiOS 7.4.4 CLI Reference 1262

Fortinet Inc.
Parameter Description Type Size Default

hyper-scale-vdom- Number of VDOMs for hyper scale license. integer Minimum 250
num * value: 1
Maximum
value: 250

igmp-state-limit Maximum number of IGMP memberships. integer Minimum 3200

value: 96
Maximum
value: 128000

interface-subnet- Enable/disable allowing use of interface- option - enable

usage subnet setting in firewall addresses.

Option Description

disable Disallow use of the interface-subnet setting in firewall addresses. Use in

conjunction with the FortiGate REST API and when a large number of
firewall addresses exist in the configuration.

enable Allow use of the interface-subnet setting in firewall addresses.

internal-switch-speed Internal port speed. option -

Option Description

auto auto

1000full 1000M Full

100full 100M full.

100half 100M half.

10full 10M full.

10half 10M half.

internet-service- Configure which Internet Service option - full **

database database size to download from
FortiGuard and use.

Option Description

mini Small sized Internet Service database with very limited IP addresses.

standard Medium sized Internet Service database with most IP addresses.

full Full sized Internet Service database with all IP addresses.

on-demand Internet Service database with customer selected IP addresses.

FortiOS 7.4.4 CLI Reference 1263

Fortinet Inc.
Parameter Description Type Size Default

internet-service- Configure which on-demand Internet integer Minimum

download-list <id> Service IDs are to be downloaded. value: 0
Internet Service ID. Maximum
value:
4294967295

interval Dead gateway detection interval. integer Minimum 5

value: 0
Maximum
value:
4294967295

ip-fragment-mem- Maximum memory (MB) used to integer Minimum 32

thresholds reassemble IPv4/IPv6 fragments. value: 32
Maximum
value: 2047

ip-src-port-range IP source port range used for traffic user Not Specified 1024-25000
originating from the FortiGate unit.

ips-affinity * Affinity setting for IPS (hexadecimal value string Maximum 0

up to 256 bits in the format of length: 79
xxxxxxxxxxxxxxxx; allowed CPUs must be
less than total number of IPS engine
daemons).

ipsec-asic-offload * Enable/disable ASIC offloading (hardware option - enable

acceleration) for IPsec VPN traffic.
Hardware acceleration can offload IPsec
VPN sessions and accelerate encryption
and decryption.

Option Description

enable Enable ASIC offload for IPsec VPN.

disable Disable ASIC offload for IPsec VPN.

ipsec-ha-seqjump- ESP jump ahead rate (1G - 10G pps integer Minimum 10
rate equivalent). value: 1
Maximum
value: 10

disable Disable QAT offload for IPsec VPN.

ipsec-round-robin Enable/disable round-robin redistribution option - disable

to multiple CPUs for IPsec VPN traffic.

Option Description

enable Enable round-robin redistribution for IPsec VPN.

disable Disable round-robin redistribution for IPsec VPN.

ipv6-accept-dad Enable/disable acceptance of IPv6 integer Minimum 1

Duplicate Address Detection (DAD). value: 0
Maximum
value: 2

ipv6-allow-anycast- Enable/disable IPv6 address probe option - disable

probe through Anycast.

Option Description

enable Enable probing of IPv6 address space through Anycast

disable Disable probing of IPv6 address space through Anycast

ipv6-allow-local-in- Enable/disable silent drop of IPv6 local-in option - enable

silent-drop traffic.

Option Description

enable Enable silent drop of IPv6 local-in traffic.

disable Disable silent drop of IPv6 local-in traffic.

french French.

spanish Spanish.

portuguese Portuguese.

japanese Japanese.

trach Traditional Chinese.

simch Simplified Chinese.

korean Korean.

ldapconntimeout Global timeout for connections with integer Minimum 500

Option Description

enable Enable insertion of address UUID to traffic logs.

disable Disable insertion of address UUID to traffic logs.

FortiOS 7.4.4 CLI Reference 1267

Fortinet Inc.
Parameter Description Type Size Default

login-timestamp Enable/disable login time recording. option - disable

Option Description

enable Enable login time recording.

disable Disable login time recording.

long-vdom-name * Enable/disable long VDOM name support. option - disable

Option Description

enable Enable long VDOM name support.

disable Disable long VDOM name support.

management-ip Management IP address of this FortiGate. string Maximum

Used to log into this FortiGate from length: 255
another FortiGate in the Security Fabric.

management-port Overriding port for management integer Minimum 443

connection (Overrides admin port). value: 1
Maximum
value: 65535

management-port- Enable/disable use of the admin-sport option - enable

use-admin-sport setting for the management port. If
disabled, FortiGate will allow user to
specify management-port.

Option Description

enable Enable use of the admin-sport setting for the management port.

disable Disable use of the admin-sport setting for the management port.

management-vdom Management virtual domain name. string Maximum root

length: 31

max-route-cache- Maximum number of IP route cache integer Minimum 0

size entries. value: 0
Maximum
value:
2147483647

memory-use- Threshold at which memory usage is integer Minimum 95

threshold-extreme considered extreme. value: 70
Maximum
value: 97

FortiOS 7.4.4 CLI Reference 1268

Fortinet Inc.
Parameter Description Type Size Default

memory-use- Threshold at which memory usage forces integer Minimum 82

threshold-green the FortiGate to exit conserve mode. value: 70
Maximum
value: 97

memory-use- Threshold at which memory usage forces integer Minimum 88

threshold-red the FortiGate to enter conserve mode. value: 70
Maximum
value: 97

miglog-affinity * Affinity setting for logging (hexadecimal string Maximum 0

value up to 256 bits in the format of length: 79
xxxxxxxxxxxxxxxx).

miglogd-children Number of logging (miglogd) processes to integer Minimum 0

be allowed to run. Higher number can value: 0
reduce performance; lower number can Maximum
slow log processing time. value: 15

multi-factor- Enforce all login methods to require an option - optional

authentication additional authentication factor.

Option Description

optional Do not enforce all login methods to require an additional authentication

factor (controlled by user settings).

mandatory Enforce all login methods to require an additional authentication factor.

ndp-max-entry Maximum number of NDP table entries integer Minimum 0

(set to 65,536 or higher; if set to 0, kernel value: 65536
holds 65,536 entries). Maximum
value:
2147483647

npu-neighbor-update Enable/disable sending of ARP/ICMP6 option - disable

* probing packets to update neighbors for
offloaded sessions.

Option Description

enable Enable sending of ARP/ICMP6 probing packets to update neighbors for

offloaded sessions.

disable Disable sending of ARP/ICMP6 probing packets to update neighbors for

offloaded sessions.

per-user-bal * Enable/disable per-user block/allow list option - disable

filter.

FortiOS 7.4.4 CLI Reference 1269

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable per-user block/allow list filter.

disable Disable per-user block/allow list filter.

pmtu-discovery Enable/disable path MTU discovery. option - disable

Option Description

enable Enable path MTU discovery.

disable Disable path MTU discovery.

disable Disable private data encryption using an AES 128-bit key.

enable Enable private data encryption using an AES 128-bit key.

FortiOS 7.4.4 CLI Reference 1270

Fortinet Inc.
Parameter Description Type Size Default

proxy-auth-lifetime Enable/disable authenticated users option - disable

lifetime control. This is a cap on the total
time a proxy user can be authenticated for
after which re-authentication will take
place.

Option Description

enable Enable authenticated users lifetime control.

disable Disable authenticated users lifetime control.

proxy-auth-lifetime- Lifetime timeout in minutes for integer Minimum 480

timeout authenticated users. value: 5
Maximum
value: 65535

proxy-auth-timeout Authentication timeout in minutes for integer Minimum 10

authenticated users. value: 1
Maximum
value: 300

proxy-cert-use- Enable/disable using management VDOM option - disable

mgmt-vdom to send requests.

Option Description

enable Enable setting.

disable Disable setting.

proxy-hardware- Enable/disable email proxy hardware option - enable

acceleration * acceleration.

Option Description

disable Disable email proxy hardware acceleration.

enable Enable email proxy hardware acceleration.

proxy-keep-alive- Control if users must re-authenticate after option - session

mode a session is closed, traffic has been idle,
or from the point at which the user was
authenticated.

Option Description

session Proxy keep-alive timeout begins at the closure of the session.

traffic Proxy keep-alive timeout begins after traffic has not been received.

FortiOS 7.4.4 CLI Reference 1271

Fortinet Inc.
Parameter Description Type Size Default

Option Description

re- Proxy keep-alive timeout begins when the user was authenticated.
authentication

proxy-re- The time limit that users must re- integer Minimum 30
authentication-time authenticate if proxy-keep-alive-mode is value: 1
set to re-authenticate (1 - 86400 sec, Maximum
default=30s. value: 86400

proxy-resource- Enable/disable use of the maximum option - disable

mode memory usage on the FortiGate unit's
proxy processing of resources, such as
block lists, allow lists, and external
resources.

Option Description

enable Enable use of the maximum memory usage.

disable Disable use of the maximum memory usage.

proxy-worker-count Proxy worker count. integer Minimum 0

value: 1
Maximum
value: 8 **

purdue-level Purdue Level of this FortiGate. option - 3

Option Description

1 Level 1 - Basic Control

1.5 Level 1.5

2 Level 2 - Area Supervisory Control

2.5 Level 2.5

3 Level 3 - Operations & Control

3.5 Level 3.5

4 Level 4 - Business Planning & Logistics

5 Level 5 - Enterprise Network

5.5 Level 5.5

quic-ack-thresold Maximum number of unacknowledged integer Minimum 3

packets before sending ACK. value: 2
Maximum
value: 5

FortiOS 7.4.4 CLI Reference 1272

Fortinet Inc.
Parameter Description Type Size Default

quic-congestion- QUIC congestion control algorithm. option - cubic

control-algo

Option Description

cubic Cubic.

bbr BBR.

bbr2 BBR2.

reno Reno.

quic-max-datagram- Maximum transmit datagram size. integer Minimum 1500

size value: 1200
Maximum
value: 1500

GUI. value: 0
Maximum
value:
4294967295

remoteauthtimeout Number of seconds that the FortiGate integer Minimum 5

waits for responses from remote RADIUS, value: 1
LDAP, or TACACS+ authentication Maximum
servers.. value: 300

reset-sessionless-tcp Action to perform if the FortiGate receives option - disable

a TCP packet but cannot find a
corresponding session in its session table.
NAT/Route mode only.

Option Description

enable Enable reset session-less TCP.

disable Disable reset session-less TCP.

restart-time Daily restart time (hh:mm). user Not Specified

revision-backup-on- Enable/disable back-up of the latest option - disable

logout configuration revision when an
administrator logs out of the CLI or GUI.

Option Description

enable Enable revision config backup automatically when logout.

disable Disable revision config backup automatically when logout.

revision-image-auto- Enable/disable back-up of the latest image option - disable

backup revision after the firmware is upgraded.

Option Description

enable Enable revision image backup automatically when upgrading image.

disable Disable revision image backup automatically when upgrading image.

scanunit-count Number of scanunits. The range and the integer Minimum 0

default depend on the number of CPUs. value: 1
Only available on FortiGate units with Maximum
multiple CPUs. value: 8 **

security-rating-run- Enable/disable scheduled runs of Security option - enable

on-schedule Rating.

FortiOS 7.4.4 CLI Reference 1274

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable scheduled runs of Security Rating.

disable Disable scheduled runs of Security Rating.

send-pmtu-icmp Enable/disable sending of path maximum option - enable

transmission unit (PMTU) - ICMP
destination unreachable packet and to
support PMTUD protocol on your network
to reduce fragmentation of packets.

Option Description

enable Enable sending of PMTU ICMP destination unreachable packet.

disable Disable sending of PMTU ICMP destination unreachable packet.

sflowd-max-children- Maximum number of sflowd child integer Minimum 6 **

num processes allowed to run. value: 0
Maximum
value: 6 **

show-backplane-intf show/hide backplane interfaces option - disable

Option Description

enable show backplane interfaces

disable hide backplane interfaces

snat-route-change Enable/disable the ability to change the option - disable

source NAT route.

Option Description

enable Enable SNAT route change.

disable Disable SNAT route change.

special-file-23- Enable/disable detection of those special option - disable

support format files when using Data Loss
Prevention.

Option Description

disable Disable detection of those special format files when using Data Loss
Prevention.

enable Enable detection of those special format files when using Data Loss
Prevention.

FortiOS 7.4.4 CLI Reference 1275

Fortinet Inc.
Parameter Description Type Size Default

speedtest-server Enable/disable speed test server. option - disable

Option Description

enable Enable speed test server service.

disable Disable speed test server service.

speedtestd-ctrl-port Speedtest server controller port number. integer Minimum 5200

value: 1
Maximum
value: 65535

speedtestd-server- Speedtest server port number. integer Minimum 5201

port value: 1
Maximum
value: 65535

split-port * Split port(s) to multiple 10Gbps ports. string Maximum

length: 15

ssd-trim-date * Date within a month to run ssd trim. integer Minimum 1

value: 1
Maximum
value: 31

ssd-trim-freq * How often to run SSD Trim. SSD Trim option - weekly
prevents SSD drive data loss by finding
and isolating errors.

Option Description

never Never Run SSD Trim.

hourly Run SSD Trim Hourly.

daily Run SSD Trim Daily.

weekly Run SSD Trim Weekly.

monthly Run SSD Trim Monthly.

ssd-trim-hour * Hour of the day on which to run SSD Trim. integer Minimum 1
value: 0
Maximum
value: 23

ssd-trim-min * Minute of the hour on which to run SSD integer Minimum 60

Trim. value: 0
Maximum
value: 60

ssd-trim-weekday * Day of week to run SSD Trim. option - sunday

FortiOS 7.4.4 CLI Reference 1276

Fortinet Inc.
Parameter Description Type Size Default

Option Description

sunday Sunday

monday Monday

tuesday Tuesday

wednesday Wednesday

thursday Thursday

friday Friday

saturday Saturday

ssl-min-proto-version Minimum supported protocol version for option - TLSv1-2

SSL/TLS connections.

Option Description

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

ssl-static-key-ciphers Enable/disable static key ciphers in option - enable

SSL/TLS connections (e.g. AES128-SHA,
AES256-SHA, AES128-SHA256,
AES256-SHA256).

Option Description

enable Enable static key ciphers in SSL/TLS connections.

disable Disable static key ciphers in SSL/TLS connections.

sslvpn-max-worker- Maximum number of SSL-VPN processes. integer Minimum 0

count Upper limit for this value is the number of value: 0
CPUs and depends on the model. Default Maximum
value of zero means the SSLVPN daemon value: 8 **
decides the number of worker processes.

sslvpn-web-mode Enable/disable SSL-VPN web mode. option - disable

Option Description

enable Enable SSL-VPN web mode.

disable Disable SSL-VPN web mode.

disable Disable switch controller feature.

enable Enable switch controller feature.

switch-controller- Configure reserved network subnet for ipv4- Not Specified 10.255.0.1
reserved-network * managed switches. This is available when classnet- 255.255.0.0
the switch controller is enabled. host

sys-perf-log-interval Time in minutes between updates of integer Minimum 5

performance statistics logging.. value: 0
Maximum
value: 15

syslog-affinity * Affinity setting for syslog (hexadecimal string Maximum 0

value up to 256 bits in the format of length: 79
xxxxxxxxxxxxxxxx).

FortiOS 7.4.4 CLI Reference 1278

Fortinet Inc.
Parameter Description Type Size Default

tcp-halfclose-timer Number of seconds the FortiGate unit integer Minimum 120

should wait to close a session after one value: 1
peer has sent a FIN packet but the other Maximum
has not responded. value: 86400

tcp-halfopen-timer Number of seconds the FortiGate unit integer Minimum 10

should wait to close a session after one value: 1
peer has sent an open session packet but Maximum
the other has not responded. value: 86400

tcp-option Enable SACK, timestamp and MSS TCP option - enable

options.

Option Description

enable Enable TCP option.

disable Disable TCP option.

tcp-rst-timer Length of the TCP CLOSE state in integer Minimum 5

seconds. value: 5
Maximum
value: 300

tcp-timewait-timer Length of the TCP TIME-WAIT state in integer Minimum 1

seconds. value: 0
Maximum
value: 300

tftp Enable/disable TFTP. option - enable

Option Description

enable Enable TFTP.

disable Disable TFTP.

timezone Timezone database name. Enter ? to view string Maximum

the list of timezone. length: 63

traffic-priority Choose Type of Service (ToS) or option - tos

Differentiated Services Code Point
(DSCP) for traffic prioritization in traffic
shaping.

Option Description

tos IP TOS.

dscp DSCP (DiffServ) DS.

FortiOS 7.4.4 CLI Reference 1279

Fortinet Inc.
Parameter Description Type Size Default

traffic-priority-level Default system-wide level of priority for option - medium

traffic prioritization.

Option Description

low Low priority.

medium Medium priority.

high High priority.

two-factor-email- Email-based two-factor authentication integer Minimum 60

expiry session timeout. value: 30
Maximum
value: 300

two-factor-fac-expiry FortiAuthenticator token authentication integer Minimum 60

session timeout. value: 10
Maximum
value: 3600

two-factor-ftk-expiry FortiToken authentication session integer Minimum 60

timeout. value: 60
Maximum
value: 600

two-factor-ftm-expiry FortiToken Mobile session timeout. integer Minimum 72

value: 1
Maximum
value: 168

two-factor-sms- SMS-based two-factor authentication integer Minimum 60

expiry session timeout. value: 30
Maximum
value: 300

udp-idle-timer UDP connection session timeout. This integer Minimum 180

command can be useful in managing CPU value: 1
and memory resources. Maximum
value: 86400

url-filter-affinity * URL filter CPU affinity. string Maximum 0

length: 79

url-filter-count URL filter daemon count. integer Minimum 1

value: 1
Maximum
value: 1 **

FortiOS 7.4.4 CLI Reference 1280

Fortinet Inc.
Parameter Description Type Size Default

user-device-store- Maximum number of devices allowed in integer Minimum 168439 **

max-devices user device store. value: 84219
Maximum
value: 240628
**

user-device-store- Maximum unified memory allowed in user integer Minimum 842198630 **

max-unified-mem device store. value:
168439726
Maximum
value:
1684397260 **

user-device-store- Maximum number of users allowed in user integer Minimum 168439 **

max-users device store. value: 84219
Maximum
value: 240628
**

vdom-mode * Enable/disable support for multiple virtual option - no-vdom

domains (VDOMs).

Option Description

no-vdom Disable multiple VDOMs mode.

multi-vdom Enable multiple VDOMs mode.

vip-arp-range Controls the number of ARPs that the option - restricted

FortiGate sends for a Virtual IP (VIP)
address range.

enable Enable verification of EMS serial number in SSL-VPN connection.

disable Disable verification of EMS serial number in SSL-VPN connection.

wad-affinity * Affinity setting for wad (hexadecimal value string Maximum 0

up to 256 bits in the format of length: 79
xxxxxxxxxxxxxxxx).

wad-csvc-cs-count Number of concurrent WAD-cache-service integer Minimum 1

object-cache processes. value: 1
Maximum
value: 1

wad-csvc-db-count Number of concurrent WAD-cache-service integer Minimum 0

byte-cache processes. value: 0
Maximum
value: 8 **

wad-memory- Minimum percentage change in system integer Minimum 10

change-granularity memory usage detected by the wad value: 5
daemon prior to adjusting TCP window Maximum
size for any active connection. value: 25

wad-restart-end-time WAD workers daily restart end time user Not Specified
(hh:mm).

wad-restart-mode WAD worker restart mode. option - none

Option Description

none Disable restart of WAD workers.

time Enable daily restart of WAD workers.

memory Enable restart of WAD workers based on memory usage.

wad-restart-start- WAD workers daily restart time (hh:mm). user Not Specified
time

wad-source-affinity Enable/disable dispatching traffic to WAD option - enable

workers based on source affinity.

Option Description

disable Disable dispatching traffic to WAD workers based on source affinity.

enable Enable dispatching traffic to WAD workers based on source affinity.

FortiOS 7.4.4 CLI Reference 1282

Fortinet Inc.
Parameter Description Type Size Default

wad-worker-count Number of explicit proxy WAN integer Minimum 0

optimization daemon (WAD) processes. value: 0
By default WAN optimization, explicit Maximum
proxy, and web caching is handled by all value: 8 **
of the CPU cores in a FortiGate unit.

wifi-ca-certificate CA certificate that verifies the WiFi string Maximum Fortinet_Wifi_

certificate. length: 79 CA

wifi-certificate Certificate to use for WiFi authentication. string Maximum Fortinet_Wifi

length: 35

wimax-4g-usb Enable/disable comparability with WiMAX option - disable

* This parameter may not exist in some models.

** Values may differ between models.

FortiOS 7.4.4 CLI Reference 1283

Fortinet Inc.
config split-port-mode

Parameter Description Type Size Default

interface Split port interface. string Maximum

length: 15

split-mode The configuration mode for the split port interface. option - disable

Option Description

disable Disable split.

4x10G Split the port into four 10G ports.

4x25G Split the port into four 25G ports.

4x50G Split the port into four 50G ports.

8x25G Split the port into eight 25G ports.

8x50G Split the port into eight 50G ports.

4x100G Split the port into four 100G ports.

2x200G Split the port into two 200G ports.

config system gre-tunnel

Configure GRE tunnel.

config system gre-tunnel
Description: Configure GRE tunnel.
edit <name>
set auto-asic-offload [enable|disable]
set checksum-reception [disable|enable]
set checksum-transmission [disable|enable]
set diffservcode {user}
set dscp-copying [disable|enable]
set interface {string}
set ip-version [4|6]
set keepalive-failtimes {integer}
set keepalive-interval {integer}
set key-inbound {integer}
set key-outbound {integer}
set local-gw {ipv4-address-any}
set local-gw6 {ipv6-address}
set remote-gw {ipv4-address}
set remote-gw6 {ipv6-address}
set sequence-number-reception [disable|enable]
set sequence-number-transmission [disable|enable]
set use-sdwan [disable|enable]
next
end

FortiOS 7.4.4 CLI Reference 1284

disable Do not include checksums in transmitted GRE packets.

enable Include checksums in transmitted GRE packets.

diffservcode DiffServ setting to be applied to GRE tunnel outer IP user Not Specified
header.

dscp-copying Enable/disable DSCP copying. option - disable

Option Description

disable Disable DSCP copying.

enable Enable DSCP copying.

interface Interface name. string Maximum

length: 15

ip-version IP version to use for VPN interface. option - 4

Option Description

4 Use IPv4 addressing for gateways.

6 Use IPv6 addressing for gateways.

FortiOS 7.4.4 CLI Reference 1285

Fortinet Inc.
Parameter Description Type Size Default

keepalive- Number of consecutive unreturned keepalive integer Minimum 10

failtimes messages before a GRE connection is considered value: 1
down. Maximum
value: 255

keepalive- Keepalive message interval. integer Minimum 0

interval value: 0
Maximum
value: 32767

key-inbound * Require received GRE packets contain this key. integer Minimum 0
value: 0
Maximum
value:
4294967295

key-outbound * Include this key in transmitted GRE packets. integer Minimum 0

value: 0
Maximum
value:
4294967295

local-gw IP address of the local gateway. ipv4- Not Specified 0.0.0.0

address-
any

local-gw6 IPv6 address of the local gateway. ipv6- Not Specified ::

address

name Tunnel name. string Maximum

length: 15

remote-gw IP address of the remote gateway. ipv4- Not Specified 0.0.0.0

address

remote-gw6 IPv6 address of the remote gateway. ipv6- Not Specified ::

address

sequence- Enable/disable validating sequence numbers in option - disable

number- received GRE packets.
reception *

Option Description

disable Do not validate sequence number in received GRE packets.

enable Validate sequence numbers in received GRE packets.

sequence- Enable/disable including of sequence numbers in option - disable

number- transmitted GRE packets.
transmission *

FortiOS 7.4.4 CLI Reference 1286

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Include sequence numbers in transmitted GRE packets.

enable Do not include sequence numbers in transmitted GRE packets.

use-sdwan Enable/disable use of SD-WAN to reach remote option - disable

gateway.

Option Description

disable Disable use of SD-WAN to reach remote gateway.

enable Enable use of SD-WAN to reach remote gateway.

* This parameter may not exist in some models.

config system ha-monitor

Configure HA monitor.
config system ha-monitor
Description: Configure HA monitor.
set monitor-vlan [enable|disable]
set vlan-hb-interval {integer}
set vlan-hb-lost-threshold {integer}
end

config system ha-monitor

Parameter Description Type Size Default

monitor-vlan Enable/disable monitor VLAN interfaces. option - disable

Option Description

enable Enable monitor VLAN interfaces.

disable Disable monitor VLAN interfaces.

vlan-hb- Configure heartbeat interval (seconds). integer Minimum 5

interval value: 1
Maximum
value: 30

vlan-hb-lost- VLAN lost heartbeat threshold. integer Minimum 3

threshold value: 1
Maximum
value: 60

FortiOS 7.4.4 CLI Reference 1287

Fortinet Inc.
config system ha

Configure HA.
config system ha
Description: Configure HA.
set arps {integer}
set arps-interval {integer}
set authentication [enable|disable]
set cpu-threshold {user}
set encryption [enable|disable]
set evpn-ttl {integer}
set failover-hold-time {integer}
set ftp-proxy-threshold {user}
set gratuitous-arps [enable|disable]
set group-id {integer}
set group-name {string}
set ha-direct [enable|disable]
set ha-eth-type {string}
config ha-mgmt-interfaces
Description: Reserve interfaces to manage individual cluster units.
edit <id>
set interface {string}
set dst {ipv4-classnet}
set gateway {ipv4-address}
set gateway6 {ipv6-address}
next
end
set ha-mgmt-status [enable|disable]
set ha-uptime-diff-margin {integer}
set hb-interval {integer}
set hb-interval-in-milliseconds [100ms|10ms]
set hb-lost-threshold {integer}
set hbdev {user}
set hc-eth-type {string}
set hello-holddown {integer}
set http-proxy-threshold {user}
set imap-proxy-threshold {user}
set ipsec-phase2-proposal {option1}, {option2}, ...
set key {password}
set l2ep-eth-type {string}
set link-failed-signal [enable|disable]
set load-balance-all [enable|disable]
set logical-sn [enable|disable]
set memory-based-failover [enable|disable]
set memory-compatible-mode [enable|disable]
set memory-failover-flip-timeout {integer}
set memory-failover-monitor-period {integer}
set memory-failover-sample-rate {integer}
set memory-failover-threshold {integer}
set memory-threshold {user}
set mode [standalone|a-a|...]
set monitor {user}
set multicast-ttl {integer}
set nntp-proxy-threshold {user}
set override [enable|disable]

FortiOS 7.4.4 CLI Reference 1288

Fortinet Inc.
set override-wait-time {integer}
set password {password}
set pingserver-failover-threshold {integer}
set pingserver-flip-timeout {integer}
set pingserver-monitor-interface {user}
set pingserver-secondary-force-reset [enable|disable]
set pop3-proxy-threshold {user}
set priority {integer}
set route-hold {integer}
set route-ttl {integer}
set route-wait {integer}
set schedule [none|leastconnection|...]
set session-pickup [enable|disable]
set session-pickup-connectionless [enable|disable]
set session-pickup-delay [enable|disable]
set session-pickup-expectation [enable|disable]
set session-pickup-nat [enable|disable]
set session-sync-dev {user}
set smtp-proxy-threshold {user}
set ssd-failover [enable|disable]
set standalone-config-sync [enable|disable]
set standalone-mgmt-vdom [enable|disable]
set sync-config [enable|disable]
set sync-packet-balance [enable|disable]
set unicast-gateway {ipv4-address}
set unicast-hb [enable|disable]
set unicast-hb-netmask {ipv4-netmask}
set unicast-hb-peerip {ipv4-address}
config unicast-peers
Description: Number of unicast peers.
edit <id>
set peer-ip {ipv4-address}
next
end
set unicast-status [enable|disable]
set uninterruptible-primary-wait {integer}
set upgrade-mode [simultaneous|uninterruptible|...]
config vcluster
Description: Virtual cluster table.
edit <vcluster-id>
set override [enable|disable]
set priority {integer}
set override-wait-time {integer}
set monitor {user}
set pingserver-monitor-interface {user}
set pingserver-failover-threshold {integer}
set pingserver-secondary-force-reset [enable|disable]
set pingserver-flip-timeout {integer}
set vdom <name1>, <name2>, ...
next
end
set vcluster-status [enable|disable]
set weight {user}
end

FortiOS 7.4.4 CLI Reference 1289

Fortinet Inc.
config system ha

Parameter Description Type Size Default

arps Number of gratuitous ARPs. Lower to integer Minimum 5

reduce traffic. Higher to reduce failover time. value: 1
Maximum
value: 60

arps-interval Time between gratuitous ARPs . Lower to integer Minimum 8

reduce failover time. Higher to reduce traffic. value: 1
Maximum
value: 20

authentication Enable/disable heartbeat message option - disable

authentication.

Option Description

enable Enable heartbeat message authentication.

disable Disable heartbeat message authentication.

cpu-threshold Dynamic weighted load balancing CPU user Not Specified

usage weight and high and low thresholds.

encryption Enable/disable heartbeat message option - disable

encryption.

Option Description

enable Enable heartbeat message encryption.

disable Disable heartbeat message encryption.

evpn-ttl HA EVPN FDB TTL on primary box. integer Minimum 60

value: 5
Maximum
value: 3600

failover-hold-time Time to wait before failover , to avoid flip. integer Minimum 0

value: 0
Maximum
value: 300

ftp-proxy- Dynamic weighted load balancing weight user Not Specified

threshold and high and low number of FTP proxy
sessions.

gratuitous-arps Enable/disable gratuitous ARPs. Disable if option - enable

link-failed-signal enabled.

FortiOS 7.4.4 CLI Reference 1290

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable gratuitous ARPs.

disable Disable gratuitous ARPs.

group-id HA group ID . Must be the same for all integer Minimum 0

members. value: 0
Maximum
value: 1023

group-name Cluster group name. Must be the same for string Maximum
all members. length: 32

ha-direct Enable/disable using ha-mgmt interface for option - disable

syslog, remote authentication (RADIUS),
FortiAnalyzer, FortiSandbox, sFlow, and
Netflow.

Option Description

enable Enable using ha-mgmt interface for syslog, remote authentication

(RADIUS), FortiAnalyzer, FortiSandbox, sFlow, and Netflow.

disable Disable using ha-mgmt interface for syslog, remote authentication

(RADIUS), FortiAnalyzer, FortiSandbox, sFlow, and Netflow.

ha-eth-type HA heartbeat packet Ethertype (4-digit hex). string Maximum 8890

length: 4

ha-mgmt-status Enable to reserve interfaces to manage option - disable

individual cluster units.

Option Description

enable Enable setting.

disable Disable setting.

ha-uptime-diff- Normally you would only reduce this value integer Minimum 300
margin for failover testing. value: 1
Maximum
value: 65535

hb-interval Time between sending heartbeat packets. integer Minimum 2

Increase to reduce false positives. value: 1
Maximum
value: 20

hb-interval-in- Units of heartbeat interval time between option - 100ms

milliseconds sending heartbeat packets. Default is
100ms.

FortiOS 7.4.4 CLI Reference 1291

Fortinet Inc.
Parameter Description Type Size Default

Option Description

100ms Each heartbeat interval is 100ms.

10ms Each heartbeat interval is 10ms.

hb-lost-threshold Number of lost heartbeats to signal a failure. integer Minimum 6 **

Increase to reduce false positives. value: 1
Maximum
value: 60

hbdev Heartbeat interfaces. Must be the same for user Not Specified
all members. Enter <interface> <priority>
pairs to specify the priority of each heartbeat
interface. Higher priority takes precedence.

hc-eth-type Transparent mode HA heartbeat packet string Maximum 8891

Ethertype (4-digit hex). length: 4

hello-holddown Time to wait before changing from hello to integer Minimum 20

work state. value: 5
Maximum
value: 300

http-proxy- Dynamic weighted load balancing weight user Not Specified

threshold and high and low number of HTTP proxy
sessions.

imap-proxy- Dynamic weighted load balancing weight user Not Specified

threshold and high and low number of IMAP proxy
sessions.

ipsec-phase2- IPsec phase2 proposal. option -

proposal

Option Description

aes128-sha1 aes128-sha1

aes128-sha256 aes128-sha256

aes128-sha384 aes128-sha384

aes128-sha512 aes128-sha512

aes192-sha1 aes192-sha1

aes192-sha256 aes192-sha256

aes192-sha384 aes192-sha384

aes192-sha512 aes192-sha512

FortiOS 7.4.4 CLI Reference 1292

Fortinet Inc.
Parameter Description Type Size Default

Option Description

aes256-sha1 aes256-sha1

aes256-sha256 aes256-sha256

aes256-sha384 aes256-sha384

aes256-sha512 aes256-sha512

aes128gcm aes128gcm

aes256gcm aes256gcm

chacha20poly1305 chacha20poly1305

key Key. password Not Specified

l2ep-eth-type Telnet session HA heartbeat packet string Maximum 8893

Ethertype (4-digit hex). length: 4

link-failed-signal Enable to shut down all interfaces for 1 sec option - disable
after a failover. Use if gratuitous ARPs do
not update network.

Option Description

enable Enable setting.

disable Disable setting.

load-balance-all Enable to load balance TCP sessions. option - disable

Disable to load balance proxy sessions only.

Option Description

enable Enable load balance.

disable Disable load balance.

logical-sn Enable/disable usage of the logical serial option - disable

number.

Option Description

enable Enable usage of the logical serial number.

disable Disable usage of the logical serial number.

memory-based- Enable/disable memory based failover. option - disable

failover

FortiOS 7.4.4 CLI Reference 1293

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

memory- Enable/disable memory compatible mode. option - disable

compatible-mode

Option Description

enable Enable setting.

disable Disable setting.

memory-failover- Time to wait between subsequent memory integer Minimum 6

flip-timeout based failovers in minutes. value: 6
Maximum
value:
2147483647

memory-failover- Duration of high memory usage before integer Minimum 60

monitor-period memory based failover is triggered in value: 1
seconds. Maximum
value: 300

memory-failover- Rate at which memory usage is sampled in integer Minimum 1

sample-rate order to measure memory usage in value: 1
seconds. Maximum
value: 60

memory-failover- Memory usage threshold to trigger memory integer Minimum 0

threshold based failover (0 means using conserve value: 0
mode threshold in system.global). Maximum
value: 95

memory- Dynamic weighted load balancing memory user Not Specified

threshold usage weight and high and low thresholds.

mode HA mode. Must be the same for all option - standalone

members. FGSP requires standalone.

Option Description

standalone Standalone mode.

a-a Active-active mode.

a-p Active-passive mode.

monitor Interfaces to check for port monitoring (or user Not Specified
link failure).

FortiOS 7.4.4 CLI Reference 1294

Fortinet Inc.
Parameter Description Type Size Default

multicast-ttl HA multicast TTL on primary. integer Minimum 600

value: 5
Maximum
value: 3600

nntp-proxy- Dynamic weighted load balancing weight user Not Specified

threshold and high and low number of NNTP proxy
sessions.

override Enable and increase the priority of the unit option - disable
that should always be primary (master).

Option Description

enable Enable setting.

disable Disable setting.

override-wait- Delay negotiating if override is enabled. integer Minimum 0

time Reduces how often the cluster negotiates. value: 0
Maximum
value: 3600

password Cluster password. Must be the same for all password Not Specified
members.

pingserver- Remote IP monitoring failover threshold. integer Minimum 0

failover-threshold value: 0
Maximum
value: 50

pingserver-flip- Time to wait in minutes before renegotiating integer Minimum 60

timeout after a remote IP monitoring failover. value: 6
Maximum
value:
2147483647

pingserver- Interfaces to check for remote IP monitoring. user Not Specified

monitor-interface

pingserver- Enable to force the cluster to negotiate after option - enable

secondary-force- a remote IP monitoring failover.
reset

Option Description

enable Enable force reset of secondary member after PING server failure.

disable Disable force reset of secondary member after PING server failure.

FortiOS 7.4.4 CLI Reference 1295

Fortinet Inc.
Parameter Description Type Size Default

pop3-proxy- Dynamic weighted load balancing weight user Not Specified

threshold and high and low number of POP3 proxy
sessions.

priority Increase the priority to select the primary integer Minimum 128
unit. value: 0
Maximum
value: 255

route-hold Time to wait between routing table updates integer Minimum 10

to the cluster. value: 0
Maximum
value: 3600

route-ttl TTL for primary unit routes. Increase to integer Minimum 10

maintain active routes during failover. value: 5
Maximum
value: 3600

route-wait Time to wait before sending new routes to integer Minimum 0

the cluster. value: 0
Maximum
value: 3600

schedule Type of A-A load balancing. Use none if you option - round-robin
have external load balancers.

Option Description

none None.

leastconnection Least connection.

round-robin Round robin.

weight-round-robin Weight round robin.

random Random.

ip IP.

ipport IP port.

session-pickup Enable/disable session pickup. Enabling it option - disable

can reduce session down time when fail
over happens.

Option Description

enable Enable session pickup.

disable Disable session pickup.

enable Enable setting.

disable Disable setting.

session-sync-dev Offload session-sync process to kernel and user Not Specified

sync sessions using connected interface(s)
directly.

smtp-proxy- Dynamic weighted load balancing weight user Not Specified

threshold and high and low number of SMTP proxy
sessions.

ssd-failover * Enable/disable automatic HA failover on option - disable

SSD disk failure.

Option Description

enable Enable setting.

disable Disable setting.

enable Enable HA packet distribution to multiple CPUs.

disable Disable HA packet distribution to multiple CPUs.

unicast-gateway Default route gateway for unicast interface. ipv4- Not Specified 0.0.0.0
* address

unicast-hb * Enable/disable unicast heartbeat. option - disable

Option Description

enable Enable setting.

disable Disable setting.

unicast-hb- Unicast heartbeat netmask. ipv4- Not Specified 0.0.0.0

netmask * netmask

unicast-hb-peerip Unicast heartbeat peer IP. ipv4- Not Specified 0.0.0.0

* address

FortiOS 7.4.4 CLI Reference 1298

Fortinet Inc.
Parameter Description Type Size Default

unicast-status * Enable/disable unicast connection. option - disable

Option Description

enable Enable setting.

disable Disable setting.

uninterruptible- Number of minutes the primary HA unit waits integer Minimum 30

primary-wait before the secondary HA unit is considered value: 15
upgraded and the system is started before Maximum
starting its own upgrade. value: 300

upgrade-mode The mode to upgrade a cluster. option - uninterruptible

Option Description

simultaneous Upgrade all HA members at the same time.

uninterruptible Upgrade HA cluster without blocking network traffic.

local-only Upgrade local member only.

secondary-only Upgrade secondary member only.

vcluster-status Enable/disable virtual cluster for virtual option - disable

clustering.

Option Description

enable Enable setting.

disable Disable setting.

weight Weight-round-robin weight for each cluster user Not Specified 0 40

unit. Syntax <priority> <weight>.

* This parameter may not exist in some models.

** Values may differ between models.

config ha-mgmt-interfaces

Parameter Description Type Size Default

id Table ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

interface Interface to reserve for HA management. string Maximum

length: 15

FortiOS 7.4.4 CLI Reference 1299

Fortinet Inc.
Parameter Description Type Size Default

dst Default route destination for reserved HA ipv4- Not Specified 0.0.0.0
management interface. classnet 0.0.0.0

gateway Default route gateway for reserved HA management ipv4- Not Specified 0.0.0.0
interface. address

gateway6 Default IPv6 gateway for reserved HA management ipv6- Not Specified ::
interface. address

config unicast-peers

Parameter Description Type Size Default

id Table ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

peer-ip Unicast peer IP. ipv4- Not Specified 0.0.0.0

address

config vcluster

Parameter Description Type Size Default

vcluster-id ID. integer Minimum 1

value: 1
Maximum
value: 30

override Enable and increase the priority of the unit that should option - disable
always be primary (master).

Option Description

enable Enable setting.

disable Disable setting.

priority Increase the priority to select the primary unit. integer Minimum 128
value: 0
Maximum
value: 255

override-wait- Delay negotiating if override is enabled. Reduces how integer Minimum 0

time often the cluster negotiates. value: 0
Maximum
value: 3600

FortiOS 7.4.4 CLI Reference 1300

Fortinet Inc.
Parameter Description Type Size Default

monitor Interfaces to check for port monitoring (or link failure). user Not Specified

pingserver- Interfaces to check for remote IP monitoring. user Not Specified

monitor-
interface

pingserver- Remote IP monitoring failover threshold. integer Minimum 0

failover- value: 0
threshold Maximum
value: 50

pingserver- Enable to force the cluster to negotiate after a remote option - enable
secondary- IP monitoring failover.
force-reset

Option Description

enable Enable force reset of secondary member after PING server failure.

disable Disable force reset of secondary member after PING server failure.

pingserver- Time to wait in minutes before renegotiating after a integer Minimum 60

flip-timeout remote IP monitoring failover. value: 6
Maximum
value:
2147483647

vdom <name> Virtual domain(s) in the virtual cluster. string Maximum

Virtual domain name. length: 79

FortiOS 7.4.4 CLI Reference 1301

Fortinet Inc.
config system icond

Configure Industrial Connectivity.

config system icond
Description: Configure Industrial Connectivity.
set iec101-keepalive [disable|enable]
set iec101-laddr-local {integer}
set iec101-laddr-remote {integer}
set iec101-laddr-size {integer}
set iec101-mode [balanced|unbalanced]
set iec101-t0 {integer}
set iec101-trp {integer}
set iec101-use-ack-char [disable|enable]
set iec104-k {integer}
set iec104-t1 {integer}
set iec104-t2 {integer}
set iec104-t3 {integer}
set iec104-w {integer}
set modbus-serial-addr {integer}
set modbus-serial-mode [RTU|ASCII]
set modbus-serial-timeout-resp {integer}
set modbus-tcp-unit-id {integer}
set port {integer}
set status [disable|enable]
set tty-baudrate [200|300|...]
set tty-databits {integer}
set tty-device {string}
set tty-flowcontrol [none|xon-xoff|...]

FortiOS 7.4.4 CLI Reference 1302

Fortinet Inc.
set tty-parity [none|odd|...]
set tty-stopbits {integer}
set type [iec101-104|modbus-serial-tcp|...]
end

config system icond

Parameter Description Type Size Default

iec101- Send periodic test frame for probing link status. option - enable
keepalive

Option Description

disable Disable the selected function.

enable Enable the selected function.

iec101-laddr- Link address of local. integer Minimum 1

local value: 1
Maximum
value:
65534

iec101-laddr- Link address of remote. integer Minimum 2

remote value: 1
Maximum
value:
65535

iec101-laddr- Link address size. integer Minimum 1

size value: 0
Maximum
value: 2

iec101-mode Link layer transmission procedure. option - balanced

Option Description

balanced Set IEC101 transmission mode to balanced.

unbalanced Set IEC101 transmission mode to unbalanced.

iec101-t0 Time out for repetition of frames in milliseconds. integer Minimum 500
value: 1
Maximum
value:
30000

FortiOS 7.4.4 CLI Reference 1303

Fortinet Inc.
Parameter Description Type Size Default

iec101-trp Time interval during which repetitions are permitted in integer Minimum 2500
milliseconds. value: 1
Maximum
value:
300000

iec101-use- Use single character for ACK. option - disable

ack-char

Option Description

disable Disable the selected function.

enable Enable the selected function.

iec104-k Maximum number of outstanding I formate APDUs. integer Minimum 12

value: 1
Maximum
value:
32767

iec104-t1 Time-out of send or test APDUs in seconds. integer Minimum 15

value: 1
Maximum
value: 255

iec104-t2 Time-out for acknowledges in case no data messages in integer Minimum 10

seconds. value: 1
Maximum
value: 255

iec104-t3 Time-out for sending test frames in case of a long idle integer Minimum 20
state in seconds. value: 1
Maximum
value:
172800

iec104-w Maximum number of latest acknowledge APDUs. integer Minimum 8

value: 1
Maximum
value:
32767

modbus- Serial remote station address. integer Minimum 1

serial-addr value: 1
Maximum
value: 247

modbus- Serial transmission mode. option - RTU

serial-mode

FortiOS 7.4.4 CLI Reference 1304

Fortinet Inc.
Parameter Description Type Size Default

Option Description

RTU Set Modbus transmission mode to RTU.

ASCII Set Modbus transmission mode to ASCII.

modbus- Time out for serial remote station response in integer Minimum 500
serial- milliseconds. value: 10
timeout-resp Maximum
value:
30000

modbus-tcp- TCP MBAP unit identifier. integer Minimum 255

unit-id value: 0
Maximum
value: 255

port Listening socket port. integer Minimum 0

value: 1
Maximum
value:
65535

status Enable/disable this connection. option - disable

Option Description

disable Disable the selected function.

enable Enable the selected function.

tty-baudrate TTY baudrate. option - 9600

Option Description

200 Set TTY baudrate to 200.

300 Set TTY baudrate to 300.

600 Set TTY baudrate to 600.

1200 Set TTY baudrate to 1200.

2400 Set TTY baudrate to 2400.

4800 Set TTY baudrate to 4800.

9600 Set TTY baudrate to 9600.

19200 Set TTY baudrate to 19200.

38400 Set TTY baudrate to 38400.

115200 Set TTY baudrate to 115200.

FortiOS 7.4.4 CLI Reference 1305

Fortinet Inc.
Parameter Description Type Size Default

tty-databits TTY databits. integer Minimum 8

value: 5
Maximum
value: 8

tty-device TTY device. string Maximum serial0

length: 35

tty-flowcontrol TTY flowcontrol. option - none

Option Description

none Set TTY flow control to none.

xon-xoff Set TTY flow control to xon/xoff.

hw Set TTY flow control to hardware.

tty-parity TTY parity. option - even

Option Description

none Set TTY parity to none.

odd Set TTY parity to odd.

even Set TTY parity to even.

tty-stopbits TTY stopbits. integer Minimum 1

value: 1
Maximum
value: 2

type Connection type. option - iec101-104

Option Description

iec101-104 Convert between IEC60870-5-101 and IEC60870-5-104.

modbus-serial- Convert between Modbus Serial and Modbus TCP.

tcp

raw Re-direct traffic from TTY to socket without conversion.

config system ike

Configure IKE global attributes.

config system ike
Description: Configure IKE global attributes.
config dh-group-1
Description: Diffie-Hellman group 1 (MODP-768).
set mode [software|hardware|...]
set keypair-cache [global|custom]

FortiOS 7.4.4 CLI Reference 1306

Fortinet Inc.
set keypair-count {integer}
end
config dh-group-14
Description: Diffie-Hellman group 14 (MODP-2048).
set mode [software|hardware|...]
set keypair-cache [global|custom]
set keypair-count {integer}
end
config dh-group-15
Description: Diffie-Hellman group 15 (MODP-3072).
set mode [software|hardware|...]
set keypair-cache [global|custom]
set keypair-count {integer}
end
config dh-group-16
Description: Diffie-Hellman group 16 (MODP-4096).
set mode [software|hardware|...]
set keypair-cache [global|custom]
set keypair-count {integer}
end
config dh-group-17
Description: Diffie-Hellman group 17 (MODP-6144).
set mode [software|hardware|...]
set keypair-cache [global|custom]
set keypair-count {integer}
end
config dh-group-18
Description: Diffie-Hellman group 18 (MODP-8192).
set mode [software|hardware|...]
set keypair-cache [global|custom]
set keypair-count {integer}
end
config dh-group-19
Description: Diffie-Hellman group 19 (EC-P256).
set mode [software|hardware|...]
set keypair-cache [global|custom]
set keypair-count {integer}
end
config dh-group-2
Description: Diffie-Hellman group 2 (MODP-1024).
set mode [software|hardware|...]
set keypair-cache [global|custom]
set keypair-count {integer}
end
config dh-group-20
Description: Diffie-Hellman group 20 (EC-P384).
set mode [software|hardware|...]
set keypair-cache [global|custom]
set keypair-count {integer}
end
config dh-group-21
Description: Diffie-Hellman group 21 (EC-P521).
set mode [software|hardware|...]
set keypair-cache [global|custom]
set keypair-count {integer}
end

FortiOS 7.4.4 CLI Reference 1307

Fortinet Inc.
config dh-group-27
Description: Diffie-Hellman group 27 (EC-P224BP).
set mode [software|hardware|...]
set keypair-cache [global|custom]
set keypair-count {integer}
end
config dh-group-28
Description: Diffie-Hellman group 28 (EC-P256BP).
set mode [software|hardware|...]
set keypair-cache [global|custom]
set keypair-count {integer}
end
config dh-group-29
Description: Diffie-Hellman group 29 (EC-P384BP).
set mode [software|hardware|...]
set keypair-cache [global|custom]
set keypair-count {integer}
end
config dh-group-30
Description: Diffie-Hellman group 30 (EC-P512BP).
set mode [software|hardware|...]
set keypair-cache [global|custom]
set keypair-count {integer}
end
config dh-group-31
Description: Diffie-Hellman group 31 (EC-X25519).
set mode [software|hardware|...]
set keypair-cache [global|custom]
set keypair-count {integer}
end
config dh-group-32
Description: Diffie-Hellman group 32 (EC-X448).
set mode [software|hardware|...]
set keypair-cache [global|custom]
set keypair-count {integer}
end
config dh-group-5
Description: Diffie-Hellman group 5 (MODP-1536).
set mode [software|hardware|...]
set keypair-cache [global|custom]
set keypair-count {integer}
end
set dh-keypair-cache [enable|disable]
set dh-keypair-count {integer}
set dh-keypair-throttle [enable|disable]
set dh-mode [software|hardware]
set dh-multiprocess [enable|disable]
set dh-worker-count {integer}
set embryonic-limit {integer}
end

FortiOS 7.4.4 CLI Reference 1308

Fortinet Inc.
config system ike

Parameter Description Type Size Default

dh-keypair- Enable/disable Diffie-Hellman key pair cache. option - enable

cache

Option Description

enable Enable Diffie-Hellman key pair cache.

enable Enable multiprocess Diffie-Hellman for IKE.

disable Disable multiprocess Diffie-Hellman for IKE.

dh-worker- Number of Diffie-Hellman workers to start. integer Minimum 0

count value: 1
Maximum
value: 8 **

embryonic-limit Maximum number of IPsec tunnels to negotiate integer Minimum 5000 **

simultaneously. value: 50
Maximum
value:
20000

FortiOS 7.4.4 CLI Reference 1309

Fortinet Inc.
** Values may differ between models.

config dh-group-1

Parameter Description Type Size Default

mode Use software (CPU) or hardware (CPX) to perform option - global

calculations for this Diffie-Hellman group.

Option Description

software Prefer CPU to perform Diffie-Hellman calculations.

hardware Prefer CPX to perform Diffie-Hellman calculations.

global Use global dh-mode setting.

keypair-cache Configure custom key pair cache size for this Diffie- option - global
Hellman group.

Option Description

global Use global Diffie-Hellman key pair cache setting.

custom Use custom Diffie-Hellman key pair cache setting.

keypair-count Number of key pairs to pre-generate for this Diffie- integer Minimum 0
Hellman group (per-worker). value: 0
Maximum
value:
50000

config dh-group-14

Parameter Description Type Size Default

mode Use software (CPU) or hardware (CPX) to perform option - global

calculations for this Diffie-Hellman group.

Option Description

software Prefer CPU to perform Diffie-Hellman calculations.

hardware Prefer CPX to perform Diffie-Hellman calculations.

global Use global dh-mode setting.

keypair-cache Configure custom key pair cache size for this Diffie- option - global
Hellman group.

Option Description

global Use global Diffie-Hellman key pair cache setting.

FortiOS 7.4.4 CLI Reference 1310

Fortinet Inc.
Parameter Description Type Size Default

Option Description

custom Use custom Diffie-Hellman key pair cache setting.

keypair-count Number of key pairs to pre-generate for this Diffie- integer Minimum 0
Hellman group (per-worker). value: 0
Maximum
value:
50000

config dh-group-15

Parameter Description Type Size Default

mode Use software (CPU) or hardware (CPX) to perform option - global

calculations for this Diffie-Hellman group.

Option Description

software Prefer CPU to perform Diffie-Hellman calculations.

hardware Prefer CPX to perform Diffie-Hellman calculations.

global Use global dh-mode setting.

keypair-cache Configure custom key pair cache size for this Diffie- option - global
Hellman group.

Option Description

global Use global Diffie-Hellman key pair cache setting.

custom Use custom Diffie-Hellman key pair cache setting.

keypair-count Number of key pairs to pre-generate for this Diffie- integer Minimum 0
Hellman group (per-worker). value: 0
Maximum
value:
50000

config dh-group-16

Parameter Description Type Size Default

mode Use software (CPU) or hardware (CPX) to perform option - global

calculations for this Diffie-Hellman group.

FortiOS 7.4.4 CLI Reference 1311

Fortinet Inc.
Parameter Description Type Size Default

Option Description

software Prefer CPU to perform Diffie-Hellman calculations.

hardware Prefer CPX to perform Diffie-Hellman calculations.

global Use global dh-mode setting.

keypair-cache Configure custom key pair cache size for this Diffie- option - global
Hellman group.

Option Description

global Use global Diffie-Hellman key pair cache setting.

custom Use custom Diffie-Hellman key pair cache setting.

keypair-count Number of key pairs to pre-generate for this Diffie- integer Minimum 0
Hellman group (per-worker). value: 0
Maximum
value:
50000

config dh-group-17

Parameter Description Type Size Default

mode Use software (CPU) or hardware (CPX) to perform option - global

calculations for this Diffie-Hellman group.

Option Description

software Prefer CPU to perform Diffie-Hellman calculations.

hardware Prefer CPX to perform Diffie-Hellman calculations.

global Use global dh-mode setting.

keypair-cache Configure custom key pair cache size for this Diffie- option - global
Hellman group.

Option Description

global Use global Diffie-Hellman key pair cache setting.

custom Use custom Diffie-Hellman key pair cache setting.

keypair-count Number of key pairs to pre-generate for this Diffie- integer Minimum 0
Hellman group (per-worker). value: 0
Maximum
value:
50000

FortiOS 7.4.4 CLI Reference 1312

keypair-count Number of key pairs to pre-generate for this Diffie- integer Minimum 0
Hellman group (per-worker). value: 0
Maximum
value:
50000

config dh-group-2

Parameter Description Type Size Default

mode Use software (CPU) or hardware (CPX) to perform option - global

calculations for this Diffie-Hellman group.

Option Description

software Prefer CPU to perform Diffie-Hellman calculations.

hardware Prefer CPX to perform Diffie-Hellman calculations.

global Use global dh-mode setting.

keypair-cache Configure custom key pair cache size for this Diffie- option - global
Hellman group.

Option Description

global Use global Diffie-Hellman key pair cache setting.

custom Use custom Diffie-Hellman key pair cache setting.

keypair-count Number of key pairs to pre-generate for this Diffie- integer Minimum 0
Hellman group (per-worker). value: 0
Maximum
value:
50000

config dh-group-20

Parameter Description Type Size Default

mode Use software (CPU) or hardware (CPX) to perform option - global

calculations for this Diffie-Hellman group.

Option Description

software Prefer CPU to perform Diffie-Hellman calculations.

hardware Prefer CPX to perform Diffie-Hellman calculations.

global Use global Diffie-Hellman key pair cache setting.

custom Use custom Diffie-Hellman key pair cache setting.

FortiOS 7.4.4 CLI Reference 1316

Fortinet Inc.
Parameter Description Type Size Default

keypair-count Number of key pairs to pre-generate for this Diffie- integer Minimum 0
Hellman group (per-worker). value: 0
Maximum
value:
50000

config dh-group-29

Parameter Description Type Size Default

mode Use software (CPU) or hardware (CPX) to perform option - global

calculations for this Diffie-Hellman group.

Option Description

software Prefer CPU to perform Diffie-Hellman calculations.

hardware Prefer CPX to perform Diffie-Hellman calculations.

global Use global dh-mode setting.

keypair-cache Configure custom key pair cache size for this Diffie- option - global
Hellman group.

Option Description

global Use global Diffie-Hellman key pair cache setting.

custom Use custom Diffie-Hellman key pair cache setting.

keypair-count Number of key pairs to pre-generate for this Diffie- integer Minimum 0
Hellman group (per-worker). value: 0
Maximum
value:
50000

config dh-group-30

Parameter Description Type Size Default

mode Use software (CPU) or hardware (CPX) to perform option - global

calculations for this Diffie-Hellman group.

Option Description

software Prefer CPU to perform Diffie-Hellman calculations.

hardware Prefer CPX to perform Diffie-Hellman calculations.

global Use global Diffie-Hellman key pair cache setting.

custom Use custom Diffie-Hellman key pair cache setting.

FortiOS 7.4.4 CLI Reference 1319

Fortinet Inc.
Parameter Description Type Size Default

keypair-count Number of key pairs to pre-generate for this Diffie- integer Minimum 0
Hellman group (per-worker). value: 0
Maximum
value:
50000

config system interface

Configure interfaces.
config system interface
Description: Configure interfaces.
edit <name>
set ac-name {string}
set aggregate {string}
set aggregate-type [physical|vxlan]
set algorithm [L2|L3|...]
set alias {string}
set allowaccess {option1}, {option2}, ...
set ap-discover [enable|disable]
set arpforward [enable|disable]
set atm-protocol [none|ipoa]
set auth-cert {string}
set auth-portal-addr {string}
set auth-type [auto|pap|...]
set auto-auth-extension-device [enable|disable]
set bandwidth-measure-time {integer}
set bfd [global|enable|...]
set bfd-desired-min-tx {integer}
set bfd-detect-mult {integer}
set bfd-required-min-rx {integer}
set broadcast-forward [enable|disable]
set cli-conn-status {integer}
config client-options
Description: DHCP client options.
edit <id>
set code {integer}
set type [hex|string|...]
set value {string}
set ip {user}
next
end
set color {integer}
set dedicated-to [none|management]
set default-purdue-level [1|1.5|...]
set defaultgw [enable|disable]
set description {var-string}
set detected-peer-mtu {integer}
set detectprotocol {option1}, {option2}, ...
set detectserver {user}
set device-identification [enable|disable]
set device-user-identification [enable|disable]

FortiOS 7.4.4 CLI Reference 1320

Fortinet Inc.
set devindex {integer}
set dhcp-broadcast-flag [disable|enable]
set dhcp-classless-route-addition [enable|disable]
set dhcp-client-identifier {string}
set dhcp-relay-agent-option [enable|disable]
set dhcp-relay-allow-no-end-option [disable|enable]
set dhcp-relay-circuit-id {string}
set dhcp-relay-interface {string}
set dhcp-relay-interface-select-method [auto|sdwan|...]
set dhcp-relay-ip {user}
set dhcp-relay-link-selection {ipv4-address}
set dhcp-relay-request-all-server [disable|enable]
set dhcp-relay-service [disable|enable]
set dhcp-relay-source-ip {ipv4-address}
set dhcp-relay-type [regular|ipsec]
set dhcp-renew-time {integer}
set dhcp-smart-relay [disable|enable]
config dhcp-snooping-server-list
Description: Configure DHCP server access list.
edit <name>
set server-ip {ipv4-address}
next
end
set disc-retry-timeout {integer}
set distance {integer}
set dns-server-override [enable|disable]
set dns-server-protocol {option1}, {option2}, ...
set drop-fragment [enable|disable]
set drop-overlapped-fragment [enable|disable]
set eap-ca-cert {string}
set eap-identity {string}
set eap-method [tls|peap]
set eap-password {password}
set eap-supplicant [enable|disable]
set eap-user-cert {string}
set egress-cos [disable|cos0|...]
config egress-queues
Description: Configure queues of NP port on egress path.
set cos0 {string}
set cos1 {string}
set cos2 {string}
set cos3 {string}
set cos4 {string}
set cos5 {string}
set cos6 {string}
set cos7 {string}
end
set egress-shaping-profile {string}
set estimated-downstream-bandwidth {integer}
set estimated-upstream-bandwidth {integer}
set explicit-ftp-proxy [enable|disable]
set explicit-web-proxy [enable|disable]
set external [enable|disable]
set fail-action-on-extender [soft-restart|hard-restart|...]
set fail-alert-interfaces <name1>, <name2>, ...
set fail-alert-method [link-failed-signal|link-down]

FortiOS 7.4.4 CLI Reference 1321

Fortinet Inc.
set fail-detect [enable|disable]
set fail-detect-option {option1}, {option2}, ...
set fortilink [enable|disable]
set fortilink-backup-link {integer}
set fortilink-neighbor-detect [lldp|fortilink]
set fortilink-split-interface [enable|disable]
set forward-domain {integer}
set forward-error-correction [none|disable|...]
set gateway-address {ipv4-address}
set gwaddr {ipv4-address}
set gwdetect [enable|disable]
set ha-priority {integer}
set icmp-accept-redirect [enable|disable]
set icmp-send-redirect [enable|disable]
set ident-accept [enable|disable]
set idle-timeout {integer}
set ike-saml-server {string}
set inbandwidth {integer}
set ingress-cos [disable|cos0|...]
set ingress-shaping-profile {string}
set ingress-spillover-threshold {integer}
set interconnect-profile [default|profile1|...]
set interface {string}
set internal {integer}
set ip {ipv4-classnet-host}
set ip-managed-by-fortiipam [inherit-global|enable|...]
set ipmac [enable|disable]
set ips-sniffer-mode [enable|disable]
set ipunnumbered {ipv4-address}
config ipv6
Description: IPv6 of interface.
set ip6-mode [static|dhcp|...]
set nd-mode [basic|SEND-compatible]
set nd-cert {string}
set nd-security-level {integer}
set nd-timestamp-delta {integer}
set nd-timestamp-fuzz {integer}
set nd-cga-modifier {user}
set ip6-dns-server-override [enable|disable]
set ip6-address {ipv6-prefix}
config ip6-extra-addr
Description: Extra IPv6 address prefixes of interface.
edit <prefix>
next
end
set ip6-allowaccess {option1}, {option2}, ...
set ip6-send-adv [enable|disable]
set icmp6-send-redirect [enable|disable]
set ip6-manage-flag [enable|disable]
set ip6-other-flag [enable|disable]
set ip6-max-interval {integer}
set ip6-min-interval {integer}
set ip6-link-mtu {integer}
set ra-send-mtu [enable|disable]
set ip6-reachable-time {integer}
set ip6-retrans-time {integer}

FortiOS 7.4.4 CLI Reference 1322

Fortinet Inc.
set ip6-default-life {integer}
set ip6-hop-limit {integer}
set autoconf [enable|disable]
set unique-autoconf-addr [enable|disable]
set interface-identifier {ipv6-address}
set ip6-prefix-mode [dhcp6|ra]
set ip6-delegated-prefix-iaid {integer}
set ip6-upstream-interface {string}
set ip6-subnet {ipv6-prefix}
config ip6-prefix-list
Description: Advertised prefix list.
edit <prefix>
set autonomous-flag [enable|disable]
set onlink-flag [enable|disable]
set valid-life-time {integer}
set preferred-life-time {integer}
set rdnss {user}
set dnssl <domain1>, <domain2>, ...
next
end
config ip6-delegated-prefix-list
Description: Advertised IPv6 delegated prefix list.
edit <prefix-id>
set upstream-interface {string}
set delegated-prefix-iaid {integer}
set autonomous-flag [enable|disable]
set onlink-flag [enable|disable]
set subnet {ipv6-network}
set rdnss-service [delegated|default|...]
set rdnss {user}
next
end
set dhcp6-relay-service [disable|enable]
set dhcp6-relay-type {option}
set dhcp6-relay-source-interface [disable|enable]
set dhcp6-relay-ip {user}
set dhcp6-relay-source-ip {ipv6-address}
set dhcp6-relay-interface-id {string}
set dhcp6-client-options {option1}, {option2}, ...
set dhcp6-prefix-delegation [enable|disable]
set dhcp6-information-request [enable|disable]
config dhcp6-iapd-list
Description: DHCPv6 IA-PD list.
edit <iaid>
set prefix-hint {ipv6-network}
set prefix-hint-plt {integer}
set prefix-hint-vlt {integer}
next
end
set cli-conn6-status {integer}
set vrrp-virtual-mac6 [enable|disable]
set vrip6_link_local {ipv6-address}
config vrrp6
Description: IPv6 VRRP configuration.
edit <vrid>
set vrgrp {integer}

FortiOS 7.4.4 CLI Reference 1323

Fortinet Inc.
set vrip6 {ipv6-address}
set priority {integer}
set adv-interval {integer}
set start-time {integer}
set preempt [enable|disable]
set accept-mode [enable|disable]
set vrdst6 {ipv6-address}
set ignore-default-route [enable|disable]
set status [enable|disable]
next
end
end
set l2forward [enable|disable]
set l2tp-client [enable|disable]
config l2tp-client-settings
Description: L2TP client settings.
set user {string}
set password {password}
set peer-host {string}
set peer-mask {ipv4-netmask}
set peer-port {integer}
set auth-type [auto|pap|...]
set mtu {integer}
set distance {integer}
set priority {integer}
set defaultgw [enable|disable]
set ip {ipv4-classnet-host}
set hello-interval {integer}
end
set lacp-ha-secondary [enable|disable]
set lacp-mode [static|passive|...]
set lacp-speed [slow|fast]
set lcp-echo-interval {integer}
set lcp-max-echo-fails {integer}
set link-up-delay {integer}
set lldp-network-policy {string}
set lldp-reception [enable|disable|...]
set lldp-transmission [enable|disable|...]
set macaddr {mac-address}
set managed-subnetwork-size [32|64|...]
set management-ip {ipv4-classnet-host}
set measured-downstream-bandwidth {integer}
set measured-upstream-bandwidth {integer}
set mediatype [serdes-sfp|sgmii-sfp|...]
set member <interface-name1>, <interface-name2>, ...
set min-links {integer}
set min-links-down [operational|administrative]
set mirroring-direction [rx|tx|...]
config mirroring-filter
Description: Mirroring filter.
set filter-srcip {ipv4-classnet-host}
set filter-dstip {ipv4-classnet-host}
set filter-sport {integer}
set filter-dport {integer}
set filter-protocol {integer}
end

FortiOS 7.4.4 CLI Reference 1324

Fortinet Inc.
set mirroring-port {string}
set mode [static|dhcp|...]
set monitor-bandwidth [enable|disable]
set mtu {integer}
set mtu-override [enable|disable]
set mux-type [llc-encaps|vc-encaps]
set ndiscforward [enable|disable]
set netbios-forward [disable|enable]
set netflow-sampler [disable|tx|...]
set np-qos-profile {integer}
set outbandwidth {integer}
set padt-retry-timeout {integer}
set password {password}
set phy-mode {option}
set ping-serv-status {integer}
set poe [enable|disable]
set polling-interval {integer}
set port-mirroring [disable|enable]
set pppoe-unnumbered-negotiate [enable|disable]
set pptp-auth-type [auto|pap|...]
set pptp-client [enable|disable]
set pptp-password {password}
set pptp-server-ip {ipv4-address}
set pptp-timeout {integer}
set pptp-user {string}
set preserve-session-route [enable|disable]
set priority {integer}
set priority-override [enable|disable]
set proxy-captive-portal [enable|disable]
set pvc-atm-qos [cbr|rt-vbr|...]
set pvc-chan {integer}
set pvc-crc {integer}
set pvc-pcr {integer}
set pvc-scr {integer}
set pvc-vlan-id {integer}
set pvc-vlan-rx-id {integer}
set pvc-vlan-rx-op [pass-through|replace|...]
set pvc-vlan-tx-id {integer}
set pvc-vlan-tx-op [pass-through|replace|...]
set reachable-time {integer}
set redundant-interface {string}
set remote-ip {ipv4-classnet-host}
set replacemsg-override-group {string}
set retransmission [disable|enable]
set ring-rx {integer}
set ring-tx {integer}
set role [lan|wan|...]
set sample-direction [tx|rx|...]
set sample-rate {integer}
set secondary-IP [enable|disable]
config secondaryip
Description: Second IP address of interface.
edit <id>
set ip {ipv4-classnet-host}
set secip-relay-ip {user}
set allowaccess {option1}, {option2}, ...

FortiOS 7.4.4 CLI Reference 1325

Fortinet Inc.
set gwdetect [enable|disable]
set ping-serv-status {integer}
set detectserver {user}
set detectprotocol {option1}, {option2}, ...
set ha-priority {integer}
next
end
set security-8021x-dynamic-vlan-id {integer}
set security-8021x-master {string}
set security-8021x-member-mode [switch|disable]
set security-8021x-mode [default|dynamic-vlan|...]
set security-exempt-list {string}
set security-external-logout {string}
set security-external-web {var-string}
set security-groups <name1>, <name2>, ...
set security-mac-auth-bypass [mac-auth-only|enable|...]
set security-mode [none|captive-portal|...]
set security-redirect-url {var-string}
set service-name {string}
set sflow-sampler [enable|disable]
set sfp-dsl [disable|enable]
set sfp-dsl-adsl-fallback [disable|enable]
set sfp-dsl-autodetect [disable|enable]
set sfp-dsl-mac {mac-address}
set snmp-index {integer}
set speed [auto|10full|...]
set spillover-threshold {integer}
set src-check [enable|disable]
set status [up|down]
set stp [disable|enable]
set stp-edge [disable|enable]
set stp-ha-secondary [disable|enable|...]
set stpforward [enable|disable]
set stpforward-mode [rpl-all-ext-id|rpl-bridge-ext-id|...]
set subst [enable|disable]
set substitute-dst-mac {mac-address}
set sw-algorithm [l2|l3|...]
set swc-first-create {integer}
set swc-vlan {integer}
set switch {string}
set switch-controller-access-vlan [enable|disable]
set switch-controller-arp-inspection [enable|disable|...]
set switch-controller-dhcp-snooping [enable|disable]
set switch-controller-dhcp-snooping-option82 [enable|disable]
set switch-controller-dhcp-snooping-verify-mac [enable|disable]
set switch-controller-dynamic {string}
set switch-controller-feature [none|default-vlan|...]
set switch-controller-igmp-snooping [enable|disable]
set switch-controller-igmp-snooping-fast-leave [enable|disable]
set switch-controller-igmp-snooping-proxy [enable|disable]
set switch-controller-iot-scanning [enable|disable]
set switch-controller-learning-limit {integer}
set switch-controller-mgmt-vlan {integer}
set switch-controller-nac {string}
set switch-controller-netflow-collect [disable|enable]
set switch-controller-offload [enable|disable]

FortiOS 7.4.4 CLI Reference 1326

Fortinet Inc.
set switch-controller-offload-gw [enable|disable]
set switch-controller-offload-ip {ipv4-address}
set switch-controller-rspan-mode [disable|enable]
set switch-controller-source-ip [outbound|fixed]
set switch-controller-traffic-policy {string}
set system-id {mac-address}
set system-id-type [auto|user]
config tagging
Description: Config object tagging.
edit <name>
set category {string}
set tags <name1>, <name2>, ...
next
end
set tc-mode {option}
set tcp-mss {integer}
set trunk [enable|disable]
set trust-ip-1 {ipv4-classnet-any}
set trust-ip-2 {ipv4-classnet-any}
set trust-ip-3 {ipv4-classnet-any}
set trust-ip6-1 {ipv6-prefix}
set trust-ip6-2 {ipv6-prefix}
set trust-ip6-3 {ipv6-prefix}
set type [physical|vlan|...]
set username {string}
set vci {integer}
set vdom {string}
set vectoring [disable|enable]
set vindex {integer}
set vlan-protocol [8021q|8021ad]
set vlanforward [enable|disable]
set vlanid {integer}
set vpi {integer}
set vrf {integer}
config vrrp
Description: VRRP configuration.
edit <vrid>
set version [2|3]
set vrgrp {integer}
set vrip {ipv4-address-any}
set priority {integer}
set adv-interval {integer}
set start-time {integer}
set preempt [enable|disable]
set accept-mode [enable|disable]
set vrdst {ipv4-address-any}
set vrdst-priority {integer}
set ignore-default-route [enable|disable]
set status [enable|disable]
config proxy-arp
Description: VRRP Proxy ARP configuration.
edit <id>
set ip {user}
next
end
next

FortiOS 7.4.4 CLI Reference 1327

Fortinet Inc.
end
set vrrp-virtual-mac [enable|disable]
set wccp [enable|disable]
set weight {integer}
set wifi-5g-threshold {string}
set wifi-acl [allow|deny]
set wifi-ap-band [any|5g-preferred|...]
set wifi-auth [PSK|radius|...]
set wifi-auto-connect [enable|disable]
set wifi-auto-save [enable|disable]
set wifi-broadcast-ssid [enable|disable]
set wifi-dns-server1 {ipv4-address}
set wifi-dns-server2 {ipv4-address}
set wifi-encrypt [TKIP|AES]
set wifi-fragment-threshold {integer}
set wifi-gateway {ipv4-address}
set wifi-key {password}
set wifi-keyindex {integer}
set wifi-mac-filter [enable|disable]
config wifi-mac-list
Description: MAC filter list.
edit <id>
set mac {mac-address}
next
end
config wifi-networks
Description: WiFi network table.
edit <id>
set wifi-ssid {string}
set wifi-security [open|wep64|...]
set wifi-encrypt [TKIP|AES]
set wifi-keyindex {integer}
set wifi-key {password}
set wifi-passphrase {password}
set wifi-eap-type [both|tls|...]
set wifi-username {string}
set wifi-client-certificate {string}
set wifi-private-key {string}
set wifi-private-key-password {password}
set wifi-ca-certificate {string}
next
end
set wifi-passphrase {password}
set wifi-radius-server {string}
set wifi-rts-threshold {integer}
set wifi-security [open|wep64|...]
set wifi-ssid {string}
set wifi-usergroup {string}
set wins-ip {ipv4-address}
next
end

FortiOS 7.4.4 CLI Reference 1328

Fortinet Inc.
config system interface

Parameter Description Type Size Default

ac-name PPPoE server name. string Maximum

length: 63

https HTTPS access.

ssh SSH access.

snmp SNMP access.

http HTTP access.

telnet TELNET access.

fgfm FortiManager access.

radius-acct RADIUS accounting access.

disable Disable ARP forwarding.

atm-protocol * ATM protocol. option - none

Option Description

none Not over ATM.

ipoa IPoA RFC2684.

auth-cert HTTPS server certificate. string Maximum

length: 35

auth-portal-addr Address of captive portal. string Maximum

length: 63

auth-type PPP authentication type to use. option - auto

Option Description

auto Automatically choose authentication.

pap PAP authentication.

chap CHAP authentication.

mschapv1 MS-CHAPv1 authentication.

mschapv2 MS-CHAPv2 authentication.

auto-auth- Enable/disable automatic authorization option - disable

extension-device of dedicated Fortinet extension device
on this interface.

FortiOS 7.4.4 CLI Reference 1330

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable automatic authorization of dedicated Fortinet extension device on

this interface.

disable Disable automatic authorization of dedicated Fortinet extension device on

this interface.

bandwidth- Bandwidth measure time. integer Minimum 0

measure-time value: 0
Maximum
value:
4294967295

bfd Bidirectional Forwarding Detection option - global

(BFD) settings.

Option Description

global BFD behavior of this interface will be based on global configuration.

enable Enable BFD on this interface and ignore global configuration.

disable Disable BFD on this interface and ignore global configuration.

bfd-desired-min- BFD desired minimal transmit interval. integer Minimum 250

tx value: 1
Maximum
value: 100000

bfd-detect-mult BFD detection multiplier. integer Minimum 3

value: 1
Maximum
value: 50

bfd-required-min- BFD required minimal receive interval. integer Minimum 250

rx value: 1
Maximum
value: 100000

broadcast- Enable/disable broadcast forwarding. option - disable

forward

Option Description

enable Enable broadcast forwarding.

disable Disable broadcast forwarding.

FortiOS 7.4.4 CLI Reference 1331

Fortinet Inc.
Parameter Description Type Size Default

cli-conn-status CLI connection status. integer Minimum 0

value: 0
Maximum
value:
4294967295

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

dedicated-to Configure interface for single purpose. option - none

Option Description

none Interface not dedicated for any purpose.

management Dedicate this interface for management purposes only.

default-purdue- default purdue level of device detected option - 3

level on this interface.

Option Description

1 Level 1 - Basic Control

1.5 Level 1.5

2 Level 2 - Area Supervisory Control

2.5 Level 2.5

3 Level 3 - Operations & Control

3.5 Level 3.5

4 Level 4 - Business Planning & Logistics

5 Level 5 - Enterprise Network

5.5 Level 5.5

defaultgw Enable to get the gateway IP from the option - enable

DHCP or PPPoE server.

Option Description

enable Enable default gateway.

disable Disable default gateway.

description Description. var-string Maximum

length: 255

FortiOS 7.4.4 CLI Reference 1332

Fortinet Inc.
Parameter Description Type Size Default

detected-peer- MTU of detected peer. integer Minimum 0

mtu value: 0
Maximum
value:
4294967295

detectprotocol Protocols used to detect the server. option - ping

Option Description

ping PING.

tcp-echo TCP echo.

udp-echo UDP echo.

detectserver Gateway's ping server for this IP. user Not Specified

device- Enable/disable passively gathering of option - disable

identification device identity information about the
devices on the network connected to this
interface.

Option Description

enable Enable passive gathering of identity information about hosts.

disable Disable passive gathering of identity information about hosts.

device-user- Enable/disable passive gathering of user option - enable

identification identity information about users on this
interface.

Option Description

enable Enable passive gathering of user identity information about users.

disable Disable passive gathering of user identity information about users.

devindex Device Index. integer Minimum 0

value: 0
Maximum
value:
4294967295

dhcp-broadcast- Enable/disable setting of the broadcast option - enable

flag flag in messages sent by the DHCP
client.

FortiOS 7.4.4 CLI Reference 1333

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable broadcast flag.

enable Enable broadcast flag.

dhcp-classless- Enable/disable addition of classless option - disable **

route-addition static routes retrieved from DHCP
server.

Option Description

enable Enable addition of classless static routes retrieved from DHCP server.

disable Disable addition of classless static routes retrieved from DHCP server.

dhcp-client- DHCP client identifier. string Maximum

identifier length: 48

dhcp-relay- Enable/disable DHCP relay agent option. option - enable

agent-option

Option Description

enable Enable DHCP relay agent option.

disable Disable DHCP relay agent option.

dhcp-relay-allow- Enable/disable relaying DHCP option - disable

no-end-option messages with no end option.

Option Description

disable Disable relaying DHCP messages with no end option.

enable Enable relaying DHCP messages with no end option.

dhcp-relay- DHCP relay circuit ID. string Maximum

circuit-id length: 64

dhcp-relay- Specify outgoing interface to reach string Maximum

interface server. length: 15

dhcp-relay- Specify how to select outgoing interface option - auto

interface-select- to reach server.
method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

FortiOS 7.4.4 CLI Reference 1334

Fortinet Inc.
Parameter Description Type Size Default

dhcp-relay-ip DHCP relay IP address. user Not Specified

dhcp-relay-link- DHCP relay link selection. ipv4- Not Specified 0.0.0.0

selection address

dhcp-relay- Enable/disable sending of DHCP option - disable

request-all- requests to all servers.
server

Option Description

disable Send DHCP requests only to a matching server.

enable Send DHCP requests to all servers.

dhcp-relay- Enable/disable allowing this interface to option - disable

service act as a DHCP relay.

Option Description

disable None.

enable DHCP relay agent.

dhcp-relay- IP address used by the DHCP relay as its ipv4- Not Specified 0.0.0.0
source-ip source IP. address

dhcp-relay-type DHCP relay type (regular or IPsec). option - regular

Option Description

regular Regular DHCP relay.

ipsec DHCP relay for IPsec.

dhcp-renew-time DHCP renew time in seconds , 0 means integer Minimum 0

use the renew time provided by the value: 300
server. Maximum
value: 604800

dhcp-smart-relay Enable/disable DHCP smart relay. option - disable

Option Description

disable Disable DHCP smart relay.

enable Enable DHCP smart relay.

disc-retry-timeout Time in seconds to wait before retrying to integer Minimum 1

start a PPPoE discovery, 0 means no value: 0
timeout. Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1335

Fortinet Inc.
Parameter Description Type Size Default

distance Distance for routes learned through integer Minimum 5

PPPoE or DHCP, lower distance value: 1
indicates preferred route. Maximum
value: 255

eap-ca-cert EAP CA certificate name. string Maximum

length: 79

eap-identity EAP identity. string Maximum

length: 35

eap-method EAP method. option -

FortiOS 7.4.4 CLI Reference 1336

Fortinet Inc.
Parameter Description Type Size Default

Option Description

tls TLS.

peap PEAP.

eap-password EAP password. password Not Specified

eap-supplicant Enable/disable EAP-Supplicant. option - disable

Option Description

enable Enable EAP Supplicant.

disable Disable EAP Supplicant.

eap-user-cert EAP user certificate name. string Maximum

length: 35

egress-cos * Override outgoing CoS in user VLAN tag. option - disable

Option Description

disable Disable.

cos0 CoS 0.

cos1 CoS 1.

cos2 CoS 2.

cos3 CoS 3.

cos4 CoS 4.

cos5 CoS 5.

cos6 CoS 6.

cos7 CoS 7.

egress-shaping- Outgoing traffic shaping profile. string Maximum

profile length: 35

estimated- Estimated maximum downstream integer Minimum 0

downstream- bandwidth (kbps). Used to estimate link value: 0
bandwidth utilization. Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1337

Fortinet Inc.
Parameter Description Type Size Default

estimated- Estimated maximum upstream integer Minimum 0

upstream- bandwidth (kbps). Used to estimate link value: 0
bandwidth utilization. Maximum
value:
4294967295

explicit-ftp-proxy Enable/disable the explicit FTP proxy on option - disable

this interface.

Option Description

enable Enable explicit FTP proxy on this interface.

disable Disable explicit FTP proxy on this interface.

explicit-web- Enable/disable the explicit web proxy on option - disable

proxy this interface.

Option Description

enable Enable explicit Web proxy on this interface.

disable Disable explicit Web proxy on this interface.

external Enable/disable identifying the interface option - disable

as an external interface (which usually
means it's connected to the Internet).

Option Description

enable Enable identifying the interface as an external interface.

disable Disable identifying the interface as an external interface.

fail-action-on- Action on FortiExtender when interface option - soft-restart

extender fail.

Option Description

soft-restart Soft-restart-on-extender.

hard-restart Hard-restart-on-extender.

reboot Reboot-on-extender.

fail-alert- Names of the FortiGate interfaces to string Maximum

interfaces which the link failure alert is sent. length: 15
<name> Names of the non-virtual interface.

fail-alert-method Select link-failed-signal or link-down option - link-down

method to alert about a failed link.

FortiOS 7.4.4 CLI Reference 1338

Fortinet Inc.
Parameter Description Type Size Default

Option Description

link-failed-signal Link-failed-signal.

link-down Link-down.

fail-detect Enable/disable fail detection features for option - disable

this interface.

Option Description

enable Enable interface failed option status.

disable Disable interface failed option status.

fail-detect-option Options for detecting that this interface option - link-down

has failed.

Option Description

detectserver Use a ping server to determine if the interface has failed.

link-down Use port detection to determine if the interface has failed.

fortilink * Enable FortiLink to dedicate this option - disable

interface to manage other Fortinet
devices.

Option Description

enable Enable FortiLink to dedicated interface for managing FortiSwitch devices.

disable Disable FortiLink to dedicated interface for managing FortiSwitch devices.

fortilink-backup- FortiLink split interface backup link. integer Minimum 0

link value: 0
Maximum
value: 255

fortilink-neighbor- Protocol for FortiGate neighbor option - fortilink

detect discovery.

Option Description

lldp Detect FortiLink neighbors using LLDP protocol.

fortilink Detect FortiLink neighbors using FortiLink protocol.

fortilink-split- Enable/disable FortiLink split interface to option - enable

interface connect member link to different
FortiSwitch in stack for uplink
redundancy.

FortiOS 7.4.4 CLI Reference 1339

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable FortiLink split interface to connect member link to different

FortiSwitch in stack for uplink redundancy.

disable Disable FortiLink split interface.

forward-domain Transparent mode forward domain. integer Minimum 0

value: 0
Maximum
value:
2147483647

forward-error- Configure forward error correction option - none

correction * (FEC).

Option Description

none none

disable Disable forward error correction (FEC).

cl91-rs-fec Reed-Solomon (FEC CL91).

cl74-fc-fec Fire-Code (FEC CL74).

auto Negotaite forward error correction (FEC).

gateway-address Gateway address. ipv4- Not Specified 0.0.0.0

* address

gwaddr * Gateway address. ipv4- Not Specified 0.0.0.0

address

gwdetect Enable/disable detect gateway alive for option - disable

first.

Option Description

enable Enable detect gateway alive for first.

disable Disable detect gateway alive for first.

ha-priority HA election priority for the PING server. integer Minimum 1

value: 1
Maximum
value: 50

icmp-accept- Enable/disable ICMP accept redirect. option - enable

redirect

FortiOS 7.4.4 CLI Reference 1340

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable ICMP accept redirect.

disable Disable ICMP accept redirect.

icmp-send- Enable/disable sending of ICMP option - enable

redirect redirects.

Option Description

enable Enable sending of ICMP redirects.

disable Disable sending of ICMP redirects.

ident-accept Enable/disable authentication for this option - disable

interface.

Option Description

enable Enable determining a user's identity from packet identification.

disable Disable determining a user's identity from packet identification.

idle-timeout PPPoE auto disconnect after idle timeout integer Minimum 0

seconds, 0 means no timeout. value: 0
Maximum
value: 32767

ike-saml-server Configure IKE authentication SAML string Maximum

server. length: 35

inbandwidth Bandwidth limit for incoming traffic , 0 integer Minimum 0

means unlimited. value: 0
Maximum
value:
80000000 **

ingress-cos * Override incoming CoS in user VLAN tag option - disable

on VLAN interface or assign a priority
VLAN tag on physical interface.

Option Description

disable Disable.

cos0 CoS 0.

cos1 CoS 1.

cos2 CoS 2.

FortiOS 7.4.4 CLI Reference 1341

Fortinet Inc.
Parameter Description Type Size Default

Option Description

cos3 CoS 3.

cos4 CoS 4.

cos5 CoS 5.

cos6 CoS 6.

cos7 CoS 7.

ingress-shaping- Incoming traffic shaping profile. string Maximum

ipmac Enable/disable IP/MAC binding. option - disable

Option Description

enable Enable IP/MAC binding.

disable Disable IP/MAC binding.

ips-sniffer-mode Enable/disable the use of this interface option - disable

as a one-armed sniffer.

Option Description

enable Enable IPS sniffer mode.

disable Disable IPS sniffer mode.

ipunnumbered Unnumbered IP used for PPPoE ipv4- Not Specified 0.0.0.0

interfaces for which no unique local address
address is provided.

l2forward Enable/disable l2 forwarding. option - disable

lacp-mode LACP mode. option - active

Option Description

static Use static aggregation, do not send and ignore any LACP messages.

passive Passively use LACP to negotiate 802.3ad aggregation.

active Actively use LACP to negotiate 802.3ad aggregation.

lacp-speed How often the interface sends LACP option - slow

messages.

Option Description

slow Send LACP message every 30 seconds.

fast Send LACP message every second.

lcp-echo-interval Time in seconds between PPPoE Link integer Minimum 5

Control Protocol (LCP) echo requests. value: 0
Maximum
value: 32767

lcp-max-echo- Maximum missed LCP echo messages integer Minimum 3

fails before disconnect. value: 0
Maximum
value: 32767

link-up-delay Number of milliseconds to wait before integer Minimum 50

considering a link is up. value: 50
Maximum
value:
3600000

lldp-network- LLDP-MED network policy profile. string Maximum

policy length: 35

lldp-reception Enable/disable Link Layer Discovery option - vdom

Protocol (LLDP) reception.

Option Description

enable Enable reception of Link Layer Discovery Protocol (LLDP).

disable Disable reception of Link Layer Discovery Protocol (LLDP).

vdom Use VDOM Link Layer Discovery Protocol (LLDP) reception configuration
setting.

lldp-transmission Enable/disable Link Layer Discovery option - vdom

Protocol (LLDP) transmission.

FortiOS 7.4.4 CLI Reference 1344

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable transmission of Link Layer Discovery Protocol (LLDP).

disable Disable transmission of Link Layer Discovery Protocol (LLDP).

vdom Use VDOM Link Layer Discovery Protocol (LLDP) transmission

configuration setting.

macaddr Change the interface's MAC address. mac- Not Specified 00:00:00:00:00:00
address

managed- Number of IP addresses to be allocated option - 256

subnetwork-size by FortiIPAM and used by this FortiGate
unit's DHCP server settings.

Option Description

32 Allocate a subnet with 32 IP addresses.

64 Allocate a subnet with 64 IP addresses.

128 Allocate a subnet with 128 IP addresses.

256 Allocate a subnet with 256 IP addresses.

512 Allocate a subnet with 512 IP addresses.

1024 Allocate a subnet with 1024 IP addresses.

2048 Allocate a subnet with 2048 IP addresses.

4096 Allocate a subnet with 4096 IP addresses.

8192 Allocate a subnet with 8192 IP addresses.

16384 Allocate a subnet with 16384 IP addresses.

32768 Allocate a subnet with 32768 IP addresses.

65536 Allocate a subnet with 65536 IP addresses.

management-ip High Availability in-band management IP ipv4- Not Specified 0.0.0.0 0.0.0.0
address of this interface. classnet-
host

measured- Measured downstream bandwidth integer Minimum 0

downstream- (kbps). value: 0
bandwidth Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1345

Fortinet Inc.
Parameter Description Type Size Default

measured- Measured upstream bandwidth (kbps). integer Minimum 0

upstream- value: 0
bandwidth Maximum
value:
4294967295

mediatype * Select SFP media interface type option - serdes-sfp **

Option Description

serdes-sfp SFP using SerDes Media Interface

sgmii-sfp SFP using SGMII Media Interface

serdes-copper- Copper SFP using SerDes media Interface.

sfp

member Physical interfaces that belong to the string Maximum

<interface- aggregate or redundant interface. length: 79
name> Physical interface name.

min-links Minimum number of aggregated ports integer Minimum 1

that must be up. value: 1
Maximum
value: 32

min-links-down Action to take when less than the option - operational

configured minimum number of links are
active.

Option Description

operational Set the aggregate operationally down.

administrative Set the aggregate administratively down.

mirroring- Port mirroring direction. option -

direction *

Option Description

rx Port mirroring receive direction only.

tx Port mirroring transmit direction only.

both Port mirroring both directions.

mirroring-port * Mirroring port. string Maximum

length: 15

mode Addressing mode (static, DHCP, option - static

PPPoE).

FortiOS 7.4.4 CLI Reference 1346

Fortinet Inc.
Parameter Description Type Size Default

Option Description

static Static setting.

dhcp External DHCP client mode.

pppoe External PPPoE mode.

monitor- Enable monitoring bandwidth on this option - disable

bandwidth interface.

Option Description

enable Enable monitoring bandwidth on this interface.

disable Disable monitoring bandwidth on this interface.

mtu MTU value for this interface. integer Minimum 1500

value: 0
Maximum
value:
4294967295

mtu-override Enable to set a custom MTU for this option - disable

interface.

Option Description

enable Override default MTU.

disable Use default MTU.

mux-type * Multiplexer type. option - llc-encaps

Option Description

llc-encaps LLC encapsulation.

vc-encaps VC encapsulation.

name Name. string Maximum

length: 15

ndiscforward Enable/disable NDISC forwarding. option - enable

outbandwidth Bandwidth limit for outgoing traffic. integer Minimum 0

value: 0
Maximum
value:
80000000 **

padt-retry- PPPoE Active Discovery Terminate integer Minimum 1

timeout (PADT) used to terminate sessions after value: 0
an idle time. Maximum
value:
4294967295

password PPPoE account's password. password Not Specified

phy-mode * DSL physical mode. option - vdsl

Option Description

vdsl VDSL.

ping-serv-status PING server status. integer Minimum 0

value: 0
Maximum
value: 255

poe * Enable/disable PoE status. option - enable

FortiOS 7.4.4 CLI Reference 1348

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable PoE status.

disable Disable PoE status.

polling-interval sFlow polling interval in seconds. integer Minimum 20

value: 1
Maximum
value: 255

port-mirroring * Enable/disable NP port mirroring. option - disable

Option Description

disable Disable NP port mirroring.

enable Enable NP port mirroring.

pppoe- Enable/disable PPPoE unnumbered option - enable

unnumbered- negotiation.
negotiate

Option Description

enable Enable IP address negotiating for unnumbered.

disable Disable IP address negotiating for unnumbered.

pptp-auth-type PPTP authentication type. option - auto

Option Description

auto Automatically choose authentication.

pap PAP authentication.

chap CHAP authentication.

mschapv1 MS-CHAPv1 authentication.

mschapv2 MS-CHAPv2 authentication.

pptp-client Enable/disable PPTP client. option - disable

Option Description

enable Enable PPTP client.

disable Disable PPTP client.

pptp-password PPTP password. password Not Specified

pptp-server-ip PPTP server IP address. ipv4- Not Specified 0.0.0.0

address

FortiOS 7.4.4 CLI Reference 1349

Fortinet Inc.
Parameter Description Type Size Default

pptp-timeout Idle timer in minutes (0 for disabled). integer Minimum 0

value: 0
Maximum
value: 65535

pptp-user PPTP user name. string Maximum

length: 64

preserve- Enable/disable preservation of session option - disable

session-route route when dirty.

Option Description

enable Enable preservation of session route when dirty.

disable Disable preservation of session route when dirty.

cbr ATM QoS CBR.

rt-vbr ATM QoS rt-VBR.

nrt-vbr ATM QoS nrt-VBR.

ubr ATM QoS CCBR.

FortiOS 7.4.4 CLI Reference 1350

Fortinet Inc.
Parameter Description Type Size Default

pvc-chan * SFP-DSL ADSL Fallback PVC Channel. integer Minimum 0

value: 0
Maximum
value: 7

pvc-crc * SFP-DSL ADSL Fallback PVC CRC integer Minimum 2

Option: bit0: sar LLC preserve, bit1: value: 0
ream LLC preserve, bit2: ream VC-MUX Maximum
has crc. value: 7

pvc-pcr * SFP-DSL ADSL Fallback PVC Packet integer Minimum 0

Cell Rate in cells. value: 0
Maximum
value: 5500

pvc-scr * SFP-DSL ADSL Fallback PVC integer Minimum 0

Sustainable Cell Rate in cells. value: 0
Maximum
value: 5500

pvc-vlan-id * SFP-DSL ADSL Fallback PVC VLAN ID. integer Minimum 7

value: 1
Maximum
value: 4094

pvc-vlan-rx-id * SFP-DSL ADSL Fallback PVC VLANID integer Minimum 7

RX. value: 1
Maximum
value: 4094

pvc-vlan-rx-op * SFP-DSL ADSL Fallback PVC VLAN RX option - pass-through

op.

Option Description

pass-through PVC VLAN Tag Passthrough.

replace PVC VLAN Tag Replace.

remove PVC VLAN Tag Remove.

pvc-vlan-tx-id * SFP-DSL ADSL Fallback PVC VLAN ID integer Minimum 7

TX. value: 1
Maximum
value: 4094

pvc-vlan-tx-op * SFP-DSL ADSL Fallback PVC VLAN TX option - remove

op.

FortiOS 7.4.4 CLI Reference 1351

Fortinet Inc.
Parameter Description Type Size Default

Option Description

pass-through PVC VLAN Tag Passthrough.

replace PVC VLAN Tag Replace.

remove PVC VLAN Tag Remove.

reachable-time IPv4 reachable time in milliseconds. integer Minimum 30000

value: 30000
Maximum
value:
3600000

redundant- Redundant interface. string Maximum

interface length: 15

remote-ip Remote IP address of tunnel. ipv4- Not Specified 0.0.0.0 0.0.0.0

classnet-
host

replacemsg- Replacement message override group. string Maximum

override-group length: 35

retransmission * Enable/disable DSL retransmission. option - enable

Option Description

disable Disable retransmission.

enable Enable retransmission.

ring-rx * RX ring size. integer Minimum 0

value: 0
Maximum
value:
4294967295

ring-tx * TX ring size. integer Minimum 0

value: 0
Maximum
value:
4294967295

role Interface role. option - undefined

value: 10
Maximum
value: 99999

secondary-IP Enable/disable adding a secondary IP to option - disable

this interface.

Option Description

enable Enable secondary IP.

disable Disable secondary IP.

security-8021x- VLAN ID for virtual switch. integer Minimum 0

dynamic-vlan-id * value: 0
Maximum
value: 4094

security-8021x- 802.1X master virtual-switch. string Maximum

master * length: 15

security-8021x- 802.1X member mode. option - switch

member-mode *

Option Description

switch This member will use switch 802.1X configuration.

disable This member will disable 802.1X configuration.

security-8021x- 802.1X mode. option - default

mode *

FortiOS 7.4.4 CLI Reference 1353

Fortinet Inc.
Parameter Description Type Size Default

Option Description

default 802.1X default mode.

dynamic-vlan 802.1X dynamic VLAN (master) mode.

fallback 802.1X fallback (master) mode.

slave 802.1X slave mode.

security-exempt- Name of security-exempt-list. string Maximum

list length: 35

security-external- URL of external authentication logout string Maximum

logout server. length: 127

security-external- URL of external authentication web var-string Maximum

web server. length: 1023

security-groups User groups that can authenticate with string Maximum

<name> the captive portal. length: 79
Names of user groups that can
authenticate with the captive portal.

security-mac- Enable/disable MAC authentication option - disable

auth-bypass bypass.

Option Description

mac-auth-only Enable MAC authentication bypass without EAP.

enable Enable MAC authentication bypass.

disable Disable MAC authentication bypass.

security-mode Turn on captive portal authentication for option - none

this interface.

Option Description

none No security option.

captive-portal Captive portal authentication.

802.1X 802.1X port-based authentication.

security-redirect- URL redirection after var-string Maximum

url disclaimer/authentication. length: 1023

service-name PPPoE service name. string Maximum

length: 63

sflow-sampler Enable/disable sFlow on this interface. option - disable

FortiOS 7.4.4 CLI Reference 1354

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable sFlow protocol on this interface.

disable Disable sFlow protocol on this interface.

sfp-dsl * Enable/disable SFP DSL. option - disable

snmp-index Permanent SNMP Index of the interface. integer Minimum 0

value: 1
Maximum
value:
2147483647

speed Interface speed. The default setting and option - auto

the options available depend on the
interface hardware.

Option Description

auto Automatically adjust speed.

10full 10M full-duplex.

10half 10M half-duplex.

FortiOS 7.4.4 CLI Reference 1355

Fortinet Inc.
Parameter Description Type Size Default

Option Description

100full 100M full-duplex.

100half 100M half-duplex.

1000full 1000M full-duplex.

1000auto 1000M auto adjust.

10000full 10G full-duplex.

10000auto 10G auto.

spillover- Egress Spillover threshold , 0 means integer Minimum 0

threshold unlimited. value: 0
Maximum
value:
16776000

src-check Enable/disable source IP check. option - enable

Option Description

enable Enable source IP check.

disable Disable STP edge port.

enable Enable STP edge port.

stp-ha-secondary Control STP behavior on HA secondary. option - priority-adjust

FortiOS 7.4.4 CLI Reference 1356

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable STP negotiation on HA secondary.

enable Enable STP negotiation on HA secondary.

priority-adjust Enable STP negotiation on HA secondary and make priority lower than HA
primary.

stpforward Enable/disable STP forwarding. option - disable

Option Description

enable Enable STP forwarding.

disable Disable STP forwarding.

stpforward-mode Configure STP forwarding mode. option - rpl-all-ext-id

Option Description

rpl-all-ext-id Replace all extension IDs (root, bridge).

rpl-bridge-ext-id Replace the bridge extension ID only.

rpl-nothing Replace nothing.

subst Enable to always send packets from this option - disable

interface to a destination MAC address.

Option Description

enable Send packets from this interface.

disable Do not send packets from this interface.

substitute-dst- Destination MAC address that all mac- Not Specified 00:00:00:00:00:00
mac packets are sent to from this interface. address

sw-algorithm * Frame distribution algorithm for switch. option - default

Option Description

l2 Use layer 2 address for distribution.

l3 Use layer 3 address for distribution.

eh Use enhanced hashing for distribution.

default Use the hashing that the driver selects during initialization for distribution.

FortiOS 7.4.4 CLI Reference 1357

Fortinet Inc.
Parameter Description Type Size Default

swc-first-create * Initial create for switch-controller VLANs. integer Minimum 0

value: 0
Maximum
value:
4294967295

swc-vlan * Creation status for switch-controller integer Minimum 0

VLANs. value: 0
Maximum
value:
4294967295

switch Contained in switch. string Maximum

length: 15

switch-controller- Block FortiSwitch port-to-port traffic. option - disable

access-vlan *

Option Description

enable Block FortiSwitch port-to-port traffic on the VLAN, only permitting traffic to
and from the FortiGate.

disable Allow normal VLAN traffic.

switch-controller- Enable/disable/Monitor FortiSwitch ARP option - disable

arp-inspection * inspection.

Option Description

dynamic * managed FortiSwitch. length: 35

switch-controller- Interface's purpose when assigning option - none

feature * traffic (read only).

Option Description

none VLAN for generic purpose.

default-vlan Default VLAN (native) assigned to all switch ports upon discovery.

quarantine VLAN for quarantined traffic.

rspan VLAN for RSPAN/ERSPAN mirrored traffic.

voice VLAN dedicated for voice devices.

video VLAN dedicated for camera devices.

nac VLAN dedicated for NAC onboarding devices.

nac-segment VLAN dedicated for NAC segment devices.

switch-controller- Switch controller IGMP snooping. option - disable

igmp-snooping *

Option Description

enable Enable IGMP snooping.

disable Disable IGMP snooping.

enable Enable IoT scanning for managed FortiSwitch devices.

disable Disable IoT scanning for managed FortiSwitch devices.

switch-controller- Limit the number of dynamic MAC integer Minimum 0

learning-limit * addresses on this VLAN. value: 0
Maximum
value: 128

switch-controller- VLAN to use for FortiLink management integer Minimum 4094

mgmt-vlan * purposes. value: 1
Maximum
value: 4094

switch-controller- Integrated FortiLink settings for string Maximum

nac * managed FortiSwitch. length: 35

switch-controller- NetFlow collection and processing. option - disable

netflow-collect *

Option Description

disable Disable NetFlow collection.

enable Enable NetFlow collection.

switch-controller- Enable/disable managed FortiSwitch option - disable

offload * routing offload.

FortiOS 7.4.4 CLI Reference 1360

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable routing offload to managed FortiSwitch devices.

disable Disable routing offload to managed FortiSwitch devices.

switch-controller- Enable/disable managed FortiSwitch option - disable

offload-gw * routing offload gateway.

Option Description

enable Enable routing offload gateway to managed FortiSwitch devices.

disable Disable routing offload gateway to managed FortiSwitch devices.

switch-controller- IP for routing offload on FortiSwitch. ipv4- Not Specified 0.0.0.0

offload-ip * address

switch-controller- Stop Layer2 MAC learning and option - disable

rspan-mode * interception of BPDUs and other packets
on this interface.

Option Description

disable Disable RSPAN passthrough mode on this VLAN interface.

enable Enable RSPAN passthrough mode on this VLAN interface.

switch-controller- Source IP address used in FortiLink over option - outbound

source-ip * L3 connections.

Option Description

outbound Source IP address is that of the outbound interface.

fixed Source IP address is that of the FortiLink interface.

switch-controller- Switch controller traffic policy for the string Maximum

traffic-policy * VLAN. length: 63

system-id Define a system ID for the aggregate mac- Not Specified 00:00:00:00:00:00
interface. address

system-id-type Method in which system ID is generated. option - auto

Option Description

auto Use the MAC address of the first member.

user User-defined system ID.

tc-mode * DSL transfer mode. option - ptm

FortiOS 7.4.4 CLI Reference 1361

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ptm Packet transfer mode.

tcp-mss TCP maximum segment size. 0 means integer Minimum 0

do not change segment size. value: 48
Maximum
value: 65535

trunk * Enable/disable VLAN trunk. option - disable

Option Description

enable Enable VLAN trunk on this interface.

disable Disable VLAN trunk on this interface.

trust-ip-1 Trusted host for dedicated management ipv4- Not Specified 0.0.0.0 0.0.0.0
traffic (0.0.0.0/24 for all hosts). classnet-
any

trust-ip-2 Trusted host for dedicated management ipv4- Not Specified 0.0.0.0 0.0.0.0
traffic (0.0.0.0/24 for all hosts). classnet-
any

trust-ip-3 Trusted host for dedicated management ipv4- Not Specified 0.0.0.0 0.0.0.0
traffic (0.0.0.0/24 for all hosts). classnet-
any

trust-ip6-1 Trusted IPv6 host for dedicated ipv6-prefix Not Specified ::/0
management traffic (::/0 for all hosts).

trust-ip6-2 Trusted IPv6 host for dedicated ipv6-prefix Not Specified ::/0
management traffic (::/0 for all hosts).

trust-ip6-3 Trusted IPv6 host for dedicated ipv6-prefix Not Specified ::/0
management traffic (::/0 for all hosts).

type Interface type. option - vlan

Option Description

physical Physical interface.

vlan VLAN interface.

aggregate Aggregate interface.

redundant Redundant interface.

tunnel Tunnel interface.

vdom-link VDOM link interface.

FortiOS 7.4.4 CLI Reference 1362

Fortinet Inc.
Parameter Description Type Size Default

Option Description

loopback Loopback interface.

switch Software switch interface.

vap-switch VAP interface.

wl-mesh WLAN mesh interface.

fext-wan FortiExtender interface.

vxlan VXLAN interface.

geneve GENEVE interface.

hdlc T1/E1 interface.

switch-vlan Switch VLAN interface.

emac-vlan EMAC VLAN interface.

ssl SSL VPN client interface.

lan-extension LAN extension interface.

username Username of the PPPoE account, string Maximum

provided by your ISP. length: 64

vci * Virtual Channel ID. integer Minimum 35

value: 0
Maximum
value: 65535

vdom Interface is in this virtual domain string Maximum

(VDOM). length: 31

vectoring * Enable/disable DSL vectoring. option - enable

Option Description

disable Disable vectoring.

enable Enable vectoring.

vindex * Switch control interface VLAN ID. integer Minimum 0

value: 0
Maximum
value: 65535

vlan-protocol Ethernet protocol of VLAN. option - 8021q

FortiOS 7.4.4 CLI Reference 1363

Fortinet Inc.
Parameter Description Type Size Default

Option Description

8021q IEEE 802.1Q.

8021ad IEEE 802.1AD.

vlanforward Enable/disable traffic forwarding option - disable

between VLANs on this interface.

Option Description

enable Enable traffic forwarding.

disable Disable traffic forwarding.

vlanid VLAN ID. integer Minimum 0

value: 1
Maximum
value: 4094

vpi * Virtual Path ID. integer Minimum 0

value: 0
Maximum
value: 255

vrf Virtual Routing Forwarding ID. integer Minimum 0

value: 0
Maximum
value: 251

vrrp-virtual-mac Enable/disable use of virtual MAC for option - disable

VRRP.

Option Description

enable Enable use of virtual MAC for VRRP.

disable Disable use of virtual MAC for VRRP.

wccp Enable/disable WCCP on this interface. option - disable

Used for encapsulated WCCP
communication between WCCP clients
and servers.

Option Description

enable Enable WCCP protocol on this interface.

disable Disable WCCP protocol on this interface.

FortiOS 7.4.4 CLI Reference 1364

Fortinet Inc.
Parameter Description Type Size Default

weight Default weight for static routes (if route integer Minimum 0
has no weight configured). value: 0
Maximum
value: 255

wifi-5g-threshold Minimal signal strength to be considered string Maximum -78

* as a good 5G AP. length: 7

wifi-acl * Access control for MAC addresses in the option - deny

MAC list.

Option Description

allow Allow.

deny Deny.

wifi-ap-band * How to select the AP to connect. option - any

Option Description

any Connect to the best 2G or 5G AP.

5g-preferred Connect to the 5G AP if a good 5G AP exists.

5g-only Only connect to the 5G AP.

wifi-auth * WiFi authentication. option - PSK

Option Description

PSK PSK.

radius RADIUS.

usergroup User group.

wifi-auto-connect Enable/disable WiFi network auto option - enable

* connect.

Option Description

enable Enable WiFi network auto connect.

disable Disable WiFi network auto connect.

wifi-auto-save * Enable/disable WiFi network automatic option - disable

save.

Option Description

enable Enable WiFi network automatic save.

disable Disable WiFi network automatic save.

FortiOS 7.4.4 CLI Reference 1365

Fortinet Inc.
Parameter Description Type Size Default

wifi-broadcast- Enable/disable SSID broadcast in the option - enable

ssid * beacon.

Option Description

enable Enable SSID broadcast in the beacon.

disable Disable SSID broadcast in the beacon.

wifi-key * WiFi WEP Key. password Not Specified

wifi-keyindex * WEP key index. integer Minimum 1

value: 1
Maximum
value: 4

wifi-mac-filter * Enable/disable MAC filter status. option - disable

Option Description

enable Enable MAC filter.

disable Disable MAC filter.

wifi-passphrase * WiFi pre-shared key for WPA. password Not Specified

wifi-radius-server WiFi RADIUS server for WPA. string Maximum

* length: 35

FortiOS 7.4.4 CLI Reference 1366

Fortinet Inc.
Parameter Description Type Size Default

wifi-rts-threshold WiFi RTS threshold. integer Minimum 2346

* value: 256
Maximum
value: 2346

wifi-security * Wireless access security of SSID. option - wpa-personal

Option Description

open Open.

wep64 WEP64.

wep128 WEP128.

wpa-personal WPA personal.

wpa-enterprise WPA enterprise.

wpa-only- WPA personal only.

personal

wpa-only- WPA enterprise only.

enterprise

wpa2-only- WPA2 personal only.

personal

wpa2-only- WPA2 enterprise only.

enterprise

wifi-ssid * IEEE 802.11 Service Set Identifier. string Maximum fortinet

length: 32

wifi-usergroup * WiFi user group for WPA. string Maximum

length: 35

wins-ip WINS server IP. ipv4- Not Specified 0.0.0.0

address

* This parameter may not exist in some models.

** Values may differ between models.

config client-options

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1367

Fortinet Inc.
Parameter Description Type Size Default

code DHCP client option code. integer Minimum 0

value: 0
Maximum
value: 255

type DHCP client option type. option - hex

Option Description

hex DHCP option in hex.

string DHCP option in string.

ip DHCP option in IP.

fqdn DHCP option in domain search option format.

value DHCP client option value. string Maximum

length: 312

ip DHCP option IPs. user Not Specified

config dhcp-snooping-server-list

Parameter Description Type Size Default

name DHCP server name. string Maximum default

length: 35

server-ip IP address for DHCP server. ipv4- Not 0.0.0.0

address Specified

config egress-queues

Parameter Description Type Size Default

cos7 CoS profile name for CoS 7. string Maximum

length: 35

config ipv6

Parameter Description Type Size Default

ip6-mode Addressing mode (static, DHCP, delegated). option - static

Option Description

static Static setting.

dhcp DHCPv6 client mode.

pppoe IPv6 over PPPoE mode.

delegated IPv6 address with delegated prefix.

nd-mode Neighbor discovery mode. option - basic

Option Description

basic Do not support SEND.

SEND- Support SEND.

compatible

nd-cert Neighbor discovery certificate. string Maximum

length: 35

nd-security- Neighbor discovery security level. integer Minimum 0

level value: 0
Maximum
value: 7

nd-timestamp- Neighbor discovery timestamp delta value. integer Minimum 300

delta value: 1
Maximum
value: 3600

nd-timestamp- Neighbor discovery timestamp fuzz factor. integer Minimum 1

fuzz value: 1
Maximum
value: 60

FortiOS 7.4.4 CLI Reference 1369

Fortinet Inc.
Parameter Description Type Size Default

nd-cga- Neighbor discovery CGA modifier. user Not Specified

modifier

ip6-dns- Enable/disable using the DNS server acquired by option - enable

server- DHCP.
override

Option Description

enable Enable using the DNS server acquired by DHCP.

disable Disable using the DNS server acquired by DHCP.

ip6-address Primary IPv6 address prefix. Syntax: ipv6-prefix Not Specified ::/0
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx.

ip6- Allow management access to the interface. option -

allowaccess

Option Description

ping PING access.

https HTTPS access.

ssh SSH access.

snmp SNMP access.

http HTTP access.

telnet TELNET access.

fgfm FortiManager access.

fabric Fabric access.

ip6-send-adv Enable/disable sending advertisements about the option - disable

interface.

Option Description

enable Enable sending advertisements about this interface.

disable Disable sending advertisements about this interface.

icmp6-send- Enable/disable sending of ICMPv6 redirects. option - enable

redirect

Option Description

enable Enable sending of ICMPv6 redirects.

disable Disable sending of ICMPv6 redirects.

FortiOS 7.4.4 CLI Reference 1370

Fortinet Inc.
Parameter Description Type Size Default

ip6-manage- Enable/disable the managed flag. option - disable

flag

Option Description

enable Enable the managed IPv6 flag.

disable Disable the managed IPv6 flag.

ip6-other-flag Enable/disable the other IPv6 flag. option - disable

Option Description

enable Enable the other IPv6 flag.

disable Disable the other IPv6 flag.

ip6-max- IPv6 maximum interval (4 to 1800 sec). integer Minimum 600

interval value: 4
Maximum
value: 1800

ip6-min- IPv6 minimum interval (3 to 1350 sec). integer Minimum 198

interval value: 3
Maximum
value: 1350

ip6-link-mtu IPv6 link MTU. integer Minimum 0

value: 1280
Maximum
value: 16000

ra-send-mtu Enable/disable sending link MTU in RA packet. option - enable

Option Description

enable Enable sending link MTU in RA packet.

disable Disable sending link MTU in RA packet.

ip6-reachable- IPv6 reachable time (milliseconds; 0 means integer Minimum 0

time unspecified). value: 0
Maximum
value:
3600000

ip6-retrans- IPv6 retransmit time (milliseconds; 0 means integer Minimum 0

time unspecified). value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1371

Fortinet Inc.
Parameter Description Type Size Default

ip6-default-life Default life (sec). integer Minimum 1800

value: 0
Maximum
value: 9000

ip6-hop-limit Hop limit (0 means unspecified). integer Minimum 0

value: 0
Maximum
value: 255

autoconf Enable/disable address auto config. option - disable

Option Description

enable Enable auto-configuration.

disable Disable auto-configuration.

unique- Enable/disable unique auto config address. option - disable

autoconf-addr

Option Description

enable Enable unique auto-configuration address.

disable Disable unique auto-configuration address.

interface- IPv6 interface identifier. ipv6- Not Specified ::

identifier address

ip6-prefix- Assigning a prefix from DHCP or RA. option - dhcp6

mode

Option Description

dhcp6 Use delegated prefix from a DHCPv6 client to form a delegated IPv6 address.

ra Use prefix from RA to form a delegated IPv6 address.

ip6-delegated- IAID of obtained delegated-prefix from the upstream integer Minimum 0

prefix-iaid interface. value: 0
Maximum
value:
4294967295

ip6-upstream- Interface name providing delegated information. string Maximum

interface length: 15

ip6-subnet Subnet to routing prefix. Syntax: ipv6-prefix Not Specified ::/0

xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx.

dhcp6-relay- Enable/disable DHCPv6 relay. option - disable

service

FortiOS 7.4.4 CLI Reference 1372

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable DHCPv6 relay

enable Enable DHCPv6 relay.

dhcp6-relay- DHCPv6 relay type. option - regular

type

Option Description

regular Regular DHCP relay.

dhcp6-relay- Enable/disable use of address on this interface as the option - disable

source- source address of the relay message.
interface

Option Description

disable Use address of the egress interface as source address of the relay message.

enable Use address of this interface as source address of the relay message.

dhcp6-relay-ip DHCPv6 relay IP address. user Not Specified

dhcp6-relay- IPv6 address used by the DHCP6 relay as its source ipv6- Not Specified ::
source-ip IP. address

dhcp6-relay- DHCP6 relay interface ID. string Maximum

interface-id length: 64

dhcp6-client- DHCPv6 client options. option -

options

Option Description

disable Disable virtual MAC for VRRP.

vrip6_link_ Link-local IPv6 address of virtual router. ipv6- Not Specified ::

local address

config ip6-extra-addr

Parameter Description Type Size Default

prefix IPv6 address prefix. ipv6-prefix Not ::/0

Specified

config ip6-prefix-list

Parameter Description Type Size Default

prefix IPv6 prefix. ipv6- Not Specified ::/0

network

autonomous- Enable/disable the autonomous flag. option - enable

flag

Option Description

enable Enable the autonomous flag.

disable Disable the autonomous flag.

FortiOS 7.4.4 CLI Reference 1374

Fortinet Inc.
Parameter Description Type Size Default

onlink-flag Enable/disable the onlink flag. option - enable

Option Description

enable Enable the onlink flag.

disable Disable the onlink flag.

valid-life-time Valid life time (sec). integer Minimum 2592000

value: 0
Maximum
value:
4294967295

preferred-life- Preferred life time (sec). integer Minimum 604800

time value: 0
Maximum
value:
4294967295

rdnss Recursive DNS server option. user Not Specified

dnssl DNS search list option. string Maximum

<domain> Domain name. length: 79

config ip6-delegated-prefix-list

Parameter Description Type Size Default

prefix-id Prefix ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

upstream- Name of the interface that provides delegated string Maximum

interface information. length: 15

delegated- IAID of obtained delegated-prefix from the upstream integer Minimum 0

prefix-iaid interface. value: 0
Maximum
value:
4294967295

autonomous- Enable/disable the autonomous flag. option - enable

flag

Option Description

enable Enable the autonomous flag.

disable Disable the autonomous flag.

FortiOS 7.4.4 CLI Reference 1375

Fortinet Inc.
Parameter Description Type Size Default

onlink-flag Enable/disable the onlink flag. option - enable

Option Description

enable Enable the onlink flag.

disable Disable the onlink flag.

subnet Add subnet ID to routing prefix. ipv6- Not Specified ::/0

network

rdnss-service Recursive DNS service option. option - specify

Option Description

delegated Delegated RDNSS settings.

default System RDNSS settings.

specify Specify recursive DNS servers.

rdnss Recursive DNS server option. user Not Specified

config dhcp6-iapd-list

Parameter Description Type Size Default

iaid Identity association identifier. integer Minimum 0

value: 0
Maximum
value:
4294967295

prefix-hint DHCPv6 prefix that will be used as a hint to the ipv6- Not Specified ::/0
upstream DHCPv6 server. network

prefix-hint-plt DHCPv6 prefix hint preferred life time (sec), 0 means integer Minimum 604800
unlimited lease time. value: 0
Maximum
value:
4294967295

prefix-hint-vlt DHCPv6 prefix hint valid life time (sec). integer Minimum 2592000
value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1376

Fortinet Inc.
config vrrp6

Parameter Description Type Size Default

FortiOS 7.4.4 CLI Reference 1377

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Ignore default route when checking destination.

disable Do not ignore default route when checking destination.

status Enable/disable VRRP. option - enable

Option Description

enable Enable VRRP.

disable Disable VRRP.

config l2tp-client-settings

Parameter Description Type Size Default

user L2TP user name. string Maximum

length: 127

password L2TP password. password Not

Specified

peer-host L2TP peer host address. string Maximum

length: 255

peer-mask L2TP peer mask. ipv4- Not 255.255.255.255

netmask Specified

peer-port L2TP peer port number. integer Minimum 1701

value: 1
Maximum
value:
65535

auth-type L2TP authentication type. option - auto

Option Description

auto Automatically choose authentication.

pap PAP authentication.

chap CHAP authentication.

mschapv1 MS-CHAPv1 authentication.

mschapv2 MS-CHAPv2 authentication.

FortiOS 7.4.4 CLI Reference 1378

Fortinet Inc.
Parameter Description Type Size Default

mtu L2TP MTU. integer Minimum 1460

value: 40
Maximum
value:
65535

distance Distance of learned routes. integer Minimum 2

value: 1
Maximum
value: 255

priority Priority of learned routes. integer Minimum 1

value: 1
Maximum
value:
65535

defaultgw Enable/disable default gateway. option - disable

Option Description

enable Enable default gateway.

disable Disable default gateway.

ip IP. ipv4- Not 0.0.0.0 0.0.0.0

classnet- Specified
host

hello-interval L2TP hello message interval in seconds. integer Minimum 60

value: 0
Maximum
value: 3600

config mirroring-filter

Parameter Description Type Size Default

filter-srcip Source IP and mask of mirroring filter. ipv4- Not 0.0.0.0

classnet- Specified 0.0.0.0
host

filter-dstip Destinatin IP and mask of mirroring filter. ipv4- Not 0.0.0.0

classnet- Specified 0.0.0.0
host

filter-sport Source port of mirroring filter. integer Minimum 0

value: 0
Maximum
value:
65535

FortiOS 7.4.4 CLI Reference 1379

Fortinet Inc.
Parameter Description Type Size Default

filter-dport Destinatin port of mirroring filter. integer Minimum 0

value: 0
Maximum
value:
65535

filter-protocol Protocol of mirroring filter. integer Minimum 0

value: 0
Maximum
value: 255

config secondaryip

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

ip Secondary IP address of the interface. ipv4- Not Specified 0.0.0.0

classnet- 0.0.0.0
host

secip-relay-ip DHCP relay IP address. user Not Specified

allowaccess Management access settings for the secondary IP option -

address.

Option Description

ping PING access.

https HTTPS access.

ssh SSH access.

snmp SNMP access.

http HTTP access.

telnet TELNET access.

fgfm FortiManager access.

radius-acct RADIUS accounting access.

probe-response Probe access.

fabric Security Fabric access.

ftm FTM access.

speed-test Speed test access.

FortiOS 7.4.4 CLI Reference 1380

Fortinet Inc.
Parameter Description Type Size Default

gwdetect Enable/disable detect gateway alive for first. option - disable

Option Description

enable Enable detect gateway alive for first.

disable Disable detect gateway alive for first.

ping-serv-status PING server status. integer Minimum 0

value: 0
Maximum
value: 255

detectserver Gateway's ping server for this IP. user Not Specified

detectprotocol Protocols used to detect the server. option - ping

Option Description

ping PING.

tcp-echo TCP echo.

udp-echo UDP echo.

ha-priority HA election priority for the PING server. integer Minimum 1

value: 1
Maximum
value: 50

config tagging

Parameter Description Type Size Default

name Tagging entry name. string Maximum

length: 63

category Tag category. string Maximum

length: 63

tags <name> Tags. string Maximum

Tag name. length: 79

config vrrp

Parameter Description Type Size Default

vrid Virtual router identifier. integer Minimum 0

value: 1
Maximum
value: 255

FortiOS 7.4.4 CLI Reference 1381

Fortinet Inc.
Parameter Description Type Size Default

version VRRP version. option - 2

Option Description

2 VRRP version 2.

3 VRRP version 3.

vrgrp VRRP group ID. integer Minimum 0

value: 1
Maximum
value:
65535

vrip IP address of the virtual router. ipv4- Not 0.0.0.0

address- Specified
any

priority Priority of the virtual router. integer Minimum 100

value: 1
Maximum
value: 255

adv-interval Advertisement interval. integer Minimum 1

value: 1
Maximum
value: 255

start-time Startup time. integer Minimum 3

value: 1
Maximum
value: 255

preempt Enable/disable preempt mode. option - enable

Option Description

enable Enable preempt mode.

disable Disable preempt mode.

accept-mode Enable/disable accept mode. option - enable

Option Description

enable Enable accept mode.

disable Disable accept mode.

vrdst Monitor the route to this destination. ipv4- Not

address- Specified
any

FortiOS 7.4.4 CLI Reference 1382

Fortinet Inc.
Parameter Description Type Size Default

vrdst-priority Priority of the virtual router when the virtual router integer Minimum 0
destination becomes unreachable. value: 0
Maximum
value: 254

ignore- Enable/disable ignoring of default route when checking option - disable

default-route destination.

Option Description

enable Ignore default route when checking destination.

disable Do not ignore default route when checking destination.

status Enable/disable this VRRP configuration. option - enable

Option Description

enable Enable this VRRP configuration.

disable Disable this VRRP configuration.

config proxy-arp

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

ip Set IP addresses of proxy ARP. user Not Specified

config wifi-mac-list

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

mac MAC address. mac- Not Specified 00:00:00:00:00:00

address

FortiOS 7.4.4 CLI Reference 1383

Fortinet Inc.
config wifi-networks

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

wifi-ssid IEEE 802.11 Service Set Identifier. string Maximum fortinet

length: 32

wifi-security Wireless access security of SSID. option - wpa-

personal

Option Description

open Open.

wep64 WEP64.

wep128 WEP128.

wpa-personal WPA personal.

wpa-only- WPA personal only.

personal

wpa2-only- WPA2 personal only.

personal

wpa3-sae WPA3 SAE.

owe OWE.

wpa-enterprise WPA2/WPA3 ENTERPRISE.

wifi-encrypt Data encryption. option - AES

Option Description

TKIP TKIP.

AES AES.

wifi-keyindex WEP key index. integer Minimum 1

value: 1
Maximum
value: 4

wifi-key WiFi WEP Key. password Not Specified

wifi- WiFi pre-shared key for WPA-PSK or password for password Not Specified
passphrase WPA3-SAE and WPA2/WPA3-ENTERPRISE.

wifi-eap-type WPA2/WPA3-ENTERPRISE EAP Method. option - peap

FortiOS 7.4.4 CLI Reference 1384

Fortinet Inc.
Parameter Description Type Size Default

Option Description

both EAP PEAP and TLS.

tls EAP TLS.

peap EAP PEAP.

wifi-username Username for WPA2/WPA3-ENTERPRISE. string Maximum fortinet

length: 64

wifi-client- Client certificate for WPA2/WPA3-ENTERPRISE. string Maximum

certificate length: 35

wifi-private- Private key for WPA2/WPA3-ENTERPRISE. string Maximum

key length: 35

wifi-private- Password for private key file for WPA2/WPA3- password Not Specified
key-password ENTERPRISE.

wifi-ca- CA certificate for WPA2/WPA3-ENTERPRISE. string Maximum

certificate length: 79

config system ipam

Configure IP address management services.

config system ipam
Description: Configure IP address management services.
set automatic-conflict-resolution [disable|enable]
set manage-lan-addresses [disable|enable]
set manage-lan-extension-addresses [disable|enable]
set manage-ssid-addresses [disable|enable]
config pools
Description: Configure IPAM pools.
edit <name>
set description {string}
set subnet {ipv4-classnet}
config exclude
Description: Configure pool exclude subnets.
edit <ID>
set exclude-subnet {ipv4-classnet}
next
end
next
end
set require-subnet-size-match [disable|enable]
config rules
Description: Configure IPAM allocation rules.
edit <name>
set description {string}
set device <name1>, <name2>, ...
set interface <name1>, <name2>, ...

FortiOS 7.4.4 CLI Reference 1385

Fortinet Inc.
set role [any|lan|...]
set pool <name1>, <name2>, ...
set dhcp [enable|disable]
next
end
set server-type {option}
set status [enable|disable]
end

config system ipam

Parameter Description Type Size Default

automatic- Enable/disable automatic conflict resolution. option - disable

conflict-
resolution

Option Description

disable Disable automatic conflict resolution.

enable Enable automatic conflict resolution.

manage-lan- Enable/disable default management of LAN interface option - disable

addresses addresses.

Option Description

disable Disable LAN interface address management by default.

enable Enable LAN interface address management by default.

manage-lan- Enable/disable default management of FortiExtender option - disable

extension- LAN extension interface addresses.
addresses

Option Description

disable Disable FortiExtender LAN extension interface address management by

default.

enable Enable FortiExtender LAN extension interface address management by

default.

manage-ssid- Enable/disable default management of FortiAP SSID option - disable

addresses addresses.

Option Description

disable Disable FortiAP SSID address management by default.

enable Enable FortiAP SSID address management by default.

Parameter Description Type Size Default

name IPAM pool name. string Maximum

length: 79

description Description. string Maximum

length: 127

subnet Configure IPAM pool subnet, Class A - Class B subnet. ipv4- Not 0.0.0.0
classnet Specified 0.0.0.0

config exclude

Parameter Description Type Size Default

ID Exclude ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

exclude- Configure subnet to exclude from the IPAM pool. ipv4- Not Specified 0.0.0.0
subnet classnet 0.0.0.0

FortiOS 7.4.4 CLI Reference 1387

Fortinet Inc.
config rules

Parameter Description Type Size Default

name IPAM rule name. string Maximum

length: 79

description Description. string Maximum

length: 127

device Configure serial number or wildcard of FortiGate to string Maximum

<name> match. length: 79
FortiGate serial number or wildcard.

interface Configure name or wildcard of interface to match. string Maximum

<name> Interface name or wildcard. length: 79

role Configure role of interface to match. option - any

Option Description

any Match any interface role.

lan Match interface role lan.

wan Match interface role wan.

dmz Match interface role dmz.

undefined Match interface role undefined.

pool <name> Configure name of IPAM pool to use. string Maximum

IPAM pool name. length: 79

dhcp Enable/disable DHCP server for matching IPAM option - disable

interfaces.

Option Description

enable Enable DHCP server on matched IPAM interface.

disable Disable DHCP server on matched IPAM interface.

config system ipip-tunnel

Configure IP in IP Tunneling.
config system ipip-tunnel
Description: Configure IP in IP Tunneling.
edit <name>
set auto-asic-offload [enable|disable]
set interface {string}
set local-gw {ipv4-address-any}
set remote-gw {ipv4-address}
set use-sdwan [disable|enable]

FortiOS 7.4.4 CLI Reference 1388

Fortinet Inc.
next
end

config system ipip-tunnel

Parameter Description Type Size Default

auto-asic- Enable/disable tunnel ASIC offloading. option - enable

offload *

Option Description

enable Enable auto ASIC offloading.

disable Disable ASIC offloading.

interface Interface name that is associated with the incoming string Maximum
traffic from available options. length: 15

local-gw IPv4 address for the local gateway. ipv4- Not 0.0.0.0
address- Specified
any

name IPIP Tunnel name. string Maximum

length: 15

remote-gw IPv4 address for the remote gateway. ipv4- Not 0.0.0.0
address Specified

use-sdwan Enable/disable use of SD-WAN to reach remote option - disable

gateway.

Option Description

disable Disable use of SD-WAN to reach remote gateway.

enable Enable use of SD-WAN to reach remote gateway.

* This parameter may not exist in some models.

config system ips-urlfilter-dns

Configure IPS URL filter DNS servers.

config system ips-urlfilter-dns
Description: Configure IPS URL filter DNS servers.
edit <address>
set ipv6-capability [enable|disable]
set status [enable|disable]
next
end

FortiOS 7.4.4 CLI Reference 1389

Fortinet Inc.
config system ips-urlfilter-dns

Parameter Description Type Size Default

address DNS server IP address. ipv4- Not 0.0.0.0

address Specified

ipv6- Enable/disable this server for IPv6 queries. option - disable

capability

Option Description

enable Enable setting.

disable Disable setting.

status Enable/disable using this DNS server for IPS URL filter option - enable
DNS queries.

Option Description

enable Enable this DNS server for IPS URL filter DNS queries.

disable Disable this DNS server for IPS URL filter DNS queries.

config system ips-urlfilter-dns6

Configure IPS URL filter IPv6 DNS servers.

config system ips-urlfilter-dns6
Description: Configure IPS URL filter IPv6 DNS servers.
edit <address6>
set status [enable|disable]
next
end

config system ips-urlfilter-dns6

Parameter Description Type Size Default

address6 IPv6 address of DNS server. ipv6- Not ::

address Specified

status Enable/disable this server for IPv6 DNS queries. option - enable

Option Description

enable Enable setting.

disable Disable setting.

FortiOS 7.4.4 CLI Reference 1390

Fortinet Inc.
config system ips

Configure IPS system settings.

config system ips
Description: Configure IPS system settings.
set override-signature-hold-by-id [enable|disable]
set signature-hold-time {user}
end

config system ips

Parameter Description Type Size Default

override- Enable/disable override of hold of triggering signatures option - enable

signature- that are specified by IDs regardless of hold.
hold-by-id

Option Description

enable Allow the signatures specified by IDs to be triggered even if they are on hold.

disable Do not trigger the signatures that are on hold.

signature- Time to hold and monitor IPS signatures. Format user Not 0h
hold-time <#d##h>. Specified

config system ipsec-aggregate

Configure an aggregate of IPsec tunnels.

config system ipsec-aggregate
Description: Configure an aggregate of IPsec tunnels.
edit <name>
set algorithm [L3|L4|...]
set member <tunnel-name1>, <tunnel-name2>, ...
next
end

config system ipsec-aggregate

Parameter Description Type Size Default

algorithm Frame distribution algorithm. option - round-robin

Option Description

L3 Use layer 3 address for distribution.

L4 Use layer 4 information for distribution.

FortiOS 7.4.4 CLI Reference 1391

Fortinet Inc.
Parameter Description Type Size Default

Option Description

round-robin Per-packet round-robin distribution.

redundant Use first tunnel that is up for all traffic.

weighted-round- Weighted round-robin distribution.

robin

member Member tunnels of the aggregate. string Maximum

<tunnel- Tunnel name. length: 79
name>

name IPsec aggregate name. string Maximum

length: 15

config system ipv6-neighbor-cache

Configure IPv6 neighbor cache table.

config system ipv6-neighbor-cache
Description: Configure IPv6 neighbor cache table.
edit <id>
set interface {string}
set ipv6 {ipv6-address}
set mac {mac-address}
next
end

config system ipv6-neighbor-cache

Parameter Description Type Size Default

id Unique integer ID of the entry. integer Minimum 0

value: 0
Maximum
value:
4294967295

interface Select the associated interface name from string Maximum

available options. length: 15

ipv6 IPv6 address (format: ipv6- Not Specified ::

xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx). address

mac MAC address (format: xx:xx:xx:xx:xx:xx). mac- Not Specified 00:00:00:00:00:00

address

FortiOS 7.4.4 CLI Reference 1392

Fortinet Inc.
config system ipv6-tunnel

Configure IPv6/IPv4 in IPv6 tunnel.

config system ipv6-tunnel
Description: Configure IPv6/IPv4 in IPv6 tunnel.
edit <name>
set auto-asic-offload [enable|disable]
set destination {ipv6-address}
set interface {string}
set source {ipv6-address}
set use-sdwan [disable|enable]
next
end

config system ipv6-tunnel

Parameter Description Type Size Default

auto-asic- Enable/disable tunnel ASIC offloading. option - enable

offload *

Option Description

enable Enable auto ASIC offloading.

disable Disable ASIC offloading.

destination Remote IPv6 address of the tunnel. ipv6- Not ::

address Specified

interface Interface name. string Maximum

length: 15

name IPv6 tunnel name. string Maximum

length: 15

source Local IPv6 address of the tunnel. ipv6- Not ::

address Specified

use-sdwan Enable/disable use of SD-WAN to reach remote option - disable

gateway.

Option Description

disable Disable use of SD-WAN to reach remote gateway.

enable Enable use of SD-WAN to reach remote gateway.

* This parameter may not exist in some models.

FortiOS 7.4.4 CLI Reference 1393

Fortinet Inc.
config system isf-queue-profile

This command is available for model(s): FortiGate 1100E, FortiGate 1101E, FortiGate 1800F,
FortiGate 1801F, FortiGate 2200E, FortiGate 2201E, FortiGate 2600F, FortiGate 2601F,
FortiGate 3000D, FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D,
FortiGate 3300E, FortiGate 3301E, FortiGate 3700D, FortiGate 400E, FortiGate 401E,
FortiGate 4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F, FortiGate 800D.
It is not available for: FortiGate 1000D, FortiGate 1000F, FortiGate 1001F, FortiGate 100F,
FortiGate 101F, FortiGate 140E-POE, FortiGate 140E, FortiGate 2000E, FortiGate 200E,
FortiGate 200F, FortiGate 201E, FortiGate 201F, FortiGate 2500E, FortiGate 3000F,
FortiGate 3001F, FortiGate 3200F, FortiGate 3201F, FortiGate 3400E, FortiGate 3401E,
FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E, FortiGate 3700F,
FortiGate 3701F, FortiGate 3960E, FortiGate 3980E, FortiGate 400E Bypass, FortiGate 400F,
FortiGate 401F, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 5001E1, FortiGate 5001E,
FortiGate 500E, FortiGate 501E, FortiGate 600E, FortiGate 600F, FortiGate 601E, FortiGate
601F, FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate
60F, FortiGate 61E, FortiGate 61F, FortiGate 70F, FortiGate 71F, FortiGate 80E-POE,
FortiGate 80E, FortiGate 80F Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 81E-
POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 81F, FortiGate 900D, FortiGate 90E,
FortiGate 91E, FortiGate VM64, FortiGateRugged 60F 3G4G, FortiGateRugged 60F,
FortiGateRugged 70F 3G4G, FortiGateRugged 70F, FortiWiFi 40F 3G4G, FortiWiFi 40F,
FortiWiFi 60E DSLJ, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi 61E,
FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE,
FortiWiFi 81F 2R.

Create a queue profile of switch.

config system isf-queue-profile
Description: Create a queue profile of switch.
edit <name>
set bandwidth-unit [kbps|pps]
set burst-bps-granularity [disable|512-bytes|...]
set burst-pps-granularity [disable|half-packet|...]
set guaranteed-bandwidth {integer}
set maximum-bandwidth {integer}
next
end

config system isf-queue-profile

Parameter Description Type Size Default

bandwidth-unit Unit of measurement for guaranteed and maximum option - kbps

bandwidth.

Option Description

kbps kilobits per second.

pps packets per second.

FortiOS 7.4.4 CLI Reference 1394

Fortinet Inc.
Parameter Description Type Size Default

burst-bps- Burst granularity based on bytes per second. option - disable

granularity

Option Description

disable Disable burst control.

512-bytes 512 bytes.

1k-bytes 1K bytes.

2k-bytes 2K bytes.

4k-bytes 4K bytes.

8k-bytes 8K bytes.

16k-bytes 16K bytes.

32k-bytes 32K bytes.

burst-pps- Burst granularity based on packets per second. option - disable

granularity

Option Description

disable Disable burst control.

half-packet One burst unit equals two time slots in which one packet is sent.

1-packet 1 packet.

2-packets 2 packets.

4-packets 4 packets.

16-packets 16 packets.

65-packets 65 packets.

262-packets 262 packets.

guaranteed- Guaranteed bandwidth. integer Minimum 0

bandwidth value: 0
Maximum
value:
1000000000

maximum- Upper bandwidth limit enforced. integer Minimum 0

bandwidth value: 0
Maximum
value:
1000000000

name Profile name. string Maximum

length: 15

FortiOS 7.4.4 CLI Reference 1395

Fortinet Inc.
config system link-monitor

FortiOS 7.4.4 CLI Reference 1396

Fortinet Inc.
config system link-monitor

Parameter Description Type Size Default

addr-mode Address mode (IPv4 or IPv6). option - ipv4

Option Description

ipv4 IPv4 mode.

ipv6 IPv6 mode.

class-id Traffic class ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

diffservcode Differentiated services code point (DSCP) in the IP user Not Specified
header of the probe packet.

fail-weight Threshold weight to trigger link failure alert. integer Minimum 0

value: 0
Maximum
value: 255

failtime Number of retry attempts before the server is integer Minimum 5

considered down. value: 1
Maximum
value: 3600

gateway-ip Gateway IP address used to probe the server. ipv4- Not Specified 0.0.0.0
address-
any

gateway-ip6 Gateway IPv6 address used to probe the server. ipv6- Not Specified ::
address

ha-priority HA election priority. integer Minimum 1

value: 1
Maximum
value: 50

http-agent String in the http-agent field in the HTTP header. string Maximum Chrome/
length: 1024 Safari/

http-get If you are monitoring an HTML server you can send string Maximum /
an HTTP-GET request with a custom string. Use this length: 1024
option to define the string.

http-match String that you expect to see in the HTTP-GET string Maximum
requests of the traffic to be monitored. length: 1024

FortiOS 7.4.4 CLI Reference 1397

Fortinet Inc.
Parameter Description Type Size Default

interval Detection interval in milliseconds. integer Minimum 500

value: 20
Maximum
value:
3600000

name Link monitor name. string Maximum

length: 35

packet-size Packet size of a TWAMP test session. integer Minimum 124

value: 0
Maximum
value: 65535

password TWAMP controller password in authentication password Not Specified

mode.

port Port number of the traffic to be used to monitor the integer Minimum 0
server. value: 1
Maximum
value: 65535

probe-count Number of most recent probes that should be used integer Minimum 30
to calculate latency and jitter. value: 5
Maximum
value: 30

probe-timeout Time to wait before a probe packet is considered integer Minimum 500
lost. value: 20
Maximum
value: 5000

protocol Protocols used to monitor the server. option - ping

Option Description

ping PING link monitor.

tcp-echo TCP echo link monitor.

udp-echo UDP echo link monitor.

http HTTP-GET link monitor.

https HTTPS-GET link monitor.

twamp TWAMP link monitor.

static Static servers.

dynamic Dynamic servers.

service- Only use monitor to read quality values. If enabled, option - disable
detection static routes and cascade interfaces will not be
updated.

Option Description

enable Only use monitor for service-detection.

disable Monitor will update routes/interfaces on link failure.

source-ip Source IP address used in packet to the server. ipv4- Not Specified 0.0.0.0
address-
any

source-ip6 Source IPv6 address used in packet to the server. ipv6- Not Specified ::
address

srcintf Interface that receives the traffic to be monitored. string Maximum

enable Enable updating the static route.

disable Disable updating the static route.

config server-list

Parameter Description Type Size Default

id Server ID. integer Minimum 0

value: 1
Maximum
value: 32

dst IP address of the server to be monitored. string Maximum

length: 64

protocol Protocols used to monitor the server. option - ping

Option Description

ping PING link monitor.

FortiOS 7.4.4 CLI Reference 1400

Fortinet Inc.
Parameter Description Type Size Default

Option Description

tcp-echo TCP echo link monitor.

udp-echo UDP echo link monitor.

http HTTP-GET link monitor.

https HTTPS-GET link monitor.

twamp TWAMP link monitor.

port Port number of the traffic to be used to monitor the integer Minimum 0
server. value: 1
Maximum
value:
65535

weight Weight of the monitor to this dst. integer Minimum 0

value: 0
Maximum
value: 255

config system lldp network-policy

FortiOS 7.4.4 CLI Reference 1401

Fortinet Inc.
set dscp {integer}
end
config streaming-video
Description: Streaming Video.
set status [disable|enable]
set tag [none|dot1q|...]
set vlan {integer}
set priority {integer}
set dscp {integer}
end
config video-conferencing
Description: Video Conferencing.
set status [disable|enable]
set tag [none|dot1q|...]
set vlan {integer}
set priority {integer}
set dscp {integer}
end
config video-signaling
Description: Video Signaling.
set status [disable|enable]
set tag [none|dot1q|...]
set vlan {integer}
set priority {integer}
set dscp {integer}
end
config voice
Description: Voice.
set status [disable|enable]
set tag [none|dot1q|...]
set vlan {integer}
set priority {integer}
set dscp {integer}
end
config voice-signaling
Description: Voice signaling.
set status [disable|enable]
set tag [none|dot1q|...]
set vlan {integer}
set priority {integer}
set dscp {integer}
end
next
end

config system lldp network-policy

Parameter Description Type Size Default

comment Comment. var-string Maximum

length: 1023

name LLDP network policy name. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 1402

Fortinet Inc.
config guest

Parameter Description Type Size Default

status Enable/disable advertising this policy. option - disable

Option Description

disable Disable advertising this LLDP network policy.

enable Enable advertising this LLDP network policy.

tag Advertise tagged or untagged traffic. option - none

Option Description

none Advertise that untagged frames should be used.

dot1q Advertise that 802.1Q (VLAN) tagging should be used.

dot1p Advertise that 802.1P priority tagging (VLAN 0) should be used.

vlan 802.1Q VLAN ID to advertise. integer Minimum 0

value: 1
Maximum
value: 4094

priority 802.1P CoS/PCP to advertise. integer Minimum 5

value: 0
Maximum
value: 7

dscp Differentiated Services Code Point (DSCP) value to integer Minimum 46

advertise. value: 0
Maximum
value: 63

config guest-voice-signaling

Parameter Description Type Size Default

status Enable/disable advertising this policy. option - disable

Option Description

disable Disable advertising this LLDP network policy.

enable Enable advertising this LLDP network policy.

tag Advertise tagged or untagged traffic. option - none

FortiOS 7.4.4 CLI Reference 1403

Fortinet Inc.
Parameter Description Type Size Default

Option Description

none Advertise that untagged frames should be used.

dot1q Advertise that 802.1Q (VLAN) tagging should be used.

dot1p Advertise that 802.1P priority tagging (VLAN 0) should be used.

vlan 802.1Q VLAN ID to advertise. integer Minimum 0

value: 1
Maximum
value: 4094

priority 802.1P CoS/PCP to advertise. integer Minimum 5

value: 0
Maximum
value: 7

dscp Differentiated Services Code Point (DSCP) value to integer Minimum 46

advertise. value: 0
Maximum
value: 63

config softphone

Parameter Description Type Size Default

status Enable/disable advertising this policy. option - disable

Option Description

disable Disable advertising this LLDP network policy.

enable Enable advertising this LLDP network policy.

tag Advertise tagged or untagged traffic. option - none

Option Description

none Advertise that untagged frames should be used.

dot1q Advertise that 802.1Q (VLAN) tagging should be used.

dot1p Advertise that 802.1P priority tagging (VLAN 0) should be used.

vlan 802.1Q VLAN ID to advertise. integer Minimum 0

value: 1
Maximum
value: 4094

FortiOS 7.4.4 CLI Reference 1404

Fortinet Inc.
Parameter Description Type Size Default

priority 802.1P CoS/PCP to advertise. integer Minimum 5

value: 0
Maximum
value: 7

dscp Differentiated Services Code Point (DSCP) value to integer Minimum 46

advertise. value: 0
Maximum
value: 63

config streaming-video

Parameter Description Type Size Default

status Enable/disable advertising this policy. option - disable

Option Description

disable Disable advertising this LLDP network policy.

enable Enable advertising this LLDP network policy.

tag Advertise tagged or untagged traffic. option - none

Option Description

none Advertise that untagged frames should be used.

dot1q Advertise that 802.1Q (VLAN) tagging should be used.

dot1p Advertise that 802.1P priority tagging (VLAN 0) should be used.

vlan 802.1Q VLAN ID to advertise. integer Minimum 0

value: 1
Maximum
value: 4094

priority 802.1P CoS/PCP to advertise. integer Minimum 5

value: 0
Maximum
value: 7

dscp Differentiated Services Code Point (DSCP) value to integer Minimum 46

advertise. value: 0
Maximum
value: 63

FortiOS 7.4.4 CLI Reference 1405

Fortinet Inc.
config video-conferencing

Parameter Description Type Size Default

status Enable/disable advertising this policy. option - disable

Option Description

disable Disable advertising this LLDP network policy.

enable Enable advertising this LLDP network policy.

tag Advertise tagged or untagged traffic. option - none

Option Description

none Advertise that untagged frames should be used.

dot1q Advertise that 802.1Q (VLAN) tagging should be used.

dot1p Advertise that 802.1P priority tagging (VLAN 0) should be used.

vlan 802.1Q VLAN ID to advertise. integer Minimum 0

value: 1
Maximum
value: 4094

priority 802.1P CoS/PCP to advertise. integer Minimum 5

value: 0
Maximum
value: 7

dscp Differentiated Services Code Point (DSCP) value to integer Minimum 46

advertise. value: 0
Maximum
value: 63

config video-signaling

Parameter Description Type Size Default

status Enable/disable advertising this policy. option - disable

Option Description

disable Disable advertising this LLDP network policy.

enable Enable advertising this LLDP network policy.

tag Advertise tagged or untagged traffic. option - none

FortiOS 7.4.4 CLI Reference 1406

Fortinet Inc.
Parameter Description Type Size Default

Option Description

none Advertise that untagged frames should be used.

dot1q Advertise that 802.1Q (VLAN) tagging should be used.

dot1p Advertise that 802.1P priority tagging (VLAN 0) should be used.

vlan 802.1Q VLAN ID to advertise. integer Minimum 0

value: 1
Maximum
value: 4094

priority 802.1P CoS/PCP to advertise. integer Minimum 5

value: 0
Maximum
value: 7

dscp Differentiated Services Code Point (DSCP) value to integer Minimum 46

advertise. value: 0
Maximum
value: 63

config voice

Parameter Description Type Size Default

status Enable/disable advertising this policy. option - disable

Option Description

disable Disable advertising this LLDP network policy.

enable Enable advertising this LLDP network policy.

tag Advertise tagged or untagged traffic. option - none

Option Description

none Advertise that untagged frames should be used.

dot1q Advertise that 802.1Q (VLAN) tagging should be used.

dot1p Advertise that 802.1P priority tagging (VLAN 0) should be used.

vlan 802.1Q VLAN ID to advertise. integer Minimum 0

value: 1
Maximum
value: 4094

FortiOS 7.4.4 CLI Reference 1407

Fortinet Inc.
Parameter Description Type Size Default

priority 802.1P CoS/PCP to advertise. integer Minimum 5

value: 0
Maximum
value: 7

dscp Differentiated Services Code Point (DSCP) value to integer Minimum 46

advertise. value: 0
Maximum
value: 63

config voice-signaling

Parameter Description Type Size Default

status Enable/disable advertising this policy. option - disable

Option Description

disable Disable advertising this LLDP network policy.

enable Enable advertising this LLDP network policy.

tag Advertise tagged or untagged traffic. option - none

Option Description

none Advertise that untagged frames should be used.

dot1q Advertise that 802.1Q (VLAN) tagging should be used.

dot1p Advertise that 802.1P priority tagging (VLAN 0) should be used.

vlan 802.1Q VLAN ID to advertise. integer Minimum 0

value: 1
Maximum
value: 4094

priority 802.1P CoS/PCP to advertise. integer Minimum 5

value: 0
Maximum
value: 7

dscp Differentiated Services Code Point (DSCP) value to integer Minimum 46

advertise. value: 0
Maximum
value: 63

FortiOS 7.4.4 CLI Reference 1408

Fortinet Inc.
config system lte-modem

This command is available for model(s): FortiGate 1000D, FortiGate 1000F, FortiGate 1001F,
FortiGate 100F, FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 140E-POE,
FortiGate 140E, FortiGate 1800F, FortiGate 1801F, FortiGate 2000E, FortiGate 200E,
FortiGate 200F, FortiGate 201E, FortiGate 201F, FortiGate 2200E, FortiGate 2201E,
FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 3000F,
FortiGate 3001F, FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D,
FortiGate 3200F, FortiGate 3201F, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E,
FortiGate 3401E, FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E,
FortiGate 3700D, FortiGate 3700F, FortiGate 3701F, FortiGate 3960E, FortiGate 3980E,
FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E, FortiGate 401F,
FortiGate 40F 3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F,
FortiGate 4401F, FortiGate 5001E1, FortiGate 5001E, FortiGate 500E, FortiGate 501E,
FortiGate 600E, FortiGate 600F, FortiGate 601E, FortiGate 601F, FortiGate 60E DSLJ,
FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E,
FortiGate 61F, FortiGate 70F, FortiGate 71F, FortiGate 800D, FortiGate 80E-POE, FortiGate
80E, FortiGate 80F Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 81E-POE,
FortiGate 81E, FortiGate 81F-POE, FortiGate 81F, FortiGate 900D, FortiGate 90E, FortiGate
91E, FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiGateRugged 70F 3G4G,
FortiGateRugged 70F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSLJ, FortiWiFi 60E
DSL, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi
81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.
It is not available for: FortiGate VM64.

Configure USB LTE/WIMAX devices.

config system lte-modem
Description: Configure USB LTE/WIMAX devices.
set allow-modify-mtu-size [enable|disable]
set allow-modify-wireless-profile-table [enable|disable]
set apn {string}
set authtype [none|pap|...]
set auto-connect [enable|disable]
set band-restrictions {string}
config data-plan
Description: Configure data plan.
edit <name>
set target-sim-slot [SIM-slot-1|SIM-slot-2]
set data-limit {integer}
set data-limit-alert {integer}
set billing-period [monthly|weekly|...]
set billing-date {integer}
set billing-weekday [sunday|monday|...]
set billing-hour {integer}
set overage [enable|disable]
set delay-switch-time {string}
set iccid {string}
next
end
set data-usage-tracking [enable|disable]
set dhcp-relay [enable|disable]

FortiOS 7.4.4 CLI Reference 1409

Fortinet Inc.
set extra-init {string}
set force-wireless-profile {integer}
set gps-port {integer}
set gps-service [enable|disable]
set holddown-timer {integer}
set image-preference [generic|att|...]
set interface {string}
set manual-handover [enable|disable]
set mode [standalone|redundant]
set modem-port {integer}
set network-type [auto|umts-3g|...]
set override-gateway [enable|disable]
set passwd {password}
set pdptype {option}
config sim-switch
Description: Configure SIM card switch.
set by-sim-state [disable|enable]
set by-connection-state [disable|enable]
set by-data-plan [enable|disable]
set by-link-monitor [disable|enable]
set modem-disconnection-time {integer}
set link-monitor {string}
set sim-switch-log-alert-interval {integer}
set sim-switch-log-alert-threshold {integer}
set sim-slot {integer}
end
set sim1-pin {password}
set sim2-pin {password}
set status [enable|disable]
set username {string}
end

config system lte-modem

Parameter Description Type Size Default

allow-modify- Allow FortiGate to modify the wireless WAN interface option - enable
mtu-size * MTU size.

Option Description

enable Allow LTE daemon to modify wireless profile table.

disable Do not allow LTE daemon to modify wireless profile table.

allow-modify- Allow FortiGate to modify the wireless profile table if option - enable
wireless- the internal LTE modem is running the GENERIC
profile-table * modem firmware.

Option Description

enable Allow LTE daemon to modify wireless profile table.

disable Do not allow LTE daemon to modify wireless profile table.

FortiOS 7.4.4 CLI Reference 1410

Fortinet Inc.
Parameter Description Type Size Default

apn Login APN string for PDP-IP packet data calls. string Maximum
length: 127

authtype Authentication type for PDP-IP packet data calls. option - none

Option Description

none Username and password not required.

pap Use PAP authentication.

chap Use CHAP authentication.

auto-connect Enable/disable modem auto connect. option - disable

Option Description

enable Enable modem auto connect.

disable Disable modem auto connect.

band- Bitmaps for the allowed 3G and LTE bands.Ex: string Maximum
restrictions * 0000000000000000-0000000000001008 (3G Mask- length: 35
LTE Mask)

data-usage- Enable/disable data usage tracking. option - disable

tracking *

Option Description

enable Enable data usage tracking.

disable Disable data usage tracking.

dhcp-relay * Enable/disable DHCP relay over modem. option - disable

Option Description

enable Enable DHCP relay.

disable Disable DHCP relay.

extra-init Extra initialization string for USB LTE/WIMAX devices. string Maximum
length: 127

force- Force to use wireless profile index , 0 if don't force. integer Minimum 0
wireless- value: 0
profile * Maximum
value: 16

FortiOS 7.4.4 CLI Reference 1411

Fortinet Inc.
Parameter Description Type Size Default

gps-port * Modem GPS port index. integer Minimum 255

value: 0
Maximum
value: 20

gps-service * Enable/disable GPS daemon. option - enable

Option Description

enable Enable GPS daemon.

disable Disable GPS daemon.

holddown- Hold down timer. integer Minimum 30

timer value: 10
Maximum
value: 60

image- Modem Image Preference. option - auto-sim

preference *

Option Description

generic Generic Firmware.

att AT&T Firmware.

verizon Verizon Firmware.

telus Telus Firmware.

docomo DOCOMO Firmware.

softbank Softbank Firmware.

sprint Sprint Firmware.

auto-sim Auto Select Firmware.

no-change Do not change.

interface The interface that the modem is acting as a redundant string Maximum
interface for. length: 63

manual- Enable/Disable manual handover from 3G to LTE option - disable

handover * network.

Option Description

enable Enable 3G to LTE manual handover.

disable Disable 3G to LTE manual handover.

mode Modem operation mode. option - standalone

FortiOS 7.4.4 CLI Reference 1412

Fortinet Inc.
Parameter Description Type Size Default

Option Description

standalone Standalone modem operation mode.

redundant Redundant modem operation mode where the modem is used as a backup
interface.

modem-port Modem port index. integer Minimum 255

value: 0
Maximum
value: 20

network-type Wireless network type. option - auto

Option Description

auto Automatic detection

umts-3g UMTS 3G -- For networks use GSM technology

lte LTE

override- Enable/disable LTE gateway override. option - disable

gateway *

Option Description

enable Override gateway to 0.0.0.0

disable Use gateway as assigned by ISP DHCP server.

passwd Authentication password for PDP-IP packet data calls. password Not
Specified

pdptype Packet Data Protocol (PDP) context type. option - **

Option Description

IPv4 Only IPv4.

sim1-pin * PIN code for SIM #1 (if applicable). password Not

Specified

sim2-pin * PIN code for SIM #2 (if applicable). password Not

Specified

status Enable/disable USB LTE/WIMAX device. option - disable **

Option Description

enable Enable USB LTE/WIMA device.

disable Disable USB LTE/WIMA device.

FortiOS 7.4.4 CLI Reference 1413

Fortinet Inc.
Parameter Description Type Size Default

username Authentication username for PDP-IP packet data string Maximum

calls. length: 63

* This parameter may not exist in some models.

** Values may differ between models.

config data-plan

Parameter Description Type Size Default

name Data plan name. string Maximum

length: 35

target-sim- Target sim slot <1 or 2> option -

slot

Option Description

SIM-slot-1 SIM slot 1

SIM-slot-2 SIM slot 2

data-limit LTE MODEM data limit in megabytes. integer Minimum 4294967295

value: 0
Maximum
value:
100000

data-limit- LTE MODEM data usage percentage at which to integer Minimum 75

alert trigger log.. value: 1
Maximum
value: 99

billing-period <MONTH, WEEK, DAY> option -

Option Description

monthly 1-31(day)

weekly Mon to Sun

daily 1-24(hour)

billing-date LTE MODEM billing date. integer Minimum 4294967295

value: 1
Maximum
value: 31

billing- LTE MODEM billing weekday (Mon - Sun). option -

weekday

FortiOS 7.4.4 CLI Reference 1414

Fortinet Inc.
Parameter Description Type Size Default

Option Description

sunday Sunday

monday Monday

tuesday Tuesday

wednesday Wednesday

thursday Thursday

friday Friday

saturday Saturday

billing-hour LTE MODEM billing hour. integer Minimum 4294967295

value: 0
Maximum
value: 23

overage Enable/disable allowance of data overage as option - enable

configured by data-limit. If disabled, perform sim-
swap/stop-network as configured by by-data-plan.

Option Description

enable Allow data overage data-limit. This won't perform sim-swap/stop-network.

disable Disable data overage data-limit. This will perform sim-swap/stop-network as

configured by by-data-plan.

delay-switch- Instead of SIM switching shortly after data limit is string Maximum NA
time reached, schedule a delay switch time in format length: 35
hh:mm.

iccid Dedicated data plan to specific ICCID. string Maximum

length: 35

config sim-switch

Parameter Description Type Size Default

by-sim-state Enable/disable automatic switch of SIM when option - enable

MODEM SIM state is empty or in error.

Option Description

disable Disable SIM auto switch when SIM state is empty or in error.

enable Enable SIM auto switch when SIM state is empty or in error.

FortiOS 7.4.4 CLI Reference 1415

Fortinet Inc.
Parameter Description Type Size Default

by-connection- Enable/disable automatic switch of SIM by MODEM option - enable

state connection state (mobile data usage charges not
incurred).

Option Description

disable Disable SIM auto switch by modem connection state.

enable Enable SIM auto switch by modem connection state.

by-data-plan Enable/disable SIM auto switch by data-plan config. option - disable

Option Description

enable Enable automatic switch of SIM by data-plan configuration.

disable Disable automatic switch of SIM by data-plan configuration.

by-link-monitor Enable/disable automatic switch of SIM by link option - disable

monitor (mobile data usage charges incurred).

Option Description

disable Disable SIM auto switch by link monitor.

enable Enable SIM auto switch by link monitor.

modem- Configure connection-based automatic switch of SIM integer Minimum 300

disconnection- time interval in seconds. value: 30
time Maximum
value:
86400

link-monitor Set link monitor name. string Maximum

length: 35

sim-switch-log- When sim-switch > X threshold within Y interval, integer Minimum 15

alert-interval trigger log event. value: 1
Maximum
value:
99999

sim-switch-log- When sim-switch > X threshold within Y interval, integer Minimum 5

alert-threshold trigger log event. value: 1
Maximum
value: 1000

sim-slot SIM card slot. 1: SIM-slot 1. 2: SIM-slot 2. integer Minimum 1

value: 1
Maximum
value: 2

FortiOS 7.4.4 CLI Reference 1416

Fortinet Inc.
config system mac-address-table

Configure MAC address tables.

config system mac-address-table
Description: Configure MAC address tables.
edit <mac>
set interface {string}
set reply-substitute {mac-address}
next
end

config system mac-address-table

Parameter Description Type Size Default

interface Interface name. string Maximum

length: 35

mac MAC address. mac- Not 00:00:00:00:00:00

address Specified

reply- New MAC for reply traffic. mac- Not 00:00:00:00:00:00

substitute address Specified

config system management-tunnel

Management tunnel configuration.

config system management-tunnel
Description: Management tunnel configuration.
set allow-collect-statistics [enable|disable]
set allow-config-restore [enable|disable]
set allow-push-configuration [enable|disable]
set allow-push-firmware [enable|disable]
set authorized-manager-only [enable|disable]
set serial-number {user}
set status [enable|disable]
end

config system management-tunnel

Parameter Description Type Size Default

enable Enable restriction of authorized manager only.

disable Disable restriction of authorized manager only.

serial-number Serial number. user Not

Specified

status Enable/disable FGFM tunnel. option - enable

Option Description

enable Enable management tunnel.

disable Disable management tunnel.

FortiOS 7.4.4 CLI Reference 1418

Fortinet Inc.
config system mobile-tunnel

Configure Mobile tunnels, an implementation of Network Mobility (NEMO) extensions for Mobile IPv4 RFC5177.
config system mobile-tunnel
Description: Configure Mobile tunnels, an implementation of Network Mobility (NEMO)
extensions for Mobile IPv4 RFC5177.
edit <name>
set hash-algorithm {option}
set home-address {ipv4-address}
set home-agent {ipv4-address}
set lifetime {integer}
set n-mhae-key {password_aes256}
set n-mhae-key-type [ascii|base64]
set n-mhae-spi {integer}
config network
Description: NEMO network configuration.
edit <id>
set interface {string}
set prefix {ipv4-classnet}
next
end
set reg-interval {integer}
set reg-retry {integer}
set renew-interval {integer}
set roaming-interface {string}
set status [disable|enable]
set tunnel-mode {option}
next
end

config system mobile-tunnel

Parameter Description Type Size Default

hash- Hash Algorithm (Keyed MD5). option - hmac-md5

algorithm

Option Description

hmac-md5 Keyed MD5.

home- Home IP address (Format: xxx.xxx.xxx.xxx). ipv4-address Not Specified 0.0.0.0

address

home-agent IPv4 address of the NEMO HA (Format: ipv4-address Not Specified 0.0.0.0
xxx.xxx.xxx.xxx).

lifetime NMMO HA registration request lifetime. integer Minimum 65535

value: 180
Maximum
value: 65535

FortiOS 7.4.4 CLI Reference 1419

Fortinet Inc.
Parameter Description Type Size Default

n-mhae-key NEMO authentication key. password_ Not Specified

aes256

n-mhae-key- NEMO authentication key type (ASCII or base64). option - ascii

type

Option Description

ascii The authentication key is an ASCII string.

base64 The authentication key is Base64 encoded.

n-mhae-spi NEMO authentication SPI. integer Minimum 256

value: 0
Maximum
value:
4294967295

name Tunnel name. string Maximum

length: 15

reg-interval NMMO HA registration interval. integer Minimum 5

value: 5
Maximum
value: 300

reg-retry Maximum number of NMMO HA registration retries. integer Minimum 3

value: 1
Maximum
value: 30

renew-interval Time before lifetime expiration to send NMMO HA integer Minimum 60

re-registration. value: 5
Maximum
value: 60

roaming- Select the associated interface name from available string Maximum
interface options. length: 15

status Enable/disable this mobile tunnel. option - enable

Option Description

disable Disable this mobile tunnel.

enable Enable this mobile tunnel.

tunnel-mode NEMO tunnel mode (GRE tunnel). option - gre

Option Description

gre GRE tunnel.

FortiOS 7.4.4 CLI Reference 1420

Fortinet Inc.
config network

Parameter Description Type Size Default

id Network entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

interface Select the associated interface name from available string Maximum
options. length: 15

prefix Class IP and Netmask with correction ipv4- Not Specified 0.0.0.0
(Format:xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx or classnet 0.0.0.0
xxx.xxx.xxx.xxx/x).

config system modem

This command is available for model(s): FortiGate 1000D, FortiGate 1000F, FortiGate 1001F,
FortiGate 100F, FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 140E-POE,
FortiGate 140E, FortiGate 1800F, FortiGate 1801F, FortiGate 2000E, FortiGate 200E,
FortiGate 200F, FortiGate 201E, FortiGate 201F, FortiGate 2200E, FortiGate 2201E,
FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 3000F,
FortiGate 3001F, FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D,
FortiGate 3200F, FortiGate 3201F, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E,
FortiGate 3401E, FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E,
FortiGate 3700D, FortiGate 3700F, FortiGate 3701F, FortiGate 3960E, FortiGate 3980E,
FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E, FortiGate 401F,
FortiGate 40F 3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F,
FortiGate 4401F, FortiGate 5001E1, FortiGate 5001E, FortiGate 500E, FortiGate 501E,
FortiGate 600E, FortiGate 600F, FortiGate 601E, FortiGate 601F, FortiGate 60E DSLJ,
FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E,
FortiGate 61F, FortiGate 70F, FortiGate 71F, FortiGate 800D, FortiGate 80E-POE, FortiGate
80E, FortiGate 80F Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 81E-POE,
FortiGate 81E, FortiGate 81F-POE, FortiGate 81F, FortiGate 900D, FortiGate 90E, FortiGate
91E, FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiGateRugged 70F 3G4G,
FortiGateRugged 70F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSLJ, FortiWiFi 60E
DSL, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi
81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.
It is not available for: FortiGate VM64.

Configure MODEM.
config system modem
Description: Configure MODEM.
set action [dial|stop|...]
set altmode [enable|disable]
set authtype1 {option1}, {option2}, ...
set authtype2 {option1}, {option2}, ...

FortiOS 7.4.4 CLI Reference 1421

Fortinet Inc.
set authtype3 {option1}, {option2}, ...
set auto-dial [enable|disable]
set connect-timeout {integer}
set dial-cmd1 {string}
set dial-cmd2 {string}
set dial-cmd3 {string}
set dial-on-demand [enable|disable]
set distance {integer}
set dont-send-CR1 [enable|disable]
set dont-send-CR2 [enable|disable]
set dont-send-CR3 [enable|disable]
set extra-init1 {string}
set extra-init2 {string}
set extra-init3 {string}
set holddown-timer {integer}
set idle-timer {integer}
set interface {string}
set lockdown-lac {string}
set mode [standalone|redundant]
set network-init {string}
set passwd1 {password}
set passwd2 {password}
set passwd3 {password}
set peer-modem1 [generic|actiontec|...]
set peer-modem2 [generic|actiontec|...]
set peer-modem3 [generic|actiontec|...]
set phone1 {string}
set phone2 {string}
set phone3 {string}
set pin-init {string}
set ppp-echo-request1 [enable|disable]
set ppp-echo-request2 [enable|disable]
set ppp-echo-request3 [enable|disable]
set priority {integer}
set redial [none|1|...]
set reset {integer}
set status [enable|disable]
set traffic-check [enable|disable]
set username1 {string}
set username2 {string}
set username3 {string}
set wireless-port {integer}
end

config system modem

Parameter Description Type Size Default

action Dial up/stop MODEM. option - stop

Option Description

chap CHAP

mschap MSCHAP

mschapv2 MSCHAPv2

authtype2 Allowed authentication types for ISP 2. option - pap chap

mschap
mschapv2

Option Description

pap PAP

chap CHAP

mschap MSCHAP

mschapv2 MSCHAPv2

authtype3 Allowed authentication types for ISP 3. option - pap chap

mschap
mschapv2

Option Description

pap PAP

chap CHAP

mschap MSCHAP

FortiOS 7.4.4 CLI Reference 1423

Fortinet Inc.
Parameter Description Type Size Default

Option Description

mschapv2 MSCHAPv2

auto-dial Enable/disable auto-dial after a reboot or option - disable

disconnection.

Option Description

enable Enable setting.

disable Disable setting.

connect- Connection completion timeout. integer Minimum 90

timeout value: 30
Maximum
value: 255

dial-cmd1 Dial command (this is often an ATD or ATDT string Maximum

command). length: 63

dial-cmd2 Dial command (this is often an ATD or ATDT string Maximum

command). length: 63

dial-cmd3 Dial command (this is often an ATD or ATDT string Maximum

standalone.

Option Description

standalone Standalone.

redundant Redundant for an interface.

network-init AT command to set the Network name/type string Maximum

(AT+COPS=<mode>,[<format>,<oper>[,<AcT>]]). length: 127

passwd1 Password to access the specified dialup account. password Not Specified

FortiOS 7.4.4 CLI Reference 1425

Fortinet Inc.
Parameter Description Type Size Default

passwd2 Password to access the specified dialup account. password Not Specified

ascend_TNT Ascend TNT modem.

phone1 Phone number to connect to the dialup account string Maximum

(must not contain spaces, and should include length: 63
standard special characters).

phone2 Phone number to connect to the dialup account string Maximum

(must not contain spaces, and should include length: 63
standard special characters).

phone3 Phone number to connect to the dialup account string Maximum

(must not contain spaces, and should include length: 63
standard special characters).

pin-init AT command to set the PIN (AT+PIN=<pin>). string Maximum

length: 127

ppp-echo- Enable/disable PPP echo-request to ISP 1. option - enable

request1

FortiOS 7.4.4 CLI Reference 1426

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

ppp-echo- Enable/disable PPP echo-request to ISP 2. option - enable

request2

Option Description

enable Enable setting.

disable Disable setting.

ppp-echo- Enable/disable PPP echo-request to ISP 3. option - enable

request3

Option Description

enable Enable setting.

disable Disable setting.

priority Priority of learned routes. integer Minimum 1

value: 1
Maximum
value: 65535

redial Redial limit. option - none

Option Description

none Forever.

1 One attempt.

2 Two attempts.

3 Three attempts.

4 Four attempts.

5 Five attempts.

6 Six attempts.

7 Seven attempts.

8 Eight attempts.

9 Nine attempts.

10 Ten attempts.

FortiOS 7.4.4 CLI Reference 1427

Fortinet Inc.
Parameter Description Type Size Default

reset Number of dial attempts before resetting modem (0 integer Minimum 0

= never reset). value: 0
Maximum
value: 10

status Enable/disable Modem support (equivalent to option - disable

bringing an interface up or down).

Option Description

enable Enable setting.

disable Disable setting.

traffic-check Enable/disable traffic-check. option - disable

Option Description

enable Enable setting.

disable Disable setting.

username1 User name to access the specified dialup account. string Maximum
length: 63

username2 User name to access the specified dialup account. string Maximum
length: 63

username3 User name to access the specified dialup account. string Maximum
length: 63

wireless-port Enter wireless port number: 0 for default, 1 for first integer Minimum 0
port, and so on. value: 0
Maximum
value:
4294967295

config system nd-proxy

Configure IPv6 neighbor discovery proxy (RFC4389).

config system nd-proxy
Description: Configure IPv6 neighbor discovery proxy (RFC4389).
set member <interface-name1>, <interface-name2>, ...
set status [enable|disable]
end

FortiOS 7.4.4 CLI Reference 1428

Fortinet Inc.
config system nd-proxy

Parameter Description Type Size Default

member Interfaces using the neighbor discovery proxy. string Maximum

<interface- Interface name. length: 79
name>

status Enable/disable neighbor discovery proxy. option - disable

Option Description

enable Enable neighbor discovery proxy.

disable Disable neighbor discovery proxy.

config system netflow

Configure NetFlow.
config system netflow
Description: Configure NetFlow.
set active-flow-timeout {integer}
config collectors
Description: Netflow collectors.
edit <id>
set collector-ip {string}
set collector-port {integer}
set source-ip {string}
set interface-select-method [auto|sdwan|...]
set interface {string}
next
end
set inactive-flow-timeout {integer}
set template-tx-counter {integer}
set template-tx-timeout {integer}
end

config system netflow

Parameter Description Type Size Default

active-flow- Timeout to report active flows. integer Minimum 1800

timeout value: 60
Maximum
value: 3600

inactive-flow- Timeout for periodic report of finished flows. integer Minimum 15

timeout value: 10
Maximum
value: 600

FortiOS 7.4.4 CLI Reference 1429

Fortinet Inc.
Parameter Description Type Size Default

template-tx- Counter of flowset records before resending a template integer Minimum 20

counter flowset record. value: 10
Maximum
value: 6000

template-tx- Timeout for periodic template flowset transmission. integer Minimum 1800
timeout value: 60
Maximum
value:
86400

config collectors

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 1
Maximum
value: 6

collector-ip Collector IP. string Maximum

length: 63

collector-port NetFlow collector port number. integer Minimum 2055

value: 0
Maximum
value:
65535

source-ip Source IP address for communication with the NetFlow string Maximum
agent. length: 63

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

interface Specify outgoing interface to reach server. string Maximum

length: 15

config system network-visibility

Configure network visibility settings.

FortiOS 7.4.4 CLI Reference 1430

Fortinet Inc.
config system network-visibility
Description: Configure network visibility settings.
set destination-hostname-visibility [disable|enable]
set destination-location [disable|enable]
set destination-visibility [disable|enable]
set hostname-limit {integer}
set hostname-ttl {integer}
set source-location [disable|enable]
end

config system network-visibility

Parameter Description Type Size Default

destination- Enable/disable logging of destination hostname option - enable

hostname- visibility.
visibility

Option Description

disable Disable logging of destination hostname visibility.

enable Enable logging of destination hostname visibility.

destination- Enable/disable logging of destination geographical option - enable

location location visibility.

Option Description

disable Disable logging of destination geographical location visibility.

enable Enable logging of destination geographical location visibility.

destination- Enable/disable logging of destination visibility. option - enable

visibility

Option Description

disable Disable logging of destination visibility.

enable Enable logging of destination visibility.

hostname- Limit of the number of hostname table entries. integer Minimum 5000
limit value: 0
Maximum
value:
50000

hostname-ttl TTL of hostname table entries. integer Minimum 86400

value: 60
Maximum
value:
86400

FortiOS 7.4.4 CLI Reference 1431

Fortinet Inc.
Parameter Description Type Size Default

source- Enable/disable logging of source geographical location option - enable

location visibility.

Option Description

disable Disable logging of source geographical location visibility.

enable Enable logging of source geographical location visibility.

config system np6

Configure NP6 attributes.

FortiOS 7.4.4 CLI Reference 1432

Fortinet Inc.
set tcp-winnuke [allow|drop|...]
set tcp-land [allow|drop|...]
set udp-land [allow|drop|...]
set icmp-land [allow|drop|...]
set icmp-frag [allow|drop|...]
set ipv4-land [allow|drop|...]
set ipv4-proto-err [allow|drop|...]
set ipv4-unknopt [allow|drop|...]
set ipv4-optrr [allow|drop|...]
set ipv4-optssrr [allow|drop|...]
set ipv4-optlsrr [allow|drop|...]
set ipv4-optstream [allow|drop|...]
set ipv4-optsecurity [allow|drop|...]
set ipv4-opttimestamp [allow|drop|...]
set ipv4-csum-err [drop|trap-to-host]
set tcp-csum-err [drop|trap-to-host]
set udp-csum-err [drop|trap-to-host]
set icmp-csum-err [drop|trap-to-host]
set ipv6-land [allow|drop|...]
set ipv6-proto-err [allow|drop|...]
set ipv6-unknopt [allow|drop|...]
set ipv6-saddr-err [allow|drop|...]
set ipv6-daddr-err [allow|drop|...]
set ipv6-optralert [allow|drop|...]
set ipv6-optjumbo [allow|drop|...]
set ipv6-opttunnel [allow|drop|...]
set ipv6-opthomeaddr [allow|drop|...]
set ipv6-optnsap [allow|drop|...]
set ipv6-optendpid [allow|drop|...]
set ipv6-optinvld [allow|drop|...]
end
set garbage-session-collector [disable|enable]
config hpe
Description: HPE configuration.
set tcpsyn-max {integer}
set tcpsyn-ack-max {integer}
set tcpfin-rst-max {integer}
set tcp-max {integer}
set udp-max {integer}
set icmp-max {integer}
set sctp-max {integer}
set esp-max {integer}
set ip-frag-max {integer}
set ip-others-max {integer}
set arp-max {integer}
set l2-others-max {integer}
set pri-type-max {integer}
set enable-shaper [disable|enable]
end
set ipsec-ob-hash-function [switch-group-hash|global-hash|...]
set ipsec-outbound-hash [disable|enable]
set low-latency-mode [disable|enable]
set per-session-accounting [disable|traffic-log-only|...]
set session-collector-interval {integer}
set session-timeout-fixed [disable|enable]
set session-timeout-interval {integer}

FortiOS 7.4.4 CLI Reference 1433

switch-group- Hash outbound SA traffic within NPs connected to same switch.

hash

global-hash Hash outbound SA traffic among all NPs.

global-hash- Hash outbound SA traffic among all NPs with more weights on NPs connected
weighted to switch 0. It's applicable to the case that ingress traffic is from switch 1.

round-robin- Round-robin outbound SA traffic within NPs connected to same switch.

switch-group

round-robin- Round-robin outbound SA traffic among all NPs.

global

ipsec- Enable/disable hash function for IPsec outbound traffic. option - disable
outbound-
hash *

Option Description

disable Disable hash function for IPsec outbound traffic.

enable Enable hash function for IPsec outbound traffic.

FortiOS 7.4.4 CLI Reference 1434

Fortinet Inc.
Parameter Description Type Size Default

low-latency- Enable/disable low latency mode. option - disable

mode

Option Description

disable Disable low latency mode.

enable Enable low latency mode.

name Device Name. string Maximum

length: 31

per-session- Enable/disable per-session accounting. option - traffic-log-

accounting only

Option Description

disable Disable per-session accounting.

traffic-log-only Per-session accounting only for sessions with traffic logging enabled in firewall
policy.

enable Per-session accounting for all sessions.

session- Set garbage session collection cleanup interval. integer Minimum 64

collector- value: 1
interval Maximum
value: 100

session- {disable | enable} Toggle between using fixed or random option - disable
timeout-fixed timeouts for refreshing NP6 sessions.

Option Description

disable Disable Refresh NP6 sessions at the configured fixed interval.

enable Enable Refresh NP6 sessions randomly where the time between refreshes is
within the random range.

session- Set the fixed timeout for refreshing NP6 sessions. integer Minimum 40
timeout- value: 0
interval Maximum
value: 1000

session- Set the random timeout range for refreshing NP6 integer Minimum 8
timeout- sessions. value: 0
random-range Maximum
value: 1000

* This parameter may not exist in some models.

FortiOS 7.4.4 CLI Reference 1435

Fortinet Inc.
config fp-anomaly

Parameter Description Type Size Default

tcp-syn-fin TCP SYN flood SYN/FIN flag set anomalies. option - allow

Option Description

allow Allow TCP packets with syn_fin flag set to pass.

drop Drop TCP packets with syn_fin flag set.

trap-to-host Forward TCP packets with syn_fin flag set to FortiOS.

tcp-fin-noack TCP SYN flood with FIN flag set without ACK setting option - trap-to-host
anomalies.

Option Description

allow Allow TCP packets with FIN flag set without ack setting to pass.

drop Drop TCP packets with FIN flag set without ack setting.

trap-to-host Forward TCP packets with FIN flag set without ack setting to FortiOS.

tcp-fin-only TCP SYN flood with only FIN flag set anomalies. option - trap-to-host

Option Description

allow Allow TCP packets with FIN flag set only to pass.

drop Drop TCP packets with FIN flag set only.

trap-to-host Forward TCP packets with FIN flag set only to FortiOS.

tcp-no-flag TCP SYN flood with no flag set anomalies. option - allow

Option Description

allow Allow TCP packets without flag set to pass.

drop Drop TCP packets without flag set.

trap-to-host Forward TCP packets without flag set to FortiOS.

tcp-syn-data TCP SYN flood packets with data anomalies. option - allow

Option Description

allow Allow TCP syn packets with data to pass.

drop Drop TCP syn packets with data.

ipv4-unknopt Unknown option anomalies. option - trap-to-host

Option Description

allow Allow IPv4 with unknown options to pass.

drop Drop IPv4 with unknown options.

trap-to-host Forward IPv4 with unknown options to FortiOS.

ipv4-optrr Record route option anomalies. option - trap-to-host

Option Description

allow Allow IPv4 with record route option to pass.

drop Drop IPv4 with record route option.

trap-to-host Forward IPv4 with record route option to FortiOS.

ipv4-optssrr Strict source record route option anomalies. option - trap-to-host

Option Description

allow Allow IPv4 with strict source record route option to pass.

drop Drop IPv4 with strict source record route option.

trap-to-host Forward IPv4 with strict source record route option to FortiOS.

ipv4-optlsrr Loose source record route option anomalies. option - trap-to-host

Option Description

allow Allow IPv4 with loose source record route option to pass.

drop Drop IPv4 with loose source record route option.

trap-to-host Forward IPv4 with loose source record route option to FortiOS.

FortiOS 7.4.4 CLI Reference 1438

Fortinet Inc.
Parameter Description Type Size Default

ipv4-optstream Stream option anomalies. option - trap-to-host

Option Description

allow Allow IPv4 with stream option to pass.

drop Drop IPv4 with stream option.

trap-to-host Forward IPv4 with stream option to FortiOS.

ipv4-optsecurity Security option anomalies. option - trap-to-host

Option Description

allow Allow IPv4 with security option to pass.

allow Allow IPv6 land attack to pass.

drop Drop IPv6 land attack.

trap-to-host Forward IPv6 land attack to FortiOS.

ipv6-proto-err Layer 4 invalid protocol anomalies. option - trap-to-host

Option Description

allow Allow IPv6 L4 invalid protocol to pass.

drop Drop IPv6 L4 invalid protocol.

trap-to-host Forward IPv6 L4 invalid protocol to FortiOS.

ipv6-unknopt Unknown option anomalies. option - trap-to-host

Option Description

allow Allow IPv6 with unknown options to pass.

drop Drop IPv6 with unknown options.

trap-to-host Forward IPv6 with unknown options to FortiOS.

ipv6-saddr-err Source address as multicast anomalies. option - trap-to-host

Option Description

allow Allow IPv6 with source address as multicast to pass.

drop Drop IPv6 with source address as multicast.

trap-to-host Forward IPv6 with source address as multicast to FortiOS.

ipv6-daddr-err Destination address as unspecified or loopback option - trap-to-host

address anomalies.

FortiOS 7.4.4 CLI Reference 1440

Fortinet Inc.
Parameter Description Type Size Default

trap-to-host Forward IPv6 with tunnel encapsulation limit to FortiOS.

ipv6- Home address option anomalies. option - trap-to-host

opthomeaddr

Option Description

allow Allow IPv6 with home address option to pass.

drop Drop IPv6 with home address option.

trap-to-host Forward IPv6 with home address option to FortiOS.

ipv6-optnsap Network service access point address option option - trap-to-host

anomalies.

FortiOS 7.4.4 CLI Reference 1441

Fortinet Inc.
Parameter Description Type Size Default

Option Description

allow Allow IPv6 with network service access point address option to pass.

drop Drop IPv6 with network service access point address option.

trap-to-host Forward IPv6 with network service access point address option to FortiOS.

ipv6-optendpid End point identification anomalies. option - trap-to-host

Option Description

allow Allow IPv6 with end point identification option to pass.

drop Drop IPv6 with end point identification option.

trap-to-host Forward IPv6 with end point identification option to FortiOS.

ipv6-optinvld Invalid option anomalies.Invalid option anomalies. option - trap-to-host

Option Description

allow Allow IPv6 with invalid option to pass.

drop Drop IPv6 with invalid option.

trap-to-host Forward IPv6 with invalid option to FortiOS.

config hpe

Parameter Description Type Size Default

tcpsyn-max Maximum TCP SYN packet rate. integer Minimum 600000

value: 1000
Maximum
value:
1000000000

tcpsyn-ack- Maximum TCP carries SYN and ACK flags packet integer Minimum 600000
max rate. value: 1000
Maximum
value:
1000000000

tcpfin-rst-max Maximum TCP carries FIN or RST flags packet rate. integer Minimum 600000
value: 1000
Maximum
value:
1000000000

FortiOS 7.4.4 CLI Reference 1442

Fortinet Inc.
Parameter Description Type Size Default

tcp-max Maximum TCP packet rate. integer Minimum 600000

value: 1000
Maximum
value:
1000000000

udp-max Maximum UDP packet rate. integer Minimum 600000

value: 1000
Maximum
value:
1000000000

icmp-max Maximum ICMP packet rate. integer Minimum 200000

value: 1000
Maximum
value:
1000000000

sctp-max Maximum SCTP packet rate. integer Minimum 200000

value: 1000
Maximum
value:
1000000000

esp-max Maximum ESP packet rate. integer Minimum 200000

value: 1000
Maximum
value:
1000000000

ip-frag-max Maximum fragmented IP packet rate. integer Minimum 200000

value: 1000
Maximum
value:
1000000000

ip-others-max Maximum IP packet rate for other packets. integer Minimum 200000
value: 1000
Maximum
value:
1000000000

arp-max Maximum ARP packet rate. integer Minimum 200000

value: 1000
Maximum
value:
1000000000

FortiOS 7.4.4 CLI Reference 1443

Fortinet Inc.
Parameter Description Type Size Default

l2-others-max Maximum L2 packet rate for L2 packets that are not integer Minimum 200000
ARP packets. value: 1000
Maximum
value:
1000000000

pri-type-max Maximum overflow rate of priority type traffic. integer Minimum 200000
Includes L2: HA, 802.3ad LACP, heartbeats. L3: value: 1000
OSPF. L4_TCP: BGP. L4_UDP: IKE, SLBC, BFD. Maximum
value:
1000000000

enable- Enable/Disable NPU Host Protection Engine(HPE) option - disable

shaper for packet type shaper.

Option Description

disable Disable NPU HPE shaping based on packet type.

enable Enable NPU HPE shaping based on packet type.

config system np6xlite

This command is available for model(s): FortiGate 100F, FortiGate 101F, FortiGate 200F,
FortiGate 201F, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 60F, FortiGate 61F, FortiGate
70F, FortiGate 71F, FortiGate 80F Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 81F-
POE, FortiGate 81F, FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiGateRugged
70F 3G4G, FortiGateRugged 70F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60F,
FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE,
FortiWiFi 81F 2R.
It is not available for: FortiGate 1000D, FortiGate 1000F, FortiGate 1001F, FortiGate 1100E,
FortiGate 1101E, FortiGate 140E-POE, FortiGate 140E, FortiGate 1800F, FortiGate 1801F,
FortiGate 2000E, FortiGate 200E, FortiGate 201E, FortiGate 2200E, FortiGate 2201E,
FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 3000F,
FortiGate 3001F, FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D,
FortiGate 3200F, FortiGate 3201F, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E,
FortiGate 3401E, FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E,
FortiGate 3700D, FortiGate 3700F, FortiGate 3701F, FortiGate 3960E, FortiGate 3980E,
FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E, FortiGate 401F,
FortiGate 4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F, FortiGate 5001E1,
FortiGate 5001E, FortiGate 500E, FortiGate 501E, FortiGate 600E, FortiGate 600F, FortiGate
601E, FortiGate 601F, FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 60E-POE,
FortiGate 60E, FortiGate 61E, FortiGate 800D, FortiGate 80E-POE, FortiGate 80E, FortiGate
81E-POE, FortiGate 81E, FortiGate 900D, FortiGate 90E, FortiGate 91E, FortiGate VM64,
FortiWiFi 60E DSLJ, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 61E.

Configure NP6XLITE attributes.

FortiOS 7.4.4 CLI Reference 1444

Fortinet Inc.
config system np6xlite
Description: Configure NP6XLITE attributes.
edit <name>
set congestion-handling-mode [flow-control|head-of-line]
set fastpath [disable|enable]
config fp-anomaly
Description: NP6XLITE IPv4 anomaly protection. The trap-to-host forwards anomaly
sessions to the CPU.
set tcp-syn-fin [allow|drop|...]
set tcp-fin-noack [allow|drop|...]
set tcp-fin-only [allow|drop|...]
set tcp-no-flag [allow|drop|...]
set tcp-syn-data [allow|drop|...]
set tcp-winnuke [allow|drop|...]
set tcp-land [allow|drop|...]
set udp-land [allow|drop|...]
set icmp-land [allow|drop|...]
set icmp-frag [allow|drop|...]
set ipv4-land [allow|drop|...]
set ipv4-proto-err [allow|drop|...]
set ipv4-unknopt [allow|drop|...]
set ipv4-optrr [allow|drop|...]
set ipv4-optssrr [allow|drop|...]
set ipv4-optlsrr [allow|drop|...]
set ipv4-optstream [allow|drop|...]
set ipv4-optsecurity [allow|drop|...]
set ipv4-opttimestamp [allow|drop|...]
set ipv4-csum-err [drop|trap-to-host]
set tcp-csum-err [drop|trap-to-host]
set udp-csum-err [drop|trap-to-host]
set icmp-csum-err [drop|trap-to-host]
set ipv6-land [allow|drop|...]
set ipv6-proto-err [allow|drop|...]
set ipv6-unknopt [allow|drop|...]
set ipv6-saddr-err [allow|drop|...]
set ipv6-daddr-err [allow|drop|...]
set ipv6-optralert [allow|drop|...]
set ipv6-optjumbo [allow|drop|...]
set ipv6-opttunnel [allow|drop|...]
set ipv6-opthomeaddr [allow|drop|...]
set ipv6-optnsap [allow|drop|...]
set ipv6-optendpid [allow|drop|...]
set ipv6-optinvld [allow|drop|...]
end
set garbage-session-collector [disable|enable]
config hpe
Description: HPE configuration.
set tcpsyn-max {integer}
set tcpsyn-ack-max {integer}
set tcpfin-rst-max {integer}
set tcp-others-max {integer}
set udp-max {integer}
set icmp-max {integer}
set sctp-max {integer}
set esp-max {integer}
set ip-frag-max {integer}

FortiOS 7.4.4 CLI Reference 1445

Fortinet Inc.
set ip-others-max {integer}
set arp-max {integer}
set l2-others-max {integer}
set pri-type-max {integer}
set enable-shaper [disable|enable]
end
set ipsec-inner-fragment [disable|enable]
set ipsec-sts-timeout [1|2|...]
set ipsec-throughput-msg-frequency [disable|32kb|...]
set per-session-accounting [disable|traffic-log-only|...]
set session-collector-interval {integer}
set session-timeout-fixed [disable|enable]
set session-timeout-interval {integer}
set session-timeout-random-range {integer}
next
end

config system np6xlite

Parameter Description Type Size Default

congestion- Configure Marvell switch packet congestion handling. option - head-of-line

handling-
mode *

Option Description

flow-control Pause peer sending additional traffic until congestion is resolved.

head-of-line Drop excessive traffic until congestion is resolved.

fastpath Enable/disable NP6XLITE offloading (also called fast option - enable

path).

Option Description

disable Disable NP6XLITE offloading (fast path).

enable Enable NP6XLITE offloading (fast path).

garbage- Enable/disable garbage session collector. option - disable

session-
collector

Option Description

disable Disable garbage session collector.

enable Enable garbage session collector.

ipsec-inner- Enable/disable NP6XLite IPsec fragmentation type: option - disable

fragment inner.

FortiOS 7.4.4 CLI Reference 1446

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable NP6XLite ipsec fragmentation type: outer.

enable Enable NP6XLite ipsec fragmentation type: inner.

ipsec-sts- Set NP6XLite IPsec STS message timeout. option - 5

timeout

Option Description

1 Set NP6Xlite STS message timeout to 1 sec (recommended for IPSec

throughput GUI).

2 Set NP6Xlite STS message timeout to 2 sec.

3 Set NP6Xlite STS message timeout to 3 sec.

4 Set NP6Xlite STS message timeout to 4 sec.

5 Set NP6Xlite STS message timeout to 5 sec (default).

6 Set NP6Xlite STS message timeout to 6 sec.

7 Set NP6Xlite STS message timeout to 7 sec.

8 Set NP6Xlite STS message timeout to 8 sec.

9 Set NP6Xlite STS message timeout to 9 sec.

10 Set NP6Xlite STS message timeout to 10 sec.

ipsec- Set NP6XLite IPsec throughput message frequency (0 = option - disable

throughput- disable).
msg-
frequency

Option Description

disable Disable NP6Xlite throughput update message.

32kb Set NP6Xlite throughput update message frequency to 32KB.

64kb Set NP6Xlite throughput update message frequency to 64KB.

128kb Set NP6Xlite throughput update message frequency to 128KB.

256kb Set NP6Xlite throughput update message frequency to 256KB.

512kb Set NP6Xlite throughput update message frequency to 512KB.

1mb Set NP6Xlite throughput update message frequency to 1MB.

2mb Set NP6Xlite throughput update message frequency to 2MB.

FortiOS 7.4.4 CLI Reference 1447

Fortinet Inc.
Parameter Description Type Size Default

Option Description

4mb Set NP6Xlite throughput update message frequency to 4MB.

8mb Set NP6Xlite throughput update message frequency to 8MB.

16mb Set NP6Xlite throughput update message frequency to 16MB.

32mb Set NP6Xlite throughput update message frequency to 32MB.

64mb Set NP6Xlite throughput update message frequency to 64MB.

128mb Set NP6Xlite throughput update message frequency to 128MB.

256mb Set NP6Xlite throughput update message frequency to 256MB.

512mb Set NP6Xlite throughput update message frequency to 512MB.

1gb Set NP6Xlite throughput update message frequency to 1GB.

name Device Name. string Maximum

length: 31

per-session- Enable/disable per-session accounting. option - traffic-log-

accounting only

Option Description

disable Disable per-session accounting.

traffic-log-only Per-session accounting only for sessions with traffic logging enabled in
firewall policy.

enable Per-session accounting for all sessions.

session- Set garbage session collection cleanup interval. integer Minimum 64

collector- value: 1
interval Maximum
value: 100

session- Enable/disable fixed timeout interval mode. option - disable

timeout-fixed

Option Description

disable Disable NPU session timeout at fixed interval.

enable Enable NPU session timeout at fixed interval.

session- Set session timeout interval. integer Minimum 40

timeout- value: 0
interval Maximum
value: 1000

FortiOS 7.4.4 CLI Reference 1448

Fortinet Inc.
Parameter Description Type Size Default

session- Set the randomization range. integer Minimum 8

timeout- value: 0
random-range Maximum
value: 1000

* This parameter may not exist in some models.

config fp-anomaly

Parameter Description Type Size Default

tcp-syn-fin TCP SYN flood SYN/FIN flag set anomalies. option - allow

Option Description

allow Allow TCP packets with syn_fin flag set to pass.

drop Drop TCP packets with syn_fin flag set.

trap-to-host Forward TCP packets with syn_fin flag set to FortiOS.

tcp-fin-noack TCP SYN flood with FIN flag set without ACK setting option - trap-to-host
anomalies.

Option Description

allow Allow TCP packets with FIN flag set without ack setting to pass.

drop Drop TCP packets with FIN flag set without ack setting.

trap-to-host Forward TCP packets with FIN flag set without ack setting to FortiOS.

tcp-fin-only TCP SYN flood with only FIN flag set anomalies. option - trap-to-host

Option Description

allow Allow TCP packets with FIN flag set only to pass.

drop Drop TCP packets with FIN flag set only.

trap-to-host Forward TCP packets with FIN flag set only to FortiOS.

tcp-no-flag TCP SYN flood with no flag set anomalies. option - allow

Option Description

allow Allow TCP packets without flag set to pass.

drop Drop TCP packets without flag set.

trap-to-host Forward TCP packets without flag set to FortiOS.

tcp-syn-data TCP SYN flood packets with data anomalies. option - allow

allow Allow IPv4 land attack to pass.

drop Drop IPv4 land attack.

trap-to-host Forward IPv4 land attack to FortiOS.

ipv4-proto-err Invalid layer 4 protocol anomalies. option - trap-to-host

Option Description

allow Allow IPv4 invalid L4 protocol to pass.

drop Drop IPv4 invalid L4 protocol.

trap-to-host Forward IPv4 invalid L4 protocol to FortiOS.

ipv4-unknopt Unknown option anomalies. option - trap-to-host

Option Description

allow Allow IPv4 with unknown options to pass.

drop Drop IPv4 with unknown options.

trap-to-host Forward IPv4 with unknown options to FortiOS.

ipv4-optrr Record route option anomalies. option - trap-to-host

Option Description

allow Allow IPv4 with record route option to pass.

drop Drop IPv4 with record route option.

trap-to-host Forward IPv4 with record route option to FortiOS.

ipv4-optssrr Strict source record route option anomalies. option - trap-to-host

Option Description

allow Allow IPv4 with strict source record route option to pass.

drop Drop IPv4 with strict source record route option.

trap-to-host Forward IPv4 with strict source record route option to FortiOS.

FortiOS 7.4.4 CLI Reference 1451

Fortinet Inc.
Parameter Description Type Size Default

ipv4-optlsrr Loose source record route option anomalies. option - trap-to-host

Option Description

allow Allow IPv4 with loose source record route option to pass.

drop Drop IPv4 with loose source record route option.

trap-to-host Forward IPv4 with loose source record route option to FortiOS.

ipv4-optstream Stream option anomalies. option - trap-to-host

Option Description

allow Allow IPv4 with stream option to pass.

drop Drop IPv4 with stream option.

trap-to-host Forward IPv4 with stream option to FortiOS.

ipv4-optsecurity Security option anomalies. option - trap-to-host

Option Description

allow Allow IPv4 with security option to pass.

FortiOS 7.4.4 CLI Reference 1452

Fortinet Inc.
Parameter Description Type Size Default

Option Description

drop Drop IPv6 land attack.

trap-to-host Forward IPv6 land attack to FortiOS.

ipv6-proto-err Layer 4 invalid protocol anomalies. option - trap-to-host

trap-to-host Forward IPv6 with tunnel encapsulation limit to FortiOS.

ipv6- Home address option anomalies. option - trap-to-host

opthomeaddr

FortiOS 7.4.4 CLI Reference 1454

Fortinet Inc.
Parameter Description Type Size Default

Option Description

allow Allow IPv6 with home address option to pass.

drop Drop IPv6 with home address option.

trap-to-host Forward IPv6 with home address option to FortiOS.

ipv6-optnsap Network service access point address option option - trap-to-host

anomalies.

Option Description

allow Allow IPv6 with network service access point address option to pass.

drop Drop IPv6 with network service access point address option.

trap-to-host Forward IPv6 with network service access point address option to FortiOS.

ipv6-optendpid End point identification anomalies. option - trap-to-host

Option Description

allow Allow IPv6 with end point identification option to pass.

drop Drop IPv6 with end point identification option.

trap-to-host Forward IPv6 with end point identification option to FortiOS.

ipv6-optinvld Invalid option anomalies.Invalid option anomalies. option - trap-to-host

Option Description

allow Allow IPv6 with invalid option to pass.

drop Drop IPv6 with invalid option.

trap-to-host Forward IPv6 with invalid option to FortiOS.

config hpe

Parameter Description Type Size Default

tcpsyn-max Maximum TCP SYN only packet rate. integer Minimum 600000
value: 1000
Maximum
value:
1000000000

FortiOS 7.4.4 CLI Reference 1455

Fortinet Inc.
Parameter Description Type Size Default

tcpsyn-ack- Maximum TCP carries SYN and ACK flags packet integer Minimum 600000
max rate. value: 1000
Maximum
value:
1000000000

tcpfin-rst-max Maximum TCP carries FIN or RST flags packet rate. integer Minimum 600000
value: 1000
Maximum
value:
1000000000

tcp-others- Maximum TCP packet rate for TCP packets that integer Minimum 600000
max match none of the 3 types above. value: 1000
Maximum
value:
1000000000

udp-max Maximum UDP packet rate. integer Minimum 600000

value: 1000
Maximum
value:
1000000000

icmp-max Maximum ICMP packet rate. integer Minimum 200000

value: 1000
Maximum
value:
1000000000

sctp-max Maximum SCTP packet rate. integer Minimum 200000

value: 1000
Maximum
value:
1000000000

esp-max Maximum ESP packet rate. integer Minimum 200000

value: 1000
Maximum
value:
1000000000

ip-frag-max Maximum fragmented IP packet rate. integer Minimum 200000

value: 1000
Maximum
value:
1000000000

FortiOS 7.4.4 CLI Reference 1456

Fortinet Inc.
Parameter Description Type Size Default

ip-others-max Maximum IP packet rate for other packets. integer Minimum 200000
value: 1000
Maximum
value:
1000000000

arp-max Maximum ARP packet rate. integer Minimum 200000

value: 1000
Maximum
value:
1000000000

l2-others-max Maximum L2 packet rate for L2 packets that are not integer Minimum 200000
ARP packets. value: 1000
Maximum
value:
1000000000

enable- Enable/Disable NPU host protection engine (HPE) option - disable

shaper shaper.

Option Description

disable Disable NPU HPE shaping based on packet type.

enable Enable NPU HPE shaping based on packet type.

FortiOS 7.4.4 CLI Reference 1457

Fortinet Inc.
config system npu-post

This command is available for model(s): FortiGate 1000F, FortiGate 1001F, FortiGate 1800F,
FortiGate 1801F, FortiGate 2600F, FortiGate 2601F, FortiGate 3000F, FortiGate 3001F,
FortiGate 3200F, FortiGate 3201F, FortiGate 3500F, FortiGate 3501F, FortiGate 3700F,
FortiGate 3701F, FortiGate 400F, FortiGate 401F, FortiGate 4200F, FortiGate 4201F,
FortiGate 4400F, FortiGate 4401F, FortiGate 600F, FortiGate 601F.
It is not available for: FortiGate 1000D, FortiGate 100F, FortiGate 101F, FortiGate 1100E,
FortiGate 1101E, FortiGate 140E-POE, FortiGate 140E, FortiGate 2000E, FortiGate 200E,
FortiGate 200F, FortiGate 201E, FortiGate 201F, FortiGate 2200E, FortiGate 2201E,
FortiGate 2500E, FortiGate 3000D, FortiGate 300E, FortiGate 301E, FortiGate 3100D,
FortiGate 3200D, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E,
FortiGate 3600E, FortiGate 3601E, FortiGate 3700D, FortiGate 3960E, FortiGate 3980E,
FortiGate 400E Bypass, FortiGate 400E, FortiGate 401E, FortiGate 40F 3G4G, FortiGate 40F,
FortiGate 5001E1, FortiGate 5001E, FortiGate 500E, FortiGate 501E, FortiGate 600E,
FortiGate 601E, FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E,
FortiGate 60F, FortiGate 61E, FortiGate 61F, FortiGate 70F, FortiGate 71F, FortiGate 800D,
FortiGate 80E-POE, FortiGate 80E, FortiGate 80F Bypass, FortiGate 80F-POE, FortiGate
80F, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 81F, FortiGate 900D,
FortiGate 90E, FortiGate 91E, FortiGate VM64, FortiGateRugged 60F 3G4G,
FortiGateRugged 60F, FortiGateRugged 70F 3G4G, FortiGateRugged 70F, FortiWiFi 40F
3G4G, FortiWiFi 40F, FortiWiFi 60E DSLJ, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 60F,
FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F
2R-POE, FortiWiFi 81F 2R.

Configure NPU attributes after interface initialization.

config system npu-post
Description: Configure NPU attributes after interface initialization.
set npu-group-effective-scope {integer}
config port-npu-map
Description: Configure port to NPU group list.
edit <interface>
set npu-group <group-name1>, <group-name2>, ...
next
end
end

config system npu-post

Parameter Description Type Size Default

npu-group- npu-group-effective-scope defines under which npu- integer Minimum 255

effective- group cmds such as list/purge will be excecuted. Default value: 0
scope scope is for all four HS-ok groups.. Maximum
value: 255

FortiOS 7.4.4 CLI Reference 1458

Fortinet Inc.
config port-npu-map

Parameter Description Type Size Default

interface Set NPU interface port for NPU group mapping. string Maximum
length: 15

npu-group Mapping NPU group list. string Maximum

<group- NPU group name. length: 15
name>

config system npu-setting prp

This command is available for model(s): FortiGate 100F, FortiGate 101F, FortiGate 60F,
FortiGate 61F, FortiGate 70F, FortiGate 71F, FortiGateRugged 60F 3G4G, FortiGateRugged
60F, FortiGateRugged 70F 3G4G, FortiGateRugged 70F, FortiWiFi 60F, FortiWiFi 61F.
It is not available for: FortiGate 1000D, FortiGate 1000F, FortiGate 1001F, FortiGate 1100E,
FortiGate 1101E, FortiGate 140E-POE, FortiGate 140E, FortiGate 1800F, FortiGate 1801F,
FortiGate 2000E, FortiGate 200E, FortiGate 200F, FortiGate 201E, FortiGate 201F, FortiGate
2200E, FortiGate 2201E, FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate
3000D, FortiGate 3000F, FortiGate 3001F, FortiGate 300E, FortiGate 301E, FortiGate 3100D,
FortiGate 3200D, FortiGate 3200F, FortiGate 3201F, FortiGate 3300E, FortiGate 3301E,
FortiGate 3400E, FortiGate 3401E, FortiGate 3500F, FortiGate 3501F, FortiGate 3600E,
FortiGate 3601E, FortiGate 3700D, FortiGate 3700F, FortiGate 3701F, FortiGate 3960E,
FortiGate 3980E, FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E,
FortiGate 401F, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4201F,
FortiGate 4400F, FortiGate 4401F, FortiGate 5001E1, FortiGate 5001E, FortiGate 500E,
FortiGate 501E, FortiGate 600E, FortiGate 600F, FortiGate 601E, FortiGate 601F, FortiGate
60E DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 61E, FortiGate
800D, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F Bypass, FortiGate 80F-POE,
FortiGate 80F, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 81F,
FortiGate 900D, FortiGate 90E, FortiGate 91E, FortiGate VM64, FortiWiFi 40F 3G4G,
FortiWiFi 40F, FortiWiFi 60E DSLJ, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 61E,
FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.

Configure NPU PRP attributes.

config system npu-setting prp
Description: Configure NPU PRP attributes.
set prp-port-in <interface-name1>, <interface-name2>, ...
set prp-port-out <interface-name1>, <interface-name2>, ...
end

FortiOS 7.4.4 CLI Reference 1459

Fortinet Inc.
config system npu-setting prp

Parameter Description Type Size Default

prp-port-in Ingress port configured to allow the PRP trailer not string Maximum
<interface- be stripped off when the PRP packets come in. All of length: 35
name> the traffic originating from these ports will always be
sent to the host.
Physical interface name.

prp-port-out Egress port configured to allow the PRP trailer not be string Maximum
<interface- stripped off when the PRP packets go out. length: 35
name> Physical interface name.

config system npu-vlink

Configure NPU VDOM link.

config system npu-vlink
Description: Configure NPU VDOM link.
edit <name>
next
end

FortiOS 7.4.4 CLI Reference 1460

Fortinet Inc.
config system npu-vlink

Parameter Description Type Size Default

name NPU VDOM link name in format npuX_vlink. X means x- string Maximum
th pair of npu-vlink. Maximum 14 characters. length: 19

config system npu

This command is available for model(s): FortiGate 1000D, FortiGate 1000F, FortiGate 1001F,
FortiGate 100F, FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 140E-POE,
FortiGate 140E, FortiGate 1800F, FortiGate 1801F, FortiGate 2000E, FortiGate 200E,
FortiGate 200F, FortiGate 201E, FortiGate 201F, FortiGate 2200E, FortiGate 2201E,
FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 3000F,
FortiGate 3001F, FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D,
FortiGate 3200F, FortiGate 3201F, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E,
FortiGate 3401E, FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E,
FortiGate 3700D, FortiGate 3700F, FortiGate 3701F, FortiGate 3960E, FortiGate 3980E,
FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E, FortiGate 401F,
FortiGate 40F 3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F,
FortiGate 4401F, FortiGate 5001E1, FortiGate 5001E, FortiGate 500E, FortiGate 501E,
FortiGate 600E, FortiGate 600F, FortiGate 601E, FortiGate 601F, FortiGate 60E DSLJ,
FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E,
FortiGate 61F, FortiGate 70F, FortiGate 71F, FortiGate 800D, FortiGate 80E-POE, FortiGate
80E, FortiGate 80F Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 81E-POE,
FortiGate 81E, FortiGate 81F-POE, FortiGate 81F, FortiGate 900D, FortiGateRugged 60F
3G4G, FortiGateRugged 60F, FortiGateRugged 70F 3G4G, FortiGateRugged 70F, FortiWiFi
40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSLJ, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi
60F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi
81F 2R-POE, FortiWiFi 81F 2R.
It is not available for: FortiGate 90E, FortiGate 91E, FortiGate VM64.

Configure NPU attributes.

config system npu
Description: Configure NPU attributes.
set capwap-offload [enable|disable]
set dedicated-management-affinity {string}
set dedicated-management-cpu [enable|disable]
set default-qos-type [policing|shaping|...]
config dos-options
Description: NPU DoS configurations.
set npu-dos-meter-mode [global|local]
set npu-dos-tpe-mode [enable|disable]
end
set double-level-mcast-offload [enable|disable]
config dsw-dts-profile
Description: Configure NPU DSW DTS profile.
edit <profile-id>
set min-limit {integer}

FortiOS 7.4.4 CLI Reference 1461

Fortinet Inc.
set step {integer}
set action [wait|drop|...]
next
end
config dsw-queue-dts-profile
Description: Configure NPU DSW Queue DTS profile.
edit <name>
set iport [eif0|eif1|...]
set oport [eif0|eif1|...]
set profile-id {integer}
set queue-select {integer}
next
end
set fastpath [disable|enable]
config fp-anomaly
Description: IPv4/IPv6 anomaly protection.
set tcp-syn-fin [allow|drop|...]
set tcp-fin-noack [allow|drop|...]
set tcp-fin-only [allow|drop|...]
set tcp-no-flag [allow|drop|...]
set tcp-syn-data [allow|drop|...]
set tcp-winnuke [allow|drop|...]
set tcp-land [allow|drop|...]
set udp-land [allow|drop|...]
set icmp-land [allow|drop|...]
set icmp-frag [allow|drop|...]
set ipv4-land [allow|drop|...]
set ipv4-proto-err [allow|drop|...]
set ipv4-unknopt [allow|drop|...]
set ipv4-optrr [allow|drop|...]
set ipv4-optssrr [allow|drop|...]
set ipv4-optlsrr [allow|drop|...]
set ipv4-optstream [allow|drop|...]
set ipv4-optsecurity [allow|drop|...]
set ipv4-opttimestamp [allow|drop|...]
set ipv4-csum-err [drop|trap-to-host]
set tcp-csum-err [drop|trap-to-host]
set udp-csum-err [drop|trap-to-host]
set icmp-csum-err [drop|trap-to-host]
set sctp-csum-err [allow|drop|...]
set ipv6-land [allow|drop|...]
set ipv6-proto-err [allow|drop|...]
set ipv6-unknopt [allow|drop|...]
set ipv6-saddr-err [allow|drop|...]
set ipv6-daddr-err [allow|drop|...]
set ipv6-optralert [allow|drop|...]
set ipv6-optjumbo [allow|drop|...]
set ipv6-opttunnel [allow|drop|...]
set ipv6-opthomeaddr [allow|drop|...]
set ipv6-optnsap [allow|drop|...]
set ipv6-optendpid [allow|drop|...]
set ipv6-optinvld [allow|drop|...]
end
set gtp-enhanced-cpu-range [0|1|...]
set gtp-enhanced-mode [enable|disable]
set gtp-support [enable|disable]

FortiOS 7.4.4 CLI Reference 1462

Fortinet Inc.
set hash-tbl-spread [enable|disable]
set host-shortcut-mode [bi-directional|host-shortcut]
config hpe
Description: Host protection engine configuration.
set all-protocol {integer}
set tcpsyn-max {integer}
set tcpsyn-ack-max {integer}
set tcpfin-rst-max {integer}
set tcp-max {integer}
set udp-max {integer}
set icmp-max {integer}
set sctp-max {integer}
set esp-max {integer}
set ip-frag-max {integer}
set ip-others-max {integer}
set arp-max {integer}
set l2-others-max {integer}
set high-priority {integer}
set enable-shaper [disable|enable]
end
set htab-dedi-queue-nr {integer}
set htab-msg-queue [data|idle|...]
set htx-gtse-quota [100Mbps|200Mbps|...]
set htx-icmp-csum-chk [drop|pass]
set inbound-dscp-copy-port <interface1>, <interface2>, ...
set intf-shaping-offload [enable|disable]
set ip-fragment-offload [disable|enable]
config ip-reassembly
Description: IP reassebmly engine configuration.
set min-timeout {integer}
set max-timeout {integer}
set status [disable|enable]
end
set iph-rsvd-re-cksum [enable|disable]
set ipsec-dec-subengine-mask {user}
set ipsec-enc-subengine-mask {user}
set ipsec-inbound-cache [enable|disable]
set ipsec-mtu-override [disable|enable]
set ipsec-ob-np-sel [rr|Packet|...]
set ipsec-over-vlink [enable|disable]
config isf-np-queues
Description: Configure queues of switch port connected to NP6 XAUI on ingress path.
set cos0 {string}
set cos1 {string}
set cos2 {string}
set cos3 {string}
set cos4 {string}
set cos5 {string}
set cos6 {string}
set cos7 {string}
end
set lag-out-port-select [disable|enable]
set max-receive-unit {integer}
set max-session-timeout {integer}
set mcast-session-accounting [tpe-based|session-based|...]
set napi-break-interval {integer}

FortiOS 7.4.4 CLI Reference 1463

Fortinet Inc.
config np-queues
Description: Configure queue assignment on NP7.
config profile
Description: Configure a NP7 class profile.
edit <id>
set type [cos|dscp]
set weight {integer}
set cos0 [queue0|queue1|...]
set cos1 [queue0|queue1|...]
set cos2 [queue0|queue1|...]
set cos3 [queue0|queue1|...]
set cos4 [queue0|queue1|...]
set cos5 [queue0|queue1|...]
set cos6 [queue0|queue1|...]
set cos7 [queue0|queue1|...]
set dscp0 [queue0|queue1|...]
set dscp1 [queue0|queue1|...]
set dscp2 [queue0|queue1|...]
set dscp3 [queue0|queue1|...]
set dscp4 [queue0|queue1|...]
set dscp5 [queue0|queue1|...]
set dscp6 [queue0|queue1|...]
set dscp7 [queue0|queue1|...]
set dscp8 [queue0|queue1|...]
set dscp9 [queue0|queue1|...]
set dscp10 [queue0|queue1|...]
set dscp11 [queue0|queue1|...]
set dscp12 [queue0|queue1|...]
set dscp13 [queue0|queue1|...]
set dscp14 [queue0|queue1|...]
set dscp15 [queue0|queue1|...]
set dscp16 [queue0|queue1|...]
set dscp17 [queue0|queue1|...]
set dscp18 [queue0|queue1|...]
set dscp19 [queue0|queue1|...]
set dscp20 [queue0|queue1|...]
set dscp21 [queue0|queue1|...]
set dscp22 [queue0|queue1|...]
set dscp23 [queue0|queue1|...]
set dscp24 [queue0|queue1|...]
set dscp25 [queue0|queue1|...]
set dscp26 [queue0|queue1|...]
set dscp27 [queue0|queue1|...]
set dscp28 [queue0|queue1|...]
set dscp29 [queue0|queue1|...]
set dscp30 [queue0|queue1|...]
set dscp31 [queue0|queue1|...]
set dscp32 [queue0|queue1|...]
set dscp33 [queue0|queue1|...]
set dscp34 [queue0|queue1|...]
set dscp35 [queue0|queue1|...]
set dscp36 [queue0|queue1|...]
set dscp37 [queue0|queue1|...]
set dscp38 [queue0|queue1|...]
set dscp39 [queue0|queue1|...]
set dscp40 [queue0|queue1|...]

FortiOS 7.4.4 CLI Reference 1464

Fortinet Inc.
set dscp41 [queue0|queue1|...]
set dscp42 [queue0|queue1|...]
set dscp43 [queue0|queue1|...]
set dscp44 [queue0|queue1|...]
set dscp45 [queue0|queue1|...]
set dscp46 [queue0|queue1|...]
set dscp47 [queue0|queue1|...]
set dscp48 [queue0|queue1|...]
set dscp49 [queue0|queue1|...]
set dscp50 [queue0|queue1|...]
set dscp51 [queue0|queue1|...]
set dscp52 [queue0|queue1|...]
set dscp53 [queue0|queue1|...]
set dscp54 [queue0|queue1|...]
set dscp55 [queue0|queue1|...]
set dscp56 [queue0|queue1|...]
set dscp57 [queue0|queue1|...]
set dscp58 [queue0|queue1|...]
set dscp59 [queue0|queue1|...]
set dscp60 [queue0|queue1|...]
set dscp61 [queue0|queue1|...]
set dscp62 [queue0|queue1|...]
set dscp63 [queue0|queue1|...]
next
end
config ethernet-type
Description: Configure a NP7 QoS Ethernet Type.
edit <name>
set type {ether-type}
set queue {integer}
set weight {integer}
next
end
config ip-protocol
Description: Configure a NP7 QoS IP Protocol.
edit <name>
set protocol {integer}
set queue {integer}
set weight {integer}
next
end
config ip-service
Description: Configure a NP7 QoS IP Service.
edit <name>
set protocol {integer}
set sport {integer}
set dport {integer}
set queue {integer}
set weight {integer}
next
end
config scheduler
Description: Configure a NP7 QoS Scheduler.
edit <name>
set mode [none|priority|...]
next

FortiOS 7.4.4 CLI Reference 1465

Fortinet Inc.
end
end
set np6-cps-optimization-mode [enable|disable]
config npu-tcam
Description: Configure NPU TCAM policies.
edit <name>
set type [L2_src_tc|L2_tgt_tc|...]
set oid {integer}
set vid {integer}
config data
Description: Data fields of TCAM.
set gen-buf-cnt {integer}
set gen-pri {integer}
set gen-pri-v [valid|invalid]
set gen-iv [valid|invalid]
set gen-tv [valid|invalid]
set gen-pkt-ctrl {integer}
set gen-l3-flags {integer}
set gen-l4-flags {integer}
set vdid {integer}
set tp {integer}
set tgt-updt [enable|disable]
set smac-change [enable|disable]
set ext-tag [enable|disable]
set tgt-v [valid|invalid]
set tvid {integer}
set tgt-cfi [enable|disable]
set tgt-prio {integer}
set sp {integer}
set src-updt [enable|disable]
set slink {integer}
set svid {integer}
set src-cfi [enable|disable]
set src-prio {integer}
set srcmac {mac-address}
set dstmac {mac-address}
set ethertype {ether-type}
set ipver {integer}
set ihl {integer}
set ip4-id {integer}
set srcip {ipv4-address-any}
set dstip {ipv4-address-any}
set ip6-fl {integer}
set srcipv6 {ipv6-address}
set dstipv6 {ipv6-address}
set ttl {integer}
set protocol {integer}
set tos {integer}
set frag-off {integer}
set mf [enable|disable]
set df [enable|disable]
set srcport {integer}
set dstport {integer}
set tcp-fin [enable|disable]
set tcp-syn [enable|disable]
set tcp-rst [enable|disable]

FortiOS 7.4.4 CLI Reference 1466

Fortinet Inc.
set tcp-push [enable|disable]
set tcp-ack [enable|disable]
set tcp-urg [enable|disable]
set tcp-ece [enable|disable]
set tcp-cwr [enable|disable]
set l4-wd8 {integer}
set l4-wd9 {integer}
set l4-wd10 {integer}
set l4-wd11 {integer}
end
config mask
Description: Mask fields of TCAM.
set gen-buf-cnt {integer}
set gen-pri {integer}
set gen-pri-v [valid|invalid]
set gen-iv [valid|invalid]
set gen-tv [valid|invalid]
set gen-pkt-ctrl {integer}
set gen-l3-flags {integer}
set gen-l4-flags {integer}
set vdid {integer}
set tp {integer}
set tgt-updt [enable|disable]
set smac-change [enable|disable]
set ext-tag [enable|disable]
set tgt-v [valid|invalid]
set tvid {integer}
set tgt-cfi [enable|disable]
set tgt-prio {integer}
set sp {integer}
set src-updt [enable|disable]
set slink {integer}
set svid {integer}
set src-cfi [enable|disable]
set src-prio {integer}
set srcmac {mac-address}
set dstmac {mac-address}
set ethertype {ether-type}
set ipver {integer}
set ihl {integer}
set ip4-id {integer}
set srcip {ipv4-address-any}
set dstip {ipv4-address-any}
set ip6-fl {integer}
set srcipv6 {ipv6-address}
set dstipv6 {ipv6-address}
set ttl {integer}
set protocol {integer}
set tos {integer}
set frag-off {integer}
set mf [enable|disable]
set df [enable|disable]
set srcport {integer}
set dstport {integer}
set tcp-fin [enable|disable]
set tcp-syn [enable|disable]

FortiOS 7.4.4 CLI Reference 1467

Fortinet Inc.
set tcp-rst [enable|disable]
set tcp-push [enable|disable]
set tcp-ack [enable|disable]
set tcp-urg [enable|disable]
set tcp-ece [enable|disable]
set tcp-cwr [enable|disable]
set l4-wd8 {integer}
set l4-wd9 {integer}
set l4-wd10 {integer}
set l4-wd11 {integer}
end
config mir-act
Description: Mirror action of TCAM.
set vlif {integer}
end
config pri-act
Description: Priority action of TCAM.
set priority {integer}
set weight {integer}
end
config sact
Description: Source action of TCAM.
set fwd-lif-v [enable|disable]
set fwd-lif {integer}
set fwd-tvid-v [enable|disable]
set fwd-tvid {integer}
set df-lif-v [enable|disable]
set df-lif {integer}
set act-v [enable|disable]
set act {integer}
set pleen-v [enable|disable]
set pleen {integer}
set icpen-v [enable|disable]
set icpen {integer}
set vdm-v [enable|disable]
set vdm {integer}
set learn-v [enable|disable]
set learn {integer}
set rfsh-v [enable|disable]
set rfsh {integer}
set fwd-v [enable|disable]
set fwd {integer}
set x-mode-v [enable|disable]
set x-mode {integer}
set promis-v [enable|disable]
set promis {integer}
set bmproc-v [enable|disable]
set bmproc {integer}
set mac-id-v [enable|disable]
set mac-id {integer}
set dosen-v [enable|disable]
set dosen {integer}
set dfr-v [enable|disable]
set dfr {integer}
set m-srh-ctrl-v [enable|disable]
set m-srh-ctrl {integer}

FortiOS 7.4.4 CLI Reference 1468

Fortinet Inc.
set tpe-id-v [enable|disable]
set tpe-id {integer}
set vdom-id-v [enable|disable]
set vdom-id {integer}
set mss-v [enable|disable]
set mss {integer}
set tp-smchk-v [enable|disable]
set tp_smchk {integer}
set etype-pid-v [enable|disable]
set etype-pid {integer}
set frag-proc-v [enable|disable]
set frag-proc {integer}
set espff-proc-v [enable|disable]
set espff-proc {integer}
set prio-pid-v [enable|disable]
set prio-pid {integer}
set igmp-mld-snp-v [enable|disable]
set igmp-mld-snp {integer}
set smac-skip-v [enable|disable]
set smac-skip {integer}
set dmac-skip-v [enable|disable]
set dmac-skip {integer}
end
config tact
Description: Target action of TCAM.
set act-v [enable|disable]
set act {integer}
set mtuv4-v [enable|disable]
set mtuv4 {integer}
set mtuv6-v [enable|disable]
set mtuv6 {integer}
set mac-id-v [enable|disable]
set mac-id {integer}
set slif-act-v [enable|disable]
set slif-act {integer}
set tlif-act-v [enable|disable]
set tlif-act {integer}
set tgtv-act-v [enable|disable]
set tgtv-act {integer}
set tpeid-v [enable|disable]
set tpeid {integer}
set v6fe-v [enable|disable]
set v6fe {integer}
set xlt-vid-v [enable|disable]
set xlt-vid {integer}
set xlt-lif-v [enable|disable]
set xlt-lif {integer}
set mss-t-v [enable|disable]
set mss-t {integer}
set lnkid-v [enable|disable]
set lnkid {integer}
set sublnkid-v [enable|disable]
set sublnkid {integer}
set fmtuv4-s-v [enable|disable]
set fmtuv4-s {integer}
set fmtuv6-s-v [enable|disable]

FortiOS 7.4.4 CLI Reference 1469

Fortinet Inc.
set fmtuv6-s {integer}
set vep-en-v [enable|disable]
set vep_en {integer}
set vep-slid-v [enable|disable]
set vep-slid {integer}
end
next
end
set per-policy-accounting [disable|enable]
set per-session-accounting [traffic-log-only|disable|...]
config port-cpu-map
Description: Configure NPU interface to CPU core mapping.
edit <interface>
set cpu-core {string}
next
end
config port-npu-map
Description: Configure port to NPU group mapping.
edit <interface>
set npu-group-index {integer}
next
end
config port-path-option
Description: Configure port using NPU or Intel-NIC.
set ports-using-npu <interface-name1>, <interface-name2>, ...
end
config priority-protocol
Description: Configure NPU priority protocol.
set bgp [enable|disable]
set slbc [enable|disable]
set bfd [enable|disable]
end
set qos-mode [disable|priority|...]
set qtm-buf-mode [6ch|4ch]
set rdp-offload [enable|disable]
set session-acct-interval {integer}
set session-denied-offload [disable|enable]
set shaping-stats [disable|enable]
set split-ipsec-engines [disable|enable]
set sse-backpressure [enable|disable]
set strip-clear-text-padding [enable|disable]
set strip-esp-padding [enable|disable]
config sw-eh-hash
Description: Configure switch enhanced hashing.
set computation [xor16|xor8|...]
set ip-protocol [include|exclude]
set source-ip-upper-16 [include|exclude]
set source-ip-lower-16 [include|exclude]
set destination-ip-upper-16 [include|exclude]
set destination-ip-lower-16 [include|exclude]
set source-port [include|exclude]
set destination-port [include|exclude]
set netmask-length {integer}
end
set sw-np-bandwidth [0G|2G|...]
config sw-tr-hash

FortiOS 7.4.4 CLI Reference 1470

config system npu

shaping QoS type shaping.

policing- Enhanced QoS type policing.

enhanced

double-level- Enable double level mcast offload. option - disable

mcast-offload *

FortiOS 7.4.4 CLI Reference 1471

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable double level mcast offload.

disable Disable double level mcast offload.

fastpath * Enable/disable NP6 offloading (also called fast option - enable

path).

Option Description

disable Disable NP6 offloading (fast path).

enable Enable NP6 offloading (fast path).

gtp-enhanced- GTP enhanced CPU range option. option - 0

cpu-range *

Option Description

0 Inspect GTPU packets by all CPUs.

1 Inspect GTPU packets by Master CPUs.

2 Inspect GTPU packets by Slave CPUs.

gtp-enhanced- Enable/disable GTP enhanced mode. option - disable

mode *

Option Description

enable Enable GTP enhanced mode.

disable Disable GTP enhanced mode.

gtp-support * Enable/Disable NP7 GTP support option - disable

Option Description

enable Enable NP7 GTP support

disable Disable NP7 GTP support

hash-tbl-spread * Enable/disable hash table entry spread. option - enable

Option Description

enable Enable hash table entry spread.

disable Disable hash table entry spread.

host-shortcut- Set NP6 host shortcut mode. option - bi-directional

mode *

FortiOS 7.4.4 CLI Reference 1472

Fortinet Inc.
Parameter Description Type Size Default

Option Description

bi-directional Offload TCP and IP Tunnel sessions in both directions between 10G and
1G interfaces (normal operation).

host-shortcut Only offload TCP and IP Tunnel sessions received by 1G interfaces. Select
if packets are dropped for offloaded traffic between 10G to 1G interfaces.

htab-dedi-queue- Set the number of dedicate queue for hash table integer Minimum 1
nr * messages. value: 1
Maximum
value: 2

htab-msg-queue Set hash table message queue mode. option - data

Option Description

data Use data queue.

idle Use idle queue.

dedicated Use dedicated queue.

htx-gtse-quota * Configure HTX GTSE quota. option - 1Gbps

Option Description

100Mbps 100Mbps.

200Mbps 200Mbps.

300Mbps 300Mbps.

400Mbps 400Mbps.

500Mbps 500Mbps.

600Mbps 600Mbps.

700Mbps 700Mbps.

800Mbps 800Mbps.

900Mbps 900Mbps.

1Gbps 1Gbps.

2Gbps 2Gbps.

4Gbps 4Gbps.

8Gbps 8Gbps.

10Gbps 10Gbps.

FortiOS 7.4.4 CLI Reference 1473

Fortinet Inc.
Parameter Description Type Size Default

htx-icmp-csum- Set HTX icmp csum checking mode. option - drop

chk *

Option Description

drop Drop bad icmp csum.

pass Pass bad icmp csum.

enable Enable IP checksum re-calculation for packets with iph.reserved bit set.

disable Disable IP checksum re-calculation for packets with iph.reserved bit set.

ipsec-dec- IPsec decryption subengine mask. user Not

subengine-mask Specified
*

ipsec-enc- IPsec encryption subengine mask. user Not

enable Enable IPSEC over vlink.

disable Disable IPSEC over vlink.

lag-out-port- Enable/disable LAG outgoing port selection based option - disable

select * on incoming traffic port.

Option Description

disable Disable LAG outgoing trunk in switch.

enable Enable LAG outgoing trunk in switch.

max-receive-unit Set the maximum packet size for receive, larger integer Minimum 10000
* packets will be silently dropped. value: 64
Maximum
value:
10000

FortiOS 7.4.4 CLI Reference 1475

Fortinet Inc.
Parameter Description Type Size Default

max-session- Maximum time interval for refreshing NPU-offloaded integer Minimum 40

timeout * sessions. value: 10
Maximum
value: 1000

mcast-session- Enable/disable traffic accounting for each multicast option - tpe-based

accounting * session through TAE counter.

Option Description

tpe-based Enable TPE-based multicast session accounting.

session-based Enable session-based multicast session accounting.

disable Disable multicast session accounting.

traffic-log-only Per-session accounting only for sessions with traffic logging

disable Disable per-session accounting.

disable Disable reliable datagram protocol traffic offload.

session-acct- Session accounting update interval. integer Minimum 5

interval * value: 1
Maximum
value: 10

session-denied- Enable/disable offloading of denied sessions. option - disable

offload * Requires ses-denied-traffic to be set.

Option Description

disable Disable offloading of denied sessions.

enable Enable offloading of denied sessions.

shaping-stats * Enable/disable NP7 traffic shaping statistics. option - disable

Option Description

disable Disable NP7 traffic shaping statistics.

enable Enable NP7 traffic shaping statistics.

split-ipsec- Enable/disable Split IPsec Engines. option - disable

engines *

Option Description

disable Disable Split IPsec Engines.

enable Enable Split IPsec Engines.

FortiOS 7.4.4 CLI Reference 1477

Fortinet Inc.
Parameter Description Type Size Default

Option Description

0G Default value. No bandwidth control.

2G 2Gbps.

4G 4Gbps.

5G 5Gbps.

6G 6Gbps.

7G 7Gbps.

8G 8Gbps.

9G 9Gbps.

switch-np-hash * Switch-NP trunk port selection Criteria. option - src-dst-ip

Option Description

ull-port-mode * Set ULL port's speed to 10G/25G. option - 10G

Parameter Description Type Size Default

npu-dos- Set DoS meter NPU offloading mode. option - global

meter-mode

Option Description

global Install DoS meter to all NPs.

local Install DoS meter only to the NP assigned to the traffic.

npu-dos-tpe- Enable/disable insertion of DoS meter ID to session option - enable

mode table.

Option Description

enable Enable insertion of DoS meter ID to session table.

disable Disable insertion of DoS meter ID to session table.

config dsw-dts-profile

Parameter Description Type Size Default

profile-id Set NPU DSW DTS profile profile id. integer Minimum 0
value: 1
Maximum
value: 32

min-limit Set NPU DSW DTS profile min-limt. integer Minimum 0

value: 32
Maximum
value: 2048

step Set NPU DSW DTS profile step. integer Minimum 0

value: 0
Maximum
value: 64

action Set NPU DSW DTS profile action. option - wait

Option Description

wait DSW DTS profile WAIT indefinitely.

drop DSW DTS profile DROP immediately.

drop_tmr_0 DSW DTS profile DROP after interval #0 time-out.

drop_tmr_1 DSW DTS profile DROP after interval #1 time-out.

enque DSW DTS profile ENQUE immediately.

FortiOS 7.4.4 CLI Reference 1480

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enque_0 DSW DTS profile ENQUE after interval #0 time-out.

enque_1 DSW DTS profile ENQUE after interval #1 time-out.

config dsw-queue-dts-profile

Parameter Description Type Size Default

name Name. string Maximum

length: 35

iport Set NPU DSW DTS in port. option - eif0

Option Description

eif0 DSW IPORT EIF0.

eif1 DSW IPORT EIF1.

eif2 DSW IPORT EIF2.

eif3 DSW IPORT EIF3.

eif4 DSW IPORT EIF4.

eif5 DSW IPORT EIF5.

eif6 DSW IPORT EIF6.

eif7 DSW IPORT EIF7.

htx0 DSW IPORT HTX0.

htx1 DSW IPORT HTX1.

sse0 DSW IPORT SSE0.

sse1 DSW IPORT SSE1.

sse2 DSW IPORT SSE2.

sse3 DSW IPORT SSE3.

rlt DSW IPORT RLT.

dfr DSW IPORT DFR.

ipseci DSW IPORT IPSECI.

ipseco DSW IPORT IPSECO.

ipti DSW IPORT IPTI.

ipto DSW IPORT IPTO.

FortiOS 7.4.4 CLI Reference 1481

Fortinet Inc.
Parameter Description Type Size Default

Option Description

vep0 DSW IPORT VEP0.

vep2 DSW IPORT VEP2.

vep4 DSW IPORT VEP4.

vep6 DSW IPORT VEP6.

ivs DSW IPORT IVS.

l2ti1 DSW IPORT L2TI1.

l2to DSW IPORT L2TO.

l2ti0 DSW IPORT L2TI0.

ple DSW IPORT PLE.

spath DSW IPORT SPATH.

qtm DSW IPORT QTM.

oport Set NPU DSW DTS out port. option - eif0

Option Description

eif0 DSW OPORT EIF0.

eif1 DSW OPORT EIF1.

eif2 DSW OPORT EIF2.

eif3 DSW OPORT EIF3.

eif4 DSW OPORT EIF4.

eif5 DSW OPORT EIF5.

eif6 DSW OPORT EIF6.

eif7 DSW OPORT EIF7.

hrx DSW OPORT HRX.

sse0 DSW OPORT SSE0.

sse1 DSW OPORT SSE1.

sse2 DSW OPORT SSE2.

sse3 DSW OPORT SSE3.

rlt DSW OPORT RLT.

dfr DSW OPORT DFR.

FortiOS 7.4.4 CLI Reference 1482

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ipseci DSW OPORT IPSECI.

ipseco DSW OPORT IPSECO.

ipti DSW OPORT IPTI.

ipto DSW OPORT IPTO.

vep0 DSW OPORT VEP0.

vep2 DSW OPORT VEP2.

vep4 DSW OPORT VEP4.

vep6 DSW OPORT VEP6.

ivs DSW OPORT IVS.

l2ti1 DSW OPORT L2TI1.

l2to DSW OPORT L2TO.

l2ti0 DSW OPORT L2TI0.

ple DSW OPORT PLE.

sync DSW OPORT SYNK.

nss DSW OPORT NSS.

tsk DSW OPORT TSK.

qtm DSW OPORT QTM.

profile-id Set NPU DSW DTS profile ID. integer Minimum 0

value: 1
Maximum
value: 32

queue-select Set NPU DSW DTS queue ID select. integer Minimum 0

value: 0
Maximum
value: 4095

config fp-anomaly

drop Drop TCP packets with FIN flag set without ack setting.

trap-to-host Forward TCP packets with FIN flag set without ack setting to FortiOS.

tcp-fin-only * TCP SYN flood with only FIN flag set anomalies. option - trap-to-host

Option Description

allow Allow TCP packets with FIN flag set only to pass.

drop Drop TCP packets with FIN flag set only.

trap-to-host Forward TCP packets with FIN flag set only to FortiOS.

allow Allow UDP land attack to pass.

drop Drop UDP land attack.

trap-to-host Forward UDP land attack to FortiOS.

icmp-land * ICMP land anomalies. option - trap-to-host

trap-to-host Forward IPv4 with record route option to FortiOS.

ipv4-optssrr * Strict source record route option anomalies. option - trap-to-host

Option Description

allow Allow IPv4 with strict source record route option to pass.

drop Drop IPv4 with strict source record route option.

trap-to-host Forward IPv4 with strict source record route option to FortiOS.

ipv4-optlsrr * Loose source record route option anomalies. option - trap-to-host

Option Description

allow Allow IPv4 with loose source record route option to pass.

drop Drop IPv4 with loose source record route option.

trap-to-host Forward IPv4 with loose source record route option to FortiOS.

ipv4-optstream Stream option anomalies. option - trap-to-host

FortiOS 7.4.4 CLI Reference 1486

Fortinet Inc.
Parameter Description Type Size Default

Option Description

allow Allow IPv4 with stream option to pass.

drop Drop IPv4 with stream option.

trap-to-host Forward IPv4 with stream option to FortiOS.

ipv4-optsecurity Security option anomalies. option - trap-to-host

Option Description

allow Allow IPv4 with security option to pass.

drop Drop IPv6 with destination address as unspecified or loopback address.

trap-to-host Forward IPv6 with destination address as unspecified or loopback address

to FortiOS.

ipv6-optralert * Router alert option anomalies. option - trap-to-host

Option Description

allow Allow IPv6 with router alert option to pass.

drop Drop IPv6 with router alert option.

trap-to-host Forward IPv6 with router alert option to FortiOS.

ipv6-optjumbo * Jumbo options anomalies. option - trap-to-host

Option Description

allow Allow IPv6 with jumbo option to pass.

drop Drop IPv6 with jumbo option.

trap-to-host Forward IPv6 with jumbo option to FortiOS.

ipv6-opttunnel * Tunnel encapsulation limit option anomalies. option - trap-to-host

Option Description

allow Allow IPv6 with tunnel encapsulation limit to pass.

drop Drop IPv6 with tunnel encapsulation limit.

trap-to-host Forward IPv6 with tunnel encapsulation limit to FortiOS.

ipv6- Home address option anomalies. option - trap-to-host

opthomeaddr *

FortiOS 7.4.4 CLI Reference 1489

Fortinet Inc.
Parameter Description Type Size Default

Option Description

allow Allow IPv6 with home address option to pass.

drop Drop IPv6 with home address option.

trap-to-host Forward IPv6 with home address option to FortiOS.

ipv6-optnsap * Network service access point address option option - trap-to-host

anomalies.

Option Description

allow Allow IPv6 with network service access point address option to pass.

drop Drop IPv6 with network service access point address option.

trap-to-host Forward IPv6 with network service access point address option to FortiOS.

ipv6-optendpid End point identification anomalies. option - trap-to-host

Option Description

allow Allow IPv6 with end point identification option to pass.

drop Drop IPv6 with end point identification option.

trap-to-host Forward IPv6 with end point identification option to FortiOS.

ipv6-optinvld * Invalid option anomalies.Invalid option anomalies. option - trap-to-host

Option Description

allow Allow IPv6 with invalid option to pass.

drop Drop IPv6 with invalid option.

trap-to-host Forward IPv6 with invalid option to FortiOS.

* This parameter may not exist in some models.

config hpe

Parameter Description Type Size Default

all-protocol Maximum packet rate of each host queue except high integer Minimum 400000
priority traffic, set 0 to disable. value: 0
Maximum
value:
32000000

FortiOS 7.4.4 CLI Reference 1490

Fortinet Inc.
Parameter Description Type Size Default

tcpsyn-max Maximum TCP SYN packet rate. integer Minimum 40000

value: 1000
Maximum
value:
32000000

tcpsyn-ack- Maximum TCP carries SYN and ACK flags packet rate. integer Minimum 40000
max value: 1000
Maximum
value:
32000000

tcpfin-rst-max Maximum TCP carries FIN or RST flags packet rate. integer Minimum 40000
value: 1000
Maximum
value:
32000000

tcp-max Maximum TCP packet rate. integer Minimum 40000

value: 1000
Maximum
value:
32000000

udp-max Maximum UDP packet rate. integer Minimum 40000

value: 1000
Maximum
value:
32000000

icmp-max Maximum ICMP packet rate. integer Minimum 5000

value: 1000
Maximum
value:
32000000

sctp-max Maximum SCTP packet rate. integer Minimum 5000

value: 1000
Maximum
value:
32000000

esp-max Maximum ESP packet rate. integer Minimum 5000

value: 1000
Maximum
value:
32000000

FortiOS 7.4.4 CLI Reference 1491

Fortinet Inc.
Parameter Description Type Size Default

ip-frag-max Maximum fragmented IP packet rate. integer Minimum 5000

value: 1000
Maximum
value:
32000000

ip-others-max Maximum IP packet rate for other packets. integer Minimum 5000
value: 1000
Maximum
value:
32000000

arp-max Maximum ARP packet rate. Entry is valid when ARP is integer Minimum 5000
removed from high-priority traffic. value: 1000
Maximum
value:
32000000

l2-others-max Maximum L2 packet rate for L2 packets that are not integer Minimum 5000
ARP packets. value: 1000
Maximum
value:
32000000

high-priority Maximum packet rate for high priority traffic packets. integer Minimum 400000
value: 1000
Maximum
value:
32000000

enable- Enable/Disable NPU Host Protection Engine (HPE) for option - disable
shaper packet type shaper.

Option Description

disable Disable NPU HPE shaping based on packet type.

enable Enable NPU HPE shaping based on packet type.

config ip-reassembly

Parameter Description Type Size Default

min-timeout Minimum timeout value for IP reassembly (5 us - integer Minimum 64

600,000,000 us). value: 5
Maximum
value:
600000000

FortiOS 7.4.4 CLI Reference 1492

Fortinet Inc.
Parameter Description Type Size Default

max-timeout Maximum timeout value for IP reassembly (5 us - integer Minimum 200000

600,000,000 us). value: 5
Maximum
value:
600000000

status Set IP reassembly processing status. option - disable

Option Description

disable Disable IP reassembly.

enable Enable IP reassembly.

config isf-np-queues

Parameter Description Type Size Default

config profile

Parameter Description Type Size Default

id Profile ID. integer Minimum 0

value: 0
Maximum
value: 255

FortiOS 7.4.4 CLI Reference 1493

Fortinet Inc.
Parameter Description Type Size Default

queue0 Queue number 0.

queue1 Queue number 1.

cos5 Queue number of CoS 5. option - queue5

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

cos6 Queue number of CoS 6. option - queue6

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

cos7 Queue number of CoS 7. option - queue7

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

FortiOS 7.4.4 CLI Reference 1496

Fortinet Inc.
Parameter Description Type Size Default

Option Description

queue7 Queue number 7.

dscp0 Queue number of DSCP 0. option - queue0

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

dscp1 Queue number of DSCP 1. option - queue1

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

dscp2 Queue number of DSCP 2. option - queue2

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

FortiOS 7.4.4 CLI Reference 1497

Fortinet Inc.
Parameter Description Type Size Default

Option Description

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

dscp3 Queue number of DSCP 3. option - queue3

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

dscp4 Queue number of DSCP 4. option - queue4

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

dscp5 Queue number of DSCP 5. option - queue5

Option Description

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

FortiOS 7.4.4 CLI Reference 1501

Fortinet Inc.
Parameter Description Type Size Default

Option Description

queue7 Queue number 7.

dscp14 Queue number of DSCP 14. option - queue6

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

dscp15 Queue number of DSCP 15. option - queue7

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

dscp16 Queue number of DSCP 16. option - queue0

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

FortiOS 7.4.4 CLI Reference 1502

Fortinet Inc.
Parameter Description Type Size Default

Option Description

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

dscp17 Queue number of DSCP 17. option - queue1

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

dscp18 Queue number of DSCP 18. option - queue2

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

dscp19 Queue number of DSCP 19. option - queue3

Option Description

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

FortiOS 7.4.4 CLI Reference 1506

Fortinet Inc.
Parameter Description Type Size Default

Option Description

queue7 Queue number 7.

dscp28 Queue number of DSCP 28. option - queue4

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

dscp29 Queue number of DSCP 29. option - queue5

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

dscp30 Queue number of DSCP 30. option - queue6

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

FortiOS 7.4.4 CLI Reference 1507

Fortinet Inc.
Parameter Description Type Size Default

Option Description

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

dscp31 Queue number of DSCP 31. option - queue7

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

dscp32 Queue number of DSCP 32. option - queue0

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

dscp33 Queue number of DSCP 33. option - queue1

Option Description

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

FortiOS 7.4.4 CLI Reference 1511

Fortinet Inc.
Parameter Description Type Size Default

Option Description

queue7 Queue number 7.

dscp42 Queue number of DSCP 42. option - queue2

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

dscp43 Queue number of DSCP 43. option - queue3

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

dscp44 Queue number of DSCP 44. option - queue4

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

FortiOS 7.4.4 CLI Reference 1512

Fortinet Inc.
Parameter Description Type Size Default

Option Description

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

dscp45 Queue number of DSCP 45. option - queue5

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

dscp46 Queue number of DSCP 46. option - queue6

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

dscp47 Queue number of DSCP 47. option - queue7

Option Description

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

FortiOS 7.4.4 CLI Reference 1516

Fortinet Inc.
Parameter Description Type Size Default

Option Description

queue7 Queue number 7.

dscp56 Queue number of DSCP 56. option - queue0

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

dscp57 Queue number of DSCP 57. option - queue1

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

dscp58 Queue number of DSCP 58. option - queue2

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

FortiOS 7.4.4 CLI Reference 1517

Fortinet Inc.
Parameter Description Type Size Default

Option Description

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

dscp59 Queue number of DSCP 59. option - queue3

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

dscp60 Queue number of DSCP 60. option - queue4

Option Description

queue0 Queue number 0.

queue1 Queue number 1.

queue2 Queue number 2.

queue3 Queue number 3.

queue4 Queue number 4.

queue5 Queue number 5.

queue6 Queue number 6.

queue7 Queue number 7.

dscp61 Queue number of DSCP 61. option - queue5

Option Description

sport Source port. integer Minimum 0

value: 0
Maximum
value:
65535

dport Destination port. integer Minimum 0

value: 0
Maximum
value:
65535

queue Queue number. integer Minimum 0

value: 0
Maximum
value: 11

weight Class weight. integer Minimum 13

value: 0
Maximum
value: 15

config scheduler

Parameter Description Type Size Default

name Scheduler name. string Maximum

length: 35

mode Scheduler mode. option - none

Option Description

none Disable QoS on NP7.

priority Priority Based.

round-robin Round Robin Scheduler.

config npu-tcam

Parameter Description Type Size Default

name NPU TCAM policies name. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 1521

Fortinet Inc.
Parameter Description Type Size Default

type TCAM policy type. option - L2_src_tc

Option Description

L2_src_tc L2 source port traffic class.

L2_tgt_tc L2 target port traffic class.

L2_src_mir L2 source port mirroring.

L2_tgt_mir L2 target port mirroring.

L2_src_act L2 source port action.

L2_tgt_act L2 target port action.

IPv4_src_tc IPv4 source port traffic class.

IPv4_tgt_tc IPv4 target port traffic class.

IPv4_src_mir IPv4 source port mirroring.

IPv4_tgt_mir IPv4 target port mirroring.

IPv4_src_act IPv4 source port action.

IPv4_tgt_act IPv4 target port action.

IPv6_src_tc IPv6 source port traffic class.

IPv6_tgt_tc IPv6 target port traffic class.

IPv6_src_mir IPv6 source port mirroring.

IPv6_tgt_mir IPv6 target port mirroring.

IPv6_src_act IPv6 source port action.

IPv6_tgt_act IPv6 target port action.

oid NPU TCAM OID. integer Minimum 0

value: 0
Maximum
value: 4095

vid NPU TCAM VID. integer Minimum 0

value: 0
Maximum
value: 4095

FortiOS 7.4.4 CLI Reference 1522

Fortinet Inc.
config data

FortiOS 7.4.4 CLI Reference 1524

frag-off tcam data ip flag fragment offset. integer Minimum 0

value: 0
Maximum
value: 31

gen-pri tcam mask gen info priority. integer Minimum 0

value: 0
Maximum
value: 7

gen-pri-v tcam mask gen info priority valid. option - invalid

gen-l3-flags tcam mask gen info L3 flags. integer Minimum 0

value: 0
Maximum
value: 15

gen-l4-flags tcam mask gen info L4 flags. integer Minimum 0

value: 0
Maximum
value: 15

vdid tcam mask vdom id. integer Minimum 0

value: 0
Maximum
value:
65535

tp tcam mask target port. integer Minimum 0

value: 0
Maximum
value: 4095

tgt-updt tcam mask target port update. option - disable

valid Ftag tgt valid.

invalid Ftag tgt valid.

tvid tcam mask target vid. integer Minimum 0

value: 0
Maximum
value: 4095

tgt-cfi tcam mask target cfi. option - disable

Option Description

enable Ftag tgt_cfi enable.

disable Ftag tgt_cfi disable.

tgt-prio tcam mask target priority. integer Minimum 0

value: 0
Maximum
value: 7

sp tcam mask source port. integer Minimum 0

value: 0
Maximum
value: 4095

src-updt tcam mask source update. option - disable

Option Description

enable Ftag src_updt enable.

disable Ftag src_updt disable.

ttl tcam mask ip ttl. integer Minimum 0

value: 0
Maximum
value: 255

protocol tcam mask ip protocol. integer Minimum 0

value: 0
Maximum
value: 255

tos tcam mask ip tos. integer Minimum 0

value: 0
Maximum
value: 255

frag-off tcam data ip flag fragment offset. integer Minimum 0

value: 0
Maximum
value: 31

mf tcam mask ip flag mf. option - disable

Option Description

enable Enable ip header mf bit.

disable Disable ip header mf bit.

df tcam mask ip flag df. option - disable

Option Description

enable Enable ip header df bit.

disable Disable ip header df bit.

FortiOS 7.4.4 CLI Reference 1533

Fortinet Inc.
Parameter Description Type Size Default

srcport tcam mask L4 src port. integer Minimum 0

value: 0
Maximum
value:
65535

dstport tcam mask L4 dst port. integer Minimum 0

value: 0
Maximum
value:
65535

tcp-fin tcam mask tcp flag fin. option - disable

Option Description

enable Enable tcp header fin bit.

disable Disable tcp header fin bit.

tcp-syn tcam mask tcp flag syn. option - disable

Option Description

enable Enable tcp header syn bit.

disable Disable tcp header syn bit.

tcp-rst tcam mask tcp flag rst. option - disable

Option Description

enable Enable tcp header rst bit.

disable Disable tcp header rst bit.

tcp-push tcam mask tcp flag push. option - disable

enable Enable tcp header ece bit.

disable Disable tcp header ece bit.

Parameter Description Type Size Default

priority tcam priority action priority. integer Minimum 0

value: 0
Maximum
value: 15

weight tcam priority action weight. integer Minimum 0

value: 0
Maximum
value: 15

config sact

Parameter Description Type Size Default

fwd-lif-v Enable to set sact fwd-lif. option - disable

Option Description

enable Enable fwd_lif.

disable Disable fwd_lif.

fwd-lif tcam sact fwd-lif. integer Minimum 0

value: 0
Maximum
value: 4095

fwd-tvid-v Enable to set sact fwd-vid. option - disable

Option Description

enable Enable fwd_tvid.

disable Disable fwd_tvid.

FortiOS 7.4.4 CLI Reference 1536

Fortinet Inc.
Parameter Description Type Size Default

fwd-tvid tcam sact fwd-tvid. integer Minimum 0

value: 0
Maximum
value: 4095

df-lif-v Enable to set sact df-lif. option - disable

Option Description

enable Enable df_lif.

disable Disable df_lif.

df-lif tcam sact df-lif. integer Minimum 0

value: 0
Maximum
value: 4095

act-v Enable to set sact act. option - disable

Option Description

enable Enable act.

disable Disable act.

act tcam sact act. integer Minimum 0

value: 0
Maximum
value: 3

pleen-v Enable to set sact pleen. option - disable

Option Description

enable Enable pleen.

disable Disable pleen.

pleen tcam sact pleen. integer Minimum 0

value: 0
Maximum
value: 1

icpen-v Enable to set sact icpen. option - disable

Option Description

enable Enable icpen.

disable Disable icpen.

FortiOS 7.4.4 CLI Reference 1537

Fortinet Inc.
Parameter Description Type Size Default

icpen tcam sact icpen. integer Minimum 0

value: 0
Maximum
value: 1

vdm-v Enable to set sact vdm. option - disable

Option Description

enable Enable vdm.

disable Disable vdm.

vdm tcam sact vdm. integer Minimum 0

value: 0
Maximum
value: 1

learn-v Enable to set sact learn. option - disable

Option Description

enable Enable learn.

disable Disable learn.

learn tcam sact learn. integer Minimum 0

value: 0
Maximum
value: 1

rfsh-v Enable to set sact rfsh. option - disable

Option Description

enable Enable rfsh.

disable Disable rfsh.

rfsh tcam sact rfsh. integer Minimum 0

value: 0
Maximum
value: 1

fwd-v Enable to set sact fwd. option - disable

Option Description

enable Enable fwd.

disable Disable fwd.

FortiOS 7.4.4 CLI Reference 1538

Fortinet Inc.
Parameter Description Type Size Default

fwd tcam sact fwd. integer Minimum 0

value: 0
Maximum
value: 1

x-mode-v Enable to set sact x-mode. option - disable

Option Description

enable Enable x_mode.

disable Disable x_mode.

x-mode tcam sact x-mode. integer Minimum 0

value: 0
Maximum
value: 3

promis-v Enable to set sact promis. option - disable

Option Description

enable Enable promis.

disable Disable promis.

promis tcam sact promis. integer Minimum 0

value: 0
Maximum
value: 1

bmproc-v Enable to set sact bmproc. option - disable

Option Description

enable Enable bmproc.

disable Disable bmproc.

bmproc tcam sact bmproc. integer Minimum 0

value: 0
Maximum
value: 1

mac-id-v Enable to set sact mac-id. option - disable

Option Description

enable Enable mac_id.

disable Disable mac_id.

FortiOS 7.4.4 CLI Reference 1539

Fortinet Inc.
Parameter Description Type Size Default

mac-id tcam sact mac-id. integer Minimum 0

value: 0
Maximum
value:
65535

dosen-v Enable to set sact dosen. option - disable

Option Description

enable Enable dosen.

disable Disable dosen.

dosen tcam sact dosen. integer Minimum 0

value: 0
Maximum
value: 1

dfr-v Enable to set sact dfr. option - disable

Option Description

enable Enable dfr.

disable Disable dfr.

dfr tcam sact dfr. integer Minimum 0

value: 0
Maximum
value: 1

m-srh-ctrl-v Enable to set sact m-srh-ctrl. option - disable

Option Description

enable Enable m_srh_ctrl.

disable Disable m_srh_ctrl.

m-srh-ctrl tcam sact m-srh-ctrl. integer Minimum 0

value: 0
Maximum
value: 1

tpe-id-v Enable to set sact tpe-id. option - disable

Option Description

enable Enable tpe_id.

disable Disable tpe_id.

FortiOS 7.4.4 CLI Reference 1540

Fortinet Inc.
Parameter Description Type Size Default

tpe-id tcam sact tpe-id. integer Minimum 0

value: 0
Maximum
value:
16383

vdom-id-v Enable to set sact vdom-id. option - disable

Option Description

enable Enable vdom_id.

disable Disable vdom_id.

vdom-id tcam sact vdom-id. integer Minimum 0

value: 0
Maximum
value:
16383

mss-v Enable to set sact mss. option - disable

Option Description

enable Enable mss.

disable Disable mss.

mss tcam sact mss. integer Minimum 0

value: 0
Maximum
value:
16383

tp-smchk-v Enable to set sact tp mode. option - disable

Option Description

enable Enable tp_smchk.

disable Disable tp_smchk.

tp_smchk tcam sact tp mode. integer Minimum 0

value: 0
Maximum
value: 1

etype-pid-v Enable to set sact etype-pid. option - disable

FortiOS 7.4.4 CLI Reference 1541

igmp-mld- Enable to set sact igmp-mld-snp. option - disable

snp-v

FortiOS 7.4.4 CLI Reference 1542

config tact

Parameter Description Type Size Default

act-v Enable to set tact act. option - disable

Option Description

enable Enable act.

disable Disable act.

enable Enable mac_id.

disable Disable mac_id.

mac-id tcam tact mac-id. integer Minimum 0

value: 0
Maximum
value:
65535

slif-act-v Enable to set tact slif-act. option - disable

FortiOS 7.4.4 CLI Reference 1544

v6fe-v Enable to set tact v6fe. option - disable

FortiOS 7.4.4 CLI Reference 1545

lnkid-v Enable to set tact lnkid. option - disable

FortiOS 7.4.4 CLI Reference 1546

vep-en-v Enable to set tact vep-en. option - disable

FortiOS 7.4.4 CLI Reference 1547

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable vep_en.

disable Disable vep_en.

vep_en tcam tact vep_en. integer Minimum 0

value: 0
Maximum
value: 1

vep-slid-v Enable to set tact vep-slid. option - disable

Option Description

enable Enable vep_slid.

disable Disable vep_slid.

vep-slid tcam tact vep_slid. integer Minimum 0

value: 0
Maximum
value: 3

config port-cpu-map

Parameter Description Type Size Default

interface The interface to map to a CPU core. string Maximum

length: 15

cpu-core The CPU core to map to an interface. string Maximum all

length: 31

config port-npu-map

Parameter Description Type Size Default

interface Set NPU interface port for NPU group mapping. string Maximum
length: 15

npu-group- Mapping NPU group index. integer Minimum 0

index value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1548

Fortinet Inc.
config port-path-option

Parameter Description Type Size Default

ports-using-npu Set ha/aux ports to handle traffic with NPU (otherwise string Maximum
<interface- traffic goes to Intel-NIC and then CPU). length: 15
name> Available interfaces for NPU path.

config priority-protocol

Parameter Description Type Size Default

bgp Enable/disable NPU BGP priority protocol. option - enable

Option Description

enable Enable NPU BGP priority protocol.

disable Disable NPU BGP priority protocol.

slbc Enable/disable NPU SLBC priority protocol. option - enable

Option Description

enable Enable NPU SLBC priority protocol.

disable Disable NPU SLBC priority protocol.

bfd Enable/disable NPU BFD priority protocol. option - enable

Option Description

enable Enable NPU BFD priority protocol.

disable Disable NPU BFD priority protocol.

config sw-eh-hash

Parameter Description Type Size Default

computation Set hashing computation. option - xor16

Option Description

xor16 Use XOR operator to make 16 bits hash.

xor8 Use XOR operator to make 8 bits hash.

xor4 Use XOR operator to make 4 bits hash.

exclude Exclude source port if TCP/UDP.

destination- Include/exclude destination port if TCP/UDP. option - include

port

FortiOS 7.4.4 CLI Reference 1550

Fortinet Inc.
Parameter Description Type Size Default

Option Description

include Include destination port if TCP/UDP.

exclude Exclude destination port if TCP/UDP.

netmask- Network mask length. integer Minimum 32

length value: 17
Maximum
value: 32

config sw-tr-hash

Parameter Description Type Size Default

draco15 Enable/disable DRACO15 hashing. option - enable

Option Description

enable Enable using DRACO15 hashing for unicast trunk traffic.

disable Enable using DRACO15 hashing for unicast trunk traffic.

tcp-udp-port Include/exclude TCP/UDP source and destination port option - exclude

for unicast trunk traffic.

Option Description

include Include TCP/UDP source and destination port for unicast trunk traffic.

exclude Exclude TCP/UDP source and destination port for unicast trunk traffic.

config system ntp

Configure system NTP information.

config system ntp
Description: Configure system NTP information.
set authentication [enable|disable]
set interface <interface-name1>, <interface-name2>, ...
set key {password}
set key-id {integer}
set key-type [MD5|SHA1|...]
config ntpserver
Description: Configure the FortiGate to connect to any available third-party NTP
server.
edit <id>
set server {string}
set ntpv3 [enable|disable]
set authentication [enable|disable]
set key-type [MD5|SHA1|...]

FortiOS 7.4.4 CLI Reference 1551

Fortinet Inc.
set key {password}
set key-id {integer}
set ip-type [IPv6|IPv4|...]
set interface-select-method [auto|sdwan|...]
set interface {string}
next
end
set ntpsync [enable|disable]
set server-mode [enable|disable]
set source-ip {ipv4-address}
set source-ip6 {ipv6-address}
set syncinterval {integer}
set type [fortiguard|custom]
end

config system ntp

Parameter Description Type Size Default

authentication Enable/disable authentication. option - disable

Option Description

enable Enable authentication.

disable Disable authentication.

interface FortiGate interface(s) with NTP server mode string Maximum

<interface- enabled. Devices on your network can contact length: 79
name> these interfaces for NTP services.
Interface name.

key Key for authentication. password Not Specified

key-id Key ID for authentication. integer Minimum 0

value: 0
Maximum
value:
4294967295

key-type Key type for authentication (MD5, SHA1, option - MD5

SHA256).

Option Description

MD5 Use MD5 to authenticate the message.

SHA1 Use SHA1 to authenticate the message.

SHA256 Use SHA256 to authenticate the message.

ntpsync Enable/disable setting the FortiGate system time option - disable

by synchronizing with an NTP Server.

FortiOS 7.4.4 CLI Reference 1552

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable synchronization with NTP Server.

disable Disable synchronization with NTP Server.

server-mode Enable/disable FortiGate NTP Server Mode. option - disable

Your FortiGate becomes an NTP server for other
devices on your network. The FortiGate relays
NTP requests to its configured NTP server.

Option Description

enable Enable FortiGate NTP Server Mode.

disable Disable FortiGate NTP Server Mode.

source-ip Source IP address for communication to the NTP ipv4- Not Specified 0.0.0.0
server. address

source-ip6 Source IPv6 address for communication to the ipv6- Not Specified ::
NTP server. address

syncinterval NTP synchronization interval. integer Minimum 60

value: 1
Maximum
value: 1440

type Use the FortiGuard NTP server or any other option - fortiguard
available NTP Server.

Option Description

fortiguard Use the FortiGuard NTP server.

custom Use any other available NTP server.

config ntpserver

Parameter Description Type Size Default

id NTP server ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

server IP address or hostname of the NTP Server. string Maximum

length: 63

ntpv3 Enable to use NTPv3 instead of NTPv4. option - disable

FortiOS 7.4.4 CLI Reference 1553

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable NTPv3.

disable Disable NTPv3 (use NTPv4).

authentication Enable/disable authentication. option - disable

Option Description

enable Enable authentication.

disable Disable authentication.

key-type Select NTP authentication type. option - MD5

Option Description

MD5 Enable MD5(NTPv3) authentication.

SHA1 Enable SHA1(NTPv4) authentication.

SHA256 Enable SHA256(NTPv4) authentication.

key Key for MD5(NTPv3)/SHA1(NTPv4)/SHA256 password Not Specified

(NTPv4) authentication.

key-id Key ID for authentication. integer Minimum 0

value: 0
Maximum
value:
4294967295

ip-type Choose to connect to IPv4 or/and IPv6 NTP server. option - Both

Option Description

IPv6 Enable look up for IPv6 NTP server.

IPv4 Enable look up for IPv4 NTP server.

Both Enable look up for both IPv4 and IPv6 NTP server.

interface-select- Specify how to select outgoing interface to reach option - auto

method server.

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

FortiOS 7.4.4 CLI Reference 1554

Fortinet Inc.
Parameter Description Type Size Default

interface Specify outgoing interface to reach server. string Maximum

length: 15

config system object-tagging

Configure object tagging.

config system object-tagging
Description: Configure object tagging.
edit <category>
set address [disable|mandatory|...]
set color {integer}
set device [disable|mandatory|...]
set interface [disable|mandatory|...]
set multiple [enable|disable]
set tags <name1>, <name2>, ...
next
end

config system object-tagging

Parameter Description Type Size Default

address Address. option - optional

Option Description

disable Disable.

disable Disable multi-tagging.

tags <name> Tags. string Maximum

Tag name. length: 79

config system password-policy-guest-admin

Configure the password policy for guest administrators.

config system password-policy-guest-admin
Description: Configure the password policy for guest administrators.
set apply-to {option1}, {option2}, ...
set expire-day {integer}
set expire-status [enable|disable]
set min-change-characters {integer}
set min-lower-case-letter {integer}
set min-non-alphanumeric {integer}
set min-number {integer}
set min-upper-case-letter {integer}
set minimum-length {integer}
set reuse-password [enable|disable]
set status [enable|disable]
end

config system password-policy-guest-admin

Parameter Description Type Size Default

apply-to Guest administrator to which this password policy option - guest-

applies. admin-
password

FortiOS 7.4.4 CLI Reference 1556

Fortinet Inc.
Parameter Description Type Size Default

Option Description

guest-admin- Apply to guest administrator password.

password

expire-day Number of days after which passwords expire. integer Minimum 90

value: 1
Maximum
value: 999

expire-status Enable/disable password expiration. option - disable

Option Description

enable Passwords expire after expire-day days.

disable Passwords do not expire.

min-change- Minimum number of unique characters in new integer Minimum 0

characters password which do not exist in old password. value: 0
Maximum
value: 128

min-lower-case- Minimum number of lowercase characters in integer Minimum 0

letter password. value: 0
Maximum
value: 128

min-non- Minimum number of non-alphanumeric characters in integer Minimum 0

alphanumeric password. value: 0
Maximum
value: 128

min-number Minimum number of numeric characters in password. integer Minimum 0

value: 0
Maximum
value: 128

min-upper- Minimum number of uppercase characters in integer Minimum 0

case-letter password. value: 0
Maximum
value: 128

minimum-length Minimum password length. integer Minimum 8

value: 8
Maximum
value: 128

reuse-password Enable/disable reuse of password. If both reuse- option - enable

password and min-change-characters are enabled,
min-change-characters overrides.

FortiOS 7.4.4 CLI Reference 1557

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Administrators are allowed to reuse the same password.

disable Administrators must create a new password.

status Enable/disable setting a password policy for locally option - disable

defined administrator passwords and IPsec VPN pre-
shared keys.

Option Description

enable Enable password policy.

disable Disable password policy.

config system password-policy

Configure password policy for locally defined administrator passwords and IPsec VPN pre-shared keys.
config system password-policy
Description: Configure password policy for locally defined administrator passwords and
IPsec VPN pre-shared keys.
set apply-to {option1}, {option2}, ...
set expire-day {integer}
set expire-status [enable|disable]
set min-change-characters {integer}
set min-lower-case-letter {integer}
set min-non-alphanumeric {integer}
set min-number {integer}
set min-upper-case-letter {integer}
set minimum-length {integer}
set reuse-password [enable|disable]
set status [enable|disable]
end

config system password-policy

Parameter Description Type Size Default

apply-to Apply password policy to administrator passwords or option - admin-

IPsec pre-shared keys or both. Separate entries with password
a space.

Option Description

admin-password Apply to administrator passwords.

ipsec-preshared- Apply to IPsec pre-shared keys.

key

FortiOS 7.4.4 CLI Reference 1558

Fortinet Inc.
Parameter Description Type Size Default

expire-day Number of days after which passwords expire. integer Minimum 90

value: 1
Maximum
value: 999

expire-status Enable/disable password expiration. option - disable

Option Description

enable Passwords expire after expire-day days.

disable Passwords do not expire.

min-change- Minimum number of unique characters in new integer Minimum 0

characters password which do not exist in old password. value: 0
Maximum
value: 128

min-lower-case- Minimum number of lowercase characters in integer Minimum 0

letter password. value: 0
Maximum
value: 128

min-non- Minimum number of non-alphanumeric characters in integer Minimum 0

alphanumeric password. value: 0
Maximum
value: 128

min-number Minimum number of numeric characters in password. integer Minimum 0

value: 0
Maximum
value: 128

min-upper- Minimum number of uppercase characters in integer Minimum 0

case-letter password. value: 0
Maximum
value: 128

minimum-length Minimum password length. integer Minimum 8

value: 8
Maximum
value: 128

reuse-password Enable/disable reuse of password. If both reuse- option - enable

password and min-change-characters are enabled,
min-change-characters overrides.

Option Description

enable Administrators are allowed to reuse the same password.

disable Administrators must create a new password.

FortiOS 7.4.4 CLI Reference 1559

Fortinet Inc.
Parameter Description Type Size Default

status Enable/disable setting a password policy for locally option - disable

defined administrator passwords and IPsec VPN pre-
shared keys.

Option Description

enable Enable password policy.

disable Disable password policy.

config system pcp-server

Configure PCP server information.

config system pcp-server
Description: Configure PCP server information.
config pools
Description: Configure PCP pools.
edit <name>
set description {string}
set id {integer}
set client-subnet <subnet1>, <subnet2>, ...
set ext-intf {string}
set arp-reply [disable|enable]
set extip {user}
set extport {user}
set minimal-lifetime {integer}
set maximal-lifetime {integer}
set client-mapping-limit {integer}
set mapping-filter-limit {integer}
set allow-opcode {option1}, {option2}, ...
set third-party [allow|disallow]
set third-party-subnet <subnet1>, <subnet2>, ...
set multicast-announcement [enable|disable]
set announcement-count {integer}
set intl-intf <interface-name1>, <interface-name2>, ...
set recycle-delay {integer}
next
end
set status [enable|disable]
end

config system pcp-server

Parameter Description Type Size Default

status Enable/disable PCP server. option - disable

FortiOS 7.4.4 CLI Reference 1560

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable PCP Server.

disable Disable PCP Server.

config pools

Parameter Description Type Size Default

name PCP pool name. string Maximum

length: 79

description Description. string Maximum

length: 127

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

client-subnet Subnets from which PCP requests are accepted. string Maximum
<subnet> Client subnets. length: 79

ext-intf External interface name. string Maximum

length: 35

arp-reply Enable to respond to ARP requests for external option - enable

IP.

Option Description

disable Disable ARP reply.

enable Enable ARP reply.

extip IP address or address range on the external user Not Specified

interface that you want to map to an address on
the internal network.

extport Incoming port number range that you want to user Not Specified
map to a port number on the internal network.

minimal-lifetime Minimal lifetime of a PCP mapping in seconds. integer Minimum 120

value: 60
Maximum
value: 300

FortiOS 7.4.4 CLI Reference 1561

Fortinet Inc.
Parameter Description Type Size Default

maximal-lifetime Maximal lifetime of a PCP mapping in seconds. integer Minimum 86400

value: 3600
Maximum
value: 604800

client-mapping- Mapping limit per client. integer Minimum 0

limit value: 0
Maximum
value: 65535

mapping-filter- Filter limit per mapping. integer Minimum 1

limit value: 0
Maximum
value: 5

allow-opcode Allowed PCP opcode. option - map peer

announce

Option Description

map Allow opcode MAP.

peer Allow opcode PEER.

announce Allow opcode ANNOUNCE.

third-party Allow/disallow third party option. option - disallow

Option Description

allow Allow third party option.

disallow Disallow third party opiton.

third-party-subnet Subnets from which third party requests are string Maximum
<subnet> accepted. length: 79
Third party subnets.

multicast- Enable/disable multicast announcements. option - enable

announcement

Option Description

enable Enable multicast announcements.

disable Disable multicast announcements.

announcement- Number of multicast announcements. integer Minimum 3

count value: 3
Maximum
value: 10

FortiOS 7.4.4 CLI Reference 1562

Fortinet Inc.
Parameter Description Type Size Default

intl-intf Internal interface name. string Maximum

<interface- Interface name. length: 79
name>

recycle-delay Minimum delay. integer Minimum 0

value: 0
Maximum
value: 3600

config system physical-switch

This command is available for model(s): FortiGate 1000F, FortiGate 1001F, FortiGate 100F,
FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 140E-POE, FortiGate 140E,
FortiGate 1800F, FortiGate 1801F, FortiGate 200F, FortiGate 201F, FortiGate 2600F,
FortiGate 2601F, FortiGate 3000F, FortiGate 3001F, FortiGate 300E, FortiGate 301E,
FortiGate 3200F, FortiGate 3201F, FortiGate 3500F, FortiGate 3501F, FortiGate 3700F,
FortiGate 3701F, FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E,
FortiGate 401F, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4201F,
FortiGate 4400F, FortiGate 4401F, FortiGate 600F, FortiGate 601F, FortiGate 60E DSLJ,
FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E,
FortiGate 61F, FortiGate 70F, FortiGate 71F, FortiGate 80E-POE, FortiGate 80E, FortiGate
80F Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 81E-POE, FortiGate 81E,
FortiGate 81F-POE, FortiGate 81F, FortiGate 90E, FortiGate 91E, FortiGateRugged 60F
3G4G, FortiGateRugged 60F, FortiGateRugged 70F 3G4G, FortiGateRugged 70F, FortiWiFi
40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSLJ, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi
60F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi
81F 2R-POE, FortiWiFi 81F 2R.
It is not available for: FortiGate 1000D, FortiGate 2000E, FortiGate 200E, FortiGate 201E,
FortiGate 2200E, FortiGate 2201E, FortiGate 2500E, FortiGate 3000D, FortiGate 3100D,
FortiGate 3200D, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E,
FortiGate 3600E, FortiGate 3601E, FortiGate 3700D, FortiGate 3960E, FortiGate 3980E,
FortiGate 5001E1, FortiGate 5001E, FortiGate 500E, FortiGate 501E, FortiGate 600E,
FortiGate 601E, FortiGate 800D, FortiGate 900D, FortiGate VM64.

Configure physical switches.

config system physical-switch
Description: Configure physical switches.
edit <name>
set age-enable [enable|disable]
set age-val {integer}
next
end

FortiOS 7.4.4 CLI Reference 1563

Fortinet Inc.
config system physical-switch

Parameter Description Type Size Default

age-enable Enable/disable layer 2 age timer. option - disable

Option Description

enable Enable layer 2 ageing timer.

disable Disable layer 2 ageing timer.

age-val Layer 2 table age timer value. integer Minimum 3158067

value: 0
Maximum
value:
4294967295

name Name. string Maximum

length: 15

config system pppoe-interface

Configure the PPPoE interfaces.

config system pppoe-interface
Description: Configure the PPPoE interfaces.
edit <name>
set ac-name {string}
set auth-type [auto|pap|...]
set device {string}
set dial-on-demand [enable|disable]
set disc-retry-timeout {integer}
set idle-timeout {integer}
set ipunnumbered {ipv4-address}
set ipv6 [enable|disable]
set lcp-echo-interval {integer}
set lcp-max-echo-fails {integer}
set padt-retry-timeout {integer}
set password {password}
set pppoe-unnumbered-negotiate [enable|disable]
set service-name {string}
set username {string}
next
end

FortiOS 7.4.4 CLI Reference 1564

Fortinet Inc.
config system pppoe-interface

Parameter Description Type Size Default

ac-name PPPoE AC name. string Maximum

length: 63

auth-type PPP authentication type to use. option - auto

Option Description

auto Automatically choose the authentication method.

pap PAP authentication.

chap CHAP authentication.

mschapv1 MS-CHAPv1 authentication.

mschapv2 MS-CHAPv2 authentication.

device Name for the physical interface. string Maximum

length: 15

dial-on-demand Enable/disable dial on demand to dial the PPPoE option - disable

interface when packets are routed to the PPPoE
interface.

Option Description

enable Enable dial on demand.

disable Disable dial on demand.

disc-retry- PPPoE discovery init timeout value in. integer Minimum 1

timeout value: 0
Maximum
value:
4294967295

idle-timeout PPPoE auto disconnect after idle timeout. integer Minimum 0

value: 0
Maximum
value:
4294967295

ipunnumbered PPPoE unnumbered IP. ipv4- Not Specified 0.0.0.0

address

ipv6 Enable/disable IPv6 Control Protocol (IPv6CP). option - disable

Option Description

enable Enable IPv6CP.

disable Disable IPv6CP.

FortiOS 7.4.4 CLI Reference 1565

Fortinet Inc.
Parameter Description Type Size Default

lcp-echo-interval Time in seconds between PPPoE Link Control integer Minimum 5

Protocol (LCP) echo requests. value: 0
Maximum
value: 32767

lcp-max-echo- Maximum missed LCP echo messages before integer Minimum 3

fails disconnect. value: 0
Maximum
value: 32767

name Name of the PPPoE interface. string Maximum

length: 15

padt-retry- PPPoE terminate timeout value in. integer Minimum 1

timeout value: 0
Maximum
value:
4294967295

password Enter the password. password Not Specified

pppoe- Enable/disable PPPoE unnumbered negotiation. option - enable

unnumbered-
negotiate

Option Description

enable Enable PPPoE unnumbered negotiation.

disable Disable PPPoE unnumbered negotiation.

service-name PPPoE service name. string Maximum

length: 63

username User name. string Maximum

length: 64

config system probe-response

Configure system probe response.

config system probe-response
Description: Configure system probe response.
set http-probe-value {string}
set mode [none|http-probe|...]
set password {password}
set port {integer}
set security-mode [none|authentication]
set timeout {integer}
set ttl-mode [reinit|decrease|...]
end

FortiOS 7.4.4 CLI Reference 1566

Fortinet Inc.
config system probe-response

Parameter Description Type Size Default

http-probe- Value to respond to the monitoring server. string Maximum OK

value length: 1024

mode SLA response mode. option - none

Option Description

none Disable probe.

http-probe HTTP probe.

twamp Two way active measurement protocol.

password TWAMP responder password in authentication mode. password Not

Specified

port Port number to response. integer Minimum 8008

value: 1
Maximum
value:
65535

security-mode TWAMP responder security mode. option - none

Option Description

none Unauthenticated mode.

authentication Authenticated mode.

timeout An inactivity timer for a twamp test session. integer Minimum 300
value: 10
Maximum
value: 3600

ttl-mode Mode for TWAMP packet TTL modification. option - retain

Option Description

reinit Reinitialize TTL.

decrease Decrease TTL.

retain Retain TTL.

config system proxy-arp

Configure proxy-ARP.
config system proxy-arp
Description: Configure proxy-ARP.

FortiOS 7.4.4 CLI Reference 1567

Fortinet Inc.
edit <id>
set end-ip {ipv4-address}
set interface {string}
set ip {ipv4-address}
next
end

config system proxy-arp

Parameter Description Type Size Default

end-ip End IP of IP range to be proxied. ipv4- Not Specified 0.0.0.0

address

id Unique integer ID of the entry. integer Minimum 0

value: 0
Maximum
value:
4294967295

interface Interface acting proxy-ARP. string Maximum

length: 15

ip IP address or start IP to be proxied. ipv4- Not Specified 0.0.0.0

address

config system ptp

Configure system PTP information.

config system ptp
Description: Configure system PTP information.
set delay-mechanism [E2E|P2P]
set interface {string}
set mode [multicast|hybrid]
set request-interval {integer}
config server-interface
Description: FortiGate interface(s) with PTP server mode enabled. Devices on your
network can contact these interfaces for PTP services.
edit <id>
set server-interface-name {string}
set delay-mechanism [E2E|P2P]
next
end
set server-mode [enable|disable]
set status [enable|disable]
end

FortiOS 7.4.4 CLI Reference 1568

Fortinet Inc.
config system ptp

Parameter Description Type Size Default

delay- End to end delay detection or peer to peer delay option - E2E
mechanism detection.

Option Description

E2E End to end delay detection.

P2P Peer to peer delay detection.

interface PTP client will reply through this interface. string Maximum
length: 15

mode Multicast transmission or hybrid transmission. option - multicast

Option Description

multicast Send PTP packets with multicast.

hybrid Send PTP packets with unicast and multicast.

request- The delay request value is the logarithmic mean interval integer Minimum 1
interval in seconds between the delay request messages sent value: 1
by the slave to the master. Maximum
value: 6

server-mode Enable/disable FortiGate PTP server mode. Your option - disable

FortiGate becomes an PTP server for other devices on
your network.

Option Description

enable Enable FortiGate PTP server mode.

disable Disable FortiGate PTP server mode.

status Enable/disable setting the FortiGate system time by option - disable

synchronizing with an PTP Server.

Option Description

enable Enable synchronization with PTP Server.

disable Disable synchronization with PTP Server.

FortiOS 7.4.4 CLI Reference 1569

Fortinet Inc.
config server-interface

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

server- Interface name. string Maximum

interface- length: 15
name

delay- End to end delay detection or peer to peer delay option - E2E
mechanism detection.

Option Description

E2E End to end delay detection.

P2P Peer to peer delay detection.

config system replacemsg-group

Configure replacement message groups.

config system replacemsg-group
Description: Configure replacement message groups.
edit <name>
config admin
Description: Replacement message table entries.
edit <msg-type>
set buffer {var-string}
set header [none|http|...]
set format [none|text|...]
next
end
config alertmail
Description: Replacement message table entries.
edit <msg-type>
set buffer {var-string}
set header [none|http|...]
set format [none|text|...]
next
end
config auth
Description: Replacement message table entries.
edit <msg-type>
set buffer {var-string}
set header [none|http|...]
set format [none|text|...]
next
end

FortiOS 7.4.4 CLI Reference 1570

Fortinet Inc.
config automation
Description: Replacement message table entries.
edit <msg-type>
set buffer {var-string}
set header [none|http|...]
set format [none|text|...]
next
end
set comment {var-string}
config custom-message
Description: Replacement message table entries.
edit <msg-type>
set buffer {var-string}
set header [none|http|...]
set format [none|text|...]
next
end
config fortiguard-wf
Description: Replacement message table entries.
edit <msg-type>
set buffer {var-string}
set header [none|http|...]
set format [none|text|...]
next
end
config ftp
Description: Replacement message table entries.
edit <msg-type>
set buffer {var-string}
set header [none|http|...]
set format [none|text|...]
next
end
set group-type [default|utm|...]
config http
Description: Replacement message table entries.
edit <msg-type>
set buffer {var-string}
set header [none|http|...]
set format [none|text|...]
next
end
config icap
Description: Replacement message table entries.
edit <msg-type>
set buffer {var-string}
set header [none|http|...]
set format [none|text|...]
next
end
config mail
Description: Replacement message table entries.
edit <msg-type>
set buffer {var-string}
set header [none|http|...]
set format [none|text|...]

FortiOS 7.4.4 CLI Reference 1571

Fortinet Inc.
next
end
config nac-quar
Description: Replacement message table entries.
edit <msg-type>
set buffer {var-string}
set header [none|http|...]
set format [none|text|...]
next
end
config spam
Description: Replacement message table entries.
edit <msg-type>
set buffer {var-string}
set header [none|http|...]
set format [none|text|...]
next
end
config sslvpn
Description: Replacement message table entries.
edit <msg-type>
set buffer {var-string}
set header [none|http|...]
set format [none|text|...]
next
end
config traffic-quota
Description: Replacement message table entries.
edit <msg-type>
set buffer {var-string}
set header [none|http|...]
set format [none|text|...]
next
end
config utm
Description: Replacement message table entries.
edit <msg-type>
set buffer {var-string}
set header [none|http|...]
set format [none|text|...]
next
end
config webproxy
Description: Replacement message table entries.
edit <msg-type>
set buffer {var-string}
set header [none|http|...]
set format [none|text|...]
next
end
next
end

FortiOS 7.4.4 CLI Reference 1572

Fortinet Inc.
config system replacemsg-group

Parameter Description Type Size Default

comment Comment. var-string Maximum

length: 255

group-type Group type. option - default

Option Description

default Per-vdom replacement messages.

utm For use with UTM settings in firewall policies.

auth For use with authentication pages in firewall policies.

name Group name. string Maximum

length: 35

config admin

Parameter Description Type Size Default

msg-type Message type. string Maximum

length: 28

buffer Message string. var-string Maximum

length:
32768

header Header flag. option - none

Option Description

none No header type.

http HTTP

8bit 8 bit.

format Format flag. option - none

Option Description

none No format type.

text Text format.

html HTML format.

FortiOS 7.4.4 CLI Reference 1573

Fortinet Inc.
config alertmail

Parameter Description Type Size Default

msg-type Message type. string Maximum

none No header type.

http HTTP

8bit 8 bit.

format Format flag. option - none

FortiOS 7.4.4 CLI Reference 1574

Fortinet Inc.
Parameter Description Type Size Default

Option Description

none No format type.

text Text format.

html HTML format.

config automation

Parameter Description Type Size Default

msg-type Message type. string Maximum

length: 28

buffer Message string. var-string Maximum

length:
32768

html HTML format.

config fortiguard-wf

Parameter Description Type Size Default

msg-type Message type. string Maximum

length: 28

buffer Message string. var-string Maximum

length:
32768

header Header flag. option - none

Option Description

none No header type.

http HTTP

8bit 8 bit.

format Format flag. option - none

Option Description

none No format type.

text Text format.

html HTML format.

FortiOS 7.4.4 CLI Reference 1576

Fortinet Inc.
config ftp

Parameter Description Type Size Default

msg-type Message type. string Maximum

none No header type.

http HTTP

8bit 8 bit.

format Format flag. option - none

FortiOS 7.4.4 CLI Reference 1577

Fortinet Inc.
Parameter Description Type Size Default

Option Description

none No format type.

text Text format.

html HTML format.

config icap

Parameter Description Type Size Default

msg-type Message type. string Maximum

length: 28

buffer Message string. var-string Maximum

length:
32768

html HTML format.

config nac-quar

Parameter Description Type Size Default

msg-type Message type. string Maximum

length: 28

buffer Message string. var-string Maximum

length:
32768

header Header flag. option - none

Option Description

none No header type.

http HTTP

8bit 8 bit.

format Format flag. option - none

Option Description

none No format type.

text Text format.

html HTML format.

FortiOS 7.4.4 CLI Reference 1579

Fortinet Inc.
config spam

Parameter Description Type Size Default

msg-type Message type. string Maximum

none No header type.

http HTTP

8bit 8 bit.

format Format flag. option - none

FortiOS 7.4.4 CLI Reference 1580

Fortinet Inc.
Parameter Description Type Size Default

Option Description

none No format type.

text Text format.

html HTML format.

config traffic-quota

Parameter Description Type Size Default

msg-type Message type. string Maximum

length: 28

buffer Message string. var-string Maximum

length:
32768

html HTML format.

config webproxy

Parameter Description Type Size Default

msg-type Message type. string Maximum

length: 28

buffer Message string. var-string Maximum

length:
32768

header Header flag. option - none

Option Description

none No header type.

http HTTP

8bit 8 bit.

format Format flag. option - none

Option Description

none No format type.

text Text format.

html HTML format.

config system replacemsg-image

Configure replacement message images.

FortiOS 7.4.4 CLI Reference 1582

Fortinet Inc.
config system replacemsg-image
Description: Configure replacement message images.
edit <name>
set image-base64 {var-string}
set image-type [gif|jpg|...]
next
end

config system replacemsg-image

Parameter Description Type Size Default

image-base64 Image data. var-string Maximum

length:
32768

image-type Image type. option - png

Option Description

gif GIF image.

jpg JPEG image.

tiff TIFF image.

png PNG image.

name Image name. string Maximum

length: 23

config system replacemsg admin

Replacement messages.
config system replacemsg admin
Description: Replacement messages.
edit <msg-type>
set buffer {var-string}
set format [none|text|...]
set header [none|http|...]
next
end

config system replacemsg admin

Parameter Description Type Size Default

buffer Message string. var-string Maximum

length:
32768

FortiOS 7.4.4 CLI Reference 1583

Fortinet Inc.
Parameter Description Type Size Default

format Format flag. option - none

Option Description

none No format type.

text Text format.

html HTML format.

header Header flag. option - none

Option Description

none No header type.

http HTTP

8bit 8 bit.

msg-type Message type. string Maximum

length: 28

config system replacemsg alertmail

Replacement messages.
config system replacemsg alertmail
Description: Replacement messages.
edit <msg-type>
set buffer {var-string}
set format [none|text|...]
set header [none|http|...]
next
end

config system replacemsg alertmail

Parameter Description Type Size Default

buffer Message string. var-string Maximum

length:
32768

format Format flag. option - none

Option Description

none No format type.

FortiOS 7.4.4 CLI Reference 1584

Fortinet Inc.
Parameter Description Type Size Default

Option Description

text Text format.

html HTML format.

header Header flag. option - none

Option Description

none No header type.

http HTTP

8bit 8 bit.

msg-type Message type. string Maximum

length: 28

config system replacemsg auth

Replacement messages.
config system replacemsg auth
Description: Replacement messages.
edit <msg-type>
set buffer {var-string}
set format [none|text|...]
set header [none|http|...]
next
end

config system replacemsg auth

Parameter Description Type Size Default

buffer Message string. var-string Maximum

length:
32768

format Format flag. option - none

Option Description

none No format type.

text Text format.

html HTML format.

header Header flag. option - none

FortiOS 7.4.4 CLI Reference 1585

Fortinet Inc.
Parameter Description Type Size Default

Option Description

none No header type.

http HTTP

8bit 8 bit.

msg-type Message type. string Maximum

length: 28

config system replacemsg automation

Replacement messages.
config system replacemsg automation
Description: Replacement messages.
edit <msg-type>
set buffer {var-string}
set format [none|text|...]
set header [none|http|...]
next
end

config system replacemsg automation

Parameter Description Type Size Default

buffer Message string. var-string Maximum

length:
32768

format Format flag. option - none

Option Description

none No format type.

text Text format.

html HTML format.

header Header flag. option - none

Option Description

none No header type.

http HTTP

8bit 8 bit.

FortiOS 7.4.4 CLI Reference 1586

Fortinet Inc.
Parameter Description Type Size Default

msg-type Message type. string Maximum

length: 28

config system replacemsg custom-message

Replacement messages.
config system replacemsg custom-message
Description: Replacement messages.
edit <msg-type>
set buffer {var-string}
set format [none|text|...]
set header [none|http|...]
next
end

config system replacemsg custom-message

Parameter Description Type Size Default

buffer Message string. var-string Maximum

length:
32768

format Format flag. option - none

Option Description

none No format type.

text Text format.

html HTML format.

header Header flag. option - none

Option Description

none No header type.

http HTTP

8bit 8 bit.

msg-type Message type. string Maximum

length: 28

config system replacemsg fortiguard-wf

Replacement messages.

FortiOS 7.4.4 CLI Reference 1587

Fortinet Inc.
config system replacemsg fortiguard-wf
Description: Replacement messages.
edit <msg-type>
set buffer {var-string}
set format [none|text|...]
set header [none|http|...]
next
end

config system replacemsg fortiguard-wf

Parameter Description Type Size Default

buffer Message string. var-string Maximum

length:
32768

format Format flag. option - none

Option Description

none No format type.

text Text format.

html HTML format.

header Header flag. option - none

Option Description

none No header type.

http HTTP

8bit 8 bit.

msg-type Message type. string Maximum

length: 28

config system replacemsg ftp

Replacement messages.
config system replacemsg ftp
Description: Replacement messages.
edit <msg-type>
set buffer {var-string}
set format [none|text|...]
set header [none|http|...]
next
end

FortiOS 7.4.4 CLI Reference 1588

Fortinet Inc.
config system replacemsg ftp

Parameter Description Type Size Default

buffer Message string. var-string Maximum

length:
32768

format Format flag. option - none

Option Description

none No format type.

text Text format.

html HTML format.

header Header flag. option - none

Option Description

none No header type.

http HTTP

8bit 8 bit.

msg-type Message type. string Maximum

length: 28

config system replacemsg http

Replacement messages.
config system replacemsg http
Description: Replacement messages.
edit <msg-type>
set buffer {var-string}
set format [none|text|...]
set header [none|http|...]
next
end

config system replacemsg http

Parameter Description Type Size Default

buffer Message string. var-string Maximum

length:
32768

FortiOS 7.4.4 CLI Reference 1589

Fortinet Inc.
Parameter Description Type Size Default

format Format flag. option - none

Option Description

none No format type.

text Text format.

html HTML format.

header Header flag. option - none

Option Description

none No header type.

http HTTP

8bit 8 bit.

msg-type Message type. string Maximum

length: 28

config system replacemsg icap

Replacement messages.
config system replacemsg icap
Description: Replacement messages.
edit <msg-type>
set buffer {var-string}
set format [none|text|...]
set header [none|http|...]
next
end

config system replacemsg icap

Parameter Description Type Size Default

buffer Message string. var-string Maximum

length:
32768

format Format flag. option - none

Option Description

none No format type.

FortiOS 7.4.4 CLI Reference 1590

Fortinet Inc.
Parameter Description Type Size Default

Option Description

text Text format.

html HTML format.

header Header flag. option - none

Option Description

none No header type.

http HTTP

8bit 8 bit.

msg-type Message type. string Maximum

length: 28

config system replacemsg mail

Replacement messages.
config system replacemsg mail
Description: Replacement messages.
edit <msg-type>
set buffer {var-string}
set format [none|text|...]
set header [none|http|...]
next
end

config system replacemsg mail

Parameter Description Type Size Default

buffer Message string. var-string Maximum

length:
32768

format Format flag. option - none

Option Description

none No format type.

text Text format.

html HTML format.

header Header flag. option - none

FortiOS 7.4.4 CLI Reference 1591

Fortinet Inc.
Parameter Description Type Size Default

Option Description

none No header type.

http HTTP

8bit 8 bit.

msg-type Message type. string Maximum

length: 28

config system replacemsg nac-quar

Replacement messages.
config system replacemsg nac-quar
Description: Replacement messages.
edit <msg-type>
set buffer {var-string}
set format [none|text|...]
set header [none|http|...]
next
end

config system replacemsg nac-quar

Parameter Description Type Size Default

buffer Message string. var-string Maximum

length:
32768

format Format flag. option - none

Option Description

none No format type.

text Text format.

html HTML format.

header Header flag. option - none

Option Description

none No header type.

http HTTP

8bit 8 bit.

FortiOS 7.4.4 CLI Reference 1592

Fortinet Inc.
Parameter Description Type Size Default

msg-type Message type. string Maximum

length: 28

config system replacemsg spam

Replacement messages.
config system replacemsg spam
Description: Replacement messages.
edit <msg-type>
set buffer {var-string}
set format [none|text|...]
set header [none|http|...]
next
end

config system replacemsg spam

Parameter Description Type Size Default

buffer Message string. var-string Maximum

length:
32768

format Format flag. option - none

Option Description

none No format type.

text Text format.

html HTML format.

header Header flag. option - none

Option Description

none No header type.

http HTTP

8bit 8 bit.

msg-type Message type. string Maximum

length: 28

config system replacemsg sslvpn

Replacement messages.

FortiOS 7.4.4 CLI Reference 1593

Fortinet Inc.
config system replacemsg sslvpn
Description: Replacement messages.
edit <msg-type>
set buffer {var-string}
set format [none|text|...]
set header [none|http|...]
next
end

config system replacemsg sslvpn

Parameter Description Type Size Default

buffer Message string. var-string Maximum

length:
32768

format Format flag. option - none

Option Description

none No format type.

text Text format.

html HTML format.

header Header flag. option - none

Option Description

none No header type.

http HTTP

8bit 8 bit.

msg-type Message type. string Maximum

length: 28

config system replacemsg traffic-quota

Replacement messages.
config system replacemsg traffic-quota
Description: Replacement messages.
edit <msg-type>
set buffer {var-string}
set format [none|text|...]
set header [none|http|...]
next
end

FortiOS 7.4.4 CLI Reference 1594

Fortinet Inc.
config system replacemsg traffic-quota

Parameter Description Type Size Default

buffer Message string. var-string Maximum

length:
32768

format Format flag. option - none

Option Description

none No format type.

text Text format.

html HTML format.

header Header flag. option - none

Option Description

none No header type.

http HTTP

8bit 8 bit.

msg-type Message type. string Maximum

length: 28

config system replacemsg utm

Replacement messages.
config system replacemsg utm
Description: Replacement messages.
edit <msg-type>
set buffer {var-string}
set format [none|text|...]
set header [none|http|...]
next
end

config system replacemsg utm

Parameter Description Type Size Default

buffer Message string. var-string Maximum

length:
32768

FortiOS 7.4.4 CLI Reference 1595

Fortinet Inc.
Parameter Description Type Size Default

format Format flag. option - none

Option Description

none No format type.

text Text format.

html HTML format.

header Header flag. option - none

Option Description

none No header type.

http HTTP

8bit 8 bit.

msg-type Message type. string Maximum

length: 28

config system replacemsg webproxy

Replacement messages.
config system replacemsg webproxy
Description: Replacement messages.
edit <msg-type>
set buffer {var-string}
set format [none|text|...]
set header [none|http|...]
next
end

config system replacemsg webproxy

Parameter Description Type Size Default

buffer Message string. var-string Maximum

length:
32768

format Format flag. option - none

Option Description

none No format type.

FortiOS 7.4.4 CLI Reference 1596

Fortinet Inc.
Parameter Description Type Size Default

Option Description

text Text format.

html HTML format.

header Header flag. option - none

Option Description

none No header type.

http HTTP

8bit 8 bit.

msg-type Message type. string Maximum

length: 28

config system resource-limits

Configure resource limits.

config system resource-limits
Description: Configure resource limits.
set custom-service {integer}
set dialup-tunnel {integer}
set firewall-address {integer}
set firewall-addrgrp {integer}
set firewall-policy {integer}
set ipsec-phase1 {integer}
set ipsec-phase1-interface {integer}
set ipsec-phase2 {integer}
set ipsec-phase2-interface {integer}
set log-disk-quota {integer}
set onetime-schedule {integer}
set proxy {integer}
set recurring-schedule {integer}
set service-group {integer}
set session {integer}
set sslvpn {integer}
set user {integer}
set user-group {integer}
end

FortiOS 7.4.4 CLI Reference 1597

Fortinet Inc.
config system resource-limits

Parameter Description Type Size Default

custom- Maximum number of firewall custom services. integer Minimum

service value: 0
Maximum
value:
4294967295

dialup-tunnel Maximum number of dial-up tunnels. integer Minimum

value: 0
Maximum
value:
4294967295

firewall- Maximum number of firewall addresses (IPv4, IPv6, integer Minimum

address multicast). value: 0
Maximum
value:
4294967295

firewall- Maximum number of firewall address groups (IPv4, integer Minimum

addrgrp IPv6). value: 0
Maximum
value:
4294967295

firewall-policy Maximum number of firewall policies (policy, DoS- integer Minimum

policy4, DoS-policy6, multicast). value: 0
Maximum
value:
4294967295

ipsec-phase1 Maximum number of VPN IPsec phase1 tunnels. integer Minimum

value: 0
Maximum
value:
4294967295

ipsec-phase1- Maximum number of VPN IPsec phase1 interface integer Minimum

interface tunnels. value: 0
Maximum
value:
4294967295

ipsec-phase2 Maximum number of VPN IPsec phase2 tunnels. integer Minimum

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1598

Fortinet Inc.
Parameter Description Type Size Default

ipsec-phase2- Maximum number of VPN IPsec phase2 interface integer Minimum

interface tunnels. value: 0
Maximum
value:
4294967295

log-disk-quota Log disk quota in megabytes (MB). integer Minimum 0

value: 0
Maximum
value:
4294967295 **

onetime- Maximum number of firewall one-time schedules. integer Minimum

schedule value: 0
Maximum
value:
4294967295

proxy Maximum number of concurrent proxy users. integer Minimum

value: 0
Maximum
value:
4294967295

recurring- Maximum number of firewall recurring schedules. integer Minimum

schedule value: 0
Maximum
value:
4294967295

service-group Maximum number of firewall service groups. integer Minimum

value: 0
Maximum
value:
4294967295

session Maximum number of sessions. integer Minimum

value: 0
Maximum
value:
4294967295

sslvpn Maximum number of SSL-VPN. integer Minimum

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1599

Fortinet Inc.
Parameter Description Type Size Default

user Maximum number of local users. integer Minimum

value: 0
Maximum
value:
4294967295

user-group Maximum number of user groups. integer Minimum

value: 0
Maximum
value:
4294967295

** Values may differ between models.

config system saml

Global settings for SAML authentication.

config system saml
Description: Global settings for SAML authentication.
set binding-protocol [post|redirect]
set cert {string}
set default-login-page [normal|sso]
set default-profile {string}
set entity-id {string}
set idp-cert {string}
set idp-entity-id {string}
set idp-single-logout-url {string}
set idp-single-sign-on-url {string}
set life {integer}
set portal-url {string}
set role [identity-provider|service-provider]
set server-address {string}
config service-providers
Description: Authorized service providers.
edit <name>
set prefix {string}
set sp-binding-protocol [post|redirect]
set sp-cert {string}
set sp-entity-id {string}
set sp-single-sign-on-url {string}
set sp-single-logout-url {string}
set sp-portal-url {string}
set idp-entity-id {string}
set idp-single-sign-on-url {string}
set idp-single-logout-url {string}
config assertion-attributes
Description: Customized SAML attributes to send along with assertion.
edit <name>
set type [username|email|...]
next
end

FortiOS 7.4.4 CLI Reference 1600

Fortinet Inc.
next
end
set single-logout-url {string}
set single-sign-on-url {string}
set status [enable|disable]
set tolerance {integer}
end

config system saml

Parameter Description Type Size Default

binding- IdP Binding protocol. option - redirect

protocol

Option Description

post HTTP POST binding.

redirect HTTP Redirect binding.

cert Certificate to sign SAML messages. string Maximum

length: 35

default-login- Choose default login page. option - normal

page

Option Description

normal Use local login page as default.

sso Use IdP's Single Sign-On page as default.

default-profile Default profile for new SSO admin. string Maximum

length: 35

entity-id SP entity ID. string Maximum

length: 255

idp-cert IDP certificate name. string Maximum

length: 35

idp-entity-id IDP entity ID. string Maximum

length: 255

idp-single- IDP single logout URL. string Maximum

logout-url length: 255

idp-single- IDP single sign-on URL. string Maximum

sign-on-url length: 255

FortiOS 7.4.4 CLI Reference 1601

Fortinet Inc.
Parameter Description Type Size Default

life Length of the range of time when the assertion is valid integer Minimum 30
(in minutes). value: 0
Maximum
value:
4294967295

portal-url SP portal URL. string Maximum

length: 255

role SAML role. option - service-

provider

Option Description

identity-provider Identity Provider.

service-provider Service Provider.

server- Server address. string Maximum

address length: 63

single-logout- SP single logout URL. string Maximum

url length: 255

single-sign- SP single sign-on URL. string Maximum

on-url length: 255

status Enable/disable SAML authentication. option - disable

Option Description

enable Enable SAML authentication.

disable Disable SAML authentication.

config assertion-attributes

Parameter Description Type Size Default

name Name. string Maximum

length: 35

type Type. option - username

Option Description

username User Name.

email Email Address.

profile-name Profile Name.

config system sdn-connector

Configure connection to SDN Connector.

config system sdn-connector
Description: Configure connection to SDN Connector.

FortiOS 7.4.4 CLI Reference 1603

Fortinet Inc.
edit <name>
set access-key {string}
set alt-resource-ip [disable|enable]
set api-key {password}
set azure-region [global|china|...]
set client-id {string}
set client-secret {password}
config compartment-list
Description: Configure OCI compartment list.
edit <compartment-id>
next
end
set compute-generation {integer}
set domain {string}
config external-account-list
Description: Configure AWS external account list.
edit <role-arn>
set external-id {string}
set region-list <region1>, <region2>, ...
next
end
config external-ip
Description: Configure GCP external IP.
edit <name>
next
end
config forwarding-rule
Description: Configure GCP forwarding rule.
edit <rule-name>
set target {string}
next
end
config gcp-project-list
Description: Configure GCP project list.
edit <id>
set gcp-zone-list <name1>, <name2>, ...
next
end
set group-name {string}
set ha-status [disable|enable]
set ibm-region [dallas|washington-dc|...]
set login-endpoint {string}
config nic
Description: Configure Azure network interface.
edit <name>
config ip
Description: Configure IP configuration.
edit <name>
set public-ip {string}
set resource-group {string}
next
end
next
end
set oci-cert {string}
set oci-fingerprint {string}

FortiOS 7.4.4 CLI Reference 1604

Fortinet Inc.
config oci-region-list
Description: Configure OCI region list.
edit <region>
next
end
set oci-region-type [commercial|government]
set password {password_aes256}
set private-key {user}
set proxy {string}
set region {string}
set resource-group {string}
set resource-url {string}
config route
Description: Configure GCP route.
edit <name>
next
end
config route-table
Description: Configure Azure route table.
edit <name>
set subscription-id {string}
set resource-group {string}
config route
Description: Configure Azure route.
edit <name>
set next-hop {string}
next
end
next
end
set secret-key {password}
set secret-token {user}
set server {string}
set server-ca-cert {string}
set server-cert {string}
set server-list <ip1>, <ip2>, ...
set server-port {integer}
set service-account {string}
set status [disable|enable]
set subscription-id {string}
set tenant-id {string}
set type [aci|alicloud|...]
set update-interval {integer}
set use-metadata-iam [disable|enable]
set user-id {string}
set username {string}
set vcenter-password {password_aes256}
set vcenter-server {string}
set vcenter-username {string}
set verify-certificate [disable|enable]
set vpc-id {string}
next
end

FortiOS 7.4.4 CLI Reference 1605

Fortinet Inc.
config system sdn-connector

Parameter Description Type Size Default

access-key AWS / ACS access key ID. string Maximum

length: 31

alt-resource-ip Enable/disable AWS alternative resource IP. option - disable

Option Description

disable Disable AWS alternative resource IP.

enable Enable AWS alternative resource IP.

api-key IBM cloud API key or service ID API key. password Not
Specified

azure-region Azure server region. option - global

Option Description

global Global Azure Server.

china China Azure Server.

germany Germany Azure Server.

usgov US Government Azure Server.

local Azure Stack Local Server.

client-id Azure client ID (application ID). string Maximum

length: 63

client-secret Azure client secret (application key). password Not

Specified

compute- Compute generation for IBM cloud infrastructure. integer Minimum 2

generation value: 1
Maximum
value: 2

domain Domain name. string Maximum

length: 127

group-name Full path group name of computers. string Maximum

length: 127

ha-status Enable/disable use for FortiGate HA service. option - disable

Option Description

disable Disable use for FortiGate HA service.

enable Enable use for FortiGate HA service.

FortiOS 7.4.4 CLI Reference 1606

Fortinet Inc.
Parameter Description Type Size Default

ibm-region IBM cloud region name. option - dallas

Option Description

dallas US South (Dallas) Public Endpoint.

washington-dc US East (Washington DC) Public Endpoint.

london United Kingdom (London) Public Endpoint.

frankfurt Germany (Frankfurt) Public Endpoint.

sydney Australia (Sydney) Public Endpoint.

tokyo Japan (Tokyo) Public Endpoint.

osaka Japan (Osaka) Public Endpoint.

server-cert Trust servers that contain this certificate only. string Maximum
length: 127

server-list Server address list of the remote SDN connector. string Maximum
<ip> IPv4 address. length: 15

server-port Port number of the remote SDN connector. integer Minimum 0

value: 0
Maximum
value:
65535

service- GCP service account email. string Maximum

account length: 127

status Enable/disable connection to the remote SDN option - enable

connector.

Option Description

disable Disable connection to this SDN Connector.

enable Enable connection to this SDN Connector.

subscription-id Azure subscription ID. string Maximum

length: 63

tenant-id Tenant ID (directory ID). string Maximum

length: 127

type Type of SDN connector. option - aws

Option Description

aci Application Centric Infrastructure (ACI).

alicloud AliCloud Service (ACS).

FortiOS 7.4.4 CLI Reference 1608

Fortinet Inc.
Parameter Description Type Size Default

Option Description

aws Amazon Web Services (AWS).

azure Microsoft Azure.

gcp Google Cloud Platform (GCP).

nsx VMware NSX.

nuage Nuage VSP.

oci Oracle Cloud Infrastructure.

openstack OpenStack.

kubernetes Kubernetes.

vmware VMware vSphere (vCenter & ESXi).

sepm Symantec Endpoint Protection Manager.

aci-direct Application Centric Infrastructure (ACI Direct Connection).

ibm IBM Cloud Infrastructure.

nutanix Nutanix Prism Central.

sap SAP Control.

update-interval Dynamic object update interval. integer Minimum 60

value: 0
Maximum
value: 3600

use-metadata- Enable/disable use of IAM role from metadata to option - disable

iam call API.

Option Description

disable Disable using IAM role to call API.

enable Enable using IAM role to call API.

user-id User ID. string Maximum

length: 127

username Username of the remote SDN connector as login string Maximum

credentials. length: 64

vcenter- vCenter server password for NSX quarantine. password_ Not

password aes256 Specified

vcenter-server vCenter server address for NSX quarantine. string Maximum

length: 127

FortiOS 7.4.4 CLI Reference 1609

Fortinet Inc.
Parameter Description Type Size Default

vcenter- vCenter server username for NSX quarantine. string Maximum

username length: 64

verify- Enable/disable server certificate verification. option - enable

certificate

Option Description

disable Disable server certificate verification.

enable Enable server certificate verification.

vpc-id AWS VPC ID. string Maximum

length: 31

config compartment-list

Parameter Description Type Size Default

compartment-id OCI compartment ID. string Maximum

length: 127

config external-account-list

Parameter Description Type Size Default

role-arn AWS role ARN to assume. string Maximum

length: 2047

external-id AWS external ID. string Maximum

length: 1399

region-list AWS region name list. string Maximum

<region> AWS region name. length: 31

config external-ip

Parameter Description Type Size Default

name External IP name. string Maximum

length: 63

config forwarding-rule

Parameter Description Type Size Default

rule-name Forwarding rule name. string Maximum

length: 63

FortiOS 7.4.4 CLI Reference 1610

Fortinet Inc.
Parameter Description Type Size Default

target Target instance name. string Maximum

length: 63

config gcp-project-list

Parameter Description Type Size Default

id GCP project ID. string Maximum

length: 127

gcp-zone-list Configure GCP zone list. string Maximum

<name> GCP zone name. length: 127

config nic

Fortinet Inc.
config route

Parameter Description Type Size Default

name Route name. string Maximum

length: 63

next-hop Next hop address. string Maximum

length: 127

config route-table

Parameter Description Type Size Default

name Route table name. string Maximum

length: 63

subscription-id Subscription ID of Azure route table. string Maximum

length: 63

resource-group Resource group of Azure route table. string Maximum

length: 63

config route

Parameter Description Type Size Default

name Route name. string Maximum

length: 63

config route

Parameter Description Type Size Default

name Route name. string Maximum

length: 63

next-hop Next hop address. string Maximum

length: 127

config system sdn-proxy

Configure SDN proxy.

config system sdn-proxy
Description: Configure SDN proxy.
edit <name>
set password {password_aes256}
set server {string}
set server-port {integer}
set type [general|fortimanager]

FortiOS 7.4.4 CLI Reference 1612

Fortinet Inc.
set username {string}
next
end

config system sdn-proxy

Parameter Description Type Size Default

name SDN proxy name. string Maximum

length: 35

password SDN proxy password. password_ Not

aes256 Specified

server Server address of the SDN proxy. string Maximum

length: 127

server-port Port number of the SDN proxy. integer Minimum 0

value: 0
Maximum
value:
65535

type Type of SDN proxy. option - general

Option Description

general General HTTP proxy.

fortimanager FortiManager SDN proxy.

username SDN proxy username. string Maximum

length: 64

config system sdwan

Configure redundant Internet connections with multiple outbound links and health-check profiles.
config system sdwan
Description: Configure redundant Internet connections with multiple outbound links and
health-check profiles.
set app-perf-log-period {integer}
config duplication
Description: Create SD-WAN duplication rule.
edit <id>
set service-id <id1>, <id2>, ...
set srcaddr <name1>, <name2>, ...
set dstaddr <name1>, <name2>, ...
set srcaddr6 <name1>, <name2>, ...
set dstaddr6 <name1>, <name2>, ...
set srcintf <name1>, <name2>, ...
set dstintf <name1>, <name2>, ...
set service <name1>, <name2>, ...
set packet-duplication [disable|force|...]

FortiOS 7.4.4 CLI Reference 1613

Fortinet Inc.
set sla-match-service [enable|disable]
set packet-de-duplication [enable|disable]
next
end
set duplication-max-num {integer}
set fail-alert-interfaces <name1>, <name2>, ...
set fail-detect [enable|disable]
config health-check
Description: SD-WAN status checking or health checking. Identify a server on the
Internet and determine how SD-WAN verifies that the FortiGate can communicate with it.
edit <name>
set probe-packets [disable|enable]
set addr-mode [ipv4|ipv6]
set system-dns [disable|enable]
set server {string}
set detect-mode [active|passive|...]
set protocol [ping|tcp-echo|...]
set port {integer}
set quality-measured-method [half-open|half-close]
set security-mode [none|authentication]
set user {string}
set password {password}
set packet-size {integer}
set ha-priority {integer}
set ftp-mode [passive|port]
set ftp-file {string}
set http-get {string}
set http-agent {string}
set http-match {string}
set dns-request-domain {string}
set dns-match-ip {ipv4-address}
set interval {integer}
set probe-timeout {integer}
set failtime {integer}
set recoverytime {integer}
set probe-count {integer}
set diffservcode {user}
set update-cascade-interface [enable|disable]
set update-static-route [enable|disable]
set embed-measured-health [enable|disable]
set sla-id-redistribute {integer}
set sla-fail-log-period {integer}
set sla-pass-log-period {integer}
set threshold-warning-packetloss {integer}
set threshold-alert-packetloss {integer}
set threshold-warning-latency {integer}
set threshold-alert-latency {integer}
set threshold-warning-jitter {integer}
set threshold-alert-jitter {integer}
set vrf {integer}
set source {ipv4-address}
set source6 {ipv6-address}
set members <seq-num1>, <seq-num2>, ...
set mos-codec [g711|g722|...]
set class-id {integer}
config sla

FortiOS 7.4.4 CLI Reference 1614

Fortinet Inc.
Description: Service level agreement (SLA).
edit <id>
set link-cost-factor {option1}, {option2}, ...
set latency-threshold {integer}
set jitter-threshold {integer}
set packetloss-threshold {integer}
set mos-threshold {string}
set priority-in-sla {integer}
set priority-out-sla {integer}
next
end
next
end
set load-balance-mode [source-ip-based|weight-based|...]
config members
Description: FortiGate interfaces added to the SD-WAN.
edit <seq-num>
set interface {string}
set zone {string}
set gateway {ipv4-address}
set preferred-source {ipv4-address}
set source {ipv4-address}
set gateway6 {ipv6-address}
set source6 {ipv6-address}
set cost {integer}
set weight {integer}
set priority {integer}
set priority6 {integer}
set spillover-threshold {integer}
set ingress-spillover-threshold {integer}
set volume-ratio {integer}
set status [disable|enable]
set transport-group {integer}
set comment {var-string}
next
end
config neighbor
Description: Create SD-WAN neighbor from BGP neighbor table to control route
advertisements according to SLA status.
edit <ip>
set member <seq-num1>, <seq-num2>, ...
set service-id {integer}
set minimum-sla-meet-members {integer}
set mode [sla|speedtest]
set role [standalone|primary|...]
set health-check {string}
set sla-id {integer}
next
end
set neighbor-hold-boot-time {integer}
set neighbor-hold-down [enable|disable]
set neighbor-hold-down-time {integer}
config service
Description: Create SD-WAN rules (also called services) to control how sessions are
distributed to interfaces in the SD-WAN.
edit <id>

FortiOS 7.4.4 CLI Reference 1615

Fortinet Inc.
set name {string}
set addr-mode [ipv4|ipv6]
set load-balance [enable|disable]
set input-device <name1>, <name2>, ...
set input-device-negate [enable|disable]
set input-zone <name1>, <name2>, ...
set mode [auto|manual|...]
set zone-mode [enable|disable]
set minimum-sla-meet-members {integer}
set hash-mode [round-robin|source-ip-based|...]
set shortcut-priority [enable|disable|...]
set role [standalone|primary|...]
set standalone-action [enable|disable]
set quality-link {integer}
set tos {user}
set tos-mask {user}
set protocol {integer}
set start-port {integer}
set end-port {integer}
set start-src-port {integer}
set end-src-port {integer}
set dst <name1>, <name2>, ...
set dst-negate [enable|disable]
set src <name1>, <name2>, ...
set dst6 <name1>, <name2>, ...
set src6 <name1>, <name2>, ...
set src-negate [enable|disable]
set users <name1>, <name2>, ...
set groups <name1>, <name2>, ...
set internet-service [enable|disable]
set internet-service-custom <name1>, <name2>, ...
set internet-service-custom-group <name1>, <name2>, ...
set internet-service-name <name1>, <name2>, ...
set internet-service-group <name1>, <name2>, ...
set internet-service-app-ctrl <id1>, <id2>, ...
set internet-service-app-ctrl-group <name1>, <name2>, ...
set internet-service-app-ctrl-category <id1>, <id2>, ...
set health-check <name1>, <name2>, ...
set link-cost-factor [latency|jitter|...]
set packet-loss-weight {integer}
set latency-weight {integer}
set jitter-weight {integer}
set bandwidth-weight {integer}
set link-cost-threshold {integer}
set hold-down-time {integer}
set sla-stickiness [enable|disable]
set dscp-forward [enable|disable]
set dscp-reverse [enable|disable]
set dscp-forward-tag {user}
set dscp-reverse-tag {user}
config sla
Description: Service level agreement (SLA).
edit <health-check>
set id {integer}
next
end

FortiOS 7.4.4 CLI Reference 1616

Fortinet Inc.
set priority-members <seq-num1>, <seq-num2>, ...
set priority-zone <name1>, <name2>, ...
set status [enable|disable]
set gateway [enable|disable]
set default [enable|disable]
set sla-compare-method [order|number]
set tie-break [zone|cfg-order|...]
set use-shortcut-sla [enable|disable]
set passive-measurement [enable|disable]
set agent-exclusive [enable|disable]
set shortcut [enable|disable]
next
end
set speedtest-bypass-routing [disable|enable]
set status [disable|enable]
config zone
Description: Configure SD-WAN zones.
edit <name>
set advpn-select [enable|disable]
set advpn-health-check {string}
set service-sla-tie-break [cfg-order|fib-best-match|...]
set minimum-sla-meet-members {integer}
next
end
end

config system sdwan

Parameter Description Type Size Default

app-perf-log- Time interval in seconds that application performance integer Minimum 0

period logs are generated. value: 0
Maximum
value: 3600

duplication- Maximum number of interface members a packet is integer Minimum 2

max-num duplicated in the SD-WAN zone. value: 2
Maximum
value: 4

fail-alert- Physical interfaces that will be alerted. string Maximum

interfaces Physical interface name. length: 79
<name>

fail-detect Enable/disable SD-WAN Internet connection status option - disable

checking (failure detection).

Option Description

enable Enable status checking.

disable Disable status checking.

FortiOS 7.4.4 CLI Reference 1617

Fortinet Inc.
Parameter Description Type Size Default

load-balance- Algorithm or mode to use for load balancing Internet option - source-ip-
mode traffic to SD-WAN members. based

Option Description

source-ip-based Source IP load balancing. All traffic from a source IP is sent to the same
interface.

weight-based Weight-based load balancing. Interfaces with higher weights have higher
priority and get more traffic.

usage-based Usage-based load balancing. All traffic is sent to the first interface on the list.
When the bandwidth on that interface exceeds the spill-over limit new traffic is
sent to the next interface.

source-dest-ip- Source and destination IP load balancing. All traffic from a source IP to a
based destination IP is sent to the same interface.

measured- Volume-based load balancing. Traffic is load balanced based on traffic volume
volume-based (in bytes). More traffic is sent to interfaces with higher volume ratios.

neighbor- Waiting period in seconds when switching from the integer Minimum 0
hold-boot- primary neighbor to the secondary neighbor from the value: 0
time neighbor start.. Maximum
value:
10000000

neighbor- Enable/disable hold switching from the secondary option - disable

hold-down neighbor to the primary neighbor.

Option Description

enable Enable hold switching from the secondary neighbor to the primary neighbor.

disable Disable hold switching from the secondary neighbor to the primary neighbor.

neighbor- Waiting period in seconds when switching from the integer Minimum 0
hold-down- secondary neighbor to the primary neighbor when hold- value: 0
time down is disabled.. Maximum
value:
10000000

speedtest- Enable/disable bypass routing when speedtest on a option - disable

bypass- SD-WAN member.
routing

Option Description

disable Disable SD-WAN.

enable Enable SD-WAN.

FortiOS 7.4.4 CLI Reference 1618

Fortinet Inc.
Parameter Description Type Size Default

status Enable/disable SD-WAN. option - disable

Option Description

disable Disable SD-WAN.

enable Enable SD-WAN.

config duplication

Parameter Description Type Size Default

id Duplication rule ID. integer Minimum 0

value: 1
Maximum
value: 255

service-id SD-WAN service rule ID list. integer Minimum

<id> SD-WAN service rule ID. value: 0
Maximum
value:
4294967295

srcaddr Source address or address group names. string Maximum

<name> Address or address group name. length: 79

dstaddr Destination address or address group names. string Maximum

<name> Address or address group name. length: 79

srcaddr6 Source address6 or address6 group names. string Maximum

<name> Address6 or address6 group name. length: 79

dstaddr6 Destination address6 or address6 group names. string Maximum

<name> Address6 or address6 group name. length: 79

srcintf Incoming (ingress) interfaces or zones. string Maximum

<name> Interface, zone or SDWAN zone name. length: 79

dstintf Outgoing (egress) interfaces or zones. string Maximum

<name> Interface, zone or SDWAN zone name. length: 79

service Service and service group name. string Maximum

<name> Service and service group name. length: 79

packet- Configure packet duplication method. option - disable

duplication

Option Description

disable Disable packet duplication.

FortiOS 7.4.4 CLI Reference 1619

Fortinet Inc.
Parameter Description Type Size Default

Option Description

force Duplicate packets across all interface members of the SD-WAN zone.

on-demand Duplicate packets across all interface members of the SD-WAN zone based
on the link quality.

sla-match- Enable/disable packet duplication matching health- option - disable

service check SLAs in service rule.

Option Description

enable Enable packet duplication matching health-check SLAs in service rule

(matching all SLAs of current defined service).

disable Disable packet duplication matching health-check SLAs in service rule

(matching all SLAs of all defined health-check).

packet-de- Enable/disable discarding of packets that have been option - disable

duplication duplicated.

Option Description

enable Enable discarding of packets that have been duplicated.

disable Disable discarding of packets that have been duplicated.

config health-check

Parameter Description Type Size Default

name Status check or health check name. string Maximum

length: 35

probe-packets Enable/disable transmission of probe option - enable

packets.

Option Description

disable Disable transmission of probe packets.

enable Enable transmission of probe packets.

addr-mode Address mode (IPv4 or IPv6). option - ipv4

Option Description

ipv4 IPv4 mode.

ipv6 IPv6 mode.

FortiOS 7.4.4 CLI Reference 1620

Fortinet Inc.
Parameter Description Type Size Default

system-dns Enable/disable system DNS as the probe option - disable

server.

Option Description

disable Disable system DNS as the probe server.

enable Enable system DNS as the probe server.

server IP address or FQDN name of the server. string Maximum

length: 79

detect-mode The mode determining how to detect the option - active

server.

Option Description

active The probes are sent actively.

passive The traffic measures health without probes.

prefer-passive The probes are sent in case of no new traffic.

remote Link health obtained from remote peers.

agent-based Traffic health is measured from the fabric connectors.

protocol Protocol used to determine if the option - ping

FortiGate can communicate with the
server.

Option Description

ping Use PING to test the link with the server.

tcp-echo Use TCP echo to test the link with the server.

udp-echo Use UDP echo to test the link with the server.

http Use HTTP-GET to test the link with the server.

https Use HTTPS-GET to test the link with the server.

twamp Use TWAMP to test the link with the server.

dns Use DNS query to test the link with the server.

tcp-connect Use a full TCP connection to test the link with the server.

ftp Use FTP to test the link with the server.

port Port number used to communicate with integer Minimum 0

the server over the selected protocol. value: 0
Maximum
value: 65535

FortiOS 7.4.4 CLI Reference 1621

Fortinet Inc.
Parameter Description Type Size Default

quality- Method to measure the quality of tcp- option - half-open

measured- connect.
method

Option Description

half-open Measure the round trip between syn and ack.

half-close Measure the round trip between fin and ack.

security-mode Twamp controller security mode. option - none

Option Description

none Unauthenticated mode.

authentication Authenticated mode.

user The user name to access probe server. string Maximum

length: 64

password TWAMP controller password in password Not Specified

authentication mode.

packet-size Packet size of a TWAMP test session. integer Minimum 124

value: 0
Maximum
value: 65535

ha-priority HA election priority. integer Minimum 1

value: 1
Maximum
value: 50

ftp-mode FTP mode. option - passive

Option Description

passive The FTP health-check initiates and establishes the data connection.

port The FTP server initiates and establishes the data connection.

ftp-file Full path and file name on the FTP server string Maximum
to download for FTP health-check to length: 254
probe.

http-get URL used to communicate with the server string Maximum /

if the protocol if the protocol is HTTP. length: 1024

http-agent String in the http-agent field in the HTTP string Maximum Chrome/ Safari/
header. length: 1024

FortiOS 7.4.4 CLI Reference 1622

Fortinet Inc.
Parameter Description Type Size Default

http-match Response string expected from the server string Maximum

if the protocol is HTTP. length: 1024

dns-request- Fully qualified domain name to resolve for string Maximum www.example.com
domain the DNS probe. length: 255

dns-match-ip Response IP expected from DNS server if ipv4- Not Specified 0.0.0.0
the protocol is DNS. address

interval Status check interval in milliseconds, or integer Minimum 500

the time between attempting to connect to value: 20
the server. Maximum
value:
3600000

probe-timeout Time to wait before a probe packet is integer Minimum 500

considered lost. value: 20
Maximum
value:
3600000

failtime Number of failures before server is integer Minimum 5

considered lost. value: 1
Maximum
value: 3600

recoverytime Number of successful responses received integer Minimum 5

before server is considered recovered. value: 1
Maximum
value: 3600

probe-count Number of most recent probes that should integer Minimum 30

be used to calculate latency and jitter. value: 5
Maximum
value: 30

diffservcode Differentiated services code point (DSCP) user Not Specified

in the IP header of the probe packet.

update- Enable/disable update cascade interface. option - enable

cascade-
interface

Option Description

enable Enable update cascade interface.

disable Disable update cascade interface.

update-static- Enable/disable updating the static route. option - enable

route

FortiOS 7.4.4 CLI Reference 1623

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable updating the static route.

disable Disable updating the static route.

embed- Enable/disable embedding measured option - disable

measured- health information.
health

Option Description

enable Enable embed measured health.

disable Disable embed measured health.

sla-id- Select the ID from the SLA sub-table. The integer Minimum 0
redistribute selected SLA's priority value will be value: 0
distributed into the routing table. Maximum
value: 32

sla-fail-log- Time interval in seconds that SLA fail log integer Minimum 0
period messages will be generated. value: 0
Maximum
value: 3600

sla-pass-log- Time interval in seconds that SLA pass integer Minimum 0

period log messages will be generated. value: 0
Maximum
value: 3600

threshold- Warning threshold for packet loss. integer Minimum 0

warning- value: 0
packetloss Maximum
value: 100

threshold-alert- Alert threshold for packet loss. integer Minimum 0

packetloss value: 0
Maximum
value: 100

threshold- Warning threshold for latency. integer Minimum 0

warning- value: 0
latency Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1624

Fortinet Inc.
Parameter Description Type Size Default

threshold-alert- Alert threshold for latency. integer Minimum 0

latency value: 0
Maximum
value:
4294967295

threshold- Warning threshold for jitter. integer Minimum 0

warning-jitter value: 0
Maximum
value:
4294967295

threshold-alert- Alert threshold for jitter. integer Minimum 0

jitter value: 0
Maximum
value:
4294967295

vrf Virtual Routing Forwarding ID. integer Minimum 0

value: 0
Maximum
value: 251

source Source IP address used in the health- ipv4- Not Specified 0.0.0.0
check packet to the server. address

source6 Source IPv6 address used in the health- ipv6- Not Specified ::
check packet to server. address

members Member sequence number list. integer Minimum

<seq-num> Member sequence number. value: 0
Maximum
value:
4294967295

mos-codec Codec to use for MOS calculation. option - g711

Option Description

g711 Calculate MOS based on the G.711 codec.

g722 Calculate MOS based on the G.722 codec.

g729 Calculate MOS based on the G.729 codec.

class-id Traffic class ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1625

Fortinet Inc.
config sla

Parameter Description Type Size Default

health-check SD-WAN health-check. string Maximum

length: 35

id SLA ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

config members

Parameter Description Type Size Default

seq-num Sequence number. integer Minimum 0

value: 0
Maximum
value: 512

interface Interface name. string Maximum

length: 15

zone Zone name. string Maximum virtual-wan-

length: 35 link

gateway The default gateway for this interface. Usually the ipv4- Not Specified 0.0.0.0
default gateway of the Internet service provider that address
this interface is connected to.

preferred- Preferred source of route for this member. ipv4- Not Specified 0.0.0.0
source address

source Source IP address used in the health-check packet to ipv4- Not Specified 0.0.0.0
the server. address

gateway6 IPv6 gateway. ipv6- Not Specified ::

address

source6 Source IPv6 address used in the health-check packet ipv6- Not Specified ::
to the server. address

cost Cost of this interface for services in SLA mode. integer Minimum 0
value: 0
Maximum
value:
4294967295

weight Weight of this interface for weighted load balancing. integer Minimum 1
More traffic is directed to interfaces with higher value: 1
weights. Maximum
value: 255

FortiOS 7.4.4 CLI Reference 1626

Fortinet Inc.
Parameter Description Type Size Default

priority Priority of the interface for IPv4. Used for SD-WAN integer Minimum 1
rules or priority rules. value: 1
Maximum
value: 65535

priority6 Priority of the interface for IPv6. Used for SD-WAN integer Minimum 1024
rules or priority rules. value: 1
Maximum
value: 65535

spillover- Egress spillover threshold for this interface. When integer Minimum 0
threshold this traffic volume threshold is reached, new sessions value: 0
spill over to other interfaces in the SD-WAN. Maximum
value:
16776000

ingress- Ingress spillover threshold for this interface. When integer Minimum 0
spillover- this traffic volume threshold is reached, new sessions value: 0
threshold spill over to other interfaces in the SD-WAN. Maximum
value:
16776000

volume-ratio Measured volume ratio. integer Minimum 1

value: 1
Maximum
value: 255

status Enable/disable this interface in the SD-WAN. option - enable

Option Description

disable Disable this interface in the SD-WAN.

enable Enable this interface in the SD-WAN.

transport- Measured transport group. integer Minimum 0

group value: 0
Maximum
value: 255

comment Comments. var-string Maximum

length: 255

config neighbor

Parameter Description Type Size Default

ip IP/IPv6 address of neighbor or neighbor-group string Maximum

name. length: 45

FortiOS 7.4.4 CLI Reference 1627

Fortinet Inc.
Parameter Description Type Size Default

member Member sequence number list. integer Minimum

<seq-num> Member sequence number. value: 0
Maximum
value:
4294967295

service-id SD-WAN service ID to work with the neighbor. integer Minimum 0

value: 0
Maximum
value:
4294967295

minimum-sla- Minimum number of members which meet SLA integer Minimum 1

meet- when the neighbor is preferred. value: 1
members Maximum
value: 255

mode What metric to select the neighbor. option - sla

Option Description

sla Select neighbor based on SLA link quality.

speedtest Select neighbor based on the speedtest status.

role Role of neighbor. option - standalone

Option Description

standalone Standalone neighbor.

primary Primary neighbor.

secondary Secondary neighbor.

health-check SD-WAN health-check name. string Maximum

length: 35

sla-id SLA ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1628

Fortinet Inc.
config service

Parameter Description Type Size Default

id SD-WAN rule ID. integer Minimum 0

value: 1
Maximum
value: 4000

name SD-WAN rule name. string Maximum

length: 35

addr-mode Address mode (IPv4 or IPv6). option - ipv4

Option Description

ipv4 IPv4 mode.

ipv6 IPv6 mode.

load-balance Enable/disable load-balance. option - disable

Option Description

enable Enable load-balance.

disable Disable load-balance.

input-device Source interface name. string Maximum

<name> Interface name. length: 79

input-device- Enable/disable negation of input device match. option - disable

negate

Option Description

enable Enable negation of input device match.

disable Disable negation of input device match.

input-zone Source input-zone name. string Maximum

<name> Zone. length: 79

mode Control how the SD-WAN rule sets the priority of option - manual
interfaces in the SD-WAN.

Option Description

auto Assign interfaces a priority based on quality.

manual Assign interfaces a priority manually.

priority Assign interfaces a priority based on the link-cost-factor quality of the

interface.

sla Assign interfaces a priority based on selected SLA settings.

FortiOS 7.4.4 CLI Reference 1629

Fortinet Inc.
Parameter Description Type Size Default

zone-mode Enable/disable zone mode. option - disable

Option Description

enable Traffic steered based on zone.

disable Traffic steered based on member.

minimum-sla- Minimum number of members which meet SLA. integer Minimum 0

meet-members value: 0
Maximum
value: 255

hash-mode Hash algorithm for selected priority members for option - round-robin
load balance mode.

Option Description

round-robin All traffic are distributed to selected interfaces in equal portions and circular
order.

source-ip-based All traffic from a source IP is sent to the same interface.

source-dest-ip- All traffic from a source IP to a destination IP is sent to the same interface.
based

inbandwidth All traffic are distributed to a selected interface with most available
bandwidth for incoming traffic.

outbandwidth All traffic are distributed to a selected interface with most available
bandwidth for outgoing traffic.

value: 0
Maximum
value: 255

tos Type of service bit pattern. user Not Specified

tos-mask Type of service evaluated bits. user Not Specified

protocol Protocol number. integer Minimum 0

value: 0
Maximum
value: 255

dst-negate Enable/disable negation of destination address option - disable

match.

Option Description

enable Enable destination address negation.

disable Disable destination address negation.

src <name> Source address name. string Maximum

Address or address group name. length: 79

dst6 <name> Destination address6 name. string Maximum

Address6 or address6 group name. length: 79

src6 <name> Source address6 name. string Maximum

Address6 or address6 group name. length: 79

src-negate Enable/disable negation of source address match. option - disable

Option Description

enable Enable source address negation.

disable Disable source address negation.

users <name> User name. string Maximum

User name. length: 79

groups <name> User groups. string Maximum

Group name. length: 79

internet-service Enable/disable use of Internet service for option - disable

application-based load balancing.

Option Description

enable Enable cloud service to support application-based load balancing.

disable Disable cloud service to support application-based load balancing.

internet-service- Custom Internet service name list. string Maximum

custom <name> Custom Internet service name. length: 79

internet-service- Custom Internet Service group list. string Maximum

custom-group Custom Internet Service group name. length: 79
<name>

internet-service- Internet service name list. string Maximum

name <name> Internet service name. length: 79

internet-service- Internet Service group list. string Maximum

group <name> Internet Service group name. length: 79

FortiOS 7.4.4 CLI Reference 1632

Fortinet Inc.
Parameter Description Type Size Default

internet-service- Application control based Internet Service ID list. integer Minimum

app-ctrl <id> Application control based Internet Service ID. value: 0
Maximum
value:
4294967295

internet-service- Application control based Internet Service group string Maximum

app-ctrl-group list. length: 79
<name> Application control based Internet Service group
name.

internet-service- IDs of one or more application control categories. integer Minimum

app-ctrl- Application control category ID. value: 0
category <id> Maximum
value:
4294967295

health-check Health check list. string Maximum

<name> Health check name. length: 79

link-cost-factor Link cost factor. option - latency

Option Description

latency Select link based on latency.

jitter Select link based on jitter.

packet-loss Select link based on packet loss.

inbandwidth Select link based on available bandwidth of incoming traffic.

outbandwidth Select link based on available bandwidth of outgoing traffic.

bibandwidth Select link based on available bandwidth of bidirectional traffic.

custom-profile-1 Select link based on customized profile.

packet-loss- Coefficient of packet-loss in the formula of integer Minimum 0

weight custom-profile-1. value: 0
Maximum
value:
10000000

latency-weight Coefficient of latency in the formula of custom- integer Minimum 0

profile-1. value: 0
Maximum
value:
10000000

FortiOS 7.4.4 CLI Reference 1633

Fortinet Inc.
Parameter Description Type Size Default

jitter-weight Coefficient of jitter in the formula of custom-profile- integer Minimum 0

1. value: 0
Maximum
value:
10000000

bandwidth- Coefficient of reciprocal of available bidirectional integer Minimum 0

weight bandwidth in the formula of custom-profile-1. value: 0
Maximum
value:
10000000

link-cost- Percentage threshold change of link cost values integer Minimum 10

threshold that will result in policy route regeneration. value: 0
Maximum
value:
10000000

hold-down-time Waiting period in seconds when switching from integer Minimum 0

the back-up member to the primary member. value: 0
Maximum
value:
10000000

sla-stickiness Enable/disable SLA stickiness. option - disable

Option Description

enable Traffic remains in the original session path if the path is within the SLA.

disable Traffic switches to the best path regardless of the SLA.

dscp-forward Enable/disable forward traffic DSCP tag. option - disable

Option Description

enable Enable use of forward DSCP tag.

disable Disable use of forward DSCP tag.

dscp-reverse Enable/disable reverse traffic DSCP tag. option - disable

Option Description

enable Enable use of reverse DSCP tag.

disable Disable use of reverse DSCP tag.

dscp-forward- Forward traffic DSCP tag. user Not Specified

tag

enable Enable use of SD-WAN as default service.

disable Disable use of SD-WAN as default service.

sla-compare- Method to compare SLA value for SLA mode. option - order
method

Option Description

order Compare SLA value based on the order of health-check.

number Compare SLA value based on the number of satisfied health-check. Limits
health-checks to only configured member interfaces.

tie-break Method of selecting member if more than one option - zone

meets the SLA.

Option Description

zone Use the setting that is configured for the members' zone.

FortiOS 7.4.4 CLI Reference 1635

Fortinet Inc.
Parameter Description Type Size Default

Option Description

cfg-order Members that meet the SLA are selected in the order they are configured.

fib-best-match Members that meet the SLA are selected that match the longest prefix in the
routing table.

input-device Members that meet the SLA are selected by matching the input device.

Option Description

enable Enable use of ADVPN shortcut for this service.

disable Disable use of ADVPN shortcut for this service.

config sla

Parameter Description Type Size Default

health-check SD-WAN health-check. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 1636

Fortinet Inc.
Parameter Description Type Size Default

id SLA ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

config zone

Parameter Description Type Size Default

name Zone name. string Maximum

length: 35

advpn-select Enable/disable selection of ADVPN based on SDWAN option - disable

information.

Option Description

enable Enable selection of ADVPN based on SDWAN information.

disable Disable selection of ADVPN based on SDWAN information.

advpn-health- Health check for ADVPN local overlay link quality. string Maximum
check length: 35

service-sla- Method of selecting member if more than one meets the option - cfg-order
tie-break SLA.

Option Description

cfg-order Members that meet the SLA are selected in the order they are configured.

fib-best-match Members that meet the SLA are selected that match the longest prefix in the
routing table.

input-device Members that meet the SLA are selected by matching the input device.

minimum-sla- Minimum number of members which meet SLA when integer Minimum 1
meet- the neighbor is preferred. value: 1
members Maximum
value: 255

FortiOS 7.4.4 CLI Reference 1637

Fortinet Inc.
config system serial-port

Serial port list.

config system serial-port
Description: Serial port list.
edit <name>
next
end

config system serial-port

Parameter Description Type Size Default

name Serial port name. string Maximum

length: 35

config system session-helper

Configure session helper.

config system session-helper
Description: Configure session helper.
edit <id>
set name [ftp|tftp|...]
set port {integer}

FortiOS 7.4.4 CLI Reference 1638

Fortinet Inc.
set protocol {integer}
next
end

config system session-helper

Parameter Description Type Size Default

id Session helper ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Helper name. option -

Option Description

ftp FTP.

tftp TFTP.

ras RAS.

h323 H323.

tns TNS.

mms MMS.

sip SIP.

pptp PPTP.

rtsp RTSP.

dns-udp DNS UDP.

dns-tcp DNS TCP.

pmap PMAP.

rsh RSH.

dcerpc DCERPC.

mgcp MGCP.

port Protocol port. integer Minimum 0

value: 1
Maximum
value: 65535

protocol Protocol number. integer Minimum 0

value: 0
Maximum
value: 255

FortiOS 7.4.4 CLI Reference 1639

Fortinet Inc.
config system session-ttl

Configure global session TTL timers for this FortiGate.

config system session-ttl
Description: Configure global session TTL timers for this FortiGate.
set default {user}
config port
Description: Session TTL port.
edit <id>
set protocol {integer}
set start-port {integer}
set end-port {integer}
set timeout {user}
set refresh-direction [both|outgoing|...]
next
end
end

config system session-ttl

Parameter Description Type Size Default

default Default timeout. user Not

Specified

config port

Parameter Description Type Size Default

refresh- Configure refresh direction. option - both

direction

Option Description

both Refresh both directions.

outgoing Refresh outgoing direction (original).

incoming Refresh incoming direction (reply).

config system settings

Configure VDOM settings.

config system settings
Description: Configure VDOM settings.
set allow-linkdown-path [enable|disable]
set allow-subnet-overlap [enable|disable]
set application-bandwidth-tracking [disable|enable]
set asymroute [enable|disable]
set asymroute-icmp [enable|disable]
set asymroute6 [enable|disable]
set asymroute6-icmp [enable|disable]
set auxiliary-session [enable|disable]
set bfd [enable|disable]
set bfd-desired-min-tx {integer}
set bfd-detect-mult {integer}
set bfd-dont-enforce-src-port [enable|disable]
set bfd-required-min-rx {integer}
set block-land-attack [disable|enable]
set central-nat [enable|disable]
set comments {var-string}
set default-app-port-as-service [enable|disable]
set default-policy-expiry-days {integer}
set default-voip-alg-mode [proxy-based|kernel-helper-based]
set deny-tcp-with-icmp [enable|disable]
set detect-unknown-esp [enable|disable]
set device {string}
set dhcp-proxy [enable|disable]
set dhcp-proxy-interface {string}
set dhcp-proxy-interface-select-method [auto|sdwan|...]
set dhcp-server-ip {user}
set dhcp6-server-ip {user}

FortiOS 7.4.4 CLI Reference 1641

Fortinet Inc.
set discovered-device-timeout {integer}
set dyn-addr-session-check [enable|disable]
set ecmp-max-paths {integer}
set email-portal-check-dns [disable|enable]
set ext-resource-session-check [enable|disable]
set firewall-session-dirty [check-all|check-new|...]
set fqdn-session-check [enable|disable]
set fw-session-hairpin [enable|disable]
set gateway {ipv4-address}
set gateway6 {ipv6-address}
set gui-advanced-policy [enable|disable]
set gui-advanced-wireless-features [enable|disable]
set gui-allow-unnamed-policy [enable|disable]
set gui-antivirus [enable|disable]
set gui-ap-profile [enable|disable]
set gui-application-control [enable|disable]
set gui-casb [enable|disable]
set gui-default-policy-columns <name1>, <name2>, ...
set gui-dhcp-advanced [enable|disable]
set gui-dlp-profile [enable|disable]
set gui-dns-database [enable|disable]
set gui-dnsfilter [enable|disable]
set gui-dos-policy [enable|disable]
set gui-dynamic-device-os-id [enable|disable]
set gui-dynamic-routing [enable|disable]
set gui-email-collection [enable|disable]
set gui-enforce-change-summary [disable|require|...]
set gui-explicit-proxy [enable|disable]
set gui-file-filter [enable|disable]
set gui-fortiap-split-tunneling [enable|disable]
set gui-fortiextender-controller [enable|disable]
set gui-icap [enable|disable]
set gui-implicit-policy [enable|disable]
set gui-ips [enable|disable]
set gui-load-balance [enable|disable]
set gui-local-in-policy [enable|disable]
set gui-multicast-policy [enable|disable]
set gui-multiple-interface-policy [enable|disable]
set gui-object-colors [enable|disable]
set gui-ot [enable|disable]
set gui-policy-based-ipsec [enable|disable]
set gui-policy-disclaimer [enable|disable]
set gui-proxy-inspection [enable|disable]
set gui-route-tag-address-creation [enable|disable]
set gui-security-profile-group [enable|disable]
set gui-spamfilter [enable|disable]
set gui-sslvpn [enable|disable]
set gui-sslvpn-personal-bookmarks [enable|disable]
set gui-sslvpn-realms [enable|disable]
set gui-switch-controller [enable|disable]
set gui-threat-weight [enable|disable]
set gui-traffic-shaping [enable|disable]
set gui-videofilter [enable|disable]
set gui-virtual-patch-profile [enable|disable]
set gui-voip-profile [enable|disable]
set gui-vpn [enable|disable]

FortiOS 7.4.4 CLI Reference 1642

Fortinet Inc.
set gui-waf-profile [enable|disable]
set gui-wan-load-balancing [enable|disable]
set gui-wanopt-cache [enable|disable]
set gui-webfilter [enable|disable]
set gui-webfilter-advanced [enable|disable]
set gui-wireless-controller [enable|disable]
set gui-ztna [enable|disable]
set h323-direct-model [disable|enable]
set http-external-dest [fortiweb|forticache]
set ike-dn-format [with-space|no-space]
set ike-policy-route [enable|disable]
set ike-port {integer}
set ike-quick-crash-detect [enable|disable]
set ike-session-resume [enable|disable]
set ike-tcp-port {integer}
set internet-service-app-ctrl-size {integer}
set internet-service-database-cache [disable|enable]
set ip {ipv4-classnet-host}
set ip6 {ipv6-prefix}
set lan-extension-controller-addr {string}
set link-down-access [enable|disable]
set lldp-reception [enable|disable|...]
set lldp-transmission [enable|disable|...]
set location-id {ipv4-address}
set mac-ttl {integer}
set manageip {user}
set manageip6 {ipv6-prefix}
set multicast-forward [enable|disable]
set multicast-skip-policy [enable|disable]
set multicast-ttl-notchange [enable|disable]
set nat46-force-ipv4-packet-forwarding [enable|disable]
set nat46-generate-ipv6-fragment-header [enable|disable]
set nat64-force-ipv6-packet-forwarding [enable|disable]
set ngfw-mode [profile-based|policy-based]
set opmode [nat|transparent]
set policy-offload-level [disable|dos-offload]
set prp-trailer-action [enable|disable]
set sccp-port {integer}
set sctp-session-without-init [enable|disable]
set ses-denied-traffic [enable|disable]
set sip-expectation [enable|disable]
set sip-nat-trace [enable|disable]
set sip-ssl-port {integer}
set sip-tcp-port {integer}
set sip-udp-port {integer}
set snat-hairpin-traffic [enable|disable]
set status [enable|disable]
set strict-src-check [enable|disable]
set tcp-session-without-syn [enable|disable]
set utf8-spam-tagging [enable|disable]
set v4-ecmp-mode [source-ip-based|weight-based|...]
set vdom-type [traffic|lan-extension|...]
set vpn-stats-log {option1}, {option2}, ...
set vpn-stats-period {integer}
set wccp-cache-engine [enable|disable]
end

FortiOS 7.4.4 CLI Reference 1643

disable Disable application bandwidth tracking.

enable Enable application bandwidth tracking.

asymroute Enable/disable IPv4 asymmetric routing. option - disable

Option Description

enable Enable IPv4 asymmetric routing.

disable Disable IPv4 asymmetric routing.

asymroute- Enable/disable ICMP asymmetric routing. option - disable

icmp

Option Description

enable Enable ICMP asymmetric routing.

disable Disable ICMP asymmetric routing.

asymroute6 Enable/disable asymmetric IPv6 routing. option - disable

Option Description

enable Enable asymmetric IPv6 routing.

disable Disable asymmetric IPv6 routing.

enable Enable Bi-directional Forwarding Detection (BFD) on all interfaces.

disable Disable Bi-directional Forwarding Detection (BFD) on all interfaces.

bfd-desired- BFD desired minimal transmit interval. integer Minimum 250

min-tx value: 1
Maximum
value: 100000

bfd-detect-mult BFD detection multiplier. integer Minimum 3

value: 1
Maximum
value: 50

bfd-dont- Enable to not enforce verifying the source port of option - disable
enforce-src- BFD Packets.
port

Option Description

enable Enable verifying the source port of BFD Packets.

disable Disable verifying the source port of BFD Packets.

bfd-required- BFD required minimal receive interval. integer Minimum 250

min-rx value: 1
Maximum
value: 100000

FortiOS 7.4.4 CLI Reference 1645

Fortinet Inc.
Parameter Description Type Size Default

block-land- Enable/disable blocking of land attacks. option - disable

attack

Option Description

disable Do not block land attack.

enable Block land attack.

central-nat Enable/disable central NAT. option - disable

Option Description

enable Enable central NAT.

disable Disable central NAT.

comments VDOM comments. var-string Maximum

length: 255

default-app- Enable/disable policy service enforcement based option - enable

port-as-service on application default ports.

Option Description

enable Enable setting.

disable Disable setting.

default-policy- Default policy expiry in days. integer Minimum 30

expiry-days value: 0
Maximum
value: 365

default-voip- Configure how the FortiGate handles VoIP traffic option - proxy-
alg-mode when a policy that accepts the traffic doesn't include based
a VoIP profile.

Option Description

proxy-based Use a default proxy-based VoIP ALG.

kernel-helper- Use the SIP session helper.

based

deny-tcp-with- Enable/disable denying TCP by sending an ICMP option - disable

icmp communication prohibited packet.

Option Description

enable Deny TCP with ICMP.

disable Disable denying TCP with ICMP.

FortiOS 7.4.4 CLI Reference 1646

Fortinet Inc.
Parameter Description Type Size Default

detect- Enable/disable detection of unknown ESP packets. option - enable

unknown-esp

Option Description

enable Enable detection of unknown ESP packets and drop the ESP packet if it's
unknown.

disable Disable detection of unknown ESP packets.

device Interface to use for management access for NAT string Maximum
mode. length: 35

dhcp-proxy Enable/disable the DHCP Proxy. option - disable

Option Description

enable Enable the DHCP proxy.

disable Disable the DHCP proxy.

dhcp-proxy- Specify outgoing interface to reach server. string Maximum

interface length: 15

dhcp-proxy- Specify how to select outgoing interface to reach option - auto

interface- server.
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

dhcp-server-ip DHCP Server IPv4 address. user Not Specified

dhcp6-server-ip DHCPv6 server IPv6 address. user Not Specified

discovered- Timeout for discovered devices. integer Minimum 28

device-timeout value: 1
Maximum
value: 365

dyn-addr- Enable/disable dirty session check caused by option - disable

session-check dynamic address updates.

Option Description

enable Enable dirty session check caused by dynamic address updates.

disable Disable dirty session check caused by dynamic address updates.

FortiOS 7.4.4 CLI Reference 1647

Fortinet Inc.
Parameter Description Type Size Default

ecmp-max- Maximum number of Equal Cost Multi-Path. integer Minimum 255

paths value: 1
Maximum
value: 255

email-portal- Enable/disable using DNS to validate email option - enable

check-dns addresses collected by a captive portal.

Option Description

disable Disable email address checking with DNS.

enable Enable email address checking with DNS.

ext-resource- Enable/disable dirty session check caused by option - disable

session-check external resource updates.

Option Description

enable Enable dirty session check caused by external resource updates.

disable Disable dirty session check caused by external resource updates.

firewall- Select how to manage sessions affected by firewall option - check-all

session-dirty policy configuration changes.

Option Description

check-all All sessions affected by a firewall policy change are flushed from the session
table. When new packets are received they are re-evaluated by stateful
inspection and re-added to the session table.

check-new Established sessions for changed firewall policies continue without being
affected by the policy configuration change. New sessions are evaluated
according to the new firewall policy configuration.

check-policy- Sessions are managed individually depending on the firewall policy. Some
option sessions may restart. Some may continue.

fqdn-session- Enable/disable dirty session check caused by option - disable

check FQDN updates.

Option Description

enable Enable dirty session check caused by FQDN updates.

disable Disable dirty session check caused by FQDN updates.

fw-session- Enable/disable checking for a matching policy each option - disable

hairpin time hairpin traffic goes through the FortiGate.

FortiOS 7.4.4 CLI Reference 1648

Fortinet Inc.
Parameter Description Type Size Default

disable Disable the requirement for policy naming on the GUI.

gui-antivirus Enable/disable AntiVirus on the GUI. option - enable

Option Description

enable Enable AntiVirus on the GUI.

disable Disable Data Loss Prevention on the GUI.

gui-dns- Enable/disable DNS database settings on the GUI. option - disable

database

Option Description

enable Enable DNS database settings on the GUI.

disable Disable DNS database settings on the GUI.

FortiOS 7.4.4 CLI Reference 1650

Fortinet Inc.
Parameter Description Type Size Default

gui-dnsfilter Enable/disable DNS Filtering on the GUI. option - enable **

Option Description

enable Enable DNS Filtering on the GUI.

disable Disable DNS Filtering on the GUI.

gui-dos-policy Enable/disable DoS policies on the GUI. option - enable **

gui-explicit- Enable/disable the explicit proxy on the GUI. option - disable

proxy

Option Description

enable Enable the explicit proxy on the GUI.

disable Disable the explicit proxy on the GUI.

gui-file-filter Enable/disable File-filter on the GUI. option - enable **

enable Enable ICAP on the GUI.

disable Disable ICAP on the GUI.

gui-implicit- Enable/disable implicit firewall policies on the GUI. option - enable

policy

Option Description

enable Enable implicit firewall policies on the GUI.

disable Disable implicit firewall policies on the GUI.

FortiOS 7.4.4 CLI Reference 1652

Fortinet Inc.
Parameter Description Type Size Default

gui-ips Enable/disable IPS on the GUI. option - enable **

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable Security Profile Groups on the GUI.

gui-spamfilter Enable/disable Antispam on the GUI. option - disable

patch-profile

Option Description

enable Enable Virtual Patching on the GUI.

disable Disable Virtual Patching on the GUI.

gui-voip-profile Enable/disable VoIP profiles on the GUI. option - disable

Option Description

enable Enable VoIP profiles on the GUI.

disable Disable VoIP profiles on the GUI.

gui-vpn Enable/disable IPsec VPN settings pages on the option - enable

GUI.

Option Description

enable Enable IPsec VPN settings pages on the GUI.

disable Disable IPsec VPN settings pages on the GUI.

enable Enable WAN Optimization and Web Caching on the GUI.

disable Disable WAN Optimization and Web Caching on the GUI.

gui-webfilter Enable/disable Web filtering on the GUI. option - enable **

FortiOS 7.4.4 CLI Reference 1657

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable Zero Trust Network Access features on the GUI.

disable Disable Zero Trust Network Access features on the GUI.

h323-direct- Enable/disable H323 direct model. option - disable

model

Option Description

disable Disable H323 direct model.

enable Enable H323 direct model.

http-external- Offload HTTP traffic to FortiWeb or FortiCache. option - fortiweb

dest

Option Description

fortiweb Offload HTTP traffic to FortiWeb for Web Application Firewall inspection.

forticache Offload HTTP traffic to FortiCache for external web caching and WAN
optimization.

ike-dn-format Configure IKE ASN.1 Distinguished Name format option - with-space

conventions.

Option Description

with-space Format IKE ASN.1 Distinguished Names with spaces between attribute
names and values.

no-space Format IKE ASN.1 Distinguished Names without spaces between attribute
names and values.

ike-policy-route Enable/disable IKE Policy Based Routing (PBR). option - disable

Option Description

enable Enable IKE Policy Based Routing (PBR).

disable Disable IKE Policy Based Routing (PBR).

ike-port UDP port for IKE/IPsec traffic. integer Minimum 500

value: 1024
Maximum
value: 65535

ike-quick- Enable/disable IKE quick crash detection (RFC option - disable

crash-detect 6290).

FortiOS 7.4.4 CLI Reference 1658

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable IKE quick crash detection (RFC 6290).

disable Disable IKE quick crash detection (RFC 6290).

ike-session- Enable/disable IKEv2 session resumption (RFC option - disable

resume 5723).

Option Description

enable Enable IKEv2 session resumption (RFC 5723).

disable Disable IKEv2 session resumption (RFC 5723).

ike-tcp-port TCP port for IKE/IPsec traffic. integer Minimum 4500

value: 1
Maximum
value: 65535

internet- Maximum number of tuple entries. A smaller value integer Minimum 32768
service-app- limits the FortiGate unit from learning about internet value: 0
ctrl-size applications. Maximum
value:
4294967295

internet- Enable/disable Internet Service database caching. option - disable

service-
database-
cache

Option Description

disable Disable Internet Service database caching.

enable Enable Internet Service database caching.

ip IP address and netmask. ipv4- Not Specified 0.0.0.0

classnet- 0.0.0.0
host

ip6 IPv6 address prefix for NAT mode. ipv6-prefix Not Specified ::/0

lan-extension- Controller IP address or FQDN to connect. string Maximum

controller-addr length: 255

link-down- Enable/disable link down access traffic. option - enable

access

FortiOS 7.4.4 CLI Reference 1659

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Allow link down access traffic.

disable Block link down access traffic.

lldp-reception Enable/disable Link Layer Discovery Protocol option - global

(LLDP) reception for this VDOM or apply global
settings to this VDOM.

Option Description

enable Enable LLDP reception for this VDOM.

disable Disable LLDP reception for this VDOM.

global Use the global LLDP reception configuration for this VDOM.

lldp- Enable/disable Link Layer Discovery Protocol option - global

transmission (LLDP) transmission for this VDOM or apply global
settings to this VDOM.

Option Description

enable Enable LLDP transmission for this VDOM.

disable Disable LLDP transmission for this VDOM.

global Use the global LLDP transmission configuration for this VDOM.

location-id Local location ID in the form of an IPv4 address. ipv4- Not Specified 0.0.0.0
address

mac-ttl Duration of MAC addresses in Transparent mode. integer Minimum 300

value: 300
Maximum
value:
8640000

manageip Transparent mode IPv4 management IP address user Not Specified

and netmask.

manageip6 Transparent mode IPv6 management IP address ipv6-prefix Not Specified ::/0
and netmask.

multicast- Enable/disable multicast forwarding. option - enable

forward

Option Description

enable Enable multicast forwarding.

disable Disable multicast forwarding.

enable Enable mandatory IPv6 packet forwarding

disable Disable mandatory IPv6 packet forwarding

FortiOS 7.4.4 CLI Reference 1661

Fortinet Inc.
Parameter Description Type Size Default

ngfw-mode Next Generation Firewall (NGFW) mode. option - profile-

based

Option Description

profile-based Application and web-filtering are configured using profiles applied to policy
entries.

policy-based Application and web-filtering are configured as policy match conditions.

opmode Firewall operation mode (NAT or Transparent). option - nat

Option Description

nat Change to NAT mode.

transparent Change to transparent mode.

policy-offload- Configure firewall policy offload level. option - disable

level *

Option Description

disable Disable policy offloading.

dos-offload Only enable DoS policy offloading.

prp-trailer- Enable/disable action to take on PRP trailer. option - disable

action

Option Description

enable Try to keep PRP trailer.

disable Trim PRP trailer.

sccp-port TCP port the SCCP proxy monitors for SCCP traffic. integer Minimum 2000
value: 0
Maximum
value: 65535

sctp-session- Enable/disable SCTP session creation without option - disable

without-init SCTP INIT.

Option Description

enable Enable SCTP session creation without SCTP INIT.

disable Disable SCTP session creation without SCTP INIT.

enable Record the original SIP source IP address when NAT is used.

disable Do not record the original SIP source IP address when NAT is used.

sip-ssl-port * TCP port the SIP proxy monitors for SIP SSL/TLS integer Minimum 5061
traffic. value: 0
Maximum
value: 65535

sip-tcp-port TCP port the SIP proxy monitors for SIP traffic. integer Minimum 5060
value: 1
Maximum
value: 65535

sip-udp-port UDP port the SIP proxy monitors for SIP traffic. integer Minimum 5060
value: 1
Maximum
value: 65535

snat-hairpin- Enable/disable source NAT (SNAT) for hairpin option - enable

traffic traffic.

Option Description

enable Enable SNAT for hairpin traffic.

disable Disable SNAT for hairpin traffic.

status Enable/disable this VDOM. option - enable

FortiOS 7.4.4 CLI Reference 1663

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable this VDOM.

disable Disable this VDOM.

strict-src-check Enable/disable strict source verification. option - disable

source-ip-based Select next hop based on source IP.

weight-based Select next hop based on weight.

usage-based Select next hop based on usage.

source-dest-ip- Select next hop based on both source and destination IPs.
based

vdom-type Vdom type (traffic, lan-extension or admin). option - traffic

Option Description

traffic Change to traffic VDOM

lan-extension Change to lan-extension VDOM

FortiOS 7.4.4 CLI Reference 1664

Fortinet Inc.
Parameter Description Type Size Default

Option Description

admin Change to admin VDOM

vpn-stats-log Enable/disable periodic VPN log statistics for one or option - ipsec pptp
more types of VPN. Separate names with a space. l2tp ssl

Option Description

ipsec IPsec.

pptp PPTP.

l2tp L2TP.

ssl SSL.

vpn-stats- Period to send VPN log statistics. integer Minimum 600

period value: 0
Maximum
value:
4294967295

wccp-cache- Enable/disable WCCP cache engine. option - disable

engine

Option Description

enable Enable WCCP cache engine.

disable Disable WCCP cache engine.

* This parameter may not exist in some models.

** Values may differ between models.

config system sflow

Configure sFlow.
config system sflow
Description: Configure sFlow.
config collectors
Description: sFlow collectors.
edit <id>
set collector-ip {ipv4-address}
set collector-port {integer}
set source-ip {ipv4-address}
set interface-select-method [auto|sdwan|...]
set interface {string}
next
end
end

FortiOS 7.4.4 CLI Reference 1665

Fortinet Inc.
config collectors

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

collector-ip IP addresses of the sFlow collectors that sFlow ipv4- Not Specified 0.0.0.0
agents added to interfaces in this VDOM send sFlow address
datagrams to.

collector-port UDP port number used for sending sFlow datagrams. integer Minimum 6343
value: 0
Maximum
value: 65535

source-ip Source IP address for sFlow agent. ipv4- Not Specified 0.0.0.0
address

interface- Specify how to select outgoing interface to reach option - auto

select-method server.

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

interface Specify outgoing interface to reach server. string Maximum

length: 15

config system sit-tunnel

Configure IPv6 tunnel over IPv4.

config system sit-tunnel
Description: Configure IPv6 tunnel over IPv4.
edit <name>
set auto-asic-offload [enable|disable]
set destination {ipv4-address}
set interface {string}
set ip6 {ipv6-prefix}
set source {ipv4-address}
set use-sdwan [disable|enable]
next
end

FortiOS 7.4.4 CLI Reference 1666

Fortinet Inc.
config system sit-tunnel

Parameter Description Type Size Default

auto-asic- Enable/disable tunnel ASIC offloading. option - enable

offload *

Option Description

enable Enable auto ASIC offloading.

disable Disable ASIC offloading.

destination Destination IP address of the tunnel. ipv4- Not 0.0.0.0

address Specified

interface Interface name. string Maximum

length: 15

ip6 IPv6 address of the tunnel. ipv6-prefix Not ::/0

Specified

name Tunnel name. string Maximum

length: 15

source Source IP address of the tunnel. ipv4- Not 0.0.0.0

address Specified

use-sdwan Enable/disable use of SD-WAN to reach remote option - disable

gateway.

Option Description

disable Disable use of SD-WAN to reach remote gateway.

enable Enable use of SD-WAN to reach remote gateway.

* This parameter may not exist in some models.

FortiOS 7.4.4 CLI Reference 1667

Fortinet Inc.
config system smc-ntp

This command is available for model(s): FortiGate 1100E, FortiGate 1101E, FortiGate 1800F,
FortiGate 1801F, FortiGate 2600F, FortiGate 2601F, FortiGate 3000F, FortiGate 3001F,
FortiGate 300E, FortiGate 301E, FortiGate 3200F, FortiGate 3201F, FortiGate 3300E,
FortiGate 3301E, FortiGate 3400E, FortiGate 3401E, FortiGate 3500F, FortiGate 3501F,
FortiGate 3600E, FortiGate 3601E, FortiGate 3700F, FortiGate 3701F, FortiGate 3980E,
FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E, FortiGate 401F,
FortiGate 4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F, FortiGate 500E,
FortiGate 501E, FortiGate 600E, FortiGate 600F, FortiGate 601E, FortiGate 601F.
It is not available for: FortiGate 1000D, FortiGate 1000F, FortiGate 1001F, FortiGate 100F,
FortiGate 101F, FortiGate 140E-POE, FortiGate 140E, FortiGate 2000E, FortiGate 200E,
FortiGate 200F, FortiGate 201E, FortiGate 201F, FortiGate 2200E, FortiGate 2201E,
FortiGate 2500E, FortiGate 3000D, FortiGate 3100D, FortiGate 3200D, FortiGate 3700D,
FortiGate 3960E, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 5001E1, FortiGate 5001E,
FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 60F,
FortiGate 61E, FortiGate 61F, FortiGate 70F, FortiGate 71F, FortiGate 800D, FortiGate 80E-
POE, FortiGate 80E, FortiGate 80F Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate
81E-POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 81F, FortiGate 900D, FortiGate 90E,
FortiGate 91E, FortiGate VM64, FortiGateRugged 60F 3G4G, FortiGateRugged 60F,
FortiGateRugged 70F 3G4G, FortiGateRugged 70F, FortiWiFi 40F 3G4G, FortiWiFi 40F,
FortiWiFi 60E DSLJ, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi 61E,
FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE,
FortiWiFi 81F 2R.

Configure SMC NTP information.

config system smc-ntp
Description: Configure SMC NTP information.
set channel {integer}
config ntpserver
Description: Configure the FortiGate SMC to connect to an NTP server.
edit <id>
set server {ipv4-address}
next
end
set ntpsync [enable|disable]
set syncinterval {integer}
end

config system smc-ntp

Parameter Description Type Size Default

channel SMC NTP client will send NTP packets through this integer Minimum 5
channel. value: 1
Maximum
value:
65535

FortiOS 7.4.4 CLI Reference 1668

Fortinet Inc.
Parameter Description Type Size Default

ntpsync Enable/disable setting the FortiGate SMC system time option - disable
by synchronizing with an NTP server.

Option Description

enable Enable synchronization with NTP server in SMC.

disable Disable synchronization with NTP server in SMC.

syncinterval SMC NTP synchronization interval. integer Minimum 60

value: 1
Maximum
value:
65535

config ntpserver

Parameter Description Type Size Default

id NTP server ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

server IP address of the NTP server. ipv4- Not Specified 0.0.0.0

address

config system sms-server

Configure SMS server for sending SMS messages to support user authentication.
config system sms-server
Description: Configure SMS server for sending SMS messages to support user
authentication.
edit <name>
set mail-server {string}
next
end

config system sms-server

Parameter Description Type Size Default

mail-server Email-to-SMS server domain name. string Maximum

length: 63

name Name of SMS server. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 1669

Fortinet Inc.
config system snmp community

SNMP community configuration.

config system snmp community
Description: SNMP community configuration.
edit <id>
set events {option1}, {option2}, ...
config hosts
Description: Configure IPv4 SNMP managers (hosts).
edit <id>
set source-ip {ipv4-address}
set ip {user}
set ha-direct [enable|disable]
set host-type [any|query|...]
next
end
config hosts6
Description: Configure IPv6 SNMP managers.
edit <id>
set source-ipv6 {ipv6-address}
set ipv6 {ipv6-prefix}
set ha-direct [enable|disable]
set host-type [any|query|...]
next
end
set mib-view {string}
set name {string}
set query-v1-port {integer}
set query-v1-status [enable|disable]
set query-v2c-port {integer}
set query-v2c-status [enable|disable]
set status [enable|disable]
set trap-v1-lport {integer}
set trap-v1-rport {integer}
set trap-v1-status [enable|disable]
set trap-v2c-lport {integer}
set trap-v2c-rport {integer}
set trap-v2c-status [enable|disable]
set vdoms <name1>, <name2>, ...
next
end

FortiOS 7.4.4 CLI Reference 1670

Fortinet Inc.
config system snmp community

FortiOS 7.4.4 CLI Reference 1671

Fortinet Inc.
Parameter Description Type Size Default

events SNMP trap events. option - cpu-high mem-

low log-full intf-
ip vpn-tun-up
vpn-tun-down
ha-switch ha-
hb-failure ips-
signature ips-
anomaly av-
virus av-
oversize av-
pattern av-
fragmented fm-
if-change bgp-
established
bgp-backward-
transition ha-
member-up ha-
member-down
ent-conf-
change av-
conserve av-
bypass av-
oversize-
passed av-
oversize-
blocked ips-
pkg-update ips-
fail-open
temperature-
high voltage-
alert power-
supply faz-
disconnect faz
fan-failure wc-
ap-up wc-ap-
down fswctl-
session-up
fswctl-session-
down load-
balance-real-
server-down
per-cpu-high
dhcp pool-
usage ospf-
nbr-state-
change ospf-
virtnbr-state-
change **

FortiOS 7.4.4 CLI Reference 1672

Fortinet Inc.
Parameter Description Type Size Default

Option Description

cpu-high Send a trap when CPU usage is high.

mem-low Send a trap when used memory is high, free memory is low, or freeable
memory is high.

log-full Send a trap when log disk space becomes low.

intf-ip Send a trap when an interface IP address is changed.

vpn-tun-up Send a trap when a VPN tunnel comes up.

vpn-tun-down Send a trap when a VPN tunnel goes down.

ha-switch Send a trap after an HA failover when the backup unit has taken over.

ha-hb-failure Send a trap when HA heartbeats are not received.

ips-signature Send a trap when IPS detects an attack.

ips-anomaly Send a trap when IPS finds an anomaly.

av-virus Send a trap when AntiVirus finds a virus.

av-oversize Send a trap when AntiVirus finds an oversized file.

av-pattern Send a trap when AntiVirus finds file matching pattern.

av-fragmented Send a trap when AntiVirus finds a fragmented file.

fm-if-change Send a trap when FortiManager interface changes. Send a FortiManager trap.

fm-conf-change Send a trap when a configuration change is made by a FortiGate administrator

and the FortiGate is managed by FortiManager.

bgp-established Send a trap when a BGP FSM transitions to the established state.

bgp-backward- Send a trap when a BGP FSM goes from a high numbered state to a lower
transition numbered state.

ha-member-up Send a trap when an HA cluster member goes up.

ha-member- Send a trap when an HA cluster member goes down.

down

ent-conf-change Send a trap when an entity MIB change occurs (RFC4133).

av-conserve Send a trap when the FortiGate enters conserve mode.

av-bypass Send a trap when the FortiGate enters bypass mode.

av-oversize- Send a trap when AntiVirus passes an oversized file.

passed

av-oversize- Send a trap when AntiVirus blocks an oversized file.

blocked

FortiOS 7.4.4 CLI Reference 1673

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ips-pkg-update Send a trap when the IPS signature database or engine is updated.

ips-fail-open Send a trap when the IPS network buffer is full.

temperature-high Send a trap when a temperature sensor registers a temperature that is too
high.

voltage-alert Send a trap when a voltage sensor registers a voltage that is outside of the
normal range.

power-supply Send a trap when a power supply fails or restores.

faz-disconnect Send a trap when a FortiAnalyzer disconnects from the FortiGate.

faz Send a trap when Fortianalyzer main server failover and alternate server take
over, or alternate server failover and main server take over.

fan-failure Send a trap when a fan fails.

wc-ap-up Send a trap when a managed FortiAP comes up.

wc-ap-down Send a trap when a managed FortiAP goes down.

fswctl-session-up Send a trap when a FortiSwitch controller session comes up.

fswctl-session- Send a trap when a FortiSwitch controller session goes down.

down

load-balance- Send a trap when a server load balance real server goes down.
real-server-down

device-new Send a trap when a new device is found.

per-cpu-high Send a trap when per-CPU usage is high.

dhcp Send a trap when the DHCP server exhausts the IP pool, an IP address
already is in use, or a DHCP client interface received a DHCP-NAK.

pool-usage Send a trap about ippool usage.

ospf-nbr-state- Send a trap when there has been a change in the state of a non-virtual OSPF
change neighbor.

ospf-virtnbr- Send a trap when there has been a change in the state of an OSPF virtual
state-change neighbor.

id Community ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1674

Fortinet Inc.
Parameter Description Type Size Default

mib-view SNMP access control MIB view. string Maximum

length: 32

name Community name. string Maximum

length: 35

query-v1-port SNMP v1 query port. integer Minimum 161

value: 1
Maximum
value: 65535

query-v1- Enable/disable SNMP v1 queries. option - enable

status

Option Description

enable Enable setting.

disable Disable setting.

query-v2c- SNMP v2c query port. integer Minimum 161

port value: 0
Maximum
value: 65535

query-v2c- Enable/disable SNMP v2c queries. option - enable

status

Option Description

enable Enable setting.

disable Disable setting.

status Enable/disable this SNMP community. option - enable

Option Description

enable Enable setting.

disable Disable setting.

trap-v1-lport SNMP v1 trap local port. integer Minimum 162

value: 1
Maximum
value: 65535

trap-v1-rport SNMP v1 trap remote port. integer Minimum 162

value: 1
Maximum
value: 65535

trap-v1-status Enable/disable SNMP v1 traps. option - enable

FortiOS 7.4.4 CLI Reference 1675

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

trap-v2c-lport SNMP v2c trap local port. integer Minimum 162

value: 1
Maximum
value: 65535

trap-v2c-rport SNMP v2c trap remote port. integer Minimum 162

value: 1
Maximum
value: 65535

trap-v2c- Enable/disable SNMP v2c traps. option - enable

status

Option Description

enable Enable setting.

disable Disable setting.

vdoms SNMP access control VDOMs. string Maximum

<name> VDOM name. length: 79

** Values may differ between models.

config hosts

Parameter Description Type Size Default

id Host entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

source-ip Source IPv4 address for SNMP traps. ipv4- Not Specified 0.0.0.0
address

ip IPv4 address of the SNMP manager (host). user Not Specified

ha-direct Enable/disable direct management of HA cluster option - disable

members.

Option Description

enable Enable setting.

FortiOS 7.4.4 CLI Reference 1676

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable setting.

host-type Control whether the SNMP manager sends SNMP option - any
queries, receives SNMP traps, or both. No traps will
be sent when IP type is subnet.

Option Description

any Accept queries from and send traps to this SNMP manager.

query Accept queries from this SNMP manager but do not send traps.

trap Send traps to this SNMP manager but do not accept SNMP queries from this
SNMP manager.

config hosts6

Parameter Description Type Size Default

id Host6 entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

source-ipv6 Source IPv6 address for SNMP traps. ipv6- Not Specified ::
address

ipv6 SNMP manager IPv6 address prefix. ipv6-prefix Not Specified ::/0

ha-direct Enable/disable direct management of HA cluster option - disable

members.

Option Description

enable Enable setting.

disable Disable setting.

host-type Control whether the SNMP manager sends SNMP option - any
queries, receives SNMP traps, or both.

Option Description

any Accept queries from and send traps to this SNMP manager.

query Accept queries from this SNMP manager but do not send traps.

trap Send traps to this SNMP manager but do not accept SNMP queries from this
SNMP manager.

FortiOS 7.4.4 CLI Reference 1677

Fortinet Inc.
config system snmp mib-view

SNMP Access Control MIB View configuration.

config system snmp mib-view
Description: SNMP Access Control MIB View configuration.
edit <name>
set exclude {string}
set include {string}
next
end

config system snmp mib-view

Parameter Description Type Size Default

exclude OID subtrees to be excluded in the view. Maximum 64 string Maximum

allowed. length: 79

include OID subtrees to be included in the view. Maximum 16 string Maximum

allowed. length: 79

name MIB view name. string Maximum

length: 32

config system snmp sysinfo

SNMP system info configuration.

config system snmp sysinfo
Description: SNMP system info configuration.
set append-index [enable|disable]
set contact-info {var-string}
set description {var-string}
set engine-id {string}
set engine-id-type [text|hex|...]
set location {var-string}
set status [enable|disable]
set trap-free-memory-threshold {integer}
set trap-freeable-memory-threshold {integer}
set trap-high-cpu-threshold {integer}
set trap-log-full-threshold {integer}
set trap-low-memory-threshold {integer}
end

FortiOS 7.4.4 CLI Reference 1678

Fortinet Inc.
config system snmp sysinfo

Parameter Description Type Size Default

append-index Enable/disable allowance of appending vdom or option - disable

interface index in some RFC tables.

Option Description

enable Enable setting.

disable Disable setting.

contact-info Contact information. var-string Maximum

length: 255

description System description. var-string Maximum

length: 255

engine-id Local SNMP engineID string (maximum 27 characters). string Maximum

length: 54

engine-id- Local SNMP engineID type (text/hex/mac). option - text

type

Option Description

text Text format.

hex Octets format.

mac MAC address format.

location System location. var-string Maximum

length: 255

status Enable/disable SNMP. option - disable

Option Description

enable Enable setting.

disable Disable setting.

trap-free- Free memory usage when trap is sent. integer Minimum 5

memory- value: 1
threshold Maximum
value: 100

trap-freeable- Freeable memory usage when trap is sent. integer Minimum 60

memory- value: 1
threshold Maximum
value: 100

FortiOS 7.4.4 CLI Reference 1679

Fortinet Inc.
Parameter Description Type Size Default

trap-high-cpu- CPU usage when trap is sent. integer Minimum 80

threshold value: 1
Maximum
value: 100

trap-log-full- Log disk usage when trap is sent. integer Minimum 90

threshold value: 1
Maximum
value: 100

trap-low- Memory usage when trap is sent. integer Minimum 80

memory- value: 1
threshold Maximum
value: 100

config system snmp user

SNMP user configuration.

config system snmp user
Description: SNMP user configuration.
edit <name>
set auth-proto [md5|sha|...]
set auth-pwd {password}
set events {option1}, {option2}, ...
set ha-direct [enable|disable]
set mib-view {string}
set notify-hosts {ipv4-address}
set notify-hosts6 {ipv6-address}
set priv-proto [aes|des|...]
set priv-pwd {password}
set queries [enable|disable]
set query-port {integer}
set security-level [no-auth-no-priv|auth-no-priv|...]
set source-ip {ipv4-address}
set source-ipv6 {ipv6-address}
set status [enable|disable]
set trap-lport {integer}
set trap-rport {integer}
set trap-status [enable|disable]
set vdoms <name1>, <name2>, ...
next
end

config system snmp user

Parameter Description Type Size Default

auth-proto Authentication protocol. option - sha

FortiOS 7.4.4 CLI Reference 1680

Fortinet Inc.
Parameter Description Type Size Default

Option Description

md5 HMAC-MD5-96 authentication protocol.

sha HMAC-SHA-96 authentication protocol.

sha224 HMAC-SHA224 authentication protocol.

sha256 HMAC-SHA256 authentication protocol.

sha384 HMAC-SHA384 authentication protocol.

sha512 HMAC-SHA512 authentication protocol.

auth-pwd Password for authentication protocol. password Not

Specified

FortiOS 7.4.4 CLI Reference 1681

Fortinet Inc.
Parameter Description Type Size Default

events SNMP notifications (traps) to send. option - cpu-high mem-

FortiOS 7.4.4 CLI Reference 1682

Fortinet Inc.
Parameter Description Type Size Default

Option Description

cpu-high Send a trap when CPU usage is high.

mem-low Send a trap when used memory is high, free memory is low, or freeable
memory is high.

log-full Send a trap when log disk space becomes low.

intf-ip Send a trap when an interface IP address is changed.

vpn-tun-up Send a trap when a VPN tunnel comes up.

vpn-tun-down Send a trap when a VPN tunnel goes down.

ha-switch Send a trap after an HA failover when the backup unit has taken over.

ha-hb-failure Send a trap when HA heartbeats are not received.

ips-signature Send a trap when IPS detects an attack.

ips-anomaly Send a trap when IPS finds an anomaly.

av-virus Send a trap when AntiVirus finds a virus.

av-oversize Send a trap when AntiVirus finds an oversized file.

av-pattern Send a trap when AntiVirus finds file matching pattern.

av-fragmented Send a trap when AntiVirus finds a fragmented file.

fm-if-change Send a trap when FortiManager interface changes. Send a FortiManager trap.

fm-conf-change Send a trap when a configuration change is made by a FortiGate administrator

and the FortiGate is managed by FortiManager.

bgp-established Send a trap when a BGP FSM transitions to the established state.

bgp-backward- Send a trap when a BGP FSM goes from a high numbered state to a lower
transition numbered state.

ha-member-up Send a trap when an HA cluster member goes up.

ha-member- Send a trap when an HA cluster member goes down.

down

ent-conf-change Send a trap when an entity MIB change occurs (RFC4133).

av-conserve Send a trap when the FortiGate enters conserve mode.

av-bypass Send a trap when the FortiGate enters bypass mode.

av-oversize- Send a trap when AntiVirus passes an oversized file.

passed

av-oversize- Send a trap when AntiVirus blocks an oversized file.

blocked

FortiOS 7.4.4 CLI Reference 1683

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ips-pkg-update Send a trap when the IPS signature database or engine is updated.

ips-fail-open Send a trap when the IPS network buffer is full.

temperature-high Send a trap when a temperature sensor registers a temperature that is too
high.

voltage-alert Send a trap when a voltage sensor registers a voltage that is outside of the
normal range.

power-supply Send a trap when a power supply fails or restores.

faz-disconnect Send a trap when a FortiAnalyzer disconnects from the FortiGate.

faz Send a trap when Fortianalyzer main server failover and alternate server take
over, or alternate server failover and main server take over.

fan-failure Send a trap when a fan fails.

wc-ap-up Send a trap when a managed FortiAP comes up.

wc-ap-down Send a trap when a managed FortiAP goes down.

fswctl-session-up Send a trap when a FortiSwitch controller session comes up.

fswctl-session- Send a trap when a FortiSwitch controller session goes down.

down

load-balance- Send a trap when a server load balance real server goes down.
real-server-down

device-new Send a trap when a new device is found.

per-cpu-high Send a trap when per-CPU usage is high.

dhcp Send a trap when the DHCP server exhausts the IP pool, an IP address
already is in use, or a DHCP client interface received a DHCP-NAK.

pool-usage Send a trap about ippool usage.

ospf-nbr-state- Send a trap when there has been a change in the state of a non-virtual OSPF
change neighbor.

ospf-virtnbr- Send a trap when there has been a change in the state of an OSPF virtual
state-change neighbor.

ha-direct Enable/disable direct management of HA cluster option - disable

members.

disable Disable setting.

query-port SNMPv3 query port. integer Minimum 161

value: 1
Maximum
value:
65535

security-level Security level for message authentication and option - no-auth-no-priv

encryption.

Option Description

no-auth-no-priv Message with no authentication and no privacy (encryption).

auth-no-priv Message with authentication but no privacy (encryption).

auth-priv Message with authentication and privacy (encryption).

source-ip Source IP for SNMP trap. ipv4- Not 0.0.0.0

address Specified

FortiOS 7.4.4 CLI Reference 1685

Fortinet Inc.
Parameter Description Type Size Default

source-ipv6 Source IPv6 for SNMP trap. ipv6- Not ::

address Specified

status Enable/disable this SNMP user. option - enable

Option Description

enable Enable setting.

disable Disable setting.

trap-lport SNMPv3 local trap port. integer Minimum 162

value: 1
Maximum
value:
65535

trap-rport SNMPv3 trap remote port. integer Minimum 162

value: 1
Maximum
value:
65535

trap-status Enable/disable traps for this SNMP user. option - enable

Option Description

enable Enable setting.

disable Disable setting.

vdoms SNMP access control VDOMs. string Maximum

<name> VDOM name. length: 79

** Values may differ between models.

config system speed-test-schedule

Speed test schedule for each interface.

config system speed-test-schedule
Description: Speed test schedule for each interface.
edit <interface>
set ctrl-port {integer}
set diffserv {user}
set dynamic-server [disable|enable]
set mode [UDP|TCP|...]
set schedules <name1>, <name2>, ...
set server-name {string}
set server-port {integer}
set status [disable|enable]
set update-inbandwidth [disable|enable]

FortiOS 7.4.4 CLI Reference 1686

Fortinet Inc.
set update-inbandwidth-maximum {integer}
set update-inbandwidth-minimum {integer}
set update-outbandwidth [disable|enable]
set update-outbandwidth-maximum {integer}
set update-outbandwidth-minimum {integer}
set update-shaper [disable|local|...]
next
end

config system speed-test-schedule

Parameter Description Type Size Default

ctrl-port Port of the controller to get access token. integer Minimum 5200
value: 1
Maximum
value:
65535

diffserv DSCP used for speed test. user Not

Specified

dynamic-server Enable/disable dynamic server option. option - disable

Option Description

disable Disable dynamic server.

enable Enable dynamic server.The speed test server will be found automatically.

interface Interface name. string Maximum

length: 35

mode Protocol Auto, TCP or UDP used for speed test. option - Auto

Option Description

UDP Protocol UDP for speed test.

TCP Protocol TCP for speed test.

Auto Dynamically selects TCP or UDP based on the speed test setting

schedules Schedules for the interface. string Maximum

<name> Name of a firewall recurring schedule. length: 31

server-name Speed test server name. string Maximum

length: 35

server-port Port of the server to run speed test. integer Minimum 5201
value: 1
Maximum
value:
65535

FortiOS 7.4.4 CLI Reference 1687

Fortinet Inc.
Parameter Description Type Size Default

status Enable/disable scheduled speed test. option - enable

Option Description

disable Disable scheduled speed test.

enable Enable scheduled speed test.

update- Enable/disable bypassing interface's inbound option - disable

inbandwidth bandwidth setting.

Option Description

disable Honor interface's inbandwidth shaping.

enable Ignore interface's inbandwidth shaping.

update- Maximum downloading bandwidth (kbps) to be used integer Minimum 0

inbandwidth- in a speed test. value: 0
maximum Maximum
value:
16776000

update- Minimum downloading bandwidth (kbps) to be integer Minimum 0

inbandwidth- considered effective. value: 0
minimum Maximum
value:
16776000

update- Enable/disable bypassing interface's outbound option - disable

outbandwidth bandwidth setting.

Option Description

disable Honor interface's outbandwidth shaping.

enable Ignore updating interface's outbandwidth shaping.

update- Maximum uploading bandwidth (kbps) to be used in a integer Minimum 0

outbandwidth- speed test. value: 0
maximum Maximum
value:
16776000

update- Minimum uploading bandwidth (kbps) to be integer Minimum 0

outbandwidth- considered effective. value: 0
minimum Maximum
value:
16776000

update-shaper Set egress shaper based on the test result. option - disable

FortiOS 7.4.4 CLI Reference 1688

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable updating egress shaper.

local Update local-side egress shaper.

remote Update remote-side egress shaper.

both Update both local-side and remote-side egress shaper.

config system speed-test-server

The config system speed-test-server command is read-only. Administrators cannot

configure custom servers.

Configure speed test server list.

config system speed-test-server
Description: Configure speed test server list.
edit <name>
config host
Description: Hosts of the server.
edit <id>
set ip {ipv4-address}
set port {integer}
set user {string}
set password {password}
set longitude {string}
set latitude {string}
set distance {integer}
next
end
set timestamp {integer}
next
end

config system speed-test-server

Parameter Description Type Size Default

name Speed test server name. string Maximum

length: 35

timestamp Speed test server timestamp. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1689

Fortinet Inc.
config host

Parameter Description Type Size Default

id Server host ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

ip Server host IPv4 address. ipv4- Not Specified 0.0.0.0

address

port Server host port number to communicate with client. integer Minimum 5204
value: 1
Maximum
value: 65535

user Speed test host user name. string Maximum

length: 64

password Speed test host password. password Not Specified

longitude Speed test host longitude. string Maximum

length: 7

latitude Speed test host latitude. string Maximum

length: 7

distance Speed test host distance. integer Minimum 0

value: 0
Maximum
value:
4294967295

config system speed-test-setting

Configure speed test setting.

config system speed-test-setting
Description: Configure speed test setting.
set latency-threshold {integer}
set multiple-tcp-stream {integer}
end

FortiOS 7.4.4 CLI Reference 1690

Fortinet Inc.
config system speed-test-setting

Parameter Description Type Size Default

latency- Speed test latency threshold in milliseconds for the Auto integer Minimum 60
threshold mode. If the latency exceeds this threshold, the speed value: 0
test will use the UDP protocol; otherwise, it will use the Maximum
TCP protocol. value: 2000

multiple-tcp- Number of parallel client streams for the TCP protocol integer Minimum 4
stream to run during the speed test. value: 1
Maximum
value: 64

config system ssh-config

Configure SSH config.

config system ssh-config
Description: Configure SSH config.
set ssh-enc-algo {option1}, {option2}, ...
set ssh-hsk {user}
set ssh-hsk-algo {option1}, {option2}, ...
set ssh-hsk-override [disable|enable]
set ssh-hsk-password {password}
set ssh-kex-algo {option1}, {option2}, ...
set ssh-mac-algo {option1}, {option2}, ...
end

config system ssh-config

Parameter Description Type Size Default

ssh-enc-algo Select one or more SSH ciphers. option - aes256-ctr aes256-

[email protected]

Option Description

[email protected] [email protected]

aes128-ctr aes128-ctr

aes192-ctr aes192-ctr

aes256-ctr aes256-ctr

arcfour256 arcfour256

arcfour128 arcfour128

aes128-cbc aes128-cbc

FortiOS 7.4.4 CLI Reference 1691

Fortinet Inc.
Parameter Description Type Size Default

Option Description

3des-cbc 3des-cbc

blowfish-cbc blowfish-cbc

cast128-cbc cast128-cbc

aes192-cbc aes192-cbc

aes256-cbc aes256-cbc

arcfour arcfour

[email protected] [email protected]

ssh-hsk Config SSH host key. user Not Specified

ssh-hsk-algo Select one or more SSH hostkey option - ecdsa-sha2-nistp521

algorithms. ecdsa-sha2-nistp384
ecdsa-sha2-nistp256
rsa-sha2-256 rsa-
sha2-512 ssh-
ed25519

Option Description

ssh-rsa ssh-rsa

ecdsa-sha2- ecdsa-sha2-nistp521
nistp521

ecdsa-sha2- ecdsa-sha2-nistp384
nistp384

ecdsa-sha2- ecdsa-sha2-nistp256
nistp256

rsa-sha2-256 rsa-sha2-256

rsa-sha2-512 rsa-sha2-512

ssh-ed25519 ssh-ed25519

ssh-hsk- Enable/disable SSH host key option - disable

override override in SSH daemon.

Option Description

disable Disable SSH host key override in SSH daemon.

FortiOS 7.4.4 CLI Reference 1692

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable SSH host key override in SSH daemon.

ssh-hsk- Password for ssh-hostkey. password Not Specified

password

ssh-kex-algo Select one or more SSH kex option - diffie-hellman-

algorithms. group14-sha256 diffie-
hellman-group16-
sha512 diffie-hellman-
group18-sha512 diffie-
hellman-group-
exchange-sha256
curve25519-
[email protected]
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521

Option Description

diffie-hellman- diffie-hellman-group1-sha1
group1-sha1

diffie-hellman- diffie-hellman-group14-sha1
group14-sha1

diffie-hellman- diffie-hellman-group14-sha256
group14-sha256

diffie-hellman- diffie-hellman-group16-sha512
group16-sha512

diffie-hellman- diffie-hellman-group18-sha512
group18-sha512

diffie-hellman-group- diffie-hellman-group-exchange-sha1
exchange-sha1

diffie-hellman-group- diffie-hellman-group-exchange-sha256
exchange-sha256

curve25519- [email protected]
[email protected]

ecdh-sha2-nistp256 ecdh-sha2-nistp256

ecdh-sha2-nistp384 ecdh-sha2-nistp384

ecdh-sha2-nistp521 ecdh-sha2-nistp521

FortiOS 7.4.4 CLI Reference 1693

Fortinet Inc.
Parameter Description Type Size Default

ssh-mac-algo Select one or more SSH MAC option - hmac-sha2-256 hmac-

algorithms. sha2-256-
[email protected]
hmac-sha2-512 hmac-
sha2-512-
[email protected]

Option Description

hmac-md5 hmac-md5

[email protected] [email protected]

hmac-md5-96 hmac-md5-96

[email protected] [email protected]

hmac-sha1 hmac-sha1

[email protected] [email protected]

hmac-sha2-256 hmac-sha2-256

[email protected] [email protected]

hmac-sha2-512 hmac-sha2-512

[email protected] [email protected]

hmac-ripemd160 hmac-ripemd160

[email protected] [email protected]

config system sso-admin

Configure SSO admin users.

config system sso-admin
Description: Configure SSO admin users.
edit <name>
set accprofile {string}
set vdom <name1>, <name2>, ...
next
end

FortiOS 7.4.4 CLI Reference 1694

Fortinet Inc.
config system sso-admin

Parameter Description Type Size Default

accprofile SSO admin user access profile. string Maximum

length: 35

name SSO admin name. string Maximum

length: 64

vdom <name> Virtual domain(s) that the administrator can access. string Maximum
Virtual domain name. length: 79

config system sso-forticloud-admin

Configure FortiCloud SSO admin users.

config system sso-forticloud-admin
Description: Configure FortiCloud SSO admin users.
edit <name>
set accprofile {string}
set vdom <name1>, <name2>, ...
next
end

config system sso-forticloud-admin

Parameter Description Type Size Default

accprofile FortiCloud SSO admin user access profile. string Maximum

length: 35

name FortiCloud SSO admin name. string Maximum

length: 64

vdom <name> Virtual domain(s) that the administrator can access. string Maximum
Virtual domain name. length: 79

config system sso-fortigate-cloud-admin

Configure FortiCloud SSO admin users.

config system sso-fortigate-cloud-admin
Description: Configure FortiCloud SSO admin users.
edit <name>
set accprofile {string}
set vdom <name1>, <name2>, ...
next
end

FortiOS 7.4.4 CLI Reference 1695

Fortinet Inc.
config system sso-fortigate-cloud-admin

Parameter Description Type Size Default

accprofile FortiCloud SSO admin user access profile. string Maximum

length: 35

name FortiCloud SSO admin name. string Maximum

length: 64

vdom <name> Virtual domain(s) that the administrator can access. string Maximum
Virtual domain name. length: 79

config system standalone-cluster

Configure FortiGate Session Life Support Protocol (FGSP) cluster attributes.

config system standalone-cluster
Description: Configure FortiGate Session Life Support Protocol (FGSP) cluster
attributes.
set asymmetric-traffic-control [cps-preferred|strict-anti-replay]
config cluster-peer
Description: Configure FortiGate Session Life Support Protocol (FGSP) session
synchronization.
edit <sync-id>
set peervd {string}
set peerip {ipv4-address}
set syncvd <name1>, <name2>, ...
set down-intfs-before-sess-sync <name1>, <name2>, ...
set hb-interval {integer}
set hb-lost-threshold {integer}
set ipsec-tunnel-sync [enable|disable]
set secondary-add-ipsec-routes [enable|disable]
config session-sync-filter
Description: Add one or more filters if you only want to synchronize some
sessions. Use the filter to configure the types of sessions to synchronize.
set srcintf {string}
set dstintf {string}
set srcaddr {ipv4-classnet-any}
set dstaddr {ipv4-classnet-any}
set srcaddr6 {ipv6-network}
set dstaddr6 {ipv6-network}
config custom-service
Description: Only sessions using these custom services are synchronized.
Use source and destination port ranges to define these custom services.
edit <id>
set src-port-range {user}
set dst-port-range {user}
next
end
end
next
end
set encryption [enable|disable]

FortiOS 7.4.4 CLI Reference 1696

Fortinet Inc.
set group-member-id {integer}
set layer2-connection [available|unavailable]
set psksecret {password-3}
set session-sync-dev {user}
set standalone-group-id {integer}
end

config system standalone-cluster

Parameter Description Type Size Default

asymmetric- Asymmetric traffic control mode. option - cps-preferred

traffic-control

Option Description

cps-preferred Connection per second (CPS) preferred.

strict-anti-replay Strict anti-replay check.

encryption Enable/disable encryption when synchronizing option - disable

sessions.

Option Description

enable Enable encryption when synchronizing sessions.

disable Disable encryption when synchronizing sessions.

group- Cluster member ID. integer Minimum 0

member-id value: 0
Maximum
value: 15

layer2- Indicate whether layer 2 connections are present option - unavailable

connection among FGSP members.

Option Description

available There exist layer 2 connections among FGSP members.

unavailable There does not exist layer 2 connection among FGSP members.

psksecret Pre-shared secret for session synchronization password-3 Not

(ASCII string or hexadecimal encoded with a leading Specified
0x).

session-sync- Offload session-sync process to kernel and sync user Not

dev sessions using connected interface(s) directly. Specified

standalone- Cluster group ID. Must be the same for all members. integer Minimum 0
group-id value: 0
Maximum
value: 255

FortiOS 7.4.4 CLI Reference 1697

Fortinet Inc.
config cluster-peer

Parameter Description Type Size Default

sync-id Sync ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

peervd VDOM that contains the session synchronization link string Maximum root
interface on the peer unit. Usually both peers would length: 31
have the same peervd.

peerip IP address of the interface on the peer unit that is ipv4- Not Specified 0.0.0.0
used for the session synchronization link. address

syncvd Sessions from these VDOMs are synchronized using string Maximum
<name> this session synchronization configuration. length: 79
VDOM name.

down-intfs- List of interfaces to be turned down before session string Maximum

before-sess- synchronization is complete. length: 79
sync <name> Interface name.

hb-interval Heartbeat interval. Increase to reduce false positives. integer Minimum 2

value: 1
Maximum
value: 20

hb-lost- Lost heartbeat threshold. Increase to reduce false integer Minimum 10

threshold positives. value: 1
Maximum
value: 60

ipsec-tunnel- Enable/disable IPsec tunnel synchronization. option - enable

sync

Option Description

enable Enable IPsec tunnel synchronization.

disable Disable IPsec tunnel synchronization.

secondary- Enable/disable IKE route announcement on the option - enable

add-ipsec- backup unit.
routes

Option Description

enable Add IKE routes to the backup unit.

disable Do not add IKE routes to the backup unit.

FortiOS 7.4.4 CLI Reference 1698

Fortinet Inc.
config session-sync-filter

Parameter Description Type Size Default

srcintf Only sessions from this interface are synchronized. string Maximum
length: 15

dstintf Only sessions to this interface are synchronized. string Maximum

length: 15

srcaddr Only sessions from this IPv4 address are synchronized. ipv4- Not 0.0.0.0
classnet- Specified 0.0.0.0
any

dstaddr Only sessions to this IPv4 address are synchronized. ipv4- Not 0.0.0.0
classnet- Specified 0.0.0.0
any

srcaddr6 Only sessions from this IPv6 address are synchronized. ipv6- Not ::/0
network Specified

dstaddr6 Only sessions to this IPv6 address are synchronized. ipv6- Not ::/0
network Specified

config custom-service

Parameter Description Type Size Default

id Custom service ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

src-port-range Custom service source port range. user Not Specified 0-0

dst-port-range Custom service destination port range. user Not Specified 0-0

config system storage

Configure logical storage.

config system storage
Description: Configure logical storage.
edit <name>
set device {string}
set media-status [enable|disable|...]
set order {integer}
set partition {string}
set size {integer}
set status [enable|disable]
set usage [log|wanopt]
set wanopt-mode [mix|wanopt|...]

FortiOS 7.4.4 CLI Reference 1699

Fortinet Inc.
next
end

config system storage

Parameter Description Type Size Default

device Partition device. string Maximum ?

length: 19

media-status The physical status of current media. option - disable

Option Description

enable Storage is enabled.

disable Storage is disabled.

fail Storage have some fail sector.

name Storage name. string Maximum default_n

length: 35

order Set storage order. integer Minimum 0

value: 0
Maximum
value: 255

partition Label of underlying partition. string Maximum <unknown>

length: 16

size Partition size. integer Minimum 0

config system stp

This command is available for model(s): FortiGate 1000F, FortiGate 1001F, FortiGate 100F,
FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 140E-POE, FortiGate 140E,
FortiGate 1800F, FortiGate 1801F, FortiGate 200F, FortiGate 201F, FortiGate 2600F,
FortiGate 2601F, FortiGate 3000F, FortiGate 3001F, FortiGate 300E, FortiGate 301E,
FortiGate 3200F, FortiGate 3201F, FortiGate 3500F, FortiGate 3501F, FortiGate 3700F,
FortiGate 3701F, FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E,
FortiGate 401F, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4201F,
FortiGate 4400F, FortiGate 4401F, FortiGate 600F, FortiGate 601F, FortiGate 60E DSLJ,
FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E,
FortiGate 61F, FortiGate 70F, FortiGate 71F, FortiGate 80E-POE, FortiGate 80E, FortiGate
80F Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 81E-POE, FortiGate 81E,
FortiGate 81F-POE, FortiGate 81F, FortiGate 90E, FortiGate 91E, FortiGateRugged 60F
3G4G, FortiGateRugged 60F, FortiGateRugged 70F 3G4G, FortiGateRugged 70F, FortiWiFi
40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSLJ, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi
60F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi
81F 2R-POE, FortiWiFi 81F 2R.
It is not available for: FortiGate 1000D, FortiGate 2000E, FortiGate 200E, FortiGate 201E,
FortiGate 2200E, FortiGate 2201E, FortiGate 2500E, FortiGate 3000D, FortiGate 3100D,
FortiGate 3200D, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E,
FortiGate 3600E, FortiGate 3601E, FortiGate 3700D, FortiGate 3960E, FortiGate 3980E,
FortiGate 5001E1, FortiGate 5001E, FortiGate 500E, FortiGate 501E, FortiGate 600E,
FortiGate 601E, FortiGate 800D, FortiGate 900D, FortiGate VM64.

Configure Spanning Tree Protocol (STP).

config system stp
Description: Configure Spanning Tree Protocol (STP).
set forward-delay {integer}
set hello-time {integer}
set max-age {integer}
set max-hops {integer}
set switch-priority [0|4096|...]
end

FortiOS 7.4.4 CLI Reference 1701

Fortinet Inc.
config system stp

Parameter Description Type Size Default

forward-delay Forward delay. integer Minimum 15

value: 4
Maximum
value: 30

hello-time Hello time. integer Minimum 2

value: 1
Maximum
value: 10

max-age Maximum packet age. integer Minimum 20

value: 6
Maximum
value: 40

max-hops Maximum number of hops. integer Minimum 20

value: 1
Maximum
value: 40

switch-priority STP switch priority; the lower the number the higher the option - 32768
priority (select from 0, 4096, 8192, 12288, 16384,
20480, 24576, 28672, 32768, 36864, 40960, 45056,
49152, 53248, and 57344).

Option Description

0 0

4096 4096

8192 8192

12288 12288

16384 16384

20480 20480

24576 24576

28672 28672

32768 32768

36864 36864

40960 40960

45056 45056

49152 49152

FortiOS 7.4.4 CLI Reference 1702

Fortinet Inc.
Parameter Description Type Size Default

Option Description

53248 53248

57344 57344

config system switch-interface

Configure software switch interfaces by grouping physical and WiFi interfaces.

config system switch-interface
Description: Configure software switch interfaces by grouping physical and WiFi
interfaces.
edit <name>
set intra-switch-policy [implicit|explicit]
set mac-ttl {integer}
set member <interface-name1>, <interface-name2>, ...
set span [disable|enable]
set span-dest-port {string}
set span-direction [rx|tx|...]
set span-source-port <interface-name1>, <interface-name2>, ...
set type [switch|hub]
set vdom {string}
next
end

config system switch-interface

Parameter Description Type Size Default

intra-switch- Allow any traffic between switch interfaces or require option - implicit
policy firewall policies to allow traffic between switch
interfaces.

Option Description

implicit Traffic between switch members is implicitly allowed.

explicit Traffic between switch members must match firewall policies.

mac-ttl Duration for which MAC addresses are held in the integer Minimum 300
ARP table. value: 300
Maximum
value:
8640000

member Names of the interfaces that belong to the virtual string Maximum
<interface- switch. length: 79
name> Interface name.

FortiOS 7.4.4 CLI Reference 1703

Fortinet Inc.
Parameter Description Type Size Default

name Interface name (name cannot be in use by any other string Maximum
interfaces, VLANs, or inter-VDOM links). length: 15

span Enable/disable port spanning. Port spanning echoes option - disable

traffic received by the software switch to the span
destination port.

Option Description

disable Disable port spanning.

enable Enable port spanning.

span-dest-port SPAN destination port name. All traffic on the SPAN string Maximum
source ports is echoed to the SPAN destination port. length: 15

span-direction The direction in which the SPAN port operates, option - both
either: rx, tx, or both.

Option Description

rx Copies only received packets from source SPAN ports to the destination
SPAN port.

tx Copies only transmitted packets from source SPAN ports to the destination
SPAN port.

both Copies both received and transmitted packets from source SPAN ports to
the destination SPAN port.

span-source-port Physical interface name. Port spanning echoes all string Maximum
<interface- traffic on the SPAN source ports to the SPAN length: 79
name> destination port.
Physical interface name.

type Type of switch based on functionality: switch for option - switch

normal functionality, or hub to duplicate packets to all
port members.

Option Description

switch Switch for normal switch functionality (available in NAT mode only).

hub Hub to duplicate packets to all member ports.

vdom VDOM that the software switch belongs to. string Maximum
length: 31

config system timezone

Show timezone.

FortiOS 7.4.4 CLI Reference 1704

Fortinet Inc.
config system timezone
Description: Show timezone.
edit <name>
next
end

config system timezone

Parameter Description Type Size Default

name Database name of a timezone. string Maximum

length: 63

config system tos-based-priority

Configure Type of Service (ToS) based priority table to set network traffic priorities.
config system tos-based-priority
Description: Configure Type of Service (ToS) based priority table to set network traffic
priorities.
edit <id>
set priority [low|medium|...]
set tos {integer}
next
end

config system tos-based-priority

Parameter Description Type Size Default

id Item ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

priority ToS based priority level to low, medium or high. option - high

Option Description

low Low priority.

medium Medium priority.

high High priority.

tos Value of the ToS byte in the IP datagram header. integer Minimum 0
value: 0
Maximum
value: 15

FortiOS 7.4.4 CLI Reference 1705

Fortinet Inc.
config system vdom-dns

Configure DNS servers for a non-management VDOM.

config system vdom-dns
Description: Configure DNS servers for a non-management VDOM.
set alt-primary {ipv4-address}
set alt-secondary {ipv4-address}
set interface {string}
set interface-select-method [auto|sdwan|...]
set ip6-primary {ipv6-address}
set ip6-secondary {ipv6-address}
set primary {ipv4-address}
set protocol {option1}, {option2}, ...
set secondary {ipv4-address}
set server-hostname <hostname1>, <hostname2>, ...
set server-select-method [least-rtt|failover]
set source-ip {ipv4-address}
set ssl-certificate {string}
set vdom-dns [enable|disable]
end

config system vdom-dns

Parameter Description Type Size Default

alt-primary Alternate primary DNS server. This is not used as a ipv4- Not 0.0.0.0
failover DNS server. address Specified

alt-secondary Alternate secondary DNS server. This is not used as a ipv4- Not 0.0.0.0
failover DNS server. address Specified

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface-select- Specify how to select outgoing interface to reach option - auto

method server.

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

ip6-primary Primary IPv6 DNS server IP address for the VDOM. ipv6- Not ::
address Specified

ip6-secondary Secondary IPv6 DNS server IP address for the VDOM. ipv6- Not ::
address Specified

primary Primary DNS server IP address for the VDOM. ipv4- Not 0.0.0.0
address Specified

FortiOS 7.4.4 CLI Reference 1706

Fortinet Inc.
Parameter Description Type Size Default

protocol DNS transport protocols. option - cleartext

Option Description

cleartext DNS over UDP/53, DNS over TCP/53.

dot DNS over TLS/853.

doh DNS over HTTPS/443.

secondary Secondary DNS server IP address for the VDOM. ipv4- Not 0.0.0.0
address Specified

server- DNS server host name list. string Maximum

hostname DNS server host name list separated by space length: 127
<hostname> (maximum 4 domains).

server-select- Specify how configured servers are prioritized. option - least-rtt

method

Option Description

least-rtt Select servers based on least round trip time.

failover Select servers based on the order they are configured.

source-ip Source IP for communications with the DNS server. ipv4- Not 0.0.0.0
address Specified

ssl-certificate Name of local certificate for SSL connections. string Maximum Fortinet_
length: 35 Factory

vdom-dns Enable/disable configuring DNS servers for the current option - disable
VDOM.

Option Description

enable Enable configuring DNS servers for the current VDOM.

disable Disable configuring DNS servers for the current VDOM.

config system vdom-exception

Global configuration objects that can be configured independently across different ha peers for all VDOMs or for the
defined VDOM scope.
config system vdom-exception
Description: Global configuration objects that can be configured independently across
different ha peers for all VDOMs or for the defined VDOM scope.
edit <id>
set object [log.fortianalyzer.setting|log.fortianalyzer.override-setting|...]
set scope [all|inclusive|...]
set vdom <name1>, <name2>, ...

FortiOS 7.4.4 CLI Reference 1707

Fortinet Inc.
next
end

config system vdom-exception

Parameter Description Type Size Default

id Index. integer Minimum value: 0

1 Maximum
value: 4096

object Name of the configuration object that can option -

be configured independently for all
VDOMs.

Option Description

log.fortianalyzer.setting log.fortianalyzer.setting

log.fortianalyzer.override- log.fortianalyzer.override-setting
setting

log.fortianalyzer2.setting log.fortianalyzer2.setting

log.fortianalyzer2.override- log.fortianalyzer2.override-setting
setting

log.fortianalyzer3.setting log.fortianalyzer3.setting

log.fortianalyzer3.override- log.fortianalyzer3.override-setting
setting

log.fortianalyzer- log.fortianalyzer-cloud.setting
cloud.setting

log.fortianalyzer- log.fortianalyzer-cloud.override-setting
cloud.override-setting

log.syslogd.setting log.syslogd.setting

log.syslogd.override-setting log.syslogd.override-setting

log.syslogd2.setting log.syslogd2.setting

log.syslogd2.override-setting log.syslogd2.override-setting

log.syslogd3.setting log.syslogd3.setting

log.syslogd3.override-setting log.syslogd3.override-setting

log.syslogd4.setting log.syslogd4.setting

log.syslogd4.override-setting log.syslogd4.override-setting

system.gre-tunnel system.gre-tunnel

system.central-management system.central-management

FortiOS 7.4.4 CLI Reference 1708

Fortinet Inc.
Parameter Description Type Size Default

Option Description

system.csf system.csf

user.radius user.radius

log.syslogd.setting log.syslogd.setting

log.syslogd.override-setting log.syslogd.override-setting

firewall.address firewall.address

scope Determine whether the configuration option - all

object can be configured separately for all
VDOMs or if some VDOMs share the same
configuration.

Option Description

all Object configuration independent for all VDOMs.

inclusive Object configuration independent for the listed VDOMs. Other VDOMs use the
global configuration.

exclusive Use the global object configuration for the listed VDOMs. Other VDOMs can
be configured independently.

vdom <name> Names of the VDOMs. string Maximum

VDOM name. length: 79

config system vdom-link

Configure VDOM links.

config system vdom-link
Description: Configure VDOM links.
edit <name>
set type [ppp|ethernet]
set vcluster [vcluster1|vcluster2]
next
end

config system vdom-link

Parameter Description Type Size Default

name VDOM link name (maximum = 11 characters). string Maximum

length: 11

type VDOM link type: PPP or Ethernet. option - ppp

FortiOS 7.4.4 CLI Reference 1709

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ppp PPP VDOM link.

ethernet Ethernet VDOM link.

vcluster Virtual cluster. option - vcluster1

Option Description

vcluster1 Virtual cluster 1.

vcluster2 Virtual cluster 2.

config system vdom-netflow

Configure NetFlow per VDOM.

config system vdom-netflow
Description: Configure NetFlow per VDOM.
config collectors
Description: Netflow collectors.
edit <id>
set collector-ip {string}
set collector-port {integer}
set source-ip {string}
set interface-select-method [auto|sdwan|...]
set interface {string}
next
end
set vdom-netflow [enable|disable]
end

config system vdom-netflow

Parameter Description Type Size Default

vdom-netflow Enable/disable NetFlow per VDOM. option - disable

Option Description

enable Enable NetFlow per VDOM.

disable Disable NetFlow per VDOM.

FortiOS 7.4.4 CLI Reference 1710

Fortinet Inc.
config collectors

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 1
Maximum
value: 6

collector-ip Collector IP. string Maximum

length: 63

collector-port NetFlow collector port number. integer Minimum 2055

value: 0
Maximum
value:
65535

source-ip Source IP address for communication with the NetFlow string Maximum
agent. length: 63

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

interface Specify outgoing interface to reach server. string Maximum

length: 15

config system vdom-property

Configure VDOM property.

config system vdom-property
Description: Configure VDOM property.
edit <name>
set custom-service {user}
set description {string}
set dialup-tunnel {user}
set firewall-address {user}
set firewall-addrgrp {user}
set firewall-policy {user}
set ipsec-phase1 {user}
set ipsec-phase1-interface {user}
set ipsec-phase2 {user}
set ipsec-phase2-interface {user}
set log-disk-quota {user}
set onetime-schedule {user}
set proxy {user}

FortiOS 7.4.4 CLI Reference 1711

Fortinet Inc.
set recurring-schedule {user}
set service-group {user}
set session {user}
set snmp-index {integer}
set sslvpn {user}
set user {user}
set user-group {user}
next
end

config system vdom-property

Parameter Description Type Size Default

custom- Maximum guaranteed number of firewall custom user Not Specified

service services.

description Description. string Maximum

length: 127

dialup-tunnel Maximum guaranteed number of dial-up tunnels. user Not Specified

firewall- Maximum guaranteed number of firewall addresses user Not Specified

address (IPv4, IPv6, multicast).

firewall- Maximum guaranteed number of firewall address user Not Specified

addrgrp groups (IPv4, IPv6).

firewall-policy Maximum guaranteed number of firewall policies user Not Specified

(policy, DoS-policy4, DoS-policy6, multicast).

ipsec-phase1 Maximum guaranteed number of VPN IPsec phase 1 user Not Specified
tunnels.

ipsec-phase1- Maximum guaranteed number of VPN IPsec phase1 user Not Specified
interface interface tunnels.

ipsec-phase2 Maximum guaranteed number of VPN IPsec phase 2 user Not Specified
tunnels.

ipsec-phase2- Maximum guaranteed number of VPN IPsec phase2 user Not Specified
interface interface tunnels.

log-disk-quota Log disk quota in megabytes (MB). Range depends user Not Specified
on how much disk space is available.

name VDOM name. string Maximum

length: 31

onetime- Maximum guaranteed number of firewall one-time user Not Specified

schedule schedules.

proxy Maximum guaranteed number of concurrent proxy user Not Specified

users.

FortiOS 7.4.4 CLI Reference 1712

Fortinet Inc.
Parameter Description Type Size Default

recurring- Maximum guaranteed number of firewall recurring user Not Specified

schedule schedules.

service-group Maximum guaranteed number of firewall service user Not Specified

groups.

session Maximum guaranteed number of sessions. user Not Specified

snmp-index Permanent SNMP Index of the virtual domain. integer Minimum 0

value: 1
Maximum
value:
2147483647

sslvpn Maximum guaranteed number of SSL-VPNs. user Not Specified

user Maximum guaranteed number of local users. user Not Specified

user-group Maximum guaranteed number of user groups. user Not Specified

config system vdom-radius-server

Configure a RADIUS server to use as a RADIUS Single Sign On (RSSO) server for this VDOM.
config system vdom-radius-server
Description: Configure a RADIUS server to use as a RADIUS Single Sign On (RSSO) server
for this VDOM.
edit <name>
set radius-server-vdom {string}
set status [enable|disable]
next
end

config system vdom-radius-server

Parameter Description Type Size Default

name Name of the VDOM that you are adding the RADIUS string Maximum
server to. length: 31

radius-server- Use this option to select another VDOM containing a string Maximum
vdom VDOM RSSO RADIUS server to use for the current length: 31
VDOM.

status Enable/disable the RSSO RADIUS server for this option - disable
VDOM.

Option Description

enable Enable the RSSO RADIUS server for this VDOM.

disable Disable the RSSO RADIUS server for this VDOM.

FortiOS 7.4.4 CLI Reference 1713

Fortinet Inc.
config system vdom-sflow

Configure sFlow per VDOM to add or change the IP address and UDP port that FortiGate sFlow agents in this VDOM
use to send sFlow datagrams to an sFlow collector.
config system vdom-sflow
Description: Configure sFlow per VDOM to add or change the IP address and UDP port that
FortiGate sFlow agents in this VDOM use to send sFlow datagrams to an sFlow collector.
config collectors
Description: sFlow collectors.
edit <id>
set collector-ip {ipv4-address}
set collector-port {integer}
set source-ip {ipv4-address}
set interface-select-method [auto|sdwan|...]
set interface {string}
next
end
set vdom-sflow [enable|disable]
end

config system vdom-sflow

Parameter Description Type Size Default

vdom-sflow Enable/disable the sFlow configuration for the current option - disable
VDOM.

Option Description

enable Enable sFlow for this VDOM.

disable Disable sFlow for this VDOM.

config collectors

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

collector-ip IP addresses of the sFlow collectors that sFlow ipv4- Not Specified 0.0.0.0
agents added to interfaces in this VDOM send sFlow address
datagrams to.

FortiOS 7.4.4 CLI Reference 1714

Fortinet Inc.
Parameter Description Type Size Default

collector-port UDP port number used for sending sFlow datagrams. integer Minimum 6343
value: 0
Maximum
value: 65535

source-ip Source IP address for sFlow agent. ipv4- Not Specified 0.0.0.0
address

interface- Specify how to select outgoing interface to reach option - auto

select-method server.

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

interface Specify outgoing interface to reach server. string Maximum

length: 15

config system vdom

Configure virtual domain.

config system vdom
Description: Configure virtual domain.
edit <name>
set flag {integer}
set short-name {string}
set vcluster-id {integer}
next
end

config system vdom

Parameter Description Type Size Default

flag Flag. integer Minimum 0

value: 0
Maximum
value:
4294967295

name VDOM name. string Maximum

length: 31

short-name VDOM short name. string Maximum

length: 11

FortiOS 7.4.4 CLI Reference 1715

Fortinet Inc.
Parameter Description Type Size Default

vcluster-id Virtual cluster ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

config system vin-alarm

This command is available for model(s): FortiGateRugged 70F 3G4G, FortiGateRugged 70F.
It is not available for: FortiGate 1000D, FortiGate 1000F, FortiGate 1001F, FortiGate 100F,
FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 140E-POE, FortiGate 140E,
FortiGate 1800F, FortiGate 1801F, FortiGate 2000E, FortiGate 200E, FortiGate 200F,
FortiGate 201E, FortiGate 201F, FortiGate 2200E, FortiGate 2201E, FortiGate 2500E,
FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 3000F, FortiGate 3001F,
FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3200F,
FortiGate 3201F, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E,
FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E, FortiGate 3700D,
FortiGate 3700F, FortiGate 3701F, FortiGate 3960E, FortiGate 3980E, FortiGate 400E
Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E, FortiGate 401F, FortiGate 40F
3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F,
FortiGate 5001E1, FortiGate 5001E, FortiGate 500E, FortiGate 501E, FortiGate 600E,
FortiGate 600F, FortiGate 601E, FortiGate 601F, FortiGate 60E DSLJ, FortiGate 60E DSL,
FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E, FortiGate 61F, FortiGate
70F, FortiGate 71F, FortiGate 800D, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F
Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 81E-POE, FortiGate 81E, FortiGate
81F-POE, FortiGate 81F, FortiGate 900D, FortiGate 90E, FortiGate 91E, FortiGate VM64,
FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiWiFi 40F 3G4G, FortiWiFi 40F,
FortiWiFi 60E DSLJ, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi 61E,
FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE,
FortiWiFi 81F 2R.

Configure vin alarm settings.

config system vin-alarm
Description: Configure vin alarm settings.
set psu-1-initial-voltage {integer}
set psu-1-threshold-low-percent {integer}
set psu-2-initial-voltage {integer}
set psu-2-threshold-low-percent {integer}
set status [disable|enable]
end

FortiOS 7.4.4 CLI Reference 1716

Fortinet Inc.
config system vin-alarm

Parameter Description Type Size Default

psu-1-initial- Initial voltage for the first PSU integer Minimum 0

voltage value: 10
Maximum
value: 125

psu-1- Percentage threshold at which the first PSU voltage integer Minimum 80
threshold-low- drops to trigger a low voltage alarm value: 1
percent Maximum
value: 99

psu-2-initial- Initial voltage for the second PSU integer Minimum 0

voltage value: 10
Maximum
value: 125

psu-2- Percentage threshold at which the second PSU voltage integer Minimum 80
threshold-low- drops to trigger a low voltage alarm value: 1
percent Maximum
value: 99

status Enable/disable vin alarm. option - disable

Option Description

disable Disable vin alarm.

enable Enable vin alarm.

FortiOS 7.4.4 CLI Reference 1717

Fortinet Inc.
config system virtual-switch

This command is available for model(s): FortiGate 1000F, FortiGate 1001F, FortiGate 100F,
FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 140E-POE, FortiGate 140E,
FortiGate 1800F, FortiGate 1801F, FortiGate 200F, FortiGate 201F, FortiGate 2600F,
FortiGate 2601F, FortiGate 3000F, FortiGate 3001F, FortiGate 300E, FortiGate 301E,
FortiGate 3200F, FortiGate 3201F, FortiGate 3500F, FortiGate 3501F, FortiGate 3700F,
FortiGate 3701F, FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E,
FortiGate 401F, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4201F,
FortiGate 4400F, FortiGate 4401F, FortiGate 600F, FortiGate 601F, FortiGate 60E DSLJ,
FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E,
FortiGate 61F, FortiGate 70F, FortiGate 71F, FortiGate 80E-POE, FortiGate 80E, FortiGate
80F Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 81E-POE, FortiGate 81E,
FortiGate 81F-POE, FortiGate 81F, FortiGate 90E, FortiGate 91E, FortiGateRugged 60F
3G4G, FortiGateRugged 60F, FortiGateRugged 70F 3G4G, FortiGateRugged 70F, FortiWiFi
40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSLJ, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi
60F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi
81F 2R-POE, FortiWiFi 81F 2R.
It is not available for: FortiGate 1000D, FortiGate 2000E, FortiGate 200E, FortiGate 201E,
FortiGate 2200E, FortiGate 2201E, FortiGate 2500E, FortiGate 3000D, FortiGate 3100D,
FortiGate 3200D, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E,
FortiGate 3600E, FortiGate 3601E, FortiGate 3700D, FortiGate 3960E, FortiGate 3980E,
FortiGate 5001E1, FortiGate 5001E, FortiGate 500E, FortiGate 501E, FortiGate 600E,
FortiGate 601E, FortiGate 800D, FortiGate 900D, FortiGate VM64.

Configure virtual hardware switch interfaces.

config system virtual-switch
Description: Configure virtual hardware switch interfaces.
edit <name>
set physical-switch {string}
config port
Description: Configure member ports.
edit <name>
set alias {string}
next
end
set span [disable|enable]
set span-dest-port {string}
set span-direction [rx|tx|...]
set span-source-port {string}
set vlan {integer}
next
end

FortiOS 7.4.4 CLI Reference 1718

Fortinet Inc.
config system virtual-switch

Parameter Description Type Size Default

name Name of the virtual switch. string Maximum

length: 15

physical- Physical switch parent. string Maximum

switch length: 15

span * Enable/disable SPAN. option - disable

Option Description

disable Disable SPAN.

enable Enable SPAN.

span-dest- SPAN destination port. string Maximum

port * length: 15

span-direction SPAN direction. option - both

Option Description

rx SPAN receive direction only.

tx SPAN transmit direction only.

both SPAN both directions.

span-source- SPAN source port. string Maximum

port * length: 15

vlan * VLAN. integer Minimum 0

value: 0
Maximum
value:
4294967295

* This parameter may not exist in some models.

config port

Parameter Description Type Size Default

name Physical interface name. string Maximum

length: 15

alias Alias. string Maximum

length: 25

FortiOS 7.4.4 CLI Reference 1719

Fortinet Inc.
config system virtual-wire-pair

Configure virtual wire pairs.

config system virtual-wire-pair
Description: Configure virtual wire pairs.
edit <name>
set member <interface-name1>, <interface-name2>, ...
set outer-vlan-id <vlanid1>, <vlanid2>, ...
set poweroff-bypass [enable|disable]
set poweron-bypass [enable|disable]
set vlan-filter {user}
set wildcard-vlan [enable|disable]
next
end

config system virtual-wire-pair

Parameter Description Type Size Default

member Interfaces belong to the virtual-wire-pair. string Maximum

<interface- Interface name. length: 79
name>

name Virtual-wire-pair name. Must be a unique interface string Maximum

name. length: 11

outer-vlan-id Outer VLAN ID. integer Minimum

<vlanid> * VLAN ID (1 - 4094). value: 1
Maximum
value: 4094

poweroff-bypass Enable/disable interface bypass state when power option - disable

* off.

Option Description

hostname Specified

br IPv6 address or FQDN of the border relay. string Maximum

length: 255

http-password HTTP authentication password. password Not

Specified

FortiOS 7.4.4 CLI Reference 1721

Fortinet Inc.
Parameter Description Type Size Default

http- HTTP authentication user name. string Maximum

username length: 64

interface Interface name. string Maximum

length: 15

ipv4-address Tunnel IPv4 address and netmask. ipv4- Not 0.0.0.0

classnet- Specified 0.0.0.0
host

mode VNE tunnel mode. option - map-e

Option Description

map-e Map-e mode.

fixed-ip Fixed-ip mode.

ds-lite DS-Lite mode.

ssl-certificate Name of local certificate for SSL connections. string Maximum Fortinet_
length: 35 Factory

status Enable/disable VNE tunnel. option - disable

Option Description

enable Enable VNE tunnel.

disable Disable VNE tunnel.

update-url URL of provisioning server. string Maximum

length: 511

* This parameter may not exist in some models.

config system vxlan

Configure VXLAN devices.

config system vxlan
Description: Configure VXLAN devices.
edit <name>
set dstport {integer}
set evpn-id {integer}
set interface {string}
set ip-version [ipv4-unicast|ipv6-unicast|...]
set learn-from-traffic [enable|disable]
set multicast-ttl {integer}
set remote-ip <ip1>, <ip2>, ...
set remote-ip6 <ip61>, <ip62>, ...
set vni {integer}
next
end

FortiOS 7.4.4 CLI Reference 1722

Fortinet Inc.
config system vxlan

Parameter Description Type Size Default

dstport VXLAN destination port. integer Minimum 4789

value: 1
Maximum
value:
65535

evpn-id EVPN instance. integer Minimum 0

value: 1
Maximum
value:
65535

interface Outgoing interface for VXLAN encapsulated traffic. string Maximum

length: 15

ip-version IP version to use for the VXLAN interface and so for option - ipv4-unicast
communication over the VXLAN. IPv4 or IPv6 unicast or
multicast.

Option Description

ipv4-unicast Use IPv4 unicast addressing over the VXLAN.

ipv6-unicast Use IPv6 unicast addressing over the VXLAN.

ipv4-multicast Use IPv4 multicast addressing over the VXLAN.

ipv6-multicast Use IPv6 multicast addressing over the VXLAN.

learn-from- Enable/disable VXLAN MAC learning from traffic. option - disable

traffic

Option Description

enable Enable VXLAN MAC learning from traffic.

disable Disable VXLAN MAC learning from traffic.

multicast-ttl VXLAN multicast TTL. integer Minimum 0

value: 1
Maximum
value: 255

name VXLAN device or interface name. Must be a unique string Maximum

interface name. length: 15

remote-ip IPv4 address of the VXLAN interface on the device at string Maximum
<ip> the remote end of the VXLAN. length: 15
IPv4 address.

FortiOS 7.4.4 CLI Reference 1723

Fortinet Inc.
Parameter Description Type Size Default

remote-ip6 IPv6 IP address of the VXLAN interface on the device at string Maximum
<ip6> the remote end of the VXLAN. length: 45
IPv6 address.

vni VXLAN network ID. integer Minimum 0

value: 1
Maximum
value:
16777215

config system wccp

Configure WCCP.
config system wccp
Description: Configure WCCP.
edit <service-id>
set assignment-bucket-format [wccp-v2|cisco-implementation]
set assignment-dstaddr-mask {ipv4-netmask-any}
set assignment-method [HASH|MASK|...]
set assignment-srcaddr-mask {ipv4-netmask-any}
set assignment-weight {integer}
set authentication [enable|disable]
set cache-engine-method [GRE|L2]
set cache-id {ipv4-address}
set forward-method [GRE|L2|...]
set group-address {ipv4-address-multicast}
set password {password}
set ports {user}
set ports-defined [source|destination]
set primary-hash {option1}, {option2}, ...
set priority {integer}
set protocol {integer}
set return-method [GRE|L2|...]
set router-id {ipv4-address}
set router-list {user}
set server-list {user}
set server-type [forward|proxy]
set service-type [auto|standard|...]
next
end

config system wccp

Parameter Description Type Size Default

assignment- Assignment bucket format for the WCCP cache option - cisco-
bucket-format engine. implementation

FortiOS 7.4.4 CLI Reference 1724

Fortinet Inc.
Parameter Description Type Size Default

Option Description

wccp-v2 WCCP-v2 bucket format.

cisco-implementation Cisco bucket format.

assignment- Assignment destination address mask. ipv4- Not 0.0.0.0

dstaddr-mask netmask- Specified
any

assignment- Hash key assignment preference. option - HASH

method

Option Description

HASH HASH assignment method.

MASK MASK assignment method.

any HASH or MASK.

assignment- Assignment source address mask. ipv4- Not 0.0.23.65

ports-defined Match method. option -

Option Description

source Source port match.

destination Destination port match.

primary-hash Hash method. option - dst-ip

Option Description

src-ip Source IP hash.

dst-ip Destination IP hash.

src-port Source port hash.

dst-port Destination port hash.

priority Service priority. integer Minimum 0

value: 0
Maximum
value: 255

protocol Service protocol. integer Minimum 0

value: 0
Maximum
value: 255

return-method Method used to decline a redirected packet and option - GRE

return it to the FortiGate unit.

FortiOS 7.4.4 CLI Reference 1726

Fortinet Inc.
Parameter Description Type Size Default

Option Description

GRE GRE encapsulation.

L2 L2 rewrite.

any GRE or L2.

router-id IP address known to all cache engines. If all ipv4- Not 0.0.0.0
cache engines connect to the same FortiGate address Specified
interface, use the default 0.0.0.0.

router-list IP addresses of one or more WCCP routers. user Not

Specified

server-list IP addresses and netmasks for up to four cache user Not

servers. Specified

server-type Cache server type. option - forward

Option Description

forward Forward server.

proxy Proxy server.

service-id Service ID. string Maximum

length: 3

service-type WCCP service type used by the cache server option - auto
for logical interception and redirection of traffic.

Option Description

auto auto

standard Standard service.

dynamic Dynamic service.

FortiOS 7.4.4 CLI Reference 1727

Fortinet Inc.
config system wireless ap-status

This command is available for model(s): FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E
DSLJ, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F.
It is not available for: FortiGate 1000D, FortiGate 1000F, FortiGate 1001F, FortiGate 100F,
FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 140E-POE, FortiGate 140E,
FortiGate 1800F, FortiGate 1801F, FortiGate 2000E, FortiGate 200E, FortiGate 200F,
FortiGate 201E, FortiGate 201F, FortiGate 2200E, FortiGate 2201E, FortiGate 2500E,
FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 3000F, FortiGate 3001F,
FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3200F,
FortiGate 3201F, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E,
FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E, FortiGate 3700D,
FortiGate 3700F, FortiGate 3701F, FortiGate 3960E, FortiGate 3980E, FortiGate 400E
Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E, FortiGate 401F, FortiGate 40F
3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F,
FortiGate 5001E1, FortiGate 5001E, FortiGate 500E, FortiGate 501E, FortiGate 600E,
FortiGate 600F, FortiGate 601E, FortiGate 601F, FortiGate 60E DSLJ, FortiGate 60E DSL,
FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E, FortiGate 61F, FortiGate
70F, FortiGate 71F, FortiGate 800D, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F
Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 81E-POE, FortiGate 81E, FortiGate
81F-POE, FortiGate 81F, FortiGate 900D, FortiGate 90E, FortiGate 91E, FortiGate VM64,
FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiGateRugged 70F 3G4G,
FortiGateRugged 70F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-
POE, FortiWiFi 81F 2R.

Configure accepted wireless AP.

config system wireless ap-status
Description: Configure accepted wireless AP.
edit <id>
set bssid {mac-address}
set ssid {string}
set status [rogue|accepted|...]
next
end

config system wireless ap-status

Parameter Description Type Size Default

bssid AP's BSSID. mac- Not Specified 00:00:00:00:00:00

address

id AP ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1728

Fortinet Inc.
Parameter Description Type Size Default

ssid AP's ssid string Maximum

length: 32

status AP status. option - rogue

Option Description

rogue Rogue.

accepted Accepted.

suppressed Suppressed.

config system wireless settings

Wireless radio configuration.

config system wireless settings
Description: Wireless radio configuration.
set band [802.11a|802.11b|...]
set beacon-interval {integer}
set bgscan [disable|enable]
set bgscan-idle {integer}
set bgscan-interval {integer}
set channel {integer}
set channel-bonding [enable|disable]

FortiOS 7.4.4 CLI Reference 1729

Fortinet Inc.
set geography [World|Americas|...]
set mode [CLIENT|AP|...]
set power-level {integer}
set rogue-scan [enable|disable]
set rogue-scan-mac-adjacency {integer}
set short-guard-interval [enable|disable]
end

config system wireless settings

Parameter Description Type Size Default

band Band. option - 802.11g

Option Description

802.11a 802.11a.

802.11b 802.11b.

802.11g 802.11g.

802.11g-only 802.11g only.

802.11n 802.11n at 2.4G band.

802.11ng-only 802.11ng only at 2.4G band.

802.11n-only 802.11n only at 2.4G band.

802.11n-5G 802.11n at 5G band.

802.11n-5G-only 802.11n only at 5G band.

802.11ac 802.11ac at 5G band.

802.11acn-only 802.11acn only at 5G band.

802.11ac-only 802.11ac only at 5G band.

beacon- Beacon level. integer Minimum 100

interval value: 25
Maximum
value: 1000

bgscan Enable/disable background rogue AP scan. option - disable

Option Description

disable Disable background rogue AP scan.

enable Enable background rogue AP scan.

bgscan-idle Interval between scanning channels. integer Minimum 250

value: 100
Maximum
value: 1000

FortiOS 7.4.4 CLI Reference 1730

Fortinet Inc.
Parameter Description Type Size Default

bgscan- Interval between two rounds of scanning. integer Minimum 120

interval value: 15
Maximum
value: 3600

channel Channel. integer Minimum 0

value: 0
Maximum
value:
4294967295

channel- Supported channel width. option - disable

Option Description

enable Enable rogue scan.

disable Disable rogue scan.

rogue-scan- MAC adjacency. integer Minimum 7

mac- value: 0
adjacency Maximum
value: 31

short-guard- Enable/disable short guard interval. option - disable

interval

Option Description

enable 400 ns long guard interval.

disable 800 ns short guard interval.

config system zone

Configure zones to group two or more interfaces. When a zone is created you can configure policies for the zone instead
of individual interfaces in the zone.
config system zone
Description: Configure zones to group two or more interfaces. When a zone is created you
can configure policies for the zone instead of individual interfaces in the zone.
edit <name>
set description {string}
set interface <interface-name1>, <interface-name2>, ...
set intrazone [allow|deny]
config tagging
Description: Config object tagging.
edit <name>
set category {string}
set tags <name1>, <name2>, ...
next
end
next
end

config system zone

Parameter Description Type Size Default

description Description. string Maximum

length: 127

FortiOS 7.4.4 CLI Reference 1732

Fortinet Inc.
Parameter Description Type Size Default

interface Add interfaces to this zone. Interfaces must not be string Maximum
<interface- assigned to another zone or have firewall policies length: 79
name> defined.
Select interfaces to add to the zone.

intrazone Allow or deny traffic routing between different option - deny

interfaces in the same zone.

Option Description

allow Allow traffic between interfaces in the zone.

deny Deny traffic between interfaces in the zone.

name Zone name. string Maximum

length: 35

config tagging

Parameter Description Type Size Default

name Tagging entry name. string Maximum

length: 63

category Tag category. string Maximum

length: 63

tags <name> Tags. string Maximum

Tag name. length: 79

FortiOS 7.4.4 CLI Reference 1733

Fortinet Inc.
user

This section includes syntax for the following commands:

l config user adgrp on page 1734
l config user certificate on page 1735
l config user domain-controller on page 1736
l config user exchange on page 1739
l config user external-identity-provider on page 1742
l config user fortitoken on page 1744
l config user fsso-polling on page 1745
l config user fsso on page 1746
l config user group on page 1750
l config user krb-keytab on page 1755
l config user ldap on page 1756
l config user local on page 1763
l config user nac-policy on page 1767
l config user password-policy on page 1770
l config user peer on page 1771
l config user peergrp on page 1773
l config user pop3 on page 1774
l config user quarantine on page 1775
l config user radius on page 1776
l config user saml on page 1791
l config user security-exempt-list on page 1795
l config user setting on page 1796
l config user tacacs+ on page 1800

config user adgrp

Configure FSSO groups.

config user adgrp
Description: Configure FSSO groups.
edit <name>
set connector-source {string}
set id {integer}
set server-name {string}
next
end

FortiOS 7.4.4 CLI Reference 1734

Fortinet Inc.
config user adgrp

Parameter Description Type Size Default

connector- FSSO connector source. string Maximum

source length: 35

id Group ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Name. string Maximum

length: 511

server-name FSSO agent name. string Maximum

length: 35

config user certificate

Configure certificate users.

config user certificate
Description: Configure certificate users.
edit <name>
set common-name {string}
set id {integer}
set issuer {string}
set status [enable|disable]
set type [single-certificate|trusted-issuer]
next
end

config user certificate

Parameter Description Type Size Default

common- Certificate common name. string Maximum

name length: 64

id User ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

issuer CA certificate used for client certificate verification. string Maximum

length: 79

FortiOS 7.4.4 CLI Reference 1735

Fortinet Inc.
Parameter Description Type Size Default

name User name. string Maximum

length: 64

status Enable/disable allowing the certificate user to option - enable

none The server is not configured as an Active Directory Domain Server (AD DS).

ds The server is configured as an Active Directory Domain Server (AD DS).

lds The server is an Active Directory Lightweight Domain Server (AD LDS).

adlds-dn AD LDS distinguished name. string Maximum

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

ip-address Domain controller IPv4 address. ipv4- Not 0.0.0.0

address Specified

ip6 Domain controller IPv6 address. ipv6- Not ::

address Specified

ldap-server LDAP server name(s). string Maximum

<name> LDAP server name. length: 79

name Domain controller entry name. string Maximum

length: 35

password Password for specified username. password Not

Specified

port Port to be used for communication with the domain integer Minimum 445
controller. value: 0
Maximum
value:
65535

FortiOS 7.4.4 CLI Reference 1738

Fortinet Inc.
Parameter Description Type Size Default

replication- Port to be used for communication with the domain integer Minimum 0
port controller for replication service. Port number 0 value: 0
indicates automatic discovery. Maximum
value:
65535

source-ip- FortiGate IPv4 address to be used for communication ipv4- Not 0.0.0.0
address with the domain controller. address Specified

source-ip6 FortiGate IPv6 address to be used for communication ipv6- Not ::

with the domain controller. address Specified

source-port Source port to be used for communication with the integer Minimum 0
domain controller. value: 0
Maximum
value:
65535

username User name to sign in with. Must have proper string Maximum
permissions for service. length: 64

config extra-server

Parameter Description Type Size Default

id Server ID. integer Minimum 0

value: 1
Maximum
value: 100

ip-address Domain controller IP address. ipv4- Not 0.0.0.0

address Specified

port Port to be used for communication with the domain integer Minimum 445
controller. value: 0
Maximum
value:
65535

source-ip- FortiGate IPv4 address to be used for communication ipv4- Not 0.0.0.0
address with the domain controller. address Specified

source-port Source port to be used for communication with the integer Minimum 0
domain controller. value: 0
Maximum
value:
65535

config user exchange

Configure MS Exchange server entries.

FortiOS 7.4.4 CLI Reference 1739

Fortinet Inc.
config user exchange
Description: Configure MS Exchange server entries.
edit <name>
set auth-level [connect|call|...]
set auth-type [spnego|ntlm|...]
set auto-discover-kdc [enable|disable]
set connect-protocol [rpc-over-tcp|rpc-over-http|...]
set domain-name {string}
set http-auth-type [basic|ntlm]
set ip {ipv4-address-any}
set kdc-ip <ipv41>, <ipv42>, ...
set password {password}
set server-name {string}
set ssl-min-proto-version [default|SSLv3|...]
set username {string}
next
end

config user exchange

Parameter Description Type Size Default

auth-level Authentication security level used for the RPC protocol option - privacy
layer.

Option Description

connect RPC authentication level 'connect'.

call RPC authentication level 'call'.

packet RPC authentication level 'packet'.

integrity RPC authentication level 'integrity'.

privacy RPC authentication level 'privacy'.

auth-type Authentication security type used for the RPC protocol option - kerberos
layer.

Option Description

spnego Negotiate authentication.

ntlm NTLM authentication.

kerberos Kerberos authentication.

auto- Enable/disable automatic discovery of KDC IP option - enable

discover-kdc addresses.

Option Description

enable Enable automatic discovery of KDC IP addresses.

disable Disable automatic discovery of KDC IP addresses.

FortiOS 7.4.4 CLI Reference 1740

Fortinet Inc.
Parameter Description Type Size Default

connect- Connection protocol used to connect to MS Exchange option - rpc-over-

protocol service. https

Option Description

rpc-over-tcp Connect using RPC-over-TCP. Use for MS Exchange 2010 and earlier
versions. Supported in MS Exchange 2013.

rpc-over-http Connect using RPC-over-HTTP. Use for MS Exchange 2016 and later
versions. Supported in MS Exchange 2013.

rpc-over-https Connect using RPC-over-HTTPS. Use for MS Exchange 2016 and later
versions. Supported in MS Exchange 2013.

domain-name MS Exchange server fully qualified domain name. string Maximum

length: 79

http-auth-type Authentication security type used for the HTTP option - ntlm
transport.

Option Description

basic Basic HTTP authentication.

ntlm NTLM HTTP authentication.

ip Server IPv4 address. ipv4- Not 0.0.0.0

address- Specified
any

kdc-ip KDC IPv4 addresses for Kerberos authentication. string Maximum

<ipv4> KDC IPv4 addresses for Kerberos authentication. length: 79

name MS Exchange server entry name. string Maximum

length: 35

password Password for the specified username. password Not

Specified

server-name MS Exchange server hostname. string Maximum

length: 63

ssl-min-proto- Minimum SSL/TLS protocol version for HTTPS option - default

version transport.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

FortiOS 7.4.4 CLI Reference 1741

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

username User name used to sign in to the server. Must have string Maximum
proper permissions for service. length: 64

config user external-identity-provider

Configure external identity provider.

config user external-identity-provider
Description: Configure external identity provider.
edit <name>
set group-attr-name {string}
set interface {string}
set interface-select-method [auto|sdwan|...]
set port {integer}
set server-identity-check [disable|enable]
set source-ip {string}
set timeout {integer}
set type {option}
set url {string}
set user-attr-name {string}
set version [v1.0|beta]
next
end

config user external-identity-provider

Parameter Description Type Size Default

group-attr- Group attribute name in authentication query. string Maximum id

name length: 63

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface- Specify how to select outgoing interface to option - auto

select-method reach server.

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

FortiOS 7.4.4 CLI Reference 1742

Fortinet Inc.
Parameter Description Type Size Default

Option Description

specify Set outgoing interface manually.

name External identity provider name. string Maximum

length: 35

port External identity provider service port number. integer Minimum 0

value: 0
Maximum
value:
65535

server- Enable/disable server's identity check against option - enable

identity-check its certificate and subject alternative name(s).

Option Description

disable Do not check server's identity against its certificate and subject alternative
name(s).

enable Check server's identity against its certificate and subject alternative name(s).

source-ip Use this IPv4/v6 address to connect to the string Maximum

external identity provider. length: 63

timeout Connection timeout value in seconds. integer Minimum 5

value: 1
Maximum
value: 60

type External identity provider type. option -

Option Description

ms-graph Microsoft Graph server.

url External identity provider URL (e.g. string Maximum

"https://example.com:8080/api/v1"). length: 127

user-attr- User attribute name in authentication query. string Maximum userPrincipalName

name length: 63

version External identity API version. option -

Option Description

v1.0 MS Graph REST API v1.0.

beta MS Graph REST API beta (debug build only).

FortiOS 7.4.4 CLI Reference 1743

Fortinet Inc.
config user fortitoken

Configure FortiToken.
config user fortitoken
Description: Configure FortiToken.
edit <serial-number>
set activation-code {string}
set activation-expire {integer}
set comments {var-string}
set license {string}
set os-ver {string}
set reg-id {string}
set seed {string}
set status [active|lock]
next
end

config user fortitoken

Parameter Description Type Size Default

activation- Mobile token user activation-code. string Maximum

code length: 32

activation- Mobile token user activation-code expire time. integer Minimum 0

expire value: 0
Maximum
value:
4294967295

comments Comment. var-string Maximum

length: 255

license Mobile token license. string Maximum

length: 31

os-ver Device Mobile Version. string Maximum

length: 15

reg-id Device Reg ID. string Maximum

length: 256

seed Token seed. string Maximum

length: 208

serial-number Serial number. string Maximum

length: 16

status Status. option - active

Option Description

active Activate FortiToken.

lock Lock FortiToken.

FortiOS 7.4.4 CLI Reference 1744

Fortinet Inc.
config user fsso-polling

Configure FSSO active directory servers for polling mode.

config user fsso-polling
Description: Configure FSSO active directory servers for polling mode.
edit <id>
config adgrp
Description: LDAP Group Info.
edit <name>
next
end
set default-domain {string}
set ldap-server {string}
set logon-history {integer}
set password {password}
set polling-frequency {integer}
set port {integer}
set server {string}
set smb-ntlmv1-auth [enable|disable]
set smbv1 [enable|disable]
set status [enable|disable]
set user {string}
next
end

config user fsso-polling

Parameter Description Type Size Default

default- Default domain managed by this Active Directory string Maximum

domain server. length: 35

id Active Directory server ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

ldap-server LDAP server name used in LDAP connection strings. string Maximum
length: 35

logon-history Number of hours of logon history to keep, 0 means integer Minimum 8

keep all history. value: 0
Maximum
value: 48

password Password required to log into this Active Directory password Not Specified
server.

FortiOS 7.4.4 CLI Reference 1745

Fortinet Inc.
Parameter Description Type Size Default

polling- Polling frequency (every 1 to 30 seconds). integer Minimum 10

frequency value: 1
Maximum
value: 30

port Port to communicate with this Active Directory server. integer Minimum 0
value: 0
Maximum
value: 65535

server Host name or IP address of the Active Directory string Maximum

server. length: 63

smb-ntlmv1- Enable/disable support of NTLMv1 for Samba option - disable

auth authentication.

Option Description

enable Enable support of NTLMv1 for Samba authentication.

disable Disable support of NTLMv1 for Samba authentication.

smbv1 Enable/disable support of SMBv1 for Samba. option - disable

Option Description

enable Enable support of SMBv1 for Samba.

disable Disable support of SMBv1 for Samba.

status Enable/disable polling for the status of this Active option - enable
Directory server.

Option Description

enable Enable setting.

disable Disable setting.

user User name required to log into this Active Directory string Maximum
server. length: 35

config adgrp

Parameter Description Type Size Default

name Name. string Maximum

length: 511

config user fsso

Configure Fortinet Single Sign On (FSSO) agents.

FortiOS 7.4.4 CLI Reference 1746

Fortinet Inc.
config user fsso
Description: Configure Fortinet Single Sign On (FSSO) agents.
edit <name>
set group-poll-interval {integer}
set interface {string}
set interface-select-method [auto|sdwan|...]
set ldap-poll [enable|disable]
set ldap-poll-filter {string}
set ldap-poll-interval {integer}
set ldap-server {string}
set logon-timeout {integer}
set password {password}
set password2 {password}
set password3 {password}
set password4 {password}
set password5 {password}
set port {integer}
set port2 {integer}
set port3 {integer}
set port4 {integer}
set port5 {integer}
set server {string}
set server2 {string}
set server3 {string}
set server4 {string}
set server5 {string}
set sni {string}
set source-ip {ipv4-address}
set source-ip6 {ipv6-address}
set ssl [enable|disable]
set ssl-server-host-ip-check [enable|disable]
set ssl-trusted-cert {string}
set type [default|fortinac]
set user-info-server {string}
next
end

config user fsso

Parameter Description Type Size Default

group-poll- Interval in minutes within to fetch groups integer Minimum 0

interval from FSSO server, or unset to disable. value: 1
Maximum
value: 2880

interface Specify outgoing interface to reach string Maximum

server. length: 15

interface- Specify how to select outgoing interface option - auto

select-method to reach server.

FortiOS 7.4.4 CLI Reference 1747

Fortinet Inc.
Parameter Description Type Size Default

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

ldap-poll Enable/disable automatic fetching of option - disable

groups from LDAP server.

Fortinet Inc.
Parameter Description Type Size Default

port Port of the first FSSO collector agent. integer Minimum 8000
value: 1
Maximum
value:
65535

port2 Port of the second FSSO collector agent. integer Minimum 8000
value: 1
Maximum
value:
65535

port3 Port of the third FSSO collector agent. integer Minimum 8000
value: 1
Maximum
value:
65535

port4 Port of the fourth FSSO collector agent. integer Minimum 8000
value: 1
Maximum
value:
65535

port5 Port of the fifth FSSO collector agent. integer Minimum 8000
value: 1
Maximum
value:
65535

server Domain name or IP address of the first string Maximum

FSSO collector agent. length: 63

server2 Domain name or IP address of the string Maximum

second FSSO collector agent. length: 63

server3 Domain name or IP address of the third string Maximum

FSSO collector agent. length: 63

server4 Domain name or IP address of the fourth string Maximum

FSSO collector agent. length: 63

server5 Domain name or IP address of the fifth string Maximum

FSSO collector agent. length: 63

sni Server Name Indication. string Maximum

length: 255

source-ip Source IP for communications to FSSO ipv4- Not 0.0.0.0

agent. address Specified

FortiOS 7.4.4 CLI Reference 1749

Fortinet Inc.
Parameter Description Type Size Default

source-ip6 IPv6 source for communications to FSSO ipv6- Not ::

agent. address Specified

ssl Enable/disable use of SSL. option - disable

Option Description

enable Enable use of SSL.

disable Disable use of SSL.

ssl-server- Enable/disable server host/IP option - disable

host-ip-check verification.

Option Description

enable Enable server host/IP verification.

disable Disable server host/IP verification.

ssl-trusted- Trusted server certificate or CA string Maximum

cert certificate. length: 79

type Server type. option - default

Option Description

default All other unspecified types of servers.

fortinac FortiNAC server.

user-info- LDAP server to get user information. string Maximum

server length: 35

config user group

Configure user groups.

config user group
Description: Configure user groups.
edit <name>
set auth-concurrent-override [enable|disable]
set auth-concurrent-value {integer}
set authtimeout {integer}
set company [optional|mandatory|...]
set email [disable|enable]
set expire {integer}
set expire-type [immediately|first-successful-login]
set group-type [firewall|fsso-service|...]
config guest
Description: Guest User.
edit <id>
set user-id {string}

FortiOS 7.4.4 CLI Reference 1750

Fortinet Inc.
set name {string}
set password {password}
set mobile-phone {string}
set sponsor {string}
set company {string}
set email {string}
set expiration {user}
set comment {var-string}
next
end
set http-digest-realm {string}
set id {integer}
config match
Description: Group matches.
edit <id>
set server-name {string}
set group-name {string}
next
end
set max-accounts {integer}
set member <name1>, <name2>, ...
set mobile-phone [disable|enable]
set multiple-guest-add [disable|enable]
set password [auto-generate|specify|...]
set sms-custom-server {string}
set sms-server [fortiguard|custom]
set sponsor [optional|mandatory|...]
set sso-attribute-value {string}
set user-id [email|auto-generate|...]
set user-name [disable|enable]
next
end

config user group

Parameter Description Type Size Default

auth- Enable/disable overriding the global number of option - disable

concurrent- concurrent authentication sessions for this user
override group.

Option Description

enable Enable auth-concurrent-override.

disable Disable auth-concurrent-override.

auth- Maximum number of concurrent authenticated integer Minimum 0

concurrent- connections per user. value: 0
value Maximum
value: 100

FortiOS 7.4.4 CLI Reference 1751

Fortinet Inc.
Parameter Description Type Size Default

authtimeout Authentication timeout in minutes for this user integer Minimum 0

group. 0 to use the global user setting auth- value: 0
timeout. Maximum
value: 43200

company Set the action for the company guest user field. option - optional

Option Description

optional Optional.

mandatory Mandatory.

disabled Disabled.

email Enable/disable the guest user email address field. option - enable

Option Description

disable Disable setting.

enable Enable setting.

expire Time in seconds before guest user accounts integer Minimum 14400
expire. value: 1
Maximum
value:
31536000

expire-type Determine when the expiration countdown begins. option - immediately

Option Description

immediately Immediately.

first-successful- First successful login.

group-type Set the group to be for firewall authentication, option - firewall

FSSO, RSSO, or guest users.

Option Description

firewall Firewall.

fsso-service Fortinet Single Sign-On Service.

rsso RADIUS based Single Sign-On Service.

guest Guest.

http-digest- Realm attribute for MD5-digest authentication. string Maximum

realm length: 35

FortiOS 7.4.4 CLI Reference 1752

Fortinet Inc.
Parameter Description Type Size Default

id Group ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

max-accounts Maximum number of guest accounts that can be integer Minimum 0

created for this group (0 means unlimited). value: 0
Maximum
value: 1024 **

member Names of users, peers, LDAP severs, RADIUS string Maximum

<name> servers or external idp servers to add to the user length: 511
group.
Group member name.

mobile-phone Enable/disable the guest user mobile phone option - disable

number field.

Option Description

disable Disable setting.

enable Enable setting.

multiple- Enable/disable addition of multiple guests. option - disable

guest-add

Option Description

disable Disable setting.

enable Enable setting.

name Group name. string Maximum

length: 35

password Guest user password type. option - auto-generate

Option Description

auto-generate Automatically generate.

specify Specify.

disable Disable.

sms-custom- SMS server. string Maximum

server length: 35

sms-server Send SMS through FortiGuard or other external option - fortiguard

server.

FortiOS 7.4.4 CLI Reference 1753

Fortinet Inc.
Parameter Description Type Size Default

Option Description

fortiguard Send SMS by FortiGuard.

custom Send SMS by custom server.

sponsor Set the action for the sponsor guest user field. option - optional

Option Description

optional Optional.

mandatory Mandatory.

disabled Disabled.

sso-attribute- Name of the RADIUS user group that this local string Maximum
value user group represents. length: 511

user-id Guest user ID type. option - email

Option Description

email Email address.

auto-generate Automatically generate.

specify Specify.

user-name Enable/disable the guest user name entry. option - disable

Option Description

disable Disable setting.

enable Enable setting.

** Values may differ between models.

config guest

Parameter Description Type Size Default

id Guest ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

user-id Guest ID. string Maximum

length: 64

FortiOS 7.4.4 CLI Reference 1754

Fortinet Inc.
Parameter Description Type Size Default

name Guest name. string Maximum

length: 64

password Guest password. password Not Specified

mobile-phone Mobile phone. string Maximum

length: 35

sponsor Set the action for the sponsor guest user field. string Maximum
length: 35

company Set the action for the company guest user field. string Maximum
length: 35

email Email. string Maximum

length: 64

expiration Expire time. user Not Specified

comment Comment. var-string Maximum

length: 255

config match

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

server-name Name of remote auth server. string Maximum

length: 35

group-name Name of matching user or group on remote string Maximum

authentication server. length: 511

config user krb-keytab

Configure Kerberos keytab entries.

config user krb-keytab
Description: Configure Kerberos keytab entries.
edit <name>
set keytab {string}
set ldap-server <name1>, <name2>, ...
set pac-data [enable|disable]
set principal {string}
next
end

FortiOS 7.4.4 CLI Reference 1755

Fortinet Inc.
config user krb-keytab

Parameter Description Type Size Default

keytab Base64 coded keytab file containing a pre-shared key. string Maximum
length: 8191

ldap-server LDAP server name(s). string Maximum

<name> LDAP server name. length: 79

name Kerberos keytab entry name. string Maximum

length: 35

pac-data Enable/disable parsing PAC data in the ticket. option - enable

Option Description

enable Enable parsing PAC data in the ticket.

disable Disable parsing PAC data in the ticket.

principal Kerberos service principal. For example, string Maximum

HTTP/[email protected]. length: 511

config user ldap

Configure LDAP server entries.

config user ldap
Description: Configure LDAP server entries.
edit <name>
set account-key-cert-field [othername|rfc822name|...]
set account-key-filter {string}
set account-key-processing [same|strip]
set antiphish [enable|disable]
set ca-cert {string}
set client-cert {string}
set client-cert-auth [enable|disable]
set cnid {string}
set dn {string}
set group-filter {string}
set group-member-check [user-attr|group-object|...]
set group-object-filter {string}
set group-search-base {string}
set interface {string}
set interface-select-method [auto|sdwan|...]
set member-attr {string}
set obtain-user-info [enable|disable]
set password {password}
set password-attr {string}
set password-expiry-warning [enable|disable]
set password-renewal [enable|disable]
set port {integer}
set search-type {option1}, {option2}, ...

FortiOS 7.4.4 CLI Reference 1756

Fortinet Inc.
set secondary-server {string}
set secure [disable|starttls|...]
set server {string}
set server-identity-check [enable|disable]
set source-ip {string}
set source-port {integer}
set ssl-min-proto-version [default|SSLv3|...]
set status-ttl {integer}
set tertiary-server {string}
set two-factor [disable|fortitoken-cloud]
set two-factor-authentication [fortitoken|email|...]
set two-factor-filter {string}
set two-factor-notification [email|sms]
set type [simple|anonymous|...]
set user-info-exchange-server {string}
set username {string}
next
end

config user ldap

Parameter Description Type Size Default

account-key- Define subject option - othername

cert-field identity field in
certificate for
user access
right checking.

Option Description

othername Other name in SAN.

rfc822name RFC822 email address in SAN.

dnsname DNS name in SAN.

cn CN in subject.

account-key- Account key string Maximum (&(userPrincipalName=%s)(!

filter filter, using the length: (UserAccountControl:1.2.840.113556.1.4.803:=
UPN as the 2047 2)))
search filter.

account-key- Account key option - same

processing processing
operation. The
FortiGate will
keep either the
whole domain or
strip the domain
from the subject
identity.

FortiOS 7.4.4 CLI Reference 1757

Fortinet Inc.
Parameter Description Type Size Default

Option Description

same Same as subject identity field.

strip Strip domain string from subject identity field.

antiphish Enable/disable option - disable

AntiPhishing
credential
backend.

member-attr Name of string Maximum memberOf

attribute from length: 63
which to get
group
membership.

name LDAP server string Maximum

entry name. length: 35

FortiOS 7.4.4 CLI Reference 1759

Fortinet Inc.
Parameter Description Type Size Default

obtain-user-info Enable/disable option - enable

obtaining of user
information.

Option Description

enable Enable obtaining of user information.

disable Disable obtaining of user information.

password Password for password Not

initial binding. Specified

password-attr Name of string Maximum userPassword

attribute to get length: 35
password hash.

password- Enable/disable option - disable

expiry-warning password expiry
warnings.

Option Description

enable Enable password expiry warnings.

disable Disable password expiry warnings.

password- Enable/disable option - disable

renewal online password
renewal.

Option Description

enable Enable online password renewal.

disable Disable online password renewal.

port Port to be used integer Minimum 389

for value: 1
communication Maximum
with the LDAP value:
server. 65535

search-type Search type. option -

Option Description

recursive Recursively retrieve the user-group chain information of a user in a particular

Microsoft AD domain.

FortiOS 7.4.4 CLI Reference 1760

Fortinet Inc.
Parameter Description Type Size Default

secondary- Secondary string Maximum

server LDAP server CN length: 63
domain name or
IP.

secure Port to be used option - disable

for
authentication.

Option Description

disable No SSL.

starttls Use StartTLS.

ldaps Use LDAPS.

server LDAP server CN string Maximum

domain name or length: 63
IP.

server-identity- Enable/disable option - enable

check LDAP server
identity check
(verify server
domain name/IP
address against
the server
certificate).

Option Description

enable Enable server identity check.

disable Disable server identity check.

source-ip FortiGate IP string Maximum

address to be length: 63
used for
communication
with the LDAP
server.

source-port Source port to integer Minimum 0

be used for value: 0
communication Maximum
with the LDAP value:
server. 65535

FortiOS 7.4.4 CLI Reference 1761

Fortinet Inc.
Parameter Description Type Size Default

ssl-min-proto- Minimum option - default

version supported
protocol version
for SSL/TLS
connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

status-ttl Time for which integer Minimum 300

server value: 0
reachability is Maximum
cached so that value: 600
when a server is
unreachable, it
will not be retried
for at least this
period of time.

tertiary-server Tertiary LDAP string Maximum

server CN length: 63
domain name or
IP.

two-factor Enable/disable option - disable

two-factor
authentication.

Option Description

disable disable two-factor authentication.

fortitoken-cloud FortiToken Cloud Service.

two-factor- Authentication option -

authentication method by
FortiToken
Cloud.

FortiOS 7.4.4 CLI Reference 1762

Fortinet Inc.
Parameter Description Type Size Default

Option Description

fortitoken FortiToken authentication.

email Email one time password.

sms SMS one time password.

two-factor-filter Filter used to string Maximum

synchronize length:
users to 2047
FortiToken
Cloud.

two-factor- Notification option -

notification method for user
activation by
FortiToken
Cloud.

Option Description

email Email notification for activation code.

sms SMS notification for activation code.

type Authentication option - simple

type for LDAP
searches.

Option Description

simple Simple password authentication without search.

anonymous Bind using anonymous user search.

regular Bind using username/password and then search.

user-info- MS Exchange string Maximum

exchange- server from length: 35
server which to fetch
user information.

username Username (full string Maximum

DN) for initial length: 511
binding.

config user local

Configure local users.

FortiOS 7.4.4 CLI Reference 1763

Fortinet Inc.
config user local
Description: Configure local users.
edit <name>
set auth-concurrent-override [enable|disable]
set auth-concurrent-value {integer}
set authtimeout {integer}
set email-to {string}
set fortitoken {string}
set id {integer}
set ldap-server {string}
set passwd {password}
set passwd-policy {string}
set passwd-time {user}
set ppk-identity {string}
set ppk-secret {password-3}
set qkd-profile {string}
set radius-server {string}
set sms-custom-server {string}
set sms-phone {string}
set sms-server [fortiguard|custom]
set status [enable|disable]
set tacacs+-server {string}
set two-factor [disable|fortitoken|...]
set two-factor-authentication [fortitoken|email|...]
set two-factor-notification [email|sms]
set type [password|radius|...]
set username-sensitivity [disable|enable]
set workstation {string}
next
end

config user local

Parameter Description Type Size Default

auth-concurrent- Enable/disable overriding the policy-auth- option - disable

override concurrent under config system global.

Option Description

enable Enable auth-concurrent-override.

disable Disable auth-concurrent-override.

auth-concurrent- Maximum number of concurrent logins permitted integer Minimum 0

value from the same user. value: 0
Maximum
value: 100

authtimeout Time in minutes before the authentication timeout integer Minimum 0

for a user is reached. value: 0
Maximum
value: 1440

FortiOS 7.4.4 CLI Reference 1764

Fortinet Inc.
Parameter Description Type Size Default

email-to Two-factor recipient's email address. string Maximum

length: 63

fortitoken Two-factor recipient's FortiToken serial number. string Maximum

length: 16

id User ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

ldap-server Name of LDAP server with which the user must string Maximum
authenticate. length: 35

name Local user name. string Maximum

length: 64

passwd User's password. password Not Specified

passwd-policy Password policy to apply to this user, as defined string Maximum

in config user password-policy. length: 35

passwd-time Time of the last password update. user Not Specified

ppk-identity IKEv2 Postquantum Preshared Key Identity. string Maximum

length: 35

ppk-secret IKEv2 Postquantum Preshared Key (ASCII string password-3 Not Specified
or hexadecimal encoded with a leading 0x).

qkd-profile Quantum Key Distribution (QKD) profile. string Maximum

length: 35

radius-server Name of RADIUS server with which the user must string Maximum
authenticate. length: 35

sms-custom- Two-factor recipient's SMS server. string Maximum

server length: 35

sms-phone Two-factor recipient's mobile phone number. string Maximum

length: 15

sms-server Send SMS through FortiGuard or other external option - fortiguard

server.

Option Description

fortiguard Send SMS by FortiGuard.

custom Send SMS by custom server.

status Enable/disable allowing the local user to option - enable

authenticate with the FortiGate unit.

FortiOS 7.4.4 CLI Reference 1765

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable user.

disable Disable user.

tacacs+-server Name of TACACS+ server with which the user string Maximum
must authenticate. length: 35

type Authentication method. option - password

Option Description

password Password authentication.

radius RADIUS server authentication.

tacacs+ TACACS+ server authentication.

ldap LDAP server authentication.

FortiOS 7.4.4 CLI Reference 1766

Fortinet Inc.
Parameter Description Type Size Default

username- Enable/disable case and accent sensitivity when option - enable

sensitivity performing username matching (accents are
stripped and case is ignored when disabled).

Option Description

disable Ignore case and accents. Username at prompt not required to match case or
accents.

enable Do not ignore case and accents. Username at prompt must be an exact
match.

workstation Name of the remote user workstation, if you want string Maximum
to limit the user to authenticate only from a length: 35
particular workstation.

config user nac-policy

Configure NAC policy matching pattern to identify matching NAC devices.

config user nac-policy
Description: Configure NAC policy matching pattern to identify matching NAC devices.
edit <name>
set category [device|firewall-user|...]
set description {string}
set ems-tag {string}
set family {string}
set firewall-address {string}
set fortivoice-tag {string}
set host {string}
set hw-vendor {string}
set hw-version {string}
set mac {string}
set match-period {integer}
set match-type [dynamic|override]
set os {string}
set severity <severity-num1>, <severity-num2>, ...
set src {string}
set ssid-policy {string}
set status [enable|disable]
set sw-version {string}
set switch-fortilink {string}
set switch-group <name1>, <name2>, ...
set switch-mac-policy {string}
set type {string}
set user {string}
set user-group {string}
next
end

FortiOS 7.4.4 CLI Reference 1767

Fortinet Inc.
config user nac-policy

Parameter Description Type Size Default

category Category of NAC policy. option - device

Option Description

device Device category.

firewall-user Firewall user category.

ems-tag EMS Tag category.

fortivoice-tag FortiVoice Tag category.

vulnerability Vulnerability category.

description Description for the NAC policy matching pattern. string Maximum
length: 63

ems-tag NAC policy matching EMS tag. string Maximum

length: 79

family NAC policy matching family. string Maximum

length: 31

firewall-address Dynamic firewall address to associate MAC which string Maximum

* match this policy. length: 79

fortivoice-tag NAC policy matching FortiVoice tag. string Maximum

length: 79

host NAC policy matching host. string Maximum

length: 64

hw-vendor NAC policy matching hardware vendor. string Maximum

length: 15

hw-version NAC policy matching hardware version. string Maximum

length: 15

mac NAC policy matching MAC address. string Maximum

length: 17

match-period Number of days the matched devices will be retained integer Minimum 0
(0 - always retain) value: 0
Maximum
value: 120

match-type Match and retain the devices based on the type. option - dynamic

Option Description

dynamic Matched devices will be removed on dynamic events like link-down,device-

inactivity,switch-offline.

FortiOS 7.4.4 CLI Reference 1768

Fortinet Inc.
Parameter Description Type Size Default

Option Description

override Matched devices will be retained until the match-period.

name NAC policy name. string Maximum

user NAC policy matching user. string Maximum

length: 64

user-group NAC policy matching user group. string Maximum

length: 35

* This parameter may not exist in some models.

FortiOS 7.4.4 CLI Reference 1769

Fortinet Inc.
config user password-policy

Configure user password policy.

config user password-policy
Description: Configure user password policy.
edit <name>
set expire-days {integer}
set expire-status [enable|disable]
set expired-password-renewal [enable|disable]
set min-change-characters {integer}
set min-lower-case-letter {integer}
set min-non-alphanumeric {integer}
set min-number {integer}
set min-upper-case-letter {integer}
set minimum-length {integer}
set reuse-password [enable|disable]
set warn-days {integer}
next
end

config user password-policy

Parameter Description Type Size Default

expire-days Time in days before the user's password expires. integer Minimum 180
value: 0
Maximum
value: 999

expire-status Enable/disable password expiration. option - disable

Option Description

enable Passwords expire after expire-day days.

disable Passwords do not expire.

expired- Enable/disable renewal of a password that already is option - disable

password- expired.
renewal

Option Description

enable Enable renewal of a password that already is expired.

disable Disable renewal of a password that already is expired.

min-change- Minimum number of unique characters in new integer Minimum 0

characters password which do not exist in old password. value: 0
Maximum
value: 128

FortiOS 7.4.4 CLI Reference 1770

Fortinet Inc.
Parameter Description Type Size Default

min-lower-case- Minimum number of lowercase characters in integer Minimum 0

letter password. value: 0
Maximum
value: 128

min-non- Minimum number of non-alphanumeric characters in integer Minimum 0

alphanumeric password. value: 0
Maximum
value: 128

min-number Minimum number of numeric characters in password. integer Minimum 0

value: 0
Maximum
value: 128

min-upper- Minimum number of uppercase characters in integer Minimum 0

case-letter password. value: 0
Maximum
value: 128

minimum-length Minimum password length. integer Minimum 8

value: 8
Maximum
value: 128

name Password policy name. string Maximum

length: 35

reuse-password Enable/disable reuse of password. If both reuse- option - enable

password and min-change-characters are enabled,
min-change-characters overrides.

Option Description

enable Users are allowed to reuse the same password.

disable Users must create a new password.

warn-days Time in days before a password expiration warning integer Minimum 15

message is displayed to the user upon login. value: 0
Maximum
value: 30

config user peer

Configure peer users.

config user peer
Description: Configure peer users.
edit <name>
set ca {string}
set cn {string}

FortiOS 7.4.4 CLI Reference 1771

Fortinet Inc.
set cn-type [string|email|...]
set mandatory-ca-verify [enable|disable]
set mfa-mode [none|password|...]
set mfa-password {password}
set mfa-server {string}
set mfa-username {string}
set ocsp-override-server {string}
set passwd {password}
set subject {string}
set two-factor [enable|disable]
next
end

config user peer

Parameter Description Type Size Default

ca Name of the CA certificate. string Maximum

length: 127

cn Peer certificate common name. string Maximum

length: 255

cn-type Peer certificate common name type. option - string

Option Description

string Normal string.

email Email address.

FQDN Fully Qualified Domain Name.

ipv4 IPv4 address.

ipv6 IPv6 address.

mandatory- Determine what happens to the peer if the CA certificate option - enable
ca-verify is not installed. Disable to automatically consider the
peer certificate as valid.

Option Description

enable Enable setting.

disable Disable setting.

mfa-mode MFA mode for remote peer option - none

authentication/authorization.

Option Description

none None.

FortiOS 7.4.4 CLI Reference 1772

Fortinet Inc.
Parameter Description Type Size Default

Option Description

password Specified username/password.

subject-identity Subject identity extracted from certificate.

mfa-password Unified password for remote authentication. This field password Not
may be left empty when RADIUS authentication is used, Specified
in which case the FortiGate will use the RADIUS
username as a password.

mfa-server Name of a remote authenticator. Performs client access string Maximum

right check. length: 35

mfa- Unified username for remote authentication. string Maximum

username length: 35

name Peer name. string Maximum

length: 35

ocsp- Online Certificate Status Protocol (OCSP) server for string Maximum
override- certificate retrieval. length: 35
server

passwd Peer's password used for two-factor authentication. password Not

Specified

subject Peer certificate name constraints. string Maximum

length: 255

two-factor Enable/disable two-factor authentication, applying option - disable

certificate and password-based authentication.

Option Description

enable Enable 2-factor authentication.

disable Disable 2-factor authentication.

config user peergrp

Configure peer groups.

config user peergrp
Description: Configure peer groups.
edit <name>
set member <name1>, <name2>, ...
next
end

FortiOS 7.4.4 CLI Reference 1773

Fortinet Inc.
config user peergrp

Parameter Description Type Size Default

member <name> Peer group members. string Maximum

Peer group member name. length: 35

name Peer group name. string Maximum

length: 35

config user pop3

POP3 server entry configuration.

config user pop3
Description: POP3 server entry configuration.
edit <name>
set port {integer}
set secure [none|starttls|...]
set server {string}
set ssl-min-proto-version [default|SSLv3|...]
next
end

config user pop3

Parameter Description Type Size Default

name POP3 server entry name. string Maximum

length: 35

port POP3 service port number. integer Minimum 0

value: 0
Maximum
value:
65535

secure SSL connection. option - starttls

Option Description

none None.

starttls Use StartTLS.

pop3s Use POP3 over SSL.

server Server domain name or IP address. string Maximum

length: 63

FortiOS 7.4.4 CLI Reference 1774

Fortinet Inc.
Parameter Description Type Size Default

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

config user quarantine

Configure quarantine support.

config user quarantine
Description: Configure quarantine support.
set firewall-groups {string}
set quarantine [enable|disable]
config targets
Description: Quarantine entry to hold multiple MACs.
edit <entry>
set description {string}
config macs
Description: Quarantine MACs.
edit <mac>
set description {string}
set drop [disable|enable]
set parent {string}
next
end
next
end
set traffic-policy {string}
end

config user quarantine

Parameter Description Type Size Default

firewall- Firewall address group which includes all quarantine string Maximum
groups MAC address. length: 79

quarantine Enable/disable quarantine. option - enable

FortiOS 7.4.4 CLI Reference 1775

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable quarantine.

disable Disable quarantine.

traffic-policy * Traffic policy for quarantined MACs. string Maximum

length: 63

* This parameter may not exist in some models.

config targets

Parameter Description Type Size Default

entry Quarantine entry name. string Maximum

length: 63

description Description for the quarantine entry. string Maximum

length: 63

config macs

Parameter Description Type Size Default

mac Quarantine MAC. mac- Not 00:00:00:00:00:00

address Specified

description Description for the quarantine MAC. string Maximum

length: 63

drop Enable/disable dropping of quarantined device option - disable

traffic.

Option Description

disable Sends quarantined device traffic to FortiGate.

enable Blocks quarantined device traffic to FortiGate.

parent Parent entry name. string Maximum

length: 63

config user radius

Configure RADIUS server entries.

config user radius
Description: Configure RADIUS server entries.
edit <name>
set account-key-cert-field [othername|rfc822name|...]

FortiOS 7.4.4 CLI Reference 1776

Fortinet Inc.
set account-key-processing [same|strip]
config accounting-server
Description: Additional accounting servers.
edit <id>
set status [enable|disable]
set server {string}
set secret {password}
set port {integer}
set source-ip {string}
set interface-select-method [auto|sdwan|...]
set interface {string}
next
end
set acct-all-servers [enable|disable]
set acct-interim-interval {integer}
set all-usergroup [disable|enable]
set auth-type [auto|ms_chap_v2|...]
set ca-cert {string}
set call-station-id-type [legacy|IP|...]
set class <name1>, <name2>, ...
set client-cert {string}
set delimiter [plus|comma]
set group-override-attr-type [filter-Id|class]
set h3c-compatibility [enable|disable]
set interface {string}
set interface-select-method [auto|sdwan|...]
set mac-case [uppercase|lowercase]
set mac-password-delimiter [hyphen|single-hyphen|...]
set mac-username-delimiter [hyphen|single-hyphen|...]
set nas-id {string}
set nas-id-type [legacy|custom|...]
set nas-ip {ipv4-address}
set password-encoding [auto|ISO-8859-1]
set password-renewal [enable|disable]
set radius-coa [enable|disable]
set radius-port {integer}
set rsso [enable|disable]
set rsso-context-timeout {integer}
set rsso-endpoint-attribute [User-Name|NAS-IP-Address|...]
set rsso-endpoint-block-attribute [User-Name|NAS-IP-Address|...]
set rsso-ep-one-ip-only [enable|disable]
set rsso-flush-ip-session [enable|disable]
set rsso-log-flags {option1}, {option2}, ...
set rsso-log-period {integer}
set rsso-radius-response [enable|disable]
set rsso-radius-server-port {integer}
set rsso-secret {password}
set rsso-validate-request-secret [enable|disable]
set secondary-secret {password}
set secondary-server {string}
set secret {password}
set server {string}
set server-identity-check [enable|disable]
set source-ip {string}
set sso-attribute [User-Name|NAS-IP-Address|...]
set sso-attribute-key {string}

FortiOS 7.4.4 CLI Reference 1777

Fortinet Inc.
set sso-attribute-value-override [enable|disable]
set status-ttl {integer}
set switch-controller-acct-fast-framedip-detect {integer}
set switch-controller-nas-ip-dynamic [enable|disable]
set switch-controller-service-type {option1}, {option2}, ...
set tertiary-secret {password}
set tertiary-server {string}
set timeout {integer}
set tls-min-proto-version [default|SSLv3|...]
set transport-protocol [udp|tcp|...]
set use-management-vdom [enable|disable]
set username-case-sensitive [enable|disable]
next
end

config user radius

Parameter Description Type Size Default

account-key- Define subject identity field in certificate for user option - othername
cert-field access right checking.

Option Description

othername Other name in SAN.

rfc822name RFC822 email address in SAN.

dnsname DNS name in SAN.

cn CN in subject.

account-key- Account key processing operation. The option - same

processing FortiGate will keep either the whole domain or
strip the domain from the subject identity.

Option Description

same Same as subject identity field.

strip Strip domain string from subject identity field.

acct-all-servers Enable/disable sending of accounting messages option - disable

to all configured servers.

Option Description

enable Send accounting messages to all configured servers.

disable Send accounting message only to servers that are confirmed to be

reachable.

FortiOS 7.4.4 CLI Reference 1778

Fortinet Inc.
Parameter Description Type Size Default

acct-interim- Time in seconds between each accounting integer Minimum 0

interval interim update message. value: 60
Maximum
value: 86400

all-usergroup Enable/disable automatically including this option - disable

RADIUS server in all user groups.

Option Description

disable Do not automatically include this server in a user group.

enable Include this RADIUS server in every user group.

auth-type Authentication methods/protocols permitted for option - auto

this RADIUS server.

Option Description

auto Use PAP, MSCHAP_v2, and CHAP (in that order).

ms_chap_v2 Microsoft Challenge Handshake Authentication Protocol version 2.

ms_chap Microsoft Challenge Handshake Authentication Protocol.

chap Challenge Handshake Authentication Protocol.

pap Password Authentication Protocol.

ca-cert CA of server to trust under TLS. string Maximum

length: 79

call-station-id- Calling & Called station identifier type option - legacy

type configuration , this option is not available for
802.1x authentication.

Option Description

legacy Calling & Called station identifier is the value previously used by each
daemon.

IP Calling & Called station identifier is the value of IP address.

MAC Calling & Called station identifier is the value of MAC address.

class <name> Class attribute name(s). string Maximum

Class name. length: 79

client-cert Client certificate to use under TLS. string Maximum

length: 35

delimiter Configure delimiter to be used for separating option - plus

profile group names in the SSO attribute.

FortiOS 7.4.4 CLI Reference 1779

Fortinet Inc.
Parameter Description Type Size Default

Option Description

plus Plus character "+".

comma Comma character ",".

group-override- RADIUS attribute type to override user group option -

attr-type information.

Option Description

filter-Id Filter-Id

class Class

h3c- Enable/disable compatibility with the H3C, a option - disable

compatibility mechanism that performs security checking for
authentication.

Option Description

enable Enable H3C compatibility.

disable Disable H3C compatibility.

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface-select- Specify how to select outgoing interface to reach option - auto

method server.

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

mac-case MAC authentication case. option - lowercase

nas-id Custom NAS identifier. string Maximum

length: 255

nas-id-type NAS identifier type configuration. option - legacy

Option Description

legacy NAS-ID value is the value previously used by each daemon.

custom NAS-ID value is customized.

hostname NAS-ID value is hostname or HA group name if applicable.

nas-ip IP address used to communicate with the ipv4- Not Specified 0.0.0.0
RADIUS server and used as NAS-IP-Address address
and Called-Station-ID attributes.

password- Password encoding. option - auto

encoding

Option Description

auto Use original password encoding.

ISO-8859-1 Use ISO-8859-1 password encoding.

password- Enable/disable password renewal. option - enable

renewal

FortiOS 7.4.4 CLI Reference 1781

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable password renewal.

disable Disable password renewal.

radius-coa Enable to allow a mechanism to change the option - disable

attributes of an authentication, authorization,
and accounting session after it is authenticated.

Option Description

enable Enable RADIUS CoA.

disable Disable RADIUS CoA.

radius-port RADIUS service port number. integer Minimum 0

value: 0
Maximum
value: 65535

rsso Enable/disable RADIUS based single sign on option - disable

feature.

Option Description

enable Enable RADIUS based single sign on feature.

disable Disable RADIUS based single sign on feature.

rsso-context- Time in seconds before the logged out user is integer Minimum 28800
timeout removed from the "user context list" of logged on value: 0
users. Maximum
value:
4294967295

rsso-endpoint- RADIUS attributes used to extract the user end option - Calling-
attribute point identifier from the RADIUS Start record. Station-Id

Option Description

User-Name Use this attribute.

NAS-IP-Address Use this attribute.

Framed-IP- Use this attribute.

Address

Framed-IP- Use this attribute.

Netmask

Filter-Id Use this attribute.

FortiOS 7.4.4 CLI Reference 1782

Fortinet Inc.
Parameter Description Type Size Default

Option Description

Login-IP-Host Use this attribute.

Reply-Message Use this attribute.

Callback- Use this attribute.

Number

Callback-Id Use this attribute.

Framed-Route Use this attribute.

Framed-IPX- Use this attribute.

Network

Class Use this attribute.

Called-Station-Id Use this attribute.

Calling-Station- Use this attribute.

NAS-Identifier Use this attribute.

Proxy-State Use this attribute.

Login-LAT- Use this attribute.

Service

Login-LAT-Node Use this attribute.

Login-LAT- Use this attribute.

Group

Framed- Use this attribute.

AppleTalk-Zone

Acct-Session-Id Use this attribute.

Acct-Multi- Use this attribute.

Session-Id

rsso-endpoint- RADIUS attributes used to block a user. option -

block-attribute

Option Description

User-Name Use this attribute.

NAS-IP-Address Use this attribute.

Framed-IP- Use this attribute.

Address

FortiOS 7.4.4 CLI Reference 1783

Fortinet Inc.
Parameter Description Type Size Default

Option Description

Framed-IP- Use this attribute.

Netmask

Filter-Id Use this attribute.

Login-IP-Host Use this attribute.

Reply-Message Use this attribute.

Callback- Use this attribute.

Number

Callback-Id Use this attribute.

Framed-Route Use this attribute.

Framed-IPX- Use this attribute.

Network

Class Use this attribute.

Called-Station-Id Use this attribute.

Calling-Station- Use this attribute.

NAS-Identifier Use this attribute.

Proxy-State Use this attribute.

Login-LAT- Use this attribute.

Service

Login-LAT-Node Use this attribute.

Login-LAT- Use this attribute.

Group

Framed- Use this attribute.

AppleTalk-Zone

Acct-Session-Id Use this attribute.

Acct-Multi- Use this attribute.

Session-Id

rsso-ep-one-ip- Enable/disable the replacement of old IP option - disable

only addresses with new ones for the same endpoint
on RADIUS accounting Start messages.

FortiOS 7.4.4 CLI Reference 1784

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable replacement of old IP address with new IP address for the same
endpoint on RADIUS accounting start.

disable Disable replacement of old IP address with new IP address for the same
endpoint on RADIUS accounting start.

rsso-flush-ip- Enable/disable flushing user IP sessions on option - disable

session RADIUS accounting Stop messages.

Option Description

enable Enable flush user IP sessions on RADIUS accounting stop.

disable Disable flush user IP sessions on RADIUS accounting stop.

rsso-log-flags Events to log. option - protocol-error

profile-
missing
accounting-
stop-missed
accounting-
event
endpoint-
block radiusd-
other

Option Description

protocol-error Enable this log type.

profile-missing Enable this log type.

accounting-stop- Enable this log type.

missed

accounting- Enable this log type.

event

endpoint-block Enable this log type.

radiusd-other Enable this log type.

none Disable all logging.

rsso-log-period Time interval in seconds that group event log integer Minimum 0
messages will be generated for dynamic profile value: 0
events. Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1785

Fortinet Inc.
Parameter Description Type Size Default

rsso-radius- Enable/disable sending RADIUS response option - disable

response packets after receiving Start and Stop records.

Option Description

enable Enable sending RADIUS response packets.

disable Disable sending RADIUS response packets.

rsso-radius- UDP port to listen on for RADIUS Start and Stop integer Minimum 1813
server-port records. value: 0
Maximum
value: 65535

rsso-secret RADIUS secret used by the RADIUS accounting password Not Specified
server.

rsso-validate- Enable/disable validating the RADIUS request option - disable

request-secret shared secret in the Start or End record.

Option Description

enable Enable validating RADIUS request shared secret.

disable Disable validating RADIUS request shared secret.

secondary- Secret key to access the secondary server. password Not Specified
secret

secondary- Secondary RADIUS CN domain name or IP string Maximum

server address. length: 63

secret Pre-shared secret key used to access the password Not Specified
primary RADIUS server.

server Primary RADIUS server CN domain name or IP string Maximum

address. length: 63

server-identity- Enable/disable RADIUS server identity check option - enable

check (verify server domain name/IP address against
the server certificate).

Option Description

enable Enable server identity check.

disable Disable server identity check.

source-ip Source IP address for communications to the string Maximum

RADIUS server. length: 63

FortiOS 7.4.4 CLI Reference 1786

Fortinet Inc.
Parameter Description Type Size Default

sso-attribute RADIUS attribute that contains the profile group option - Class
name to be extracted from the RADIUS Start
record.

Option Description

User-Name Use this attribute.

NAS-IP-Address Use this attribute.

Framed-IP- Use this attribute.

Address

Framed-IP- Use this attribute.

Netmask

Filter-Id Use this attribute.

Login-IP-Host Use this attribute.

Reply-Message Use this attribute.

Callback- Use this attribute.

Number

Callback-Id Use this attribute.

Framed-Route Use this attribute.

Framed-IPX- Use this attribute.

Network

Class Use this attribute.

Called-Station-Id Use this attribute.

Calling-Station- Use this attribute.

NAS-Identifier Use this attribute.

Proxy-State Use this attribute.

Login-LAT- Use this attribute.

Service

Login-LAT-Node Use this attribute.

Login-LAT- Use this attribute.

Group

Framed- Use this attribute.

AppleTalk-Zone

Acct-Session-Id Use this attribute.

FortiOS 7.4.4 CLI Reference 1787

Fortinet Inc.
Parameter Description Type Size Default

Option Description

Acct-Multi- Use this attribute.

Session-Id

sso-attribute- Key prefix for SSO group value in the SSO string Maximum
key attribute. length: 35

sso-attribute- Enable/disable override old attribute value with option - enable

value-override new value for the same endpoint.

Option Description

enable Enable override old attribute value with new value for the same endpoint.

disable Disable override old attribute value with new value for the same endpoint.

status-ttl Time for which server reachability is cached so integer Minimum 300
that when a server is unreachable, it will not be value: 0
retried for at least this period of time. Maximum
value: 600

switch- Switch controller accounting message Framed- integer Minimum 2

controller-acct- IP detection from DHCP snooping. value: 2
fast-framedip- Maximum
detect value: 600

switch- Enable/Disable switch-controller nas-ip dynamic option - disable

controller-nas- to dynamically set nas-ip.
ip-dynamic *

Option Description

enable Enable dynamic NAS-IP setting.

disable Disable dynamic NAS-IP setting.

switch- RADIUS service type. option -

controller-
service-type

Option Description

login User should be connected to a host.

framed User use Framed Protocol.

callback-login User disconnected and called back.

callback-framed User disconnected and called back, then a Framed Protocol.

outbound User granted access to outgoing devices.

FortiOS 7.4.4 CLI Reference 1788

Fortinet Inc.
Parameter Description Type Size Default

Option Description

administrative User granted access to the administrative unsigned interface.

nas-prompt User provided a command prompt on the NAS.

authenticate- Authentication requested, and no auth info needs to be returned.

only

callback-nas- User disconnected and called back, then provided a command prompt.
prompt

call-check Used by the NAS in an Access-Request packet, Access-Accept to answer

the call.

callback- User disconnected and called back, granted access to the admin unsigned
administrative interface.

tertiary-secret Secret key to access the tertiary server. password Not Specified

tertiary-server Tertiary RADIUS CN domain name or IP string Maximum

address. length: 63

timeout Time in seconds to retry connecting server. integer Minimum 5

value: 1
Maximum
value: 300

tls-min-proto- Minimum supported protocol version for TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

transport- Transport protocol to be used. option - udp

protocol

Option Description

udp UDP.

tcp TCP.

tls TLS over TCP.

FortiOS 7.4.4 CLI Reference 1789

Fortinet Inc.
Parameter Description Type Size Default

use- Enable/disable using management VDOM to option - disable

management- send requests.
vdom

Option Description

enable Send requests using the management VDOM.

disable Send requests using the current VDOM.

username-case- Enable/disable case sensitive user names. option - disable

sensitive

Option Description

enable Enable username case-sensitive.

disable Disable username case-sensitive.

* This parameter may not exist in some models.

config accounting-server

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

status Status. option - disable

Option Description

enable Log to remote syslog server.

disable Do not log to remote syslog server.

server Server CN domain name or IP address. string Maximum

length: 63

secret Secret key. password Not Specified

port RADIUS accounting port number. integer Minimum 0

value: 0
Maximum
value: 65535

source-ip Source IP address for communications to the string Maximum

RADIUS server. length: 63

FortiOS 7.4.4 CLI Reference 1790

Fortinet Inc.
Parameter Description Type Size Default

interface- Specify how to select outgoing interface to reach option - auto

select-method server.

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

interface Specify outgoing interface to reach server. string Maximum

length: 15

config user saml

SAML server entry configuration.

config user saml
Description: SAML server entry configuration.
edit <name>
set adfs-claim [enable|disable]
set cert {string}
set clock-tolerance {integer}
set digest-method [sha1|sha256]
set entity-id {string}
set group-claim-type [email|given-name|...]
set group-name {string}
set idp-cert {string}
set idp-entity-id {string}
set idp-single-logout-url {string}
set idp-single-sign-on-url {string}
set limit-relaystate [enable|disable]
set reauth [enable|disable]
set single-logout-url {string}
set single-sign-on-url {string}
set user-claim-type [email|given-name|...]
set user-name {string}
next
end

config user saml

Parameter Description Type Size Default

adfs-claim Enable/disable ADFS Claim for user/group attribute in option - disable

assertion statement.

FortiOS 7.4.4 CLI Reference 1791

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable ADFS Claim for user/group attribute in assertion statement.

disable Disable ADFS Claim for user/group attribute in assertion statement.

cert Certificate to sign SAML messages. string Maximum

length: 35

clock- Clock skew tolerance in seconds. integer Minimum 15

tolerance value: 0
Maximum
value: 300

digest- Digest method algorithm. option - sha1

method

Option Description

sha1 Digest Method Algorithm is SHA1.

sha256 Digest Method Algorithm is SHA256.

entity-id SP entity ID. string Maximum

length: 255

group-claim- Group claim in assertion statement. option - group

type

Option Description

email E-mail address of the user.

given-name Given name of the user.

name Unique name of the user.

upn User principal name (UPN) of the user.

common-name Common name of the user.

email-adfs-1x E-mail address of the user when interoperating with AD FS 1.1 or ADFS 1.0.

group Group that the user is a member of.

upn-adfs-1x User principal name (UPN) of the user.

role Role that the user has.

sur-name Surname of the user

ppid Private identifier of the user.

name-identifier SAML name identifier of the user.

FortiOS 7.4.4 CLI Reference 1792

Fortinet Inc.
Parameter Description Type Size Default

Option Description

authentication- Method used to authenticate the user.

method

deny-only-group- Deny-only group SID of the user.

sid

deny-only- Deny-only primary SID of the user.

primary-sid

deny-only- Deny-only primary group SID of the user.

primary-group-
sid

group-sid Group SID of the user.

primary-group- Primary group SID of the user.

sid

primary-sid Primary SID of the user.

windows- Domain account name of the user in the form of <domain>\<user>.

account-name

group-name Group name in assertion statement. string Maximum

length: 255

idp-cert IDP Certificate name. string Maximum

length: 35

idp-entity-id IDP entity ID. string Maximum

length: 255

idp-single- IDP single logout url. string Maximum

logout-url length: 255

idp-single- IDP single sign-on URL. string Maximum

sign-on-url length: 255

limit- Enable/disable limiting of relay-state parameter when it option - disable

relaystate exceeds SAML 2.0 specification limits (80 bytes).

Option Description

enable Enable limiting of relay-state parameter when it exceeds SAML 2.0

specification limits (80 bytes).

disable Disable limiting of relay-state parameter when it exceeds SAML 2.0

specification limits (80 bytes).

name SAML server entry name. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 1793

Fortinet Inc.
Parameter Description Type Size Default

reauth Enable/disable signalling of IDP to force user re- option - disable

authentication.

Option Description

enable Enable signalling of IDP to force user re-authentication.

disable Disable signalling of IDP to force user re-authentication.

single-logout- SP single logout URL. string Maximum

url length: 255

single-sign- SP single sign-on URL. string Maximum

on-url length: 255

user-claim- User name claim in assertion statement. option - upn

type

Option Description

email E-mail address of the user.

given-name Given name of the user.

name Unique name of the user.

upn User principal name (UPN) of the user.

common-name Common name of the user.

email-adfs-1x E-mail address of the user when interoperating with AD FS 1.1 or ADFS 1.0.

group Group that the user is a member of.

upn-adfs-1x User principal name (UPN) of the user.

role Role that the user has.

sur-name Surname of the user

ppid Private identifier of the user.

name-identifier SAML name identifier of the user.

authentication- Method used to authenticate the user.

method

deny-only-group- Deny-only group SID of the user.

sid

deny-only- Deny-only primary SID of the user.

primary-sid

FortiOS 7.4.4 CLI Reference 1794

Fortinet Inc.
Parameter Description Type Size Default

Option Description

deny-only- Deny-only primary group SID of the user.

primary-group-
sid

group-sid Group SID of the user.

primary-group- Primary group SID of the user.

sid

primary-sid Primary SID of the user.

windows- Domain account name of the user in the form of <domain>\<user>.

account-name

user-name User name in assertion statement. string Maximum

length: 255

config user security-exempt-list

Configure security exemption list.

config user security-exempt-list
Description: Configure security exemption list.
edit <name>
set description {string}
config rule
Description: Configure rules for exempting users from captive portal
authentication.
edit <id>
set srcaddr <name1>, <name2>, ...
set dstaddr <name1>, <name2>, ...
set service <name1>, <name2>, ...
next
end
next
end

config user security-exempt-list

Parameter Description Type Size Default

description Description. string Maximum

length: 127

name Name of the exempt list. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 1795

Fortinet Inc.
config rule

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

srcaddr Source addresses or address groups. string Maximum

<name> Address or group name. length: 79

dstaddr Destination addresses or address groups. string Maximum

<name> Address or group name. length: 79

service Destination services. string Maximum

<name> Service name. length: 79

config user setting

Configure user authentication setting.

config user setting
Description: Configure user authentication setting.
set auth-blackout-time {integer}
set auth-ca-cert {string}
set auth-cert {string}
set auth-http-basic [enable|disable]
set auth-invalid-max {integer}
set auth-lockout-duration {integer}
set auth-lockout-threshold {integer}
set auth-on-demand [always|implicitly]
set auth-portal-timeout {integer}
config auth-ports
Description: Set up non-standard ports for authentication with HTTP, HTTPS, FTP, and
TELNET.
edit <id>
set type [http|https|...]
set port {integer}
next
end
set auth-secure-http [enable|disable]
set auth-src-mac [enable|disable]
set auth-ssl-allow-renegotiation [enable|disable]
set auth-ssl-max-proto-version [sslv3|tlsv1|...]
set auth-ssl-min-proto-version [default|SSLv3|...]
set auth-ssl-sigalgs [no-rsa-pss|all]
set auth-timeout {integer}
set auth-timeout-type [idle-timeout|hard-timeout|...]
set auth-type {option1}, {option2}, ...
set default-user-password-policy {string}
set per-policy-disclaimer [enable|disable]

FortiOS 7.4.4 CLI Reference 1796

Fortinet Inc.
set radius-ses-timeout-act [hard-timeout|ignore-timeout]
end

config user setting

Parameter Description Type Size Default

auth-blackout- Time in seconds an IP address is denied access integer Minimum 0

time after failing to authenticate five times within one value: 0
minute. Maximum
value: 3600

auth-ca-cert HTTPS CA certificate for policy authentication. string Maximum

length: 35

auth-cert HTTPS server certificate for policy authentication. string Maximum

length: 35

auth-http-basic Enable/disable use of HTTP basic authentication for option - disable

identity-based firewall policies.

Option Description

enable Enable setting.

disable Disable setting.

auth-invalid- Maximum number of failed authentication attempts integer Minimum 5

max before the user is blocked. value: 1
Maximum
value: 100

auth-lockout- Lockout period in seconds after too many login integer Minimum 0
duration failures. value: 0
Maximum
value:
4294967295

auth-lockout- Maximum number of failed login attempts before integer Minimum 3

threshold login lockout is triggered. value: 1
Maximum
value: 10

auth-on- Always/implicitly trigger firewall authentication on option - implicitly

demand demand.

Option Description

always Always trigger firewall authentication on demand.

implicitly Implicitly trigger firewall authentication on demand.

FortiOS 7.4.4 CLI Reference 1797

Fortinet Inc.
Parameter Description Type Size Default

auth-portal- Time in minutes before captive portal user have to integer Minimum 3
timeout re-authenticate. value: 1
Maximum
value: 30

auth-secure- Enable/disable redirecting HTTP user authentication option - disable

http to more secure HTTPS.

Option Description

enable Enable setting.

disable Disable setting.

auth-src-mac Enable/disable source MAC for user identity. option - enable

Option Description

enable Enable source MAC for user identity.

disable Disable source MAC for user identity.

auth-ssl-allow- Allow/forbid SSL re-negotiation for HTTPS option - disable

renegotiation authentication.

Option Description

enable Allow SSL re-negotiation.

disable Forbid SSL re-negotiation.

auth-ssl-max- Maximum supported protocol version for SSL/TLS option -

proto-version connections.

Option Description

sslv3 SSLv3.

tlsv1 TLSv1.

tlsv1-1 TLSv1.1.

tlsv1-2 TLSv1.2.

tlsv1-3 TLSv1.3.

auth-ssl-min- Minimum supported protocol version for SSL/TLS option - default

proto-version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

FortiOS 7.4.4 CLI Reference 1798

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

auth-ssl- Set signature algorithms related to HTTPS option - all

sigalgs authentication.

Option Description

no-rsa-pss Disable RSA-PSS signature algorithms for HTTPS authentication.

all Enable all supported signature algorithms for HTTPS authentication.

auth-timeout Time in minutes before the firewall user integer Minimum 5

authentication timeout requires the user to re- value: 1
authenticate. Maximum
value: 1440

auth-timeout- Control if authenticated users have to login again option - idle-

type after a hard timeout, after an idle timeout, or after a timeout
session timeout.

Option Description

idle-timeout Idle timeout.

hard-timeout Hard timeout.

new-session New session timeout.

auth-type Supported firewall policy authentication option - http https

protocols/methods. ftp telnet

Option Description

http Allow HTTP authentication.

https Allow HTTPS authentication.

ftp Allow FTP authentication.

telnet Allow TELNET authentication.

default-user- Default password policy to apply to all local users string Maximum
password- unless otherwise specified, as defined in config user length: 35
policy password-policy.

FortiOS 7.4.4 CLI Reference 1799

Fortinet Inc.
Parameter Description Type Size Default

per-policy- Enable/disable per policy disclaimer. option - disable

disclaimer

Option Description

enable Enable per policy disclaimer.

disable Disable per policy disclaimer.

radius-ses- Set the RADIUS session timeout to a hard timeout or option - hard-
timeout-act to ignore RADIUS server session timeouts. timeout

Option Description

hard-timeout Use session timeout from RADIUS as hard-timeout.

ignore-timeout Ignore session timeout from RADIUS.

config auth-ports

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

type Service type. option - http

Option Description

http HTTP service.

https HTTPS service.

ftp FTP service.

telnet TELNET service.

port Non-standard port for firewall user authentication. integer Minimum 1024
value: 1
Maximum
value: 65535

config user tacacs+

Configure TACACS+ server entries.

config user tacacs+
Description: Configure TACACS+ server entries.
edit <name>

FortiOS 7.4.4 CLI Reference 1800

Fortinet Inc.
set authen-type [mschap|chap|...]
set authorization [enable|disable]
set interface {string}
set interface-select-method [auto|sdwan|...]
set key {password}
set port {integer}
set secondary-key {password}
set secondary-server {string}
set server {string}
set source-ip {string}
set status-ttl {integer}
set tertiary-key {password}
set tertiary-server {string}
next
end

config user tacacs+

Parameter Description Type Size Default

authen-type Allowed authentication protocols/methods. option - auto

Option Description

mschap MSCHAP.

chap CHAP.

pap PAP.

ascii ASCII.

auto Use PAP, MSCHAP, and CHAP (in that order).

authorization Enable/disable TACACS+ authorization. option - disable

Option Description

enable Enable TACACS+ authorization.

disable Disable TACACS+ authorization.

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface- Specify how to select outgoing interface to reach option - auto

select-method server.

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

FortiOS 7.4.4 CLI Reference 1801

Fortinet Inc.
Parameter Description Type Size Default

key Key to access the primary server. password Not

Specified

name TACACS+ server entry name. string Maximum

length: 35

port Port number of the TACACS+ server. integer Minimum 49

value: 1
Maximum
value:
65535

secondary-key Key to access the secondary server. password Not

Specified

secondary- Secondary TACACS+ server CN domain name or IP string Maximum

server address. length: 63

server Primary TACACS+ server CN domain name or IP string Maximum

address. length: 63

source-ip Source IP address for communications to TACACS+ string Maximum

server. length: 63

status-ttl Time for which server reachability is cached so that integer Minimum 300
when a server is unreachable, it will not be retried for value: 0
at least this period of time. Maximum
value: 600

tertiary-key Key to access the tertiary server. password Not

Specified

tertiary-server Tertiary TACACS+ server CN domain name or IP string Maximum

address. length: 63

FortiOS 7.4.4 CLI Reference 1802

Fortinet Inc.
videofilter

This section includes syntax for the following commands:

l config videofilter keyword on page 1803
l config videofilter profile on page 1804
l config videofilter youtube-key on page 1807

config videofilter keyword

Configure video filter keywords.

config videofilter keyword
Description: Configure video filter keywords.
edit <id>
set comment {var-string}
set match [or|and]
set name {string}
config word
Description: List of keywords.
edit <name>
set comment {var-string}
set pattern-type [wildcard|regex]
set status [enable|disable]
next
end
next
end

config videofilter keyword

Parameter Description Type Size Default

comment Comment. var-string Maximum

length: 255

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

match Keyword matching logic. option - or

Option Description

or Match any keyword.

FortiOS 7.4.4 CLI Reference 1803

Fortinet Inc.
Parameter Description Type Size Default

Option Description

and Match all keywords.

name Name. string Maximum

length: 35

config word

Parameter Description Type Size Default

name Name. string Maximum

length: 79

comment Comment. var-string Maximum

length: 255

pattern-type Pattern type. option - wildcard

Option Description

wildcard Wildcard pattern.

regex Perl regular expression.

status Enable(consider)/disable(ignore) this keyword. option - enable

Option Description

enable Consider this keyword.

disable Ignore this keyword.

config videofilter profile

Configure VideoFilter profile.

config videofilter profile
Description: Configure VideoFilter profile.
edit <name>
set comment {var-string}
set dailymotion [enable|disable]
config filters
Description: YouTube filter entries.
edit <id>
set comment {var-string}
set type [category|channel|...]
set keyword {integer}
set category {string}
set channel {string}
set action [allow|monitor|...]
set log [enable|disable]

FortiOS 7.4.4 CLI Reference 1804

Fortinet Inc.
next
end
set replacemsg-group {string}
set vimeo [enable|disable]
set youtube [enable|disable]
next
end

config videofilter profile

Parameter Description Type Size Default

comment Comment. var-string Maximum

length: 255

dailymotion Enable/disable Dailymotion video source. option - enable

Option Description

enable Enable Dailymotion source.

disable Disable Dailymotion source.

name Name. string Maximum

length: 35

replacemsg- Replacement message group. string Maximum

group length: 35

vimeo Enable/disable Vimeo video source. option - enable

Option Description

enable Enable Vimeo source.

disable Disable Vimeo source.

youtube Enable/disable YouTube video source. option - enable

Option Description

enable Enable YouTube source.

disable Disable YouTube source.

FortiOS 7.4.4 CLI Reference 1805

Fortinet Inc.
config filters

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

comment Comment. var-string Maximum

length: 255

type Filter type. option - category

Option Description

category Filter videos by FortiGuard category.

channel Filter videos by channel ID.

title Filter videos by title.

description Filter videos by description.

keyword Video filter keyword ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category FortiGuard category ID. string Maximum

length: 7

channel Channel ID. string Maximum

length: 255

action Video filter action. option - monitor

Option Description

allow Allow videos to be accessed.

monitor Monitor videos.

block Block videos.

log Enable/disable logging. option - enable

Option Description

enable Enable logging.

disable Disable logging.

FortiOS 7.4.4 CLI Reference 1806

Fortinet Inc.
config videofilter youtube-key

Configure YouTube API keys.

config videofilter youtube-key
Description: Configure YouTube API keys.
edit <id>
set key {string}
next
end

config videofilter youtube-key

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

key Key. string Maximum

length: 47

FortiOS 7.4.4 CLI Reference 1807

Fortinet Inc.
virtual-patch

This section includes syntax for the following commands:

l config virtual-patch profile on page 1808

config virtual-patch profile

Configure virtual-patch profile.

config virtual-patch profile
Description: Configure virtual-patch profile.
edit <name>
set action [pass|block]
set comment {var-string}
config exemption
Description: Exempt devices or rules.
edit <id>
set status [enable|disable]
set rule <id1>, <id2>, ...
set device <mac1>, <mac2>, ...
next
end
set log [enable|disable]
set severity {option1}, {option2}, ...
next
end

config virtual-patch profile

Parameter Description Type Size Default

action Action (pass/block). option - block

Option Description

pass Allows session that match the profile.

block Blocks sessions that match the profile.

comment Comment. var-string Maximum

length: 255

log Enable/disable logging of detection. option - enable

Option Description

enable Enable logging.

FortiOS 7.4.4 CLI Reference 1808

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable logging.

name Profile name. string Maximum

length: 35

severity Relative severity of the signature (low, medium, high, option - low medium
critical). high critical

Option Description

low low

medium medium

high high

critical critical

config exemption

Parameter Description Type Size Default

id IDs. integer Minimum 0

value: 0
Maximum
value:
4294967295

status Enable/disable exemption. option - enable

Option Description

enable Enable exemption.

disable Disable exemption.

rule <id> Patch signature rule IDs. integer Minimum

Rule IDs. value: 0
Maximum
value:
4294967295

device <mac> Device MAC addresses. mac- Not Specified

Device MAC address. address

FortiOS 7.4.4 CLI Reference 1809

Fortinet Inc.
voip

This section includes syntax for the following commands:

l config voip profile on page 1810

config voip profile

Configure VoIP profiles.

config voip profile
Description: Configure VoIP profiles.
edit <name>
set comment {var-string}
set feature-set [ips|voipd]
config msrp
Description: MSRP.
set status [disable|enable]
set log-violations [disable|enable]
set max-msg-size {integer}
set max-msg-size-action [pass|block|...]
end
config sccp
Description: SCCP.
set status [disable|enable]
set block-mcast [disable|enable]
set verify-header [disable|enable]
set log-call-summary [disable|enable]
set log-violations [disable|enable]
set max-calls {integer}
end
config sip
Description: SIP.
set status [disable|enable]
set rtp [disable|enable]
set nat-port-range {user}
set open-register-pinhole [disable|enable]
set open-contact-pinhole [disable|enable]
set strict-register [disable|enable]
set register-rate {integer}
set register-rate-track [none|src-ip|...]
set invite-rate {integer}
set invite-rate-track [none|src-ip|...]
set max-dialogs {integer}
set max-line-length {integer}
set block-long-lines [disable|enable]
set block-unknown [disable|enable]
set call-keepalive {integer}
set block-ack [disable|enable]
set block-bye [disable|enable]
set block-cancel [disable|enable]

FortiOS 7.4.4 CLI Reference 1810

Fortinet Inc.
set block-info [disable|enable]
set block-invite [disable|enable]
set block-message [disable|enable]
set block-notify [disable|enable]
set block-options [disable|enable]
set block-prack [disable|enable]
set block-publish [disable|enable]
set block-refer [disable|enable]
set block-register [disable|enable]
set block-subscribe [disable|enable]
set block-update [disable|enable]
set register-contact-trace [disable|enable]
set open-via-pinhole [disable|enable]
set open-record-route-pinhole [disable|enable]
set rfc2543-branch [disable|enable]
set log-violations [disable|enable]
set log-call-summary [disable|enable]
set nat-trace [disable|enable]
set subscribe-rate {integer}
set subscribe-rate-track [none|src-ip|...]
set message-rate {integer}
set message-rate-track [none|src-ip|...]
set notify-rate {integer}
set notify-rate-track [none|src-ip|...]
set refer-rate {integer}
set refer-rate-track [none|src-ip|...]
set update-rate {integer}
set update-rate-track [none|src-ip|...]
set options-rate {integer}
set options-rate-track [none|src-ip|...]
set ack-rate {integer}
set ack-rate-track [none|src-ip|...]
set prack-rate {integer}
set prack-rate-track [none|src-ip|...]
set info-rate {integer}
set info-rate-track [none|src-ip|...]
set publish-rate {integer}
set publish-rate-track [none|src-ip|...]
set bye-rate {integer}
set bye-rate-track [none|src-ip|...]
set cancel-rate {integer}
set cancel-rate-track [none|src-ip|...]
set preserve-override [disable|enable]
set no-sdp-fixup [disable|enable]
set contact-fixup [disable|enable]
set max-idle-dialogs {integer}
set block-geo-red-options [disable|enable]
set hosted-nat-traversal [disable|enable]
set hnt-restrict-source-ip [disable|enable]
set call-id-regex {var-string}
set content-type-regex {var-string}
set max-body-length {integer}
set unknown-header [discard|pass|...]
set malformed-request-line [discard|pass|...]
set malformed-header-via [discard|pass|...]
set malformed-header-from [discard|pass|...]

FortiOS 7.4.4 CLI Reference 1811

Fortinet Inc.
set malformed-header-to [discard|pass|...]
set malformed-header-call-id [discard|pass|...]
set malformed-header-cseq [discard|pass|...]
set malformed-header-rack [discard|pass|...]
set malformed-header-rseq [discard|pass|...]
set malformed-header-contact [discard|pass|...]
set malformed-header-record-route [discard|pass|...]
set malformed-header-route [discard|pass|...]
set malformed-header-expires [discard|pass|...]
set malformed-header-content-type [discard|pass|...]
set malformed-header-content-length [discard|pass|...]
set malformed-header-max-forwards [discard|pass|...]
set malformed-header-allow [discard|pass|...]
set malformed-header-p-asserted-identity [discard|pass|...]
set malformed-header-no-require [discard|pass|...]
set malformed-header-no-proxy-require [discard|pass|...]
set malformed-header-sdp-v [discard|pass|...]
set malformed-header-sdp-o [discard|pass|...]
set malformed-header-sdp-s [discard|pass|...]
set malformed-header-sdp-i [discard|pass|...]
set malformed-header-sdp-c [discard|pass|...]
set malformed-header-sdp-b [discard|pass|...]
set malformed-header-sdp-z [discard|pass|...]
set malformed-header-sdp-k [discard|pass|...]
set malformed-header-sdp-a [discard|pass|...]
set malformed-header-sdp-t [discard|pass|...]
set malformed-header-sdp-r [discard|pass|...]
set malformed-header-sdp-m [discard|pass|...]
set provisional-invite-expiry-time {integer}
set ips-rtp [disable|enable]
set ssl-mode [off|full]
set ssl-send-empty-frags [enable|disable]
set ssl-client-renegotiation [allow|deny|...]
set ssl-algorithm [high|medium|...]
set ssl-pfs [require|deny|...]
set ssl-min-version [ssl-3.0|tls-1.0|...]
set ssl-max-version [ssl-3.0|tls-1.0|...]
set ssl-client-certificate {string}
set ssl-server-certificate {string}
set ssl-auth-client {string}
set ssl-auth-server {string}
end
next
end

config voip profile

Parameter Description Type Size Default

comment Comment. var-string Maximum

length: 255

feature-set IPS or voipd (SIP-ALG) inspection feature set. option - voipd

FortiOS 7.4.4 CLI Reference 1812

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ips IPS Engine feature set for ips-voip-filter.

voipd SIP ALG feature set for voip-profile.

name Profile name. string Maximum

length: 35

config msrp

Parameter Description Type Size Default

status Enable/disable MSRP. option - enable

Option Description

disable Disable status.

enable Enable status.

log-violations Enable/disable logging of MSRP violations. option - enable

Option Description

disable Disable status.

enable Enable status.

max-msg-size Maximum allowable MSRP message size. integer Minimum 0

value: 0
Maximum
value:
65535

max-msg- Action for violation of max-msg-size. option - pass

size-action

Option Description

pass Pass or allow matching traffic.

block Block or drop matching traffic.

reset Reset sessions for matching traffic.

monitor Pass and log matching traffic.

FortiOS 7.4.4 CLI Reference 1813

Fortinet Inc.
config sccp

Parameter Description Type Size Default

status Enable/disable SCCP. option - enable

Option Description

disable Disable status.

enable Enable status.

block-mcast Enable/disable block multicast RTP connections. option - disable

Option Description

disable Disable status.

enable Enable status.

verify-header Enable/disable verify SCCP header content. option - disable

Option Description

disable Disable status.

enable Enable status.

log-call- Enable/disable log summary of SCCP calls. option - disable

summary

Option Description

disable Disable status.

enable Enable status.

log-violations Enable/disable logging of SCCP violations. option - disable

Option Description

disable Disable status.

enable Enable status.

max-calls Maximum calls per minute per SCCP client (max integer Minimum 0
65535). value: 0
Maximum
value:
65535

FortiOS 7.4.4 CLI Reference 1814

Fortinet Inc.
config sip

Parameter Description Type Size Default

status Enable/disable SIP. option - enable

Option Description

disable Disable status.

enable Enable status.

rtp Enable/disable create pinholes for RTP traffic to option - enable

traverse firewall.

Option Description

disable Disable status.

enable Enable status.

nat-port-range RTP NAT port range. user Not Specified 5117-

65533

Fortinet Inc.
Parameter Description Type Size Default

register-rate- Track the packet protocol field. option - none

track

Option Description

none None.

src-ip Source IP.

dest-ip Destination IP.

invite-rate INVITE request rate limit (per second, per policy). integer Minimum 0
value: 0
Maximum
value:
4294967295

invite-rate-track Track the packet protocol field. option - none

Option Description

none None.

src-ip Source IP.

dest-ip Destination IP.

max-dialogs Maximum number of concurrent calls/dialogs (per integer Minimum 0

policy). value: 0
Maximum
value:
4294967295

max-line-length Maximum SIP header line length. integer Minimum 998

value: 78
Maximum
value: 4096

block-long- Enable/disable block requests with headers option - enable

block-message Enable/disable block MESSAGE requests. option - disable

FortiOS 7.4.4 CLI Reference 1817

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable status.

enable Enable status.

block-notify Enable/disable block NOTIFY requests. option - disable

Option Description

disable Disable status.

enable Enable status.

block-options Enable/disable block OPTIONS requests and no option - disable

OPTIONS as notifying message for redundancy
either.

Option Description

disable Disable status.

enable Enable status.

block-prack Enable/disable block prack requests. option - disable

Option Description

disable Disable status.

enable Enable status.

block-publish Enable/disable block PUBLISH requests. option - disable

disable Disable status.

enable Enable status.

block-update Enable/disable block UPDATE requests. option - disable

FortiOS 7.4.4 CLI Reference 1819

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable status.

enable Enable status.

log-violations Enable/disable logging of SIP violations. option - disable

Option Description

disable Disable status.

enable Enable status.

log-call- Enable/disable logging of SIP call summary. option - enable

summary

Option Description

disable Disable status.

enable Enable status.

nat-trace Enable/disable preservation of original IP in SDP i option - enable

line.

Option Description

disable Disable status.

enable Enable status.

subscribe-rate SUBSCRIBE request rate limit (per second, per integer Minimum 0
policy). value: 0
Maximum
value:
4294967295

subscribe-rate- Track the packet protocol field. option - none

track

Option Description

none None.

src-ip Source IP.

dest-ip Destination IP.

FortiOS 7.4.4 CLI Reference 1820

Fortinet Inc.
Parameter Description Type Size Default

Fortinet Inc.
Parameter Description Type Size Default

Fortinet Inc.
Parameter Description Type Size Default

prack-rate PRACK request rate limit (per second, per policy). integer Minimum 0
value: 0
Maximum
value:
4294967295

prack-rate- Track the packet protocol field. option - none

track

Option Description

none None.

src-ip Source IP.

Option Description

none None.

src-ip Source IP.

dest-ip Destination IP.

cancel-rate CANCEL request rate limit (per second, per policy). integer Minimum 0
value: 0
Maximum
value:
4294967295

cancel-rate- Track the packet protocol field. option - none

track

Option Description

none None.

src-ip Source IP.

dest-ip Destination IP.

preserve- Override i line to preserve original IPs. option - disable

override

Option Description

disable Disable status.

enable Enable status.

no-sdp-fixup Enable/disable no SDP fix-up. option - disable

Option Description

disable Disable status.

enable Enable status.

contact-fixup Fixup contact anyway even if contact's IP:port option - enable

doesn't match session's IP:port.

FortiOS 7.4.4 CLI Reference 1824

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable status.

enable Enable status.

disable Disable status.

enable Enable status.

call-id-regex Validate PCRE regular expression for Call-Id header var-string Maximum
value. length: 511

content-type- Validate PCRE regular expression for Content-Type var-string Maximum

regex header value. length: 511

max-body- Maximum SIP message body length (0 meaning no integer Minimum 0

length limit). value: 0
Maximum
value:
4294967295

pass Bypass malformed messages.

discard Discard malformed messages.

pass Bypass malformed messages.

discard Discard malformed messages.

pass Bypass malformed messages.

discard Discard malformed messages.

discard Discard malformed messages.

pass Bypass malformed messages.

respond Respond with error code.

malformed- Action for malformed SDP v line. option - pass

header-sdp-v

Option Description

discard Discard malformed messages.

pass Bypass malformed messages.

respond Respond with error code.

malformed- Action for malformed SDP o line. option - pass

header-sdp-o

Option Description

discard Discard malformed messages.

pass Bypass malformed messages.

respond Respond with error code.

malformed- Action for malformed SDP s line. option - pass

header-sdp-s

Option Description

discard Discard malformed messages.

pass Bypass malformed messages.

respond Respond with error code.

malformed- Action for malformed SDP i line. option - pass

header-sdp-i

FortiOS 7.4.4 CLI Reference 1830

respond Respond with error code.

provisional- Expiry time for provisional INVITE. integer Minimum 210

invite-expiry- value: 10
time Maximum
value: 3600

ips-rtp Enable/disable allow IPS on RTP. option - enable

Option Description

disable Disable status.

enable Enable status.

ssl-mode * SSL/TLS mode for encryption & decryption of traffic. option - off

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-max- Highest SSL/TLS version to negotiate. option - tls-1.3

version *

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-client- Name of Certificate to offer to server if requested. string Maximum

certificate * length: 35

ssl-server- Name of Certificate return to the client in every SSL string Maximum
certificate * connection. length: 35

ssl-auth-client * Require a client certificate and authenticate it with string Maximum

the peer/peergrp. length: 35

ssl-auth-server Authenticate the server's certificate with the string Maximum

* peer/peergrp. length: 35

* This parameter may not exist in some models.

FortiOS 7.4.4 CLI Reference 1834

Fortinet Inc.
vpn

This section includes syntax for the following commands:

l config vpn certificate ca on page 1835
l config vpn certificate crl on page 1837
l config vpn certificate local on page 1839
l config vpn certificate ocsp-server on page 1843
l config vpn certificate remote on page 1844
l config vpn certificate setting on page 1845
l config vpn ipsec concentrator on page 1850
l config vpn ipsec fec on page 1851
l config vpn ipsec forticlient on page 1853
l config vpn ipsec manualkey-interface on page 1853
l config vpn ipsec manualkey on page 1856
l config vpn ipsec phase1-interface on page 1858
l config vpn ipsec phase1 on page 1888
l config vpn ipsec phase2-interface on page 1913
l config vpn ipsec phase2 on page 1922
l config vpn kmip-server on page 1931
l config vpn l2tp on page 1933
l config vpn pptp on page 1934
l config vpn qkd on page 1935
l config vpn ssl client on page 1936
l config vpn ssl settings on page 1938
l config vpn ssl web host-check-software on page 1952
l config vpn ssl web portal on page 1954
l config vpn ssl web realm on page 1976
l config vpn ssl web user-bookmark on page 1977
l config vpn ssl web user-group-bookmark on page 1985

config vpn certificate ca

CA certificate.
config vpn certificate ca
Description: CA certificate.
edit <name>
set auto-update-days {integer}
set auto-update-days-warning {integer}
set ca {user}
set ca-identifier {string}
set est-url {string}

FortiOS 7.4.4 CLI Reference 1835

Fortinet Inc.
set fabric-ca [disable|enable]
set obsolete [disable|enable]
set range [global|vdom]
set scep-url {string}
set source [factory|user|...]
set source-ip {ipv4-address}
set ssl-inspection-trusted [enable|disable]
next
end

config vpn certificate ca

Parameter Description Type Size Default

auto-update- Number of days to wait before requesting an updated integer Minimum 0

days CA certificate. value: 0
Maximum
value:
4294967295

auto-update- Number of days before an expiry-warning message is integer Minimum 0

days-warning generated. value: 0
Maximum
value:
4294967295

ca CA certificate as a PEM file. user Not Specified

ca-identifier CA identifier of the SCEP server. string Maximum

length: 255

est-url URL of the EST server. string Maximum

length: 255

fabric-ca Enable/disable synchronization of CA across Security option - disable

Fabric.

Option Description

disable Disable synchronization of CA across Security Fabric.

enable Enable synchronization of CA across Security Fabric.

name Name. string Maximum

length: 79

obsolete Enable/disable this CA as obsoleted. option - disable

Option Description

disable Alive.

enable Obsolete.

FortiOS 7.4.4 CLI Reference 1836

Fortinet Inc.
Parameter Description Type Size Default

range Either global or VDOM IP address range for the CA option - vdom
certificate.

Option Description

global Global range.

vdom VDOM IP address range.

scep-url URL of the SCEP server. string Maximum

length: 255

source CA certificate source type. option - user

Option Description

factory Factory installed certificate.

user User generated certificate.

bundle Bundle file certificate.

source-ip Source IP address for communications to the SCEP ipv4- Not Specified 0.0.0.0
server. address

ssl- Enable/disable this CA as a trusted CA for SSL option - enable

inspection- inspection.
trusted

Option Description

enable Trusted CA for SSL inspection.

disable Untrusted CA for SSL inspection.

config vpn certificate crl

Certificate Revocation List as a PEM file.

config vpn certificate crl
Description: Certificate Revocation List as a PEM file.
edit <name>
set crl {user}
set http-url {string}
set ldap-password {password}
set ldap-server {string}
set ldap-username {string}
set range [global|vdom]
set scep-cert {string}
set scep-url {string}
set source [factory|user|...]
set source-ip {ipv4-address}
set update-interval {integer}

FortiOS 7.4.4 CLI Reference 1837

Fortinet Inc.
set update-vdom {string}
next
end

config vpn certificate crl

Parameter Description Type Size Default

crl Certificate Revocation List as a PEM file. user Not Specified

http-url HTTP server URL for CRL auto-update. string Maximum

length: 255

ldap- LDAP server user password. password Not Specified

password

ldap-server LDAP server name for CRL auto-update. string Maximum

length: 35

ldap- LDAP server user name. string Maximum

username length: 63

name Name. string Maximum

length: 35

range Either global or VDOM IP address range for the option - vdom
certificate.

Option Description

global Global range.

vdom VDOM IP address range.

scep-cert Local certificate for SCEP communication for CRL string Maximum Fortinet_
auto-update. length: 35 CA_SSL

scep-url SCEP server URL for CRL auto-update. string Maximum

length: 255

source Certificate source type. option - user

Option Description

factory Factory installed certificate.

user User generated certificate.

bundle Bundle file certificate.

source-ip Source IP address for communications to a HTTP or ipv4- Not Specified 0.0.0.0
SCEP CA server. address

FortiOS 7.4.4 CLI Reference 1838

Fortinet Inc.
Parameter Description Type Size Default

update- Time in seconds before the FortiGate checks for an integer Minimum 0
interval updated CRL. Set to 0 to update only when it expires. value: 0
Maximum
value:
4294967295

update-vdom VDOM for CRL update. string Maximum root

length: 31

config vpn certificate local

Local keys and certificates.

config vpn certificate local
Description: Local keys and certificates.
edit <name>
set acme-ca-url {string}
set acme-domain {string}
set acme-email {string}
set acme-renew-window {integer}
set acme-rsa-key-size {integer}
set auto-regenerate-days {integer}
set auto-regenerate-days-warning {integer}
set ca-identifier {string}
set certificate {user}
set cmp-path {string}
set cmp-regeneration-method [keyupate|renewal]
set cmp-server {string}
set cmp-server-cert {string}
set comments {string}
set csr {user}
set enroll-protocol [none|scep|...]
set est-ca-id {string}
set est-client-cert {string}
set est-http-password {string}
set est-http-username {string}
set est-server {string}
set est-server-cert {string}
set est-srp-password {string}
set est-srp-username {string}
set ike-localid {string}
set ike-localid-type [asn1dn|fqdn]
set name-encoding [printable|utf8]
set password {password}
set private-key {user}
set private-key-retain [enable|disable]
set range [global|vdom]
set scep-password {password}
set scep-url {string}
set source [factory|user|...]
set source-ip {ipv4-address}
set state {user}

FortiOS 7.4.4 CLI Reference 1839

Fortinet Inc.
next
end

config vpn certificate local

Parameter Description Type Size Default

acme-ca-url The URL for the ACME CA string Maximum https://acme-

server. length: 255 v02.api.letsencrypt.org/directory

acme-domain A valid domain that resolves string Maximum

to this FortiGate unit. length: 255

acme-email Contact email address that is string Maximum

required by some CAs like length: 255
LetsEncrypt.

acme-renew- Beginning of the renewal integer Minimum 30

window window. value: 1
Maximum
value: 100

acme-rsa-key- Length of the RSA private key integer Minimum 2048

size of the generated cert value: 2048
(Minimum 2048 bits). Maximum
value: 4096

auto- Number of days to wait integer Minimum 0

regenerate- before expiry of an updated value: 0
days local certificate is requested Maximum
(0 = disabled). value:
4294967295

auto- Number of days to wait integer Minimum 0

regenerate- before an expiry warning value: 0
days-warning message is generated (0 = Maximum
disabled). value:
4294967295

ca-identifier CA identifier of the CA server string Maximum

for signing via SCEP. length: 255

certificate PEM format certificate. user Not Specified

cmp-path Path location inside CMP string Maximum

server. length: 255

cmp- CMP auto-regeneration option - keyupate

regeneration- method.
method

FortiOS 7.4.4 CLI Reference 1840

Fortinet Inc.
Parameter Description Type Size Default

Option Description

keyupate Key Update.

renewal Renewal.

cmp-server Address and port for CMP string Maximum

server (format = length: 63
address:port).

cmp-server- CMP server certificate. string Maximum

cert length: 79

comments Comment. string Maximum

length: 511

csr Certificate Signing Request. user Not Specified

enroll-protocol Certificate enrollment option - none

protocol.

Option Description

none None (default).

scep Simple Certificate Enrollment Protocol.

cmpv2 Certificate Management Protocol Version 2.

acme2 Automated Certificate Management Environment Version 2.

est Enrollment over Secure Transport.

est-ca-id CA identifier of the CA server string Maximum

for signing via EST. length: 255

est-client-cert Certificate used to string Maximum

authenticate this FortiGate to length: 79
EST server.

est-http- HTTP Authentication string Maximum

password password for signing via EST. length: 63

est-http- HTTP Authentication string Maximum

username username for signing via length: 63
EST.

est-server Address and port for EST string Maximum

server (e.g. length: 255
https://example.com:1234).

est-server-cert EST server's certificate must string Maximum

be verifiable by this certificate length: 79
to be authenticated.

FortiOS 7.4.4 CLI Reference 1841

Fortinet Inc.
Parameter Description Type Size Default

est-srp- EST SRP authentication string Maximum

password password. length: 63

est-srp- EST SRP authentication string Maximum

username username. length: 63

ike-localid Local ID the FortiGate uses string Maximum

for authentication as a VPN length: 63
client.

ike-localid-type IKE local ID type. option - asn1dn

Option Description

asn1dn ASN.1 distinguished name.

fqdn Fully qualified domain name.

name Name. string Maximum

length: 35

name-encoding Name encoding method for option - printable

auto-regeneration.

Option Description

printable Printable encoding (default).

utf8 UTF-8 encoding.

password Password as a PEM file. password Not Specified

private-key PEM format key encrypted user Not Specified

with a password.

private-key- Enable/disable retention of option - disable

retain private key during SCEP
renewal.

Option Description

enable Keep the existing private key during SCEP renewal.

disable Generate a new private key during SCEP renewal.

range Either a global or VDOM IP option - vdom

address range for the
certificate.

Option Description

global Global range.

vdom VDOM IP address range.

FortiOS 7.4.4 CLI Reference 1842

Fortinet Inc.
Parameter Description Type Size Default

scep-password SCEP server challenge password Not Specified

password for auto-
regeneration.

scep-url SCEP server URL. string Maximum

length: 255

source Certificate source type. option - user

Option Description

factory Factory installed certificate.

user User generated certificate.

bundle Bundle file certificate.

source-ip Source IP address for ipv4- Not Specified 0.0.0.0

communications to the SCEP address
server.

state Certificate Signing Request user Not Specified

State.

config vpn certificate ocsp-server

OCSP server configuration.

config vpn certificate ocsp-server
Description: OCSP server configuration.
edit <name>
set cert {string}
set secondary-cert {string}
set secondary-url {string}
set source-ip {string}
set unavail-action [revoke|ignore]
set url {string}
next
end

config vpn certificate ocsp-server

Parameter Description Type Size Default

cert OCSP server certificate. string Maximum

length: 127

name OCSP server entry name. string Maximum

length: 35

FortiOS 7.4.4 CLI Reference 1843

Fortinet Inc.
Parameter Description Type Size Default

secondary- Secondary OCSP server certificate. string Maximum

cert length: 127

secondary-url Secondary OCSP server URL. string Maximum

length: 127

source-ip Source IP address for dynamic AIA and OCSP queries. string Maximum
length: 63

unavail-action Action when server is unavailable (revoke the certificate option - revoke
or ignore the result of the check).

Option Description

revoke Revoke certificate if server is unavailable.

ignore Ignore OCSP check if server is unavailable.

url OCSP server URL. string Maximum

length: 127

config vpn certificate remote

Remote certificate as a PEM file.

config vpn certificate remote
Description: Remote certificate as a PEM file.
edit <name>
set range [global|vdom]
set remote {user}
set source [factory|user|...]
next
end

config vpn certificate remote

Parameter Description Type Size Default

name Name. string Maximum

length: 35

range Either the global or VDOM IP address range for the option - vdom
remote certificate.

Option Description

global Global range.

vdom VDOM IP address range.

FortiOS 7.4.4 CLI Reference 1844

Fortinet Inc.
Parameter Description Type Size Default

remote Remote certificate. user Not

Specified

source Remote certificate source type. option - user

Option Description

factory Factory installed certificate.

user User generated certificate.

bundle Bundle file certificate.

config vpn certificate setting

VPN certificate setting.

config vpn certificate setting
Description: VPN certificate setting.
set cert-expire-warning {integer}
set certname-dsa1024 {string}
set certname-dsa2048 {string}
set certname-ecdsa256 {string}
set certname-ecdsa384 {string}
set certname-ecdsa521 {string}
set certname-ed25519 {string}
set certname-ed448 {string}
set certname-rsa1024 {string}
set certname-rsa2048 {string}
set certname-rsa4096 {string}
set check-ca-cert [enable|disable]
set check-ca-chain [enable|disable]
set cmp-key-usage-checking [enable|disable]
set cmp-save-extra-certs [enable|disable]
set cn-allow-multi [disable|enable]
set cn-match [substring|value]
config crl-verification
Description: CRL verification options.
set expiry [ignore|revoke]
set leaf-crl-absence [ignore|revoke]
set chain-crl-absence [ignore|revoke]
end
set interface {string}
set interface-select-method [auto|sdwan|...]
set ocsp-default-server {string}
set ocsp-option [certificate|server]
set ocsp-status [enable|mandatory|...]
set proxy {string}
set proxy-password {password}
set proxy-port {integer}
set proxy-username {string}
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]

FortiOS 7.4.4 CLI Reference 1845

Fortinet Inc.
set strict-ocsp-check [enable|disable]
set subject-match [substring|value]
set subject-set [subset|superset]
end

config vpn certificate setting

Parameter Description Type Size Default

cert-expire- Number of days before a certificate expires to send a integer Minimum 14

warning warning. Set to 0 to disable sending of the warning. value: 0
Maximum
value: 100

certname- 1024 bit DSA key certificate for re-signing server string Maximum Fortinet_
dsa1024 certificates for SSL inspection. length: 35 SSL_
DSA1024

certname- 2048 bit DSA key certificate for re-signing server string Maximum Fortinet_
dsa2048 certificates for SSL inspection. length: 35 SSL_
DSA2048

certname- 256 bit ECDSA key certificate for re-signing server string Maximum Fortinet_
ecdsa256 certificates for SSL inspection. length: 35 SSL_
ECDSA256

certname- 384 bit ECDSA key certificate for re-signing server string Maximum Fortinet_
ecdsa384 certificates for SSL inspection. length: 35 SSL_
ECDSA384

certname- 521 bit ECDSA key certificate for re-signing server string Maximum Fortinet_
ecdsa521 certificates for SSL inspection. length: 35 SSL_
ECDSA521

certname- 253 bit EdDSA key certificate for re-signing server string Maximum Fortinet_
ed25519 certificates for SSL inspection. length: 35 SSL_
ED25519

certname- 456 bit EdDSA key certificate for re-signing server string Maximum Fortinet_
ed448 certificates for SSL inspection. length: 35 SSL_ED448

certname- 1024 bit RSA key certificate for re-signing server string Maximum Fortinet_
rsa1024 certificates for SSL inspection. length: 35 SSL_
RSA1024

how to do CN value matching with certificate subject
name.

FortiOS 7.4.4 CLI Reference 1847

Fortinet Inc.
Parameter Description Type Size Default

Option Description

substring Find a match if the name being searched for is a part or the same as a
certificate CN.

value Find a match if the name being searched for is same as a certificate CN.

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface- Specify how to select outgoing interface to reach option - auto

select-method server.

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

ocsp-default- Default OCSP server. string Maximum

server length: 35

ocsp-option Specify whether the OCSP URL is from certificate or option - server
configured OCSP server.

Option Description

certificate Use URL from certificate.

server Use URL from configured OCSP server.

ocsp-status Enable/disable receiving certificates using the OCSP. option - disable

Option Description

enable OCSP is performed if CRL is not checked.

mandatory If cert is not revoked by CRL, OCSP is performed.

disable OCSP is not performed.

proxy Proxy server FQDN or IP for OCSP/CA queries during string Maximum
certificate verification. length: 127

proxy- Proxy server password. password Not

password Specified

FortiOS 7.4.4 CLI Reference 1848

Fortinet Inc.
Parameter Description Type Size Default

proxy-port Proxy server port. integer Minimum 8080

value: 1
Maximum
value:
65535

proxy- Proxy server user name. string Maximum

username length: 63

source-ip Source IP address for dynamic AIA and OCSP string Maximum
queries. length: 63

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

strict-ocsp- Enable/disable strict mode OCSP checking. option - disable

check

Option Description

enable Enable strict mode OCSP checking.

disable Disable strict mode OCSP checking.

subject-match When searching for a matching certificate, control option - substring

how to do RDN value matching with certificate subject
name.

Option Description

substring Find a match if the name being searched for is a part or the same as a
certificate subject RDN.

value Find a match if the name being searched for is same as a certificate subject
RDN.

subject-set When searching for a matching certificate, control option - subset

how to do RDN set matching with certificate subject
name.

FortiOS 7.4.4 CLI Reference 1849

Fortinet Inc.
Parameter Description Type Size Default

Option Description

subset Find a match if the name being searched for is a subset of a certificate subject.

superset Find a match if the name being searched for is a superset of a certificate
subject.

config crl-verification

Parameter Description Type Size Default

expiry CRL verification option when CRL is expired. option - ignore

Concentrator configuration.
config vpn ipsec concentrator
Description: Concentrator configuration.
edit <id>
set member <name1>, <name2>, ...
set name {string}
set src-check [disable|enable]
next
end

FortiOS 7.4.4 CLI Reference 1850

Fortinet Inc.
config vpn ipsec concentrator

Parameter Description Type Size Default

id Concentrator ID. integer Minimum 0

value: 1
Maximum
value:
65535

member Names of up to 3 VPN tunnels to add to the string Maximum

<name> concentrator. length: 79
Member name.

name Concentrator name. string Maximum

length: 35

src-check Enable to check source address of phase 2 selector. option - disable

Disable to check only the destination selector.

Option Description

disable Ignore source selector when choosing tunnel.

enable Use source selector to choose tunnel.

config vpn ipsec fec

Configure Forward Error Correction (FEC) mapping profiles.

config vpn ipsec fec
Description: Configure Forward Error Correction (FEC) mapping profiles.
edit <name>
config mappings
Description: FEC redundancy mapping table.
edit <seqno>
set base {integer}
set redundant {integer}
set packet-loss-threshold {integer}
set latency-threshold {integer}
set bandwidth-up-threshold {integer}
set bandwidth-down-threshold {integer}
set bandwidth-bi-threshold {integer}
next
end
next
end

FortiOS 7.4.4 CLI Reference 1851

Fortinet Inc.
config vpn ipsec fec

Parameter Description Type Size Default

name Profile name. string Maximum

length: 35

config mappings

Parameter Description Type Size Default

seqno Sequence number. integer Minimum 0

value: 0
Maximum
value: 64

base Number of base FEC packets. integer Minimum 0

value: 1
Maximum
value: 20

redundant Number of redundant FEC packets. integer Minimum 0

value: 1
Maximum
value: 5

packet-loss- Apply FEC parameters when packet loss is >= integer Minimum 0
threshold threshold. value: 0
Maximum
value: 100

latency- Apply FEC parameters when latency is <= threshold integer Minimum 0
threshold (0 means no threshold). value: 0
Maximum
value:
4294967295

bandwidth- Apply FEC parameters when available up bandwidth integer Minimum 0

up-threshold is >= threshold (kbps, 0 means no threshold). value: 0
Maximum
value:
4294967295

bandwidth- Apply FEC parameters when available down integer Minimum 0

down- bandwidth is >= threshold (kbps, 0 means no value: 0
threshold threshold). Maximum
value:
4294967295

FortiOS 7.4.4 CLI Reference 1852

Fortinet Inc.
Parameter Description Type Size Default

bandwidth-bi- Apply FEC parameters when available bi-bandwidth integer Minimum 0

threshold is >= threshold (kbps, 0 means no threshold). value: 0
Maximum
value:
4294967295

config vpn ipsec forticlient

Configure FortiClient policy realm.

config vpn ipsec forticlient
Description: Configure FortiClient policy realm.
edit <realm>
set phase2name {string}
set status [enable|disable]
set usergroupname {string}
next
end

config vpn ipsec forticlient

Parameter Description Type Size Default

phase2name Phase 2 tunnel name that you defined in the string Maximum
FortiClient dialup configuration. length: 35

realm FortiClient realm name. string Maximum

length: 35

status Enable/disable this FortiClient configuration. option - enable

Option Description

enable Enable setting.

disable Disable setting.

usergroupname User group name for FortiClient users. string Maximum

length: 35

config vpn ipsec manualkey-interface

Configure IPsec manual keys.

config vpn ipsec manualkey-interface
Description: Configure IPsec manual keys.
edit <name>
set addr-type [4|6]
set auth-alg [null|md5|...]

FortiOS 7.4.4 CLI Reference 1853

Fortinet Inc.
set auth-key {user}
set enc-alg [null|des|...]
set enc-key {user}
set interface {string}
set ip-version [4|6]
set local-gw {ipv4-address-any}
set local-gw6 {ipv6-address}
set local-spi {user}
set npu-offload [enable|disable]
set remote-gw {ipv4-address}
set remote-gw6 {ipv6-address}
set remote-spi {user}
next
end

config vpn ipsec manualkey-interface

Parameter Description Type Size Default

addr-type IP version to use for IP packets. option - 4

Option Description

4 Use IPv4 addressing for IP packets.

6 Use IPv6 addressing for IP packets.

auth-alg Authentication algorithm. Must be the same for both option - null
ends of the tunnel.

Option Description

null null

md5 md5

sha1 sha1

sha256 sha256

sha384 sha384

sha512 sha512

auth-key Hexadecimal authentication key in 16-digit (8-byte) user Not

segments separated by hyphens. Specified

enc-alg Encryption algorithm. Must be the same for both ends of option - null
the tunnel.

Option Description

null null

des des

FortiOS 7.4.4 CLI Reference 1854

Fortinet Inc.
Parameter Description Type Size Default

Option Description

3des 3des

aes128 aes128

aes192 aes192

aes256 aes256

aria128 aria128

aria192 aria192

aria256 aria256

seed seed

enc-key Hexadecimal encryption key in 16-digit (8-byte) user Not

segments separated by hyphens. Specified

interface Name of the physical, aggregate, or VLAN interface. string Maximum

length: 15

ip-version IP version to use for VPN interface. option - 4

Option Description

4 Use IPv4 addressing for gateways.

6 Use IPv6 addressing for gateways.

local-gw IPv4 address of the local gateway's external interface. ipv4- Not 0.0.0.0
address- Specified
any

local-gw6 Local IPv6 address of VPN gateway. ipv6- Not ::

address Specified

local-spi Local SPI, a hexadecimal 8-digit (4-byte) tag. Discerns user Not
between two traffic streams with different encryption Specified
rules.

name IPsec tunnel name. string Maximum

length: 15

npu-offload * Enable/disable offloading IPsec VPN manual key option - enable

sessions to NPUs.

Option Description

enable Enable NPU offloading.

disable Disable NPU offloading.

FortiOS 7.4.4 CLI Reference 1855

Fortinet Inc.
Parameter Description Type Size Default

remote-gw IPv4 address of the remote gateway's external ipv4- Not 0.0.0.0
interface. address Specified

remote-gw6 Remote IPv6 address of VPN gateway. ipv6- Not ::

address Specified

remote-spi Remote SPI, a hexadecimal 8-digit (4-byte) tag. user Not

Discerns between two traffic streams with different Specified
encryption rules.

* This parameter may not exist in some models.

config vpn ipsec manualkey

Configure IPsec manual keys.

config vpn ipsec manualkey
Description: Configure IPsec manual keys.
edit <name>
set authentication [null|md5|...]
set authkey {user}
set enckey {user}
set encryption [null|des|...]
set interface {string}
set local-gw {ipv4-address-any}
set localspi {user}
set npu-offload [enable|disable]
set remote-gw {ipv4-address}
set remotespi {user}
next
end

config vpn ipsec manualkey

Parameter Description Type Size Default

authentication Authentication algorithm. Must be the same for both option - null
ends of the tunnel.

Option Description

null Null.

md5 MD5.

sha1 SHA1.

sha256 SHA256.

sha384 SHA384.

sha512 SHA512.

FortiOS 7.4.4 CLI Reference 1856

Fortinet Inc.
Parameter Description Type Size Default

authkey Hexadecimal authentication key in 16-digit (8-byte) user Not

segments separated by hyphens. Specified

enckey Hexadecimal encryption key in 16-digit (8-byte) user Not

segments separated by hyphens. Specified

encryption Encryption algorithm. Must be the same for both ends option - null
of the tunnel.

Option Description

null Null.

des DES.

3des 3DES.

aes128 AES128.

aes192 AES192.

aes256 AES256.

aria128 ARIA128.

aria192 ARIA192.

aria256 ARIA256.

seed Seed.

interface Name of the physical, aggregate, or VLAN interface. string Maximum

length: 15

local-gw Local gateway. ipv4- Not 0.0.0.0

address- Specified
any

localspi Local SPI, a hexadecimal 8-digit (4-byte) tag. user Not

Discerns between two traffic streams with different Specified
encryption rules.

name IPsec tunnel name. string Maximum

length: 35

npu-offload * Enable/disable NPU offloading. option - enable

Option Description

enable Enable NPU offloading.

disable Disable NPU offloading.

remote-gw Peer gateway. ipv4- Not 0.0.0.0

address Specified

FortiOS 7.4.4 CLI Reference 1857

Fortinet Inc.
Parameter Description Type Size Default

remotespi Remote SPI, a hexadecimal 8-digit (4-byte) tag. user Not

Discerns between two traffic streams with different Specified
encryption rules.

* This parameter may not exist in some models.

config vpn ipsec phase1-interface

Configure VPN remote gateway.

config vpn ipsec phase1-interface
Description: Configure VPN remote gateway.
edit <name>
set acct-verify [enable|disable]
set add-gw-route [enable|disable]
set add-route [disable|enable]
set aggregate-member [enable|disable]
set aggregate-weight {integer}
set assign-ip [disable|enable]
set assign-ip-from [range|usrgrp|...]
set authmethod [psk|signature]
set authmethod-remote [psk|signature]
set authpasswd {password}
set authusr {string}
set authusrgrp {string}
set auto-discovery-crossover [allow|block]
set auto-discovery-forwarder [enable|disable]
set auto-discovery-offer-interval {integer}
set auto-discovery-psk [enable|disable]
set auto-discovery-receiver [enable|disable]
set auto-discovery-sender [enable|disable]
set auto-discovery-shortcuts [independent|dependent]
set auto-negotiate [enable|disable]
set azure-ad-autoconnect [enable|disable]
set backup-gateway <address1>, <address2>, ...
set banner {var-string}
set cert-id-validation [enable|disable]
set cert-peer-username-strip [disable|enable]
set cert-peer-username-validation [none|othername|...]
set cert-trust-store [local|ems]
set certificate <name1>, <name2>, ...
set childless-ike [enable|disable]
set client-auto-negotiate [disable|enable]
set client-keep-alive [disable|enable]
set client-resume [enable|disable]
set client-resume-interval {integer}
set comments {var-string}
set default-gw {ipv4-address}
set default-gw-priority {integer}
set dev-id {string}
set dev-id-notification [disable|enable]
set dhcp-ra-giaddr {ipv4-address}

FortiOS 7.4.4 CLI Reference 1858

Fortinet Inc.
set dhcp6-ra-linkaddr {ipv6-address}
set dhgrp {option1}, {option2}, ...
set digital-signature-auth [enable|disable]
set distance {integer}
set dns-mode [manual|auto]
set domain {string}
set dpd [disable|on-idle|...]
set dpd-retrycount {integer}
set dpd-retryinterval {user}
set eap [enable|disable]
set eap-cert-auth [enable|disable]
set eap-exclude-peergrp {string}
set eap-identity [use-id-payload|send-request]
set ems-sn-check [enable|disable]
set encap-local-gw4 {ipv4-address}
set encap-local-gw6 {ipv6-address}
set encap-remote-gw4 {ipv4-address}
set encap-remote-gw6 {ipv6-address}
set encapsulation [none|gre|...]
set encapsulation-address [ike|ipv4|...]
set enforce-unique-id [disable|keep-new|...]
set esn [require|allow|...]
set exchange-fgt-device-id [enable|disable]
set exchange-interface-ip [enable|disable]
set exchange-ip-addr4 {ipv4-address}
set exchange-ip-addr6 {ipv6-address}
set fallback-tcp-threshold {integer}
set fec-base {integer}
set fec-codec [rs|xor]
set fec-egress [enable|disable]
set fec-health-check {string}
set fec-ingress [enable|disable]
set fec-mapping-profile {string}
set fec-receive-timeout {integer}
set fec-redundant {integer}
set fec-send-timeout {integer}
set fgsp-sync [enable|disable]
set fortinet-esp [enable|disable]
set fragmentation [enable|disable]
set fragmentation-mtu {integer}
set group-authentication [enable|disable]
set group-authentication-secret {password-3}
set ha-sync-esp-seqno [enable|disable]
set idle-timeout [enable|disable]
set idle-timeoutinterval {integer}
set ike-version [1|2]
set inbound-dscp-copy [enable|disable]
set include-local-lan [disable|enable]
set interface {string}
set internal-domain-list <domain-name1>, <domain-name2>, ...
set ip-delay-interval {integer}
set ip-fragmentation [pre-encapsulation|post-encapsulation]
set ip-version [4|6]
set ipv4-dns-server1 {ipv4-address}
set ipv4-dns-server2 {ipv4-address}
set ipv4-dns-server3 {ipv4-address}

FortiOS 7.4.4 CLI Reference 1859

Fortinet Inc.
set ipv4-end-ip {ipv4-address}
config ipv4-exclude-range
Description: Configuration Method IPv4 exclude ranges.
edit <id>
set start-ip {ipv4-address}
set end-ip {ipv4-address}
next
end
set ipv4-name {string}
set ipv4-netmask {ipv4-netmask}
set ipv4-split-exclude {string}
set ipv4-split-include {string}
set ipv4-start-ip {ipv4-address}
set ipv4-wins-server1 {ipv4-address}
set ipv4-wins-server2 {ipv4-address}
set ipv6-dns-server1 {ipv6-address}
set ipv6-dns-server2 {ipv6-address}
set ipv6-dns-server3 {ipv6-address}
set ipv6-end-ip {ipv6-address}
config ipv6-exclude-range
Description: Configuration method IPv6 exclude ranges.
edit <id>
set start-ip {ipv6-address}
set end-ip {ipv6-address}
next
end
set ipv6-name {string}
set ipv6-prefix {integer}
set ipv6-split-exclude {string}
set ipv6-split-include {string}
set ipv6-start-ip {ipv6-address}
set keepalive {integer}
set keylife {integer}
set kms {string}
set link-cost {integer}
set local-gw {ipv4-address}
set local-gw6 {ipv6-address}
set localid {string}
set localid-type [auto|fqdn|...]
set loopback-asymroute [enable|disable]
set mesh-selector-type [disable|subnet|...]
set mode [aggressive|main]
set mode-cfg [disable|enable]
set mode-cfg-allow-client-selector [disable|enable]
set monitor <name1>, <name2>, ...
set monitor-hold-down-delay {integer}
set monitor-hold-down-time {user}
set monitor-hold-down-type [immediate|delay|...]
set monitor-hold-down-weekday [everyday|sunday|...]
set monitor-min {integer}
set nattraversal [enable|disable|...]
set negotiate-timeout {integer}
set net-device [enable|disable]
set network-id {integer}
set network-overlay [disable|enable]
set npu-offload [enable|disable]

FortiOS 7.4.4 CLI Reference 1860

Fortinet Inc.
set packet-redistribution [enable|disable]
set passive-mode [enable|disable]
set peer {string}
set peergrp {string}
set peerid {string}
set peertype [any|one|...]
set ppk [disable|allow|...]
set ppk-identity {string}
set ppk-secret {password-3}
set priority {integer}
set proposal {option1}, {option2}, ...
set psksecret {password-3}
set psksecret-remote {password-3}
set qkd [disable|allow|...]
set qkd-profile {string}
set reauth [disable|enable]
set rekey [enable|disable]
set remote-gw {ipv4-address}
set remote-gw-country {string}
set remote-gw-end-ip {ipv4-address-any}
set remote-gw-match [any|ipmask|...]
set remote-gw-start-ip {ipv4-address-any}
set remote-gw-subnet {ipv4-classnet-any}
set remote-gw6 {ipv6-address}
set remote-gw6-country {string}
set remote-gw6-end-ip {ipv6-address}
set remote-gw6-match [any|ipprefix|...]
set remote-gw6-start-ip {ipv6-address}
set remote-gw6-subnet {ipv6-network}
set remotegw-ddns {string}
set rsa-signature-format [pkcs1|pss]
set rsa-signature-hash-override [enable|disable]
set save-password [disable|enable]
set send-cert-chain [enable|disable]
set signature-hash-alg {option1}, {option2}, ...
set split-include-service {string}
set suite-b [disable|suite-b-gcm-128|...]
set transport [udp|udp-fallback-tcp|...]
set type [static|dynamic|...]
set unity-support [disable|enable]
set usrgrp {string}
set vni {integer}
set wizard-type [custom|dialup-forticlient|...]
set xauthtype [disable|client|...]
next
end

config vpn ipsec phase1-interface

Parameter Description Type Size Default

enable Enable use as an aggregate member.

disable Disable use as an aggregate member.

aggregate- Link weight for aggregate. integer Minimum 1

weight value: 1
Maximum
value: 100

assign-ip Enable/disable assignment of IP to IPsec option - enable

interface via configuration method.

Option Description

disable Do not assign an IP address to the IPsec interface.

enable Assign an IP address to the IPsec interface.

assign-ip-from Method by which the IP address will be option - range

assigned.

FortiOS 7.4.4 CLI Reference 1862

Fortinet Inc.
Parameter Description Type Size Default

Option Description

range Assign IP address from locally defined range.

usrgrp Assign IP address via user group.

dhcp Assign IP address via DHCP.

name Assign IP address from firewall address or group.

authmethod Authentication method. option - psk

Option Description

psk PSK authentication method.

signature Signature authentication method.

authmethod- Authentication method (remote side). option -

remote

Option Description

psk PSK authentication method.

signature Signature authentication method.

authpasswd XAuth password (max 35 characters). password Not Specified

authusr XAuth user name. string Maximum

length: 64

authusrgrp Authentication user group. string Maximum

length: 35

auto-discovery- Allow/block set-up of short-cut tunnels option - allow

crossover between different network IDs.

Option Description

allow Allow set-up of short-cut tunnels between different network IDs.

block Block set-up of short-cut tunnels between different network IDs.

auto-discovery- Enable/disable forwarding auto-discovery option - disable

forwarder short-cut messages.

Option Description

enable Enable forwarding auto-discovery short-cut messages.

disable Disable forwarding auto-discovery short-cut messages.

FortiOS 7.4.4 CLI Reference 1863

Fortinet Inc.
Parameter Description Type Size Default

auto-discovery- Interval between shortcut offer messages integer Minimum 5

offer-interval in seconds. value: 1
Maximum
value: 300

auto-discovery- Enable/disable use of pre-shared secrets option - disable

psk for authentication of auto-discovery
tunnels.

Option Description

enable Enable use of pre-shared-secret authentication for auto-discovery tunnels.

enable Enable automatic initiation of IKE SA negotiation.

disable Disable automatic initiation of IKE SA negotiation.

FortiOS 7.4.4 CLI Reference 1864

Fortinet Inc.
Parameter Description Type Size Default

azure-ad- Enable/disable Azure AD Auto-Connect option - disable

autoconnect for FortiClient.

Option Description

enable Enable Azure AD Auto-Connect for FortiClient.

disable Disable Azure AD Auto-Connect for FortiClient.

backup-gateway Instruct unity clients about the backup string Maximum

<address> gateway address(es). length: 79
Address of backup gateway.

banner Message that unity client should display var-string Maximum

after connecting. length: 1024

cert-id-validation Enable/disable cross validation of peer ID option - enable

and the identity in the peer's certificate as
specified in RFC 4945.

Option Description

enable Enable cross validation of peer ID and the identity in the peer's certificate as
specified in RFC 4945.

disable Disable cross validation of peer ID and the identity in the peer's certificate
as specified in RFC 4945.

cert-peer- Enable/disable domain stripping on option - disable

username-strip certificate identity.

Option Description

disable Disable domain stripping on certificate identity.

enable Enable domain stripping on certificate identity.

cert-peer- Enable/disable cross validation of peer option - none

username- username and the identity in the peer's
validation certificate.

Option Description

none Disable cross validation of peer username and the identity in the peer's
certificate.

othername Validate principal name in SAN othername.

rfc822name Validate RFC822 email address in SAN.

cn Validate CN in subject.

cert-trust-store CA certificate trust store. option - local

FortiOS 7.4.4 CLI Reference 1865

Fortinet Inc.
Parameter Description Type Size Default

Option Description

local Use local CA certificate.

ems Use EMS CA certificate.

disable Disable allowing the VPN client to keep the tunnel up when there is no
traffic.

enable Enable allowing the VPN client to keep the tunnel up when there is no
traffic.

client-resume Enable/disable resumption of offline option - disable

FortiClient sessions. When a FortiClient
enabled laptop is closed or enters
sleep/hibernate mode, enabling this
feature allows FortiClient to keep the
tunnel during this period, and allows
users to immediately resume using the
IPsec tunnel when the device wakes up.

FortiOS 7.4.4 CLI Reference 1866

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable client session resumption.

disable Disable client session resumption.

client-resume- Maximum time in seconds during which a integer Minimum 1800

interval VPN client may resume using a tunnel value: 120
after a client PC has entered sleep mode Maximum
or temporarily lost its network connection. value: 172800

comments Comment. var-string Maximum

length: 255

default-gw IPv4 address of default route gateway to ipv4-address Not Specified 0.0.0.0
use for traffic exiting the interface.

default-gw- Priority for default gateway route. A integer Minimum 0

priority higher priority number signifies a less value: 0
preferred route. Maximum
value:
4294967295

dev-id Device ID carried by the device ID string Maximum

notification. length: 63

dev-id- Enable/disable device ID notification. option - disable

notification

Option Description

disable Disable device ID notification.

enable Enable device ID notification.

dhcp-ra-giaddr Relay agent gateway IP address to use in ipv4-address Not Specified 0.0.0.0
the giaddr field of DHCP requests.

dhcp6-ra- Relay agent IPv6 link address to use in ipv6-address Not Specified ::
linkaddr DHCP6 requests.

dhgrp DH group. option - 14

Option Description

1 DH Group 1.

2 DH Group 2.

5 DH Group 5.

14 DH Group 14.

15 DH Group 15.

FortiOS 7.4.4 CLI Reference 1867

Fortinet Inc.
Parameter Description Type Size Default

Option Description

16 DH Group 16.

17 DH Group 17.

18 DH Group 18.

19 DH Group 19.

20 DH Group 20.

21 DH Group 21.

27 DH Group 27.

28 DH Group 28.

29 DH Group 29.

30 DH Group 30.

31 DH Group 31.

32 DH Group 32.

digital-signature- Enable/disable IKEv2 Digital Signature option - disable

auth Authentication (RFC 7427).

Option Description

enable Enable IKEv2 Digital Signature Authentication (RFC 7427).

disable Disable IKEv2 Digital Signature Authentication (RFC 7427).

distance Distance for routes added by IKE. integer Minimum 15

value: 1
Maximum
value: 255

dns-mode DNS server mode. option - manual

Option Description

manual Manually configure DNS servers.

auto Use default DNS servers.

domain Instruct unity clients about the single string Maximum

default DNS domain. length: 63

dpd Dead Peer Detection mode. option - on-demand

FortiOS 7.4.4 CLI Reference 1868

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable Dead Peer Detection.

on-idle Trigger Dead Peer Detection when IPsec is idle.

on-demand Trigger Dead Peer Detection when IPsec traffic is sent but no reply is
received from the peer.

dpd-retrycount Number of DPD retry attempts. integer Minimum 3

value: 0
Maximum
value: 10

dpd-retryinterval DPD retry interval. user Not Specified

eap Enable/disable IKEv2 EAP option - disable

authentication.

Option Description

enable Enable IKEv2 EAP authentication.

disable Disable IKEv2 EAP authentication.

eap-cert-auth Enable/disable peer certificate option - disable

authentication in addition to EAP if peer is
a FortiClient endpoint.

Option Description

enable Enable peer certificate authentication in addition to EAP if peer is a

FortiClient endpoint.

disable Disable peer certificate authentication in addition to EAP if peer is a

FortiClient endpoint.

eap-exclude- Peer group excluded from EAP string Maximum

peergrp authentication. length: 35

eap-identity IKEv2 EAP peer identity type. option - use-id-payload

Option Description

use-id-payload Use IKEv2 IDi payload to resolve peer identity.

send-request Use EAP identity request to resolve peer identity.

ems-sn-check Enable/disable verification of EMS serial option - disable

number.

FortiOS 7.4.4 CLI Reference 1869

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable EMS serial number verification.

disable Disable EMS serial number verification.

encap-local-gw4 Local IPv4 address of GRE/VXLAN ipv4-address Not Specified 0.0.0.0

tunnel.

encap-local-gw6 Local IPv6 address of GRE/VXLAN ipv6-address Not Specified ::

tunnel.

encap-remote- Remote IPv4 address of GRE/VXLAN ipv4-address Not Specified 0.0.0.0

gw4 tunnel.

encap-remote- Remote IPv6 address of GRE/VXLAN ipv6-address Not Specified ::

gw6 tunnel.

encapsulation Enable/disable GRE/VXLAN/VPNID option - none

encapsulation.

Option Description

none No additional encapsulation.

gre GRE encapsulation.

vxlan VXLAN encapsulation.

vpn-id-ipip VPN ID with IPIP encapsulation.

encapsulation- Source for GRE/VXLAN tunnel address. option - ike

address

Option Description

ike Use IKE/IPsec gateway addresses.

ipv4 Specify separate GRE/VXLAN tunnel address.

ipv6 Specify separate GRE/VXLAN tunnel address.

enforce-unique- Enable/disable peer ID uniqueness option - disable

id check.

Option Description

disable Disable peer ID uniqueness enforcement.

keep-new Enforce peer ID uniqueness, keep new connection if collision found.

keep-old Enforce peer ID uniqueness, keep old connection if collision found.

FortiOS 7.4.4 CLI Reference 1870

Fortinet Inc.
Parameter Description Type Size Default

esn * Extended sequence number (ESN) option - disable

negotiation.

Option Description

require Require extended sequence number.

allow Allow extended sequence number.

disable Disable extended sequence number.

exchange-fgt- Enable/disable device identifier exchange option - disable

device-id with peer FortiGate units for use of VPN
monitor data by FortiManager.

Option Description

enable Enable exchange of FortiGate device identifier.

disable Disable exchange of FortiGate device identifier.

exchange- Enable/disable exchange of IPsec option - disable

interface-ip interface IP address.

Option Description

enable Enable exchange of IPsec interface IP address.

disable Disable exchange of IPsec interface IP address.

exchange-ip- IPv4 address to exchange with peers. ipv4-address Not Specified 0.0.0.0
addr4

exchange-ip- IPv6 address to exchange with peers. ipv6-address Not Specified ::

addr6

fallback-tcp- Timeout in seconds before falling back integer Minimum 15

threshold IKE/IPsec traffic to tcp. value: 1
Maximum
value: 300

fec-base Number of base Forward Error Correction integer Minimum 10

packets. value: 1
Maximum
value: 20

fec-codec Forward Error Correction option - rs

encoding/decoding algorithm.

Option Description

rs Reed-Solomon FEC algorithm.

FortiOS 7.4.4 CLI Reference 1871

Fortinet Inc.
Parameter Description Type Size Default

Option Description

xor XOR FEC algorithm.

fec-egress Enable/disable Forward Error Correction option - disable

for egress IPsec traffic.

Option Description

enable Enable Forward Error Correction for egress IPsec traffic.

disable Disable Forward Error Correction for egress IPsec traffic.

fec-health-check SD-WAN health check. string Maximum

length: 35

fec-ingress Enable/disable Forward Error Correction option - disable

for ingress IPsec traffic.

Option Description

enable Enable Forward Error Correction for ingress IPsec traffic.

disable Disable Forward Error Correction for ingress IPsec traffic.

fec-mapping- Forward Error Correction (FEC) mapping string Maximum

profile profile. length: 35

fec-receive- Timeout in milliseconds before dropping integer Minimum 50

timeout Forward Error Correction packets. value: 1
Maximum
value: 1000

fec-redundant Number of redundant Forward Error integer Minimum 1

Correction packets. value: 1
Maximum
value: 5

fec-send-timeout Timeout in milliseconds before sending integer Minimum 5

Forward Error Correction packets. value: 1
Maximum
value: 1000

fgsp-sync Enable/disable IPsec syncing of tunnels option - disable

for FGSP IPsec.

Option Description

enable Enable IPsec syncing of tunnels to other cluster members.

disable Disable IPsec syncing of tunnels to other cluster members.

FortiOS 7.4.4 CLI Reference 1872

Fortinet Inc.
Parameter Description Type Size Default

fortinet-esp Enable/disable Fortinet ESP option - disable

encapsulaton.

Option Description

idle-timeout Enable/disable IPsec tunnel idle timeout. option - disable

Option Description

enable Enable IPsec tunnel idle timeout.

disable Disable IPsec tunnel idle timeout.

FortiOS 7.4.4 CLI Reference 1873

Fortinet Inc.
Parameter Description Type Size Default

idle- IPsec tunnel idle timeout in minutes. integer Minimum 15

timeoutinterval value: 5
Maximum
value: 43200

ike-version IKE protocol version. option - 1

Option Description

1 Use IKEv1 protocol.

2 Use IKEv2 protocol.

inbound-dscp- Enable/disable copy the dscp in the ESP option - disable

copy header to the inner IP Header.

Option Description

enable Enable copy the dscp in the ESP header to the inner IP Header.

disable Disable copy the dscp in the ESP header to the inner IP Header.

include-local-lan Enable/disable allow local LAN access on option - disable

unity clients.

Option Description

disable Disable local LAN access on Unity clients.

enable Enable local LAN access on Unity clients.

interface Local physical, aggregate, or VLAN string Maximum

outgoing interface. length: 35

internal-domain- One or more internal domain names in string Maximum

list <domain- quotes separated by spaces. length: 79
name> Domain name.

ip-delay-interval IP address reuse delay interval in integer Minimum 0

seconds. value: 0
Maximum
value: 28800

ip-fragmentation Determine whether IP packets are option - post-encapsulation

fragmented before or after IPsec
encapsulation.

Option Description

pre- Fragment before IPsec encapsulation.

encapsulation

FortiOS 7.4.4 CLI Reference 1874

Fortinet Inc.
Parameter Description Type Size Default

Option Description

post- Fragment after IPsec encapsulation (RFC compliant).

encapsulation

ip-version IP version to use for VPN interface. option - 4

Option Description

4 Use IPv4 addressing for gateways.

6 Use IPv6 addressing for gateways.

ipv4-dns-server1 IPv4 DNS server 1. ipv4-address Not Specified 0.0.0.0

ipv4-dns-server2 IPv4 DNS server 2. ipv4-address Not Specified 0.0.0.0

ipv4-dns-server3 IPv4 DNS server 3. ipv4-address Not Specified 0.0.0.0

ipv4-end-ip End of IPv4 range. ipv4-address Not Specified 0.0.0.0

ipv4-name IPv4 address name. string Maximum

length: 79

ipv4-netmask IPv4 Netmask. ipv4- Not Specified 255.255.255.255

netmask

ipv4-split- IPv4 subnets that should not be sent over string Maximum
exclude the IPsec tunnel. length: 79

ipv4-split-include IPv4 split-include subnets. string Maximum

length: 79

ipv4-start-ip Start of IPv4 range. ipv4-address Not Specified 0.0.0.0

ipv4-wins- WINS server 1. ipv4-address Not Specified 0.0.0.0

server1

ipv4-wins- WINS server 2. ipv4-address Not Specified 0.0.0.0

server2

ipv6-dns-server1 IPv6 DNS server 1. ipv6-address Not Specified ::

ipv6-dns-server2 IPv6 DNS server 2. ipv6-address Not Specified ::

ipv6-dns-server3 IPv6 DNS server 3. ipv6-address Not Specified ::

ipv6-end-ip End of IPv6 range. ipv6-address Not Specified ::

ipv6-name IPv6 address name. string Maximum

length: 79

FortiOS 7.4.4 CLI Reference 1875

Fortinet Inc.
Parameter Description Type Size Default

ipv6-prefix IPv6 prefix. integer Minimum 128

value: 1
Maximum
value: 128

ipv6-split- IPv6 subnets that should not be sent over string Maximum
exclude the IPsec tunnel. length: 79

ipv6-split-include IPv6 split-include subnets. string Maximum

length: 79

ipv6-start-ip Start of IPv6 range. ipv6-address Not Specified ::

keepalive NAT-T keep alive interval. integer Minimum 10

value: 5
Maximum
value: 900

keylife Time to wait in seconds before phase 1 integer Minimum 86400

encryption key expires. value: 120
Maximum
value: 172800

kms Key Management Services server. string Maximum

length: 35

link-cost VPN tunnel underlay link cost. integer Minimum 0

value: 0
Maximum
value: 255

local-gw IPv4 address of the local gateway's ipv4-address Not Specified 0.0.0.0
external interface.

local-gw6 IPv6 address of the local gateway's ipv6-address Not Specified ::

external interface.

localid Local ID. string Maximum

length: 63

localid-type Local ID type. option - auto

Option Description

auto Select ID type automatically.

fqdn Use fully qualified domain name.

user-fqdn Use user fully qualified domain name.

keyid Use key-id string.

address Use local IP address.

asn1dn Use ASN.1 distinguished name.

FortiOS 7.4.4 CLI Reference 1876

Fortinet Inc.
Parameter Description Type Size Default

loopback- Enable/disable asymmetric routing for option - enable

asymroute IKE traffic on loopback interface.

Option Description

enable Allow ingress/egress IKE traffic to be routed over different interfaces.

disable Ingress/egress IKE traffic must be routed over the same interface.

mesh-selector- Add selectors containing subsets of the option - disable

type configuration depending on traffic.

Option Description

disable Disable.

subnet Enable addition of matching subnet selector.

host Enable addition of host to host selector.

mode The ID protection mode used to establish option - main

a secure channel.

Option Description

aggressive Aggressive mode.

main Main mode.

mode-cfg Enable/disable configuration method. option - disable

Option Description

disable Disable Configuration Method.

enable Enable Configuration Method.

mode-cfg-allow- Enable/disable mode-cfg client to use option - disable

client-selector custom phase2 selectors.

Option Description

disable Mode-cfg client to use wildcard selectors.

enable Mode-cfg client to use custom selectors.

monitor <name> IPsec interface as backup for primary string Maximum

interface. length: 79
IPsec interface as backup for primary
interface.

FortiOS 7.4.4 CLI Reference 1877

Fortinet Inc.
Parameter Description Type Size Default

monitor-hold- Time to wait in seconds before recovery integer Minimum 0

down-delay once primary re-establishes. value: 0
Maximum
value:
31536000

monitor-hold- Time of day at which to fail back to user Not Specified

down-time primary after it re-establishes.

monitor-hold- Recovery time method when primary option - immediate

down-type interface re-establishes.

Option Description

immediate Fail back immediately after primary recovers.

delay Number of seconds to delay fail back after primary recovers.

time Specify a time at which to fail back after primary recovers.

monitor-hold- Day of the week to recover once primary option - sunday

down-weekday re-establishes.

Option Description

everyday Every Day.

sunday Sunday.

monday Monday.

tuesday Tuesday.

wednesday Wednesday.

thursday Thursday.

friday Friday.

saturday Saturday.

monitor-min Minimum number of links to become integer Minimum 0

degraded before activating this interface. value: 0
Zero (0) means all links must be down Maximum
before activating this interface. value:
4294967295

name IPsec remote gateway name. string Maximum

length: 15

nattraversal Enable/disable NAT traversal. option - enable

FortiOS 7.4.4 CLI Reference 1878

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable IPsec NAT traversal.

packet- Enable/disable packet distribution (RPS) option - disable

redistribution * on the IPsec interface.

Option Description

enable Enable packet redistribution.

disable Disable packet redistribution.

passive-mode Enable/disable IPsec passive mode for option - disable

static tunnels.

FortiOS 7.4.4 CLI Reference 1879

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable IPsec passive mode.

disable Disable IPsec passive mode.

peer Accept this peer certificate. string Maximum

length: 35

peergrp Accept this peer certificate group. string Maximum

length: 35

peerid Accept this peer identity. string Maximum

length: 255

peertype Accept this peer type. option - peer

Option Description

any Accept any peer ID.

one Accept this peer ID.

dialup Accept peer ID in dialup group.

peer Accept this peer certificate.

peergrp Accept this peer certificate group.

ppk Enable/disable IKEv2 Postquantum option - disable

Preshared Key (PPK).

Option Description

disable Disable use of IKEv2 Postquantum Preshared Key (PPK).

allow Allow, but do not require, use of IKEv2 Postquantum Preshared Key (PPK).

require Require use of IKEv2 Postquantum Preshared Key (PPK).

ppk-identity IKEv2 Postquantum Preshared Key string Maximum

Identity. length: 35

ppk-secret IKEv2 Postquantum Preshared Key password-3 Not Specified

(ASCII string or hexadecimal encoded
with a leading 0x).

priority Priority for routes added by IKE. integer Minimum 1

value: 1
Maximum
value: 65535

proposal Phase1 proposal. option -

FortiOS 7.4.4 CLI Reference 1880

Fortinet Inc.
Parameter Description Type Size Default

Option Description

des-md5 des-md5

des-sha1 des-sha1

des-sha256 des-sha256

des-sha384 des-sha384

des-sha512 des-sha512

3des-md5 3des-md5

3des-sha1 3des-sha1

3des-sha256 3des-sha256

3des-sha384 3des-sha384

3des-sha512 3des-sha512

aes128-md5 aes128-md5

aes128-sha1 aes128-sha1

aes128-sha256 aes128-sha256

aes128-sha384 aes128-sha384

aes128-sha512 aes128-sha512

aes128gcm-prfsha1 aes128gcm-prfsha1

aes128gcm-prfsha256 aes128gcm-prfsha256

aes128gcm-prfsha384 aes128gcm-prfsha384

aes128gcm-prfsha512 aes128gcm-prfsha512

aes192-md5 aes192-md5

aes192-sha1 aes192-sha1

aes192-sha256 aes192-sha256

aes192-sha384 aes192-sha384

aes192-sha512 aes192-sha512

aes256-md5 aes256-md5

aes256-sha1 aes256-sha1

aes256-sha256 aes256-sha256

aes256-sha384 aes256-sha384

aes256-sha512 aes256-sha512

FortiOS 7.4.4 CLI Reference 1881

Fortinet Inc.
Parameter Description Type Size Default

Option Description

aes256gcm-prfsha1 aes256gcm-prfsha1

aes256gcm-prfsha256 aes256gcm-prfsha256

aes256gcm-prfsha384 aes256gcm-prfsha384

aes256gcm-prfsha512 aes256gcm-prfsha512

chacha20poly1305-prfsha1 chacha20poly1305-prfsha1

chacha20poly1305-prfsha256 chacha20poly1305-prfsha256

chacha20poly1305-prfsha384 chacha20poly1305-prfsha384

chacha20poly1305-prfsha512 chacha20poly1305-prfsha512

aria128-md5 aria128-md5

aria128-sha1 aria128-sha1

aria128-sha256 aria128-sha256

aria128-sha384 aria128-sha384

aria128-sha512 aria128-sha512

aria192-md5 aria192-md5

aria192-sha1 aria192-sha1

aria192-sha256 aria192-sha256

aria192-sha384 aria192-sha384

aria192-sha512 aria192-sha512

aria256-md5 aria256-md5

aria256-sha1 aria256-sha1

aria256-sha256 aria256-sha256

aria256-sha384 aria256-sha384

aria256-sha512 aria256-sha512

seed-md5 seed-md5

seed-sha1 seed-sha1

seed-sha256 seed-sha256

seed-sha384 seed-sha384

seed-sha512 seed-sha512

FortiOS 7.4.4 CLI Reference 1882

Fortinet Inc.
Parameter Description Type Size Default

psksecret Pre-shared secret for PSK authentication password-3 Not Specified

(ASCII string or hexadecimal encoded
with a leading 0x).

psksecret- Pre-shared secret for remote side PSK password-3 Not Specified
remote authentication (ASCII string or
hexadecimal encoded with a leading 0x).

qkd Enable/disable use of Quantum Key option - disable

Distribution (QKD) server.

Option Description

disable Disable use of a Quantum Key Distribution (QKD) server.

allow Allow, but do not require, use of a Quantum Key Distribution (QKD) server.

require Require use of a Quantum Key Distribution (QKD) server.

qkd-profile Quantum Key Distribution (QKD) server string Maximum

profile. length: 35

reauth Enable/disable re-authentication upon option - disable

IKE SA lifetime expiration.

Option Description

disable Disable IKE SA re-authentication.

enable Enable IKE SA re-authentication.

rekey Enable/disable phase1 rekey. option - enable

Option Description

enable Enable phase1 rekey.

disable Disable phase1 rekey.

remote-gw IPv4 address of the remote gateway's ipv4-address Not Specified 0.0.0.0
external interface.

remote-gw- IPv4 addresses associated to a specific string Maximum

country country. length: 2

remote-gw-end- Last IPv4 address in the range. ipv4- Not Specified 0.0.0.0
ip address-any

remote-gw- Set type of IPv4 remote gateway address option - any

match matching.

FortiOS 7.4.4 CLI Reference 1883

Fortinet Inc.
Parameter Description Type Size Default

Option Description

any Match any IPv4 gateway address.

ipmask Match IPv4 gateway address and mask.

iprange Match IPv4 gateway address range.

geography Match IPv4 gateway address from a specified country.

remote-gw-start- First IPv4 address in the range. ipv4- Not Specified 0.0.0.0
ip address-any

remote-gw- IPv4 address and subnet mask. ipv4- Not Specified 0.0.0.0 0.0.0.0
subnet classnet-any

remote-gw6 IPv6 address of the remote gateway's ipv6-address Not Specified ::

external interface.

remote-gw6- IPv6 addresses associated to a specific string Maximum

country country. length: 2

remote-gw6-end- Last IPv6 address in the range. ipv6-address Not Specified ::

remote-gw6- Set type of IPv6 remote gateway address option - any

match matching.

Option Description

any Match any IPv6 gateway address.

ipprefix Match IPv6 gateway address and prefix.

iprange Match IPv6 gateway address range.

geography Match IPv6 gateway address from a specified country.

remote-gw6- First IPv6 address in the range. ipv6-address Not Specified ::

start-ip

remote-gw6- IPv6 address and prefix. ipv6-network Not Specified ::/0

subnet

remotegw-ddns Domain name of remote gateway. For string Maximum

example, name.ddns.com. length: 63

rsa-signature- Digital Signature Authentication RSA option - pkcs1

format signature format.

Option Description

pkcs1 RSASSA PKCS#1 v1.5.

pss RSASSA Probabilistic Signature Scheme (PSS).

FortiOS 7.4.4 CLI Reference 1884

Fortinet Inc.
Parameter Description Type Size Default

alg algorithms.

Option Description

sha1 SHA1.

sha2-256 SHA2-256.

sha2-384 SHA2-384.

sha2-512 SHA2-512.

split-include- Split-include services. string Maximum

service length: 79

suite-b Use Suite-B. option - disable

Option Description

disable Do not use UI suite.

suite-b-gcm-128 Use Suite-B-GCM-128.

suite-b-gcm-256 Use Suite-B-GCM-256.

transport Set IKE transport protocol. option - udp

FortiOS 7.4.4 CLI Reference 1885

Fortinet Inc.
Parameter Description Type Size Default

Option Description

udp Use UDP transport for IKE.

udp-fallback-tcp Use UDP transport for IKE, with fallback to TCP transport.

tcp Use TCP transport for IKE.

type Remote gateway type. option - static

Option Description

static Remote VPN gateway has fixed IP address.

dynamic Remote VPN gateway has dynamic IP address.

ddns Remote VPN gateway has dynamic IP address and is a dynamic DNS
client.

unity-support Enable/disable support for Cisco UNITY option - enable

Configuration Method extensions.

Option Description

disable Disable Cisco Unity Configuration Method Extensions.

enable Enable Cisco Unity Configuration Method Extensions.

usrgrp User group name for dialup peers. string Maximum

length: 35

vni VNI of VXLAN tunnel. integer Minimum 0

value: 1
Maximum
value:
16777215

wizard-type GUI VPN Wizard Type. option - custom

Option Description

custom Custom VPN configuration.

dialup-forticlient Dial Up - FortiClient Windows, Mac and Android.

dialup-ios Dial Up - iPhone / iPad Native IPsec Client.

dialup-android Dial Up - Android Native IPsec Client.

dialup-windows Dial Up - Windows Native IPsec Client.

dialup-cisco Dial Up - Cisco IPsec Client.

static-fortigate Site to Site - FortiGate.

FortiOS 7.4.4 CLI Reference 1886

Fortinet Inc.
Parameter Description Type Size Default

Option Description

dialup-fortigate Dial Up - FortiGate.

static-cisco Site to Site - Cisco.

dialup-cisco-fw Dialup Up - Cisco Firewall.

simplified-static- Site to Site - FortiGate (SD-WAN).

fortigate

hub-fortigate- Hub role in a Hub-and-Spoke auto-discovery VPN.

auto-discovery

spoke-fortigate- Spoke role in a Hub-and-Spoke auto-discovery VPN.

auto-discovery

xauthtype XAuth type. option - disable

Option Description

disable Disable.

client Enable as client.

pap Enable as server PAP.

chap Enable as server CHAP.

auto Enable as server auto.

* This parameter may not exist in some models.

config ipv4-exclude-range

Parameter Description Type Size Default

id ID. integer Minimum 0

FortiOS 7.4.4 CLI Reference 1890

Fortinet Inc.
set remote-gw6-end-ip {ipv6-address}
set remote-gw6-match [any|ipprefix|...]
set remote-gw6-start-ip {ipv6-address}
set remote-gw6-subnet {ipv6-network}
set remotegw-ddns {string}
set rsa-signature-format [pkcs1|pss]
set rsa-signature-hash-override [enable|disable]
set save-password [disable|enable]
set send-cert-chain [enable|disable]
set signature-hash-alg {option1}, {option2}, ...
set split-include-service {string}
set suite-b [disable|suite-b-gcm-128|...]
set transport [udp|udp-fallback-tcp|...]
set type [static|dynamic|...]
set unity-support [disable|enable]
set usrgrp {string}
set wizard-type [custom|dialup-forticlient|...]
set xauthtype [disable|client|...]
next
end

config vpn ipsec phase1

Parameter Description Type Size Default

acct-verify Enable/disable verification of RADIUS option - disable

accounting record.

Option Description

enable Enable verification of RADIUS accounting record.

disable Disable verification of RADIUS accounting record.

add-gw-route Enable/disable automatically add a route to option - disable

the remote gateway.

Option Description

enable Automatically add a route to the remote gateway.

disable Do not automatically add a route to the remote gateway.

add-route Enable/disable control addition of a route to option - disable

peer destination selector.

Option Description

disable Do not add a route to destination of peer selector.

enable Add route to destination of peer selector.

assign-ip Enable/disable assignment of IP to IPsec option - enable

interface via configuration method.

FortiOS 7.4.4 CLI Reference 1891

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Do not assign an IP address to the IPsec interface.

enable Assign an IP address to the IPsec interface.

assign-ip-from Method by which the IP address will be option - range

assigned.

Option Description

range Assign IP address from locally defined range.

usrgrp Assign IP address via user group.

dhcp Assign IP address via DHCP.

name Assign IP address from firewall address or group.

authmethod Authentication method. option - psk

Option Description

psk PSK authentication method.

signature Signature authentication method.

authmethod- Authentication method (remote side). option -

remote

Option Description

psk PSK authentication method.

signature Signature authentication method.

authpasswd XAuth password (max 35 characters). password Not

Specified

authusr XAuth user name. string Maximum

length: 64

authusrgrp Authentication user group. string Maximum

length: 35

auto-negotiate Enable/disable automatic initiation of IKE option - enable

SA negotiation.

Option Description

enable Enable automatic initiation of IKE SA negotiation.

disable Disable automatic initiation of IKE SA negotiation.

FortiOS 7.4.4 CLI Reference 1892

Fortinet Inc.
Parameter Description Type Size Default

azure-ad- Enable/disable Azure AD Auto-Connect for option - disable

autoconnect FortiClient.

Option Description

enable Enable Azure AD Auto-Connect for FortiClient.

disable Disable Azure AD Auto-Connect for FortiClient.

backup-gateway Instruct unity clients about the backup string Maximum

<address> gateway address(es). length: 79
Address of backup gateway.

banner Message that unity client should display var-string Maximum

after connecting. length: 1024

cert-id-validation Enable/disable cross validation of peer ID option - enable

and the identity in the peer's certificate as
specified in RFC 4945.

Option Description

enable Enable cross validation of peer ID and the identity in the peer's certificate as
specified in RFC 4945.

disable Disable cross validation of peer ID and the identity in the peer's certificate
as specified in RFC 4945.

cert-peer- Enable/disable domain stripping on option - disable

username-strip certificate identity.

Option Description

disable Disable domain stripping on certificate identity.

enable Enable domain stripping on certificate identity.

cert-peer- Enable/disable cross validation of peer option - none

username- username and the identity in the peer's
validation certificate.

Option Description

none Disable cross validation of peer username and the identity in the peer's
certificate.

othername Validate principal name in SAN othername.

rfc822name Validate RFC822 email address in SAN.

cn Validate CN in subject.

cert-trust-store CA certificate trust store. option - local

FortiOS 7.4.4 CLI Reference 1893

Fortinet Inc.
Parameter Description Type Size Default

Option Description

local Use local CA certificate.

ems Use EMS CA certificate.

disable Disable allowing the VPN client to keep the tunnel up when there is no
traffic.

enable Enable allowing the VPN client to keep the tunnel up when there is no
traffic.

client-resume Enable/disable resumption of offline option - disable

FortiClient sessions. When a FortiClient
enabled laptop is closed or enters
sleep/hibernate mode, enabling this feature
allows FortiClient to keep the tunnel during
this period, and allows users to immediately
resume using the IPsec tunnel when the
device wakes up.

FortiOS 7.4.4 CLI Reference 1894

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable client session resumption.

disable Disable client session resumption.

client-resume- Maximum time in seconds during which a integer Minimum 1800

interval VPN client may resume using a tunnel after value: 120
a client PC has entered sleep mode or Maximum
temporarily lost its network connection. value:
172800

comments Comment. var-string Maximum

length: 255

dev-id Device ID carried by the device ID string Maximum

notification. length: 63

dev-id- Enable/disable device ID notification. option - disable

notification

Option Description

disable Disable device ID notification.

enable Enable device ID notification.

dhcp-ra-giaddr Relay agent gateway IP address to use in ipv4-address Not 0.0.0.0

the giaddr field of DHCP requests. Specified

dhcp6-ra- Relay agent IPv6 link address to use in ipv6-address Not ::

linkaddr DHCP6 requests. Specified

dhgrp DH group. option - 14

Option Description

1 DH Group 1.

2 DH Group 2.

5 DH Group 5.

14 DH Group 14.

15 DH Group 15.

16 DH Group 16.

17 DH Group 17.

18 DH Group 18.

19 DH Group 19.

FortiOS 7.4.4 CLI Reference 1895

Fortinet Inc.
Parameter Description Type Size Default

Option Description

20 DH Group 20.

21 DH Group 21.

27 DH Group 27.

28 DH Group 28.

29 DH Group 29.

30 DH Group 30.

31 DH Group 31.

32 DH Group 32.

digital-signature- Enable/disable IKEv2 Digital Signature option - disable

auth Authentication (RFC 7427).

Option Description

enable Enable IKEv2 Digital Signature Authentication (RFC 7427).

disable Disable IKEv2 Digital Signature Authentication (RFC 7427).

distance Distance for routes added by IKE. integer Minimum 15

value: 1
Maximum
value: 255

dns-mode DNS server mode. option - manual

Option Description

manual Manually configure DNS servers.

auto Use default DNS servers.

domain Instruct unity clients about the single default string Maximum
DNS domain. length: 63

dpd Dead Peer Detection mode. option - on-demand

Option Description

disable Disable Dead Peer Detection.

on-idle Trigger Dead Peer Detection when IPsec is idle.

on-demand Trigger Dead Peer Detection when IPsec traffic is sent but no reply is
received from the peer.

FortiOS 7.4.4 CLI Reference 1896

Fortinet Inc.
Parameter Description Type Size Default

dpd-retrycount Number of DPD retry attempts. integer Minimum 3

value: 0
Maximum
value: 10

dpd-retryinterval DPD retry interval. user Not

Specified

eap Enable/disable IKEv2 EAP authentication. option - disable

Option Description

enable Enable IKEv2 EAP authentication.

disable Disable IKEv2 EAP authentication.

eap-cert-auth Enable/disable peer certificate option - disable

authentication in addition to EAP if peer is a
FortiClient endpoint.

Option Description

enable Enable peer certificate authentication in addition to EAP if peer is a

FortiClient endpoint.

disable Disable peer certificate authentication in addition to EAP if peer is a

FortiClient endpoint.

eap-exclude- Peer group excluded from EAP string Maximum

peergrp authentication. length: 35

eap-identity IKEv2 EAP peer identity type. option - use-id-payload

enable Enable exchange of FortiGate device identifier.

disable Disable exchange of FortiGate device identifier.

enable Enable Forward Error Correction for ingress IPsec traffic.

disable Disable Forward Error Correction for ingress IPsec traffic.

fec-mapping- Forward Error Correction (FEC) mapping string Maximum

profile profile. length: 35

fec-receive- Timeout in milliseconds before dropping integer Minimum 50

timeout Forward Error Correction packets. value: 1
Maximum
value: 1000

fec-redundant Number of redundant Forward Error integer Minimum 1

Correction packets. value: 1
Maximum
value: 5

fec-send-timeout Timeout in milliseconds before sending integer Minimum 5

Forward Error Correction packets. value: 1
Maximum
value: 1000

fgsp-sync Enable/disable IPsec syncing of tunnels for option - disable

FGSP IPsec.

Option Description

enable Enable IPsec syncing of tunnels to other cluster members.

enable Enable IPsec tunnel idle timeout.

disable Disable IPsec tunnel idle timeout.

idle- IPsec tunnel idle timeout in minutes. integer Minimum 15

ipv4-netmask IPv4 Netmask. ipv4- Not 255.255.255.255

netmask Specified

FortiOS 7.4.4 CLI Reference 1901

Fortinet Inc.
Parameter Description Type Size Default

value: 1
Maximum
value: 128

ipv6-split- IPv6 subnets that should not be sent over string Maximum
exclude the IPsec tunnel. length: 79

ipv6-split-include IPv6 split-include subnets. string Maximum

length: 79

ipv6-start-ip Start of IPv6 range. ipv6-address Not ::

Specified

keepalive NAT-T keep alive interval. integer Minimum 10

value: 5
Maximum
value: 900

FortiOS 7.4.4 CLI Reference 1902

Fortinet Inc.
Parameter Description Type Size Default

keylife Time to wait in seconds before phase 1 integer Minimum 86400

encryption key expires. value: 120
Maximum
value:
172800

kms Key Management Services server. string Maximum

length: 35

link-cost VPN tunnel underlay link cost. integer Minimum 0

value: 0
Maximum
value: 255

local-gw Local VPN gateway. ipv4-address Not 0.0.0.0

Specified

localid Local ID. string Maximum

length: 63

localid-type Local ID type. option - auto

Option Description

auto Select ID type automatically.

fqdn Use fully qualified domain name.

user-fqdn Use user fully qualified domain name.

keyid Use key-id string.

address Use local IP address.

asn1dn Use ASN.1 distinguished name.

loopback- Enable/disable asymmetric routing for IKE option - enable

asymroute traffic on loopback interface.

Option Description

enable Allow ingress/egress IKE traffic to be routed over different interfaces.

disable Ingress/egress IKE traffic must be routed over the same interface.

mesh-selector- Add selectors containing subsets of the option - disable

type configuration depending on traffic.

Option Description

disable Disable.

subnet Enable addition of matching subnet selector.

host Enable addition of host to host selector.

FortiOS 7.4.4 CLI Reference 1903

Fortinet Inc.
Parameter Description Type Size Default

mode ID protection mode used to establish a option - main

secure channel.

Option Description

aggressive Aggressive mode.

main Main mode.

mode-cfg Enable/disable configuration method. option - disable

Option Description

disable Disable Configuration Method.

enable Enable Configuration Method.

mode-cfg-allow- Enable/disable mode-cfg client to use option - disable

client-selector custom phase2 selectors.

Option Description

disable Mode-cfg client to use wildcard selectors.

enable Mode-cfg client to use custom selectors.

name IPsec remote gateway name. string Maximum

length: 35

nattraversal Enable/disable NAT traversal. option - enable

Option Description

enable Enable IPsec NAT traversal.

disable Disable IPsec NAT traversal.

forced Force IPsec NAT traversal on.

negotiate- IKE SA negotiation timeout in seconds. integer Minimum 30

timeout value: 1
Maximum
value: 300

network-id VPN gateway network ID. integer Minimum 0

value: 0
Maximum
value: 255

network-overlay Enable/disable network overlays. option - disable

FortiOS 7.4.4 CLI Reference 1904

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable network overlays.

enable Enable network overlays.

npu-offload * Enable/disable offloading NPU. option - enable

Option Description

enable Enable NPU offloading.

disable Disable NPU offloading.

peer Accept this peer certificate. string Maximum

length: 35

peergrp Accept this peer certificate group. string Maximum

length: 35

peerid Accept this peer identity. string Maximum

length: 255

peertype Accept this peer type. option - peer

Option Description

any Accept any peer ID.

one Accept this peer ID.

dialup Accept peer ID in dialup group.

peer Accept this peer certificate.

peergrp Accept this peer certificate group.

ppk Enable/disable IKEv2 Postquantum option - disable

Preshared Key (PPK).

Option Description

disable Disable use of IKEv2 Postquantum Preshared Key (PPK).

allow Allow, but do not require, use of IKEv2 Postquantum Preshared Key (PPK).

require Require use of IKEv2 Postquantum Preshared Key (PPK).

ppk-identity IKEv2 Postquantum Preshared Key string Maximum

Identity. length: 35

ppk-secret IKEv2 Postquantum Preshared Key (ASCII password-3 Not

string or hexadecimal encoded with a Specified
leading 0x).

FortiOS 7.4.4 CLI Reference 1905

Fortinet Inc.
Parameter Description Type Size Default

priority Priority for routes added by IKE. integer Minimum 1

value: 1
Maximum
value: 65535

proposal Phase1 proposal. option -

Option Description

des-md5 des-md5

des-sha1 des-sha1

des-sha256 des-sha256

des-sha384 des-sha384

des-sha512 des-sha512

3des-md5 3des-md5

3des-sha1 3des-sha1

3des-sha256 3des-sha256

3des-sha384 3des-sha384

3des-sha512 3des-sha512

aes128-md5 aes128-md5

aes128-sha1 aes128-sha1

aes128-sha256 aes128-sha256

aes128-sha384 aes128-sha384

aes128-sha512 aes128-sha512

aes128gcm-prfsha1 aes128gcm-prfsha1

aes128gcm-prfsha256 aes128gcm-prfsha256

aes128gcm-prfsha384 aes128gcm-prfsha384

aes128gcm-prfsha512 aes128gcm-prfsha512

aes192-md5 aes192-md5

aes192-sha1 aes192-sha1

aes192-sha256 aes192-sha256

aes192-sha384 aes192-sha384

aes192-sha512 aes192-sha512

aes256-md5 aes256-md5

FortiOS 7.4.4 CLI Reference 1906

Fortinet Inc.
Parameter Description Type Size Default

Option Description

aes256-sha1 aes256-sha1

aes256-sha256 aes256-sha256

aes256-sha384 aes256-sha384

aes256-sha512 aes256-sha512

aes256gcm-prfsha1 aes256gcm-prfsha1

aes256gcm-prfsha256 aes256gcm-prfsha256

aes256gcm-prfsha384 aes256gcm-prfsha384

aes256gcm-prfsha512 aes256gcm-prfsha512

chacha20poly1305-prfsha1 chacha20poly1305-prfsha1

chacha20poly1305-prfsha256 chacha20poly1305-prfsha256

chacha20poly1305-prfsha384 chacha20poly1305-prfsha384

chacha20poly1305-prfsha512 chacha20poly1305-prfsha512

aria128-md5 aria128-md5

aria128-sha1 aria128-sha1

aria128-sha256 aria128-sha256

aria128-sha384 aria128-sha384

aria128-sha512 aria128-sha512

aria192-md5 aria192-md5

aria192-sha1 aria192-sha1

aria192-sha256 aria192-sha256

aria192-sha384 aria192-sha384

aria192-sha512 aria192-sha512

aria256-md5 aria256-md5

aria256-sha1 aria256-sha1

aria256-sha256 aria256-sha256

aria256-sha384 aria256-sha384

aria256-sha512 aria256-sha512

seed-md5 seed-md5

seed-sha1 seed-sha1

FortiOS 7.4.4 CLI Reference 1907

Fortinet Inc.
Parameter Description Type Size Default

Option Description

seed-sha256 seed-sha256

seed-sha384 seed-sha384

seed-sha512 seed-sha512

psksecret Pre-shared secret for PSK authentication password-3 Not

(ASCII string or hexadecimal encoded with Specified
a leading 0x).

psksecret- Pre-shared secret for remote side PSK password-3 Not

remote authentication (ASCII string or hexadecimal Specified
encoded with a leading 0x).

qkd Enable/disable use of Quantum Key option - disable

Distribution (QKD) server.

Option Description

disable Disable use of a Quantum Key Distribution (QKD) server.

allow Allow, but do not require, use of a Quantum Key Distribution (QKD) server.

require Require use of a Quantum Key Distribution (QKD) server.

qkd-profile Quantum Key Distribution (QKD) server string Maximum

profile. length: 35

reauth Enable/disable re-authentication upon IKE option - disable

SA lifetime expiration.

Option Description

disable Disable IKE SA re-authentication.

enable Enable IKE SA re-authentication.

rekey Enable/disable phase1 rekey. option - enable

Option Description

enable Enable phase1 rekey.

disable Disable phase1 rekey.

remote-gw Remote VPN gateway. ipv4-address Not 0.0.0.0

Specified

remote-gw- IPv4 addresses associated to a specific string Maximum

country country. length: 2

FortiOS 7.4.4 CLI Reference 1908

Fortinet Inc.
Parameter Description Type Size Default

remote-gw-end- Last IPv4 address in the range. ipv4- Not 0.0.0.0

ip address-any Specified

remote-gw- Set type of IPv4 remote gateway address option - any

match matching.

Option Description

any Match any IPv4 gateway address.

ipmask Match IPv4 gateway address and mask.

iprange Match IPv4 gateway address range.

geography Match IPv4 gateway address from a specified country.

remote-gw-start- First IPv4 address in the range. ipv4- Not 0.0.0.0

ip address-any Specified

remote-gw- IPv4 address and subnet mask. ipv4- Not 0.0.0.0 0.0.0.0
subnet classnet-any Specified

remote-gw6- IPv6 addresses associated to a specific string Maximum

country country. length: 2

remote-gw6-end- Last IPv6 address in the range. ipv6-address Not ::

ip Specified

remote-gw6- Set type of IPv6 remote gateway address option - any

match matching.

Option Description

any Match any IPv6 gateway address.

ipprefix Match IPv6 gateway address and prefix.

iprange Match IPv6 gateway address range.

geography Match IPv6 gateway address from a specified country.

remote-gw6- First IPv6 address in the range. ipv6-address Not ::

start-ip Specified

remote-gw6- IPv6 address and prefix. ipv6-network Not ::/0

subnet Specified

remotegw-ddns Domain name of remote gateway. For string Maximum

enable Enable sending certificate chain.

disable Disable sending certificate chain.

signature-hash- Digital Signature Authentication hash option - sha2-512

alg algorithms.

Option Description

sha1 SHA1.

sha2-256 SHA2-256.

sha2-384 SHA2-384.

sha2-512 SHA2-512.

split-include- Split-include services. string Maximum

service length: 79

suite-b Use Suite-B. option - disable

Option Description

disable Do not use UI suite.

FortiOS 7.4.4 CLI Reference 1910

Fortinet Inc.
Parameter Description Type Size Default

Option Description

suite-b-gcm-128 Use Suite-B-GCM-128.

suite-b-gcm-256 Use Suite-B-GCM-256.

transport Set IKE transport protocol. option - udp

Option Description

udp Use UDP transport for IKE.

udp-fallback-tcp Use UDP transport for IKE, with fallback to TCP transport.

tcp Use TCP transport for IKE.

type Remote gateway type. option - static

Option Description

static Remote VPN gateway has fixed IP address.

dynamic Remote VPN gateway has dynamic IP address.

ddns Remote VPN gateway has dynamic IP address and is a dynamic DNS
client.

unity-support Enable/disable support for Cisco UNITY option - enable

Configuration Method extensions.

Option Description

disable Disable Cisco Unity Configuration Method Extensions.

enable Enable Cisco Unity Configuration Method Extensions.

usrgrp User group name for dialup peers. string Maximum

length: 35

wizard-type GUI VPN Wizard Type. option - custom

Option Description

custom Custom VPN configuration.

dialup-forticlient Dial Up - FortiClient Windows, Mac and Android.

dialup-ios Dial Up - iPhone / iPad Native IPsec Client.

dialup-android Dial Up - Android Native IPsec Client.

dialup-windows Dial Up - Windows Native IPsec Client.

dialup-cisco Dial Up - Cisco IPsec Client.

FortiOS 7.4.4 CLI Reference 1911

Fortinet Inc.
Parameter Description Type Size Default

Option Description

static-fortigate Site to Site - FortiGate.

dialup-fortigate Dial Up - FortiGate.

static-cisco Site to Site - Cisco.

dialup-cisco-fw Dialup Up - Cisco Firewall.

simplified-static- Site to Site - FortiGate (SD-WAN).

fortigate

hub-fortigate- Hub role in a Hub-and-Spoke auto-discovery VPN.

auto-discovery

spoke-fortigate- Spoke role in a Hub-and-Spoke auto-discovery VPN.

auto-discovery

xauthtype XAuth type. option - disable

Option Description

disable Disable.

client Enable as client.

pap Enable as server PAP.

chap Enable as server CHAP.

auto Enable as server auto.

* This parameter may not exist in some models.

config ipv4-exclude-range

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

Option Description

phase1 Add route according to phase1 add-route setting.

enable Add route for remote proxy ID.

disable Do not add route for remote proxy ID.

auto-discovery- Enable/disable forwarding short-cut messages. option - phase1

forwarder

Option Description

phase1 Forward short-cut messages according to the phase1 auto-discovery-

forwarder setting.

enable Enable forwarding auto-discovery short-cut messages.

enable Enable setting.

disable Disable setting.

dhgrp Phase2 DH group. option - 14

Option Description

1 DH Group 1.

2 DH Group 2.

5 DH Group 5.

14 DH Group 14.

15 DH Group 15.

16 DH Group 16.

17 DH Group 17.

18 DH Group 18.

19 DH Group 19.

20 DH Group 20.

21 DH Group 21.

27 DH Group 27.

28 DH Group 28.

29 DH Group 29.

30 DH Group 30.

31 DH Group 31.

32 DH Group 32.

FortiOS 7.4.4 CLI Reference 1915

Fortinet Inc.
Parameter Description Type Size Default

diffserv Enable/disable applying DSCP value to the option - disable

IPsec tunnel outer IP header.

Option Description

enable Enable setting.

disable Disable setting.

diffservcode DSCP value to be applied to the IPsec tunnel user Not Specified
outer IP header.

dst-addr-type Remote proxy ID type. option - subnet

Option Description

subnet IPv4 subnet.

range IPv4 range.

ip IPv4 IP.

name IPv4 firewall address or group name.

subnet6 IPv6 subnet.

range6 IPv6 range.

ip6 IPv6 IP.

name6 IPv6 firewall address or group name.

dst-end-ip Remote proxy ID IPv4 end. ipv4- Not Specified 0.0.0.0

address-any

dst-end-ip6 Remote proxy ID IPv6 end. ipv6- Not Specified ::

address

dst-name Remote proxy ID name. string Maximum

length: 79

dst-name6 Remote proxy ID name. string Maximum

length: 79

dst-port Quick mode destination port. integer Minimum 0

value: 0
Maximum
value: 65535

dst-start-ip Remote proxy ID IPv4 start. ipv4- Not Specified 0.0.0.0

address-any

dst-start-ip6 Remote proxy ID IPv6 start. ipv6- Not Specified ::

address

FortiOS 7.4.4 CLI Reference 1916

Fortinet Inc.
Parameter Description Type Size Default

dst-subnet Remote proxy ID IPv4 subnet. ipv4- Not Specified 0.0.0.0

classnet-any 0.0.0.0

dst-subnet6 Remote proxy ID IPv6 subnet. ipv6-prefix Not Specified ::/0

encapsulation ESP encapsulation mode. option - tunnel-mode

Option Description

tunnel-mode Use tunnel mode encapsulation.

transport-mode Use transport mode encapsulation.

inbound-dscp- Enable/disable copying of the DSCP in the ESP option - phase1

copy header to the inner IP header.

Option Description

phase1 copy the DCSP in the ESP header to the inner IP Header according to the
phase1 inbound_dscp_copy setting.

enable Enable copying of the DSCP in the ESP header to the inner IP header.

disable Disable copying of the DSCP in the ESP header to the inner IP header.

null-md5 null-md5

null-sha1 null-sha1

null-sha256 null-sha256

null-sha384 null-sha384

FortiOS 7.4.4 CLI Reference 1918

Fortinet Inc.
Parameter Description Type Size Default

Option Description

null-sha512 null-sha512

des-null des-null

des-md5 des-md5

des-sha1 des-sha1

des-sha256 des-sha256

des-sha384 des-sha384

des-sha512 des-sha512

3des-null 3des-null

3des-md5 3des-md5

3des-sha1 3des-sha1

3des-sha256 3des-sha256

3des-sha384 3des-sha384

3des-sha512 3des-sha512

aes128-null aes128-null

aes128-md5 aes128-md5

aes128-sha1 aes128-sha1

aes128-sha256 aes128-sha256

aes128-sha384 aes128-sha384

aes128-sha512 aes128-sha512

aes128gcm aes128gcm

aes192-null aes192-null

aes192-md5 aes192-md5

aes192-sha1 aes192-sha1

aes192-sha256 aes192-sha256

aes192-sha384 aes192-sha384

aes192-sha512 aes192-sha512

aes256-null aes256-null

aes256-md5 aes256-md5

aes256-sha1 aes256-sha1

FortiOS 7.4.4 CLI Reference 1919

Fortinet Inc.
Parameter Description Type Size Default

Option Description

aes256-sha256 aes256-sha256

aes256-sha384 aes256-sha384

aes256-sha512 aes256-sha512

aes256gcm aes256gcm

chacha20poly1305 chacha20poly1305

aria128-null aria128-null

aria128-md5 aria128-md5

aria128-sha1 aria128-sha1

aria128-sha256 aria128-sha256

aria128-sha384 aria128-sha384

aria128-sha512 aria128-sha512

aria192-null aria192-null

aria192-md5 aria192-md5

aria192-sha1 aria192-sha1

aria192-sha256 aria192-sha256

aria192-sha384 aria192-sha384

aria192-sha512 aria192-sha512

aria256-null aria256-null

aria256-md5 aria256-md5

aria256-sha1 aria256-sha1

aria256-sha256 aria256-sha256

aria256-sha384 aria256-sha384

aria256-sha512 aria256-sha512

seed-null seed-null

seed-md5 seed-md5

seed-sha1 seed-sha1

seed-sha256 seed-sha256

seed-sha384 seed-sha384

seed-sha512 seed-sha512

FortiOS 7.4.4 CLI Reference 1920

Fortinet Inc.
Parameter Description Type Size Default

protocol Quick mode protocol selector. integer Minimum 0

value: 0
Maximum
value: 255

replay Enable/disable replay detection. option - enable

Option Description

enable Enable setting.

disable Disable setting.

route-overlap Action for overlapping routes. option - use-new

Option Description

use-old Use the old route and do not add the new route.

use-new Delete the old route and add the new route.

allow Allow overlapping routes.

single-source Enable/disable single source IP restriction. option - disable

Option Description

enable Only single source IP will be accepted.

disable Source IP range will be accepted.

src-addr-type Local proxy ID type. option - subnet

Option Description

subnet IPv4 subnet.

range IPv4 range.

ip IPv4 IP.

name IPv4 firewall address or group name.

subnet6 IPv6 subnet.

range6 IPv6 range.

ip6 IPv6 IP.

name6 IPv6 firewall address or group name.

src-end-ip Local proxy ID end. ipv4- Not Specified 0.0.0.0

address-any

FortiOS 7.4.4 CLI Reference 1921

Fortinet Inc.
Parameter Description Type Size Default

src-end-ip6 Local proxy ID IPv6 end. ipv6- Not Specified ::

address

src-name Local proxy ID name. string Maximum

length: 79

src-name6 Local proxy ID name. string Maximum

length: 79

src-port Quick mode source port. integer Minimum 0

value: 0
Maximum
value: 65535

src-start-ip Local proxy ID start. ipv4- Not Specified 0.0.0.0

address-any

src-start-ip6 Local proxy ID IPv6 start. ipv6- Not Specified ::

address

src-subnet Local proxy ID subnet. ipv4- Not Specified 0.0.0.0

classnet-any 0.0.0.0

src-subnet6 Local proxy ID IPv6 subnet. ipv6-prefix Not Specified ::/0

config vpn ipsec phase2

Configure VPN autokey tunnel.

config vpn ipsec phase2
Description: Configure VPN autokey tunnel.
edit <name>
set add-route [phase1|enable|...]
set auto-negotiate [enable|disable]
set comments {var-string}
set dhcp-ipsec [enable|disable]
set dhgrp {option1}, {option2}, ...
set diffserv [enable|disable]
set diffservcode {user}
set dst-addr-type [subnet|range|...]
set dst-end-ip {ipv4-address-any}
set dst-end-ip6 {ipv6-address}
set dst-name {string}
set dst-name6 {string}
set dst-port {integer}
set dst-start-ip {ipv4-address-any}
set dst-start-ip6 {ipv6-address}
set dst-subnet {ipv4-classnet-any}
set dst-subnet6 {ipv6-prefix}
set encapsulation [tunnel-mode|transport-mode]
set inbound-dscp-copy [phase1|enable|...]
set initiator-ts-narrow [enable|disable]
set ipv4-df [enable|disable]

FortiOS 7.4.4 CLI Reference 1922

Fortinet Inc.
set keepalive [enable|disable]
set keylife-type [seconds|kbs|...]
set keylifekbs {integer}
set keylifeseconds {integer}
set l2tp [enable|disable]
set pfs [enable|disable]
set phase1name {string}
set proposal {option1}, {option2}, ...
set protocol {integer}
set replay [enable|disable]
set route-overlap [use-old|use-new|...]
set selector-match [exact|subset|...]
set single-source [enable|disable]
set src-addr-type [subnet|range|...]
set src-end-ip {ipv4-address-any}
set src-end-ip6 {ipv6-address}
set src-name {string}
set src-name6 {string}
set src-port {integer}
set src-start-ip {ipv4-address-any}
set src-start-ip6 {ipv6-address}
set src-subnet {ipv4-classnet-any}
set src-subnet6 {ipv6-prefix}
set use-natip [enable|disable]
next
end

config vpn ipsec phase2

Parameter Description Type Size Default

add-route Enable/disable automatic route addition. option - phase1

Option Description

phase1 Add route according to phase1 add-route setting.

enable Add route for remote proxy ID.

disable Do not add route for remote proxy ID.

auto-negotiate Enable/disable IPsec SA auto-negotiation. option - disable

Option Description

enable Enable setting.

disable Disable setting.

comments Comment. var-string Maximum

length: 255

dhcp-ipsec Enable/disable DHCP-IPsec. option - disable

FortiOS 7.4.4 CLI Reference 1923

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

dhgrp Phase2 DH group. option - 14

Option Description

1 DH Group 1.

2 DH Group 2.

5 DH Group 5.

14 DH Group 14.

15 DH Group 15.

16 DH Group 16.

17 DH Group 17.

18 DH Group 18.

19 DH Group 19.

20 DH Group 20.

21 DH Group 21.

27 DH Group 27.

28 DH Group 28.

29 DH Group 29.

30 DH Group 30.

31 DH Group 31.

32 DH Group 32.

diffserv Enable/disable applying DSCP value to the option - disable

IPsec tunnel outer IP header.

Option Description

enable Enable setting.

disable Disable setting.

diffservcode DSCP value to be applied to the IPsec tunnel user Not Specified
outer IP header.

dst-addr-type Remote proxy ID type. option - subnet

FortiOS 7.4.4 CLI Reference 1924

Fortinet Inc.
Parameter Description Type Size Default

Option Description

subnet IPv4 subnet.

range IPv4 range.

ip IPv4 IP.

name IPv4 firewall address or group name.

dst-end-ip Remote proxy ID IPv4 end. ipv4- Not Specified 0.0.0.0

address-any

dst-end-ip6 Remote proxy ID IPv6 end. ipv6- Not Specified ::

address

dst-name Remote proxy ID name. string Maximum

length: 79

dst-name6 Remote proxy ID name. string Maximum

length: 79

dst-port Quick mode destination port. integer Minimum 0

value: 0
Maximum
value: 65535

dst-start-ip Remote proxy ID IPv4 start. ipv4- Not Specified 0.0.0.0

address-any

dst-start-ip6 Remote proxy ID IPv6 start. ipv6- Not Specified ::

address

dst-subnet Remote proxy ID IPv4 subnet. ipv4- Not Specified 0.0.0.0

classnet-any 0.0.0.0

dst-subnet6 Remote proxy ID IPv6 subnet. ipv6-prefix Not Specified ::/0

encapsulation ESP encapsulation mode. option - tunnel-mode

Option Description

tunnel-mode Use tunnel mode encapsulation.

transport-mode Use transport mode encapsulation.

inbound-dscp- Enable/disable copying of the DSCP in the ESP option - phase1

copy header to the inner IP header.

Option Description

phase1 copy the DCSP in the ESP header to the inner IP Header according to the
phase1 inbound_dscp_copy setting.

FortiOS 7.4.4 CLI Reference 1925

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable copying of the DSCP in the ESP header to the inner IP header.

disable Disable copying of the DSCP in the ESP header to the inner IP header.

Option Description

seconds Key life in seconds.

kbs Key life in kilobytes.

both Key life both.

keylifekbs Phase2 key life in number of kilobytes of traffic. integer Minimum 5120
value: 5120
Maximum
value:
4294967295

keylifeseconds Phase2 key life in time in seconds. integer Minimum 43200

value: 120
Maximum
value: 172800

FortiOS 7.4.4 CLI Reference 1926

Fortinet Inc.
Parameter Description Type Size Default

l2tp Enable/disable L2TP over IPsec. option - disable

Option Description

enable Enable L2TP over IPsec.

disable Disable L2TP over IPsec.

name IPsec tunnel name. string Maximum

length: 35

pfs Enable/disable PFS feature. option - enable

Option Description

enable Enable setting.

disable Disable setting.

phase1name Phase 1 determines the options required for string Maximum

phase 2. length: 35

proposal Phase2 proposal. option -

Option Description

null-md5 null-md5

null-sha1 null-sha1

null-sha256 null-sha256

null-sha384 null-sha384

null-sha512 null-sha512

des-null des-null

des-md5 des-md5

des-sha1 des-sha1

des-sha256 des-sha256

des-sha384 des-sha384

des-sha512 des-sha512

3des-null 3des-null

3des-md5 3des-md5

3des-sha1 3des-sha1

3des-sha256 3des-sha256

FortiOS 7.4.4 CLI Reference 1927

Fortinet Inc.
Parameter Description Type Size Default

Option Description

3des-sha384 3des-sha384

3des-sha512 3des-sha512

aes128-null aes128-null

aes128-md5 aes128-md5

aes128-sha1 aes128-sha1

aes128-sha256 aes128-sha256

aes128-sha384 aes128-sha384

aes128-sha512 aes128-sha512

aes128gcm aes128gcm

aes192-null aes192-null

aes192-md5 aes192-md5

aes192-sha1 aes192-sha1

aes192-sha256 aes192-sha256

aes192-sha384 aes192-sha384

aes192-sha512 aes192-sha512

aes256-null aes256-null

aes256-md5 aes256-md5

aes256-sha1 aes256-sha1

aes256-sha256 aes256-sha256

aes256-sha384 aes256-sha384

aes256-sha512 aes256-sha512

aes256gcm aes256gcm

chacha20poly1305 chacha20poly1305

aria128-null aria128-null

aria128-md5 aria128-md5

aria128-sha1 aria128-sha1

aria128-sha256 aria128-sha256

aria128-sha384 aria128-sha384

aria128-sha512 aria128-sha512

FortiOS 7.4.4 CLI Reference 1928

Fortinet Inc.
Parameter Description Type Size Default

Option Description

aria192-null aria192-null

aria192-md5 aria192-md5

aria192-sha1 aria192-sha1

aria192-sha256 aria192-sha256

aria192-sha384 aria192-sha384

aria192-sha512 aria192-sha512

aria256-null aria256-null

aria256-md5 aria256-md5

aria256-sha1 aria256-sha1

aria256-sha256 aria256-sha256

aria256-sha384 aria256-sha384

aria256-sha512 aria256-sha512

seed-null seed-null

seed-md5 seed-md5

seed-sha1 seed-sha1

seed-sha256 seed-sha256

seed-sha384 seed-sha384

seed-sha512 seed-sha512

protocol Quick mode protocol selector. integer Minimum 0

value: 0
Maximum
value: 255

replay Enable/disable replay detection. option - enable

Option Description

enable Enable setting.

disable Disable setting.

route-overlap Action for overlapping routes. option - use-new

Option Description

use-old Use the old route and do not add the new route.

FortiOS 7.4.4 CLI Reference 1929

Fortinet Inc.
Parameter Description Type Size Default

Option Description

use-new Delete the old route and add the new route.

allow Allow overlapping routes.

selector-match Match type to use when comparing selectors. option - auto

Option Description

exact Match selectors exactly.

subset Match selectors by subset.

auto Use subset or exact match depending on selector address type.

single-source Enable/disable single source IP restriction. option - disable

Option Description

enable Only single source IP will be accepted.

disable Source IP range will be accepted.

src-addr-type Local proxy ID type. option - subnet

Option Description

subnet IPv4 subnet.

range IPv4 range.

ip IPv4 IP.

name IPv4 firewall address or group name.

src-end-ip Local proxy ID end. ipv4- Not Specified 0.0.0.0

address-any

src-end-ip6 Local proxy ID IPv6 end. ipv6- Not Specified ::

address

src-name Local proxy ID name. string Maximum

length: 79

src-name6 Local proxy ID name. string Maximum

length: 79

src-port Quick mode source port. integer Minimum 0

value: 0
Maximum
value: 65535

FortiOS 7.4.4 CLI Reference 1930

Fortinet Inc.
Parameter Description Type Size Default

src-start-ip Local proxy ID start. ipv4- Not Specified 0.0.0.0

address-any

src-start-ip6 Local proxy ID IPv6 start. ipv6- Not Specified ::

address

src-subnet Local proxy ID subnet. ipv4- Not Specified 0.0.0.0

classnet-any 0.0.0.0

src-subnet6 Local proxy ID IPv6 subnet. ipv6-prefix Not Specified ::/0

use-natip Enable to use the FortiGate public IP as the option - enable

source selector when outbound NAT is used.

Option Description

enable Replace source selector with interface IP when using outbound NAT.

disable Do not modify source selector when using outbound NAT.

config vpn kmip-server

KMIP server entry configuration.

config vpn kmip-server
Description: KMIP server entry configuration.
edit <name>
set interface {string}
set interface-select-method [auto|sdwan|...]
set password {password}
set server-identity-check [enable|disable]
config server-list
Description: KMIP server list.
edit <id>
set status [enable|disable]
set server {string}
set port {integer}
set cert {string}
next
end
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]
set username {string}
next
end

FortiOS 7.4.4 CLI Reference 1931

Fortinet Inc.
config vpn kmip-server

Parameter Description Type Size Default

interface Specify outgoing interface to reach server. string Maximum

length: 15

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

name KMIP server entry name. string Maximum

length: 35

password Password to use for connectivity to the KMIP server. password Not
Specified

server- Enable/disable KMIP server identity check (verify server option - disable
identity-check FQDN/IP address against the server certificate).

Option Description

enable Enable server identity check.

disable Disable server identity check.

source-ip FortiGate IP address to be used for communication with string Maximum

the KMIP server. length: 63

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

username User name to use for connectivity to the KMIP server. string Maximum
length: 63

FortiOS 7.4.4 CLI Reference 1932

Fortinet Inc.
config server-list

Parameter Description Type Size Default

id ID integer Minimum 0
value: 0
Maximum
value:
4294967295

status Enable/disable KMIP server. option - enable

Option Description

enable Enable server.

disable Disable server.

server KMIP server FQDN or IP address. string Maximum

length: 63

port KMIP server port. integer Minimum 5696

value: 0
Maximum
value: 65535

cert Client certificate to use for connectivity to the KMIP string Maximum
server. length: 35

config vpn l2tp

Configure L2TP.
config vpn l2tp
Description: Configure L2TP.
set compress [enable|disable]
set eip {ipv4-address}
set enforce-ipsec [enable|disable]
set hello-interval {integer}
set lcp-echo-interval {integer}
set lcp-max-echo-fails {integer}
set sip {ipv4-address}
set status [enable|disable]
set usrgrp {string}
end

config vpn l2tp

Parameter Description Type Size Default

compress Enable/disable data compression. option - disable

FortiOS 7.4.4 CLI Reference 1933

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable compress

disable Disable compress

eip End IP. ipv4- Not 0.0.0.0

address Specified

enforce-ipsec Enable/disable IPsec enforcement. option - disable

Option Description

enable Enable enforce-ipsec

disable Disable enforce-ipsec

hello-interval L2TP hello message interval in seconds. integer Minimum 60

value: 0
Maximum
value: 3600

lcp-echo- Time in seconds between PPPoE Link Control Protocol integer Minimum 5
interval (LCP) echo requests. value: 0
Maximum
value:
32767

lcp-max- Maximum number of missed LCP echo messages integer Minimum 3

echo-fails before disconnect. value: 0
Maximum
value:
32767

sip Start IP. ipv4- Not 0.0.0.0

address Specified

status Enable/disable FortiGate as a L2TP gateway. option - disable

Option Description

enable Enable setting.

disable Disable setting.

usrgrp User group. string Maximum

length: 35

config vpn pptp

Configure PPTP.

FortiOS 7.4.4 CLI Reference 1934

Fortinet Inc.
config vpn pptp
Description: Configure PPTP.
set eip {ipv4-address}
set ip-mode [range|usrgrp]
set local-ip {ipv4-address}
set sip {ipv4-address}
set status [enable|disable]
set usrgrp {string}
end

config vpn pptp

Parameter Description Type Size Default

eip End IP. ipv4- Not 0.0.0.0

address Specified

ip-mode IP assignment mode for PPTP client. option - range

Option Description

range PPTP client IP from manual config (range from sip to eip).

usrgrp PPTP client IP from user-group defined server.

local-ip Local IP to be used for peer's remote IP. ipv4- Not 0.0.0.0
address Specified

sip Start IP. ipv4- Not 0.0.0.0

address Specified

status Enable/disable FortiGate as a PPTP gateway. option - disable

Option Description

enable Enable setting.

disable Disable setting.

usrgrp User group. string Maximum

length: 35

config vpn qkd

Configure Quantum Key Distribution servers

config vpn qkd
Description: Configure Quantum Key Distribution servers
edit <name>
set certificate <name1>, <name2>, ...
set comment {var-string}
set id {string}
set peer {string}
set port {integer}

FortiOS 7.4.4 CLI Reference 1935

Fortinet Inc.
set server {string}
next
end

config vpn qkd

Parameter Description Type Size Default

certificate Names of up to 4 certificates to offer to the KME. string Maximum

<name> Certificate name. length: 79

comment Comment. var-string Maximum

length: 255

id Quantum Key Distribution ID assigned by the KME. string Maximum

length: 291

name Quantum Key Distribution configuration name. string Maximum

length: 35

peer Authenticate Quantum Key Device's certificate with the string Maximum
peer/peergrp. length: 35

port Port to connect to on the KME. integer Minimum 0

value: 1
Maximum
value:
65535

server IPv4, IPv6 or DNS address of the KME. string Maximum

length: 63

config vpn ssl client

Client.
config vpn ssl client
Description: Client.
edit <name>
set certificate {string}
set class-id {integer}
set comment {var-string}
set distance {integer}
set interface {string}
set ipv4-subnets {string}
set ipv6-subnets {string}
set peer {string}
set port {integer}
set priority {integer}
set psk {password-3}
set realm {string}
set server {string}
set source-ip {string}

FortiOS 7.4.4 CLI Reference 1936

Fortinet Inc.
set status [enable|disable]
set user {string}
next
end

config vpn ssl client

Parameter Description Type Size Default

certificate Certificate to offer to SSL-VPN server if it requests string Maximum

one. length: 35

class-id Traffic class ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

comment Comment. var-string Maximum

length: 255

distance Distance for routes added by SSL-VPN. integer Minimum 10

value: 1
Maximum
value: 255

interface SSL interface to send/receive traffic over. string Maximum

length: 15

ipv4-subnets IPv4 subnets that the client is protecting. string Maximum

length: 79

ipv6-subnets IPv6 subnets that the client is protecting. string Maximum

length: 79

name SSL-VPN tunnel name. string Maximum

length: 35

peer Authenticate peer's certificate with the peer/peergrp. string Maximum

length: 35

port SSL-VPN server port. integer Minimum 443

value: 1
Maximum
value: 65535

priority Priority for routes added by SSL-VPN. integer Minimum 1

value: 1
Maximum
value: 65535

psk Pre-shared secret to authenticate with the server password-3 Not Specified
(ASCII string or hexadecimal encoded with a leading
0x).

FortiOS 7.4.4 CLI Reference 1937

Fortinet Inc.
Parameter Description Type Size Default

realm Realm name configured on SSL-VPN server. string Maximum

length: 35

server IPv4, IPv6 or DNS address of the SSL-VPN server. string Maximum
length: 63

source-ip IPv4 or IPv6 address to use as a source for the SSL- string Maximum
VPN connection to the server. length: 63

status Enable/disable this SSL-VPN client configuration. option - enable

Option Description

enable Enable the SSL-VPN configuration.

disable Disable the SSL-VPN configuration.

user Username to offer to the peer to authenticate the string Maximum

client. length: 35

config vpn ssl settings

Configure SSL-VPN.
config vpn ssl settings
Description: Configure SSL-VPN.
set algorithm [high|medium|...]
set auth-session-check-source-ip [enable|disable]
set auth-timeout {integer}
config authentication-rule
Description: Authentication rule for SSL-VPN.
edit <id>
set source-interface <name1>, <name2>, ...
set source-address <name1>, <name2>, ...
set source-address-negate [enable|disable]
set source-address6 <name1>, <name2>, ...
set source-address6-negate [enable|disable]
set users <name1>, <name2>, ...
set groups <name1>, <name2>, ...
set portal {string}
set realm {string}
set client-cert [enable|disable]
set user-peer {string}
set cipher [any|high|...]
set auth [any|local|...]
next
end
set auto-tunnel-static-route [enable|disable]
set banned-cipher {option1}, {option2}, ...
set browser-language-detection [enable|disable]
set check-referer [enable|disable]
set ciphersuite {option1}, {option2}, ...
set client-sigalgs [no-rsa-pss|all]

FortiOS 7.4.4 CLI Reference 1938

Fortinet Inc.
set default-portal {string}
set deflate-compression-level {integer}
set deflate-min-data-size {integer}
set dns-server1 {ipv4-address}
set dns-server2 {ipv4-address}
set dns-suffix {var-string}
set dtls-heartbeat-fail-count {integer}
set dtls-heartbeat-idle-timeout {integer}
set dtls-heartbeat-interval {integer}
set dtls-hello-timeout {integer}
set dtls-max-proto-ver [dtls1-0|dtls1-2]
set dtls-min-proto-ver [dtls1-0|dtls1-2]
set dtls-tunnel [enable|disable]
set dual-stack-mode [enable|disable]
set encode-2f-sequence [enable|disable]
set encrypt-and-store-password [enable|disable]
set force-two-factor-auth [enable|disable]
set header-x-forwarded-for [pass|add|...]
set hsts-include-subdomains [enable|disable]
set http-compression [enable|disable]
set http-only-cookie [enable|disable]
set http-request-body-timeout {integer}
set http-request-header-timeout {integer}
set https-redirect [enable|disable]
set idle-timeout {integer}
set ipv6-dns-server1 {ipv6-address}
set ipv6-dns-server2 {ipv6-address}
set ipv6-wins-server1 {ipv6-address}
set ipv6-wins-server2 {ipv6-address}
set login-attempt-limit {integer}
set login-block-time {integer}
set login-timeout {integer}
set port {integer}
set port-precedence [enable|disable]
set reqclientcert [enable|disable]
set saml-redirect-port {integer}
set server-hostname {string}
set servercert {string}
set source-address <name1>, <name2>, ...
set source-address-negate [enable|disable]
set source-address6 <name1>, <name2>, ...
set source-address6-negate [enable|disable]
set source-interface <name1>, <name2>, ...
set ssl-client-renegotiation [disable|enable]
set ssl-insert-empty-fragment [enable|disable]
set ssl-max-proto-ver [tls1-0|tls1-1|...]
set ssl-min-proto-ver [tls1-0|tls1-1|...]
set status [enable|disable]
set transform-backward-slashes [enable|disable]
set tunnel-addr-assigned-method [first-available|round-robin]
set tunnel-connect-without-reauth [enable|disable]
set tunnel-ip-pools <name1>, <name2>, ...
set tunnel-ipv6-pools <name1>, <name2>, ...
set tunnel-user-session-timeout {integer}
set unsafe-legacy-renegotiation [enable|disable]
set url-obscuration [enable|disable]

FortiOS 7.4.4 CLI Reference 1939

Fortinet Inc.
set user-peer {string}
set wins-server1 {ipv4-address}
set wins-server2 {ipv4-address}
set x-content-type-options [enable|disable]
set ztna-trusted-client [enable|disable]
end

FortiOS 7.4.4 CLI Reference 1940

Fortinet Inc.
Parameter Description Type Size Default

Option Description

RSA Ban the use of cipher suites using RSA key.

DHE Ban the use of cipher suites using authenticated ephemeral DH key
agreement.

ECDHE Ban the use of cipher suites using authenticated ephemeral ECDH key
agreement.

DSS Ban the use of cipher suites using DSS authentication.

ECDSA Ban the use of cipher suites using ECDSA authentication.

AES Ban the use of cipher suites using either 128 or 256 bit AES.

AESGCM Ban the use of cipher suites AES in Galois Counter Mode (GCM).

CAMELLIA Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.

3DES Ban the use of cipher suites using triple DES

SHA1 Ban the use of cipher suites using HMAC-SHA1.

SHA256 Ban the use of cipher suites using HMAC-SHA256.

SHA384 Ban the use of cipher suites using HMAC-SHA384.

STATIC Ban the use of cipher suites using static keys.

CHACHA20 Ban the use of cipher suites using ChaCha20.

ARIA Ban the use of cipher suites using ARIA.

AESCCM Ban the use of cipher suites using AESCCM.

browser- Enable/disable overriding the configured system option - enable

language- language based on the preferred language of
detection the browser.

Option Description

enable Enable setting.

disable Disable setting.

check-referer Enable/disable verification of referer field in option - disable

HTTP request header.

Option Description

enable Enable verification of referer field in HTTP request header.

disable Disable verification of referer field in HTTP request header.

FortiOS 7.4.4 CLI Reference 1941

Fortinet Inc.
Parameter Description Type Size Default

ciphersuite Select one or more TLS 1.3 ciphersuites to option - TLS-AES-128-

enable. Does not affect ciphers in TLS 1.2 and GCM-SHA256
below. At least one must be enabled. To disable TLS-AES-256-
all, set ssl-max-proto-ver to tls1-2 or below. GCM-SHA384
TLS-
CHACHA20-
POLY1305-
SHA256

Option Description

TLS-AES-128- Enable TLS-AES-128-GCM-SHA256 in TLS 1.3.

GCM-SHA256

TLS-AES-256- Enable TLS-AES-256-GCM-SHA384 in TLS 1.3.

GCM-SHA384

TLS- Enable TLS-CHACHA20-POLY1305-SHA256 in TLS 1.3.

CHACHA20-
POLY1305-
SHA256

TLS-AES-128- Enable TLS-AES-128-CCM-SHA256 in TLS 1.3.

CCM-SHA256

TLS-AES-128- Enable TLS-AES-128-CCM-8-SHA256 in TLS 1.3.

CCM-8-SHA256

client-sigalgs Set signature algorithms related to client option - all

authentication. Affects TLS version <= 1.2 only.

Option Description

no-rsa-pss Disable RSA-PSS signature algorithms for client authentication.

all Enable all supported signature algorithms for client authentication.

default-portal Default SSL-VPN portal. string Maximum

length: 35

deflate- Compression level (0~9). integer Minimum 6

compression- value: 0
level Maximum
value: 9

deflate-min- Minimum amount of data that triggers integer Minimum 300

data-size compression. value: 200
Maximum
value: 65535

FortiOS 7.4.4 CLI Reference 1942

Fortinet Inc.
Parameter Description Type Size Default

dns-server1 DNS server 1. ipv4- Not Specified 0.0.0.0

address

dns-server2 DNS server 2. ipv4- Not Specified 0.0.0.0

address

dns-suffix DNS suffix used for SSL-VPN clients. var-string Maximum

length: 253

dtls-heartbeat- Number of missing heartbeats before the integer Minimum 3

fail-count connection is considered dropped. value: 3
Maximum
value: 10

dtls-heartbeat- Idle timeout before DTLS heartbeat is sent. integer Minimum 3

idle-timeout value: 3
Maximum
value: 10

dtls-heartbeat- Interval between DTLS heartbeat. integer Minimum 3

interval value: 3
Maximum
value: 10

dtls-hello- SSLVPN maximum DTLS hello timeout. integer Minimum 10

timeout value: 10
Maximum
value: 60

dtls-max-proto- DTLS maximum protocol version. option - dtls1-2

ver

Option Description

dtls1-0 DTLS version 1.0.

dtls1-2 DTLS version 1.2.

dtls-min-proto- DTLS minimum protocol version. option - dtls1-0

ver

Option Description

dtls1-0 DTLS version 1.0.

dtls1-2 DTLS version 1.2.

dtls-tunnel Enable/disable DTLS to prevent eavesdropping, option - enable

tampering, or message forgery.

FortiOS 7.4.4 CLI Reference 1943

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

dual-stack- Tunnel mode: enable parallel IPv4 and IPv6 option - disable
mode tunnel. Web mode: support IPv4 and IPv6
bookmarks in the portal.

Option Description

enable Enable setting.

Option Description

enable Enable setting.

disable Disable setting.

header-x- Forward the same, add, or remove HTTP option - add

forwarded-for header.

Option Description

pass Forward the same HTTP header.

add Add the HTTP header.

remove Remove the HTTP header.

enable Enable setting.

disable Disable setting.

http-request- SSL-VPN session is disconnected if an HTTP integer Minimum 30

body-timeout request body is not received within this time. value: 0
Maximum
value:
4294967295

http-request- SSL-VPN session is disconnected if an HTTP integer Minimum 20

header-timeout request header is not received within this time. value: 0
Maximum
value:
4294967295

https-redirect Enable/disable redirect of port 80 to SSL-VPN option - disable

port.

Option Description

enable Enable setting.

disable Disable setting.

idle-timeout SSL-VPN disconnects if idle for specified time in integer Minimum 300
seconds. value: 0
Maximum
value: 259200

FortiOS 7.4.4 CLI Reference 1945

Fortinet Inc.
Parameter Description Type Size Default

ipv6-dns- IPv6 DNS server 1. ipv6- Not Specified ::

server1 address

ipv6-dns- IPv6 DNS server 2. ipv6- Not Specified ::

server2 address

ipv6-wins- IPv6 WINS server 1. ipv6- Not Specified ::

server1 address

ipv6-wins- IPv6 WINS server 2. ipv6- Not Specified ::

server2 address

login-attempt- SSL-VPN maximum login attempt times before integer Minimum 2

limit block. value: 0
Maximum
value:
4294967295

login-block-time Time for which a user is blocked from logging in integer Minimum 60
after too many failed login attempts. value: 0
Maximum
value:
4294967295

login-timeout SSLVPN maximum login timeout. integer Minimum 30

value: 10
Maximum
value: 180

port SSL-VPN access port. integer Minimum 10443

value: 1
Maximum
value: 65535

port- Enable/disable, Enable means that if SSL-VPN option - enable

precedence connections are allowed on an interface admin
GUI connections are blocked on that interface.

Option Description

enable Enable setting.

disable Disable setting.

reqclientcert Enable/disable to require client certificates for all option - disable

SSL-VPN users.

Option Description

enable Enable setting.

disable Disable setting.

FortiOS 7.4.4 CLI Reference 1946

Fortinet Inc.
Parameter Description Type Size Default

saml-redirect- SAML local redirect port in the machine running integer Minimum 8020
port FortiClient. 0 is to disable redirection on FGT value: 0
side. Maximum
value: 65535

server- Server hostname for HTTPS. When set, will be string Maximum
hostname used for SSL VPN web proxy host header for length: 255
any redirection.

servercert Name of the server certificate to be used for string Maximum

SSL-VPNs. length: 35

source-address Source address of incoming traffic. string Maximum

<name> Address name. length: 79

source- Enable/disable negated source address match. option - disable

address-negate

Option Description

enable Enable setting.

disable Disable setting.

source- IPv6 source address of incoming traffic. string Maximum

address6 IPv6 address name. length: 79
<name>

source- Enable/disable negated source IPv6 address option - disable

address6- match.
negate

Option Description

enable Enable setting.

disable Disable setting.

source- SSL-VPN source interface of incoming traffic. string Maximum

interface Interface name. length: 35
<name>

ssl-client- Enable/disable to allow client renegotiation by option - disable

renegotiation the server if the tunnel goes down.

Option Description

disable Abort any SSL connection that attempts to renegotiate.

enable Allow a SSL client to renegotiate.

FortiOS 7.4.4 CLI Reference 1947

Fortinet Inc.
Parameter Description Type Size Default

ssl-insert- Enable/disable insertion of empty fragment. option - enable

empty-fragment

Option Description

backward- in URLs.
slashes

Option Description

enable Enable setting.

disable Disable setting.

FortiOS 7.4.4 CLI Reference 1948

Fortinet Inc.
Parameter Description Type Size Default

tunnel-addr- Method used for assigning address for tunnel. option - first-available
assigned-
method

Option Description

first-available Assign the first available address from the pools.

round-robin Assign the available address from the pool with a round robin fashion.

tunnel-connect- Enable/disable tunnel connection without re- option - disable

without-reauth authorization if previous connection dropped.

Option Descript

Pentera Value Proposition 2023
No ratings yet
Pentera Value Proposition 2023
20 pages
RailTel PSCDL-RFP-Vol-2 Merged Modified
No ratings yet
RailTel PSCDL-RFP-Vol-2 Merged Modified
324 pages
Central Web Authentication On The WLC and ISE Configuration Example - Cisco
No ratings yet
Central Web Authentication On The WLC and ISE Configuration Example - Cisco
17 pages
Submarine Backgrounder May 2013
No ratings yet
Submarine Backgrounder May 2013
8 pages
FortiOS 7.2.5 CLI Reference
No ratings yet
FortiOS 7.2.5 CLI Reference
2,268 pages
FortiSwitch-7.0.8-FortiSwitch Devices Managed by FortiOS 7.0
No ratings yet
FortiSwitch-7.0.8-FortiSwitch Devices Managed by FortiOS 7.0
214 pages
Standalone PDF (1)
No ratings yet
Standalone PDF (1)
1,050 pages
Manual
No ratings yet
Manual
60 pages
Datasheet NE40-X8
No ratings yet
Datasheet NE40-X8
18 pages
01 Huawei High-Quality 10 Gbps CloudCampus Solution
No ratings yet
01 Huawei High-Quality 10 Gbps CloudCampus Solution
80 pages
Cyber Security and Reliability in A Digital Cloud
No ratings yet
Cyber Security and Reliability in A Digital Cloud
95 pages
Guidance - AI - Education (UNESCO)
No ratings yet
Guidance - AI - Education (UNESCO)
48 pages
Strengthening American Cybersecurity Act
No ratings yet
Strengthening American Cybersecurity Act
211 pages
CloudEngine 8800, 7800, 6800 and 5800 Series Switches Quick Start Guide
No ratings yet
CloudEngine 8800, 7800, 6800 and 5800 Series Switches Quick Start Guide
14 pages
S200, S300, S500, S1700, S2700, S5700, and S6700 V200R022C00 Upgrade Guide
No ratings yet
S200, S300, S500, S1700, S2700, S5700, and S6700 V200R022C00 Upgrade Guide
144 pages
FortiOS 7.2.8 Administration Guide
No ratings yet
FortiOS 7.2.8 Administration Guide
3,364 pages
Unit 3 SE PDF
No ratings yet
Unit 3 SE PDF
78 pages
Technical Analysis On The Cyber Organizational Criminology of Dictatorial Military Conducts - Experience From Human Trafficking and Coercions by Military Cyber Aggressions
No ratings yet
Technical Analysis On The Cyber Organizational Criminology of Dictatorial Military Conducts - Experience From Human Trafficking and Coercions by Military Cyber Aggressions
19 pages
MQ11 02 DR 0000 Ee1001 - R3 PDF
No ratings yet
MQ11 02 DR 0000 Ee1001 - R3 PDF
13 pages
Ne40 Switch Fabric Units
No ratings yet
Ne40 Switch Fabric Units
9 pages
JB-08-Q1CO-004 Rev.1
No ratings yet
JB-08-Q1CO-004 Rev.1
18 pages
Design Guide for High-Quality 10 Gbps Office Campus Networks (Cloud Management)
No ratings yet
Design Guide for High-Quality 10 Gbps Office Campus Networks (Cloud Management)
198 pages
Identifying and Estimating Cybersecurity Risk For Enterprise Risk Management
No ratings yet
Identifying and Estimating Cybersecurity Risk For Enterprise Risk Management
61 pages
Prac Win10 Nlbs10
No ratings yet
Prac Win10 Nlbs10
11 pages
Malware Test: Report Generated by Nessus™ Wed, 06 Oct 2021 14:47:14 - 03
No ratings yet
Malware Test: Report Generated by Nessus™ Wed, 06 Oct 2021 14:47:14 - 03
261 pages
Kaspersky Security Center Hosted-English
No ratings yet
Kaspersky Security Center Hosted-English
580 pages
Modern Cyberrange Ogpe - Thesis
No ratings yet
Modern Cyberrange Ogpe - Thesis
133 pages
Huawei Draft New
No ratings yet
Huawei Draft New
79 pages
Core Xt Event Analysis
No ratings yet
Core Xt Event Analysis
1,859 pages
NIST Cybersecurity Framework 2.0 Core Discussion Draft 4-2023 Final PDF
No ratings yet
NIST Cybersecurity Framework 2.0 Core Discussion Draft 4-2023 Final PDF
26 pages
DARPA Call For Disruptive Capabilities For Future Warfare Tactical Technology Office
No ratings yet
DARPA Call For Disruptive Capabilities For Future Warfare Tactical Technology Office
35 pages
DoD Enterprise DevSecOps 2.0 Fundamentals
No ratings yet
DoD Enterprise DevSecOps 2.0 Fundamentals
45 pages
Datasheet NSO
No ratings yet
Datasheet NSO
7 pages
SG 007 SD Wan SD Lan Design Arch Guide
No ratings yet
SG 007 SD Wan SD Lan Design Arch Guide
120 pages
GlobalCrossing A PDF
No ratings yet
GlobalCrossing A PDF
36 pages
T Rec G.987 201010 I!!pdf e
No ratings yet
T Rec G.987 201010 I!!pdf e
26 pages
RF 2.2.3.2 Server Setup Guide
100% (1)
RF 2.2.3.2 Server Setup Guide
19 pages
Cisco - Nso Solution Overview
No ratings yet
Cisco - Nso Solution Overview
6 pages
Plano Clave: Chancay Multipurpose Terminal New First Stage, Peru Detailed Engineering Layout Plan For Curb of CI Area
No ratings yet
Plano Clave: Chancay Multipurpose Terminal New First Stage, Peru Detailed Engineering Layout Plan For Curb of CI Area
1 page
Ocni - 2 L: Im Plem Enting C Isco D Ata C Enter N Etw Orking
No ratings yet
Ocni - 2 L: Im Plem Enting C Isco D Ata C Enter N Etw Orking
356 pages
Spectrum Convergence - Lockheed Martin
No ratings yet
Spectrum Convergence - Lockheed Martin
6 pages
2022 Special 301 Report
No ratings yet
2022 Special 301 Report
88 pages
SCCA FRD v2-9
No ratings yet
SCCA FRD v2-9
56 pages
CyberSecurity Framework & Satellite Command and Control
No ratings yet
CyberSecurity Framework & Satellite Command and Control
67 pages
Devasc Module 5
No ratings yet
Devasc Module 5
90 pages
F-35 Joint Strike Fighter (JSF) Program: Updated May 2, 2022
No ratings yet
F-35 Joint Strike Fighter (JSF) Program: Updated May 2, 2022
48 pages
Chancay Multipurpose Terminal New First Stage, Peru: The Factual Report of Onshore Geotechnical Investigation (Phase 2)
No ratings yet
Chancay Multipurpose Terminal New First Stage, Peru: The Factual Report of Onshore Geotechnical Investigation (Phase 2)
531 pages
Segment Routing Research Testing
No ratings yet
Segment Routing Research Testing
15 pages
Attachment 1 - SOW_832469265.1731524331424 (2)
No ratings yet
Attachment 1 - SOW_832469265.1731524331424 (2)
48 pages
Sky Atp Admin Guide PDF
No ratings yet
Sky Atp Admin Guide PDF
126 pages
Communication Protocols and Standards
No ratings yet
Communication Protocols and Standards
7 pages
L2VPN Services Over Segment Routing For Traffic Engineering Policy
No ratings yet
L2VPN Services Over Segment Routing For Traffic Engineering Policy
50 pages
LST 0704 - 0
No ratings yet
LST 0704 - 0
15 pages
BRKNMS-2945-Succeeding With Network Automation Using Cisco NSO
No ratings yet
BRKNMS-2945-Succeeding With Network Automation Using Cisco NSO
86 pages
Aranet PRO PRO Plus UserGuide-Ver-9-2
100% (1)
Aranet PRO PRO Plus UserGuide-Ver-9-2
88 pages
Oysn - Sana'a International
No ratings yet
Oysn - Sana'a International
40 pages
FortiGate-310B Install Guide
No ratings yet
FortiGate-310B Install Guide
64 pages
A QoS-Guaranteed and Congestion-Controlled SDN Routing
No ratings yet
A QoS-Guaranteed and Congestion-Controlled SDN Routing
16 pages
(CLI Reference) - FortiOS 7.6.0
No ratings yet
(CLI Reference) - FortiOS 7.6.0
2,394 pages
FortiOS 7.4.1 CLI Reference
No ratings yet
FortiOS 7.4.1 CLI Reference
2,190 pages
Functional Overview: Oracle Warehouse Management System & Oracle Mobile Supply Chain Application
No ratings yet
Functional Overview: Oracle Warehouse Management System & Oracle Mobile Supply Chain Application
26 pages
Session 8-13 Rev
No ratings yet
Session 8-13 Rev
13 pages
ETL - PPT v0.2
No ratings yet
ETL - PPT v0.2
20 pages
How To Integrate Applications Release R12 With Custom Applications
No ratings yet
How To Integrate Applications Release R12 With Custom Applications
15 pages
ETL Interview+Prep
No ratings yet
ETL Interview+Prep
24 pages
ETHIOPIAN HIGHER UNIVERSITY PLACEMENT SYSTEM Final Proposal
67% (3)
ETHIOPIAN HIGHER UNIVERSITY PLACEMENT SYSTEM Final Proposal
15 pages
Curriculum Vitae: B.E - (Electronics & Comm.) From (RGPV University)
No ratings yet
Curriculum Vitae: B.E - (Electronics & Comm.) From (RGPV University)
3 pages
Akamai Web Application and Api Protection
No ratings yet
Akamai Web Application and Api Protection
6 pages
Connectrix Cisco - How To Configure Call Home On Cisco MDS Using CLI and DCNM Web Client - Dell India
No ratings yet
Connectrix Cisco - How To Configure Call Home On Cisco MDS Using CLI and DCNM Web Client - Dell India
3 pages
Quiz # 1 Course
No ratings yet
Quiz # 1 Course
1 page
Banglore BPO
No ratings yet
Banglore BPO
2 pages
Parallel DBMS Vendors
No ratings yet
Parallel DBMS Vendors
14 pages
Enabling Technologies
No ratings yet
Enabling Technologies
12 pages
Question1 SWE201c2
No ratings yet
Question1 SWE201c2
9 pages
Nmap Anonymization With Proxychains
No ratings yet
Nmap Anonymization With Proxychains
14 pages
Internship report 5th sem
No ratings yet
Internship report 5th sem
30 pages
SAP Download Manager Installation
No ratings yet
SAP Download Manager Installation
9 pages
Using DNS Sinkhole Feature To Block DNS Queries
No ratings yet
Using DNS Sinkhole Feature To Block DNS Queries
8 pages
Lecture 6 Process Management by FQ
No ratings yet
Lecture 6 Process Management by FQ
24 pages
Cyber Security Checklist
No ratings yet
Cyber Security Checklist
2 pages
State of the software supply chain_2024-FINAL-10-10-24
No ratings yet
State of the software supply chain_2024-FINAL-10-10-24
69 pages
Information Systems Controls For System Reliability - Part 1: Information Security
No ratings yet
Information Systems Controls For System Reliability - Part 1: Information Security
23 pages
Relational Algebra
No ratings yet
Relational Algebra
4 pages
EthioRobot - Advanced AI Language Model Customized Specifically For Ethiopia
100% (1)
EthioRobot - Advanced AI Language Model Customized Specifically For Ethiopia
1 page
Eureka Forbes
No ratings yet
Eureka Forbes
4 pages
Blood Bank Management System Project Report Documentation PDF
No ratings yet
Blood Bank Management System Project Report Documentation PDF
9 pages
SE Prac3
No ratings yet
SE Prac3
5 pages
Chapter Two UML Diagram.ppt
No ratings yet
Chapter Two UML Diagram.ppt
30 pages
CIT-506 Infomation Technology Innovation in Business
50% (2)
CIT-506 Infomation Technology Innovation in Business
10 pages
Sweety
No ratings yet
Sweety
1 page