
FortiOS - CLI Reference
VERSION 5.4.0
FORTINET DOCUMENT LIBRARY

http://docs.fortinet.com

FORTINET VIDEO GUIDE

http://video.fortinet.com

FORTINET BLOG

https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com 

http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

FORTIGATE COOKBOOK

http://cookbook.fortinet.com

FORTINET TRAINING SERVICES

http://www.fortinet.com/training

FORTIGUARD CENTER

http://www.fortiguard.com

END USER LICENSE AGREEMENT

http://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK

Email: techdocs@fortinet.com

December-16-15

FortiOS - CLI Reference

01-540-99686-20151216

Change Log

Date Change Description

December 16, 2015 New FortiOS 5.4.0 release.

CLI Reference for FortiOS 5.4 3


Fortinet Technologies Inc.

Introduction

This document describes FortiOS 5.4 CLI commands used to configure and manage a FortiGate unit from the
command line interface (CLI).

How this guide is organized

This document contains the following sections:

Managing Firmware with the FortiGate BIOS describes how to change firmware at the console during FortiGate
unit boot-up.

config describes the commands for each configuration branch of the FortiOS CLI. The command branches and
commands are in alphabetical order. The information in this section has been extracted and formatted from
FortiOS source code. The extracted information includes the command syntax, command descriptions (extracted
from CLI help) and default values. This is the first version of this content produced in this way. You can send
comments about this content to techdoc@fortinet.com.

execute describes execute commands.

get describes get commands.

tree describes the tree command.

Availability of commands and options

Some FortiOS™ CLI commands and options are not available on all FortiGate units. The CLI displays an error
message if you attempt to enter a command or option that is not available. You can use the question mark ‘?’ to
verify the commands and options that are available.

Commands and options may not be available for the following reasons:

FortiGate model

Not all commands are available on all FortiGate models. For example, low-end FortiGate models do not support
the aggregate interface type option of the config system interface command.

Hardware configuration

For example, some AMC module commands are only available when an AMC module is installed.

FortiOS Carrier, FortiGate Voice, FortiWiFi, etc

Commands for extended functionality are not available on all FortiGate models. The CLI Reference includes
commands only available for FortiWiFi units, FortiOS Carrier, and FortiGate Voice units.


Managing Firmware with the FortiGate BIOS

FortiGate units are shipped with firmware installed. Usually firmware upgrades are performed through the web-
based manager or by using the CLI execute restore command. From the console, you can also interrupt the
FortiGate unit’s boot-up process to load firmware using the BIOS firmware that is a permanent part of the unit.

Using the BIOS, you can:

- view system information
- format the boot device
- load firmware and reboot (see Loading firmware)
- reboot the FortiGate unit from the backup firmware, which then becomes the default firmware (see Booting the backup firmware)

Accessing the BIOS

The BIOS menu is available only through direct connection to the FortiGate unit’s Console port. During boot-up,
“Press any key” appears briefly. If you press any keyboard key at this time, boot-up is suspended and the BIOS
menu appears. If you are too late, the boot-up process continues as usual.

Navigating the menu


The main BIOS menu looks like this:

[C]: Configure TFTP parameters
[R]: Review TFTP parameters
[T]: Initiate TFTP firmware transfer
[F]: Format boot device
[I]: System Information
[B]: Boot with backup firmware and set as default
[Q]: Quit menu and continue to boot
[H]: Display this list of options

Enter C,R,T,F,I,B,Q, or H:
Typing the bracketed letter selects the option. Input is case-sensitive. Most options present a submenu. An
option value in square brackets at the end of the “Enter” line is the default value which you can enter simply by
pressing Return. For example,
Enter image download port number [WAN1]:
In most menus, typing H re-lists the menu options and typing Q returns to the previous menu.

Loading firmware

The BIOS can download firmware from a TFTP server that is reachable from a FortiGate unit network interface.
You need to know the IP address of the server and the name of the firmware file to download. TFTP provides no
authentication or encryption, so connect the TFTP server directly to the chosen port or place it on an isolated
segment; the only integrity check on the transfer is the image check the BIOS performs before asking whether to
save the image.


The downloaded firmware can be saved as either the default or backup firmware. It is also possible to boot the
downloaded firmware without saving it.

Configuring TFTP parameters


Starting from the main BIOS menu
[C]: Configure TFTP parameters.

Selecting the VLAN (if VLANs are used)


[V]: Set local VLAN ID.

Choose port and whether to use DHCP


[P]: Set firmware download port.
The options listed depend on the FortiGate model. Choose the network interface through which the TFTP
server can be reached. For example:
[0]: Any of port 1 - 7
[1]: WAN1
[2]: WAN2
Enter image download port number [WAN1]:
[D]: Set DHCP mode.
Please select DHCP setting
[1]: Enable DHCP
[2]: Disable DHCP
If there is a DHCP server on the network, select [1]. This simplifies configuration. Otherwise, select [2].

Non-DHCP steps
[I]: Set local IP address.
Enter local IP address [192.168.1.188]:
This is a temporary IP address for the FortiGate unit network interface. Use a unique address on the same
subnet to which the network interface connects.
[S]: Set local subnet mask.
Enter local subnet mask [255.255.252.0]:
[G]: Set local gateway.

The local gateway IP address is needed if the TFTP server is on a different subnet than the one to which the
FortiGate unit is connected.

TFTP and filename


[T]: Set remote TFTP server IP address.
Enter remote TFTP server IP address [192.168.1.145]:
[F]: Set firmware file name.
Enter firmware file name [image.out]:
Enter [Q] to return to the main menu.

Initiating TFTP firmware transfer


Starting from the main BIOS menu
[T]: Initiate TFTP firmware transfer.


Please connect TFTP server to Ethernet port 'WAN1'.

MAC: 00:09:0f:b5:55:28

Connect to tftp server 192.168.1.145 ...

##########################################################
Image Received.
Checking image... OK
Save as Default firmware/Backup firmware/Run image without
saving:[D/B/R]?
After you choose any option, the FortiGate unit reboots. If you choose [D] or [B], there is first a pause while the
firmware is copied:
Programming the boot device now.
................................................................
................................................................

Booting the backup firmware

You can reboot the FortiGate unit from the backup firmware, which then becomes the default firmware.

Starting from the main BIOS menu


[B]: Boot with backup firmware and set as default.
If the boot device contains backup firmware, the FortiGate unit reboots. Otherwise the unit responds:
Failed to mount filesystem. . .
Mount back up partition failed.
Back up image open failed.
Press ‘Y’ or ‘y’ to boot default image.


config

Use the config commands to change your FortiGate's configuration.

The command branches and commands are in alphabetical order. The information in this section has been
extracted and formatted from FortiOS source code. The extracted information includes the command syntax,
command descriptions (extracted from CLI help) and default values. This is the first version of this content
produced in this way. You can send comments about this content to techdoc@fortinet.com

alertemail/setting
CLI Syntax
config alertemail setting
set username <string>
set mailto1 <string>
set mailto2 <string>
set mailto3 <string>
set filter-mode {category | threshold}
set email-interval <integer>
set IPS-logs {enable | disable}
set firewall-authentication-failure-logs {enable | disable}
set HA-logs {enable | disable}
set IPsec-errors-logs {enable | disable}
set FDS-update-logs {enable | disable}
set PPP-errors-logs {enable | disable}
set sslvpn-authentication-errors-logs {enable | disable}
set antivirus-logs {enable | disable}
set webfilter-logs {enable | disable}
set configuration-changes-logs {enable | disable}
set violation-traffic-logs {enable | disable}
set admin-login-logs {enable | disable}
set FDS-license-expiring-warning {enable | disable}
set log-disk-usage-warning {enable | disable}
set fortiguard-log-quota-warning {enable | disable}
set amc-interface-bypass-mode {enable | disable}
set FIPS-CC-errors {enable | disable}
set FDS-license-expiring-days <integer>
set local-disk-usage <integer>
set emergency-interval <integer>
set alert-interval <integer>
set critical-interval <integer>
set error-interval <integer>
set warning-interval <integer>
set notification-interval <integer>
set information-interval <integer>
set debug-interval <integer>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
end

Description
Configuration                         Description                                                                              Default Value
username                              Email from address.                                                                      (Empty)
mailto1                               Destination email address 1.                                                             (Empty)
mailto2                               Destination email address 2.                                                             (Empty)
mailto3                               Destination email address 3.                                                             (Empty)
filter-mode                           Filter mode.                                                                             category
email-interval                        Interval between each email.                                                             5
IPS-logs                              Enable/disable IPS logs.                                                                 disable
firewall-authentication-failure-logs  Enable/disable logging of firewall authentication failures.                             disable
HA-logs                               Enable/disable HA logs.                                                                  disable
IPsec-errors-logs                     Enable/disable IPsec errors logs.                                                        disable
FDS-update-logs                       Enable/disable FortiGuard update logs.                                                   disable
PPP-errors-logs                       Enable/disable PPP errors logs.                                                          disable
sslvpn-authentication-errors-logs     Enable/disable logging of SSL-VPN authentication errors.                                 disable
antivirus-logs                        Enable/disable antivirus logs.                                                           disable
webfilter-logs                        Enable/disable web filter logging.                                                       disable
configuration-changes-logs            Enable/disable logging of configuration changes.                                         disable
violation-traffic-logs                Enable/disable logging of violation traffic.                                             disable
admin-login-logs                      Enable/disable logging of administrator logins/logouts.                                  disable
FDS-license-expiring-warning          Enable/disable FortiGuard license expiration warning.                                    disable
log-disk-usage-warning                Enable/disable logging of disk usage warning.                                            disable
fortiguard-log-quota-warning          Enable/disable warning of FortiCloud log quota.                                          disable
amc-interface-bypass-mode             Enable/disable Fortinet Advanced Mezzanine Card (AMC) interface bypass mode.             disable
FIPS-CC-errors                        Enable/disable FIPS and Common Criteria errors.                                          disable
FDS-license-expiring-days             Number of days before FortiGuard license expiration to send alert email (1 - 100 days).  15
local-disk-usage                      Disk usage percentage at which to send alert email (1 - 99 percent).                     75
emergency-interval                    Emergency alert interval in minutes.                                                     1
alert-interval                        Alert-level alert interval in minutes.                                                   2
critical-interval                     Critical alert interval in minutes.                                                      3
error-interval                        Error alert interval in minutes.                                                         5
warning-interval                      Warning alert interval in minutes.                                                       10
notification-interval                 Notification alert interval in minutes.                                                  20
information-interval                  Information alert interval in minutes.                                                   30
debug-interval                        Debug alert interval in minutes.                                                         60
severity                              Lowest severity level to log.                                                            alert
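Worked example for this branch, added here as an illustration and not taken from Fortinet's own documentation: it turns on the alert categories an operator most wants to hear about (administrator logins, configuration changes, firewall and SSL-VPN authentication failures, HA and IPsec events, FIPS-CC errors, license expiry, disk usage) and shortens the intervals for the highest severities. Alert mail is delivered through the device's SMTP settings under config system email-server, which is a separate branch not covered on this page; the host names, addresses and credentials below are placeholders, and lines beginning with # are commentary for the reader.

```fortios
# Added example: alert email for security-relevant events (hypothetical hosts, addresses and credentials).
# Mail transport is configured in a different branch; alertemail setting only selects what is sent and how often.
config system email-server
    set server "smtp.example.net"
    set port 587
    set security starttls
    set authenticate enable
    set username "fortigate-alerts"
    set password "replace-me"
end

config alertemail setting
    set username "fortigate@example.net"
    set mailto1 "secops@example.net"
    set mailto2 "netops@example.net"
    # category mode: the per-category switches below decide what is mailed
    set filter-mode category
    set admin-login-logs enable
    set configuration-changes-logs enable
    set firewall-authentication-failure-logs enable
    set sslvpn-authentication-errors-logs enable
    set HA-logs enable
    set IPsec-errors-logs enable
    set FIPS-CC-errors enable
    set FDS-license-expiring-warning enable
    set FDS-license-expiring-days 30
    set log-disk-usage-warning enable
    set local-disk-usage 85
    # how long (minutes) events of each severity are batched before a mail goes out
    set emergency-interval 1
    set alert-interval 1
    set critical-interval 2
    set email-interval 5
end
```

With filter-mode threshold the per-category switches are ignored and every event at or above severity is mailed instead (the semantics of the two modes as this editor understands them; the reference above only names them). The interval settings apply in both modes, so a noisy category is throttled rather than producing one mail per event.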

antivirus/heuristic
CLI Syntax
config antivirus heuristic
set mode {pass | block | disable}
end

Description
Configuration Description Default Value

mode Mode to use for heuristics. disable

antivirus/profile
CLI Syntax
config antivirus profile
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
set inspection-mode {proxy | flow-based}
set ftgd-analytics {disable | suspicious | everything}
set analytics-max-upload <integer>
set analytics-wl-filetype <integer>
set analytics-bl-filetype <integer>
set analytics-db {disable | enable}
set mobile-malware-db {disable | enable}
config http
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
end
config ftp
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
end
config imap
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
set executables {default | virus}
end
config pop3
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
set executables {default | virus}
end
config smtp
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
set executables {default | virus}
end
config mapi
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
set executables {default | virus}
end
config nntp
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
end
config smb
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
end
config nac-quar
set infected {none | quar-src-ip | quar-interface}
set expiry <user>
set log {enable | disable}
end
set av-virus-log {enable | disable}
set av-block-log {enable | disable}
set scan-mode {quick | full}
end

Description
Configuration          Description                                                                          Default Value
name                   Profile name.                                                                        (Empty)
comment                Comment.                                                                             (Empty)
replacemsg-group       Replacement message group.                                                           (Empty)
inspection-mode        Inspection mode.                                                                     flow-based
ftgd-analytics         Submit suspicious or supposedly clean files to FortiSandbox.                         disable
analytics-max-upload   Maximum upload size to FortiSandbox (in MB).                                         10
analytics-wl-filetype  Do not submit files matching this file-pattern table to the FortiSandbox.            0
analytics-bl-filetype  Only submit files matching this file-pattern table to the FortiSandbox.              0
analytics-db           Use signature database from FortiSandbox to supplement the AV signature databases.   disable
mobile-malware-db      Use mobile malware signature database.                                               enable
http                   HTTP. Details below.
ftp                    FTP. Details below.
imap                   IMAP. Details below.
pop3                   POP3. Details below.
smtp                   SMTP. Details below.
mapi                   MAPI. Details below.
nntp                   NNTP. Details below.
smb                    SMB. Details below.
nac-quar               Quarantine settings. Details below.
av-virus-log           Enable/disable logging for antivirus scanning.                                       enable
av-block-log           Enable/disable logging for antivirus file blocking.                                  enable
scan-mode              Choose between full scan mode and quick scan mode.                                   full

Per-protocol settings (http, ftp, imap, pop3, smtp, mapi, nntp, smb)
Configuration   Default Value
options         (Empty)
archive-block   (Empty)
archive-log     (Empty)
emulator        enable
executables     default (imap, pop3, smtp and mapi only)

nac-quar
Configuration   Default Value
infected        none
expiry          5m
log             disable
antivirus/quarantine
CLI Syntax
config antivirus quarantine
set agelimit <integer>
set maxfilesize <integer>
set quarantine-quota <integer>
set drop-infected {imap | smtp | pop3 | http | ftp | im | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
set store-infected {imap | smtp | pop3 | http | ftp | im | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
set drop-blocked {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | ftps | mapi | mm1 | mm3 | mm4 | mm7}
set store-blocked {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | ftps | mapi | mm1 | mm3 | mm4 | mm7}
set drop-heuristic {imap | smtp | pop3 | http | ftp | im | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
set store-heuristic {imap | smtp | pop3 | http | ftp | im | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
set lowspace {drop-new | ovrw-old}
set destination {NULL | disk | FortiAnalyzer}
end

Description
Configuration     Description                                              Default Value
agelimit          Age limit for quarantined files.                         0
maxfilesize       Maximum file size to quarantine.                         0
quarantine-quota  Quarantine quota.                                        0
drop-infected     Ignore infected files from a protocol.                   (Empty)
store-infected    Quarantine infected files from a protocol.               imap smtp pop3 http ftp nntp imaps smtps pop3s https ftps mapi
drop-blocked      Drop blocked files from a protocol.                      (Empty)
store-blocked     Quarantine blocked files from a protocol.                imap smtp pop3 http ftp nntp imaps smtps pop3s ftps mapi
drop-heuristic    Ignore heuristically caught files from a protocol.       (Empty)
store-heuristic   Quarantine heuristically caught files from a protocol.   imap smtp pop3 http ftp nntp imaps smtps pop3s https ftps mapi
lowspace          Action when the disk is almost full.                     ovrw-old
destination       Quarantine destination: disk/FortiAnalyzer.              disk

antivirus/settings
CLI Syntax
config antivirus settings
set default-db {normal | extended | extreme}
set grayware {enable | disable}
end

Description
Configuration Description Default Value

default-db Select AV database to be used for AV scanning. extended

grayware Enable/disable detection of grayware. disable
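Worked example for the three unit-wide antivirus branches on this page (antivirus settings, antivirus heuristic and antivirus quarantine), added as an illustration and not taken from Fortinet's documentation. These settings apply to every antivirus profile: the signature database and grayware detection, how heuristic hits are handled, and where quarantined files go and how long they stay. The numeric values are assumptions; the units (hours for agelimit, MB for maxfilesize and quarantine-quota) are this editor's understanding, since the reference above does not state them. A local disk is assumed for the quarantine destination; lines beginning with # are commentary.

```fortios
# Added example: global antivirus settings shared by all profiles (illustrative values).
config antivirus settings
    # extended covers more, including older, malware than normal at some performance cost
    set default-db extended
    set grayware enable
end

config antivirus heuristic
    # pass: log heuristic detections without blocking, so a false positive cannot break traffic;
    # switch to block once the log shows an acceptable false-positive rate
    set mode pass
end

config antivirus quarantine
    # keep files 72 hours, at most 20 MB each, within a 500 MB quota; overwrite the oldest when full
    set agelimit 72
    set maxfilesize 20
    set quarantine-quota 500
    set lowspace ovrw-old
    set destination disk
    # keep infected, blocked and heuristically flagged files from every web and mail protocol
    set store-infected imap smtp pop3 http ftp nntp imaps smtps pop3s https ftps mapi
    set store-blocked imap smtp pop3 http ftp nntp imaps smtps pop3s ftps mapi
    set store-heuristic imap smtp pop3 http ftp nntp imaps smtps pop3s https ftps mapi
end
```

Quarantined samples are what incident response will want; a quota of zero means unlimited, which on a small appliance disk is a denial-of-service waiting for a mail-borne campaign, so set both the per-file limit and the quota.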

application/custom
CLI Syntax
config application custom
edit <name_str>
set tag <string>
set name <string>
set id <integer>
set comment <string>
set signature <string>
set category <integer>
set protocol <user>
set technology <user>
set behavior <user>
set vendor <user>
end

Description
Configuration Description Default Value

tag Signature tag. (Empty)

name Application name. (Empty)

id Application ID. 0

comment Comment. (Empty)

signature Signature text. (Empty)

category Application category ID. 0

protocol Application protocol. (Empty)

technology Application technology. (Empty)

behavior Application behavior. (Empty)

vendor Application vendor. (Empty)

application/list
CLI Syntax
config application list
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
set other-application-action {pass | block}
set app-replacemsg {disable | enable}
set other-application-log {disable | enable}
set unknown-application-action {pass | block}
set unknown-application-log {disable | enable}
set p2p-black-list {skype | edonkey | bittorrent}
set deep-app-inspection {disable | enable}
set options {allow-dns | allow-icmp | allow-http | allow-ssl}
config entries
edit <name_str>
set id <integer>
config risk
edit <name_str>
set level <integer>
end
config category
edit <name_str>
set id <integer>
end
config sub-category
edit <name_str>
set id <integer>
end
config application
edit <name_str>
set id <integer>
end
set protocols <user>
set vendor <user>
set technology <user>
set behavior <user>
set popularity {1 | 2 | 3 | 4 | 5}
config tags
edit <name_str>
set name <string>
end
config parameters
edit <name_str>
set id <integer>
set value <string>
end
set action {pass | block | reset}
set log {disable | enable}
set log-packet {disable | enable}
set rate-count <integer>
set rate-duration <integer>
set rate-mode {periodical | continuous}
set rate-track {none | src-ip | dest-ip | dhcp-client-mac | dns-domain}
set session-ttl <integer>
set shaper <string>
set shaper-reverse <string>
set per-ip-shaper <string>
set quarantine {none | attacker | both | interface}
set quarantine-expiry <user>
set quarantine-log {disable | enable}
end
end

Description
Configuration               Description                                                      Default Value
name                        List name.                                                       (Empty)
comment                     Comment.                                                         (Empty)
replacemsg-group            Replacement message group.                                       (Empty)
other-application-action    Action for other applications.                                   pass
app-replacemsg              Enable/disable replacement messages for blocked applications.    enable
other-application-log       Enable/disable logging of other applications.                    disable
unknown-application-action  Action for unknown applications.                                 pass
unknown-application-log     Enable/disable logging of unknown applications.                  disable
p2p-black-list              Action for p2p black list.                                       (Empty)
deep-app-inspection         Enable/disable deep application inspection.                      disable
options                     Options.                                                         allow-dns
entries                     Application list entries.                                        (Empty)
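Worked example for this branch, added as an illustration and not taken from Fortinet's documentation: an application control list for an outbound user policy that blocks peer-to-peer, proxy and remote-access applications, logs everything else, and rate-limits a host that opens many sessions of high-risk applications. The sub-tables shown in the syntax above (risk, category, application, tags, parameters) are entered on a running unit as multi-value set commands (set category 2 5 6, set risk 5), which is this editor's reading of the extracted syntax; the list name and the category IDs (2 = P2P, 5 = Proxy, 6 = Remote.Access) are assumptions for the example and should be checked against the unit's own category table. Lines beginning with # are commentary.

```fortios
# Added example: an application control list for outbound user traffic (illustrative name and IDs).
config application list
    edit "egress-users"
        set comment "block P2P, proxies and remote access tools; log the rest"
        set other-application-action pass
        set other-application-log enable
        set unknown-application-action pass
        set unknown-application-log enable
        set app-replacemsg enable
        # keep inspecting beyond the first packets so evasive applications are still classified
        set deep-app-inspection enable
        # the P2P black list classifies these protocols even when their traffic is obfuscated
        set p2p-black-list skype edonkey bittorrent
        config entries
            edit 1
                # category IDs assumed for this example: 2 = P2P, 5 = Proxy, 6 = Remote.Access
                set category 2 5 6
                set action block
                set log enable
            next
            edit 2
                # reset, and quarantine for five minutes, a source that starts more than 100 sessions
                # of risk-level-5 applications within 60 seconds
                set risk 5
                set action reset
                set log enable
                set rate-count 100
                set rate-duration 60
                set rate-mode continuous
                set rate-track src-ip
                set quarantine attacker
                set quarantine-expiry 5m
                set quarantine-log enable
            next
        end
    next
end
```

Entry 1 is the enforcement; entry 2 is the detection-with-teeth part, and quarantine-log enable is what makes the quarantine visible in the logs rather than only as a mysteriously dropped host. Leaving unknown-application-action at pass with logging on is the usual starting point: blocking unknowns on a user network without first reviewing what is classified as unknown produces a flood of tickets.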

application/name
CLI Syntax
config application name
edit <name_str>
set name <string>
set id <integer>
set category <integer>
set sub-category <integer>
set popularity <integer>
set risk <integer>
set protocol <user>
set technology <user>
set behavior <user>
set vendor <user>
set parameter <string>
config metadata
edit <name_str>
set id <integer>
set metaid <integer>
set valueid <integer>
end
end

Description
Configuration Description Default Value

name Application name. (Empty)

id Application ID. 0

category Application category ID. 0

sub-category Application sub-category ID. 0

popularity Application popularity. 0

risk Application risk. 0

protocol Application protocol. (Empty)

technology Application technology. (Empty)

behavior Application behavior. (Empty)

vendor Application vendor. (Empty)

parameter Application parameter name. (Empty)

metadata Meta data. (Empty)

application/rule-settings
CLI Syntax
config application rule-settings
edit <name_str>
set id <integer>
config tags
edit <name_str>
set name <string>
end
end

Description
Configuration Description Default Value

id Rule ID. 0

tags Applied object tags. (Empty)

certificate/ca
CLI Syntax
config certificate ca
edit <name_str>
set name <string>
set ca <user>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
set trusted {enable | disable}
set scep-url <string>
set auto-update-days <integer>
set auto-update-days-warning <integer>
set source-ip <ipv4-address>
end

Description
Configuration             Description                                              Default Value
name                      Name.                                                    (Empty)
ca                        CA certificate.                                          (Empty)
range                     CA certificate range.                                    global
source                    CA certificate source.                                   user
trusted                   Enable/disable trusted CA.                               enable
scep-url                  URL of SCEP server.                                      (Empty)
auto-update-days          Days to auto-update before expired, 0=disabled.          0
auto-update-days-warning  Days to send warning before auto-update (0=disabled).    0
source-ip                 Source IP for communications to SCEP server.             0.0.0.0

certificate/crl
CLI Syntax
config certificate crl
edit <name_str>
set name <string>
set crl <user>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
set update-vdom <string>
set ldap-server <string>
set ldap-username <string>
set ldap-password <password>
set http-url <string>
set scep-url <string>
set scep-cert <string>
set update-interval <integer>
set source-ip <ipv4-address>
end

Description
Configuration    Description                                                 Default Value
name             Name.                                                       (Empty)
crl              Certificate Revocation List.                                (Empty)
range            CRL range.                                                  global
source           CRL source.                                                 user
update-vdom      Virtual domain for CRL update.                              root
ldap-server      LDAP server.                                                (Empty)
ldap-username    Login name for LDAP server.                                 (Empty)
ldap-password    Login password for LDAP server.                             (Empty)
http-url         URL of HTTP server for CRL update.                          (Empty)
scep-url         URL of CA server for CRL update via SCEP.                   (Empty)
scep-cert        Local certificate used for CRL update via SCEP.             Fortinet_CA_SSL
update-interval  Seconds between updates, 0=disabled.                        0
source-ip        Source IP for communications to CA (HTTP/SCEP) server.      0.0.0.0

certificate/local
CLI Syntax
config certificate local
edit <name_str>
set name <string>
set password <password>
set comments <string>
set private-key <user>
set certificate <user>
set csr <user>
set state <user>
set scep-url <string>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
set auto-regenerate-days <integer>
set auto-regenerate-days-warning <integer>
set scep-password <password>
set ca-identifier <string>
set name-encoding {printable | utf8}
set source-ip <ipv4-address>
set ike-localid <string>
set ike-localid-type {asn1dn | fqdn}
end

Description
Configuration                  Description                                                  Default Value
name                           Name.                                                        (Empty)
password                       Password.                                                    (Empty)
comments                       Comment.                                                     (Empty)
private-key                    Private key.                                                 (Empty)
certificate                    Certificate.                                                 (Empty)
csr                            Certificate Signing Request.                                 (Empty)
state                          Certificate Signing Request State.                           (Empty)
scep-url                       URL of SCEP server.                                          (Empty)
range                          Certificate range.                                           global
source                         Certificate source.                                          user
auto-regenerate-days           Days to auto-regenerate before expired, 0=disabled.          0
auto-regenerate-days-warning   Days to send warning before auto-regeneration, 0=disabled.   0
scep-password                  SCEP server challenge password for auto-regeneration.        (Empty)
ca-identifier                  CA identifier of the CA server for signing via SCEP.         (Empty)
name-encoding                  Name encoding for auto-regeneration.                         printable
source-ip                      Source IP for communications to SCEP server.                 0.0.0.0
ike-localid                    IKE local ID.                                                (Empty)
ike-localid-type               IKE local ID type.                                           asn1dn
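Worked example for the three certificate branches on this page (certificate ca, certificate crl and certificate local), added as an illustration and not taken from Fortinet's documentation: trust an internal issuing CA, keep its CRL fresh over HTTP, and enrol the unit's own certificate through SCEP with automatic renewal before expiry. The PEM bodies (set ca, set certificate, set private-key) are left out because they are normally imported rather than typed; the CA name, PKI host, URLs, CA identifier, challenge password and source address are placeholders, and lines beginning with # are commentary.

```fortios
# Added example: internal CA trust, CRL refresh and SCEP enrolment with auto-renewal (hypothetical PKI).
config certificate ca
    edit "Corp-Issuing-CA"
        # set ca holds the PEM text of the CA certificate; import it rather than typing it here
        set range global
        set source user
        set trusted enable
    next
end

config certificate crl
    edit "Corp-Issuing-CA-CRL"
        set range global
        set source user
        # fetch the CRL over HTTP every 24 hours (update-interval is in seconds; 0 disables refresh)
        set http-url "http://pki.example.net/crl/issuing.crl"
        set update-interval 86400
        # fixed source address so the PKI host can restrict who may fetch
        set source-ip 10.0.0.1
        set update-vdom root
    next
end

config certificate local
    edit "fgt-ssl"
        set range global
        set source user
        # SCEP enrolment against the issuing CA, renewing 30 days before expiry with a warning 14 days earlier
        set scep-url "http://pki.example.net/certsrv/mscep/mscep.dll"
        set ca-identifier "Corp-Issuing-CA"
        set scep-password "replace-me"
        set auto-regenerate-days 30
        set auto-regenerate-days-warning 14
        set name-encoding printable
        set source-ip 10.0.0.1
        # identity presented in IKE when this certificate authenticates a VPN peer
        set ike-localid-type fqdn
        set ike-localid "fgt1.example.net"
    next
end
```

Plain HTTP for the CRL is acceptable because a CRL is signed by the CA and verified against the ca entry; the secret that needs protecting is scep-password, which lives in the configuration and therefore in every backup. A CRL with update-interval 0 is fetched once and never again, which silently turns revocation checking off as soon as the file expires.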

dlp/filepattern
CLI Syntax
config dlp filepattern
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set filter-type {pattern | type}
set pattern <string>
set file-type {7z | arj | cab | lzh | rar | tar | zip | bzip | gzip | bzip2 | xz | bat | msc | uue | mime | base64 | binhex | bin | elf | exe | hta | html | jad | class | cod | javascript | msoffice | msofficex | fsg | upx | petite | aspack | prc | sis | hlp | activemime | jpeg | gif | tiff | png | bmp | ignored | unknown | mpeg | mov | mp3 | wma | wav | pdf | avi | rm | torrent | hibun}
end
end

Description
Configuration Description Default Value

id ID. 0

name Name of table. (Empty)

comment Comment. (Empty)

entries Configure file patterns used by DLP blocking. (Empty)

dlp/fp-doc-source
CLI Syntax
config dlp fp-doc-source
edit <name_str>
set name <string>
set server-type {samba}
set server <string>
set period {none | daily | weekly | monthly}
set vdom {mgmt | current}
set scan-subdirectories {enable | disable}
set scan-on-creation {enable | disable}
set remove-deleted {enable | disable}
set keep-modified {enable | disable}
set username <string>
set password <password>
set file-path <string>
set file-pattern <string>
set sensitivity <string>
set tod-hour <integer>
set tod-min <integer>
set weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set date <integer>
end

Description
Configuration        Description                                                                                 Default Value
name                 Name of the document source.                                                                (Empty)
server-type          Server type.                                                                                samba
server               Server location (can be IP or IPv6 address).                                                (Empty)
period               Select periodic server checking.                                                            none
vdom                 Select source on management or current VDOM.                                                mgmt
scan-subdirectories  Enable/disable scanning of subdirectories.                                                  enable
scan-on-creation     Enable/disable forced scan of the server when the document source is created or edited.    enable
remove-deleted       Enable/disable removing chunks of files deleted from the server.                            enable
keep-modified        Enable/disable retaining old chunks of modified files.                                      enable
username             Login username.                                                                             (Empty)
password             Login password.                                                                             (Empty)
file-path            File path on server.                                                                        (Empty)
file-pattern         File patterns to fingerprint (wildcard).                                                    *
sensitivity          DLP fingerprint sensitivity defined for these files.                                        (Empty)
tod-hour             Time of day to run scans (hour part, 24 hour clock).                                        1
tod-min              Time of day to run scans (min).                                                             0
weekday              Day of week to run scans.                                                                   sunday
date                 Date within a month to run scans.                                                           1

dlp/fp-sensitivity
CLI Syntax
config dlp fp-sensitivity
edit <name_str>
set name <string>
end

Description
Configuration Description Default Value

name DLP Sensitivity Levels. (Empty)

dlp/sensor
CLI Syntax
config dlp sensor
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
config filter
edit <name_str>
set id <integer>
set name <string>
set severity {info | low | medium | high | critical}
set type {file | message}
set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | aim | icq | msn | yahoo | mapi | mm1 | mm3 | mm4 | mm7}
set filter-by {credit-card | ssn | regexp | file-type | file-size | fingerprint | watermark | encrypted}
set file-size <integer>
set company-identifier <string>
config fp-sensitivity
edit <name_str>
set name <string>
end
set match-percentage <integer>
set file-type <integer>
set regexp <string>
set archive {disable | enable}
set action {allow | log-only | block | ban | quarantine-ip | quarantine-port}
set expiry <user>
end
set dlp-log {enable | disable}
set nac-quar-log {enable | disable}
set flow-based {enable | disable}
set options {}
set full-archive-proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | aim | icq | msn | yahoo | mapi | mm1 | mm3 | mm4 | mm7}
set summary-proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | aim | icq | msn | yahoo | mapi | mm1 | mm3 | mm4 | mm7}
end

Description
Configuration  Description  Default Value
name  Name.  (Empty)
comment  Comment.  (Empty)
replacemsg-group  Replacement message group.  (Empty)
filter  Configure DLP filters.  (Empty)
dlp-log  Enable/disable logging for data leak prevention.  enable
nac-quar-log  Enable/disable logging for NAC quarantine creation.  disable
flow-based  Enable/disable flow-based data leak prevention.  disable
options  options
full-archive-proto  Protocols to always content archive.  (Empty)
summary-proto  Protocols to always log summary.  (Empty)
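The filter table above lists what a sensor filter is keyed on (filter-by), which protocols it watches (proto), and the severity and action that fire on a hit. To make those settings concrete, here is an added example that is not FortiOS code and not part of the original reference: a toy evaluator that walks a constructed list of filters in id order and reports the first one that matches a message. The credit-card detector (digit runs of 13 to 19 digits that pass a Luhn check), the SSN shape, and "first match wins" are all this example's assumptions; FortiOS's own detectors are not described on this page.

```python
# Added example (not FortiOS code): a toy evaluator for the per-filter settings that
# `config dlp sensor` / `config filter` expose: filter-by, proto, severity, action.
# Matching rules are simplified assumptions; FortiOS's detectors are not public.
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class DlpFilter:
    id: int
    name: str
    filter_by: str                  # credit-card | ssn | regexp (file-based kinds omitted)
    action: str = "log-only"        # allow | log-only | block | ban | quarantine-ip | quarantine-port
    severity: str = "medium"        # info | low | medium | high | critical
    regexp: Optional[str] = None    # used when filter_by == "regexp"
    proto: FrozenSet[str] = frozenset({"smtp", "pop3", "imap", "http-post"})


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; a bare digit run without it is mostly false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by single spaces or dashes (assumed card formats).
CC_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape with the well-known invalid groups excluded (assumed SSN format).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def find_credit_cards(text: str) -> List[str]:
    hits = []
    for m in CC_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def evaluate(filters: List[DlpFilter], proto: str, text: str) -> Optional[Tuple[DlpFilter, List[str]]]:
    """Return the first filter (by id) that fires on this message and what it matched.
    First-match-wins ordering is an assumption of this example."""
    for f in sorted(filters, key=lambda f: f.id):
        if proto not in f.proto:
            continue
        if f.filter_by == "credit-card":
            hits = find_credit_cards(text)
        elif f.filter_by == "ssn":
            hits = SSN_RE.findall(text)
        elif f.filter_by == "regexp" and f.regexp:
            hits = re.findall(f.regexp, text)
        else:
            hits = []
        if hits:
            return f, hits
    return None


# Constructed sensor: three filters, strictest first.
SENSOR = [
    DlpFilter(1, "cards", "credit-card", action="block", severity="critical"),
    DlpFilter(2, "ssn", "ssn", action="quarantine-ip", severity="high"),
    DlpFilter(3, "marker", "regexp", action="log-only", severity="low",
              regexp=r"(?i)\bconfidential\b"),
]

if __name__ == "__main__":
    # Constructed messages; the card number is a well-known test number.
    for proto, msg in [("smtp", "Card 4111 1111 1111 1111 exp 12/27"),
                       ("http-post", "SSN 123-45-6789 attached"),
                       ("smtp", "CONFIDENTIAL draft"),
                       ("ftp", "CONFIDENTIAL draft"),
                       ("smtp", "order 1234 5678 9012 3456")]:
        print(proto, "->", evaluate(SENSOR, proto, msg))
```

The ftp message produces no verdict because none of the constructed filters lists ftp in proto, and the last message produces none because its digit run fails the Luhn check; both cases are the kind of thing worth checking when tuning a real sensor's proto list and filter order.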

dlp/settings
CLI Syntax
config dlp settings
edit <name_str>
set storage-device <string>
set size <integer>
set db-mode {stop-adding | remove-modified-then-oldest | remove-oldest}
set cache-mem-percent <integer>
set chunk-size <integer>
end

Description
Configuration  Description  Default Value
storage-device  Storage name.  (Empty)
size  Maximum total size of files within the storage (MB).  16
db-mode  Method of maintaining database size.  stop-adding
cache-mem-percent  Maximum percentage of available memory allocated to caching (1 - 15%).  2
chunk-size  Maximum fingerprint chunk size. **Changing will flush the entire database**.  2800

dnsfilter/profile
CLI Syntax
config dnsfilter profile
edit <name_str>
set name <string>
set comment <var-string>
config urlfilter
edit <name_str>
set urlfilter-table <integer>
end
config ftgd-dns
edit <name_str>
set options {error-allow | ftgd-disable}
config filters
edit <name_str>
set id <integer>
set category <integer>
set action {block | monitor}
set log {enable | disable}
end
end
set log-all-url {enable | disable}
set block-action {block | redirect}
set redirect-portal <ipv4-address>
set block-botnet {disable | enable}
end

Description
Configuration  Description  Default Value
name  Profile name.  (Empty)
comment  Comment.  (Empty)
urlfilter  URL filter settings.  Details below
    Configuration  Default Value
    urlfilter-table  0
ftgd-dns  FortiGuard DNS Filter settings.  Details below
    Configuration  Default Value
    options  (Empty)
    filters  (Empty)
log-all-url  Enable/disable log all URLs visited.  disable
block-action  Action to take for blocked domains.  redirect
redirect-portal  IP address of the SDNS portal.  0.0.0.0
block-botnet  Enable/disable block of botnet C&C.  disable

dnsfilter/urlfilter
CLI Syntax
config dnsfilter urlfilter
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set id <integer>
set url <string>
set type {simple | regex | wildcard}
set action {block | allow | monitor}
set status {enable | disable}
end
end

Description
Configuration Description Default Value

id ID. 0

name Name of table. (Empty)

comment Comment. (Empty)

entries DNS URL filter. (Empty)
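Each entry in the `entries` table carries a url, a type (simple, regex or wildcard), an action and a status. The page does not spell out how FortiOS interprets each type, so the following is an added example rather than FortiOS code or part of the original reference: a resolver-side matcher that evaluates a constructed table against queried names. Its semantics are assumptions: simple matches the domain itself and any subdomain, wildcard is a shell-style glob, regex is a Python regular-expression search, disabled entries are skipped, and enabled entries are tried in id order with the first hit deciding.

```python
# Added example (not FortiOS code): a matcher for the `entries` table of
# `config dnsfilter urlfilter`. Type semantics and first-match ordering are assumptions.
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    id: int
    url: str
    type: str = "simple"        # simple | regex | wildcard
    action: str = "block"       # block | allow | monitor
    status: str = "enable"      # enable | disable


def _canon(name: str) -> str:
    """Lower-case and strip the trailing dot so 'EXAMPLE.COM.' compares as 'example.com'."""
    return name.strip().lower().rstrip(".")


def entry_matches(e: Entry, qname: str) -> bool:
    q = _canon(qname)
    if e.type == "simple":
        u = _canon(e.url)
        return q == u or q.endswith("." + u)      # domain and its subdomains (assumed)
    if e.type == "wildcard":
        return fnmatchcase(q, _canon(e.url))       # shell glob: '*' and '?' (assumed)
    if e.type == "regex":
        return re.search(e.url, q) is not None     # unanchored regex search (assumed)
    raise ValueError(f"unknown entry type {e.type!r}")


def lookup(table: List[Entry], qname: str) -> Tuple[str, Optional[int]]:
    """Return (action, entry id) for the first enabled entry that matches, or
    ("allow", None) when no entry applies, i.e. the table stays silent."""
    for e in sorted(table, key=lambda e: e.id):
        if e.status == "enable" and entry_matches(e, qname):
            return e.action, e.id
    return "allow", None


# Constructed table.
TABLE = [
    Entry(1, "example.com", "simple", "allow"),
    Entry(2, "*.evil-example.test", "wildcard", "block"),
    Entry(3, r"^dl[0-9]+\.", "regex", "monitor"),
    Entry(4, "disabled.test", "simple", "block", status="disable"),
]

if __name__ == "__main__":
    for q in ["www.example.com", "cdn.evil-example.test", "dl42.mirror.test", "disabled.test"]:
        print(q, "->", lookup(TABLE, q))
```

Two edge cases are deliberately covered: `notexample.com` is not matched by the simple entry for `example.com` because the suffix test requires a leading dot, and the glob `*.evil-example.test` does not match the apex `evil-example.test`; if the apex should be covered too, it needs its own entry.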

endpoint-control/client
CLI Syntax
config endpoint-control client
edit <name_str>
set id <integer>
set ftcl-uid <string>
set src-ip <ipv4-address-any>
set src-mac <mac-address>
set info <user>
set ad-groups <var-string>
end

Description
Configuration Description Default Value

id Endpoint client ID. 0

ftcl-uid Endpoint FortiClient UID. (Empty)

src-ip Endpoint client IP address. 0.0.0.0

src-mac Endpoint client MAC address. 00:00:00:00:00:00

info Endpoint client information. (Empty)

ad-groups Endpoint client AD logon groups. (Empty)

endpoint-control/forticlient-registration-sync
CLI Syntax
config endpoint-control forticlient-registration-sync
edit <name_str>
set peer-name <string>
set peer-ip <ipv4-address>
end

Description
Configuration Description Default Value

peer-name Peer name. (Empty)

peer-ip Peer connecting IP. 0.0.0.0

endpoint-control/profile
CLI Syntax
config endpoint-control profile
edit <name_str>
set profile-name <string>
config forticlient-winmac-settings
edit <name_str>
set view-profile-details {enable | disable}
set forticlient-av {enable | disable}
set av-realtime-protection {enable | disable}
set scan-download-file {enable | disable}
set sandbox-scan {enable | disable}
set sandbox-address <string>
set wait-sandbox-result {enable | disable}
set use-sandbox-signature {enable | disable}
set block-malicious-website {enable | disable}
set block-attack-channel {enable | disable}
set av-scheduled-scan {enable | disable}
set av-scan-type {quick | full | custom}
set av-scan-folder <string>
set av-scan-schedule {daily | weekly | monthly}
set av-scan-day-of-week {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set av-scan-day-of-month <integer>
set av-scan-time <user>
config av-scan-exclusions
edit <name_str>
set id <integer>
set type {file | folder}
set name <string>
end
set forticlient-application-firewall {enable | disable}
set forticlient-application-firewall-list <string>
set monitor-unknown-application {enable | disable}
set install-ca-certificate {enable | disable}
set forticlient-wf {enable | disable}
set forticlient-wf-profile <string>
set disable-wf-when-protected {enable | disable}
set forticlient-vuln-scan {enable | disable}
set forticlient-vuln-scan-schedule {daily | weekly | monthly}
set forticlient-vuln-scan-on-registration {enable | disable}
set forticlient-vpn-provisioning {enable | disable}
set forticlient-advanced-vpn {enable | disable}
set forticlient-advanced-vpn-buffer <var-string>
config forticlient-vpn-settings
edit <name_str>
set name <string>
set type {ipsec | ssl}
set remote-gw <string>
set sslvpn-access-port <integer>
set sslvpn-require-certificate {enable | disable}
set auth-method {psk | certificate}
set preshared-key <password>
end
set disable-unregister-option {enable | disable}
set forticlient-log-upload {enable | disable}
set forticlient-log-upload-server <string>
set forticlient-log-ssl-upload {enable | disable}
set forticlient-log-upload-schedule {hourly | daily}
set forticlient-update-from-fmg {enable | disable}
config forticlient-update-server
edit <name_str>
set name <string>
end
set forticlient-update-failover-to-fdn {enable | disable}
set forticlient-settings-lock {enable | disable}
set forticlient-settings-lock-passwd <password>
set auto-vpn-when-off-net {enable | disable}
set auto-vpn-name <user>
set client-log-when-on-net {enable | disable}
set forticlient-ad {enable | disable}
set fsso-ma {enable | disable}
set fsso-ma-server <string>
set fsso-ma-psk <password>
set allow-personal-vpn {enable | disable}
set disable-user-disconnect {enable | disable}
set vpn-before-logon {enable | disable}
set vpn-captive-portal {enable | disable}
set forticlient-ui-options {av | wf | af | vpn | vs}
set forticlient-advanced-cfg {enable | disable}
set forticlient-advanced-cfg-buffer <var-string>
config extra-buffer-entries
edit <name_str>
set id <integer>
set buffer <var-string>
end
end
config forticlient-android-settings
edit <name_str>
set forticlient-wf {enable | disable}
set forticlient-wf-profile <string>
set disable-wf-when-protected {enable | disable}
set forticlient-vpn-provisioning {enable | disable}
set forticlient-advanced-vpn {enable | disable}
set forticlient-advanced-vpn-buffer <var-string>
config forticlient-vpn-settings
edit <name_str>
set name <string>
set type {ipsec | ssl}
set remote-gw <string>
set sslvpn-access-port <integer>
set sslvpn-require-certificate {enable | disable}
set auth-method {psk | certificate}
set preshared-key <password>
end
end
config forticlient-ios-settings
edit <name_str>
set forticlient-wf {enable | disable}
set forticlient-wf-profile <string>
set disable-wf-when-protected {enable | disable}
set client-vpn-provisioning {enable | disable}
config client-vpn-settings
edit <name_str>
set name <string>
set type {ipsec | ssl}
set vpn-configuration-name <string>
set vpn-configuration-content <var-string>
set remote-gw <string>
set sslvpn-access-port <integer>
set sslvpn-require-certificate {enable | disable}
set auth-method {psk | certificate}
set preshared-key <password>
end
set distribute-configuration-profile {enable | disable}
set configuration-name <string>
set configuration-content <var-string>
end
set description <var-string>
config src-addr
edit <name_str>
set name <string>
end
config device-groups
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config user-groups
edit <name_str>
set name <string>
end
config on-net-addr
edit <name_str>
set name <string>
end
set replacemsg-override-group <string>
end

Description
Configuration  Description  Default Value
profile-name  Profile name.  (Empty)
forticlient-winmac-settings  FortiClient settings for Windows/Mac platform.  Details below
    Configuration  Default Value
    view-profile-details  enable
    forticlient-av  enable
    av-realtime-protection  enable
    scan-download-file  enable
    sandbox-scan  disable
    sandbox-address  (Empty)
    wait-sandbox-result  disable
    use-sandbox-signature  disable
    block-malicious-website  disable
    block-attack-channel  disable
    av-scheduled-scan  disable
    av-scan-type  quick
    av-scan-folder  (Empty)
    av-scan-schedule  daily
    av-scan-day-of-week  sunday
    av-scan-day-of-month  0
    av-scan-time  00:00
    av-scan-exclusions  (Empty)
    forticlient-application-firewall  disable
    forticlient-application-firewall-list  (Empty)
    monitor-unknown-application  disable
    install-ca-certificate  disable
    forticlient-wf  enable
    forticlient-wf-profile  default
    disable-wf-when-protected  enable
    forticlient-vuln-scan  disable
    forticlient-vuln-scan-schedule  monthly
    forticlient-vuln-scan-on-registration  enable
    forticlient-vpn-provisioning  disable
    forticlient-advanced-vpn  disable
    forticlient-advanced-vpn-buffer  (Empty)
    forticlient-vpn-settings  (Empty)
    disable-unregister-option  disable
    forticlient-log-upload  disable
    forticlient-log-upload-server  (Empty)
    forticlient-log-ssl-upload  enable
    forticlient-log-upload-schedule  daily
    forticlient-update-from-fmg  disable
    forticlient-update-server  (Empty)
    forticlient-update-failover-to-fdn  enable
    forticlient-settings-lock  disable
    forticlient-settings-lock-passwd  (Empty)
    auto-vpn-when-off-net  disable
    auto-vpn-name  (Empty)
    client-log-when-on-net  disable
    forticlient-ad  disable
    fsso-ma  disable
    fsso-ma-server  (Empty)
    fsso-ma-psk  (Empty)
    allow-personal-vpn  enable
    disable-user-disconnect  disable
    vpn-before-logon  disable
    vpn-captive-portal  disable
    forticlient-ui-options  av wf vpn
    forticlient-advanced-cfg  disable
    forticlient-advanced-cfg-buffer  (Empty)
    extra-buffer-entries  (Empty)
forticlient-android-settings  FortiClient settings for Android platform.  Details below
    Configuration  Default Value
    forticlient-wf  disable
    forticlient-wf-profile  (Empty)
    disable-wf-when-protected  enable
    forticlient-vpn-provisioning  disable
    forticlient-advanced-vpn  disable
    forticlient-advanced-vpn-buffer  (Empty)
    forticlient-vpn-settings  (Empty)
forticlient-ios-settings  FortiClient settings for iOS platform.  Details below
    Configuration  Default Value
    forticlient-wf  disable
    forticlient-wf-profile  (Empty)
    disable-wf-when-protected  enable
    client-vpn-provisioning  disable
    client-vpn-settings  (Empty)
    distribute-configuration-profile  disable
    configuration-name  (Empty)
    configuration-content  (Empty)
description  Description.  (Empty)
src-addr  Source addresses.  (Empty)
device-groups  Device groups.  (Empty)
users  Users.  (Empty)
user-groups  User groups.  (Empty)
on-net-addr  Addresses for on-net detection.  (Empty)
replacemsg-override-group  Specify endpoint control replacement message override group.  (Empty)

endpoint-control/registered-forticlient
CLI Syntax
config endpoint-control registered-forticlient
edit <name_str>
set uid <string>
set vdom <string>
set ip <ipv4-address-any>
set mac <mac-address>
set status <integer>
set flag <integer>
set reg-fortigate <string>
end

Description
Configuration Description Default Value

uid FortiClient UID. (Empty)

vdom Registering vdom. (Empty)

ip Endpoint IP address. 0.0.0.0

mac Endpoint MAC address. 00:00:00:00:00:00

status FortiClient registration status. 1

flag FortiClient registration flag. 0

reg-fortigate Registering FortiGate SN. (Empty)

endpoint-control/settings
CLI Syntax
config endpoint-control settings
edit <name_str>
set forticlient-reg-key-enforce {enable | disable}
set forticlient-reg-key <password>
set forticlient-reg-timeout <integer>
set download-custom-link <string>
set download-location {fortiguard | custom}
set forticlient-keepalive-interval <integer>
set forticlient-sys-update-interval <integer>
end

Description
Configuration  Description  Default Value
forticlient-reg-key-enforce  Enable/disable enforcement of FortiClient registration key.  disable
forticlient-reg-key  FortiClient registration key.  (Empty)
forticlient-reg-timeout  FortiClient registration license timeout (days, min = 1, max = 180, 0 = unlimited).  7
download-custom-link  Customized URL for downloading FortiClient.  (Empty)
download-location  FortiClient download location.  fortiguard
forticlient-keepalive-interval  Interval between two KeepAlive messages from FortiClient (in seconds).  60
forticlient-sys-update-interval  Interval between two system update messages from FortiClient (in minutes).  720

extender-controller/extender
CLI Syntax
config extender-controller extender
edit <name_str>
set id <string>
set admin {disable | discovered | enable}
set ifname <string>
set vdom <integer>
set role {none | primary | secondary}
set mode {standalone | redundant}
set dial-mode {dial-on-demand | always-connect}
set redial {none | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10}
set redundant-intf <string>
set dial-status <integer>
set conn-status <integer>
set ext-name <string>
set description <string>
set quota-limit-mb <integer>
set billing-start-day <integer>
set at-dial-script <string>
set modem-passwd <password>
set initiated-update {enable | disable}
set modem-type {cdma | gsm/lte | wimax}
set ppp-username <string>
set ppp-password <password>
set ppp-auth-protocol {auto | pap | chap}
set ppp-echo-request {enable | disable}
set wimax-carrier <string>
set wimax-realm <string>
set wimax-auth-protocol {tls | ttls}
set sim-pin <password>
set access-point-name <string>
set multi-mode {auto | auto-3g | force-lte | force-3g | force-2g}
set roaming {enable | disable}
set cdma-nai <string>
set aaa-shared-secret <password>
set ha-shared-secret <password>
set primary-ha <string>
set secondary-ha <string>
set cdma-aaa-spi <string>
set cdma-ha-spi <string>
end

Description
Configuration  Description  Default Value
id  FortiExtender serial number.  (Empty)
admin  FortiExtender Administration (enable or disable).  disable
ifname  FortiExtender interface name.  (Empty)
vdom  VDOM  0
role  FortiExtender work role (Primary, Secondary, None).  none
mode  FortiExtender mode.  standalone
dial-mode  Dial mode (dial-on-demand or always-connect).  always-connect
redial  Number of redials allowed based on failed attempts.  none
redundant-intf  Redundant interface.  (Empty)
dial-status  Dial status.  0
conn-status  Connection status.  0
ext-name  FortiExtender name.  (Empty)
description  Description.  (Empty)
quota-limit-mb  Monthly quota limit (MB).  0
billing-start-day  Billing start day.  1
at-dial-script  Initialization AT commands specific to the MODEM.  (Empty)
modem-passwd  MODEM password.  (Empty)
initiated-update  Allow/disallow network initiated updates to the MODEM.  disable
modem-type  MODEM type (CDMA, GSM/LTE or WIMAX).  gsm/lte
ppp-username  PPP username.  (Empty)

ppp-password  PPP password.  (Empty)
ppp-auth-protocol  PPP authentication protocol (PAP, CHAP or auto).  auto
ppp-echo-request  Enable/disable PPP echo request.  disable
wimax-carrier  WiMax carrier.  (Empty)
wimax-realm  WiMax realm.  (Empty)
wimax-auth-protocol  WiMax authentication protocol (TLS or TTLS).  tls
sim-pin  SIM PIN.  (Empty)
access-point-name  Access point name (APN).  (Empty)
multi-mode  MODEM mode of operation (3G, LTE, etc).  auto
roaming  Enable/disable MODEM roaming.  disable
cdma-nai  NAI for CDMA MODEMS.  (Empty)
aaa-shared-secret  AAA shared secret.  (Empty)
ha-shared-secret  HA shared secret.  (Empty)
primary-ha  Primary HA.  (Empty)
secondary-ha  Secondary HA.  (Empty)
cdma-aaa-spi  CDMA AAA SPI.  (Empty)
cdma-ha-spi  CDMA HA SPI.  (Empty)

firewall.ipmacbinding/setting
CLI Syntax
config firewall.ipmacbinding setting
edit <name_str>
set bindthroughfw {enable | disable}
set bindtofw {enable | disable}
set undefinedhost {allow | block}
end

Description
Configuration Description Default Value

bindthroughfw Enable/disable going through firewall. disable

bindtofw Enable/disable going to firewall. disable

undefinedhost Allow/block traffic for undefined hosts. block

firewall.ipmacbinding/table
CLI Syntax
config firewall.ipmacbinding table
edit <name_str>
set seq-num <integer>
set ip <ipv4-address>
set mac <mac-address>
set name <string>
set status {enable | disable}
end

Description
Configuration Description Default Value

seq-num Entry number. 0

ip IP address. 0.0.0.0

mac MAC address. 00:00:00:00:00:00

name Name (optional, default = no name). noname

status Enable/disable IP-mac binding. disable
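The `setting` branch decides where binding is enforced (bindthroughfw for transit traffic, bindtofw for traffic addressed to the FortiGate) and what happens to hosts with no entry (undefinedhost), while the `table` branch holds the seq-num/ip/mac/status rows. The following added example, not FortiOS code and not part of the original reference, writes that decision out for a constructed table. Its matching rule is an assumption: when either the IP or the MAC of a packet appears in an enabled entry, the pair must match an entry exactly; when neither appears, undefinedhost decides.

```python
# Added example (not FortiOS code): the check that `firewall.ipmacbinding table`
# plus `firewall.ipmacbinding setting` describe, written out so the decision is
# explicit. The pairing rule (known IP or MAC must pair exactly; unknown pairs follow
# undefinedhost) is this example's assumption, not a quotation of FortiOS internals.
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Binding:
    seq_num: int
    ip: str
    mac: str
    name: str = "noname"
    status: str = "disable"       # table default on the page is disable


@dataclass(frozen=True)
class Setting:
    bindthroughfw: str = "disable"
    bindtofw: str = "disable"
    undefinedhost: str = "block"  # allow | block


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form so 00-11-22-33-44-55 == 00:11:22:33:44:55."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def permitted(setting: Setting, table: List[Binding], ip: str, mac: str, direction: str) -> bool:
    """direction is 'through' (transit traffic) or 'to' (traffic addressed to the FortiGate)."""
    enforced = setting.bindthroughfw if direction == "through" else setting.bindtofw
    if enforced != "enable":
        return True                      # binding is not enforced on this path
    ip_n = ipaddress.ip_address(ip)
    mac_n = norm_mac(mac)
    active = [b for b in table if b.status == "enable"]
    known = [b for b in active
             if ipaddress.ip_address(b.ip) == ip_n or norm_mac(b.mac) == mac_n]
    if not known:                        # neither address is in the table
        return setting.undefinedhost == "allow"
    return any(ipaddress.ip_address(b.ip) == ip_n and norm_mac(b.mac) == mac_n
               for b in known)


# Constructed table: one enforced binding and one that is still disabled.
TABLE = [
    Binding(1, "192.0.2.10", "00:11:22:33:44:55", "printer", "enable"),
    Binding(2, "192.0.2.20", "aa:bb:cc:dd:ee:ff", "old-host", "disable"),
]
ENFORCED = Setting(bindthroughfw="enable")

if __name__ == "__main__":
    for ip, mac in [("192.0.2.10", "00-11-22-33-44-55"),
                    ("192.0.2.10", "de:ad:be:ef:00:01"),
                    ("192.0.2.99", "00:11:22:33:44:55"),
                    ("192.0.2.99", "de:ad:be:ef:00:01")]:
        print(ip, mac, "->", "allow" if permitted(ENFORCED, TABLE, ip, mac, "through") else "block")
```

Note that an entry with status disable is invisible to the check, so a host whose row is still at the page's default of disable falls under undefinedhost (block by default) rather than under its own binding.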

firewall.schedule/group
CLI Syntax
config firewall.schedule group
edit <name_str>
set name <string>
config member
edit <name_str>
set name <string>
end
set color <integer>
end

Description
Configuration Description Default Value

name Schedule group name. (Empty)

member Schedule group member. (Empty)

color GUI icon color. 0

firewall.schedule/onetime
CLI Syntax
config firewall.schedule onetime
edit <name_str>
set name <string>
set start <user>
set end <user>
set color <integer>
set expiration-days <integer>
end

Description
Configuration  Description  Default Value
name  Onetime schedule name.  (Empty)
start  Start time and date.  00:00 2001/01/01
end  End time and date.  00:00 2001/01/01
color  GUI icon color.  0
expiration-days  Generate event log before schedule expires (1 - 100 days, 0 = disable).  3

firewall.schedule/recurring
CLI Syntax
config firewall.schedule recurring
edit <name_str>
set name <string>
set start <user>
set end <user>
set day {sunday | monday | tuesday | wednesday | thursday | friday | saturday | none}
set color <integer>
end

Description
Configuration  Description  Default Value
name  Recurring schedule name.  (Empty)
start  Start time.  00:00
end  End time.  00:00
day  Day(s) of the week on which the schedule applies.  sunday
color  GUI icon color.  0
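Both schedule objects above only become meaningful once something evaluates them against the clock: a onetime schedule has a start and end date-time and an expiration-days window that triggers an event log before it lapses, and a recurring schedule has a start and end time plus a day set. The following added example, not FortiOS code and not part of the original reference, evaluates constructed onetime and recurring objects against given timestamps. Two rules in it are assumptions rather than statements from this page: a recurring window whose end is earlier than its start runs past midnight into the next day, and a 00:00 to 00:00 window means the whole listed day.

```python
# Added example (not FortiOS code): evaluating `firewall.schedule onetime` and
# `firewall.schedule recurring` objects against a wall-clock time, including the
# expiration-days warning window. Midnight-spanning (end earlier than start) and
# "00:00-00:00 = whole day" are this example's assumptions.
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import FrozenSet

# Index matches datetime.weekday(): Monday is 0.
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


@dataclass(frozen=True)
class Recurring:
    name: str
    start: str                 # "HH:MM"
    end: str                   # "HH:MM"
    day: FrozenSet[str]


@dataclass(frozen=True)
class Onetime:
    name: str
    start: str                 # "HH:MM YYYY/MM/DD", the default format shown above
    end: str
    expiration_days: int = 3   # 0 disables the warning


def _hm(s: str) -> time:
    return datetime.strptime(s, "%H:%M").time()


def _hmd(s: str) -> datetime:
    return datetime.strptime(s, "%H:%M %Y/%m/%d")


def recurring_active(s: Recurring, now: datetime) -> bool:
    start, end, t = _hm(s.start), _hm(s.end), now.time()
    today = DAYS[now.weekday()]
    yesterday = DAYS[(now.weekday() - 1) % 7]
    if start == end:                         # 00:00-00:00 style: the whole listed day
        return today in s.day
    if start < end:                          # ordinary same-day window
        return today in s.day and start <= t < end
    # end < start: the window opened on a listed day and runs past midnight
    return (today in s.day and t >= start) or (yesterday in s.day and t < end)


def onetime_active(s: Onetime, now: datetime) -> bool:
    return _hmd(s.start) <= now < _hmd(s.end)


def onetime_expiring(s: Onetime, now: datetime) -> bool:
    """True when the expiry event log would be due: within expiration-days of the
    end and not yet expired; expiration-days 0 disables it, as the table says."""
    if s.expiration_days <= 0:
        return False
    end = _hmd(s.end)
    return now < end and end - now <= timedelta(days=s.expiration_days)


# Constructed schedules.
WORKHOURS = Recurring("workhours", "08:00", "17:00", frozenset(DAYS[:5]))
FRIDAY_NIGHT = Recurring("friday-night", "22:00", "06:00", frozenset({"friday"}))
MAINTENANCE = Onetime("maintenance", "22:00 2024/01/20", "02:00 2024/01/21", 3)

if __name__ == "__main__":
    print(recurring_active(WORKHOURS, datetime(2024, 1, 10, 9, 30)))     # Wednesday morning
    print(recurring_active(FRIDAY_NIGHT, datetime(2024, 1, 13, 3, 0)))   # Saturday 03:00
    print(onetime_active(MAINTENANCE, datetime(2024, 1, 20, 23, 0)))
    print(onetime_expiring(MAINTENANCE, datetime(2024, 1, 19, 12, 0)))
```

The Saturday 03:00 case is the one to watch: the day set contains only friday, yet the window is active because it opened on Friday evening, which is exactly the behaviour a rule such as "allow backups Friday night" relies on and a rule such as "block on Saturdays" can be surprised by.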

firewall.service/category
CLI Syntax
config firewall.service category
edit <name_str>
set name <string>
set comment <var-string>
end

Description
Configuration Description Default Value

name Service category name. (Empty)

comment Comment. (Empty)

firewall.service/custom
CLI Syntax
config firewall.service custom
edit <name_str>
set name <string>
set explicit-proxy {enable | disable}
set category <string>
set protocol {TCP/UDP/SCTP | ICMP | ICMP6 | IP | HTTP | FTP | CONNECT | SOCKS | SOCKS-TCP | SOCKS-UDP | ALL}
set iprange <user>
set fqdn <string>
set protocol-number <integer>
set icmptype <integer>
set icmpcode <integer>
set tcp-portrange <user>
set udp-portrange <user>
set sctp-portrange <user>
set tcp-halfclose-timer <integer>
set tcp-halfopen-timer <integer>
set tcp-timewait-timer <integer>
set udp-idle-timer <integer>
set session-ttl <integer>
set check-reset-range {disable | strict | default}
set comment <var-string>
set color <integer>
set visibility {enable | disable}
end

Description
Configuration  Description  Default Value
name  Custom service name.  (Empty)
explicit-proxy  Enable/disable explicit web proxy service.  disable
category  Service category.  (Empty)
protocol  Protocol type.  TCP/UDP/SCTP
iprange  Start IP-End IP.  0.0.0.0
fqdn  Fully qualified domain name.  (Empty)
protocol-number  IP protocol number.  0
icmptype  ICMP type.  (Empty)
icmpcode  ICMP code.  (Empty)
tcp-portrange  Multiple TCP port ranges.  (Empty)
udp-portrange  Multiple UDP port ranges.  (Empty)
sctp-portrange  Multiple SCTP port ranges.  (Empty)
tcp-halfclose-timer  TCP half close timeout (1 - 86400 sec, 0 = default).  0
tcp-halfopen-timer  TCP half open timeout (1 - 86400 sec, 0 = default).  0
tcp-timewait-timer  TCP TIME-WAIT timeout (1 - 300 sec, 0 = default).  0
udp-idle-timer  UDP idle timeout (0 - 86400 sec, 0 = default).  0
session-ttl  Session TTL (300 - 604800, 0 = default).  0
check-reset-range  Enable/disable RST check.  default
comment  Comment.  (Empty)
color  GUI icon color.  0
visibility  Enable/disable service visibility.  enable

firewall.service/group
CLI Syntax
config firewall.service group
edit <name_str>
set name <string>
config member
edit <name_str>
set name <string>
end
set explicit-proxy {enable | disable}
set comment <var-string>
set color <integer>
end

Description
Configuration  Description  Default Value
name  Service group name.  (Empty)
member  Service group member.  (Empty)
explicit-proxy  Enable/disable explicit web proxy service group.  disable
comment  Comment.  (Empty)
color  GUI icon color.  0

firewall.shaper/per-ip-shaper
CLI Syntax
config firewall.shaper per-ip-shaper
edit <name_str>
set name <string>
set max-bandwidth <integer>
set bandwidth-unit {kbps | mbps | gbps}
set max-concurrent-session <integer>
set diffserv-forward {enable | disable}
set diffserv-reverse {enable | disable}
set diffservcode-forward <user>
set diffservcode-rev <user>
end

Description
Configuration  Description  Default Value
name  Traffic shaper name.  (Empty)
max-bandwidth  Maximum bandwidth value (0 - 16776000).  0
bandwidth-unit  Bandwidth unit (default = kbps).  kbps
max-concurrent-session  Maximum concurrent session (0 - 2097000).  0
diffserv-forward  Forward (original) traffic DiffServ.  disable
diffserv-reverse  Reverse (reply) traffic DiffServ.  disable
diffservcode-forward  Forward (original) traffic DiffServ code point value.  000000
diffservcode-rev  Reverse (reply) traffic DiffServ code point value.  000000

firewall.shaper/traffic-shaper
CLI Syntax
config firewall.shaper traffic-shaper
edit <name_str>
set name <string>
set guaranteed-bandwidth <integer>
set maximum-bandwidth <integer>
set bandwidth-unit {kbps | mbps | gbps}
set priority {low | medium | high}
set per-policy {disable | enable}
set diffserv {enable | disable}
set diffservcode <user>
end

Description
Configuration  Description  Default Value
name  Traffic shaper name.  (Empty)
guaranteed-bandwidth  Guaranteed bandwidth value (0 - 16776000).  0
maximum-bandwidth  Maximum bandwidth value (0 - 16776000).  0
bandwidth-unit  Bandwidth unit (default = kbps).  kbps
priority  Traffic priority.  high
per-policy  Enable/disable use of a separate shaper for each policy.  disable
diffserv  Enable/disable traffic DiffServ.  disable
diffservcode  Traffic DiffServ code point value.  000000

firewall.ssl/setting
CLI Syntax
config firewall.ssl setting
edit <name_str>
set proxy-connect-timeout <integer>
set ssl-dh-bits {768 | 1024 | 1536 | 2048}
set ssl-send-empty-frags {enable | disable}
set no-matching-cipher-action {bypass | drop}
set cert-cache-capacity <integer>
set cert-cache-timeout <integer>
set session-cache-capacity <integer>
set session-cache-timeout <integer>
end

Description
Configuration  Description  Default Value
proxy-connect-timeout  Time limit to make an internal connection to the appropriate proxy process (1 - 60 sec).  30
ssl-dh-bits  Size of Diffie-Hellman prime used in DHE-RSA negotiation.  2048
ssl-send-empty-frags  Send empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only).  enable
no-matching-cipher-action  Bypass or drop the connection when no matching cipher was found.  bypass
cert-cache-capacity  Maximum capacity of the host certificate cache (0 - 500).  200
cert-cache-timeout  Minutes to keep certificate cache (1 - 120 min).  10
session-cache-capacity  Obsolete.  500
session-cache-timeout  Number of minutes to keep SSL session state.  20
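Three of the keys in this block decide how much protection inspected TLS sessions actually get: ssl-dh-bits (the DHE prime size, which the option list caps at 2048), ssl-send-empty-frags (the CBC-IV mitigation for SSL 3.0 and TLS 1.0) and no-matching-cipher-action (whether a session the proxy cannot negotiate is dropped or passed through uninspected). The following added example, not FortiOS code and not part of the original reference, parses a constructed `config firewall.ssl setting` block in the syntax shown above and audits those values, filling unset keys from the defaults in the table so that an implicit default is audited the same way as an explicit one. The thresholds it applies are this example's policy choices.

```python
# Added example (not FortiOS code): a small parser for a flat `config ... set ... end`
# block and an audit of the firewall.ssl setting values that matter for inspected TLS.
# Thresholds are this example's policy choices; defaults come from the table above.
from typing import Dict, List, Tuple


def parse_config_block(text: str) -> Dict[str, Dict[str, str]]:
    """Parse FortiOS-style `config <path>` ... `set <key> <value>` ... `end` text into
    {path: {key: value}}. Only flat blocks (no `edit` tables) are handled here."""
    blocks: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] == "config":
            current = " ".join(words[1:])
            blocks.setdefault(current, {})
        elif words[0] == "set" and current is not None and len(words) >= 3:
            blocks[current][words[1]] = " ".join(words[2:]).strip('"')
        elif words[0] == "end":
            current = None
    return blocks


# Defaults from the description table, so an unset key audits like an explicit one.
DEFAULTS = {
    "proxy-connect-timeout": "30",
    "ssl-dh-bits": "2048",
    "ssl-send-empty-frags": "enable",
    "no-matching-cipher-action": "bypass",
    "cert-cache-capacity": "200",
    "cert-cache-timeout": "10",
    "session-cache-timeout": "20",
}


def audit_ssl_setting(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (key, finding) pairs; an empty list means nothing to report."""
    s = {**DEFAULTS, **settings}
    findings: List[Tuple[str, str]] = []
    if int(s["ssl-dh-bits"]) < 2048:
        findings.append(("ssl-dh-bits", f"{s['ssl-dh-bits']}-bit DHE prime; use 2048"))
    if s["ssl-send-empty-frags"] != "enable":
        findings.append(("ssl-send-empty-frags",
                         "disabled: CBC IV mitigation for SSL 3.0/TLS 1.0 is off"))
    if s["no-matching-cipher-action"] == "bypass":
        findings.append(("no-matching-cipher-action",
                         "bypass: sessions with no matching cipher pass uninspected"))
    return findings


# Constructed sample block with weak values on purpose.
SAMPLE = """
config firewall.ssl setting
    set proxy-connect-timeout 30
    set ssl-dh-bits 1024
    set ssl-send-empty-frags disable
    set no-matching-cipher-action drop
end
"""

if __name__ == "__main__":
    cfg = parse_config_block(SAMPLE)
    for key, finding in audit_ssl_setting(cfg["firewall.ssl setting"]):
        print(f"{key}: {finding}")
```

Auditing an empty block is the interesting case: it reports only no-matching-cipher-action, because the page's default for that key is bypass while the other two defaults are already the strict values.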

firewall/address
CLI Syntax
config firewall address
edit <name_str>
set name <string>
set uuid <uuid>
set subnet <ipv4-classnet-any>
set type {ipmask | iprange | fqdn | geography | wildcard | wildcard-fqdn}
set start-ip <ipv4-address-any>
set end-ip <ipv4-address-any>
set fqdn <string>
set country <string>
set wildcard-fqdn <string>
set cache-ttl <integer>
set wildcard <ipv4-classnet-any>
set comment <var-string>
set visibility {enable | disable}
set associated-interface <string>
set color <integer>
config tags
edit <name_str>
set name <string>
end
set allow-routing {enable | disable}
end

Description
Configuration  Description  Default Value
name  Address name.  (Empty)
uuid  Universally Unique IDentifier.  00000000-0000-0000-0000-000000000000
subnet  IP address and netmask.  0.0.0.0 0.0.0.0
type  Type.  ipmask
start-ip  Start IP.  0.0.0.0
end-ip  End IP.  0.0.0.0
fqdn  Fully qualified domain name.  (Empty)
country  Country name.  (Empty)
wildcard-fqdn  Wildcard FQDN.  (Empty)
cache-ttl  Minimal TTL of individual IP addresses in FQDN cache.  0
wildcard  IP address and wildcard netmask.  0.0.0.0 0.0.0.0
comment  Comment.  (Empty)
visibility  Enable/disable address visibility.  enable
associated-interface  Associated interface name.  (Empty)
color  GUI icon color.  0
tags  Applied object tags.  (Empty)
allow-routing  Enable/disable use of this address in the static route configuration.  disable

firewall/address6
CLI Syntax
config firewall address6
edit <name_str>
set name <string>
set uuid <uuid>
set type {ipprefix | iprange}
set ip6 <ipv6-network>
set start-ip <ipv6-address>
set end-ip <ipv6-address>
set visibility {enable | disable}
set color <integer>
config tags
edit <name_str>
set name <string>
end
set comment <var-string>
end

Description
Configuration  Description  Default Value
name  Address name.  (Empty)
uuid  Universally Unique IDentifier.  00000000-0000-0000-0000-000000000000
type  Type.  ipprefix
ip6  IPv6 address prefix.  ::/0
start-ip  Start IP.  ::
end-ip  End IP.  ::
visibility  Enable/disable address visibility.  enable
color  GUI icon color.  0
tags  Applied object tags.  (Empty)
comment  Comment.  (Empty)

firewall/addrgrp
CLI Syntax
config firewall addrgrp
edit <name_str>
set name <string>
set uuid <uuid>
config member
edit <name_str>
set name <string>
end
set comment <var-string>
set visibility {enable | disable}
set color <integer>
config tags
edit <name_str>
set name <string>
end
set allow-routing {enable | disable}
end

Description
Configuration  Description  Default Value
name  Address group name.  (Empty)
uuid  Universally Unique IDentifier.  00000000-0000-0000-0000-000000000000
member  Address group member.  (Empty)
comment  Comment.  (Empty)
visibility  Enable/disable address group visibility.  enable
color  GUI icon color.  0
tags  Applied object tags.  (Empty)
allow-routing  Enable/disable use of this group in the static route configuration.  disable
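A `firewall address` object is matched differently depending on its type: ipmask uses subnet (IP and netmask), iprange uses start-ip and end-ip, and wildcard uses an IP plus a wildcard netmask; an addrgrp then refers to such objects by name through its member table. The following added example, not FortiOS code and not part of the original reference, implements those three match rules for constructed objects and resolves a group through them; it serves both the firewall/address and the firewall/addrgrp sections above. The wildcard rule used (1-bits of the wildcard netmask must match, 0-bits are don't-care) is this example's assumption, and the fqdn, geography and wildcard-fqdn types are reported as unsupported because they need a resolver or GeoIP data.

```python
# Added example (not FortiOS code): matching an IPv4 address against `firewall address`
# objects of type ipmask, iprange and wildcard, and against a `firewall addrgrp` that
# references them. Wildcard semantics here are an assumption; fqdn / geography /
# wildcard-fqdn need external data and raise instead of guessing.
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Address:
    name: str
    type: str = "ipmask"               # ipmask | iprange | wildcard | fqdn | geography | wildcard-fqdn
    subnet: str = "0.0.0.0 0.0.0.0"    # "ip netmask", used by ipmask (page default)
    start_ip: str = "0.0.0.0"          # used by iprange
    end_ip: str = "0.0.0.0"
    wildcard: str = "0.0.0.0 0.0.0.0"  # "ip wildcard-netmask", used by wildcard (page default)


@dataclass(frozen=True)
class AddrGrp:
    name: str
    member: FrozenSet[str]             # names of Address objects


def address_matches(a: Address, ip: str) -> bool:
    addr = ipaddress.IPv4Address(ip)
    if a.type == "ipmask":
        net_ip, mask = a.subnet.split()
        return addr in ipaddress.IPv4Network(f"{net_ip}/{mask}", strict=False)
    if a.type == "iprange":
        return ipaddress.IPv4Address(a.start_ip) <= addr <= ipaddress.IPv4Address(a.end_ip)
    if a.type == "wildcard":
        base, wmask = (int(ipaddress.IPv4Address(p)) for p in a.wildcard.split())
        return (int(addr) & wmask) == (base & wmask)   # only the 1-bits of the mask count
    raise NotImplementedError(f"type {a.type!r} needs DNS or GeoIP data; not evaluated offline")


def group_matches(g: AddrGrp, objects: Dict[str, Address], ip: str) -> Optional[str]:
    """Return the name of the first member object (alphabetically) containing ip, or None."""
    for name in sorted(g.member):
        if address_matches(objects[name], ip):
            return name
    return None


# Constructed objects using documentation address ranges.
OBJECTS = {
    "LAN": Address("LAN", "ipmask", subnet="192.0.2.0 255.255.255.0"),
    "Guests": Address("Guests", "iprange", start_ip="198.51.100.10", end_ip="198.51.100.20"),
    # every host numbered .1 in any 10.0.x.0 network: third octet is don't-care
    "Gateways": Address("Gateways", "wildcard", wildcard="10.0.0.1 255.255.0.255"),
}
INTERNAL = AddrGrp("Internal", frozenset({"LAN", "Gateways"}))

if __name__ == "__main__":
    for ip in ["192.0.2.7", "10.0.77.1", "10.0.77.2", "198.51.100.15"]:
        print(ip, "->", group_matches(INTERNAL, OBJECTS, ip))
```

The wildcard object is the one that is easy to get backwards: with 255.255.0.255 the third octet is ignored, so 10.0.77.1 matches while 10.0.77.2 and 10.1.77.1 do not. Reviewing an address used in an allow policy means checking which bits the mask actually pins down.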

firewall/addrgrp6
CLI Syntax
config firewall addrgrp6
edit <name_str>
set name <string>
set uuid <uuid>
set visibility {enable | disable}
set color <integer>
set comment <var-string>
config member
edit <name_str>
set name <string>
end
config tags
edit <name_str>
set name <string>
end
end

Description
Configuration  Description  Default Value
name  IPv6 address group name.  (Empty)
uuid  Universally Unique IDentifier.  00000000-0000-0000-0000-000000000000
visibility  Enable/disable address group6 visibility.  enable
color  GUI icon color.  0
comment  Comment.  (Empty)
member  IPv6 address group member.  (Empty)
tags  Applied object tags.  (Empty)

firewall/auth-portal
CLI Syntax
config firewall auth-portal
edit <name_str>
config groups
edit <name_str>
set name <string>
end
set portal-addr <string>
set portal-addr6 <string>
set identity-based-route <string>
end

Description
Configuration Description Default Value

groups Group name. (Empty)

portal-addr Address (or domain name) of authentication (Empty)


portal.

portal-addr6 IPv6 address (or domain name) of authentication (Empty)


portal.

identity-based-route Name of identity-based routing rule. (Empty)

firewall/central-snat-map
CLI Syntax
config firewall central-snat-map
    edit <name_str>
        set policyid <integer>
        set status {enable | disable}
        config orig-addr
            edit <name_str>
                set name <string>
            end
        config dst-addr
            edit <name_str>
                set name <string>
            end
        config nat-ippool
            edit <name_str>
                set name <string>
            end
        set protocol <integer>
        set orig-port <integer>
        set nat-port <user>
end

Description
Configuration Description Default Value
policyid Policy ID. 0
status Enable/disable policy status. enable
orig-addr Original address. (Empty)
dst-addr Destination address. (Empty)
nat-ippool IP pool names for translated address. (Empty)
protocol Protocol (0 - 255). 0
orig-port Original port. 0
nat-port Translated port or port range. 0

firewall/dnstranslation
CLI Syntax
config firewall dnstranslation
    edit <name_str>
        set id <integer>
        set src <ipv4-address>
        set dst <ipv4-address>
        set netmask <ipv4-netmask>
end

Description
Configuration Description Default Value
id ID. 0
src Source IP. 0.0.0.0
dst Destination IP. 0.0.0.0
netmask Network mask. 255.255.255.255

firewall/DoS-policy
CLI Syntax
config firewall DoS-policy
    edit <name_str>
        set policyid <integer>
        set status {enable | disable}
        set interface <string>
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        config service
            edit <name_str>
                set name <string>
            end
        config anomaly
            edit <name_str>
                set name <string>
                set status {disable | enable}
                set log {enable | disable}
                set action {pass | block | proxy}
                set quarantine {none | attacker | both | interface}
                set quarantine-expiry <user>
                set quarantine-log {disable | enable}
                set threshold <integer>
                set threshold(default) <integer>
            end
end

Description
Configuration Description Default Value
policyid Policy ID. 0
status Enable/disable policy status. enable
interface Interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
service Service name. (Empty)
anomaly Anomaly. (Empty)

firewall/DoS-policy6
CLI Syntax
config firewall DoS-policy6
    edit <name_str>
        set policyid <integer>
        set status {enable | disable}
        set interface <string>
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        config service
            edit <name_str>
                set name <string>
            end
        config anomaly
            edit <name_str>
                set name <string>
                set status {disable | enable}
                set log {enable | disable}
                set action {pass | block | proxy}
                set quarantine {none | attacker | both | interface}
                set quarantine-expiry <user>
                set quarantine-log {disable | enable}
                set threshold <integer>
                set threshold(default) <integer>
            end
end

Description
Configuration Description Default Value
policyid Policy ID. 0
status Enable/disable policy status. enable
interface Interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
service Service name. (Empty)
anomaly Anomaly. (Empty)

firewall/explicit-proxy-address
CLI Syntax
config firewall explicit-proxy-address
    edit <name_str>
        set name <string>
        set uuid <uuid>
        set type {host-regex | url | category | method | ua | header | src-advanced | dst-advanced}
        set host <string>
        set host-regex <string>
        set path <string>
        config category
            edit <name_str>
                set id <integer>
            end
        set method {get | post | put | head | connect | trace | options | delete}
        set ua {chrome | ms | firefox | safari | other}
        set header-name <string>
        set header <string>
        set case-sensitivity {disable | enable}
        config header-group
            edit <name_str>
                set id <integer>
                set header-name <string>
                set header <string>
                set case-sensitivity {disable | enable}
            end
        set color <integer>
        config tags
            edit <name_str>
                set name <string>
            end
        set comment <var-string>
        set visibility {enable | disable}
end

Description
Configuration Description Default Value
name Address name. (Empty)
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
type Address type. url
host Host address. (Empty)
host-regex Host regular expression. (Empty)
path URL path regular expression. (Empty)
category FortiGuard category ID. (Empty)
method HTTP methods. (Empty)
ua User agent. (Empty)
header-name HTTP header. (Empty)
header HTTP header regular expression. (Empty)
case-sensitivity Case sensitivity in pattern. disable
header-group HTTP header group. (Empty)
color GUI icon color. 0
tags Applied object tags. (Empty)
comment Comment. (Empty)
visibility Enable/disable address visibility. disable

firewall/explicit-proxy-addrgrp
CLI Syntax
config firewall explicit-proxy-addrgrp
    edit <name_str>
        set name <string>
        set type {src | dst}
        set uuid <uuid>
        config member
            edit <name_str>
                set name <string>
            end
        set color <integer>
        config tags
            edit <name_str>
                set name <string>
            end
        set comment <var-string>
        set visibility {enable | disable}
end

Description
Configuration Description Default Value
name Address group name. (Empty)
type Address group type. src
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
member Address group members. (Empty)
color GUI icon color. 0
tags Applied object tags. (Empty)
comment Comment. (Empty)
visibility Enable/disable address visibility. disable

firewall/explicit-proxy-policy
CLI Syntax
config firewall explicit-proxy-policy
    edit <name_str>
        set uuid <uuid>
        set policyid <integer>
        set proxy {web | ftp | wanopt}
        config dstintf
            edit <name_str>
                set name <string>
            end
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        config service
            edit <name_str>
                set name <string>
            end
        set srcaddr-negate {enable | disable}
        set dstaddr-negate {enable | disable}
        set service-negate {enable | disable}
        set action {accept | deny}
        set status {enable | disable}
        set schedule <string>
        set logtraffic {all | utm | disable}
        config srcaddr6
            edit <name_str>
                set name <string>
            end
        config dstaddr6
            edit <name_str>
                set name <string>
            end
        set identity-based {enable | disable}
        set ip-based {enable | disable}
        set active-auth-method {ntlm | basic | digest | form | none}
        set sso-auth-method {fsso | rsso | none}
        set require-tfa {enable | disable}
        set web-auth-cookie {enable | disable}
        set transaction-based {enable | disable}
        config identity-based-policy
            edit <name_str>
                set id <integer>
                set schedule <string>
                set logtraffic {all | utm | disable}
                set logtraffic-start {enable | disable}
                set scan-botnet-connections {disable | block | monitor}
                set utm-status {enable | disable}
                set profile-type {single | group}
                set profile-group <string>
                set av-profile <string>
                set webfilter-profile <string>
                set spamfilter-profile <string>
                set dlp-sensor <string>
                set ips-sensor <string>
                set application-list <string>
                set casi-profile <string>
                set icap-profile <string>
                set waf-profile <string>
                set profile-protocol-options <string>
                set ssl-ssh-profile <string>
                config groups
                    edit <name_str>
                        set name <string>
                    end
                config users
                    edit <name_str>
                        set name <string>
                    end
                set disclaimer {disable | domain | policy | user}
                set replacemsg-override-group <string>
            end
        set webproxy-forward-server <string>
        set webproxy-profile <string>
        set transparent {enable | disable}
        set webcache {enable | disable}
        set webcache-https {disable | any | enable}
        set disclaimer {disable | domain | policy | user}
        set utm-status {enable | disable}
        set profile-type {single | group}
        set profile-group <string>
        set av-profile <string>
        set webfilter-profile <string>
        set spamfilter-profile <string>
        set dlp-sensor <string>
        set ips-sensor <string>
        set application-list <string>
        set casi-profile <string>
        set icap-profile <string>
        set waf-profile <string>
        set profile-protocol-options <string>
        set ssl-ssh-profile <string>
        set replacemsg-override-group <string>
        set logtraffic-start {enable | disable}
        config tags
            edit <name_str>
                set name <string>
            end
        set label <string>
        set global-label <string>
        set scan-botnet-connections {disable | block | monitor}
        set comments <var-string>
end

Description
Configuration Description Default Value
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
policyid Policy ID. 0
proxy Explicit proxy type. (Empty)
dstintf Destination interface name. (Empty)
srcaddr Source address name. [srcaddr or srcaddr6 (web proxy only) must be set]. (Empty)
dstaddr Destination address name. [dstaddr or dstaddr6 (web proxy only) must be set]. (Empty)
service Service name. (Empty)
srcaddr-negate Enable/disable negated source address match. disable
dstaddr-negate Enable/disable negated destination address match. disable
service-negate Enable/disable negated service match. disable
action Policy action. deny
status Enable/disable policy status. enable
schedule Schedule name. (Empty)
logtraffic Enable/disable policy log traffic. utm
srcaddr6 IPv6 source address (web proxy only). [srcaddr6 or srcaddr must be set]. (Empty)
dstaddr6 IPv6 destination address (web proxy only). [dstaddr6 or dstaddr must be set]. (Empty)
identity-based Enable/disable identity-based policy. disable
ip-based Enable/disable IP-based authentication. disable
active-auth-method Active authentication method. basic
sso-auth-method SSO authentication method. none
require-tfa Enable/disable requirement of 2-factor authentication. disable
web-auth-cookie Enable/disable Web authentication cookie. disable
transaction-based Enable/disable transaction based authentication. disable
identity-based-policy Identity-based policy. (Empty)
webproxy-forward-server Web proxy forward server. (Empty)
webproxy-profile Web proxy profile. (Empty)
transparent Use IP address of client to connect to server. disable
webcache Enable/disable web cache. disable
webcache-https Enable/disable web cache for HTTPS. disable
disclaimer Web proxy disclaimer setting. disable
utm-status Enable AV/web/IPS protection profile. disable
profile-type Profile type. single
profile-group Profile group. (Empty)
av-profile Antivirus profile. (Empty)
webfilter-profile Web filter profile. (Empty)
spamfilter-profile Spam filter profile. (Empty)
dlp-sensor DLP sensor. (Empty)
ips-sensor IPS sensor. (Empty)
application-list Application list. (Empty)
casi-profile CASI profile. (Empty)
icap-profile ICAP profile. (Empty)
waf-profile Web application firewall profile. (Empty)
profile-protocol-options Profile protocol options. (Empty)
ssl-ssh-profile SSL SSH Profile. (Empty)
replacemsg-override-group Specify authentication replacement message override group. (Empty)
logtraffic-start Enable/disable policy log traffic start. disable
tags Applied object tags. (Empty)
label Label for section view. (Empty)
global-label Label for global view. (Empty)
scan-botnet-connections Enable/disable scanning of connections to Botnet servers. disable
comments Comment. (Empty)

firewall/identity-based-route
CLI Syntax
config firewall identity-based-route
    edit <name_str>
        set name <string>
        set comments <string>
        config rule
            edit <name_str>
                set id <integer>
                set gateway <ipv4-address>
                set device <string>
                config groups
                    edit <name_str>
                        set name <string>
                    end
            end
end

Description
Configuration Description Default Value
name Name. (Empty)
comments Description/comments. (Empty)
rule Rule. (Empty)

firewall/interface-policy
CLI Syntax
config firewall interface-policy
    edit <name_str>
        set policyid <integer>
        set status {enable | disable}
        set logtraffic {all | utm | disable}
        set address-type {ipv4 | ipv6}
        set interface <string>
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        config service
            edit <name_str>
                set name <string>
            end
        set application-list-status {enable | disable}
        set application-list <string>
        set casi-profile-status {enable | disable}
        set casi-profile <string>
        set ips-sensor-status {enable | disable}
        set ips-sensor <string>
        set dsri {enable | disable}
        set av-profile-status {enable | disable}
        set av-profile <string>
        set webfilter-profile-status {enable | disable}
        set webfilter-profile <string>
        set spamfilter-profile-status {enable | disable}
        set spamfilter-profile <string>
        set dlp-sensor-status {enable | disable}
        set dlp-sensor <string>
        set scan-botnet-connections {disable | block | monitor}
        set label <string>
end

Description
Configuration Description Default Value
policyid Policy ID. 0
status Enable/disable policy status. enable
logtraffic Enable/disable interface log traffic. utm
address-type Policy address type. ipv4
interface Interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
service Service name. (Empty)
application-list-status Enable/disable application control. disable
application-list Application list name. (Empty)
casi-profile-status Enable/disable CASI. disable
casi-profile CASI profile name. (Empty)
ips-sensor-status Enable/disable IPS sensor. disable
ips-sensor IPS sensor name. (Empty)
dsri Enable/disable DSRI. disable
av-profile-status Enable/disable antivirus. disable
av-profile Antivirus profile. (Empty)
webfilter-profile-status Enable/disable web filter profile. disable
webfilter-profile Web filter profile. (Empty)
spamfilter-profile-status Enable/disable spam filter. disable
spamfilter-profile Spam filter profile. (Empty)
dlp-sensor-status Enable/disable DLP sensor. disable
dlp-sensor DLP sensor. (Empty)
scan-botnet-connections Enable/disable scanning of connections to Botnet servers. disable
label Label. (Empty)

firewall/interface-policy6
CLI Syntax
config firewall interface-policy6
    edit <name_str>
        set policyid <integer>
        set status {enable | disable}
        set logtraffic {all | utm | disable}
        set address-type {ipv4 | ipv6}
        set interface <string>
        config srcaddr6
            edit <name_str>
                set name <string>
            end
        config dstaddr6
            edit <name_str>
                set name <string>
            end
        config service6
            edit <name_str>
                set name <string>
            end
        set application-list-status {enable | disable}
        set application-list <string>
        set casi-profile-status {enable | disable}
        set casi-profile <string>
        set ips-sensor-status {enable | disable}
        set ips-sensor <string>
        set dsri {enable | disable}
        set av-profile-status {enable | disable}
        set av-profile <string>
        set webfilter-profile-status {enable | disable}
        set webfilter-profile <string>
        set spamfilter-profile-status {enable | disable}
        set spamfilter-profile <string>
        set dlp-sensor-status {enable | disable}
        set dlp-sensor <string>
        set scan-botnet-connections {disable | block | monitor}
        set label <string>
end

Description
Configuration Description Default Value
policyid Policy ID. 0
status Enable/disable policy status. enable
logtraffic Enable/disable interface log traffic. utm
address-type Policy address type. ipv6
interface Interface name. (Empty)
srcaddr6 IPv6 source address name. (Empty)
dstaddr6 IPv6 destination address name. (Empty)
service6 Service name. (Empty)
application-list-status Enable/disable application control. disable
application-list Application list name. (Empty)
casi-profile-status Enable/disable CASI. disable
casi-profile CASI profile name. (Empty)
ips-sensor-status Enable/disable IPS sensor. disable
ips-sensor IPS sensor name. (Empty)
dsri Enable/disable DSRI. disable
av-profile-status Enable/disable antivirus. disable
av-profile Antivirus profile. (Empty)
webfilter-profile-status Enable/disable web filter profile. disable
webfilter-profile Web filter profile. (Empty)
spamfilter-profile-status Enable/disable spam filter. disable
spamfilter-profile Spam filter profile. (Empty)
dlp-sensor-status Enable/disable DLP sensor. disable
dlp-sensor DLP sensor. (Empty)
scan-botnet-connections Enable/disable scanning of connections to Botnet servers. disable
label Label. (Empty)

firewall/ip-translation
CLI Syntax
config firewall ip-translation
    edit <name_str>
        set transid <integer>
        set type {SCTP}
        set startip <ipv4-address-any>
        set endip <ipv4-address-any>
        set map-startip <ipv4-address-any>
end

Description
Configuration Description Default Value
transid IP translation ID. 0
type IP translation type. SCTP
startip Start IP. 0.0.0.0
endip End IP. 0.0.0.0
map-startip Mapped start IP. 0.0.0.0

firewall/ippool
CLI Syntax
config firewall ippool
    edit <name_str>
        set name <string>
        set type {overload | one-to-one | fixed-port-range | port-block-allocation}
        set startip <ipv4-address-any>
        set endip <ipv4-address-any>
        set source-startip <ipv4-address-any>
        set source-endip <ipv4-address-any>
        set block-size <integer>
        set num-blocks-per-user <integer>
        set permit-any-host {disable | enable}
        set arp-reply {disable | enable}
        set arp-intf <string>
        set comments <var-string>
end

Description
Configuration Description Default Value
name IP pool name. (Empty)
type IP pool type. overload
startip Start IP. 0.0.0.0
endip End IP. 0.0.0.0
source-startip Source start IP. 0.0.0.0
source-endip Source end IP. 0.0.0.0
block-size Block size. 128
num-blocks-per-user Number of blocks per user (1 - 128). 8
permit-any-host Enable/disable full cone. disable
arp-reply Enable/disable ARP reply. enable
arp-intf ARP reply interface. Any if unset. (Empty)
comments Comment. (Empty)

firewall/ippool6
CLI Syntax
config firewall ippool6
    edit <name_str>
        set name <string>
        set startip <ipv6-address>
        set endip <ipv6-address>
        set comments <var-string>
end

Description
Configuration Description Default Value
name IPv6 pool name. (Empty)
startip Start IP. ::
endip End IP. ::
comments Comment. (Empty)

firewall/ipv6-eh-filter
CLI Syntax
config firewall ipv6-eh-filter
    edit <name_str>
        set hop-opt {enable | disable}
        set dest-opt {enable | disable}
        set hdopt-type <integer>
        set routing {enable | disable}
        set routing-type <integer>
        set fragment {enable | disable}
        set auth {enable | disable}
        set no-next {enable | disable}
end

Description
Configuration Description Default Value
hop-opt Block packets with Hop-by-Hop Options header. disable
dest-opt Block packets with Destination Options header. disable
hdopt-type Block specific Hop-by-Hop and/or Destination Option types (maximum 7 types, each between 0 and 255). (Empty)
routing Block packets with Routing header. enable
routing-type Block specific Routing header types (maximum 7 types, each between 0 and 255). 0
fragment Block packets with Fragment header. disable
auth Block packets with Authentication header. disable
no-next Block packets with No Next header. disable

firewall/ldb-monitor
CLI Syntax
config firewall ldb-monitor
    edit <name_str>
        set name <string>
        set type {ping | tcp | http | passive-sip}
        set interval <integer>
        set timeout <integer>
        set retry <integer>
        set port <integer>
        set http-get <string>
        set http-match <string>
        set http-max-redirects <integer>
end

Description
Configuration Description Default Value
name Monitor name. (Empty)
type Monitor type. (Empty)
interval Detect interval. 10
timeout Detect request timeout. 2
retry Number of detect tries before bringing the server down. 3
port Service port. 0
http-get HTTP GET URL string. (Empty)
http-match String for matching the HTTP GET response. (Empty)
http-max-redirects The maximum number of HTTP redirects to be allowed. 0

firewall/local-in-policy
CLI Syntax
config firewall local-in-policy
    edit <name_str>
        set policyid <integer>
        set ha-mgmt-intf-only {enable | disable}
        set intf <string>
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        set action {accept | deny}
        config service
            edit <name_str>
                set name <string>
            end
        set schedule <string>
        set auto-asic-offload {enable | disable}
        set status {enable | disable}
end

Description
Configuration Description Default Value
policyid User defined local in policy ID. 0
ha-mgmt-intf-only Enable/disable dedication of HA management interface only for local-in policy. disable
intf Source interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
action Local-In policy action. deny
service Service name. (Empty)
schedule Schedule name. (Empty)
auto-asic-offload Enable/disable policy traffic ASIC offloading. enable
status Enable/disable policy status. enable

firewall/local-in-policy6
CLI Syntax
config firewall local-in-policy6
    edit <name_str>
        set policyid <integer>
        set intf <string>
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        set action {accept | deny}
        config service
            edit <name_str>
                set name <string>
            end
        set schedule <string>
        set status {enable | disable}
end

Description
Configuration Description Default Value
policyid User defined local in policy ID. 0
intf Source interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
action Local-In policy action. deny
service Service name. (Empty)
schedule Schedule name. (Empty)
status Enable/disable policy status. enable

firewall/multicast-address
CLI Syntax
config firewall multicast-address
    edit <name_str>
        set name <string>
        set type {multicastrange | broadcastmask}
        set subnet <ipv4-classnet-any>
        set start-ip <ipv4-address-any>
        set end-ip <ipv4-address-any>
        set comment <var-string>
        set visibility {enable | disable}
        set associated-interface <string>
        set color <integer>
        config tags
            edit <name_str>
                set name <string>
            end
end

Description
Configuration Description Default Value
name Multicast address name. (Empty)
type Multicast address type. multicastrange
subnet Broadcast address and subnet. 0.0.0.0 0.0.0.0
start-ip Start IP. 0.0.0.0
end-ip End IP. 0.0.0.0
comment Comment. (Empty)
visibility Enable/disable multicast address visibility. enable
associated-interface Associated interface name. (Empty)
color GUI icon color. 0
tags Applied object tags. (Empty)

firewall/multicast-address6
CLI Syntax
config firewall multicast-address6
    edit <name_str>
        set name <string>
        set ip6 <ipv6-network>
        set comment <var-string>
        set visibility {enable | disable}
        set color <integer>
        config tags
            edit <name_str>
                set name <string>
            end
end

Description
Configuration Description Default Value
name IPv6 multicast address name. (Empty)
ip6 IPv6 address prefix. ::/0
comment Comment. (Empty)
visibility Enable/disable multicast address visibility. enable
color GUI icon color. 0
tags Applied object tags. (Empty)

firewall/multicast-policy
CLI Syntax
config firewall multicast-policy
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set logtraffic {enable | disable}
        set srcintf <string>
        set dstintf <string>
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        set snat {enable | disable}
        set snat-ip <ipv4-address>
        set dnat <ipv4-address-any>
        set action {accept | deny}
        set protocol <integer>
        set start-port <integer>
        set end-port <integer>
        set auto-asic-offload {enable | disable}
end

Description
Configuration Description Default Value
id Policy ID. 0
status Enable/disable policy status. enable
logtraffic Enable/disable policy log traffic. disable
srcintf Source interface name. (Empty)
dstintf Destination interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
snat Enable/disable NAT source address. disable
snat-ip NAT source address. 0.0.0.0
dnat NAT destination address. 0.0.0.0
action Policy action. accept
protocol Protocol number. 0
start-port Start port number. 1
end-port End port number. 65535
auto-asic-offload Enable/disable policy traffic ASIC offloading. enable

firewall/multicast-policy6
CLI Syntax
config firewall multicast-policy6
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set logtraffic {enable | disable}
        set srcintf <string>
        set dstintf <string>
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        set action {accept | deny}
        set protocol <integer>
        set start-port <integer>
        set end-port <integer>
        set auto-asic-offload {enable | disable}
end

Description
Configuration Description Default Value
id Policy ID. 0
status Enable/disable multicast IPv6 policy status. enable
logtraffic Enable/disable multicast IPv6 policy log traffic. disable
srcintf IPv6 source interface name. (Empty)
dstintf IPv6 destination interface name. (Empty)
srcaddr IPv6 source address name. (Empty)
dstaddr IPv6 destination address name. (Empty)
action Policy action. accept
protocol Protocol number. 0
start-port Start port number. 1
end-port End port number. 65535
auto-asic-offload Enable/disable policy traffic ASIC offloading. enable

CLI Reference for FortiOS 5.4 148


Fortinet Technologies Inc.
firewall/policy
CLI Syntax
config firewall policy
edit <name_str>
set policyid <integer>
set name <string>
set uuid <uuid>
config srcintf
edit <name_str>
set name <string>
end
config dstintf
edit <name_str>
set name <string>
end
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set rtp-nat {disable | enable}
config rtp-addr
edit <name_str>
set name <string>
end
set action {accept | deny | ipsec | ssl-vpn}
set send-deny-packet {disable | enable}
set firewall-session-dirty {check-all | check-new}
set status {enable | disable}
set schedule <string>
set schedule-timeout {enable | disable}
config service
edit <name_str>
set name <string>
end
set utm-status {enable | disable}
set profile-type {single | group}
set profile-group <string>
set av-profile <string>
set webfilter-profile <string>
set dnsfilter-profile <string>
set spamfilter-profile <string>
set dlp-sensor <string>
set ips-sensor <string>
set application-list <string>
set casi-profile <string>
CLI Reference for FortiOS 5.4 149
Fortinet Technologies Inc.
set voip-profile <string>
set icap-profile <string>
set waf-profile <string>
set profile-protocol-options <string>
set ssl-ssh-profile <string>
set logtraffic {all | utm | disable}
set logtraffic-start {enable | disable}
set capture-packet {enable | disable}
set auto-asic-offload {enable | disable}
set wanopt {enable | disable}
set wanopt-detection {active | passive | off}
set wanopt-passive-opt {default | transparent | non-transparent}
set wanopt-profile <string>
set wanopt-peer <string>
set webcache {enable | disable}
set webcache-https {disable | ssl-server | any | enable}
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
set nat {enable | disable}
set permit-any-host {enable | disable}
set permit-stun-host {enable | disable}
set fixedport {enable | disable}
set ippool {enable | disable}
config poolname
edit <name_str>
set name <string>
end
set session-ttl <integer>
set vlan-cos-fwd <integer>
set vlan-cos-rev <integer>
set inbound {enable | disable}
set outbound {enable | disable}
set natinbound {enable | disable}
set natoutbound {enable | disable}
set wccp {enable | disable}
set ntlm {enable | disable}
set ntlm-guest {enable | disable}
config ntlm-enabled-browsers
edit <name_str>
set user-agent-string <string>
end
set fsso {enable | disable}
set wsso {enable | disable}
set rsso {enable | disable}
set fsso-agent-for-ntlm <string>
config groups
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
CLI Reference for FortiOS 5.4 150
Fortinet Technologies Inc.
set name <string>
end
config devices
edit <name_str>
set name <string>
end
set auth-path {enable | disable}
set disclaimer {enable | disable}
set vpntunnel <string>
set natip <ipv4-classnet>
set match-vip {enable | disable}
set diffserv-forward {enable | disable}
set diffserv-reverse {enable | disable}
set diffservcode-forward <user>
set diffservcode-rev <user>
set tcp-mss-sender <integer>
set tcp-mss-receiver <integer>
set comments <var-string>
set label <string>
set global-label <string>
set auth-cert <string>
set auth-redirect-addr <string>
set redirect-url <string>
set identity-based-route <string>
set block-notification {enable | disable}
config custom-log-fields
edit <name_str>
set field_id <string>
end
config tags
edit <name_str>
set name <string>
end
set replacemsg-override-group <string>
set srcaddr-negate {enable | disable}
set dstaddr-negate {enable | disable}
set service-negate {enable | disable}
set timeout-send-rst {enable | disable}
set captive-portal-exempt {enable | disable}
set ssl-mirror {enable | disable}
config ssl-mirror-intf
edit <name_str>
set name <string>
end
set scan-botnet-connections {disable | block | monitor}
set dsri {enable | disable}
end

CLI Reference for FortiOS 5.4 151


Fortinet Technologies Inc.
Description
Configuration Description Default Value

policyid Policy ID. 0

name Policy name. (Empty)

uuid Universally Unique IDentifier. 00000000-0000-0000-


0000-000000000000

srcintf Source interface name. (Empty)

dstintf Destination interface name. (Empty)

srcaddr Source address name. (Empty)

dstaddr Destination address name. (Empty)

rtp-nat Enable/disable use of this policy for RTP NAT. disable

rtp-addr RTP NAT address name. (Empty)

action Policy action. deny

send-deny-packet Enable/disable return of deny-packet. disable

firewall-session-dirty Packet session management. check-all

status Enable/disable policy status. enable

schedule Schedule name. (Empty)

schedule-timeout Enable/disable schedule timeout. disable

service Service name. (Empty)

utm-status Enable AV/web/IPS protection profile. disable

profile-type Profile type. single

profile-group Profile group. (Empty)

av-profile Antivirus profile. (Empty)

webfilter-profile Web filter profile. (Empty)

dnsfilter-profile DNS filter profile. (Empty)

spamfilter-profile Spam filter profile. (Empty)

dlp-sensor DLP sensor. (Empty)

ips-sensor IPS sensor. (Empty)

application-list Application list. (Empty)

casi-profile CASI profile. (Empty)

voip-profile VoIP profile. (Empty)

icap-profile ICAP profile. (Empty)

waf-profile Web application firewall profile. (Empty)

profile-protocol-options Profile protocol options. (Empty)

ssl-ssh-profile SSL SSH Profile. (Empty)

logtraffic Enable/disable policy log traffic. utm

logtraffic-start Enable/disable policy log traffic start. disable

capture-packet Enable/disable capture packets. disable

auto-asic-offload Enable/disable policy traffic ASIC offloading. enable

wanopt Enable/disable WAN optimization. disable

wanopt-detection WAN optimization auto-detection mode. active

wanopt-passive-opt WAN optimization passive mode options. This option decides what IP address will be used to connect server. default

wanopt-profile WAN optimization profile. (Empty)

wanopt-peer WAN optimization peer. (Empty)

webcache Enable/disable web cache. disable

webcache-https Enable/disable web cache for HTTPS. disable

traffic-shaper Traffic shaper. (Empty)

traffic-shaper-reverse Traffic shaper. (Empty)

per-ip-shaper Per-IP shaper. (Empty)

nat Enable/disable policy NAT. disable

permit-any-host Enable/disable permit any host in. disable

permit-stun-host Enable/disable permit stun host in. disable

fixedport Enable/disable policy fixed port. disable

ippool Enable/disable policy IP pool. disable

poolname Policy IP pool names. (Empty)

session-ttl Session TTL. 0

vlan-cos-fwd VLAN forward direction user priority. 255

vlan-cos-rev VLAN reverse direction user priority. 255

inbound Enable/disable policy inbound. disable

outbound Enable/disable policy outbound. disable

natinbound Enable/disable policy NAT inbound. disable

natoutbound Enable/disable policy NAT outbound. disable

wccp Enable/disable Web Cache Coordination Protocol (WCCP). disable

ntlm Enable/disable NTLM authentication. disable

ntlm-guest Enable/disable guest user for NTLM authentication. disable

ntlm-enabled-browsers User agent strings for NTLM enabled browsers. (Empty)

fsso Enable/disable Fortinet Single Sign-On. disable

wsso Enable/disable WiFi Single Sign-On. enable

rsso Enable/disable RADIUS Single Sign-On. disable

fsso-agent-for-ntlm Specify FSSO agent for NTLM authentication. (Empty)

groups User authentication groups. (Empty)

users User name. (Empty)

devices Devices or device groups. (Empty)

auth-path Enable/disable authentication-based routing. disable

disclaimer Enable/disable user authentication disclaimer. disable

vpntunnel Policy VPN tunnel. (Empty)

natip NAT address. 0.0.0.0 0.0.0.0

match-vip Enable/disable match DNATed packet. disable

diffserv-forward Enable/disable forward (original) traffic DiffServ. disable

diffserv-reverse Enable/disable reverse (reply) traffic DiffServ. disable

diffservcode-forward Forward (original) traffic DiffServ code point value. 000000

diffservcode-rev Reverse (reply) traffic DiffServ code point value. 000000

tcp-mss-sender TCP MSS value of sender. 0

tcp-mss-receiver TCP MSS value of receiver. 0

comments Comment. (Empty)

label Label for section view. (Empty)

global-label Label for global view. (Empty)

auth-cert HTTPS server certificate for policy authentication. (Empty)

auth-redirect-addr HTTP-to-HTTPS redirect address for firewall authentication. (Empty)

redirect-url URL redirection after disclaimer/authentication. (Empty)

identity-based-route Name of identity-based routing rule. (Empty)

block-notification Enable/disable block notification. disable

custom-log-fields Log custom fields. (Empty)

tags Applied object tags. (Empty)

replacemsg-override-group Specify authentication replacement message override group. (Empty)

srcaddr-negate Enable/disable negated source address match. disable

dstaddr-negate Enable/disable negated destination address match. disable

service-negate Enable/disable negated service match. disable

timeout-send-rst Enable/disable sending of RST packet upon TCP session expiration. disable

captive-portal-exempt Enable/disable exemption of captive portal. disable

ssl-mirror Enable/disable SSL mirror. disable

ssl-mirror-intf Mirror interface name. (Empty)

scan-botnet-connections Enable/disable scanning of connections to Botnet servers. disable

dsri Enable/disable DSRI. disable

firewall/policy46
CLI Syntax
config firewall policy46
edit <name_str>
set permit-any-host {enable | disable}
set policyid <integer>
set uuid <uuid>
set srcintf <string>
set dstintf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny}
set status {enable | disable}
set schedule <string>
config service
edit <name_str>
set name <string>
end
set logtraffic {enable | disable}
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
set fixedport {enable | disable}
set tcp-mss-sender <integer>
set tcp-mss-receiver <integer>
set comments <var-string>
config tags
edit <name_str>
set name <string>
end
end

Description
Configuration Description Default Value

permit-any-host Enable/disable permit any host in. disable

policyid Policy ID. 0

uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000

srcintf Source interface name. (Empty)

dstintf Destination interface name. (Empty)

srcaddr Source address name. (Empty)

dstaddr Destination address name. (Empty)

action Policy action. deny

status Policy status. enable

schedule Schedule name. (Empty)

service Service name. (Empty)

logtraffic Enable/disable traffic log. disable

traffic-shaper Traffic shaper. (Empty)

traffic-shaper-reverse Reverse traffic shaper. (Empty)

per-ip-shaper Per IP traffic shaper. (Empty)

fixedport Enable/disable policy fixed port. disable

tcp-mss-sender TCP MSS value of sender. 0

tcp-mss-receiver TCP MSS value of receiver. 0

comments Comment. (Empty)

tags Applied object tags. (Empty)

firewall/policy6
CLI Syntax
config firewall policy6
edit <name_str>
set policyid <integer>
set name <string>
set uuid <uuid>
config srcintf
edit <name_str>
set name <string>
end
config dstintf
edit <name_str>
set name <string>
end
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny | ipsec | ssl-vpn}
set firewall-session-dirty {check-all | check-new}
set status {enable | disable}
set vlan-cos-fwd <integer>
set vlan-cos-rev <integer>
set schedule <string>
config service
edit <name_str>
set name <string>
end
set utm-status {enable | disable}
set profile-type {single | group}
set profile-group <string>
set av-profile <string>
set webfilter-profile <string>
set spamfilter-profile <string>
set dlp-sensor <string>
set ips-sensor <string>
set application-list <string>
set casi-profile <string>
set voip-profile <string>
set icap-profile <string>
set profile-protocol-options <string>
set ssl-ssh-profile <string>
set logtraffic {all | utm | disable}
set logtraffic-start {enable | disable}
set auto-asic-offload {enable | disable}
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
set nat {enable | disable}
set fixedport {enable | disable}
set ippool {enable | disable}
config poolname
edit <name_str>
set name <string>
end
set inbound {enable | disable}
set outbound {enable | disable}
set natinbound {enable | disable}
set natoutbound {enable | disable}
set send-deny-packet {enable | disable}
set vpntunnel <string>
set diffserv-forward {enable | disable}
set diffserv-reverse {enable | disable}
set diffservcode-forward <user>
set diffservcode-rev <user>
set tcp-mss-sender <integer>
set tcp-mss-receiver <integer>
set comments <var-string>
set label <string>
set global-label <string>
set rsso {enable | disable}
config tags
edit <name_str>
set name <string>
end
set replacemsg-override-group <string>
set srcaddr-negate {enable | disable}
set dstaddr-negate {enable | disable}
set service-negate {enable | disable}
config groups
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config devices
edit <name_str>
set name <string>
end
set timeout-send-rst {enable | disable}
set ssl-mirror {enable | disable}
config ssl-mirror-intf
edit <name_str>
set name <string>
end
set dsri {enable | disable}
end

Description
Configuration Description Default Value

policyid Policy ID. 0

name Policy name. (Empty)

uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000

srcintf Source interface name. (Empty)

dstintf Destination interface name. (Empty)

srcaddr Source address name. (Empty)

dstaddr Destination address name. (Empty)

action Policy action. deny

firewall-session-dirty Packet session management. check-all

status Enable/disable policy status. enable

vlan-cos-fwd VLAN forward direction user priority. 255

vlan-cos-rev VLAN reverse direction user priority. 255

schedule Schedule name. (Empty)

service Service name. (Empty)

utm-status Enable AV/web/IPS protection profile. disable

profile-type Profile type. single

profile-group Profile group. (Empty)

av-profile Antivirus profile. (Empty)

webfilter-profile Web filter profile. (Empty)

spamfilter-profile Spam filter profile. (Empty)

dlp-sensor DLP sensor. (Empty)

ips-sensor IPS sensor. (Empty)

application-list Application list. (Empty)

casi-profile CASI profile. (Empty)

voip-profile VoIP profile. (Empty)

icap-profile ICAP profile. (Empty)

profile-protocol-options Profile protocol options. (Empty)

ssl-ssh-profile SSL SSH Profile. (Empty)

logtraffic Enable/disable policy log traffic. utm

logtraffic-start Enable/disable policy log traffic start. disable

auto-asic-offload Enable/disable policy traffic ASIC offloading. enable

traffic-shaper Traffic shaper. (Empty)

traffic-shaper-reverse Traffic shaper. (Empty)

per-ip-shaper Per-IP shaper. (Empty)

nat Enable/disable policy NAT. disable

fixedport Enable/disable policy fixed port. disable

ippool Enable/disable policy IP pool. disable

poolname Policy IP pool names. (Empty)

inbound Enable/disable policy inbound. disable

outbound Enable/disable policy outbound. disable

natinbound Enable/disable policy NAT inbound. disable

natoutbound Enable/disable policy NAT outbound. disable

send-deny-packet Enable/disable return of deny-packet. disable

vpntunnel Policy VPN tunnel. (Empty)

diffserv-forward Enable/disable forward (original) traffic DiffServ. disable

diffserv-reverse Enable/disable reverse (reply) traffic DiffServ. disable

diffservcode-forward Forward (original) traffic DiffServ code point value. 000000

diffservcode-rev Reverse (reply) Traffic DiffServ code point value. 000000

tcp-mss-sender TCP MSS value of sender. 0

tcp-mss-receiver TCP MSS value of receiver. 0

comments Comment. (Empty)

label Label for section view. (Empty)

global-label Label for global view. (Empty)

rsso Enable/disable RADIUS Single Sign-On. disable

tags Applied object tags. (Empty)

replacemsg-override-group Specify authentication replacement message override group. (Empty)

srcaddr-negate Enable/disable negated source address match. disable

dstaddr-negate Enable/disable negated destination address match. disable

service-negate Enable/disable negated service match. disable

groups User authentication groups. (Empty)

users User name. (Empty)

devices Devices or device groups. (Empty)

timeout-send-rst Enable/disable sending of RST packet upon TCP session expiration. disable

ssl-mirror Enable/disable SSL mirror. disable

ssl-mirror-intf Mirror interface name. (Empty)

dsri Enable/disable DSRI. disable

firewall/policy64
CLI Syntax
config firewall policy64
edit <name_str>
set policyid <integer>
set uuid <uuid>
set srcintf <string>
set dstintf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny}
set status {enable | disable}
set schedule <string>
config service
edit <name_str>
set name <string>
end
set logtraffic {enable | disable}
set permit-any-host {enable | disable}
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
set fixedport {enable | disable}
set ippool {enable | disable}
config poolname
edit <name_str>
set name <string>
end
set tcp-mss-sender <integer>
set tcp-mss-receiver <integer>
set comments <var-string>
config tags
edit <name_str>
set name <string>
end
end

Description
Configuration Description Default Value

policyid Policy ID. 0

uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000

srcintf Source interface name. (Empty)

dstintf Destination interface name. (Empty)

srcaddr Source address name. (Empty)

dstaddr Destination address name. (Empty)

action Policy action. deny

status Enable/disable policy status. enable

schedule Schedule name. (Empty)

service Service name. (Empty)

logtraffic Enable/disable policy log traffic. disable

permit-any-host Enable/disable permit any host in. disable

traffic-shaper Traffic shaper. (Empty)

traffic-shaper-reverse Reverse traffic shaper. (Empty)

per-ip-shaper Per-IP traffic shaper. (Empty)

fixedport Enable/disable policy fixed port. disable

ippool Enable/disable policy64 IP pool. disable

poolname Policy IP pool names. (Empty)

tcp-mss-sender TCP MSS value of sender. 0

tcp-mss-receiver TCP MSS value of receiver. 0

comments Comment. (Empty)

tags Applied object tags. (Empty)

firewall/profile-group
CLI Syntax
config firewall profile-group
edit <name_str>
set name <string>
set av-profile <string>
set webfilter-profile <string>
set dnsfilter-profile <string>
set spamfilter-profile <string>
set dlp-sensor <string>
set ips-sensor <string>
set application-list <string>
set casi-profile <string>
set voip-profile <string>
set icap-profile <string>
set waf-profile <string>
set profile-protocol-options <string>
set ssl-ssh-profile <string>
end

Description
Configuration Description Default Value

name Profile group name. (Empty)

av-profile Antivirus profile. (Empty)

webfilter-profile Web filter profile. (Empty)

dnsfilter-profile DNS filter profile. (Empty)

spamfilter-profile Spam filter profile. (Empty)

dlp-sensor DLP sensor. (Empty)

ips-sensor IPS sensor. (Empty)

application-list Application list. (Empty)

casi-profile CASI profile. (Empty)

voip-profile VoIP profile. (Empty)

icap-profile ICAP profile. (Empty)

waf-profile Web application firewall profile. (Empty)

profile-protocol-options Profile protocol options. (Empty)

ssl-ssh-profile SSL SSH Profile. (Empty)

firewall/profile-protocol-options
CLI Syntax
config firewall profile-protocol-options
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
set oversize-log {disable | enable}
set switching-protocols-log {disable | enable}
config http
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {clientcomfort | servercomfort | oversize | no-content-summary | chunkedbypass}
set comfort-interval <integer>
set comfort-amount <integer>
set range-block {disable | enable}
set post-lang {jisx0201 | jisx0208 | jisx0212 | gb2312 | ksc5601-ex | euc-jp | sjis | iso2022-jp | iso2022-jp-1 | iso2022-jp-2 | euc-cn | ces-gbk | hz | ces-big5 | euc-kr | iso2022-jp-3 | iso8859-1 | tis620 | cp874 | cp1252 | cp1251}
set fortinet-bar {enable | disable}
set fortinet-bar-port <integer>
set streaming-content-bypass {enable | disable}
set switching-protocols {bypass | block}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
set block-page-status-code <integer>
set retry-count <integer>
end
config ftp
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {clientcomfort | oversize | no-content-summary | splice | bypass-rest-command | bypass-mode-command}
set comfort-interval <integer>
set comfort-amount <integer>
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
config imap
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {fragmail | oversize | no-content-summary}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
config mapi
edit <name_str>
set ports <integer>
set status {enable | disable}
set options {fragmail | oversize | no-content-summary}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
config pop3
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {fragmail | oversize | no-content-summary}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
config smtp
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {fragmail | oversize | no-content-summary | splice}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
set server-busy {enable | disable}
end
config nntp
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {oversize | no-content-summary | splice}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
config dns
edit <name_str>
set ports <integer>
set status {enable | disable}
end
config mail-signature
edit <name_str>
set status {disable | enable}
set signature <string>
end
set rpc-over-http {enable | disable}
end

Description
Configuration Description Default Value

name Name. (Empty)

comment Comment. (Empty)

replacemsg-group Replacement message group. (Empty)

oversize-log Enable/disable log antivirus oversize file blocking. disable

switching-protocols-log Enable/disable log HTTP/HTTPS switching protocols. disable

http HTTP. Details below

Configuration Default Value


ports (Empty)
status enable
inspect-all disable
options (Empty)
comfort-interval 10
comfort-amount 1
range-block disable
post-lang (Empty)
fortinet-bar disable
fortinet-bar-port 8011
streaming-content-bypass enable
switching-protocols bypass
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable
block-page-status-code 200
retry-count 0

ftp FTP. Details below

Configuration Default Value
ports (Empty)
status enable
inspect-all disable
options (Empty)
comfort-interval 10
comfort-amount 1
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable

imap IMAP. Details below

Configuration Default Value


ports (Empty)
status enable
inspect-all disable
options (Empty)
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable

mapi MAPI. Details below

Configuration Default Value


ports (Empty)
status enable
options (Empty)
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable

pop3 POP3. Details below

Configuration Default Value
ports (Empty)
status enable
inspect-all disable
options (Empty)
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable

smtp SMTP. Details below

Configuration Default Value


ports (Empty)
status enable
inspect-all disable
options (Empty)
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable
server-busy disable

nntp NNTP. Details below

Configuration Default Value


ports (Empty)
status enable
inspect-all disable
options (Empty)
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable

dns DNS. Details below

Configuration Default Value


ports (Empty)
status enable

mail-signature Mail signature. Details below

Configuration Default Value
status disable
signature (Empty)

rpc-over-http Enable/disable inspection of RPC over HTTP. enable

firewall/shaping-policy
CLI Syntax
config firewall shaping-policy
edit <name_str>
set id <integer>
set status {enable | disable}
set ip-version {4 | 6}
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config srcaddr6
edit <name_str>
set name <string>
end
config dstaddr6
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config groups
edit <name_str>
set name <string>
end
config application
edit <name_str>
set id <integer>
end
config app-category
edit <name_str>
set id <integer>
end
config url-category
edit <name_str>
set id <integer>
end
config dstintf
edit <name_str>
set name <string>
end
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
end

Description
Configuration Description Default Value

id Shaping policy ID. 0

status Enable/disable traffic shaping policy. enable

ip-version IP version. 4

srcaddr Source address. (Empty)

dstaddr Destination address. (Empty)

srcaddr6 IPv6 source address. (Empty)

dstaddr6 IPv6 destination address. (Empty)

service Service name. (Empty)

users User name. (Empty)

groups User authentication groups. (Empty)

application Application ID list. (Empty)

app-category Application category ID list. (Empty)

url-category URL category ID list. (Empty)

dstintf Destination interface list. (Empty)

traffic-shaper Forward traffic shaper. (Empty)

traffic-shaper-reverse Reverse traffic shaper. (Empty)

per-ip-shaper Per IP shaper. (Empty)

firewall/sniffer
CLI Syntax
config firewall sniffer
edit <name_str>
set id <integer>
set status {enable | disable}
set logtraffic {all | utm | disable}
set ipv6 {enable | disable}
set non-ip {enable | disable}
set interface <string>
set host <string>
set port <string>
set protocol <string>
set vlan <string>
set application-list-status {enable | disable}
set application-list <string>
set casi-profile-status {enable | disable}
set casi-profile <string>
set ips-sensor-status {enable | disable}
set ips-sensor <string>
set dsri {enable | disable}
set av-profile-status {enable | disable}
set av-profile <string>
set webfilter-profile-status {enable | disable}
set webfilter-profile <string>
set spamfilter-profile-status {enable | disable}
set spamfilter-profile <string>
set dlp-sensor-status {enable | disable}
set dlp-sensor <string>
set ips-dos-status {enable | disable}
config anomaly
edit <name_str>
set name <string>
set status {disable | enable}
set log {enable | disable}
set action {pass | block | proxy}
set quarantine {none | attacker | both | interface}
set quarantine-expiry <user>
set quarantine-log {disable | enable}
set threshold <integer>
set threshold(default) <integer>
end
set scan-botnet-connections {disable | block | monitor}
set max-packet-count <integer>
end

Description
Configuration Description Default Value

id Sniffer ID. 0

status Enable/disable sniffer status. enable

logtraffic Enable/disable sniffer log traffic. utm

ipv6 Enable/disable sniffer for IPv6 packets. disable

non-ip Enable/disable sniffer for non-IP packets. disable

interface Interface name. (Empty)

host Host list (IP or IP/mask or IP range). (Empty)

port Port list. (Empty)

protocol IP protocol list. (Empty)

vlan VLAN list. (Empty)

application-list-status Enable/disable application control. disable

application-list Application list name. (Empty)

casi-profile-status Enable/disable CASI. disable

casi-profile CASI profile name. (Empty)

ips-sensor-status Enable/disable IPS sensor. disable

ips-sensor IPS sensor name. (Empty)

dsri Enable/disable DSRI. disable

av-profile-status Enable/disable antivirus. disable

av-profile Antivirus profile. (Empty)

webfilter-profile-status Enable/disable web filter. disable

webfilter-profile Web filter profile. (Empty)

spamfilter-profile-status Enable/disable spam filter. disable

spamfilter-profile Spam filter profile. (Empty)

dlp-sensor-status Enable/disable DLP sensor. disable

dlp-sensor DLP sensor. (Empty)

ips-dos-status Enable/disable IPS DoS anomaly detection. disable

anomaly Configure anomaly. (Empty)

scan-botnet-connections Enable/disable scanning of connections to Botnet servers. disable

max-packet-count Maximum packet count. 4000

firewall/ssl-server
CLI Syntax
config firewall ssl-server
edit <name_str>
set name <string>
set ip <ipv4-address-any>
set port <integer>
set ssl-mode {half | full}
set add-header-x-forwarded-proto {enable | disable}
set mapped-port <integer>
set ssl-cert <string>
set ssl-dh-bits {768 | 1024 | 1536 | 2048}
set ssl-algorithm {high | medium | low}
set ssl-client-renegotiation {allow | deny | secure}
set ssl-min-version {ssl-3.0 | tls-1.0}
set ssl-max-version {ssl-3.0 | tls-1.0}
set ssl-send-empty-frags {enable | disable}
set url-rewrite {enable | disable}
end

Description
Configuration Description Default Value

name Server name. (Empty)

ip Server IP address. 0.0.0.0

port Server service port. 0

ssl-mode SSL/TLS mode for encryption & decryption of traffic. full

add-header-x-forwarded-proto Enable/disable add X-Forwarded-Proto header to forwarded requests. enable

mapped-port Mapped server service port. 0

ssl-cert Name of certificate for SSL connections to this server. (Empty)

ssl-dh-bits Size of Diffie-Hellman prime used in DHE-RSA negotiation. 2048

ssl-algorithm Relative strength of encryption algorithms accepted in negotiation. high

ssl-client-renegotiation Allow/block client renegotiation by server. allow

ssl-min-version Lowest SSL/TLS version to negotiate. ssl-3.0

ssl-max-version Highest SSL/TLS version to negotiate. tls-1.0

ssl-send-empty-frags Enable/disable send empty fragments to avoid attack on CBC IV. enable

url-rewrite Enable/disable rewrite URL. disable
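The firewall policy and ssl-server tables above list defaults that matter when reviewing a configuration: an accept policy logs only UTM events (logtraffic utm) and applies no security profiles (utm-status disable) unless changed, and an ssl-server accepts SSLv3 (ssl-min-version ssl-3.0) and client renegotiation (ssl-client-renegotiation allow) unless changed. As an added example that is not Fortinet's code or part of this reference, the following Python script parses a `show`-style configuration dump, fills in the defaults from these tables for settings the dump omits, and reports the weak ones; it assumes the standard dump format in which each entry is closed by `next` (the syntax summaries above omit it), and the sample dump is constructed.

```python
"""Parse a FortiOS `show`-style configuration dump and flag firewall policy and
ssl-server settings that weaken security.  Added example, not Fortinet code."""
import shlex

# Constructed sample dump (not captured from a device).  The `next` keyword that
# closes each entry is assumed from the standard `show` output format.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set logtraffic disable
    next
    edit 2
        set name "dmz-web"
        set srcaddr "all"
        set dstaddr "web-vip"
        set action accept
        set service "HTTPS"
        set utm-status enable
    next
end
config firewall ssl-server
    edit "legacy-web"
        set ip 10.0.0.5
        set ssl-min-version ssl-3.0
        set ssl-client-renegotiation allow
        set ssl-dh-bits 1024
    next
    edit "hardened-web"
        set ip 10.0.0.6
        set ssl-min-version tls-1.0
        set ssl-client-renegotiation secure
    next
end
"""

def parse_config(text):
    """Return {table: {entry_id: {setting: value}}}; nested config blocks nest under their entry."""
    tables = {}
    stack = []  # frames of (keyword, container dict)
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[0] == "config":
            name = " ".join(tok[1:])
            parent = stack[-1][1] if stack and stack[-1][0] == "edit" else tables
            stack.append(("config", parent.setdefault(name, {})))
        elif tok[0] == "edit":
            stack.append(("edit", stack[-1][1].setdefault(tok[1], {})))
        elif tok[0] == "set":
            stack[-1][1][tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end"):
            stack.pop()
    return tables

# Defaults taken from the reference tables; a setting absent from the dump
# is in effect at its default.
POLICY_DEFAULTS = {"action": "deny", "logtraffic": "utm", "utm-status": "disable"}
SSL_SERVER_DEFAULTS = {"ssl-min-version": "ssl-3.0", "ssl-client-renegotiation": "allow",
                       "ssl-dh-bits": "2048", "ssl-algorithm": "high",
                       "ssl-send-empty-frags": "enable"}

def audit_policies(tables):
    """Flag accept policies that are unlogged, any-to-any, or uninspected."""
    findings = []
    for pid, raw in tables.get("firewall policy", {}).items():
        p = {**POLICY_DEFAULTS, **raw}
        tag = f"policy {pid} ({p.get('name', '')})"
        if p["action"] != "accept":
            continue  # a deny policy is not a permissive-rule risk
        if p["logtraffic"] == "disable":
            findings.append(f"{tag}: accepted traffic is not logged")
        if (p.get("srcaddr"), p.get("dstaddr"), p.get("service")) == ("all", "all", "ALL"):
            findings.append(f"{tag}: any-to-any policy on service ALL")
        if p["utm-status"] != "enable":
            findings.append(f"{tag}: no security profiles applied (utm-status disable)")
    return findings

def audit_ssl_servers(tables):
    """Flag ssl-server entries whose TLS settings are weaker than recommended."""
    findings = []
    for name, raw in tables.get("firewall ssl-server", {}).items():
        s = {**SSL_SERVER_DEFAULTS, **raw}
        tag = f"ssl-server {name}"
        if s["ssl-min-version"] == "ssl-3.0":
            findings.append(f"{tag}: SSLv3 accepted; set ssl-min-version tls-1.0")
        if s["ssl-client-renegotiation"] == "allow":
            findings.append(f"{tag}: client-initiated renegotiation allowed; set secure")
        if int(s["ssl-dh-bits"]) < 2048:
            findings.append(f"{tag}: DHE prime is {s['ssl-dh-bits']} bits; set ssl-dh-bits 2048")
        if s["ssl-algorithm"] != "high" or s["ssl-send-empty-frags"] != "enable":
            findings.append(f"{tag}: weak cipher strength or CBC empty-fragment mitigation off")
    return findings
```

Running `audit_policies(parse_config(SAMPLE_CONFIG))` reports three findings for policy 1 and none for policy 2, and `audit_ssl_servers` reports three for "legacy-web" and none for "hardened-web".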

firewall/ssl-ssh-profile
CLI Syntax
config firewall ssl-ssh-profile
edit <name_str>
set name <string>
set comment <var-string>
config ssl
edit <name_str>
set inspect-all {disable | certificate-inspection | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config https
edit <name_str>
set ports <integer>
set status {disable | certificate-inspection | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config ftps
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config imaps
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config pop3s
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config smtps
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config ssh
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set inspect-all {disable | deep-inspection | enable}
set block {x11-filter | ssh-shell | exec | port-forward}
set log {x11-filter | ssh-shell | exec | port-forward}
end
set whitelist {enable | disable}
config ssl-exempt
edit <name_str>
set id <integer>
set type {fortiguard-category | address | address6}
set fortiguard-category <integer>
set address <string>
set address6 <string>
end
set server-cert-mode {re-sign | replace}
set use-ssl-server {disable | enable}
set caname <string>
set untrusted-caname <string>
set certname <string>
set server-cert <string>
config ssl-server
edit <name_str>
set id <integer>
set ip <ipv4-address-any>
set https-client-cert-request {bypass | inspect | block}
set smtps-client-cert-request {bypass | inspect | block}
set pop3s-client-cert-request {bypass | inspect | block}
set imaps-client-cert-request {bypass | inspect | block}
set ftps-client-cert-request {bypass | inspect | block}
set ssl-other-client-cert-request {bypass | inspect | block}
end
set ssl-invalid-server-cert-log {disable | enable}
set rpc-over-https {enable | disable}
end

Description
Configuration  Description  Default Value
name  Name.  (Empty)
comment  Comment.  (Empty)
ssl  ssl  Details below

Configuration  Default Value
inspect-all  disable
client-cert-request  bypass
unsupported-ssl  bypass
allow-invalid-server-cert  disable
untrusted-cert  allow

https  https  Details below

Configuration  Default Value
ports  (Empty)
status  deep-inspection
client-cert-request  bypass
unsupported-ssl  bypass
allow-invalid-server-cert  disable
untrusted-cert  allow

ftps  ftps  Details below

Configuration  Default Value
ports  (Empty)
status  deep-inspection
client-cert-request  bypass
unsupported-ssl  bypass
allow-invalid-server-cert  disable
untrusted-cert  allow

imaps  imaps  Details below

Configuration  Default Value
ports  (Empty)
status  deep-inspection
client-cert-request  inspect
unsupported-ssl  bypass
allow-invalid-server-cert  disable
untrusted-cert  allow

pop3s  pop3s  Details below

Configuration  Default Value
ports  (Empty)
status  deep-inspection
client-cert-request  inspect
unsupported-ssl  bypass
allow-invalid-server-cert  disable
untrusted-cert  allow

smtps  smtps  Details below

Configuration  Default Value
ports  (Empty)
status  deep-inspection
client-cert-request  inspect
unsupported-ssl  bypass
allow-invalid-server-cert  disable
untrusted-cert  allow

ssh  ssh  Details below

Configuration  Default Value
ports  (Empty)
status  deep-inspection
inspect-all  disable
block  (Empty)
log  (Empty)

whitelist  Enable/disable exempt servers by FortiGuard whitelist.  disable
ssl-exempt  Servers to exempt from SSL inspection.  (Empty)
server-cert-mode  Re-sign or replace the server's certificate.  re-sign
use-ssl-server  Enable/disable to use SSL server table for SSL offloading.  disable
caname  CA certificate used by SSL Inspection.  Fortinet_CA_SSL
untrusted-caname  Untrusted CA certificate used by SSL Inspection.  Fortinet_CA_Untrusted
certname  Certificate containing the key to use when re-signing server certificates for SSL inspection.  Fortinet_SSL
server-cert  Certificate used by SSL Inspection to replace server certificate.  Fortinet_SSL
ssl-server  SSL servers.  (Empty)
ssl-invalid-server-cert-log  Enable/disable SSL server certificate validation logging.  disable
rpc-over-https  Enable/disable inspection of RPC over HTTPS.  enable

firewall/ttl-policy
CLI Syntax
config firewall ttl-policy
edit <name_str>
set id <integer>
set status {enable | disable}
set action {accept | deny}
set srcintf <string>
config srcaddr
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
set schedule <string>
set ttl <user>
end
Description
Configuration  Description  Default Value
id  ID.  0
status  Status.  enable
action  Action.  deny
srcintf  Source interface name.  (Empty)
srcaddr  Source address name.  (Empty)
service  Service name.  (Empty)
schedule  Schedule name.  (Empty)
ttl  TTL range.  (Empty)

firewall/vip
CLI Syntax
config firewall vip
edit <name_str>
set name <string>
set id <integer>
set uuid <uuid>
set comment <var-string>
set type {static-nat | load-balance | server-load-balance | dns-translation | fqdn}
set dns-mapping-ttl <integer>
set ldb-method {static | round-robin | weighted | least-session | least-rtt | first-alive | http-host}
config src-filter
edit <name_str>
set range <string>
end
set extip <user>
config mappedip
edit <name_str>
set range <string>
end
set mapped-addr <string>
set extintf <string>
set arp-reply {disable | enable}
set server-type {http | https | imaps | pop3s | smtps | ssl | tcp | udp | ip}
set persistence {none | http-cookie | ssl-session-id}
set nat-source-vip {disable | enable}
set portforward {disable | enable}
set protocol {tcp | udp | sctp | icmp}
set extport <user>
set mappedport <user>
set gratuitous-arp-interval <integer>
config srcintf-filter
edit <name_str>
set interface-name <string>
end
set portmapping-type {1-to-1 | m-to-n}
config realservers
edit <name_str>
set id <integer>
set ip <ipv4-address-any>
set port <integer>
set status {active | standby | disable}
set weight <integer>
set holddown-interval <integer>
set healthcheck {disable | enable | vip}
set http-host <string>
set max-connections <integer>
set monitor <string>
set client-ip <user>
end
set http-cookie-domain-from-host {disable | enable}
set http-cookie-domain <string>
set http-cookie-path <string>
set http-cookie-generation <integer>
set http-cookie-age <integer>
set http-cookie-share {disable | same-ip}
set https-cookie-secure {disable | enable}
set http-multiplex {enable | disable}
set http-ip-header {enable | disable}
set http-ip-header-name <string>
set outlook-web-access {disable | enable}
set weblogic-server {disable | enable}
set websphere-server {disable | enable}
set ssl-mode {half | full}
set ssl-certificate <string>
set ssl-dh-bits {768 | 1024 | 1536 | 2048}
set ssl-algorithm {high | medium | low | custom}
config ssl-cipher-suites
edit <name_str>
set priority <integer>
set cipher {TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 | TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 | TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 |
TLS-DHE-RSA-WITH-AES-128-CBC-SHA | TLS-DHE-RSA-WITH-AES-256-CBC-SHA | TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 |
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 | TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 | TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 |
TLS-DHE-DSS-WITH-AES-128-CBC-SHA | TLS-DHE-DSS-WITH-AES-256-CBC-SHA | TLS-DHE-DSS-WITH-AES-128-CBC-SHA256 |
TLS-DHE-DSS-WITH-AES-128-GCM-SHA256 | TLS-DHE-DSS-WITH-AES-256-CBC-SHA256 | TLS-DHE-DSS-WITH-AES-256-GCM-SHA384 |
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA | TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256 | TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 |
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA | TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384 | TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 |
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA | TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 | TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 |
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 | TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 | TLS-RSA-WITH-AES-128-CBC-SHA |
TLS-RSA-WITH-AES-256-CBC-SHA | TLS-RSA-WITH-AES-128-CBC-SHA256 | TLS-RSA-WITH-AES-128-GCM-SHA256 |
TLS-RSA-WITH-AES-256-CBC-SHA256 | TLS-RSA-WITH-AES-256-GCM-SHA384 | TLS-RSA-WITH-CAMELLIA-128-CBC-SHA |
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA | TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256 | TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256 |
TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA | TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA | TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA |
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA | TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA | TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 |
TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256 | TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256 | TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256 |
TLS-DHE-RSA-WITH-SEED-CBC-SHA | TLS-DHE-DSS-WITH-SEED-CBC-SHA | TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256 |
TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384 | TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256 | TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384 |
TLS-RSA-WITH-SEED-CBC-SHA | TLS-RSA-WITH-ARIA-128-CBC-SHA256 | TLS-RSA-WITH-ARIA-256-CBC-SHA384 |
TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256 | TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384 | TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256 |
TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384 | TLS-ECDHE-RSA-WITH-RC4-128-SHA | TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA |
TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA | TLS-RSA-WITH-3DES-EDE-CBC-SHA | TLS-RSA-WITH-RC4-128-MD5 |
TLS-RSA-WITH-RC4-128-SHA | TLS-DHE-RSA-WITH-DES-CBC-SHA | TLS-DHE-DSS-WITH-DES-CBC-SHA |
TLS-RSA-WITH-DES-CBC-SHA}
set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
end
set ssl-pfs {require | deny | allow}
set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-send-empty-frags {enable | disable}
set ssl-client-renegotiation {allow | deny | secure}
set ssl-client-session-state-type {disable | time | count | both}
set ssl-client-session-state-timeout <integer>
set ssl-client-session-state-max <integer>
set ssl-server-session-state-type {disable | time | count | both}
set ssl-server-session-state-timeout <integer>
set ssl-server-session-state-max <integer>
set ssl-http-location-conversion {enable | disable}
set ssl-http-match-host {enable | disable}
set monitor <string>
set max-embryonic-connections <integer>
set color <integer>
end
Description
Configuration  Description  Default Value
name  Virtual IP name.  (Empty)
id  Custom defined ID.  0
uuid  Universally Unique IDentifier.  00000000-0000-0000-0000-000000000000
comment  Comment.  (Empty)
type  VIP type: static NAT, load balance, server load balance.  static-nat
dns-mapping-ttl  DNS mapping TTL (Set to zero to use TTL in DNS response, default = 0).  0
ldb-method  Load balance method.  static
src-filter  Source IP filter (x.x.x.x/x x.x.x.x-y.y.y.y).  (Empty)
extip  Start external IP - end external IP.  0.0.0.0
mappedip  Mapped IP (x.x.x.x/x x.x.x.x-y.y.y.y).  (Empty)
mapped-addr  Mapped address.  (Empty)
extintf  External interface.  (Empty)
arp-reply  Enable/disable ARP reply.  enable
server-type  Server type.  (Empty)
persistence  Persistence.  none
nat-source-vip  Enable/disable force NAT as VIP when server goes out.  disable
portforward  Enable/disable port forward.  disable
protocol  Mapped port protocol.  tcp
extport  External service port.  0
mappedport  Mapped service port.  0
gratuitous-arp-interval  Interval between sending gratuitous ARPs (seconds, 0 to disable).  0
srcintf-filter  Source interface filter.  (Empty)
portmapping-type  Port mapping type.  1-to-1
realservers  Real servers.  (Empty)
http-cookie-domain-from-host  Enable/disable use of HTTP cookie domain from host field in HTTP.  disable
http-cookie-domain  HTTP cookie domain.  (Empty)
http-cookie-path  HTTP cookie path.  (Empty)
http-cookie-generation  Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.  0
http-cookie-age  Number of minutes the web browser should keep cookie (0 = forever).  60
http-cookie-share  Share HTTP cookies across different virtual servers.  same-ip
https-cookie-secure  Enable/disable verifying that the cookie inserted into HTTPS is marked as secure.  disable
http-multiplex  Enable/disable multiplex HTTP requests/responses over a single TCP connection.  disable
http-ip-header  Add additional HTTP header containing client's original IP address.  disable
http-ip-header-name  Name of HTTP header containing client's IP address (X-Forwarded-For is used if empty).  (Empty)
outlook-web-access  Enable/disable adding HTTP header indicating SSL offload for Outlook Web Access server.  disable
weblogic-server  Enable/disable adding HTTP header indicating SSL offload for WebLogic server.  disable
websphere-server  Enable/disable adding HTTP header indicating SSL offload for WebSphere server.  disable
ssl-mode  SSL/TLS mode for encryption & decryption of traffic.  half
ssl-certificate  Name of Certificate to offer in every SSL connection.  (Empty)
ssl-dh-bits  Size of Diffie-Hellman prime used in DHE-RSA negotiation.  2048
ssl-algorithm  Relative strength of encryption algorithms accepted in negotiation.  high
ssl-cipher-suites  SSL/TLS cipher suites ordered by priority.  (Empty)
ssl-pfs  SSL Perfect Forward Secrecy.  allow
ssl-min-version  Lowest SSL/TLS version to negotiate.  tls-1.0
ssl-max-version  Highest SSL/TLS version to negotiate.  tls-1.2
ssl-send-empty-frags  Send empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only).  enable
ssl-client-renegotiation  Allow/block client renegotiation by server.  allow
ssl-client-session-state-type  Control Client to FortiGate SSL session state preservation.  both
ssl-client-session-state-timeout  Number of minutes to keep client to FortiGate SSL session state.  30
ssl-client-session-state-max  Maximum number of client to FortiGate SSL session states to keep.  1000
ssl-server-session-state-type  Control FortiGate to server SSL session state preservation.  both
ssl-server-session-state-timeout  Number of minutes to keep FortiGate to Server SSL session state.  60
ssl-server-session-state-max  Maximum number of FortiGate to Server SSL session states to keep.  100
ssl-http-location-conversion  Enable/disable location conversion on HTTP response header.  disable
ssl-http-match-host  Enable/disable HTTP host matching for location conversion.  disable
monitor  Health monitors.  (Empty)
max-embryonic-connections  Maximum number of incomplete connections.  1000
color  GUI icon color.  0

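The ssl-ssh-profile and firewall vip tables give each SSL attribute's documented default, and a FortiOS show dump omits attributes that are still at their default, so an auditor has to fill the defaults back in before judging a dump. The Python below is an example added here, not Fortinet's code: it parses the config syntax shown on this page (assuming, as real FortiOS output does, that next closes a table entry), fills in the documented defaults, and flags the settings a defender would normally tighten. The sample config, the weak-cipher markers and the assumption that the explicit cipher-suite list applies only with ssl-algorithm custom are constructed for the example.

```python
"""Audit SSL settings in a FortiOS 5.4 'show' dump (example added for this page,
not Fortinet code). Defaults come from the firewall/ssl-ssh-profile and
firewall/vip tables; the sample config and the checks are constructed."""
from typing import Dict, List, Optional

# A 'show' dump omits attributes that are still at their documented default.
VIP_DEFAULTS = {"ssl-min-version": "tls-1.0", "ssl-pfs": "allow", "ssl-algorithm": "high",
                "ssl-client-renegotiation": "allow", "https-cookie-secure": "disable",
                "persistence": "none", "server-type": ""}
PROFILE_PROTOCOLS = ("https", "ftps", "imaps", "pop3s", "smtps")
SSL_SERVER_TYPES = ("https", "ssl", "imaps", "pop3s", "smtps")
VERSION_ORDER = ("ssl-3.0", "tls-1.0", "tls-1.1", "tls-1.2")
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC", "MD5")   # "DES-CBC" also matches 3DES suites


def parse_config(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Parse 'config T / edit N / set K V / next / end' into {T: {N: {K: V}}}.
    Values set in a nested config block are keyed 'sub/entry/key' (or 'sub/key')."""
    tables: Dict[str, Dict[str, Dict[str, str]]] = {}
    stack: List[str] = []                 # names of the open config/edit blocks
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "edit":
            stack.append(" ".join(tok[1:]).strip('"'))
            if len(stack) == 2:           # an entry of a top-level table
                current = tables.setdefault(stack[0], {}).setdefault(stack[1], {})
        elif tok[0] == "set" and current is not None:
            current["/".join(stack[2:] + [tok[1]])] = " ".join(tok[2:]).strip('"')
        elif tok[0] in ("next", "end") and stack:   # next closes an entry, end a block
            stack.pop()
            if len(stack) < 2:
                current = None
    return tables


def audit_vip(name: str, a: Dict[str, str]) -> List[str]:
    """Findings for one 'config firewall vip' entry that terminates SSL/TLS."""
    c = {**VIP_DEFAULTS, **a}
    if c["server-type"] not in SSL_SERVER_TYPES:
        return []                         # this VIP does no SSL offload
    checks = [
        (VERSION_ORDER.index(c["ssl-min-version"]) < 2,        # ssl-3.0 or tls-1.0
         f"ssl-min-version {c['ssl-min-version']} accepts legacy protocol versions"),
        (c["ssl-pfs"] != "require", f"ssl-pfs {c['ssl-pfs']}: forward secrecy not required"),
        (c["ssl-client-renegotiation"] == "allow", "client renegotiation allowed"),
        (c["persistence"] == "http-cookie" and c["https-cookie-secure"] != "enable",
         "persistence cookie not marked Secure (https-cookie-secure disable)"),
    ]
    out = [f"{name}: {msg}" for hit, msg in checks if hit]
    if c["ssl-algorithm"] == "custom":    # assumed: explicit suite list applies only then
        out += [f"{name}: weak cipher suite {v}" for k, v in a.items()
                if k.startswith("ssl-cipher-suites/") and k.endswith("/cipher")
                and any(m in v for m in WEAK_CIPHER_MARKERS)]
    return out


def audit_ssl_profile(name: str, a: Dict[str, str]) -> List[str]:
    """Findings for one 'config firewall ssl-ssh-profile' entry."""
    out = []
    for p in PROFILE_PROTOCOLS:
        if a.get(f"{p}/status", "deep-inspection") != "deep-inspection":
            continue
        if a.get(f"{p}/untrusted-cert", "allow") == "allow":
            out.append(f"{name}: {p} deep inspection allows untrusted server certs")
        if a.get(f"{p}/allow-invalid-server-cert", "disable") == "enable":
            out.append(f"{name}: {p} allows invalid server certs")
    if a.get("ssl-invalid-server-cert-log", "disable") != "enable":
        out.append(f"{name}: invalid server certificates are not logged")
    return out


def audit(text: str) -> List[str]:
    """All findings for the VIPs and SSL/SSH profiles in a dump."""
    t = parse_config(text)
    return ([f for n, a in t.get("firewall vip", {}).items() for f in audit_vip(n, a)]
            + [f for n, a in t.get("firewall ssl-ssh-profile", {}).items()
               for f in audit_ssl_profile(n, a)])


SAMPLE = """\
config firewall vip
    edit "web-lb"
        set server-type https
        set persistence http-cookie
        set ssl-algorithm custom
        config ssl-cipher-suites
            edit 1
                set cipher TLS-RSA-WITH-RC4-128-SHA
            next
        end
        set ssl-min-version ssl-3.0
    next
end
config firewall ssl-ssh-profile
    edit "deep"
        config https
            set untrusted-cert block
        end
    next
end
"""   # constructed sample dump for the example
```

Running audit(SAMPLE) reports five findings for web-lb and five for the profile, four of them from protocols whose untrusted-cert is still at its default of allow.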
firewall/vip46
CLI Syntax
config firewall vip46
edit <name_str>
set name <string>
set id <integer>
set uuid <uuid>
set comment <var-string>
config src-filter
edit <name_str>
set range <string>
end
set extip <user>
set mappedip <user>
set arp-reply {disable | enable}
set portforward {disable | enable}
set protocol {tcp | udp}
set extport <user>
set mappedport <user>
set color <integer>
end
Description
Configuration  Description  Default Value
name  VIP46 name.  (Empty)
id  Custom defined ID.  0
uuid  Universally Unique IDentifier.  00000000-0000-0000-0000-000000000000
comment  Comment.  (Empty)
src-filter  Source IP filter (x.x.x.x/x).  (Empty)
extip  Start-external-IP [-end-external-IP].  0.0.0.0
mappedip  Start-mapped-IP [-end-mapped-IP].  ::
arp-reply  Enable ARP reply.  enable
portforward  Enable port forward.  disable
protocol  Mapped port protocol.  tcp
extport  External service port.  0
mappedport  Mapped service port.  0
color  GUI icon color.  0

firewall/vip6
CLI Syntax
config firewall vip6
edit <name_str>
set name <string>
set id <integer>
set uuid <uuid>
set comment <var-string>
set type {static-nat}
config src-filter
edit <name_str>
set range <string>
end
set extip <user>
set mappedip <user>
set arp-reply {disable | enable}
set portforward {disable | enable}
set protocol {tcp | udp | sctp}
set extport <user>
set mappedport <user>
set color <integer>
end
Description
Configuration  Description  Default Value
name  Virtual ip6 name.  (Empty)
id  Custom defined ID.  0
uuid  Universally Unique IDentifier.  00000000-0000-0000-0000-000000000000
comment  Comment.  (Empty)
type  VIP type: static NAT.  static-nat
src-filter  Source IP6 filter (x:x:x:x:x:x:x:x/x).  (Empty)
extip  Start external IP - end external IP.  ::
mappedip  Start mapped IP - end mapped IP.  ::
arp-reply  Enable/disable ARP reply.  enable
portforward  Enable/disable port forward.  disable
protocol  Mapped port protocol.  tcp
extport  External service port.  0
mappedport  Mapped service port.  0
color  GUI icon color.  0

firewall/vip64
CLI Syntax
config firewall vip64
edit <name_str>
set name <string>
set id <integer>
set uuid <uuid>
set comment <var-string>
config src-filter
edit <name_str>
set range <string>
end
set extip <user>
set mappedip <user>
set arp-reply {disable | enable}
set portforward {disable | enable}
set protocol {tcp | udp}
set extport <user>
set mappedport <user>
set color <integer>
end
Description
Configuration  Description  Default Value
name  VIP64 name.  (Empty)
id  Custom defined ID.  0
uuid  Universally Unique IDentifier.  00000000-0000-0000-0000-000000000000
comment  Comment.  (Empty)
src-filter  Source IP6 filter (x:x:x:x:x:x:x:x/x).  (Empty)
extip  Start-external-IP [-End-external-IP].  ::
mappedip  Start-mapped-IP [-End-mapped-IP].  0.0.0.0
arp-reply  Enable ARP reply.  enable
portforward  Enable port forward.  disable
protocol  Mapped port protocol.  tcp
extport  External service port.  0
mappedport  Mapped service port.  0
color  GUI icon color.  0

firewall/vipgrp
CLI Syntax
config firewall vipgrp
edit <name_str>
set name <string>
set uuid <uuid>
set interface <string>
set color <integer>
set comments <var-string>
config member
edit <name_str>
set name <string>
end
end
Description
Configuration  Description  Default Value
name  VIP group name.  (Empty)
uuid  Universally Unique IDentifier.  00000000-0000-0000-0000-000000000000
interface  Interface.  (Empty)
color  GUI icon color.  0
comments  Comment.  (Empty)
member  VIP group member.  (Empty)

firewall/vipgrp46
CLI Syntax
config firewall vipgrp46
edit <name_str>
set name <string>
set uuid <uuid>
set color <integer>
set comments <var-string>
config member
edit <name_str>
set name <string>
end
end
Description
Configuration  Description  Default Value
name  VIP46 group name.  (Empty)
uuid  Universally Unique IDentifier.  00000000-0000-0000-0000-000000000000
color  GUI icon color.  0
comments  Comment.  (Empty)
member  VIP46 group member.  (Empty)

firewall/vipgrp6
CLI Syntax
config firewall vipgrp6
edit <name_str>
set name <string>
set uuid <uuid>
set color <integer>
set comments <var-string>
config member
edit <name_str>
set name <string>
end
end
Description
Configuration  Description  Default Value
name  IPv6 VIP group name.  (Empty)
uuid  Universally Unique IDentifier.  00000000-0000-0000-0000-000000000000
color  GUI icon color.  0
comments  Comment.  (Empty)
member  VIP group6 member.  (Empty)

firewall/vipgrp64
CLI Syntax
config firewall vipgrp64
edit <name_str>
set name <string>
set uuid <uuid>
set color <integer>
set comments <var-string>
config member
edit <name_str>
set name <string>
end
end
Description
Configuration  Description  Default Value
name  VIP64 group name.  (Empty)
uuid  Universally Unique IDentifier.  00000000-0000-0000-0000-000000000000
color  GUI icon color.  0
comments  Comment.  (Empty)
member  VIP64 group member.  (Empty)

ftp-proxy/explicit
CLI Syntax
config ftp-proxy explicit
edit <name_str>
set status {enable | disable}
set incoming-port <integer>
set incoming-ip <ipv4-address-any>
set outgoing-ip <ipv4-address-any>
set sec-default-action {accept | deny}
end
Description
Configuration  Description  Default Value
status  Enable/disable explicit FTP proxy.  disable
incoming-port  Accept incoming FTP requests on ports other than port 21.  21
incoming-ip  Accept incoming FTP requests from this IP. An interface must have this IP address.  0.0.0.0
outgoing-ip  Outgoing FTP requests will leave from this IP. An interface must have this IP address.  (Empty)
sec-default-action  Default action to allow or deny when no ftp-proxy firewall policy exists.  deny

gui/console
CLI Syntax
config gui console
edit <name_str>
set preferences <user>
end
Description
Configuration  Description  Default Value
preferences  Preferences.  "c2lkY2FyZQlGRkZGRkYJMDAwMDAwCW1vbm9zcGFjZQkxMHB0CTk5OTkJMAphZG1pbglGRkZGRkYJMDAwMDAwCW1vbm9zcGFjZQkxMHB0CTUwMAkwCg=="

icap/profile
CLI Syntax
config icap profile
edit <name_str>
set replacemsg-group <string>
set name <string>
set request {disable | enable}
set response {disable | enable}
set streaming-content-bypass {disable | enable}
set request-server <string>
set response-server <string>
set request-failure {error | bypass}
set response-failure {error | bypass}
set request-path <string>
set response-path <string>
set methods {delete | get | head | options | post | put | trace | other}
end
Description
Configuration  Description  Default Value
replacemsg-group  Replacement message group.  (Empty)
name  ICAP profile name.  (Empty)
request  Enable/disable control of an HTTP request passing to ICAP server.  disable
response  Enable/disable control of an HTTP response passing to ICAP server.  disable
streaming-content-bypass  Enable/disable control over streaming content being sent to ICAP server or bypassed.  disable
request-server  ICAP server to use for an HTTP request.  (Empty)
response-server  ICAP server to use for an HTTP response.  (Empty)
request-failure  Action to take if the ICAP server cannot be contacted when processing an HTTP request.  error
response-failure  Action to take if the ICAP server cannot be contacted when processing an HTTP response.  error
request-path  Path component of the ICAP URI that identifies the HTTP request processing service.  (Empty)
response-path  Path component of the ICAP URI that identifies the HTTP response processing service.  (Empty)
methods  The allowed HTTP methods that will be sent to ICAP server for further processing.  delete get head options post put trace other

icap/server
CLI Syntax
config icap server
edit <name_str>
set name <string>
set ip-version {4 | 6}
set ip-address <ipv4-address-any>
set ip6-address <ipv6-address>
set port <integer>
set max-connections <integer>
end
Description
Configuration  Description  Default Value
name  Server name.  (Empty)
ip-version  IP version.  4
ip-address  IPv4 address of the ICAP server.  0.0.0.0
ip6-address  IPv6 address of the ICAP server.  ::
port  ICAP server port.  1344
max-connections  Maximum number of concurrent connections to ICAP server.  100

ips/custom
CLI Syntax
config ips custom
edit <name_str>
set tag <string>
set signature <string>
set sig-name <string>
set rule-id <integer>
set severity <user>
set location <user>
set os <user>
set application <user>
set protocol <user>
set status {disable | enable}
set log {disable | enable}
set log-packet {disable | enable}
set action {pass | block}
set comment <string>
end
Description
Configuration  Description  Default Value
tag  Signature tag.  (Empty)
signature  Signature text.  (Empty)
sig-name  Signature name.  (Empty)
rule-id  Signature ID.  0
severity  Severity.  (Empty)
location  Vulnerable location.  (Empty)
os  Vulnerable operating systems.  (Empty)
application  Vulnerable applications.  (Empty)
protocol  Vulnerable service.  (Empty)
status  Enable/disable status.  enable
log  Enable/disable logging.  enable
log-packet  Enable/disable packet logging.  disable
action  Action.  pass
comment  Comment.  (Empty)

ips/dbinfo
CLI Syntax
config ips dbinfo
edit <name_str>
set version <integer>
end
Description
Configuration  Description  Default Value
version  Internal category version.  0

ips/decoder
CLI Syntax
config ips decoder
edit <name_str>
set name <string>
config parameter
edit <name_str>
set name <string>
set value <string>
end
end
Description
Configuration  Description  Default Value
name  Decoder name.  (Empty)
parameter  IPS group parameters.  (Empty)

ips/global
CLI Syntax
config ips global
edit <name_str>
set fail-open {enable | disable}
set database {regular | extended}
set traffic-submit {enable | disable}
set anomaly-mode {periodical | continuous}
set session-limit-mode {accurate | heuristic}
set intelligent-mode {enable | disable}
set socket-size <integer>
set engine-count <integer>
set algorithm {engine-pick | low | high | super}
set sync-session-ttl {enable | disable}
set np-accel-mode {none | basic}
set ips-reserve-cpu {disable | enable}
set cp-accel-mode {none | basic | advanced}
set skype-client-public-ipaddr <var-string>
set default-app-cat-mask <user>
set deep-app-insp-timeout <integer>
set deep-app-insp-db-limit <integer>
set exclude-signatures {none | industrial}
end
Description
Configuration  Description  Default Value
fail-open  Enable/disable IPS fail open option.  enable
database  IPS database selection.  extended
traffic-submit  Enable/disable submit attack characteristics to FortiGuard Service.  disable
anomaly-mode  Blocking mode for rate-based anomaly.  continuous
session-limit-mode  Counter mode for session-limit anomaly.  heuristic
intelligent-mode  Enable/disable intelligent scan mode.  enable
socket-size  IPS socket buffer size.  128
engine-count  Number of engines (0: use recommended setting).  0
algorithm  Signature matching algorithm.  engine-pick
sync-session-ttl  Enable/disable use of kernel session TTL for IPS sessions.  disable
np-accel-mode  Network Processor acceleration mode.  basic
ips-reserve-cpu  Enable/disable IPS daemon's use of CPUs other than CPU 0.  disable
cp-accel-mode  Content Processor acceleration mode.  advanced
skype-client-public-ipaddr  Comma-separated client external IP address for decrypting Skype protocol.  (Empty)
default-app-cat-mask  Default enabled application category mask.  18446744073709551615
deep-app-insp-timeout  Timeout for Deep application inspection (1 - 2147483647 sec., 0 = use recommended setting).  0
deep-app-insp-db-limit  Limit on number of entries in deep application inspection database (1 - 2147483647, 0 = use recommended setting).  0
exclude-signatures  Excluded signatures.  industrial

ips/rule
CLI Syntax
config ips rule
edit <name_str>
set name <string>
set status {disable | enable}
set log {disable | enable}
set log-packet {disable | enable}
set action {pass | block}
set group <string>
set severity {}
set location {}
set os <user>
set application <user>
set service <user>
set rule-id <integer>
set rev <integer>
set date <integer>
config metadata
edit <name_str>
set id <integer>
set metaid <integer>
set valueid <integer>
end
end
Description
Configuration  Description  Default Value
name  Rule name.  (Empty)
status  Enable/disable status.  enable
log  Enable/disable logging.  enable
log-packet  Enable/disable packet logging.  disable
action  Action.  pass
group  Group.  (Empty)
severity  Severity.  (Empty)
location  Vulnerable location.  (Empty)
os  Vulnerable operating systems.  (Empty)
application  Vulnerable applications.  (Empty)
service  Vulnerable service.  (Empty)
rule-id  Rule ID.  0
rev  Revision.  0
date  Date.  0
metadata  Meta data.  (Empty)

ips/rule-settings
CLI Syntax
config ips rule-settings
edit <name_str>
set id <integer>
config tags
edit <name_str>
set name <string>
end
end
Description
Configuration  Description  Default Value
id  Rule ID.  0
tags  Applied object tags.  (Empty)

ips/sensor
CLI Syntax
config ips sensor
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
set block-malicious-url {disable | enable}
config entries
edit <name_str>
set id <integer>
config rule
edit <name_str>
set id <integer>
end
set location <user>
set severity <user>
set protocol <user>
set os <user>
set application <user>
config tags
edit <name_str>
set name <string>
end
set status {disable | enable | default}
set log {disable | enable}
set log-packet {disable | enable}
set log-attack-context {disable | enable}
set action {pass | block | reset | default}
set rate-count <integer>
set rate-duration <integer>
set rate-mode {periodical | continuous}
set rate-track {none | src-ip | dest-ip | dhcp-client-mac | dns-domain}
config exempt-ip
edit <name_str>
set id <integer>
set src-ip <ipv4-classnet>
set dst-ip <ipv4-classnet>
end
set quarantine {none | attacker | both | interface}
set quarantine-expiry <user>
set quarantine-log {disable | enable}
end
config filter
edit <name_str>
set name <string>
set location <user>
set severity <user>
set protocol <user>
set os <user>
set application <user>
set status {disable | enable | default}
set log {disable | enable}
set log-packet {disable | enable}
set action {pass | block | reset | default}
set quarantine {none | attacker | both | interface}
set quarantine-expiry <integer>
set quarantine-log {disable | enable}
end
config override
edit <name_str>
set rule-id <integer>
set status {disable | enable}
set log {disable | enable}
set log-packet {disable | enable}
set action {pass | block | reset}
set quarantine {none | attacker | both | interface}
set quarantine-expiry <integer>
set quarantine-log {disable | enable}
config exempt-ip
edit <name_str>
set id <integer>
set src-ip <ipv4-classnet>
set dst-ip <ipv4-classnet>
end
end
end
Description
Configuration  Description  Default Value
name  Sensor name.  (Empty)
comment  Comment.  (Empty)
replacemsg-group  Replacement message group.  (Empty)
block-malicious-url  Enable/disable malicious URL blocking.  disable
entries  IPS sensor filter.  (Empty)
filter  IPS sensor filter.  (Empty)
override  IPS override rule.  (Empty)

ips/settings
CLI Syntax
config ips settings
edit <name_str>
set packet-log-history <integer>
set packet-log-post-attack <integer>
set packet-log-memory <integer>
set ips-packet-quota <integer>
end
Description
Configuration  Description  Default Value
packet-log-history  Number of packets to be recorded before alert (1 - 255).  1
packet-log-post-attack  Number of packets to be recorded after attack (0 - 255).  0
packet-log-memory  Maximum memory that can be used by packet log (64 - 8192 kB).  256
ips-packet-quota  IPS packet quota.  0

log.disk/filter
CLI Syntax
config log.disk filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set dlp-archive {enable | disable}
set gtp {enable | disable}
set event {enable | disable}
set system {enable | disable}
set radius {enable | disable}
set ipsec {enable | disable}
set dhcp {enable | disable}
set ppp {enable | disable}
set admin {enable | disable}
set ha {enable | disable}
set auth {enable | disable}
set pattern {enable | disable}
set sslvpn-log-auth {enable | disable}
set sslvpn-log-adm {enable | disable}
set sslvpn-log-session {enable | disable}
set vip-ssl {enable | disable}
set ldb-monitor {enable | disable}
set wan-opt {enable | disable}
set wireless-activity {enable | disable}
set cpu-memory-usage {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

Description
Configuration                   Description                                                   Default Value
severity                        Lowest severity level to log.                                 information
forward-traffic                 Enable/disable log through traffic messages.                  enable
local-traffic                   Enable/disable log local in or out traffic messages.          enable
multicast-traffic               Enable/disable log multicast traffic messages.                enable
sniffer-traffic                 Enable/disable log sniffer traffic messages.                  enable
anomaly                         Enable/disable log anomaly messages.                          enable
netscan-discovery               Enable/disable log netscan discovery events.                  enable
netscan-vulnerability           Enable/disable log netscan vulnerability events.              enable
voip                            Enable/disable log VoIP messages.                             enable
dlp-archive                     Enable/disable log DLP archive.                               enable
gtp                             Enable/disable log GTP messages.                              enable
event                           Enable/disable log event messages.                            enable
system                          Enable/disable log system activity messages.                  enable
radius                          Enable/disable log RADIUS messages.                           enable
ipsec                           Enable/disable log IPsec negotiation messages.                enable
dhcp                            Enable/disable log DHCP service messages.                     enable
ppp                             Enable/disable log L2TP/PPTP/PPPoE messages.                  enable
admin                           Enable/disable log admin login/logout messages.               enable
ha                              Enable/disable log HA activity messages.                      enable
auth                            Enable/disable log firewall authentication messages.          enable
pattern                         Enable/disable log pattern update messages.                   enable
sslvpn-log-auth                 Enable/disable log SSL user authentication.                   enable
sslvpn-log-adm                  Enable/disable log SSL administration.                        enable
sslvpn-log-session              Enable/disable log SSL session.                               enable
vip-ssl                         Enable/disable log VIP SSL messages.                          enable
ldb-monitor                     Enable/disable log VIP real server health monitoring          enable
                                messages.
wan-opt                         Enable/disable log WAN optimization messages.                 enable
wireless-activity               Enable/disable log wireless activity.                         enable
cpu-memory-usage                Enable/disable log CPU & memory usage every 5 minutes.        disable
filter                          Log filter for the log device.                                (Empty)
filter-type                     Include/exclude logs that match the filter setting.           include
log.disk/setting
CLI Syntax
config log.disk setting
edit <name_str>
set status {enable | disable}
set ips-archive {enable | disable}
set max-log-file-size <integer>
set max-policy-packet-capture-size <integer>
set roll-schedule {daily | weekly}
set roll-day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set roll-time <user>
set diskfull {overwrite | nolog}
set log-quota <integer>
set dlp-archive-quota <integer>
set report-quota <integer>
set maximum-log-age <integer>
set upload {enable | disable}
set upload-destination {ftp-server}
set uploadip <ipv4-address>
set uploadport <integer>
set source-ip <ipv4-address>
set uploaduser <string>
set uploadpass <password>
set uploaddir <string>
set uploadtype {traffic | event | virus | webfilter | IPS | spamfilter | dlp-archive | anomaly | voip | dlp | app-ctrl | waf | netscan | gtp}
set uploadzip {disable | enable}
set uploadsched {disable | enable}
set uploadtime <integer>
set upload-delete-files {enable | disable}
set upload-ssl-conn {default | high | low | disable}
set full-first-warning-threshold <integer>
set full-second-warning-threshold <integer>
set full-final-warning-threshold <integer>
end

Description
Configuration                   Description                                                   Default Value
status                          Enable/disable local disk log.                                disable
ips-archive                     Enable/disable IPS packet archive.                            enable
max-log-file-size               Maximum log file size in MB before rolling.                   20
max-policy-packet-capture-size  Maximum size of policy sniffer in MB (0 = unlimited).         10
roll-schedule                   Frequency to check log file for rolling.                      daily
roll-day                        Days of week to roll logs.                                    sunday
roll-time                       Time to roll logs (hh:mm).                                    00:00
diskfull                        Policy to apply when disk is full.                            overwrite
log-quota                       Disk log quota (MB).                                          0
dlp-archive-quota               DLP archive quota (MB).                                       0
report-quota                    Report quota (MB).                                            0
maximum-log-age                 Delete log files older than (days).                           7
upload                          Enable/disable upload of log files upon rolling.              disable
upload-destination              Server type.                                                  ftp-server
uploadip                        IP address of log uploading server.                           0.0.0.0
uploadport                      Port of the log uploading server.                             21
source-ip                       Source IP address of the disk log uploading.                  0.0.0.0
uploaduser                      User account in the uploading server.                         (Empty)
uploadpass                      Password of the user account in the uploading server.         (Empty)
uploaddir                       Log file uploading remote directory.                          (Empty)
uploadtype                      Types of log files that need to be uploaded.                  traffic event virus webfilter IPS spamfilter
                                                                                              dlp-archive anomaly voip dlp app-ctrl waf
                                                                                              netscan gtp
uploadzip                       Enable/disable compression of uploaded logs.                  disable
uploadsched                     Scheduled upload (disable = upload when rolling).             disable
uploadtime                      Time of scheduled upload.                                     0
upload-delete-files             Delete log files after uploading (default=enable).            enable
upload-ssl-conn                 Enable/disable SSL communication when uploading.              default
full-first-warning-threshold    Log full first warning threshold (1 - 98, default = 75).      75
full-second-warning-threshold   Log full second warning threshold (2 - 99, default = 90).     90
full-final-warning-threshold    Log full final warning threshold (3 - 100, default = 95).     95
log.fortianalyzer/filter
CLI Syntax
config log.fortianalyzer filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set dlp-archive {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

Description
Configuration                   Description                                                   Default Value
severity                        Lowest severity level to log.                                 information
forward-traffic                 Enable/disable log through traffic messages.                  enable
local-traffic                   Enable/disable log local in or out traffic messages.          enable
multicast-traffic               Enable/disable log multicast traffic messages.                enable
sniffer-traffic                 Enable/disable log sniffer traffic messages.                  enable
anomaly                         Enable/disable log anomaly messages.                          enable
netscan-discovery               Enable/disable log netscan discovery events.                  enable
netscan-vulnerability           Enable/disable log netscan vulnerability events.              enable
voip                            Enable/disable log VoIP messages.                             enable
dlp-archive                     Enable/disable log DLP archive.                               enable
gtp                             Enable/disable log GTP messages.                              enable
filter                          Log filter for the log device.                                (Empty)
filter-type                     Include/exclude logs that match the filter setting.           include
log.fortianalyzer/override-filter
CLI Syntax
config log.fortianalyzer override-filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set dlp-archive {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

Description
Configuration                   Description                                                   Default Value
severity                        Lowest severity level to log.                                 information
forward-traffic                 Enable/disable log through traffic messages.                  enable
local-traffic                   Enable/disable log local in or out traffic messages.          enable
multicast-traffic               Enable/disable log multicast traffic messages.                enable
sniffer-traffic                 Enable/disable log sniffer traffic messages.                  enable
anomaly                         Enable/disable log anomaly messages.                          enable
netscan-discovery               Enable/disable log netscan discovery events.                  enable
netscan-vulnerability           Enable/disable log netscan vulnerability events.              enable
voip                            Enable/disable log VoIP messages.                             enable
dlp-archive                     Enable/disable log DLP archive.                               enable
gtp                             Enable/disable log GTP messages.                              enable
filter                          Log filter for the log device.                                (Empty)
filter-type                     Include/exclude logs that match the filter setting.           include
log.fortianalyzer/override-setting
CLI Syntax
config log.fortianalyzer override-setting
edit <name_str>
set override {enable | disable}
set use-management-vdom {enable | disable}
set status {enable | disable}
set ips-archive {enable | disable}
set server <string>
set hmac-algorithm {sha256 | sha1}
set enc-algorithm {default | high | low | disable}
set conn-timeout <integer>
set monitor-keepalive-period <integer>
set monitor-failure-retry-period <integer>
set mgmt-name <string>
set faz-type <integer>
set source-ip <string>
set __change_ip <integer>
set upload-option {store-and-upload | realtime}
set upload-interval {daily | weekly | monthly}
set upload-day <user>
set upload-time <user>
set reliable {enable | disable}
end

Description
Configuration                   Description                                                   Default Value
override                        Enable/disable override FortiAnalyzer settings or use the     disable
                                global settings.
use-management-vdom             Enable/disable use of management VDOM IP address as source    disable
                                IP for logs sent to FortiAnalyzer.
status                          Enable/disable FortiAnalyzer.                                 disable
ips-archive                     Enable/disable IPS packet archive.                            enable
server                          IPv4 or IPv6 address of the remote FortiAnalyzer.             (Empty)
hmac-algorithm                  FortiAnalyzer IPsec tunnel HMAC algorithm.                    sha256
enc-algorithm                   Enable/disable sending of FortiAnalyzer log data with SSL     high
                                encryption.
conn-timeout                    FortiAnalyzer connection time-out in seconds (for status and  10
                                log buffer).
monitor-keepalive-period        Time between OFTP keepalives in seconds (for status and log   5
                                buffer).
monitor-failure-retry-period    Time between FortiAnalyzer connection retries in seconds      5
                                (for status and log buffer).
mgmt-name                       Hidden management name of FortiAnalyzer.                      (Empty)
faz-type                        Hidden setting index of FortiAnalyzer.                        4
source-ip                       Source IPv4 or IPv6 address used to communicate with          (Empty)
                                FortiAnalyzer.
__change_ip                     Hidden attribute.                                             0
upload-option                   Enable/disable logging to hard disk and then upload to        realtime
                                FortiAnalyzer.
upload-interval                 Frequency to check log file for upload.                       daily
upload-day                      Days of week (month) to upload logs.                          (Empty)
upload-time                     Time to upload logs (hh:mm).                                  00:59
reliable                        Enable/disable reliable logging to FortiAnalyzer.             disable
log.fortianalyzer/setting
CLI Syntax
config log.fortianalyzer setting
edit <name_str>
set status {enable | disable}
set ips-archive {enable | disable}
set server <string>
set hmac-algorithm {sha256 | sha1}
set enc-algorithm {default | high | low | disable}
set conn-timeout <integer>
set monitor-keepalive-period <integer>
set monitor-failure-retry-period <integer>
set mgmt-name <string>
set faz-type <integer>
set source-ip <string>
set __change_ip <integer>
set upload-option {store-and-upload | realtime}
set upload-interval {daily | weekly | monthly}
set upload-day <user>
set upload-time <user>
set reliable {enable | disable}
end

Description
Configuration                   Description                                                   Default Value
status                          Enable/disable FortiAnalyzer.                                 disable
ips-archive                     Enable/disable IPS packet archive.                            enable
server                          IPv4 or IPv6 address of the remote FortiAnalyzer.             (Empty)
hmac-algorithm                  FortiAnalyzer IPsec tunnel HMAC algorithm.                    sha256
enc-algorithm                   Enable/disable sending of FortiAnalyzer log data with SSL     high
                                encryption.
conn-timeout                    FortiAnalyzer connection time-out in seconds (for status and  10
                                log buffer).
monitor-keepalive-period        Time between OFTP keepalives in seconds (for status and log   5
                                buffer).
monitor-failure-retry-period    Time between FortiAnalyzer connection retries in seconds      5
                                (for status and log buffer).
mgmt-name                       Hidden management name of FortiAnalyzer.                      FGh_Log1
faz-type                        Hidden setting index of FortiAnalyzer.                        1
source-ip                       Source IPv4 or IPv6 address used to communicate with          (Empty)
                                FortiAnalyzer.
__change_ip                     Hidden attribute.                                             0
upload-option                   Enable/disable logging to hard disk and then upload to        realtime
                                FortiAnalyzer.
upload-interval                 Frequency to check log file for upload.                       daily
upload-day                      Days of week (month) to upload logs.                          (Empty)
upload-time                     Time to upload logs (hh:mm).                                  00:59
reliable                        Enable/disable reliable logging to FortiAnalyzer.             disable
log.fortianalyzer2/filter
CLI Syntax
config log.fortianalyzer2 filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set dlp-archive {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

Description
Configuration                   Description                                                   Default Value
severity                        Lowest severity level to log.                                 information
forward-traffic                 Enable/disable log through traffic messages.                  enable
local-traffic                   Enable/disable log local in or out traffic messages.          enable
multicast-traffic               Enable/disable log multicast traffic messages.                enable
sniffer-traffic                 Enable/disable log sniffer traffic messages.                  enable
anomaly                         Enable/disable log anomaly messages.                          enable
netscan-discovery               Enable/disable log netscan discovery events.                  enable
netscan-vulnerability           Enable/disable log netscan vulnerability events.              enable
voip                            Enable/disable log VoIP messages.                             enable
dlp-archive                     Enable/disable log DLP archive.                               enable
gtp                             Enable/disable log GTP messages.                              enable
filter                          Log filter for the log device.                                (Empty)
filter-type                     Include/exclude logs that match the filter setting.           include
log.fortianalyzer2/setting
CLI Syntax
config log.fortianalyzer2 setting
edit <name_str>
set status {enable | disable}
set ips-archive {enable | disable}
set server <string>
set hmac-algorithm {sha256 | sha1}
set enc-algorithm {default | high | low | disable}
set conn-timeout <integer>
set monitor-keepalive-period <integer>
set monitor-failure-retry-period <integer>
set mgmt-name <string>
set faz-type <integer>
set source-ip <string>
set __change_ip <integer>
set upload-option {store-and-upload | realtime}
set upload-interval {daily | weekly | monthly}
set upload-day <user>
set upload-time <user>
set reliable {enable | disable}
end

Description
Configuration                   Description                                                   Default Value
status                          Enable/disable FortiAnalyzer.                                 disable
ips-archive                     Enable/disable IPS packet archive.                            enable
server                          IPv4 or IPv6 address of the remote FortiAnalyzer.             (Empty)
hmac-algorithm                  FortiAnalyzer IPsec tunnel HMAC algorithm.                    sha256
enc-algorithm                   Enable/disable sending of FortiAnalyzer log data with SSL     high
                                encryption.
conn-timeout                    FortiAnalyzer connection time-out in seconds (for status and  10
                                log buffer).
monitor-keepalive-period        Time between OFTP keepalives in seconds (for status and log   5
                                buffer).
monitor-failure-retry-period    Time between FortiAnalyzer connection retries in seconds      5
                                (for status and log buffer).
mgmt-name                       Hidden management name of FortiAnalyzer.                      FGh_Log2
faz-type                        Hidden setting index of FortiAnalyzer.                        2
source-ip                       Source IPv4 or IPv6 address used to communicate with          (Empty)
                                FortiAnalyzer.
__change_ip                     Hidden attribute.                                             0
upload-option                   Enable/disable logging to hard disk and then upload to        realtime
                                FortiAnalyzer.
upload-interval                 Frequency to check log file for upload.                       daily
upload-day                      Days of week (month) to upload logs.                          (Empty)
upload-time                     Time to upload logs (hh:mm).                                  00:59
reliable                        Enable/disable reliable logging to FortiAnalyzer.             disable
log.fortianalyzer3/filter
CLI Syntax
config log.fortianalyzer3 filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

Description
Configuration                   Description                                                   Default Value
severity                        Lowest severity level to log.                                 information
forward-traffic                 Enable/disable log through traffic messages.                  enable
local-traffic                   Enable/disable log local in or out traffic messages.          enable
multicast-traffic               Enable/disable log multicast traffic messages.                enable
sniffer-traffic                 Enable/disable log sniffer traffic messages.                  enable
anomaly                         Enable/disable log anomaly messages.                          enable
netscan-discovery               Enable/disable log netscan discovery events.                  enable
netscan-vulnerability           Enable/disable log netscan vulnerability events.              enable
voip                            Enable/disable log VoIP messages.                             enable
gtp                             Enable/disable log GTP messages.                              enable
filter                          Log filter for the log device.                                (Empty)
filter-type                     Include/exclude logs that match the filter setting.           include
log.fortianalyzer3/setting
CLI Syntax
config log.fortianalyzer3 setting
edit <name_str>
set status {enable | disable}
set ips-archive {enable | disable}
set server <string>
set hmac-algorithm {sha256 | sha1}
set enc-algorithm {default | high | low | disable}
set conn-timeout <integer>
set monitor-keepalive-period <integer>
set monitor-failure-retry-period <integer>
set mgmt-name <string>
set faz-type <integer>
set source-ip <string>
set __change_ip <integer>
set upload-option {store-and-upload | realtime}
set upload-interval {daily | weekly | monthly}
set upload-day <user>
set upload-time <user>
set reliable {enable | disable}
end

Description
Configuration                   Description                                                   Default Value
status                          Enable/disable FortiAnalyzer.                                 disable
ips-archive                     Enable/disable IPS packet archive.                            enable
server                          IPv4 or IPv6 address of the remote FortiAnalyzer.             (Empty)
hmac-algorithm                  FortiAnalyzer IPsec tunnel HMAC algorithm.                    sha256
enc-algorithm                   Enable/disable sending of FortiAnalyzer log data with SSL     high
                                encryption.
conn-timeout                    FortiAnalyzer connection time-out in seconds (for status and  10
                                log buffer).
monitor-keepalive-period        Time between OFTP keepalives in seconds (for status and log   5
                                buffer).
monitor-failure-retry-period    Time between FortiAnalyzer connection retries in seconds      5
                                (for status and log buffer).
mgmt-name                       Hidden management name of FortiAnalyzer.                      FGh_Log3
faz-type                        Hidden setting index of FortiAnalyzer.                        3
source-ip                       Source IPv4 or IPv6 address used to communicate with          (Empty)
                                FortiAnalyzer.
__change_ip                     Hidden attribute.                                             0
upload-option                   Enable/disable logging to hard disk and then upload to        realtime
                                FortiAnalyzer.
upload-interval                 Frequency to check log file for upload.                       daily
upload-day                      Days of week (month) to upload logs.                          (Empty)
upload-time                     Time to upload logs (hh:mm).                                  00:59
reliable                        Enable/disable reliable logging to FortiAnalyzer.             disable
log.fortiguard/filter
CLI Syntax
config log.fortiguard filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set dlp-archive {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

Description
Configuration                   Description                                                   Default Value
severity                        Lowest severity level to log.                                 information
forward-traffic                 Enable/disable log through traffic messages.                  enable
local-traffic                   Enable/disable log local in or out traffic messages.          enable
multicast-traffic               Enable/disable log multicast traffic messages.                enable
sniffer-traffic                 Enable/disable log sniffer traffic messages.                  enable
anomaly                         Enable/disable log anomaly messages.                          enable
netscan-discovery               Enable/disable log netscan discovery events.                  enable
netscan-vulnerability           Enable/disable log netscan vulnerability events.              enable
voip                            Enable/disable log VoIP messages.                             enable
dlp-archive                     Enable/disable log DLP archive.                               enable
gtp                             Enable/disable log GTP messages.                              enable
filter                          Log filter for the log device.                                (Empty)
filter-type                     Include/exclude logs that match the filter setting.           include
log.fortiguard/override-filter
CLI Syntax
config log.fortiguard override-filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set dlp-archive {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

Description
Configuration                   Description                                                   Default Value
severity                        Lowest severity level to log.                                 information
forward-traffic                 Enable/disable log through traffic messages.                  enable
local-traffic                   Enable/disable log local in or out traffic messages.          enable
multicast-traffic               Enable/disable log multicast traffic messages.                enable
sniffer-traffic                 Enable/disable log sniffer traffic messages.                  enable
anomaly                         Enable/disable log anomaly messages.                          enable
netscan-discovery               Enable/disable log netscan discovery events.                  enable
netscan-vulnerability           Enable/disable log netscan vulnerability events.              enable
voip                            Enable/disable log VoIP messages.                             enable
dlp-archive                     Enable/disable log DLP archive.                               enable
gtp                             Enable/disable log GTP messages.                              enable
filter                          Log filter for the log device.                                (Empty)
filter-type                     Include/exclude logs that match the filter setting.           include
log.fortiguard/override-setting
CLI Syntax
config log.fortiguard override-setting
edit <name_str>
set override {enable | disable}
set status {enable | disable}
set upload-option {store-and-upload | realtime}
set upload-interval {daily | weekly | monthly}
set upload-day <user>
set upload-time <user>
end

Description
Configuration                   Description                                                   Default Value
override                        Enable/disable override FortiGuard settings or use the        disable
                                global settings.
status                          Enable FortiCloud.                                            disable
upload-option                   Enable/disable logging to hard disk and then upload to        realtime
                                FortiCloud.
upload-interval                 Frequency to check log file for upload.                       daily
upload-day                      Days of week to roll logs.                                    (Empty)
upload-time                     Time to roll logs (hh:mm).                                    00:00
log.fortiguard/setting
CLI Syntax
config log.fortiguard setting
edit <name_str>
set status {enable | disable}
set upload-option {store-and-upload | realtime}
set upload-interval {daily | weekly | monthly}
set upload-day <user>
set upload-time <user>
set enc-algorithm {default | high | low | disable}
set source-ip <ipv4-address>
end

Description
Configuration                   Description                                                   Default Value
status                          Enable FortiCloud.                                            disable
upload-option                   Enable/disable logging to hard disk and then upload to        realtime
                                FortiCloud.
upload-interval                 Frequency to check log file for upload.                       daily
upload-day                      Days of week to roll logs.                                    (Empty)
upload-time                     Time to roll logs (hh:mm).                                    00:00
enc-algorithm                   Enable/disable sending of FortiCloud log data with SSL        high
                                encryption.
source-ip                       Source IP address used to connect FortiCloud.                 0.0.0.0
log.memory/filter
CLI Syntax
config log.memory filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set event {enable | disable}
set system {enable | disable}
set radius {enable | disable}
set ipsec {enable | disable}
set dhcp {enable | disable}
set ppp {enable | disable}
set admin {enable | disable}
set ha {enable | disable}
set auth {enable | disable}
set pattern {enable | disable}
set sslvpn-log-auth {enable | disable}
set sslvpn-log-adm {enable | disable}
set sslvpn-log-session {enable | disable}
set vip-ssl {enable | disable}
set ldb-monitor {enable | disable}
set wan-opt {enable | disable}
set wireless-activity {enable | disable}
set cpu-memory-usage {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

Description
Configuration                   Description                                                   Default Value
severity                        Lowest severity level to log.                                 information
forward-traffic                 Enable/disable log through traffic messages.                  enable
local-traffic                   Enable/disable log local in or out traffic messages.          enable
multicast-traffic               Enable/disable log multicast traffic messages.                enable
sniffer-traffic                 Enable/disable log sniffer traffic messages.                  enable
anomaly                         Enable/disable log anomaly messages.                          enable
netscan-discovery               Enable/disable log netscan discovery events.                  enable
netscan-vulnerability           Enable/disable log netscan vulnerability events.              enable
voip                            Enable/disable log VoIP messages.                             enable
gtp                             Enable/disable log GTP messages.                              enable
event                           Enable/disable log event messages.                            enable
system                          Enable/disable log system activity messages.                  enable
radius                          Enable/disable log RADIUS messages.                           enable
ipsec                           Enable/disable log IPsec negotiation messages.                enable
dhcp                            Enable/disable log DHCP service messages.                     enable
ppp                             Enable/disable log L2TP/PPTP/PPPoE messages.                  enable
admin                           Enable/disable log admin login/logout messages.               enable
ha                              Enable/disable log HA activity messages.                      enable
auth                            Enable/disable log firewall authentication messages.          enable
pattern                         Enable/disable log pattern update messages.                   enable
sslvpn-log-auth                 Enable/disable log SSL user authentication.                   enable
sslvpn-log-adm                  Enable/disable log SSL administration.                        enable
sslvpn-log-session              Enable/disable log SSL session.                               enable
vip-ssl                         Enable/disable log VIP SSL messages.                          enable
ldb-monitor                     Enable/disable log VIP real server health monitoring          enable
                                messages.
wan-opt                         Enable/disable log WAN optimization messages.                 enable
wireless-activity               Enable/disable log wireless activity.                         enable
cpu-memory-usage                Enable/disable log CPU & memory usage every 5 minutes.        disable
filter                          Log filter for the log device.                                (Empty)
filter-type                     Include/exclude logs that match the filter setting.           include
log.memory/global-setting
CLI Syntax
config log.memory global-setting
edit <name_str>
set max-size <integer>
set full-first-warning-threshold <integer>
set full-second-warning-threshold <integer>
set full-final-warning-threshold <integer>
end

Description
Configuration                   Description                                                   Default Value
max-size                        Maximum memory buffer size for log (byte).                    163840
full-first-warning-threshold    Log full first warning threshold (1 - 98, default = 75).      75
full-second-warning-threshold   Log full second warning threshold (2 - 99, default = 90).     90
full-final-warning-threshold    Log full final warning threshold (3 - 100, default = 95).     95
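The numeric ranges documented for ips/settings (packet-log-history 1 - 255, packet-log-post-attack 0 - 255, packet-log-memory 64 - 8192 kB), for the three log-full warning thresholds of log.disk/setting, and for the same thresholds here in log.memory/global-setting can be checked offline before a configuration is pushed to a unit. The Python script below is an added example, not Fortinet code: it parses a FortiOS-style config text into a dictionary of branches and settings and reports values outside the documented ranges. The sample config text is constructed. The first < second < final ordering check is an assumption drawn from the staggered ranges, not something this reference states.

```python
"""Check a FortiOS-style configuration text against the numeric ranges this
reference documents for ips settings, log.disk setting and log.memory
global-setting. Added example, not Fortinet code; the SAMPLE text is constructed."""

# (min, max) per setting, copied from the description tables. Keys use the
# branch names as this reference prints them (dot form).
RANGES = {
    "ips settings": {
        "packet-log-history": (1, 255),
        "packet-log-post-attack": (0, 255),
        "packet-log-memory": (64, 8192),        # kB
    },
    "log.disk setting": {
        "full-first-warning-threshold": (1, 98),
        "full-second-warning-threshold": (2, 99),
        "full-final-warning-threshold": (3, 100),
    },
    "log.memory global-setting": {
        "full-first-warning-threshold": (1, 98),
        "full-second-warning-threshold": (2, 99),
        "full-final-warning-threshold": (3, 100),
    },
}

THRESHOLDS = ("full-first-warning-threshold",
              "full-second-warning-threshold",
              "full-final-warning-threshold")


def parse_config(text):
    """Return {branch: {setting: value}} for each top-level config block.
    'config log disk setting' (as typed at the CLI) and 'config log.disk setting'
    (as printed in this reference) are folded to the same key."""
    blocks, branch = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            parts = line.split()[1:]
            if parts[0] == "log" and len(parts) == 3:
                parts = [parts[0] + "." + parts[1], parts[2]]
            branch = " ".join(parts)
            blocks.setdefault(branch, {})
        elif line.startswith("set ") and branch is not None:
            _, key, *values = line.split()
            blocks[branch][key] = " ".join(values)
        elif line == "end":
            branch = None
    return blocks


def validate(blocks):
    """Return a list of (branch, setting, problem) tuples; empty means all good."""
    problems = []
    for branch, ranges in RANGES.items():
        settings = blocks.get(branch, {})
        for key, (lo, hi) in ranges.items():
            if key not in settings:
                continue                        # unset: the firmware default applies
            value = settings[key]
            if not value.lstrip("-").isdigit():
                problems.append((branch, key, "not an integer: %r" % value))
            elif not lo <= int(value) <= hi:
                problems.append((branch, key, "%s outside %d - %d" % (value, lo, hi)))
        # Assumption (not stated on the page): the staggered ranges 1-98, 2-99,
        # 3-100 imply first < second < final, checked only when all three are set.
        given = [settings.get(k) for k in THRESHOLDS]
        if all(v is not None and v.isdigit() for v in given):
            nums = [int(v) for v in given]
            if not nums[0] < nums[1] < nums[2]:
                problems.append((branch, "thresholds",
                                 "expected first < second < final, got %s" % nums))
    return problems


# Constructed sample with two mistakes: packet-log-history above 255 and a
# second warning threshold below the first.
SAMPLE = """\
config ips settings
    set packet-log-history 300
    set packet-log-memory 256
end
config log.disk setting
    set status enable
    set full-first-warning-threshold 75
    set full-second-warning-threshold 70
    set full-final-warning-threshold 95
end
config log.memory global-setting
    set max-size 163840
    set full-first-warning-threshold 75
    set full-second-warning-threshold 90
    set full-final-warning-threshold 95
end
"""


def check_sample():
    return validate(parse_config(SAMPLE))


if __name__ == "__main__":
    for branch, key, problem in check_sample():
        print("%s / %s: %s" % (branch, key, problem))
```

Settings that are not present in the text are skipped, because the firmware default listed in the table applies to them; only values an administrator actually typed are compared against the documented range.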

log.memory/setting
CLI Syntax
config log.memory setting
edit <name_str>
set status {enable | disable}
set diskfull {overwrite}
end

Description
Configuration                   Description                                                   Default Value
status                          Enable/disable memory buffer log.                             enable
diskfull                        Action when memory is full.                                   overwrite
log.syslogd/filter
CLI Syntax
config log.syslogd filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

Description
Configuration                   Description                                                   Default Value
severity                        Lowest severity level to log.                                 information
forward-traffic                 Enable/disable log through traffic messages.                  enable
local-traffic                   Enable/disable log local in or out traffic messages.          enable
multicast-traffic               Enable/disable log multicast traffic messages.                enable
sniffer-traffic                 Enable/disable log sniffer traffic messages.                  enable
anomaly                         Enable/disable log anomaly messages.                          enable
netscan-discovery               Enable/disable log netscan discovery events.                  enable
netscan-vulnerability           Enable/disable log netscan vulnerability events.              enable
voip                            Enable/disable log VoIP messages.                             enable
gtp                             Enable/disable log GTP messages.                              enable
filter                          Log filter for the log device.                                (Empty)
filter-type                     Include/exclude logs that match the filter setting.           include
log.syslogd/override-filter
CLI Syntax
config log.syslogd override-filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

Description
Configuration Description Default Value

severity Lowest severity level to log. information

forward-traffic Enable/disable log through traffic messages. enable

local-traffic Enable/disable log local in or out traffic messages. enable

multicast-traffic Enable/disable log multicast traffic messages. enable

sniffer-traffic Enable/disable log sniffer traffic messages. enable

anomaly Enable/disable log anomaly messages. enable

netscan-discovery Enable/disable log netscan discovery events. enable

netscan-vulnerability Enable/disable log netscan vulnerability events. enable

voip Enable/disable log VoIP messages. enable

gtp Enable/disable log GTP messages. enable

filter Log filter for the log device. (Empty)

filter-type Include/exclude logs that match the filter setting. include

log.syslogd/override-setting
CLI Syntax
config log.syslogd override-setting
edit <name_str>
set override {enable | disable}
set status {enable | disable}
set server <string>
set reliable {enable | disable}
set port <integer>
set csv {enable | disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
set source-ip <string>
end

Description
Configuration Description Default Value

override Enable/disable override syslog settings. disable

status Enable/disable remote syslog logging. disable

server Address of remote syslog server. (Empty)

reliable Enable/disable reliable logging (RFC3195). disable

port Server listen port. 514

csv Enable/disable CSV formatting of logs. disable

facility Remote syslog facility. local7

source-ip Source IP address of syslog. (Empty)

log.syslogd/setting
CLI Syntax
config log.syslogd setting
edit <name_str>
set status {enable | disable}
set server <string>
set reliable {enable | disable}
set port <integer>
set csv {enable | disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
set source-ip <string>
end

Description
Configuration Description Default Value

status Enable/disable remote syslog logging. disable

server Address of remote syslog server. (Empty)

reliable Enable/disable reliable logging (RFC3195). disable

port Server listen port. 514

csv Enable/disable CSV formatting of logs. disable

facility Remote syslog facility. local7

source-ip Source IP address of syslog. (Empty)
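The setting and filter branches above, combined into one added example configuration (not taken from the FortiOS reference). It enables the remote server, which the defaults leave disabled, turns on RFC 3195 reliable delivery in place of the default unacknowledged UDP send, and keeps severity at information so that traffic logs, which are recorded below warning level, are not silently dropped. The 192.0.2.x addresses are documentation-range placeholders; on a device these branches are typed as config log syslogd setting and config log syslogd filter, without the edit step shown in the extracted syntax.

```fortios
# Added example, not from the FortiOS CLI reference.
# 192.0.2.10 is a placeholder for the syslog collector; 192.0.2.1 is a
# placeholder for the FortiGate interface address the collector expects.
config log syslogd setting
    set status enable
    set server "192.0.2.10"
    # default is disable: plain UDP to port 514 with no delivery guarantee
    set reliable enable
    # port is left at its default of 514; change it only if the collector listens elsewhere
    set facility local7
    # pin the source address so collector-side allow lists and correlation stay stable
    set source-ip "192.0.2.1"
end
config log syslogd filter
    # lowest severity forwarded; information (the default) keeps traffic logs,
    # raising it to warning or above would discard them
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic disable
    set sniffer-traffic disable
    set anomaly enable
    set voip disable
    set gtp disable
end
```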

log.syslogd2/filter
CLI Syntax
config log.syslogd2 filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

Description
Configuration Description Default Value

severity Lowest severity level to log. information

forward-traffic Enable/disable log through traffic messages. enable

local-traffic Enable/disable log local in or out traffic messages. enable

multicast-traffic Enable/disable log multicast traffic messages. enable

sniffer-traffic Enable/disable log sniffer traffic messages. enable

anomaly Enable/disable log anomaly messages. enable

netscan-discovery Enable/disable log netscan discovery events. enable

netscan-vulnerability Enable/disable log netscan vulnerability events. enable

voip Enable/disable log VoIP messages. enable

gtp Enable/disable log GTP messages. enable

filter Log filter for the log device. (Empty)

filter-type Include/exclude logs that match the filter setting. include

log.syslogd2/setting
CLI Syntax
config log.syslogd2 setting
edit <name_str>
set status {enable | disable}
set server <string>
set reliable {enable | disable}
set port <integer>
set csv {enable | disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
set source-ip <string>
end

Description
Configuration Description Default Value

status Enable/disable remote syslog logging. disable

server Address of remote syslog server. (Empty)

reliable Enable/disable reliable logging (RFC3195). disable

port Server listen port. 514

csv Enable/disable CSV formatting of logs. disable

facility Remote syslog facility. local7

source-ip Source IP address of syslog. (Empty)

log.syslogd3/filter
CLI Syntax
config log.syslogd3 filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

Description
Configuration Description Default Value

severity Lowest severity level to log. information

forward-traffic Enable/disable log through traffic messages. enable

local-traffic Enable/disable log local in or out traffic messages. enable

multicast-traffic Enable/disable log multicast traffic messages. enable

sniffer-traffic Enable/disable log sniffer traffic messages. enable

anomaly Enable/disable log anomaly messages. enable

netscan-discovery Enable/disable log netscan discovery events. enable

netscan-vulnerability Enable/disable log netscan vulnerability events. enable

voip Enable/disable log VoIP messages. enable

gtp Enable/disable log GTP messages. enable

filter Log filter for the log device. (Empty)

filter-type Include/exclude logs that match the filter setting. include

log.syslogd3/setting
CLI Syntax
config log.syslogd3 setting
edit <name_str>
set status {enable | disable}
set server <string>
set reliable {enable | disable}
set port <integer>
set csv {enable | disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
set source-ip <string>
end

Description
Configuration Description Default Value

status Enable/disable remote syslog logging. disable

server Address of remote syslog server. (Empty)

reliable Enable/disable reliable logging (RFC3195). disable

port Server listen port. 514

csv Enable/disable CSV formatting of logs. disable

facility Remote syslog facility. local7

source-ip Source IP address of syslog. (Empty)

log.syslogd4/filter
CLI Syntax
config log.syslogd4 filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

Description
Configuration Description Default Value

severity Lowest severity level to log. information

forward-traffic Enable/disable log through traffic messages. enable

local-traffic Enable/disable log local in or out traffic messages. enable

multicast-traffic Enable/disable log multicast traffic messages. enable

sniffer-traffic Enable/disable log sniffer traffic messages. enable

anomaly Enable/disable log anomaly messages. enable

netscan-discovery Enable/disable log netscan discovery events. enable

netscan-vulnerability Enable/disable log netscan vulnerability events. enable

voip Enable/disable log VoIP messages. enable

gtp Enable/disable log GTP messages. enable

filter Log filter for the log device. (Empty)

filter-type Include/exclude logs that match the filter setting. include

log.syslogd4/setting
CLI Syntax
config log.syslogd4 setting
edit <name_str>
set status {enable | disable}
set server <string>
set reliable {enable | disable}
set port <integer>
set csv {enable | disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
set source-ip <string>
end

Description
Configuration Description Default Value

status Enable/disable remote syslog logging. disable

server Address of remote syslog server. (Empty)

reliable Enable/disable reliable logging (RFC3195). disable

port Server listen port. 514

csv Enable/disable CSV formatting of logs. disable

facility Remote syslog facility. local7

source-ip Source IP address of syslog. (Empty)

log.webtrends/filter
CLI Syntax
config log.webtrends filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

Description
Configuration Description Default Value

severity Lowest severity level to log. information

forward-traffic Enable/disable log through traffic messages. enable

local-traffic Enable/disable log local in or out traffic messages. enable

multicast-traffic Enable/disable log multicast traffic messages. enable

sniffer-traffic Enable/disable log sniffer traffic messages. enable

anomaly Enable/disable log anomaly messages. enable

netscan-discovery Enable/disable log netscan discovery events. enable

netscan-vulnerability Enable/disable log netscan vulnerability events. enable

voip Enable/disable log VoIP messages. enable

gtp Enable/disable log GTP messages. enable

filter Log filter for the log device. (Empty)

filter-type Include/exclude logs that match the filter setting. include

log.webtrends/setting
CLI Syntax
config log.webtrends setting
edit <name_str>
set status {enable | disable}
set server <string>
end

Description
Configuration Description Default Value

status Enable/disable WebTrends logging. disable

server Address of the remote WebTrends server. (Empty)

log/custom-field
CLI Syntax
config log custom-field
edit <name_str>
set id <string>
set name <string>
set value <string>
end

Description
Configuration Description Default Value

id ID. (Empty)

name Field name. (Empty)

value Field value. (Empty)

log/eventfilter
CLI Syntax
config log eventfilter
edit <name_str>
set event {enable | disable}
set system {enable | disable}
set vpn {enable | disable}
set user {enable | disable}
set router {enable | disable}
set wireless-activity {enable | disable}
set wan-opt {enable | disable}
set endpoint {enable | disable}
set ha {enable | disable}
set compliance-check {enable | disable}
end

Description
Configuration Description Default Value

event Enable/disable log event messages. enable

system Enable/disable log system activity messages. enable

vpn Enable/disable log VPN messages. enable

user Enable/disable log user activity messages. enable

router Enable/disable log router activity. enable

wireless-activity Enable/disable log wireless activity. enable

wan-opt Enable/disable log WAN optimization messages. enable

endpoint Enable/disable log for endpoint events. enable

ha Enable/disable log for HA events. enable

compliance-check Enable/disable log for PCI DSS compliance check. enable

log/gui-display
CLI Syntax
config log gui-display
edit <name_str>
set resolve-hosts {enable | disable}
set resolve-apps {enable | disable}
set fortiview-unscanned-apps {enable | disable}
set fortiview-local-traffic {enable | disable}
set location {memory | disk | fortianalyzer | fortiguard}
end

Description
Configuration Description Default Value

resolve-hosts Resolve IP addresses to hostnames on the GUI using reverse DNS lookup. enable

resolve-apps Resolve unknown applications on the GUI using remote application database. enable

fortiview-unscanned-apps Enable/disable inclusion of unscanned traffic in FortiView application charts. disable

fortiview-local-traffic Enable/disable inclusion of local-in traffic in FortiView realtime charts. disable

location GUI log location display. memory

log/setting
CLI Syntax
config log setting
edit <name_str>
set resolve-ip {enable | disable}
set resolve-port {enable | disable}
set log-user-in-upper {enable | disable}
set fwpolicy-implicit-log {enable | disable}
set fwpolicy6-implicit-log {enable | disable}
set log-invalid-packet {enable | disable}
set local-in-allow {enable | disable}
set local-in-deny-unicast {enable | disable}
set local-in-deny-broadcast {enable | disable}
set local-out {enable | disable}
set daemon-log {enable | disable}
set neighbor-event {enable | disable}
set brief-traffic-format {enable | disable}
set user-anonymize {enable | disable}
set fortiview-weekly-data {enable | disable}
end

Description
Configuration Description Default Value

resolve-ip Add resolved domain name into traffic log if possible. disable

resolve-port Add resolved service name into traffic log if possible. enable

log-user-in-upper Enable/disable collect log with user-in-upper. disable

fwpolicy-implicit-log Enable/disable collect firewall implicit policy log. disable

fwpolicy6-implicit-log Enable/disable collect firewall implicit policy6 log. disable

log-invalid-packet Enable/disable collect invalid packet traffic log. disable

local-in-allow Enable/disable collect local-in-allow log. disable

local-in-deny-unicast Enable/disable collect local-in-deny-unicast log. disable

local-in-deny-broadcast Enable/disable collect local-in-deny-broadcast log. disable

local-out Enable/disable collect local-out log. disable

daemon-log Enable/disable collect daemon log. disable

neighbor-event Enable/disable collect neighbor event log. disable

brief-traffic-format Enable/disable use of brief format for traffic log. disable

user-anonymize Enable/disable anonymize log user name. disable

fortiview-weekly-data Enable/disable FortiView weekly data. disable

log/threat-weight
CLI Syntax
config log threat-weight
edit <name_str>
set status {enable | disable}
config level
edit <name_str>
set low <integer>
set medium <integer>
set high <integer>
set critical <integer>
end
set blocked-connection {disable | low | medium | high | critical}
set failed-connection {disable | low | medium | high | critical}
set malware-detected {disable | low | medium | high | critical}
set url-block-detected {disable | low | medium | high | critical}
set botnet-connection-detected {disable | low | medium | high | critical}
config ips
edit <name_str>
set info-severity {disable | low | medium | high | critical}
set low-severity {disable | low | medium | high | critical}
set medium-severity {disable | low | medium | high | critical}
set high-severity {disable | low | medium | high | critical}
set critical-severity {disable | low | medium | high | critical}
end
config web
edit <name_str>
set id <integer>
set category <integer>
set level {disable | low | medium | high | critical}
end
config geolocation
edit <name_str>
set id <integer>
set country <string>
set level {disable | low | medium | high | critical}
end
config application
edit <name_str>
set id <integer>
set category <integer>
set level {disable | low | medium | high | critical}
end
end

Description
Configuration Description Default Value

status Enable/disable threat weight status. enable

level Level to score mapping. Details below

Configuration Default Value


low 5
medium 10
high 30
critical 50

blocked-connection Score level for blocked connections for threat weight. high

failed-connection Score level for failed connections for threat weight. low

malware-detected Score level for detected malware for threat weight. critical

url-block-detected Score level for URL blocking for threat weight. high

botnet-connection-detected Score level for detected botnet connection for threat weight. critical

ips IPS reputation settings. Details below

Configuration Default Value


info-severity disable
low-severity low
medium-severity medium
high-severity high
critical-severity critical

web Web-based threat weight settings. (Empty)

geolocation Geolocation-based threat weight settings. (Empty)

application Application-control based threat weight settings. (Empty)

netscan/assets
CLI Syntax
config netscan assets
edit <name_str>
set asset-id <integer>
set name <string>
set scheduled {disable | enable}
set addr-type {ip | range}
set start-ip <ipv4-address-any>
set end-ip <ipv4-address-any>
set auth-windows {disable | enable}
set auth-unix {disable | enable}
set win-username <string>
set win-password <password>
set unix-username <string>
set unix-password <password>
end

Description
Configuration Description Default Value

asset-id Asset ID. 0

name Name of this asset. (Empty)

scheduled Enable/disable include asset in scheduled vulnerability scan. disable

addr-type IP address or range. ip

start-ip IP address of asset or start of asset range. 0.0.0.0

end-ip End of asset range. 0.0.0.0

auth-windows Enable/disable authenticate on Windows hosts. disable

auth-unix Enable/disable authenticate on UNIX hosts. disable

win-username User name for Windows hosts. (Empty)

win-password Password for Windows hosts. (Empty)

unix-username User name for Unix hosts. (Empty)

unix-password Password for Unix hosts. (Empty)

netscan/settings
CLI Syntax
config netscan settings
edit <name_str>
set scan-mode {quick | standard | full}
set scheduled-pause {disable | enable}
set time <user>
set pause-from <user>
set pause-to <user>
set recurrence {daily | weekly | monthly}
set day-of-week {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set day-of-month <integer>
set tcp-ports <user>
set udp-ports <user>
set tcp-scan {auto | enable | disable}
set udp-scan {auto | enable | disable}
set service-detection {auto | enable | disable}
set os-detection {auto | enable | disable}
end

Description
Configuration Description Default Value

scan-mode Level of vulnerability scanning to perform on ports. quick

scheduled-pause Enable/disable set time during which scanning should pause. disable

time Time of day to start the scan. 00:00

pause-from Time of day to pause scanning. 00:00

pause-to Time of day to resume scanning. 00:00

recurrence Frequency at which the scans should recur. weekly

day-of-week Day of the week on which to run the scan. sunday

day-of-month Day of the month on which to run the scan. 1

tcp-ports TCP ports scanned. (Empty)

udp-ports UDP ports scanned. (Empty)

tcp-scan Enable/disable TCP port scan. auto

udp-scan Enable/disable UDP port scan. auto

service-detection Enable/disable service detection. auto

os-detection Enable/disable OS detection. auto

report/chart
CLI Syntax
config report chart
edit <name_str>
set name <string>
set policy <integer>
set type {graph | table}
set period {last24h | last7d}
config drill-down-charts
edit <name_str>
set id <integer>
set chart-name <string>
set status {enable | disable}
end
set comments <string>
set dataset <string>
set category {misc | traffic | event | virus | webfilter | attack | spam | dlp | app-ctrl | vulnerability}
set favorite {no | yes}
set graph-type {none | bar | pie | line | flow}
set style {auto | manual}
set dimension {2D | 3D}
config x-series
edit <name_str>
set databind <string>
set caption <string>
set caption-font-size <integer>
set font-size <integer>
set label-angle {45-degree | vertical | horizontal}
set is-category {yes | no}
set scale-unit {minute | hour | day | month | year}
set scale-step <integer>
set scale-direction {decrease | increase}
set scale-format {YYYY-MM-DD-HH-MM | YYYY-MM-DD HH | YYYY-MM-DD | YYYY-MM | YYYY | HH-MM | MM-DD}
set unit <string>
end
config y-series
edit <name_str>
set databind <string>
set caption <string>
set caption-font-size <integer>
set font-size <integer>
set label-angle {45-degree | vertical | horizontal}
set group <string>
set unit <string>
set extra-y {enable | disable}
set extra-databind <string>
set y-legend <string>
set extra-y-legend <string>
end
config category-series
edit <name_str>
set databind <string>
set font-size <integer>
end
config value-series
edit <name_str>
set databind <string>
end
set title <string>
set title-font-size <integer>
set background <string>
set color-palette <string>
set legend {enable | disable}
set legend-font-size <integer>
config column
edit <name_str>
set id <integer>
set header-value <string>
set detail-value <string>
set footer-value <string>
set detail-unit <string>
set footer-unit <string>
config mapping
edit <name_str>
set id <integer>
set op {none | greater | greater-equal | less | less-equal | equal | between}
set value-type {integer | string}
set value1 <string>
set value2 <string>
set displayname <string>
end
end
end

Description
Configuration Description Default Value

name Chart widget name. (Empty)

policy Used by monitor policy. 0

type Chart type. graph

period Time period. last24h

drill-down-charts Drill down charts. (Empty)

comments Comment. (Empty)

dataset Bind dataset to chart. (Empty)

category Category. misc

favorite Favorite. no

graph-type Graph type. none

style Style. auto

dimension Dimension. 3D

x-series X-series of chart. Details below

Configuration Default Value


databind (Empty)
caption (Empty)
caption-font-size 0
font-size 0
label-angle 45-degree
is-category yes
scale-unit day
scale-step 1
scale-direction decrease
scale-format YYYY-MM-DD-HH-MM
unit (Empty)

y-series Y-series of chart. Details below

Configuration Default Value
databind (Empty)
caption (Empty)
caption-font-size 0
font-size 0
label-angle horizontal
group (Empty)
unit (Empty)
extra-y disable
extra-databind (Empty)
y-legend (Empty)
extra-y-legend (Empty)

category-series Category series of pie chart. Details below

Configuration Default Value


databind (Empty)
font-size 0

value-series Value series of pie chart. Details below

Configuration Default Value


databind (Empty)

title Chart title. (Empty)

title-font-size Font size of chart title. 0

background Chart background. (Empty)

color-palette Color palette (system will pick color automatically by default). (Empty)

legend Enable/Disable Legend area. enable

legend-font-size Font size of legend area. 0

column Table column definition. (Empty)

report/dataset
CLI Syntax
config report dataset
edit <name_str>
set name <string>
set policy <integer>
set query <string>
config field
edit <name_str>
set id <integer>
set type {text | integer | double}
set name <string>
set displayname <string>
end
config parameters
edit <name_str>
set id <integer>
set display-name <string>
set field <string>
set data-type {text | integer | double | long-integer | date-time}
end
end

Description
Configuration Description Default Value

name Name. (Empty)

policy Used by monitor policy. 0

query SQL query statement. (Empty)

field Fields. (Empty)

parameters Parameters. (Empty)

report/layout
CLI Syntax
config report layout
edit <name_str>
set name <string>
set title <string>
set subtitle <string>
set description <string>
set style-theme <string>
set options {include-table-of-content | auto-numbering-heading | view-chart-as-heading | show-html-navbar-before-heading | dummy-option}
set format {html | pdf}
set schedule-type {demand | daily | weekly}
set day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set time <user>
set cutoff-option {run-time | custom}
set cutoff-time <user>
set email-send {enable | disable}
set email-recipients <string>
set max-pdf-report <integer>
config page
edit <name_str>
set paper {a4 | letter}
set column-break-before {heading1 | heading2 | heading3}
set page-break-before {heading1 | heading2 | heading3}
set options {header-on-first-page | footer-on-first-page}
config header
edit <name_str>
set style <string>
config header-item
edit <name_str>
set id <integer>
set description <string>
set type {text | image}
set style <string>
set content <string>
set img-src <string>
end
end
config footer
edit <name_str>
set style <string>
config footer-item
edit <name_str>
set id <integer>
set description <string>
set type {text | image}
set style <string>
set content <string>
set img-src <string>
end
end
end
config body-item
edit <name_str>
set id <integer>
set description <string>
set type {text | image | chart | misc}
set style <string>
set top-n <integer>
set hide {enable | disable}
config parameters
edit <name_str>
set id <integer>
set name <string>
set value <string>
end
set text-component {text | heading1 | heading2 | heading3}
set content <string>
set img-src <string>
set list-component {bullet | numbered}
config list
edit <name_str>
set id <integer>
set content <string>
end
set chart <string>
set chart-options {include-no-data | hide-title | show-caption}
set drill-down-items <string>
set drill-down-types <string>
set table-column-widths <string>
set table-caption-style <string>
set table-head-style <string>
set table-odd-row-style <string>
set table-even-row-style <string>
set misc-component {hline | page-break | column-break | section-start}
set column <integer>
set title <string>
end
end

Description
Configuration Description Default Value

name Report layout name. (Empty)

title Report title. (Empty)

subtitle Report subtitle. (Empty)

description Description. (Empty)

style-theme Report style theme. (Empty)

options Report layout options. include-table-of-content auto-numbering-heading view-chart-as-heading

format Report format. html

schedule-type Report schedule type. daily

day Schedule days of week to generate report. sunday

time Schedule time to generate report [hh:mm]. 00:00

cutoff-option Cutoff-option is either run-time or custom. run-time

cutoff-time Custom cutoff time to generate report [hh:mm]. 00:00

email-send Enable/disable sending emails after reports are generated. disable

email-recipients Email recipients for generated reports. (Empty)

max-pdf-report Maximum number of PDF reports to keep at one time (oldest report is overwritten). 31

page Configure report page. Details below

Configuration Default Value
paper a4
column-break-before (Empty)
page-break-before (Empty)
options (Empty)
header {"style":"","header-item":[]}
footer {"style":"","footer-item":[]}

body-item Configure report body item. (Empty)

report/setting
CLI Syntax
config report setting
edit <name_str>
set pdf-report {enable | disable}
set fortiview {enable | disable}
set report-source {forward-traffic | sniffer-traffic}
set web-browsing-threshold <integer>
end

Description
Configuration Description Default Value

pdf-report Enable/disable PDF report. enable

fortiview Enable/disable historical FortiView. enable

report-source Report log source. forward-traffic

web-browsing-threshold Web browsing time calculation threshold (3 - 15 min). 3

report/style
CLI Syntax
config report style
edit <name_str>
set name <string>
set options {font | text | color | align | size | margin | border | padding | column}
set font-family {Verdana | Arial | Helvetica | Courier | Times}
set font-style {normal | italic}
set font-weight {normal | bold}
set font-size <string>
set line-height <string>
set fg-color <string>
set bg-color <string>
set align {left | center | right | justify}
set width <string>
set height <string>
set margin-top <string>
set margin-right <string>
set margin-bottom <string>
set margin-left <string>
set border-top <user>
set border-right <user>
set border-bottom <user>
set border-left <user>
set padding-top <string>
set padding-right <string>
set padding-bottom <string>
set padding-left <string>
set column-span {none | all}
set column-gap <string>
end

Description
Configuration Description Default Value

name Report style name. (Empty)

options Report style options. (Empty)

font-family Font family. (Empty)

font-style Font style. normal

font-weight Font weight. normal

font-size Font size. (Empty)

line-height Text line height. (Empty)

fg-color Foreground color. (Empty)

bg-color Background color. (Empty)

align Alignment. (Empty)

width Width. (Empty)

height Height. (Empty)

margin-top Margin top. (Empty)

margin-right Margin right. (Empty)

margin-bottom Margin bottom. (Empty)

margin-left Margin left. (Empty)

border-top Border top. " none "

border-right Border right. " none "

border-bottom Border bottom. " none "

border-left Border left. " none "

padding-top Padding top. (Empty)

padding-right Padding right. (Empty)

padding-bottom Padding bottom. (Empty)

padding-left Padding left. (Empty)

column-span Column span. none

column-gap Column gap. (Empty)

report/theme
CLI Syntax
config report theme
edit <name_str>
set name <string>
set page-orient {portrait | landscape}
set column-count {1 | 2 | 3}
set default-html-style <string>
set default-pdf-style <string>
set page-style <string>
set page-header-style <string>
set page-footer-style <string>
set report-title-style <string>
set report-subtitle-style <string>
set toc-title-style <string>
set toc-heading1-style <string>
set toc-heading2-style <string>
set toc-heading3-style <string>
set toc-heading4-style <string>
set heading1-style <string>
set heading2-style <string>
set heading3-style <string>
set heading4-style <string>
set normal-text-style <string>
set bullet-list-style <string>
set numbered-list-style <string>
set image-style <string>
set hline-style <string>
set graph-chart-style <string>
set table-chart-style <string>
set table-chart-caption-style <string>
set table-chart-head-style <string>
set table-chart-odd-row-style <string>
set table-chart-even-row-style <string>
end

Description
Configuration Description Default Value

name Report theme name. (Empty)

page-orient Report page orientation. portrait

column-count Report page column count. 1

default-html-style Default HTML report style. (Empty)

default-pdf-style Default PDF report style. (Empty)

page-style Report page style. (Empty)

page-header-style Report page header style. (Empty)

page-footer-style Report page footer style. (Empty)

report-title-style Report title style. (Empty)

report-subtitle-style Report subtitle style. (Empty)

toc-title-style Table of contents title style. (Empty)

toc-heading1-style Table of contents heading style. (Empty)

toc-heading2-style Table of contents heading style. (Empty)

toc-heading3-style Table of contents heading style. (Empty)

toc-heading4-style Table of contents heading style. (Empty)

heading1-style Report heading style. (Empty)

heading2-style Report heading style. (Empty)

heading3-style Report heading style. (Empty)

heading4-style Report heading style. (Empty)

normal-text-style Normal text style. (Empty)

bullet-list-style Bullet list style. (Empty)

numbered-list-style Numbered list style. (Empty)

image-style Image style. (Empty)

hline-style Horizontal line style. (Empty)

graph-chart-style Graph chart style. (Empty)

table-chart-style Table chart style. (Empty)

table-chart-caption-style Table chart caption style. (Empty)

table-chart-head-style Table chart head row style. (Empty)

table-chart-odd-row-style Table chart odd row style. (Empty)

table-chart-even-row-style Table chart even row style. (Empty)

router/access-list
CLI Syntax
config router access-list
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set action {permit | deny}
set prefix <user>
set wildcard <user>
set exact-match {enable | disable}
set flags <integer>
end
end

Description
Configuration Description Default Value

name Name. (Empty)

comments Comment. (Empty)

rule Rule. (Empty)

router/access-list6
CLI Syntax
config router access-list6
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set action {permit | deny}
set prefix6 <user>
set exact-match {enable | disable}
set flags <integer>
end
end

Description
Configuration Description Default Value

name Name. (Empty)

comments Comment. (Empty)

rule Rule. (Empty)

router/aspath-list
CLI Syntax
config router aspath-list
edit <name_str>
set name <string>
config rule
edit <name_str>
set id <integer>
set action {deny | permit}
set regexp <string>
end
end

Description
Configuration Description Default Value

name AS path list name. (Empty)

rule AS path list rule. (Empty)

router/auth-path
CLI Syntax
config router auth-path
edit <name_str>
set name <string>
set device <string>
set gateway <ipv4-address>
end

Description
Configuration Description Default Value

name Name of the entry. (Empty)

device Output interface. (Empty)

gateway Gateway IP address. 0.0.0.0

router/bfd
CLI Syntax
config router bfd
edit <name_str>
config neighbor
edit <name_str>
set ip <ipv4-address>
set interface <string>
end
end

Description
Configuration Description Default Value

neighbor neighbor (Empty)

router/bgp
CLI Syntax
config router bgp
edit <name_str>
set as <integer>
set router-id <ipv4-address-any>
set keepalive-timer <integer>
set holdtime-timer <integer>
set always-compare-med {enable | disable}
set bestpath-as-path-ignore {enable | disable}
set bestpath-cmp-confed-aspath {enable | disable}
set bestpath-cmp-routerid {enable | disable}
set bestpath-med-confed {enable | disable}
set bestpath-med-missing-as-worst {enable | disable}
set client-to-client-reflection {enable | disable}
set dampening {enable | disable}
set deterministic-med {enable | disable}
set ebgp-multipath {enable | disable}
set ibgp-multipath {enable | disable}
set enforce-first-as {enable | disable}
set fast-external-failover {enable | disable}
set log-neighbour-changes {enable | disable}
set network-import-check {enable | disable}
set ignore-optional-capability {enable | disable}
set cluster-id <ipv4-address-any>
set confederation-identifier <integer>
config confederation-peers
edit <name_str>
set peer <string>
end
set dampening-route-map <string>
set dampening-reachability-half-life <integer>
set dampening-reuse <integer>
set dampening-suppress <integer>
set dampening-max-suppress-time <integer>
set dampening-unreachability-half-life <integer>
set default-local-preference <integer>
set scan-time <integer>
set distance-external <integer>
set distance-internal <integer>
set distance-local <integer>
set synchronization {enable | disable}
set graceful-restart {enable | disable}
set graceful-restart-time <integer>
set graceful-stalepath-time <integer>
set graceful-update-delay <integer>
config aggregate-address
edit <name_str>
set id <integer>
set prefix <ipv4-classnet-any>
set as-set {enable | disable}
set summary-only {enable | disable}
end
config aggregate-address6
edit <name_str>
set id <integer>
set prefix6 <ipv6-prefix>
set as-set {enable | disable}
set summary-only {enable | disable}
end
config neighbor
edit <name_str>
set ip <string>
set advertisement-interval <integer>
set allowas-in-enable {enable | disable}
set allowas-in-enable6 {enable | disable}
set allowas-in <integer>
set allowas-in6 <integer>
set attribute-unchanged {as-path | med | next-hop}
set attribute-unchanged6 {as-path | med | next-hop}
set activate {enable | disable}
set activate6 {enable | disable}
set bfd {enable | disable}
set capability-dynamic {enable | disable}
set capability-orf {none | receive | send | both}
set capability-orf6 {none | receive | send | both}
set capability-graceful-restart {enable | disable}
set capability-graceful-restart6 {enable | disable}
set capability-route-refresh {enable | disable}
set capability-default-originate {enable | disable}
set capability-default-originate6 {enable | disable}
set dont-capability-negotiate {enable | disable}
set ebgp-enforce-multihop {enable | disable}
set next-hop-self {enable | disable}
set next-hop-self6 {enable | disable}
set override-capability {enable | disable}
set passive {enable | disable}
set remove-private-as {enable | disable}
set remove-private-as6 {enable | disable}
set route-reflector-client {enable | disable}
set route-reflector-client6 {enable | disable}
set route-server-client {enable | disable}
set route-server-client6 {enable | disable}
set shutdown {enable | disable}
set soft-reconfiguration {enable | disable}
set soft-reconfiguration6 {enable | disable}
set as-override {enable | disable}
set as-override6 {enable | disable}
set strict-capability-match {enable | disable}
set default-originate-routemap <string>
set default-originate-routemap6 <string>
set description <string>
set distribute-list-in <string>
set distribute-list-in6 <string>
set distribute-list-out <string>
set distribute-list-out6 <string>
set ebgp-multihop-ttl <integer>
set filter-list-in <string>
set filter-list-in6 <string>
set filter-list-out <string>
set filter-list-out6 <string>
set interface <string>
set maximum-prefix <integer>
set maximum-prefix6 <integer>
set maximum-prefix-threshold <integer>
set maximum-prefix-threshold6 <integer>
set maximum-prefix-warning-only {enable | disable}
set maximum-prefix-warning-only6 {enable | disable}
set prefix-list-in <string>
set prefix-list-in6 <string>
set prefix-list-out <string>
set prefix-list-out6 <string>
set remote-as <integer>
set retain-stale-time <integer>
set route-map-in <string>
set route-map-in6 <string>
set route-map-out <string>
set route-map-out6 <string>
set send-community {standard | extended | both | disable}
set send-community6 {standard | extended | both | disable}
set keep-alive-timer <integer>
set holdtime-timer <integer>
set connect-timer <integer>
set unsuppress-map <string>
set unsuppress-map6 <string>
set update-source <string>
set weight <integer>
set restart-time <integer>
set password <password>
config conditional-advertise
edit <name_str>
set advertise-routemap <string>
set condition-routemap <string>
set condition-type {exist | non-exist}
end
end
config neighbor-group
edit <name_str>
set name <string>
set advertisement-interval <integer>
set allowas-in-enable {enable | disable}
set allowas-in-enable6 {enable | disable}
set allowas-in <integer>
set allowas-in6 <integer>
set attribute-unchanged {as-path | med | next-hop}
set attribute-unchanged6 {as-path | med | next-hop}
set activate {enable | disable}
set activate6 {enable | disable}
set bfd {enable | disable}
set capability-dynamic {enable | disable}
set capability-orf {none | receive | send | both}
set capability-orf6 {none | receive | send | both}
set capability-graceful-restart {enable | disable}
set capability-graceful-restart6 {enable | disable}
set capability-route-refresh {enable | disable}
set capability-default-originate {enable | disable}
set capability-default-originate6 {enable | disable}
set dont-capability-negotiate {enable | disable}
set ebgp-enforce-multihop {enable | disable}
set next-hop-self {enable | disable}
set next-hop-self6 {enable | disable}
set override-capability {enable | disable}
set passive {enable | disable}
set remove-private-as {enable | disable}
set remove-private-as6 {enable | disable}
set route-reflector-client {enable | disable}
set route-reflector-client6 {enable | disable}
set route-server-client {enable | disable}
set route-server-client6 {enable | disable}
set shutdown {enable | disable}
set soft-reconfiguration {enable | disable}
set soft-reconfiguration6 {enable | disable}
set as-override {enable | disable}
set as-override6 {enable | disable}
set strict-capability-match {enable | disable}
set default-originate-routemap <string>
set default-originate-routemap6 <string>
set description <string>
set distribute-list-in <string>
set distribute-list-in6 <string>
set distribute-list-out <string>
set distribute-list-out6 <string>
set ebgp-multihop-ttl <integer>
set filter-list-in <string>
set filter-list-in6 <string>
set filter-list-out <string>
set filter-list-out6 <string>
set interface <string>
set maximum-prefix <integer>
set maximum-prefix6 <integer>
set maximum-prefix-threshold <integer>
set maximum-prefix-threshold6 <integer>
set maximum-prefix-warning-only {enable | disable}
set maximum-prefix-warning-only6 {enable | disable}
set prefix-list-in <string>
set prefix-list-in6 <string>
set prefix-list-out <string>
set prefix-list-out6 <string>
set remote-as <integer>
set retain-stale-time <integer>
set route-map-in <string>
set route-map-in6 <string>
set route-map-out <string>
set route-map-out6 <string>
set send-community {standard | extended | both | disable}
set send-community6 {standard | extended | both | disable}
set keep-alive-timer <integer>
set holdtime-timer <integer>
set connect-timer <integer>
set unsuppress-map <string>
set unsuppress-map6 <string>
set update-source <string>
set weight <integer>
set restart-time <integer>
end
config neighbor-range
edit <name_str>
set id <integer>
set prefix <ipv4-classnet>
set max-neighbor-num <integer>
set neighbor-group <string>
end
config network
edit <name_str>
set id <integer>
set prefix <ipv4-classnet>
set backdoor {enable | disable}
set route-map <string>
end
config network6
edit <name_str>
set id <integer>
set prefix6 <ipv6-network>
set backdoor {enable | disable}
set route-map <string>
end
config redistribute
edit <name_str>
set name <string>
set status {enable | disable}
set route-map <string>
end
config redistribute6
edit <name_str>
set name <string>
set status {enable | disable}
set route-map <string>
end
config admin-distance
edit <name_str>
set id <integer>
set neighbour-prefix <ipv4-classnet>
set route-list <string>
set distance <integer>
end
end

Description
Configuration Description Default Value

as Router AS number. 0

router-id Router ID. 0.0.0.0

keepalive-timer Frequency to send keep alive requests. 60

holdtime-timer Number of seconds to mark peer as dead. 180

always-compare-med Enable/disable always compare MED. disable

bestpath-as-path-ignore Enable/disable ignore AS path. disable

bestpath-cmp-confed-aspath Enable/disable compare federation AS path length. disable

bestpath-cmp-routerid Enable/disable compare router ID for identical EBGP paths. disable

bestpath-med-confed Enable/disable compare MED among confederation paths. disable

bestpath-med-missing-as-worst Enable/disable treat missing MED as least preferred. disable

client-to-client-reflection Enable/disable client-to-client route reflection. enable

dampening Enable/disable route-flap dampening. disable

deterministic-med Enable/disable enforce deterministic comparison of MED. disable

ebgp-multipath Enable/disable EBGP multi-path. disable

ibgp-multipath Enable/disable IBGP multi-path. disable

enforce-first-as Enable/disable enforce first AS for EBGP routes. enable

fast-external-failover Enable/disable reset peer BGP session if link goes down. enable

log-neighbour-changes Enable logging of BGP neighbour's changes. enable

network-import-check Enable/disable ensure BGP network route exists in IGP. enable

ignore-optional-capability Don't send unknown optional capability notification message. enable

cluster-id Route reflector cluster ID. 0.0.0.0

confederation-identifier Confederation identifier. 0

confederation-peers Confederation peers. (Empty)

dampening-route-map Criteria for dampening. (Empty)

dampening-reachability-half-life Reachability half-life time for penalty (min). 15

dampening-reuse Threshold to reuse routes. 750

dampening-suppress Threshold to suppress routes. 2000

dampening-max-suppress-time Maximum minutes a route can be suppressed. 60

dampening-unreachability-half-life Unreachability half-life time for penalty (min). 15

default-local-preference Default local preference. 100

scan-time Background scanner interval (sec). 60

distance-external Distance for routes external to the AS. 20

distance-internal Distance for routes internal to the AS. 200

distance-local Distance for routes local to the AS. 200

synchronization Enable/disable only advertise routes from iBGP if routes present in an IGP. disable

graceful-restart Enable/disable BGP graceful restart capabilities. disable

graceful-restart-time Time needed for neighbors to restart (sec). 120

graceful-stalepath-time Time to hold stale paths of restarting neighbor (sec). 360

graceful-update-delay Route advertisement/selection delay after restart (sec). 120

aggregate-address BGP aggregate address table. (Empty)

aggregate-address6 BGP IPv6 aggregate address table. (Empty)

neighbor BGP neighbor table. (Empty)

neighbor-group BGP neighbor group table. (Empty)

neighbor-range BGP neighbor range table. (Empty)

network BGP network table. (Empty)

network6 BGP IPv6 network table. (Empty)

redistribute BGP IPv4 redistribute table. (Empty)

redistribute6 BGP IPv6 redistribute table. (Empty)

admin-distance Administrative distance modifications. (Empty)
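The access-list and BGP tables above are listed as isolated knobs; the following added example (not from the reference) combines them into one hardened eBGP peering: an inbound access-list limiting what the peer may announce, a prefix cap that tears the session down when exceeded, and a shared session password. Names, addresses, AS numbers and the `<shared-secret>` placeholder are constructed; `config router bgp` is assumed to be a single global table entered without an `edit` entry, as on a FortiGate in practice, and lines beginning with `#` are annotations.

```text
# Access-list naming the only prefix customer A is allowed to announce.
config router access-list
    edit "CUST-A-IN"
        set comments "Prefixes customer A may announce"
        config rule
            edit 1
                set action permit
                set prefix 198.51.100.0 255.255.255.0
                set exact-match enable
            next
        end
        # Prefixes matching no rule are dropped by the list's implicit deny.
    next
end

config router bgp
    set as 64500
    set router-id 192.0.2.1
    # Log every neighbour state change so session flaps reach the SOC.
    set log-neighbour-changes enable
    # Only advertise networks that actually exist in the IGP.
    set network-import-check enable
    config neighbor
        edit "203.0.113.2"
            set remote-as 64496
            set description "Customer A eBGP"
            # TCP MD5 session password; both sides must share it.
            set password "<shared-secret>"
            # Inbound filter: only CUST-A-IN prefixes enter the BGP table.
            set distribute-list-in "CUST-A-IN"
            # Reset the session once more than 50 prefixes are received
            # (warning-only disabled); warn at 80% of that limit.
            set maximum-prefix 50
            set maximum-prefix-threshold 80
            set maximum-prefix-warning-only disable
            # Strip private ASNs from what we send this external peer.
            set remove-private-as enable
            # Fast failure detection of the peer.
            set bfd enable
        next
    end
    config network
        edit 1
            set prefix 192.0.2.0 255.255.255.0
        next
    end
end
```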

router/community-list
CLI Syntax
config router community-list
edit <name_str>
set name <string>
set type {standard | expanded}
config rule
edit <name_str>
set id <integer>
set action {deny | permit}
set regexp <string>
set match <string>
end
end

Description
Configuration Description Default Value

name Community list name. (Empty)

type Community list type. standard

rule Community list rule. (Empty)

router/isis
CLI Syntax
config router isis
edit <name_str>
set is-type {level-1-2 | level-1 | level-2-only}
set auth-mode-l1 {password | md5}
set auth-mode-l2 {password | md5}
set auth-password-l1 <password>
set auth-password-l2 <password>
set auth-keychain-l1 <string>
set auth-keychain-l2 <string>
set auth-sendonly-l1 {enable | disable}
set auth-sendonly-l2 {enable | disable}
set ignore-lsp-errors {enable | disable}
set lsp-gen-interval-l1 <integer>
set lsp-gen-interval-l2 <integer>
set lsp-refresh-interval <integer>
set max-lsp-lifetime <integer>
set spf-interval-exp-l1 <user>
set spf-interval-exp-l2 <user>
set dynamic-hostname {enable | disable}
set adjacency-check {enable | disable}
set overload-bit {enable | disable}
set overload-bit-suppress {external | interlevel}
set overload-bit-on-startup <integer>
set default-originate {enable | disable}
set metric-style {narrow | narrow-transition | narrow-transition-l1 | narrow-transition-l2 | wide | wide-l1 | wide-l2 | wide-transition | wide-transition-l1 | wide-transition-l2 | transition | transition-l1 | transition-l2}
set redistribute-l1 {enable | disable}
set redistribute-l1-list <string>
set redistribute-l2 {enable | disable}
set redistribute-l2-list <string>
config isis-net
edit <name_str>
set id <integer>
set net <user>
end
config isis-interface
edit <name_str>
set name <string>
set status {enable | disable}
set network-type {broadcast | point-to-point}
set circuit-type {level-1-2 | level-1 | level-2}
set csnp-interval-l1 <integer>
set csnp-interval-l2 <integer>
set hello-interval-l1 <integer>
set hello-interval-l2 <integer>
set hello-multiplier-l1 <integer>
set hello-multiplier-l2 <integer>
set hello-padding {enable | disable}
set lsp-interval <integer>
set lsp-retransmit-interval <integer>
set metric-l1 <integer>
set metric-l2 <integer>
set wide-metric-l1 <integer>
set wide-metric-l2 <integer>
set auth-password-l1 <password>
set auth-password-l2 <password>
set auth-keychain-l1 <string>
set auth-keychain-l2 <string>
set auth-send-only-l1 {enable | disable}
set auth-send-only-l2 {enable | disable}
set auth-mode-l1 {md5 | password}
set auth-mode-l2 {md5 | password}
set priority-l1 <integer>
set priority-l2 <integer>
set mesh-group {enable | disable}
set mesh-group-id <integer>
end
config summary-address
edit <name_str>
set id <integer>
set prefix <ipv4-classnet-any>
set level {level-1-2 | level-1 | level-2}
end
config redistribute
edit <name_str>
set protocol <string>
set status {enable | disable}
set metric <integer>
set metric-type {external | internal}
set level {level-1-2 | level-1 | level-2}
set routemap <string>
end
end

Description
Configuration Description Default Value

is-type IS type. level-1-2

auth-mode-l1 Level 1 authentication mode. password

auth-mode-l2 Level 2 authentication mode. password

auth-password-l1 Authentication password for level 1 PDUs. (Empty)

auth-password-l2 Authentication password for level 2 PDUs. (Empty)

auth-keychain-l1 Authentication key-chain for level 1 PDUs. (Empty)

auth-keychain-l2 Authentication key-chain for level 2 PDUs. (Empty)

auth-sendonly-l1 Enable/disable level 1 authentication send-only. disable

auth-sendonly-l2 Enable/disable level 2 authentication send-only. disable

ignore-lsp-errors Enable/disable ignoring of LSP errors with bad checksums. disable

lsp-gen-interval-l1 Minimum interval for level 1 LSP regenerating. 30

lsp-gen-interval-l2 Minimum interval for level 2 LSP regenerating. 30

lsp-refresh-interval LSP refresh time in seconds. 900

max-lsp-lifetime Maximum LSP lifetime in seconds. 1200

spf-interval-exp-l1 Level 1 SPF calculation delay. 500 50000

spf-interval-exp-l2 Level 2 SPF calculation delay. 500 50000

dynamic-hostname Enable/disable dynamic hostname. disable

adjacency-check Enable/disable adjacency check. disable

overload-bit Enable/disable signal other routers not to use us in SPF. disable

overload-bit-suppress Suppress overload-bit for the specific prefixes. (Empty)

overload-bit-on-startup Overload-bit only temporarily after reboot. 0

default-originate Enable/disable control distribution of default information. disable

metric-style Use old-style (ISO 10589) or new-style packet formats. narrow

redistribute-l1 Enable/disable redistribute level 1 routes into level 2. disable

redistribute-l1-list Access-list for redistribute l1 to l2. (Empty)

redistribute-l2 Enable/disable redistribute level 2 routes into level 1. disable

redistribute-l2-list Access-list for redistribute l2 to l1. (Empty)

isis-net IS-IS net configuration. (Empty)

isis-interface IS-IS interface configuration. (Empty)

summary-address IS-IS summary addresses. (Empty)

redistribute IS-IS redistribute protocols. (Empty)

router/key-chain
CLI Syntax
config router key-chain
edit <name_str>
set name <string>
config key
edit <name_str>
set id <integer>
set accept-lifetime <user>
set send-lifetime <user>
set key-string <string>
end
end

Description
Configuration Description Default Value

name Key-chain name. (Empty)

key Key. (Empty)
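The key-chain table above is what the IS-IS `auth-keychain-l1`/`auth-keychain-l2` attributes refer to; this added example (not from the reference) shows the two used together for MD5-authenticated IS-IS so the key can be rotated in the chain without touching the routing process. The NET, interface name and key placeholder are constructed; the `accept-lifetime`/`send-lifetime` argument format (start time and date, then `infinite`), the seconds unit of `overload-bit-on-startup`, and entering `config router isis` without an `edit` entry are assumptions, and `#` lines are annotations.

```text
config router key-chain
    edit "ISIS-KEYS"
        config key
            edit 1
                set key-string "<isis-key-placeholder>"
                # Lifetime format assumed: hh:mm:ss day month year, then end/infinite.
                set accept-lifetime 00:00:00 01 01 2016 infinite
                set send-lifetime 00:00:00 01 01 2016 infinite
            next
        end
    next
end

config router isis
    set is-type level-1-2
    # MD5-authenticate LSPs and SNPs at both levels using the key chain;
    # send-only stays disabled so received PDUs are verified, not just signed.
    set auth-mode-l1 md5
    set auth-mode-l2 md5
    set auth-keychain-l1 "ISIS-KEYS"
    set auth-keychain-l2 "ISIS-KEYS"
    set auth-sendonly-l1 disable
    set auth-sendonly-l2 disable
    # Discard LSPs with bad checksums instead of accepting them.
    set ignore-lsp-errors disable
    # Set the overload bit for 60 s (unit assumed) after a reboot so peers do
    # not route transit traffic through this node before its table converges.
    set overload-bit-on-startup 60
    config isis-net
        edit 1
            # Area 49.0001, system ID derived from 192.168.1.1, NSEL 00.
            set net 49.0001.1921.6800.1001.00
        next
    end
    config isis-interface
        edit "port3"
            set status enable
            set network-type point-to-point
            set circuit-type level-1-2
            # Interface-level authentication covers the hello (IIH) PDUs.
            set auth-mode-l1 md5
            set auth-mode-l2 md5
            set auth-keychain-l1 "ISIS-KEYS"
            set auth-keychain-l2 "ISIS-KEYS"
            set auth-send-only-l1 disable
            set auth-send-only-l2 disable
        next
    end
end
```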

router/multicast
CLI Syntax
config router multicast
edit <name_str>
set route-threshold <integer>
set route-limit <integer>
set igmp-state-limit <integer>
set multicast-routing {enable | disable}
config pim-sm-global
edit <name_str>
set message-interval <integer>
set join-prune-holdtime <integer>
set accept-register-list <string>
set bsr-candidate {enable | disable}
set bsr-interface <string>
set bsr-priority <integer>
set bsr-hash <integer>
set bsr-allow-quick-refresh {enable | disable}
set cisco-register-checksum {enable | disable}
set cisco-register-checksum-group <string>
set cisco-crp-prefix {enable | disable}
set cisco-ignore-rp-set-priority {enable | disable}
set register-rp-reachability {enable | disable}
set register-source {disable | interface | ip-address}
set register-source-interface <string>
set register-source-ip <ipv4-address>
set register-supression <integer>
set null-register-retries <integer>
set rp-register-keepalive <integer>
set spt-threshold {enable | disable}
set spt-threshold-group <string>
set ssm {enable | disable}
set ssm-range <string>
set register-rate-limit <integer>
config rp-address
edit <name_str>
set id <integer>
set ip-address <ipv4-address>
set group <string>
end
end
config interface
edit <name_str>
set name <string>
set ttl-threshold <integer>
set pim-mode {sparse-mode | dense-mode}
set passive {enable | disable}
set bfd {enable | disable}
set neighbour-filter <string>
set hello-interval <integer>
set hello-holdtime <integer>
set cisco-exclude-genid {enable | disable}
set dr-priority <integer>
set propagation-delay <integer>
set state-refresh-interval <integer>
set rp-candidate {enable | disable}
set rp-candidate-group <string>
set rp-candidate-priority <integer>
set rp-candidate-interval <integer>
set multicast-flow <string>
set static-group <string>
config join-group
edit <name_str>
set address <ipv4-address-any>
end
config igmp
edit <name_str>
set access-group <string>
set version {3 | 2 | 1}
set immediate-leave-group <string>
set last-member-query-interval <integer>
set last-member-query-count <integer>
set query-max-response-time <integer>
set query-interval <integer>
set query-timeout <integer>
set router-alert-check {enable | disable}
end
end
end

Description
Configuration Description Default Value

route-threshold Generate warnings when number of multicast routes exceeds this number. 2147483647

route-limit Maximum number of multicast routes. 2147483647

igmp-state-limit Maximum IGMP memberships (system wide). 3200

multicast-routing Enable/disable multicast routing. disable

pim-sm-global PIM sparse-mode global settings. Details below

Configuration Default Value


message-interval 60
join-prune-holdtime 210
accept-register-list (Empty)
bsr-candidate disable
bsr-interface (Empty)
bsr-priority 0
bsr-hash 10
bsr-allow-quick-refresh disable
cisco-register-checksum disable
cisco-register-checksum-group (Empty)
cisco-crp-prefix disable
cisco-ignore-rp-set-priority disable
register-rp-reachability enable
register-source disable
register-source-interface (Empty)
register-source-ip 0.0.0.0
register-supression 60
null-register-retries 1
rp-register-keepalive 185
spt-threshold enable
spt-threshold-group (Empty)
ssm disable
ssm-range (Empty)
register-rate-limit 0
rp-address (Empty)

interface PIM interfaces. (Empty)

router/multicast-flow
CLI Syntax
config router multicast-flow
edit <name_str>
set name <string>
set comments <string>
config flows
edit <name_str>
set id <integer>
set group-addr <ipv4-address-any>
set source-addr <ipv4-address-any>
end
end

Description
Configuration Description Default Value

name Name. (Empty)

comments Comment. (Empty)

flows Multicast-flow entries. (Empty)
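The multicast and multicast-flow tables above list their attributes separately; this added example (not from the reference) puts them together as a PIM sparse-mode interface with bounded multicast state, a PIM neighbour filter, an IGMP group filter and a named flow binding. Interface names, addresses and limits are constructed; `config router multicast`, `config pim-sm-global` and `config igmp` are assumed to be entered without an `edit` entry, as on a FortiGate in practice, the flow binding is assumed to restrict the (source, group) pairs accepted on the interface, and `#` lines are annotations.

```text
# Routers allowed to become PIM neighbours, and groups hosts may join.
config router access-list
    edit "PIM-PEERS"
        config rule
            edit 1
                set action permit
                set prefix 10.10.0.0 255.255.255.0
            next
        end
    next
    edit "IGMP-GROUPS"
        config rule
            edit 1
                set action permit
                set prefix 239.1.1.0 255.255.255.0
            next
        end
    next
end

# The one (S,G) pair the video wall is expected to receive.
config router multicast-flow
    edit "VIDEO-FEED"
        set comments "Permitted source/group for the video wall"
        config flows
            edit 1
                set group-addr 239.1.1.10
                set source-addr 10.20.0.5
            next
        end
    next
end

config router multicast
    set multicast-routing enable
    # Cap multicast route and IGMP membership state; warn before the cap.
    set route-limit 1000
    set route-threshold 800
    set igmp-state-limit 500
    config pim-sm-global
        # Rate-limit PIM Register messages handled by this RP.
        set register-rate-limit 100
        config rp-address
            edit 1
                set ip-address 10.10.0.1
            next
        end
    end
    config interface
        edit "port4"
            set pim-mode sparse-mode
            # Only routers in PIM-PEERS may form a PIM adjacency on this port.
            set neighbour-filter "PIM-PEERS"
            # Bind the named flow (assumed to restrict accepted (S,G) pairs).
            set multicast-flow "VIDEO-FEED"
            config igmp
                set version 2
                # Hosts may only join groups permitted by IGMP-GROUPS.
                set access-group "IGMP-GROUPS"
                # Require the IP Router Alert option on IGMP packets.
                set router-alert-check enable
            end
        next
    end
end
```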

router/multicast6
CLI Syntax
config router multicast6
edit <name_str>
set multicast-routing {enable | disable}
config interface
edit <name_str>
set name <string>
set hello-interval <integer>
set hello-holdtime <integer>
end
config pim-sm-global
edit <name_str>
set register-rate-limit <integer>
config rp-address
edit <name_str>
set id <integer>
set ip6-address <ipv6-address>
end
end
end

Description
Configuration Description Default Value

multicast-routing Enable/disable multicast routing. disable

interface PIM interfaces. (Empty)

pim-sm-global PIM sparse-mode global settings. Details below

Configuration Default Value


register-rate-limit 0
rp-address (Empty)

router/ospf
CLI Syntax
config router ospf
edit <name_str>
set abr-type {cisco | ibm | shortcut | standard}
set auto-cost-ref-bandwidth <integer>
set distance-external <integer>
set distance-inter-area <integer>
set distance-intra-area <integer>
set database-overflow {enable | disable}
set database-overflow-max-lsas <integer>
set database-overflow-time-to-recover <integer>
set default-information-originate {enable | always | disable}
set default-information-metric <integer>
set default-information-metric-type {1 | 2}
set default-information-route-map <string>
set default-metric <integer>
set distance <integer>
set rfc1583-compatible {enable | disable}
set router-id <ipv4-address-any>
set spf-timers <user>
set bfd {enable | disable}
set log-neighbour-changes {enable | disable}
set distribute-list-in <string>
set distribute-route-map-in <string>
set restart-mode {none | lls | graceful-restart}
set restart-period <integer>
config area
edit <name_str>
set id <ipv4-address-any>
set shortcut {disable | enable | default}
set authentication {none | text | md5}
set default-cost <integer>
set nssa-translator-role {candidate | never | always}
set stub-type {no-summary | summary}
set type {regular | nssa | stub}
set nssa-default-information-originate {enable | always | disable}
set nssa-default-information-originate-metric <integer>
set nssa-default-information-originate-metric-type {1 | 2}
set nssa-redistribution {enable | disable}
config range
edit <name_str>
set id <integer>
set prefix <ipv4-classnet-any>
set advertise {disable | enable}
set substitute <ipv4-classnet-any>
set substitute-status {enable | disable}
end
config virtual-link
edit <name_str>
set name <string>
set authentication {none | text | md5}
set authentication-key <password>
set md5-key <user>
set dead-interval <integer>
set hello-interval <integer>
set retransmit-interval <integer>
set transmit-delay <integer>
set peer <ipv4-address-any>
end
config filter-list
edit <name_str>
set id <integer>
set list <string>
set direction {in | out}
end
end
config ospf-interface
edit <name_str>
set name <string>
set interface <string>
set ip <ipv4-address>
set authentication {none | text | md5}
set authentication-key <password>
set md5-key <user>
set prefix-length <integer>
set retransmit-interval <integer>
set transmit-delay <integer>
set cost <integer>
set priority <integer>
set dead-interval <integer>
set hello-interval <integer>
set hello-multiplier <integer>
set database-filter-out {enable | disable}
set mtu <integer>
set mtu-ignore {enable | disable}
set network-type {broadcast | non-broadcast | point-to-point | point-to-multipoint | point-to-multipoint-non-broadcast}
set bfd {global | enable | disable}
set status {disable | enable}
set resync-timeout <integer>
end
config network
edit <name_str>
set id <integer>
set prefix <ipv4-classnet>
set area <ipv4-address-any>
end
config neighbor
edit <name_str>
set id <integer>
set ip <ipv4-address>
set poll-interval <integer>
set cost <integer>
set priority <integer>
end
config passive-interface
edit <name_str>
set name <string>
end
config summary-address
edit <name_str>
set id <integer>
set prefix <ipv4-classnet>
set tag <integer>
set advertise {disable | enable}
end
config distribute-list
edit <name_str>
set id <integer>
set access-list <string>
set protocol {connected | static | rip}
end
config redistribute
edit <name_str>
set name <string>
set status {enable | disable}
set metric <integer>
set routemap <string>
set metric-type {1 | 2}
set tag <integer>
end
end

Description

Configuration                       Description                                                               Default Value
abr-type                            Area border router type.                                                  standard
auto-cost-ref-bandwidth             Reference bandwidth in terms of megabits per second.                      1000
distance-external                   Administrative external distance.                                         110
distance-inter-area                 Administrative inter-area distance.                                       110
distance-intra-area                 Administrative intra-area distance.                                       110
database-overflow                   Enable/disable database overflow.                                         disable
database-overflow-max-lsas          Database overflow maximum LSAs.                                           10000
database-overflow-time-to-recover   Database overflow time to recover (sec).                                  300
default-information-originate       Enable/disable generation of default route.                               disable
default-information-metric          Default information metric.                                               10
default-information-metric-type     Default information metric type.                                          2
default-information-route-map       Default information route map.                                            (Empty)
default-metric                      Default metric of redistribute routes.                                    10
distance                            Distance of the route.                                                    110
rfc1583-compatible                  Enable/disable RFC1583 compatibility.                                     disable
router-id                           Router ID.                                                                0.0.0.0
spf-timers                          SPF calculation frequency.                                                5 10
bfd                                 Bidirectional Forwarding Detection (BFD).                                 disable
log-neighbour-changes               Enable logging of OSPF neighbour changes.                                 enable
distribute-list-in                  Filter incoming routes.                                                   (Empty)
distribute-route-map-in             Filter incoming external routes by route-map.                             (Empty)
restart-mode                        OSPF restart mode (graceful or LLS).                                      none
restart-period                      Graceful restart period.                                                  120
area                                OSPF area configuration.                                                  (Empty)
ospf-interface                      OSPF interface configuration.                                             (Empty)
network                             OSPF network configuration.                                               (Empty)
neighbor                            OSPF neighbor configuration, used when OSPF runs on non-broadcast media.  (Empty)
passive-interface                   Passive interface configuration.                                          (Empty)
summary-address                     IP address summary configuration.                                         (Empty)
distribute-list                     Distribute list configuration.                                            (Empty)
redistribute                        Redistribute configuration.                                               (Empty)

router/ospf6
CLI Syntax
config router ospf6
edit <name_str>
set abr-type {cisco | ibm | standard}
set auto-cost-ref-bandwidth <integer>
set default-information-originate {enable | always | disable}
set log-neighbour-changes {enable | disable}
set default-information-metric <integer>
set default-information-metric-type {1 | 2}
set default-information-route-map <string>
set default-metric <integer>
set router-id <ipv4-address-any>
set spf-timers <user>
config area
edit <name_str>
set id <ipv4-address-any>
set default-cost <integer>
set nssa-translator-role {candidate | never | always}
set stub-type {no-summary | summary}
set type {regular | nssa | stub}
set nssa-default-information-originate {enable | disable}
set nssa-default-information-originate-metric <integer>
set nssa-default-information-originate-metric-type {1 | 2}
set nssa-redistribution {enable | disable}
config range
edit <name_str>
set id <integer>
set prefix6 <ipv6-network>
set advertise {disable | enable}
end
config virtual-link
edit <name_str>
set name <string>
set dead-interval <integer>
set hello-interval <integer>
set retransmit-interval <integer>
set transmit-delay <integer>
set peer <ipv4-address-any>
end
end
config ospf6-interface
edit <name_str>
set name <string>
set area-id <ipv4-address-any>
set interface <string>
set retransmit-interval <integer>
set transmit-delay <integer>
set cost <integer>
set priority <integer>
set dead-interval <integer>
set hello-interval <integer>
set status {disable | enable}
set network-type {broadcast | non-broadcast | point-to-point | point-to-multipoint | point-to-multipoint-non-broadcast}
config neighbor
edit <name_str>
set ip6 <ipv6-address>
set poll-interval <integer>
set cost <integer>
set priority <integer>
end
end
config passive-interface
edit <name_str>
set name <string>
end
config redistribute
edit <name_str>
set name <string>
set status {enable | disable}
set metric <integer>
set routemap <string>
set metric-type {1 | 2}
end
config summary-address
edit <name_str>
set id <integer>
set prefix6 <ipv6-network>
set advertise {disable | enable}
set tag <integer>
end
end

Description

Configuration                       Description                                           Default Value
abr-type                            Area border router type.                              standard
auto-cost-ref-bandwidth             Reference bandwidth in terms of megabits per second.  1000
default-information-originate       Enable/disable generation of default route.           disable
log-neighbour-changes               Enable logging of OSPFv3 neighbour changes.           enable
default-information-metric          Default information metric.                           10
default-information-metric-type     Default information metric type.                      2
default-information-route-map       Default information route map.                        (Empty)
default-metric                      Default metric of redistribute routes.                20
router-id                           A.B.C.D, in IPv4 address format.                      0.0.0.0
spf-timers                          SPF calculation frequency.                            5 10
area                                OSPF6 area configuration.                             (Empty)
ospf6-interface                     OSPF6 interface configuration.                        (Empty)
passive-interface                   Passive interface configuration.                      (Empty)
redistribute                        Redistribute configuration.                           (Empty)
summary-address                     IPv6 address summary configuration.                   (Empty)

router/policy
CLI Syntax
config router policy
edit <name_str>
set seq-num <integer>
config input-device
edit <name_str>
set name <string>
end
config src
edit <name_str>
set subnet <string>
end
config srcaddr
edit <name_str>
set name <string>
end
set src-negate {enable | disable}
config dst
edit <name_str>
set subnet <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set dst-negate {enable | disable}
set action {deny | permit}
set protocol <integer>
set start-port <integer>
set end-port <integer>
set start-source-port <integer>
set end-source-port <integer>
set gateway <ipv4-address>
set output-device <string>
set tos <user>
set tos-mask <user>
set comments <var-string>
end

Description

Configuration               Description                                         Default Value
seq-num                     Sequence number.                                    0
input-device                Incoming interface name.                            (Empty)
src                         Source IP and mask (x.x.x.x/x).                     (Empty)
srcaddr                     Source address name.                                (Empty)
src-negate                  Enable/disable negated source address match.        disable
dst                         Destination IP and mask (x.x.x.x/x).                (Empty)
dstaddr                     Destination address name.                           (Empty)
dst-negate                  Enable/disable negated destination address match.   disable
action                      Action of the policy route.                         permit
protocol                    Protocol number.                                    0
start-port                  Start destination port number.                      1
end-port                    End destination port number.                        65535
start-source-port           Start source port number.                           1
end-source-port             End source port number.                             65535
gateway                     IP address of gateway.                              0.0.0.0
output-device               Outgoing interface name.                            (Empty)
tos                         Type of service bit pattern.                        0x00
tos-mask                    Type of service evaluated bits.                     0x00
comments                    Comment.                                            (Empty)

router/policy6
CLI Syntax
config router policy6
edit <name_str>
set seq-num <integer>
set input-device <string>
set src <ipv6-network>
set dst <ipv6-network>
set protocol <integer>
set start-port <integer>
set end-port <integer>
set gateway <ipv6-address>
set output-device <string>
set tos <user>
set tos-mask <user>
set comments <var-string>
end

Description

Configuration               Description                       Default Value
seq-num                     Sequence number.                  0
input-device                Incoming interface name.          (Empty)
src                         Source IPv6 prefix.               ::/0
dst                         Destination IPv6 prefix.          ::/0
protocol                    Protocol number.                  0
start-port                  Start port number.                1
end-port                    End port number.                  65535
gateway                     IPv6 address of gateway.          ::
output-device               Outgoing interface name.          (Empty)
tos                         Type of service bit pattern.      0x00
tos-mask                    Type of service evaluated bits.   0x00
comments                    Comment.                          (Empty)

router/prefix-list
CLI Syntax
config router prefix-list
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set action {permit | deny}
set prefix <user>
set ge <integer>
set le <integer>
set flags <integer>
end
end

Description

Configuration               Description  Default Value
name                        Name.        (Empty)
comments                    Comment.     (Empty)
rule                        Rule.        (Empty)

router/prefix-list6
CLI Syntax
config router prefix-list6
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set action {permit | deny}
set prefix6 <user>
set ge <integer>
set le <integer>
set flags <integer>
end
end

Description

Configuration               Description  Default Value
name                        Name.        (Empty)
comments                    Comment.     (Empty)
rule                        Rule.        (Empty)

router/rip
CLI Syntax
config router rip
edit <name_str>
set default-information-originate {enable | disable}
set default-metric <integer>
set max-out-metric <integer>
set recv-buffer-size <integer>
config distance
edit <name_str>
set id <integer>
set prefix <ipv4-classnet-any>
set distance <integer>
set access-list <string>
end
config distribute-list
edit <name_str>
set id <integer>
set status {enable | disable}
set direction {in | out}
set listname <string>
set interface <string>
end
config neighbor
edit <name_str>
set id <integer>
set ip <ipv4-address>
end
config network
edit <name_str>
set id <integer>
set prefix <ipv4-classnet>
end
config offset-list
edit <name_str>
set id <integer>
set status {enable | disable}
set direction {in | out}
set access-list <string>
set offset <integer>
set interface <string>
end
config passive-interface
edit <name_str>
set name <string>
end
config redistribute
edit <name_str>
set name <string>
set status {enable | disable}
set metric <integer>
set routemap <string>
set flags <integer>
end
set update-timer <integer>
set timeout-timer <integer>
set garbage-timer <integer>
set version {1 | 2}
config interface
edit <name_str>
set name <string>
set auth-keychain <string>
set auth-mode {none | text | md5}
set auth-string <password>
set receive-version {1 | 2}
set send-version {1 | 2}
set send-version2-broadcast {disable | enable}
set split-horizon-status {enable | disable}
set split-horizon {poisoned | regular}
set flags <integer>
end
end

Description

Configuration                       Description                                             Default Value
default-information-originate       Enable/disable generation of default route.             disable
default-metric                      Default metric.                                         1
max-out-metric                      Maximum metric allowed to output (0 means 'not set').   0
recv-buffer-size                    Receiving buffer size.                                  655360
distance                            Distance.                                               (Empty)
distribute-list                     Distribute list.                                        (Empty)
neighbor                            Neighbor.                                               (Empty)
network                             Network.                                                (Empty)
offset-list                         Offset list.                                            (Empty)
passive-interface                   Passive interface configuration.                        (Empty)
redistribute                        Redistribute configuration.                             (Empty)
update-timer                        Update timer.                                           30
timeout-timer                       Timeout timer.                                          180
garbage-timer                       Garbage timer.                                          120
version                             RIP version.                                            2
interface                           RIP interface configuration.                            (Empty)
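The OSPF syntax listed earlier on this page exposes authentication {none | text | md5} on each ospf-interface and on each area's virtual-link, and the RIP syntax above exposes auth-mode {none | text | md5} on each interface. Of the three choices only md5 keys the updates; none leaves them unauthenticated and text puts the password on the wire in cleartext. The following script is an added example, not Fortinet's code and not part of this reference: it parses the generic FortiOS config / edit / set / next / end structure from a saved configuration and reports every OSPF interface, OSPF virtual link or RIP interface whose mode is none or text. The sample configuration is constructed for the example (the next keyword closes each edit entry, as it does in a saved FortiOS configuration, although the syntax listings on this page omit it), and treating an unset mode as none is an assumption about the default, which this page does not state.

```python
"""Offline audit of FortiOS routing-protocol authentication (added example, not Fortinet code)."""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field


@dataclass
class Node:
    settings: dict[str, list[str]] = field(default_factory=dict)   # 'set' values
    tables: dict[str, dict[str, Node]] = field(default_factory=dict)  # nested 'config' tables


def parse_fortios(text: str) -> Node:
    """'config <name>' opens a table under the current node and 'edit <key>' an entry in it;
    'set' lines directly inside a 'config' block (e.g. 'router ospf') go to the entry key ""."""
    root = Node()
    nodes = [root]                      # nodes that receive 'set' lines
    tables: list[dict[str, Node]] = []  # tables that receive 'edit' lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *args = shlex.split(line)
        if keyword == "config":
            table = nodes[-1].tables.setdefault(" ".join(args), {})
            tables.append(table)
            nodes.append(table.setdefault("", Node()))
        elif keyword == "edit":
            nodes.append(tables[-1].setdefault(" ".join(args), Node()))
        elif keyword == "set":
            nodes[-1].settings[args[0]] = args[1:]
        elif keyword == "unset":
            nodes[-1].settings.pop(args[0], None)
        elif keyword == "next":
            nodes.pop()
        elif keyword == "end":
            implicit, table = nodes.pop(), tables.pop()
            if not implicit.settings and not implicit.tables:
                del table[""]           # the table only ever held 'edit' entries
        else:
            raise ValueError(f"unexpected configuration line: {line!r}")
    return root


# Choices this page lists for OSPF 'authentication' and RIP 'auth-mode' that leave
# updates unauthenticated or send the password in cleartext; 'md5' is the keyed one.
WEAK_MODES = {"none": "no authentication", "text": "cleartext password"}


def audit_routing_auth(root: Node) -> list[str]:
    """One finding per OSPF interface, OSPF virtual link or RIP interface whose mode
    is weak.  An unset mode is treated as 'none' (an assumption about the default)."""
    findings: list[str] = []

    def check(where: str, node: Node, key: str) -> None:
        mode = node.settings.get(key, ["none"])[0]
        if mode in WEAK_MODES:
            findings.append(f"{where}: {key} is {mode} ({WEAK_MODES[mode]})")
    ospf = root.tables.get("router ospf", {}).get("", Node())
    for name, entry in ospf.tables.get("ospf-interface", {}).items():
        check(f"ospf-interface {name}", entry, "authentication")
    for area_id, area in ospf.tables.get("area", {}).items():
        for name, link in area.tables.get("virtual-link", {}).items():
            check(f"area {area_id} virtual-link {name}", link, "authentication")
    rip = root.tables.get("router rip", {}).get("", Node())
    for name, entry in rip.tables.get("interface", {}).items():
        check(f"rip interface {name}", entry, "auth-mode")
    return findings


# Constructed sample in the syntax this page lists ('next' closes each 'edit' entry
# as in a saved FortiOS configuration); key material is deliberately omitted.
SAMPLE_CONFIG = """\
config router ospf
    config ospf-interface
        edit "core"
            set interface "port1"
            set authentication md5
        next
        edit "dmz"
            set authentication text
        next
        edit "lab"
        next
    end
end
config router rip
    config interface
        edit "port4"
            set auth-mode none
        next
    end
end
"""

if __name__ == "__main__":
    for finding in audit_routing_auth(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Run as a script it prints one line per weak entry in the sample (the dmz and lab OSPF interfaces and the RIP interface port4); in practice you would pass `parse_fortios` the text of a saved configuration instead of `SAMPLE_CONFIG`.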

router/ripng
CLI Syntax
config router ripng
edit <name_str>
set default-information-originate {enable | disable}
set default-metric <integer>
set max-out-metric <integer>
config distance
edit <name_str>
set id <integer>
set distance <integer>
set prefix6 <ipv6-prefix>
set access-list6 <string>
end
config distribute-list
edit <name_str>
set id <integer>
set status {enable | disable}
set direction {in | out}
set listname <string>
set interface <string>
end
config neighbor
edit <name_str>
set id <integer>
set ip6 <ipv6-address>
set interface <string>
end
config network
edit <name_str>
set id <integer>
set prefix <ipv6-prefix>
end
config aggregate-address
edit <name_str>
set id <integer>
set prefix6 <ipv6-prefix>
end
config offset-list
edit <name_str>
set id <integer>
set status {enable | disable}
set direction {in | out}
set access-list6 <string>
set offset <integer>
set interface <string>
end
config passive-interface
edit <name_str>
set name <string>
end
config redistribute
edit <name_str>
set name <string>
set status {enable | disable}
set metric <integer>
set routemap <string>
set flags <integer>
end
set update-timer <integer>
set timeout-timer <integer>
set garbage-timer <integer>
config interface
edit <name_str>
set name <string>
set split-horizon-status {enable | disable}
set split-horizon {poisoned | regular}
set flags <integer>
end
end

Description

Configuration                       Description                                             Default Value
default-information-originate       Enable/disable generation of default route.             disable
default-metric                      Default metric.                                         1
max-out-metric                      Maximum metric allowed to output (0 means 'not set').   0
distance                            Distance.                                               (Empty)
distribute-list                     Distribute list.                                        (Empty)
neighbor                            Neighbor.                                               (Empty)
network                             Network.                                                (Empty)
aggregate-address                   Aggregate address.                                      (Empty)
offset-list                         Offset list.                                            (Empty)
passive-interface                   Passive interface configuration.                        (Empty)
redistribute                        Redistribute configuration.                             (Empty)
update-timer                        Update timer.                                           30
timeout-timer                       Timeout timer.                                          180
garbage-timer                       Garbage timer.                                          120
interface                           RIPng interface configuration.                          (Empty)

router/route-map
CLI Syntax
config router route-map
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set action {permit | deny}
set match-as-path <string>
set match-community <string>
set match-community-exact {enable | disable}
set match-origin {none | egp | igp | incomplete}
set match-interface <string>
set match-ip-address <string>
set match-ip6-address <string>
set match-ip-nexthop <string>
set match-ip6-nexthop <string>
set match-metric <integer>
set match-route-type {1 | 2}
set match-tag <integer>
set set-aggregator-as <integer>
set set-aggregator-ip <ipv4-address-any>
set set-aspath-action {prepend | replace}
config set-aspath
edit <name_str>
set as <string>
end
set set-atomic-aggregate {enable | disable}
set set-community-delete <string>
config set-community
edit <name_str>
set community <string>
end
set set-community-additive {enable | disable}
set set-dampening-reachability-half-life <integer>
set set-dampening-reuse <integer>
set set-dampening-suppress <integer>
set set-dampening-max-suppress <integer>
set set-dampening-unreachability-half-life <integer>
config set-extcommunity-rt
edit <name_str>
set community <string>
end
config set-extcommunity-soo
edit <name_str>
set community <string>
end
set set-ip-nexthop <ipv4-address>
set set-ip6-nexthop <ipv6-address>
set set-ip6-nexthop-local <ipv6-address>
set set-local-preference <integer>
set set-metric <integer>
set set-metric-type {1 | 2}
set set-originator-id <ipv4-address-any>
set set-origin {none | egp | igp | incomplete}
set set-tag <integer>
set set-weight <integer>
set set-flags <integer>
set match-flags <integer>
end
end

Description

Configuration               Description  Default Value
name                        Name.        (Empty)
comments                    Comment.     (Empty)
rule                        Rule.        (Empty)

router/setting
CLI Syntax
config router setting
edit <name_str>
set show-filter <string>
set hostname <string>
end

Description

Configuration               Description                                 Default Value
show-filter                 Prefix-list as filter for showing routes.   (Empty)
hostname                    Hostname for this virtual domain router.    (Empty)

router/static
CLI Syntax
config router static
edit <name_str>
set seq-num <integer>
set dst <ipv4-classnet>
set gateway <ipv4-address>
set distance <integer>
set weight <integer>
set priority <integer>
set device <string>
set comment <var-string>
set blackhole {enable | disable}
set dynamic-gateway {enable | disable}
set virtual-wan-link {enable | disable}
set dstaddr <string>
set internet-service <integer>
set internet-service-custom <string>
end

Description

Configuration               Description                                                         Default Value
seq-num                     Entry number.                                                       0
dst                         Destination IP and mask for this route.                             0.0.0.0 0.0.0.0
gateway                     Gateway IP for this route.                                          0.0.0.0
distance                    Administrative distance (1 - 255).                                  10
weight                      Administrative weight (0 - 255).                                    0
priority                    Administrative priority (0 - 4294967295).                           0
device                      Enable/disable gateway out interface.                               (Empty)
comment                     Comment.                                                            (Empty)
blackhole                   Enable/disable black hole.                                          disable
dynamic-gateway             Enable use of dynamic gateway retrieved from a DHCP or PPP server.  disable
virtual-wan-link            Enable/disable egress through the virtual-wan-link.                 disable
dstaddr                     Name of firewall address or address group.                          (Empty)
internet-service            Application ID in the Internet service database.                    0
internet-service-custom     Application name in the Internet service custom database.           (Empty)

router/static6
CLI Syntax
config router static6
edit <name_str>
set seq-num <integer>
set dst <ipv6-network>
set gateway <ipv6-address>
set device <string>
set devindex <integer>
set distance <integer>
set priority <integer>
set comment <var-string>
set blackhole {enable | disable}
end

Description

Configuration               Description                                 Default Value
seq-num                     Sequence number.                            0
dst                         Destination IPv6 prefix for this route.     ::/0
gateway                     Gateway IPv6 address for this route.        ::
device                      Gateway out interface or tunnel.            (Empty)
devindex                    Device index (0 - 4294967295).              0
distance                    Administrative distance (1 - 255).          10
priority                    Administrative priority (0 - 4294967295).   0
comment                     Comment.                                    (Empty)
blackhole                   Enable/disable black hole.                  disable

spamfilter/bwl
CLI Syntax
config spamfilter bwl
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set status {enable | disable}
set id <integer>
set type {ip | email}
set action {reject | spam | clear}
set addr-type {ipv4 | ipv6}
set ip4-subnet <ipv4-classnet>
set ip6-subnet <ipv6-network>
set pattern-type {wildcard | regexp}
set email-pattern <string>
end
end

Description

Configuration               Description                           Default Value
id                          ID.                                   0
name                        Name of table.                        (Empty)
comment                     Comment.                              (Empty)
entries                     Anti-spam black/white list entries.   (Empty)

spamfilter/bword
CLI Syntax
config spamfilter bword
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set status {enable | disable}
set id <integer>
set pattern <string>
set pattern-type {wildcard | regexp}
set action {spam | clear}
set where {subject | body | all}
set language {western | simch | trach | japanese | korean | french | thai | spanish}
set score <integer>
end
end

Description

Configuration               Description               Default Value
id                          ID.                       0
name                        Name of table.            (Empty)
comment                     Comment.                  (Empty)
entries                     Spam filter banned word.  (Empty)

spamfilter/dnsbl
CLI Syntax
config spamfilter dnsbl
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set status {enable | disable}
set id <integer>
set server <string>
set action {reject | spam}
end
end

CLI Reference for FortiOS 5.4 401


Fortinet Technologies Inc.
Description

Configuration               Description                         Default Value
id                          ID.                                 0
name                        Name of table.                      (Empty)
comment                     Comment.                            (Empty)
entries                     Spam filter DNSBL and ORBL server.  (Empty)

spamfilter/fortishield
CLI Syntax
config spamfilter fortishield
edit <name_str>
set spam-submit-srv <string>
set spam-submit-force {enable | disable}
set spam-submit-txt2htm {enable | disable}
end

Description

Configuration               Description                                                                   Default Value
spam-submit-srv             Hostname of the spam submission server.                                       www.nospammer.net
spam-submit-force           Enable/disable force insertion of a new mime entity for the submission text.  enable
spam-submit-txt2htm         Enable/disable conversion of text email to HTML email.                        enable

spamfilter/iptrust
CLI Syntax
config spamfilter iptrust
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set status {enable | disable}
set id <integer>
set addr-type {ipv4 | ipv6}
set ip4-subnet <ipv4-classnet>
set ip6-subnet <ipv6-network>
end
end

Description

Configuration               Description                         Default Value
id                          ID.                                 0
name                        Name of table.                      (Empty)
comment                     Comment.                            (Empty)
entries                     Spam filter trusted IP addresses.   (Empty)

spamfilter/mheader
CLI Syntax
config spamfilter mheader
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set status {enable | disable}
set id <integer>
set fieldname <string>
set fieldbody <string>
set pattern-type {wildcard | regexp}
set action {spam | clear}
end
end

Description

Configuration               Description                         Default Value
id                          ID.                                 0
name                        Name of table.                      (Empty)
comment                     Comment.                            (Empty)
entries                     Spam filter mime header content.    (Empty)

spamfilter/options
CLI Syntax
config spamfilter options
edit <name_str>
set dns-timeout <integer>
end

Description

Configuration               Description                       Default Value
dns-timeout                 DNS query time out (1 - 30 sec).  7

spamfilter/profile
CLI Syntax
config spamfilter profile
edit <name_str>
set name <string>
set comment <var-string>
set flow-based {enable | disable}
set replacemsg-group <string>
set spam-log {enable | disable}
set spam-filtering {enable | disable}
set external {enable | disable}
set options {bannedword | spambwl | spamfsip | spamfssubmit | spamfschksum | spamfsurl | spamhelodns | spamraddrdns | spamrbl | spamhdrcheck | spamfsphish}
config imap
edit <name_str>
set log {enable | disable}
set action {pass | tag}
set tag-type {subject | header | spaminfo}
set tag-msg <string>
end
config pop3
edit <name_str>
set log {enable | disable}
set action {pass | tag}
set tag-type {subject | header | spaminfo}
set tag-msg <string>
end
config smtp
edit <name_str>
set log {enable | disable}
set action {pass | tag | discard}
set tag-type {subject | header | spaminfo}
set tag-msg <string>
set hdrip {enable | disable}
set local-override {enable | disable}
end
config mapi
edit <name_str>
set log {enable | disable}
set action {pass | discard}
end
config msn-hotmail
edit <name_str>
set log {enable | disable}
end
config yahoo-mail
edit <name_str>
set log {enable | disable}
end
config gmail
edit <name_str>
set log {enable | disable}
end
set spam-bword-threshold <integer>
set spam-bword-table <integer>
set spam-bwl-table <integer>
set spam-mheader-table <integer>
set spam-rbl-table <integer>
set spam-iptrust-table <integer>
end

Description

Configuration               Description                                       Default Value
name                        Profile name.                                     (Empty)
comment                     Comment.                                          (Empty)
flow-based                  Enable/disable flow-based spam filtering.         disable
replacemsg-group            Replacement message group.                        (Empty)
spam-log                    Enable/disable spam logging for email filtering.  enable
spam-filtering              Enable/disable spam filtering.                    disable
external                    Enable/disable external Email inspection.         disable
options                     Options.                                          (Empty)
imap                        IMAP.                                             Details below
    log                     disable
    action                  tag
    tag-type                subject spaminfo
    tag-msg                 Spam
pop3                        POP3.                                             Details below
    log                     disable
    action                  tag
    tag-type                subject spaminfo
    tag-msg                 Spam
smtp                        SMTP.                                             Details below
    log                     disable
    action                  discard
    tag-type                subject spaminfo
    tag-msg                 Spam
    hdrip                   disable
    local-override          disable
mapi                        MAPI.                                             Details below
    log                     disable
    action                  discard
msn-hotmail                 MSN Hotmail.                                      Details below
    log                     disable
yahoo-mail                  Yahoo! Mail.                                      Details below
    log                     disable
gmail                       Gmail.                                            Details below
    log                     disable
spam-bword-threshold        Spam banned word threshold.                       10
spam-bword-table            Anti-spam banned word table ID.                   0
spam-bwl-table              Anti-spam black/white list table ID.              0
spam-mheader-table          Anti-spam MIME header table ID.                   0
spam-rbl-table              Anti-spam DNSBL table ID.                         0
spam-iptrust-table          Anti-spam IP trust table ID.                      0

system.autoupdate/push-update
CLI Syntax
config system.autoupdate push-update
edit <name_str>
set status {enable | disable}
set override {enable | disable}
set address <ipv4-address-any>
set port <integer>
end

Description

Configuration               Description                                   Default Value
status                      Enable/disable push updates.                  disable
override                    Enable/disable push update override server.   disable
address                     Push update override server.                  0.0.0.0
port                        Push update override port.                    9443

system.autoupdate/schedule
CLI Syntax
config system.autoupdate schedule
edit <name_str>
set status {enable | disable}
set frequency {every | daily | weekly}
set time <user>
set day {Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday}
end

Description

Configuration               Description                         Default Value
status                      Enable/disable scheduled updates.   enable
frequency                   Update frequency.                   every
time                        Update time.                        02:60
day                         Update day.                         Monday

system.autoupdate/tunneling
CLI Syntax
config system.autoupdate tunneling
edit <name_str>
set status {enable | disable}
set address <string>
set port <integer>
set username <string>
set password <password>
end

Description

Configuration               Description                           Default Value
status                      Enable/disable web proxy tunnelling.  disable
address                     Web proxy IP address or FQDN.         (Empty)
port                        Web proxy port.                       0
username                    Web proxy username.                   (Empty)
password                    Web proxy password.                   (Empty)

system.dhcp/server
CLI Syntax
config system.dhcp server
edit <name_str>
set id <integer>
set status {disable | enable}
set lease-time <integer>
set mac-acl-default-action {assign | block}
set forticlient-on-net-status {disable | enable}
set dns-service {local | default | specify}
set dns-server1 <ipv4-address>
set dns-server2 <ipv4-address>
set dns-server3 <ipv4-address>
set wifi-ac1 <ipv4-address>
set wifi-ac2 <ipv4-address>
set wifi-ac3 <ipv4-address>
set ntp-service {local | default | specify}
set ntp-server1 <ipv4-address>
set ntp-server2 <ipv4-address>
set ntp-server3 <ipv4-address>
set domain <string>
set wins-server1 <ipv4-address>
set wins-server2 <ipv4-address>
set default-gateway <ipv4-address>
set next-server <ipv4-address>
set netmask <ipv4-netmask>
set interface <string>
config ip-range
edit <name_str>
set id <integer>
set start-ip <ipv4-address>
set end-ip <ipv4-address>
end
set timezone-option {disable | default | specify}
set timezone {01 | 02 | 03 | 04 | 05 | 81 | 06 | 07 | 08 | 09 | 10 | 11 | 12 | 13 | 74 | 14 | 77 | 15 | 16 | 17 | 18 | 19 | 20 | 75 | 21 | 22 | 23 | 24 | 80 | 79 | 25 | 26 | 27 | 28 | 78 | 29 | 30 | 31 | 85 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 83 | 84 | 40 | 41 | 42 | 43 | 39 | 44 | 46 | 47 | 51 | 48 | 45 | 49 | 50 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 62 | 63 | 61 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 00 | 82 | 73 | 86 | 76}
set tftp-server <string>
set filename <string>
set option1 <user>
set option2 <user>
set option3 <user>
set option4 <user>
set option5 <user>
set option6 <user>
set server-type {regular | ipsec}
set ip-mode {range | usrgrp}
set conflicted-ip-timeout <integer>
set ipsec-lease-hold <integer>
set auto-configuration {disable | enable}
set ddns-update {disable | enable}
set ddns-server-ip <ipv4-address>
set ddns-zone <string>
set ddns-auth {disable | tsig}
set ddns-keyname <string>
set ddns-key <user>
set ddns-ttl <integer>
set vci-match {disable | enable}
config vci-string
edit <name_str>
set vci-string <string>
end
config exclude-range
edit <name_str>
set id <integer>
set start-ip <ipv4-address>
set end-ip <ipv4-address>
end
config reserved-address
edit <name_str>
set id <integer>
set ip <ipv4-address>
set mac <mac-address>
set action {assign | block | reserved}
set description <var-string>
end
end

Description
Configuration Description Default Value

id ID. 0

status Enable/disable use this DHCP configuration. enable

lease-time Lease time in seconds. 604800

mac-acl-default-action MAC access control default action. assign

forticlient-on-net-status Sending FortiGate serial number as a DHCP enable


option.

dns-service DNS service option. specify

dns-server1 DNS server 1. 0.0.0.0

dns-server2 DNS server 2. 0.0.0.0

dns-server3 DNS server 3. 0.0.0.0

wifi-ac1 WiFi AC 1. 0.0.0.0

wifi-ac2 WiFi AC 2. 0.0.0.0

wifi-ac3 WiFi AC 3. 0.0.0.0

ntp-service NTP service option. specify

ntp-server1 NTP server 1. 0.0.0.0

ntp-server2 NTP server 2. 0.0.0.0

ntp-server3 NTP server 3. 0.0.0.0

domain Domain name. (Empty)

wins-server1 WINS server 1. 0.0.0.0

wins-server2 WINS server 2. 0.0.0.0

default-gateway Enable/disable default gateway. 0.0.0.0

next-server Next bootstrap server. 0.0.0.0

netmask Netmask. 0.0.0.0

CLI Reference for FortiOS 5.4 423


Fortinet Technologies Inc.
interface Interface name. (Empty)

ip-range DHCP IP range configuration. (Empty)

timezone-option Time zone settings. disable

timezone Time zone. 00

tftp-server Hostname or IP address of the TFTP server. (Empty)

filename Boot file name. (Empty)

option1 Option 1. 0

option2 Option 2. 0

option3 Option 3. 0

option4 Option 4. 0

option5 Option 5. 0

option6 Option 6. 0

server-type Type of DHCP service to provide. regular

ip-mode Method used to assign client IP. range

conflicted-ip-timeout Time conflicted IP is removed from the range 1800


(seconds).

ipsec-lease-hold DHCP over IPsec leases expire this many 60


seconds after tunnel down (0 to disable forced-
expiry).

auto-configuration Enable/disable auto configuration. enable

ddns-update Enable/disable DDNS update for DHCP. disable

ddns-server-ip DDNS server IP. 0.0.0.0

ddns-zone Zone of your domain name (ex. DDNS.com). (Empty)

ddns-auth DDNS authentication mode. disable

ddns-keyname DDNS update key name. (Empty)

ddns-key DDNS update key (base 64 encoding). 'ENC AuAHaUUdY1NOrENeFjxC6TXsIjntkrMvREwMTLVsKksjKKAeHgnmgOYHVJsx1EMp4FsdxXlBMGI9fs0Gob4fjHviV670NU8ypyB+szhnVal5VB5J/EQgo1R2WKM='

ddns-ttl TTL. 300

vci-match Enable/disable VCI matching. disable

vci-string VCI strings. (Empty)

exclude-range DHCP exclude range configuration. (Empty)

reserved-address DHCP reserved IP address. (Empty)

system.dhcp6/server
CLI Syntax
config system.dhcp6 server
edit <name_str>
set id <integer>
set status {disable | enable}
set rapid-commit {disable | enable}
set lease-time <integer>
set dns-service {delegated | default | specify}
set dns-server1 <ipv6-address>
set dns-server2 <ipv6-address>
set dns-server3 <ipv6-address>
set domain <string>
set subnet <ipv6-prefix>
set interface <string>
set option1 <user>
set option2 <user>
set option3 <user>
set upstream-interface <string>
set ip-mode {range | delegated}
config ip-range
edit <name_str>
set id <integer>
set start-ip <ipv6-address>
set end-ip <ipv6-address>
end
end

Description
Configuration Description Default Value

id ID. 0

status Enable/disable use this DHCP configuration. enable

rapid-commit Enable/disable allow/disallow rapid commit. disable

lease-time Lease time in seconds. 604800

dns-service DNS service option. specify

dns-server1 DNS server 1. ::

dns-server2 DNS server 2. ::

dns-server3 DNS server 3. ::

domain Domain name. (Empty)

subnet Subnet or subnet-id if the IP mode is delegated. ::/0

interface Interface name. (Empty)

option1 Option 1. 0

option2 Option 2. 0

option3 Option 3. 0

upstream-interface Interface name from where delegated information is provided. (Empty)

ip-mode Method used to assign client IP. range

ip-range DHCP IP range configuration. (Empty)

system.replacemsg/admin
CLI Syntax
config system.replacemsg admin
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/alertmail
CLI Syntax
config system.replacemsg alertmail
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/auth
CLI Syntax
config system.replacemsg auth
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/device-detection-portal
CLI Syntax
config system.replacemsg device-detection-portal
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/ec
CLI Syntax
config system.replacemsg ec
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/fortiguard-wf
CLI Syntax
config system.replacemsg fortiguard-wf
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/ftp
CLI Syntax
config system.replacemsg ftp
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/http
CLI Syntax
config system.replacemsg http
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/mail
CLI Syntax
config system.replacemsg mail
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/nac-quar
CLI Syntax
config system.replacemsg nac-quar
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/nntp
CLI Syntax
config system.replacemsg nntp
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/spam
CLI Syntax
config system.replacemsg spam
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/sslvpn
CLI Syntax
config system.replacemsg sslvpn
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/traffic-quota
CLI Syntax
config system.replacemsg traffic-quota
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/utm
CLI Syntax
config system.replacemsg utm
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/webproxy
CLI Syntax
config system.replacemsg webproxy
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.snmp/community
CLI Syntax
config system.snmp community
edit <name_str>
set id <integer>
set name <string>
set status {enable | disable}
config hosts
edit <name_str>
set id <integer>
set source-ip <ipv4-address>
set ip <user>
set interface <string>
set ha-direct {enable | disable}
set host-type {any | query | trap}
end
config hosts6
edit <name_str>
set id <integer>
set source-ipv6 <ipv6-address>
set ipv6 <ipv6-prefix>
set ha-direct {enable | disable}
set interface <string>
set host-type {any | query | trap}
end
set query-v1-status {enable | disable}
set query-v1-port <integer>
set query-v2c-status {enable | disable}
set query-v2c-port <integer>
set trap-v1-status {enable | disable}
set trap-v1-lport <integer>
set trap-v1-rport <integer>
set trap-v2c-status {enable | disable}
set trap-v2c-lport <integer>
set trap-v2c-rport <integer>
set events {cpu-high | mem-low | log-full | intf-ip | vpn-tun-up | vpn-tun-down |
ha-switch | ha-hb-failure | ips-signature | ips-anomaly | av-virus | av-oversize |
av-pattern | av-fragmented | fm-if-change | fm-conf-change | bgp-established |
bgp-backward-transition | ha-member-up | ha-member-down | ent-conf-change |
av-conserve | av-bypass | av-oversize-passed | av-oversize-blocked | ips-pkg-update |
ips-fail-open | temperature-high | voltage-alert | power-supply-failure |
faz-disconnect | fan-failure | wc-ap-up | wc-ap-down | fswctl-session-up |
fswctl-session-down | load-balance-real-server-down | device-new}
end

Description
Configuration Description Default Value

id Community ID. 0

name Community name. (Empty)

status Enable/disable this community. enable

hosts Allow hosts configuration. (Empty)

hosts6 Allow hosts configuration for IPv6. (Empty)

query-v1-status Enable/disable SNMP v1 query. enable

query-v1-port SNMP v1 query port. 161

query-v2c-status Enable/disable SNMP v2c query. enable

query-v2c-port SNMP v2c query port. 161

trap-v1-status Enable/disable SNMP v1 trap. enable

trap-v1-lport SNMP v1 trap local port. 162

trap-v1-rport SNMP v1 trap remote port. 162

trap-v2c-status Enable/disable SNMP v2c trap. enable

trap-v2c-lport SNMP v2c trap local port. 162

trap-v2c-rport SNMP v2c trap remote port. 162

events SNMP trap events. cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open temperature-high voltage-alert power-supply-failure faz-disconnect fan-failure wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down load-balance-real-server-down

system.snmp/sysinfo
CLI Syntax
config system.snmp sysinfo
edit <name_str>
set status {enable | disable}
set engine-id <string>
set description <string>
set contact-info <string>
set location <string>
set trap-high-cpu-threshold <integer>
set trap-low-memory-threshold <integer>
set trap-log-full-threshold <integer>
end

Description
Configuration Description Default Value

status Enable/disable SNMP. disable

engine-id Local SNMP engineID string (maximum 24 characters). (Empty)

description System description. (Empty)

contact-info Contact information. (Empty)

location System location. (Empty)

trap-high-cpu-threshold CPU usage when trap is sent. 80

trap-low-memory-threshold Memory usage when trap is sent. 80

trap-log-full-threshold Log disk usage when trap is sent. 90

system.snmp/user
CLI Syntax
config system.snmp user
edit <name_str>
set name <string>
set status {enable | disable}
set trap-status {enable | disable}
set trap-lport <integer>
set trap-rport <integer>
set queries {enable | disable}
set query-port <integer>
set notify-hosts <ipv4-address>
set notify-hosts6 <ipv6-address>
set source-ip <ipv4-address>
set source-ipv6 <ipv6-address>
set ha-direct {enable | disable}
set events {cpu-high | mem-low | log-full | intf-ip | vpn-tun-up | vpn-tun-down |
ha-switch | ha-hb-failure | ips-signature | ips-anomaly | av-virus | av-oversize |
av-pattern | av-fragmented | fm-if-change | fm-conf-change | bgp-established |
bgp-backward-transition | ha-member-up | ha-member-down | ent-conf-change |
av-conserve | av-bypass | av-oversize-passed | av-oversize-blocked | ips-pkg-update |
ips-fail-open | temperature-high | voltage-alert | power-supply-failure |
faz-disconnect | fan-failure | wc-ap-up | wc-ap-down | fswctl-session-up |
fswctl-session-down | load-balance-real-server-down | device-new}
set security-level {no-auth-no-priv | auth-no-priv | auth-priv}
set auth-proto {md5 | sha}
set auth-pwd <password>
set priv-proto {aes | des | aes256 | aes256cisco}
set priv-pwd <password>
end

Description
Configuration Description Default Value

name SNMP user name. (Empty)

status Enable/disable this user. enable

trap-status Enable/disable traps for this user. enable

trap-lport SNMPv3 trap local port. 162

trap-rport SNMPv3 trap remote port. 162

queries Enable/disable queries for this user. enable

query-port SNMPv3 query port. 161

notify-hosts Hosts to send notifications (traps) to. (Empty)

notify-hosts6 IPv6 hosts to send notifications (traps) to. (Empty)

source-ip Source IP for SNMP trap. 0.0.0.0

source-ipv6 Source IPv6 for SNMP trap. ::

ha-direct Enable/disable direct management of HA cluster members. disable

events SNMP notifications (traps) to send. cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open temperature-high voltage-alert power-supply-failure faz-disconnect fan-failure wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down load-balance-real-server-down

security-level Security level for message authentication and encryption. no-auth-no-priv

auth-proto Authentication protocol. sha

auth-pwd Password for authentication protocol. (Empty)

priv-proto Privacy (encryption) protocol. aes

priv-pwd Password for privacy (encryption) protocol. (Empty)

system/accprofile
CLI Syntax

config system accprofile
edit <name_str>
set name <string>
set scope {vdom | global}
set comments <var-string>
set mntgrp {none | read | read-write}
set admingrp {none | read | read-write}
set updategrp {none | read | read-write}
set authgrp {none | read | read-write}
set sysgrp {none | read | read-write}
set netgrp {none | read | read-write}
set loggrp {none | read | read-write | custom | w | r | rw}
set routegrp {none | read | read-write}
set fwgrp {none | read | read-write | custom | w | r | rw}
set vpngrp {none | read | read-write}
set utmgrp {none | read | read-write | custom | w | r | rw}
set wanoptgrp {none | read | read-write}
set endpoint-control-grp {none | read | read-write}
set wifi {none | read | read-write}
config fwgrp-permission
edit <name_str>
set policy {none | read | read-write}
set address {none | read | read-write}
set service {none | read | read-write}
set schedule {none | read | read-write}
set packet-capture {none | read | read-write}
set others {none | read | read-write}
end
config loggrp-permission
edit <name_str>
set config {none | read | read-write}
set data-access {none | read | read-write}
set report-access {none | read | read-write}
set threat-weight {none | read | read-write}
end
config utmgrp-permission
edit <name_str>
set antivirus {none | read | read-write}
set ips {none | read | read-write}
set webfilter {none | read | read-write}
set spamfilter {none | read | read-write}
set data-loss-prevention {none | read | read-write}
set application-control {none | read | read-write}
set icap {none | read | read-write}
set casi {none | read | read-write}
set voip {none | read | read-write}
set waf {none | read | read-write}
set dnsfilter {none | read | read-write}
end
end

Description
Configuration Description Default Value

name Profile name. (Empty)

scope Global or single VDOM access restriction. vdom

comments Comment. (Empty)

mntgrp Maintenance. none

admingrp Administrator Users. none

updategrp FortiGuard Update. none

authgrp User & Device. none

sysgrp System Configuration. none

netgrp Network Configuration. none

loggrp Log & Report. none

routegrp Router Configuration. none

fwgrp Firewall Configuration. none

vpngrp VPN Configuration. none

utmgrp Security Profile Configuration. none

wanoptgrp WAN Opt & Cache. none

endpoint-control-grp Endpoint Security. none

wifi Wireless controller. none

fwgrp-permission Custom firewall permission. Details below

Configuration Default Value


policy none
address none
service none
schedule none
packet-capture none
others none

loggrp-permission Custom Log & Report permission. Details below

Configuration Default Value


config none
data-access none
report-access none
threat-weight none

utmgrp-permission Custom UTM permission. Details below

Configuration Default Value


antivirus none
ips none
webfilter none
spamfilter none
data-loss-prevention none
application-control none
icap none
casi none
voip none
waf none
dnsfilter none

system/admin
CLI Syntax
config system admin
edit <name_str>
set name <string>
set wildcard {enable | disable}
set remote-auth {enable | disable}
set remote-group <string>
set password <password-2>
set peer-auth {enable | disable}
set peer-group <string>
set trusthost1 <ipv4-classnet>
set trusthost2 <ipv4-classnet>
set trusthost3 <ipv4-classnet>
set trusthost4 <ipv4-classnet>
set trusthost5 <ipv4-classnet>
set trusthost6 <ipv4-classnet>
set trusthost7 <ipv4-classnet>
set trusthost8 <ipv4-classnet>
set trusthost9 <ipv4-classnet>
set trusthost10 <ipv4-classnet>
set ip6-trusthost1 <ipv6-prefix>
set ip6-trusthost2 <ipv6-prefix>
set ip6-trusthost3 <ipv6-prefix>
set ip6-trusthost4 <ipv6-prefix>
set ip6-trusthost5 <ipv6-prefix>
set ip6-trusthost6 <ipv6-prefix>
set ip6-trusthost7 <ipv6-prefix>
set ip6-trusthost8 <ipv6-prefix>
set ip6-trusthost9 <ipv6-prefix>
set ip6-trusthost10 <ipv6-prefix>
set accprofile <string>
set allow-remove-admin-session {enable | disable}
set comments <var-string>
set hidden <integer>
config vdom
edit <name_str>
set name <string>
end
set is-admin <integer>
set ssh-public-key1 <user>
set ssh-public-key2 <user>
set ssh-public-key3 <user>
set ssh-certificate <string>
set schedule <string>
set accprofile-override {enable | disable}
set radius-vdom-override {enable | disable}
set password-expire <user>
set force-password-change {enable | disable}
config dashboard
edit <name_str>
set id <integer>
set widget-type {sysinfo | licinfo | sysop | sysres | alert | jsconsole | raid
| tr-history | analytics | usb-modem}
set name <string>
set column <integer>
set refresh-interval <integer>
set time-period <integer>
set chart-color <integer>
set top-n <integer>
set sort-by {bytes | msg-counts | packets | bandwidth | sessions}
set report-by {source | destination | application | dlp-rule | dlp-sensor |
policy | protocol | web-category | web-domain | all | profile}
set ip-version {ipboth | ipv4 | ipv6}
set resolve-host {enable | disable}
set resolve-service {enable | disable}
set aggregate-hosts {enable | disable}
set resolve-apps {enable | disable}
set display-format {chart | table | line}
set view-type {real-time | historical}
set cpu-display-type {average | each}
set interface <string>
set dst-interface <string>
set tr-history-period1 <integer>
set tr-history-period2 <integer>
set tr-history-period3 <integer>
set vdom <string>
set refresh {enable | disable}
set status {close | open}
set protocols <integer>
set show-system-restart {enable | disable}
set show-conserve-mode {enable | disable}
set show-firmware-change {enable | disable}
set show-fds-update {enable | disable}
set show-device-update {enable | disable}
set show-fds-quota {enable | disable}
set show-disk-failure {enable | disable}
set show-power-supply {enable | disable}
set show-admin-auth {enable | disable}
set show-fgd-alert {enable | disable}
set show-fcc-license {enable | disable}
set show-policy-overflow {enable | disable}
end
set two-factor {disable | fortitoken | email | sms}
set fortitoken <string>
set email-to <string>
set sms-server {fortiguard | custom}
set sms-custom-server <string>
set sms-phone <string>
set guest-auth {disable | enable}
config guest-usergroups
edit <name_str>
set name <string>
end
set guest-lang <string>
set history0 <password-2>
set history1 <password-2>
config login-time
edit <name_str>
set usr-name <string>
set last-login <datetime>
set last-failed-login <datetime>
end
end

Description
Configuration Description Default Value

name User name. (Empty)

wildcard Enable/disable wildcard RADIUS authentication. disable

remote-auth Enable/disable remote authentication. disable

remote-group User group name used for remote auth. (Empty)

password Admin user password. ENC XXUp2ozpdysrQ

peer-auth Enable/disable peer authentication. disable

peer-group Peer group name. (Empty)

trusthost1 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost2 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost3 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost4 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost5 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost6 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost7 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost8 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost9 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost10 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

ip6-trusthost1 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost2 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost3 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost4 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost5 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost6 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost7 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost8 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost9 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost10 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

accprofile Admin user access profile. (Empty)

allow-remove-admin-session Enable/disable allow admin session to be removed by privileged admin users. enable

comments Comment. (Empty)

hidden Admin user hidden attribute. 0

vdom Virtual domains. (Empty)

is-admin Is user admin. 0

ssh-public-key1 SSH public key1. (Empty)

ssh-public-key2 SSH public key2. (Empty)

ssh-public-key3 SSH public key3. (Empty)

ssh-certificate SSH certificate. (Empty)

schedule Schedule name. (Empty)

accprofile-override Enable/disable allow access profile to be overridden from remote auth server. disable

radius-vdom-override Enable/disable allow VDOM to be overridden from RADIUS. disable

password-expire Password expire time. 0000-00-00 00:00:00

force-password-change Enable/disable force password change on next login. disable

dashboard GUI custom dashboard. (Empty)

two-factor Enable/disable two-factor authentication. disable

fortitoken Two-factor recipient's FortiToken serial number. (Empty)

email-to Two-factor recipient's email address. (Empty)

sms-server Send SMS through FortiGuard or other external server. fortiguard

sms-custom-server Two-factor recipient's SMS server. (Empty)

sms-phone Two-factor recipient's mobile phone number. (Empty)

guest-auth Enable/disable guest authentication. disable

guest-usergroups Select guest user groups. (Empty)

guest-lang Guest management portal language. (Empty)

history0 history0 ENC

history1 history1 ENC

login-time Record user login time. (Empty)
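The system.snmp community, system.snmp user and system admin tables above document defaults that matter for the management plane: SNMP v1/v2c queries are enabled by default, an SNMPv3 user starts at security-level no-auth-no-priv, and every trusthost defaults to 0.0.0.0 0.0.0.0 (any source). The following script is an added example, not Fortinet code: it parses a FortiOS-style configuration dump (the `config` / `edit` / `set` / `next` / `end` block structure; `next` is the keyword a real configuration uses between entries, although the syntax blocks in this reference omit it) and reports entries that still sit at those defaults or use weaker protocol choices. The configuration text, the entry names and the addresses are constructed for the example; the default values used for unset options are the ones listed in the tables on this page.

```python
"""Audit a FortiOS-style configuration dump for weak management-plane settings.

Added example, not Fortinet's code. A small parser for the FortiOS
config/edit/set/next/end block syntax, plus checks on options documented in
the system.snmp community, system.snmp user and system admin tables:
  - SNMP communities that still answer v1 or v2c queries
  - SNMPv3 users below auth-priv, or using md5 / des
  - admins whose trusthosts are all at the documented defaults
    (0.0.0.0 0.0.0.0 and ::/0), i.e. any source may attempt to log in
"""
import shlex
from typing import Dict, List, Tuple

Entry = Tuple[str, Dict[str, str]]   # (edit name, {option: value})
Config = Dict[str, List[Entry]]      # table path -> entries

# Constructed sample in the shape of `show system snmp community`,
# `show system snmp user` and `show system admin` output; not from a device.
SAMPLE_CONFIG = """\
config system snmp community
    edit 1
        set name "public"
        set query-v1-status enable
        set query-v2c-status enable
        config hosts
            edit 1
                set ip 10.0.0.50 255.255.255.255
            next
        end
    next
end
config system snmp user
    edit "monitor-ro"
        set security-level auth-priv
        set auth-proto sha
        set priv-proto aes256
    next
    edit "legacy-nms"
        set security-level auth-no-priv
        set auth-proto md5
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "helpdesk"
        set accprofile "prof_admin"
    next
end
"""


def parse_fortios(text: str) -> Config:
    """Parse block syntax into {"system snmp user": [(name, options), ...]}.

    Nested tables (`config hosts` inside a community) land under their own
    path, "system snmp community hosts". Multi-token values such as
    `0.0.0.0 0.0.0.0` are kept as one space-joined string.
    """
    result: Config = {}
    frames: List[list] = []   # per open `config`: [path, edit name, options]
    for raw in text.splitlines():
        toks = shlex.split(raw)   # strips the quotes around names
        if not toks:
            continue
        kw, args = toks[0], toks[1:]
        if kw == "config":
            parent = frames[-1][0] + " " if frames else ""
            frames.append([parent + " ".join(args), "", None])
        elif kw == "edit":
            frames[-1][1], frames[-1][2] = " ".join(args), {}
        elif kw == "set":
            if frames[-1][2] is None:   # flat block without edit/next
                frames[-1][2] = {}
            frames[-1][2][args[0]] = " ".join(args[1:])
        elif kw == "next":
            path, name, opts = frames[-1]
            result.setdefault(path, []).append((name, opts))
            frames[-1][1], frames[-1][2] = "", None
        elif kw == "end":
            path, name, opts = frames.pop()
            if opts is not None:        # close a flat block
                result.setdefault(path, []).append((name, opts))
    return result


def audit(cfg: Config) -> List[str]:
    """One finding per weak setting; unset options are read as the page's defaults."""
    findings: List[str] = []
    for name, o in cfg.get("system snmp community", []):
        label = o.get("name", name)
        for ver in ("v1", "v2c"):
            if o.get(f"query-{ver}-status", "enable") == "enable":   # default enable
                findings.append(f"snmp community {label}: SNMP{ver} queries enabled")
    for name, o in cfg.get("system snmp user", []):
        level = o.get("security-level", "no-auth-no-priv")            # default
        if level != "auth-priv":
            findings.append(f"snmp user {name}: security-level {level}, expected auth-priv")
        if o.get("auth-proto", "sha") == "md5":
            findings.append(f"snmp user {name}: auth-proto md5")
        if o.get("priv-proto", "aes") == "des":
            findings.append(f"snmp user {name}: priv-proto des")
    for name, o in cfg.get("system admin", []):
        v4 = [o.get(f"trusthost{i}", "0.0.0.0 0.0.0.0") for i in range(1, 11)]
        v6 = [o.get(f"ip6-trusthost{i}", "::/0") for i in range(1, 11)]
        if all(h == "0.0.0.0 0.0.0.0" for h in v4) and all(h == "::/0" for h in v6):
            findings.append(f"admin {name}: all trusthosts at default, any source may log in")
    return findings


if __name__ == "__main__":
    for line in audit(parse_fortios(SAMPLE_CONFIG)):
        print(line)
```

Run against the sample, the script reports the "public" community twice (v1 and v2c), the "legacy-nms" user twice (security level and md5) and the "helpdesk" admin once; "monitor-ro" and "admin" produce nothing. Feeding it the output of `show full-configuration` rather than `show` makes the default-value fallbacks unnecessary, since every option is then printed explicitly.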

system/alarm
CLI Syntax
config system alarm
edit <name_str>
set status {enable | disable}
set audible {enable | disable}
set sequence <integer>
config groups
edit <name_str>
set id <integer>
set period <integer>
set admin-auth-failure-threshold <integer>
set admin-auth-lockout-threshold <integer>
set user-auth-failure-threshold <integer>
set user-auth-lockout-threshold <integer>
set replay-attempt-threshold <integer>
set self-test-failure-threshold <integer>
set log-full-warning-threshold <integer>
set encryption-failure-threshold <integer>
set decryption-failure-threshold <integer>
config fw-policy-violations
edit <name_str>
set id <integer>
set threshold <integer>
set src-ip <ipv4-address>
set dst-ip <ipv4-address>
set src-port <integer>
set dst-port <integer>
end
set fw-policy-id <integer>
set fw-policy-id-threshold <integer>
end
end

Description
Configuration Description Default Value

status Enable/disable alarm. disable

audible Enable/disable audible alarm. disable

sequence Sequence ID of alarms. 0

groups Alarm groups. (Empty)

system/arp-table
CLI Syntax
config system arp-table
edit <name_str>
set id <integer>
set interface <string>
set ip <ipv4-address>
set mac <mac-address>
end

Description
Configuration Description Default Value

id Unique integer ID of the entry. 0

interface Interface name. (Empty)

ip IP address. 0.0.0.0

mac MAC address. 00:00:00:00:00:00

system/auto-install
CLI Syntax
config system auto-install
edit <name_str>
set auto-install-config {enable | disable}
set auto-install-image {enable | disable}
set default-config-file <string>
set default-image-file <string>
end

Description
Configuration Description Default Value

auto-install-config Enable/disable auto install the config in USB disk. disable

auto-install-image Enable/disable auto install the image in USB disk. disable

default-config-file Default config file name in USB disk. fgt_system.conf

default-image-file Default image file name in USB disk. image.out

system/auto-script
CLI Syntax
config system auto-script
edit <name_str>
set name <string>
set interval <integer>
set repeat <integer>
set start {manual | auto}
set script <var-string>
end

Description
Configuration Description Default Value

name Auto script name. (Empty)

interval Repeat interval in seconds. 0

repeat Number of times to repeat this script (0 = infinite). 1

start Script starting mode. manual

script List of FortiOS CLI commands to repeat. (Empty)

system/central-management
CLI Syntax
config system central-management
edit <name_str>
set mode {normal | backup}
set type {fortimanager | fortiguard | none}
set schedule-config-restore {enable | disable}
set schedule-script-restore {enable | disable}
set allow-push-configuration {enable | disable}
set allow-pushd-firmware {enable | disable}
set allow-remote-firmware-upgrade {enable | disable}
set allow-monitor {enable | disable}
set serial-number <user>
set fmg <string>
set fmg-source-ip <ipv4-address>
set fmg-source-ip6 <ipv6-address>
set vdom <string>
config server-list
edit <name_str>
set id <integer>
set server-type {update | rating}
set addr-type {ipv4 | ipv6}
set server-address <ipv4-address>
set server-address6 <ipv6-address>
end
set include-default-servers {enable | disable}
set enc-algorithm {default | high | low}
end

Description
Configuration Description Default Value

mode Normal/backup management mode. normal

type Type of management server. none

schedule-config-restore Enable/disable scheduled configuration restore. enable

schedule-script-restore Enable/disable scheduled script restore. enable

allow-push-configuration Enable/disable push configuration. enable

allow-pushd-firmware Enable/disable push firmware. enable

allow-remote-firmware-upgrade Enable/disable remote firmware upgrade. enable

allow-monitor Enable/disable remote monitoring of device. enable

serial-number Serial number. (Empty)

fmg Address of FortiManager (IP or FQDN name). (Empty)

fmg-source-ip Source IPv4 address to use when connecting to FortiManager. 0.0.0.0

fmg-source-ip6 Source IPv6 address to use when connecting to FortiManager. ::

vdom Virtual domain name. root

server-list FortiGuard override server list. (Empty)

include-default-servers Enable/disable inclusion of public FortiGuard servers in the override server list. enable

enc-algorithm Use SSL encryption. high

system/cluster-sync
CLI Syntax
config system cluster-sync
edit <name_str>
set sync-id <integer>
set peervd <string>
set peerip <ipv4-address>
config syncvd
edit <name_str>
set name <string>
end
config session-sync-filter
edit <name_str>
set srcintf <string>
set dstintf <string>
set srcaddr <ipv4-classnet-any>
set dstaddr <ipv4-classnet-any>
set srcaddr6 <ipv6-network>
set dstaddr6 <ipv6-network>
config custom-service
edit <name_str>
set id <integer>
set src-port-range <user>
set dst-port-range <user>
end
end
end

Description
Configuration Description Default Value

sync-id Sync ID. 0

peervd Peer connecting VDOM. root

peerip Peer connecting IP. 0.0.0.0

syncvd VDOM of which sessions need to be synced. (Empty)

session-sync-filter Session sync filter. Details below

Configuration Default Value


srcintf (Empty)
dstintf (Empty)
srcaddr 0.0.0.0 0.0.0.0
dstaddr 0.0.0.0 0.0.0.0
srcaddr6 ::/0
dstaddr6 ::/0
custom-service (Empty)

system/console
CLI Syntax
config system console
edit <name_str>
set mode {batch | line}
set baudrate {9600 | 19200 | 38400 | 57600 | 115200}
set output {standard | more}
set login {enable | disable}
set fortiexplorer {enable | disable}
end

Description
Configuration Description Default Value

mode Console mode. line

baudrate Console baud rate. 9600

output Console output mode. more

login Enable/disable serial console and FortiExplorer. enable

fortiexplorer Enable/disable access for FortiExplorer. enable

system/custom-language
CLI Syntax
config system custom-language
edit <name_str>
set name <string>
set filename <string>
set comments <var-string>
end

Description
Configuration Description Default Value

name Name. (Empty)

filename Custom language file path. (Empty)

comments Comment. (Empty)

system/ddns
CLI Syntax
config system ddns
edit <name_str>
set ddnsid <integer>
set ddns-server {dyndns.org | dyns.net | ods.org | tzo.com | vavic.com | dipdns.net | now.net.cn | dhs.org | easydns.com | genericDDNS | FortiGuardDDNS}
set ddns-server-ip <ipv4-address>
set ddns-zone <string>
set ddns-ttl <integer>
set ddns-auth {disable | tsig}
set ddns-keyname <string>
set ddns-key <user>
set ddns-domain <string>
set ddns-username <string>
set ddns-sn <string>
set ddns-password <password>
set use-public-ip {disable | enable}
set bound-ip <ipv4-address>
config monitor-interface
edit <name_str>
set interface-name <string>
end
end

Description
Configuration Description Default Value

ddnsid DDNS ID. 0

ddns-server DDNS server. (Empty)

ddns-server-ip Generic DDNS server IP. 0.0.0.0

ddns-zone Zone of your domain name (ex. DDNS.com). (Empty)

ddns-ttl TTL. 300

ddns-auth DDNS authentication mode. disable

ddns-keyname DDNS update key name. (Empty)

ddns-key DDNS update key (base 64 encoding). (Encrypted 'ENC' value)

ddns-domain Your domain name (ex. yourname.DDNS.com). (Empty)

ddns-username DDNS user name. (Empty)

ddns-sn DDNS Serial Number. (Empty)

ddns-password DDNS password. (Empty)

use-public-ip Enable/disable use of public IP address. disable

bound-ip Bound IP address. 0.0.0.0

monitor-interface Monitored interface. (Empty)

system/dedicated-mgmt
CLI Syntax
config system dedicated-mgmt
edit <name_str>
set status {enable | disable}
set interface <string>
set default-gateway <ipv4-address>
set dhcp-server {enable | disable}
set dhcp-netmask <ipv4-netmask>
set dhcp-start-ip <ipv4-address>
set dhcp-end-ip <ipv4-address>
end

Description
Configuration Description Default Value

status Enable/disable dedicated management. disable

interface Dedicated management interface. (Empty)

default-gateway Default gateway for dedicated management interface. 0.0.0.0

dhcp-server Enable/disable DHCP server on management interface. disable

dhcp-netmask DHCP netmask. 0.0.0.0

dhcp-start-ip DHCP start IP for dedicated management. 0.0.0.0

dhcp-end-ip DHCP end IP for dedicated management. 0.0.0.0

system/dns
CLI Syntax
config system dns
edit <name_str>
set primary <ipv4-address>
set secondary <ipv4-address>
set domain <string>
set ip6-primary <ipv6-address>
set ip6-secondary <ipv6-address>
set dns-cache-limit <integer>
set dns-cache-ttl <integer>
set cache-notfound-responses {disable | enable}
set source-ip <ipv4-address>
end

Description
Configuration Description Default Value

primary Primary DNS IP. 0.0.0.0

secondary Secondary DNS IP. 0.0.0.0

domain Local domain name. (Empty)

ip6-primary IPv6 primary DNS IP. ::

ip6-secondary IPv6 secondary DNS IP. ::

dns-cache-limit Maximum number of entries in DNS cache. 5000

dns-cache-ttl TTL in DNS cache. 1800

cache-notfound-responses Enable/disable cache NOTFOUND responses from DNS server. disable

source-ip Source IP for communications to DNS server. 0.0.0.0

system/dns-database
CLI Syntax
config system dns-database
edit <name_str>
set name <string>
set status {enable | disable}
set domain <string>
set allow-transfer <user>
set type {master | slave}
set view {shadow | public}
set ip-master <ipv4-address-any>
set primary-name <string>
set contact <string>
set ttl <integer>
set authoritative {enable | disable}
set forwarder <user>
set source-ip <ipv4-address>
config dns-entry
edit <name_str>
set id <integer>
set status {enable | disable}
set type {A | NS | CNAME | MX | AAAA | PTR | PTR_V6}
set ttl <integer>
set preference <integer>
set ip <ipv4-address-any>
set ipv6 <ipv6-address>
set hostname <string>
set canonical-name <string>
end
end

Description
Configuration Description Default Value

name Zone name. (Empty)

status Enable/disable DNS zone status. enable

domain Domain name. (Empty)

allow-transfer DNS zone transfer IP address list. (Empty)

type Zone type ('master' to manage entries directly, 'slave' to import entries from outside). master

view Zone view ('public' to serve public clients, 'shadow' to serve internal clients). shadow

ip-master IP address of master DNS server to import entries of this zone. 0.0.0.0

primary-name Domain name of the default DNS server for this zone. dns

contact Email address of the administrator for this zone. You can specify only the username (e.g. admin) or a full email address (e.g. admin.ca@test.com). When only a username is given, the email domain is this zone. hostmaster

ttl Default time-to-live value in units of seconds for the entries of this zone (0 - 2147483647). 86400

authoritative Enable/disable authoritative zone. enable

forwarder DNS zone forwarder IP address list. (Empty)

source-ip Source IP for forwarding to DNS server. 0.0.0.0

dns-entry DNS entry. (Empty)

system/dns-server
CLI Syntax
config system dns-server
edit <name_str>
set name <string>
set mode {recursive | non-recursive | forward-only}
set dnsfilter-profile <string>
end

Description
Configuration Description Default Value

name DNS server name. (Empty)

mode DNS server mode. recursive

dnsfilter-profile DNS filter profile. (Empty)

system/dscp-based-priority
CLI Syntax
config system dscp-based-priority
edit <name_str>
set id <integer>
set ds <integer>
set priority {low | medium | high}
end

Description
Configuration Description Default Value

id Item ID. 0

ds DSCP(DiffServ) DS value (0 - 63). 0

priority DSCP based priority level. high

system/email-server
CLI Syntax
config system email-server
edit <name_str>
set type {custom}
set reply-to <string>
set server <string>
set port <integer>
set source-ip <ipv4-address>
set source-ip6 <ipv6-address>
set authenticate {enable | disable}
set validate-server {enable | disable}
set username <string>
set password <password>
set security {none | starttls | smtps}
end

Description
Configuration Description Default Value

type Use FortiGuard Message service or custom server. custom

reply-to Reply-To email address. (Empty)

server SMTP server IP address or hostname. (Empty)

port SMTP server port. 25

source-ip SMTP server source IP. 0.0.0.0

source-ip6 SMTP server source IPv6. ::

authenticate Enable/disable authentication. disable

validate-server Enable/disable validation of server certificate. disable

username SMTP server user name for authentication. (Empty)

password SMTP server user password for authentication. (Empty)

security Connection security. none

system/fips-cc
CLI Syntax
config system fips-cc
edit <name_str>
set status {enable | disable}
set entropy-token {enable | disable | dynamic}
set error-flag {error-mode | exit-ready}
set error-cause {none | memory | disk | syslog}
set self-test-period <integer>
set key-generation-self-test {enable | disable}
end

Description
Configuration Description Default Value

status Enable/disable FIPS-CC mode. disable

entropy-token Enable/disable/dynamic entropy token. dynamic

error-flag Hidden CC error flag. (Empty)

error-cause Hidden CC error cause. none

self-test-period Self test period. 1440

key-generation-self-test Enable/disable self tests after key generation. disable

system/fm
CLI Syntax
config system fm
edit <name_str>
set status {enable | disable}
set id <string>
set ip <ipv4-address>
set vdom <string>
set auto-backup {enable | disable}
set scheduled-config-restore {enable | disable}
set ipsec {enable | disable}
end

Description
Configuration Description Default Value

status Enable/disable FM. disable

id ID. (Empty)

ip IP address. 0.0.0.0

vdom VDOM. root

auto-backup Enable/disable automatic backup. disable

scheduled-config-restore Enable/disable scheduled configuration restore. disable

ipsec Enable/disable IPsec. disable

system/fortiguard
CLI Syntax
config system fortiguard
edit <name_str>
set port {53 | 8888 | 80}
set service-account-id <string>
set load-balance-servers <integer>
set antispam-force-off {enable | disable}
set antispam-cache {enable | disable}
set antispam-cache-ttl <integer>
set antispam-cache-mpercent <integer>
set antispam-license <integer>
set antispam-expiration <integer>
set antispam-timeout <integer>
set avquery-force-off {}
set avquery-cache {}
set avquery-cache-ttl <integer>
set avquery-cache-mpercent <integer>
set avquery-license <integer>
set avquery-timeout <integer>
set webfilter-force-off {enable | disable}
set webfilter-cache {enable | disable}
set webfilter-cache-ttl <integer>
set webfilter-license <integer>
set webfilter-expiration <integer>
set webfilter-timeout <integer>
set sdns-server-ip <user>
set sdns-server-port <integer>
set source-ip <ipv4-address>
set source-ip6 <ipv6-address>
set ddns-server-ip <ipv4-address>
set ddns-server-port <integer>
end

Description
Configuration Description Default Value

port Port used to communicate with the FortiGuard servers. 53

service-account-id Service account ID. (Empty)

load-balance-servers Number of servers to alternate between as first FortiGuard option. 1

antispam-force-off Enable/disable forced disabling of the antispam service. disable

antispam-cache Enable/disable FortiGuard antispam cache. enable

antispam-cache-ttl Time-to-live for cache entries in seconds (300 - 86400). 1800

antispam-cache-mpercent Maximum percent of memory the cache is allowed to use (1-15%). 2

antispam-license License type. 4294967295

antispam-expiration License expiration. 0

antispam-timeout Query time out (1 - 30 seconds). 7

avquery-force-off avquery-force-off

avquery-cache avquery-cache

avquery-cache-ttl avquery-cache-ttl

avquery-cache-mpercent avquery-cache-mpercent

avquery-license avquery-license

avquery-timeout avquery-timeout

webfilter-force-off Enable/disable forced disabling of the webfilter service. disable

webfilter-cache Enable/disable FortiGuard webfilter cache. enable

webfilter-cache-ttl Time-to-live for cache entries in seconds (300 - 86400). 3600

webfilter-license License type. 4294967295

webfilter-expiration License expiration. 0

webfilter-timeout Query time out (1 - 30 seconds). 15

sdns-server-ip IP address of the FortiDNS server. (Empty)

sdns-server-port Port used to communicate with the FortiDNS servers. 53

source-ip Source IPv4 address used to communicate with the FortiGuard service. 0.0.0.0

source-ip6 Source IPv6 address used to communicate with the FortiGuard service. ::

ddns-server-ip IP address of the FortiDDNS server. 0.0.0.0

ddns-server-port Port used to communicate with the FortiDDNS servers. 443

system/fortimanager
CLI Syntax
config system fortimanager
edit <name_str>
set ip <ipv4-address-any>
set vdom <string>
set ipsec {enable | disable}
set central-management {enable | disable}
set central-mgmt-auto-backup {enable | disable}
set central-mgmt-schedule-config-restore {enable | disable}
set central-mgmt-schedule-script-restore {enable | disable}
end

Description
Configuration Description Default Value

ip IP address. 0.0.0.0

vdom Virtual domain name. root

ipsec Enable/disable FortiManager IPsec tunnel. disable

central-management Enable/disable FortiManager central management. disable

central-mgmt-auto-backup Enable/disable central management auto backup. disable

central-mgmt-schedule-config-restore Enable/disable central management schedule config restore. disable

central-mgmt-schedule-script-restore Enable/disable central management schedule script restore. disable

system/fortisandbox
CLI Syntax
config system fortisandbox
edit <name_str>
set status {enable | disable}
set server <ipv4-address-any>
set source-ip <ipv4-address>
set enc-algorithm {default | high | low | disable}
set email <string>
end

Description
Configuration Description Default Value

status Enable/disable FortiSandbox. disable

server Server IP. 0.0.0.0

source-ip Source IP for communications to FortiSandbox. 0.0.0.0

enc-algorithm Enable/disable sending of FortiSandbox data with SSL encryption. default

email Notifier email address. (Empty)

system/fsso-polling
CLI Syntax
config system fsso-polling
edit <name_str>
set status {enable | disable}
set listening-port <integer>
set authentication {enable | disable}
set auth-password <password>
end

Description
Configuration Description Default Value

status Enable/disable FSSO Polling Mode status. enable

listening-port Listening port to accept clients. 8000

authentication Enable/disable FSSO Agent Authentication status. disable

auth-password Password to connect to FSSO Agent. (Empty)

system/geoip-override
CLI Syntax
config system geoip-override
edit <name_str>
set name <string>
set description <string>
set country-id <string>
config ip-range
edit <name_str>
set id <integer>
set start-ip <ipv4-address>
set end-ip <ipv4-address>
end
end

Description
Configuration Description Default Value

name Location name. (Empty)

description Description. (Empty)

country-id Country ID. (Empty)

ip-range IP range. (Empty)

system/global
CLI Syntax
config system global
edit <name_str>
set language {english | french | spanish | portuguese | japanese | trach | simch | korean}
set gui-ipv6 {enable | disable}
set gui-certificates {enable | disable}
set gui-custom-language {enable | disable}
set gui-wireless-opensecurity {enable | disable}
set gui-display-hostname {enable | disable}
set gui-lines-per-page <integer>
set admin-https-ssl-versions {tlsv1-0 | tlsv1-1 | tlsv1-2 | sslv3}
set admin-https-banned-cipher {rc4 | low}
set admintimeout <integer>
set admin-console-timeout <integer>
set admin-concurrent {enable | disable}
set admin-lockout-threshold <integer>
set admin-lockout-duration <integer>
set refresh <integer>
set interval <integer>
set failtime <integer>
set daily-restart {enable | disable}
set restart-time <user>
set radius-port <integer>
set admin-login-max <integer>
set remoteauthtimeout <integer>
set ldapconntimeout <integer>
set batch-cmdb {enable | disable}
set max-dlpstat-memory <integer>
set dst {enable | disable}
set timezone {01 | 02 | 03 | 04 | 05 | 81 | 06 | 07 | 08 | 09 | 10 | 11 | 12 | 13 | 74 | 14 | 77 | 15 | 16 | 17 | 18 | 19 | 20 | 75 | 21 | 22 | 23 | 24 | 80 | 79 | 25 | 26 | 27 | 28 | 78 | 29 | 30 | 31 | 85 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 83 | 84 | 40 | 41 | 42 | 43 | 39 | 44 | 46 | 47 | 51 | 48 | 45 | 49 | 50 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 62 | 63 | 61 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 00 | 82 | 73 | 86 | 76}
set ntpserver <string>
set ntpsync {enable | disable}
set syncinterval <integer>
set traffic-priority {tos | dscp}
set traffic-priority-level {low | medium | high}
set anti-replay {disable | loose | strict}
set send-pmtu-icmp {enable | disable}
set honor-df {enable | disable}
set split-port <user>
set revision-image-auto-backup {enable | disable}
set revision-backup-on-logout {enable | disable}
set management-vdom <string>
set hostname <string>
set strong-crypto {enable | disable}
set ssh-cbc-cipher {enable | disable}
set ssh-hmac-md5 {enable | disable}
set snat-route-change {enable | disable}
set cli-audit-log {enable | disable}
set dh-params {1024 | 1536 | 2048 | 3072 | 4096 | 6144 | 8192}
set fds-statistics {enable | disable}
set fds-statistics-period <integer>
set multicast-forward {enable | disable}
set mc-ttl-notchange {enable | disable}
set asymroute {enable | disable}
set tcp-option {enable | disable}
set phase1-rekey {enable | disable}
set lldp-transmission {enable | disable}
set explicit-proxy-auth-timeout <integer>
set sys-perf-log-interval <integer>
set check-protocol-header {loose | strict}
set vip-arp-range {unlimited | restricted}
set optimize {antivirus | session-setup | throughput}
set reset-sessionless-tcp {enable | disable}
set allow-traffic-redirect {enable | disable}
set strict-dirty-session-check {enable | disable}
set tcp-halfclose-timer <integer>
set tcp-halfopen-timer <integer>
set tcp-timewait-timer <integer>
set udp-idle-timer <integer>
set block-session-timer <integer>
set ip-src-port-range <user>
set pre-login-banner {enable | disable}
set post-login-banner {disable | enable}
set tftp {enable | disable}
set av-failopen {pass | idledrop | off | one-shot}
set av-failopen-session {enable | disable}
set check-reset-range {strict | disable}
set vdom-admin {enable | disable}
set admin-port <integer>
set admin-sport <integer>
set admin-https-redirect {enable | disable}
set admin-ssh-password {enable | disable}
set admin-ssh-port <integer>
set admin-ssh-grace-time <integer>
set admin-ssh-v1 {enable | disable}
set admin-telnet-port <integer>
set admin-maintainer {enable | disable}
set admin-server-cert <string>
set user-server-cert <string>
set admin-https-pki-required {enable | disable}
set wifi-certificate <string>
set wifi-ca-certificate <string>
set auth-http-port <integer>
set auth-https-port <integer>
set auth-keepalive {enable | disable}
set policy-auth-concurrent <integer>
set auth-cert <string>
set clt-cert-req {enable | disable}
set endpoint-control-portal-port <integer>
set endpoint-control-fds-access {enable | disable}
set tp-mc-skip-policy {enable | disable}
set cfg-save {automatic | manual | revert}
set cfg-revert-timeout <integer>
set reboot-upon-config-restore {enable | disable}
set admin-scp {enable | disable}
set registration-notification {enable | disable}
set service-expire-notification {enable | disable}
set wireless-controller {enable | disable}
set wireless-controller-port <integer>
set fortiextender-data-port <integer>
set fortiextender {enable | disable}
set switch-controller {disable | enable}
set switch-controller-reserved-network <ipv4-classnet>
set proxy-worker-count <integer>
set scanunit-count <integer>
set ssl-worker-count <integer>
set proxy-kxp-hardware-acceleration {disable | enable}
set proxy-cipher-hardware-acceleration {disable | enable}
set fgd-alert-subscription {advisory | latest-threat | latest-virus | latest-attack | new-antivirus-db | new-attack-db}
set ipsec-hmac-offload {enable | disable}
set ipv6-accept-dad <integer>
set csr-ca-attribute {enable | disable}
set wimax-4g-usb {enable | disable}
set cert-chain-max <integer>
set sslvpn-max-worker-count <integer>
set sslvpn-kxp-hardware-acceleration {enable | disable}
set sslvpn-cipher-hardware-acceleration {enable | disable}
set sslvpn-plugin-version-check {enable | disable}
set two-factor-email-expiry <integer>
set two-factor-sms-expiry <integer>
set two-factor-ftm-expiry <integer>
set per-user-bwl {enable | disable}
set virtual-server-count <integer>
set virtual-server-hardware-acceleration {disable | enable}
set wad-worker-count <integer>
set login-timestamp {enable | disable}
set miglogd-children <integer>
set special-file-23-support {disable | enable}
set log-uuid {disable | policy-only | extended}
set arp-max-entry <integer>
set ips-affinity <string>
set av-affinity <string>
set miglog-affinity <string>
set ndp-max-entry <integer>
set br-fdb-max-entry <integer>
set ipsec-asic-offload {enable | disable}
set device-idle-timeout <integer>
set compliance-check {enable | disable}
set compliance-check-time <time>
set gui-device-latitude <string>
set gui-device-longitude <string>
set private-data-encryption {disable | enable}
set auto-auth-extension-device {enable | disable}
set gui-theme {green | red | blue | melongene}
end
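Added example, not from this reference or from Fortinet: a Python audit that parses a configuration export written in the config / edit / set / next / end form shown in the CLI Syntax blocks and compares the system global admin-access settings against the defaults listed in the description table for this section. The sample exports and the hardened target values are this example's own assumptions.

```python
"""Audit the admin-access settings of a FortiOS 5.4 configuration export.

Added example, not Fortinet code: parses the text form of a FortiOS
configuration (config / edit / set / next / end) and compares
`config system global` against the defaults listed in this reference.
Keys an export omits keep their documented default. Samples are constructed.
"""
import shlex
from typing import Dict, List, Tuple

# setting -> (default listed in this reference, value a hardened management
# plane would set). The hardened column is this example's audit policy, not
# a Fortinet recommendation: no CBC or HMAC-MD5 for SSH, no SSHv1, TLS 1.2
# only for the GUI, and an audit log of CLI changes.
POLICY: Dict[str, Tuple[List[str], List[str]]] = {
    "strong-crypto": (["enable"], ["enable"]),
    "ssh-cbc-cipher": (["enable"], ["disable"]),
    "ssh-hmac-md5": (["enable"], ["disable"]),
    "admin-ssh-v1": (["disable"], ["disable"]),
    "admin-https-ssl-versions": (["tlsv1-1", "tlsv1-2"], ["tlsv1-2"]),
    "admin-https-redirect": (["enable"], ["enable"]),
    "cli-audit-log": (["disable"], ["enable"]),
}


def parse_fortios(text: str) -> Dict[str, Dict[str, Dict[str, List[str]]]]:
    """Return {config path: {entry name: {key: values}}}.

    A table without `edit` entries (such as `config system global`) keeps its
    settings under the entry name "". A block nested inside an entry gets
    the path "<parent path>/<entry name>/<block name>".
    """
    tables: Dict[str, Dict[str, Dict[str, List[str]]]] = {}
    stack: List[Tuple[str, str]] = []  # (config path, current entry name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        if cmd == "config":
            name = " ".join(args)
            path = f"{stack[-1][0]}/{stack[-1][1]}/{name}" if stack else name
            stack.append((path, ""))
            tables.setdefault(path, {}).setdefault("", {})
            continue
        if not stack:
            raise ValueError(f"'{cmd}' outside any config block: {line}")
        path, entry = stack[-1]
        if cmd == "edit":
            stack[-1] = (path, args[0])
            tables[path].setdefault(args[0], {})
        elif cmd == "set":
            tables[path][entry][args[0]] = args[1:]
        elif cmd == "next":
            stack[-1] = (path, "")
        elif cmd == "end":
            stack.pop()
    return tables


def audit_global(text: str) -> List[Tuple[str, str, str]]:
    """Return (setting, effective value, recommended value) per deviation."""
    configured = parse_fortios(text).get("system global", {}).get("", {})
    findings = []
    for key, (default, want) in POLICY.items():
        have = configured.get(key, default)
        if sorted(have) != sorted(want):
            findings.append((key, " ".join(have), " ".join(want)))
    return findings


def remediation_cli(findings: List[Tuple[str, str, str]]) -> str:
    """Render the CLI commands that would apply the recommended values."""
    if not findings:
        return ""
    body = [f"    set {key} {want}" for key, _, want in findings]
    return "\n".join(["config system global", *body, "end"])


# Constructed sample export: a few weak choices set explicitly, everything
# else left at the documented defaults (which the audit also evaluates).
WEAK_EXPORT = """\
# constructed sample, not a real device export
config system global
    set hostname "fgt-lab"
    set admin-ssh-v1 enable
    set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2
    set strong-crypto disable
end
config system dns-database
    edit "lab.example"
        config dns-entry
            edit 1
                set ip 10.0.0.1
            next
        end
    next
end
"""
```

Settings an export does not mention are judged at their documented default, so ssh-cbc-cipher and ssh-hmac-md5 are reported even though the sample never sets them.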

Description
Configuration Description Default Value

language GUI display language. english

gui-ipv6 Enable/disable IPv6 settings in GUI. disable

gui-certificates Enable/disable certificates configuration in GUI. enable

gui-custom-language Enable/disable custom languages in GUI. disable

gui-wireless-opensecurity Enable/disable wireless open security option in GUI. disable

gui-display-hostname Enable/disable display of hostname on GUI login page. disable

gui-lines-per-page Number of lines to display per page for web administration. 50

admin-https-ssl-versions Allowed SSL/TLS versions for web administration. tlsv1-1 tlsv1-2

admin-https-banned-cipher Banned ciphers for web administration. rc4 low

admintimeout Idle time-out for firewall administration. 5

admin-console-timeout Idle time-out for console. 0

admin-concurrent Enable/disable admin concurrent login. enable

admin-lockout-threshold Lockout threshold for firewall administration. 3

admin-lockout-duration Lockout duration (sec) for firewall administration. 60

refresh Statistics refresh interval in GUI. 0

interval Dead gateway detection interval. 5

failtime Fail-time for server lost. 5

daily-restart Enable/disable firewall daily reboot. disable

restart-time Daily restart time (hh:mm). 00:00

radius-port RADIUS service port number. 1812

admin-login-max Maximum number of admin users logged in at one time (1 - 100). 100

remoteauthtimeout Remote authentication (RADIUS/LDAP) time-out. 5

ldapconntimeout LDAP connection time-out (0 - 4294967295 milliseconds). 500

batch-cmdb Enable/disable batch mode to execute in CMDB server. enable

max-dlpstat-memory Maximum DLP stat memory (0 - 4294967295).

dst Enable/disable daylight saving time. enable

timezone Time zone. 00

ntpserver IP address/hostname of NTP Server. (Empty)

ntpsync Enable/disable synchronization with NTP Server. disable

syncinterval NTP synchronization interval. 0

traffic-priority Traffic priority type. tos

traffic-priority-level Default TOS/DSCP priority level. medium

anti-replay Anti-replay control. strict

send-pmtu-icmp Enable/disable sending of PMTU ICMP destination unreachable packet. enable

honor-df Enable/disable honoring Don't-Fragment flag. enable

split-port Split port(s) to multiple 10Gbps ports. none

revision-image-auto-backup Enable/disable automatic revision image backup when upgrading the image. disable

revision-backup-on-logout Enable/disable automatic revision config backup on logout. disable

management-vdom Management virtual domain name. root

hostname Firewall hostname. (Empty)

strong-crypto Enable/disable strong crypto for HTTPS/SSH access. enable

ssh-cbc-cipher Enable/disable CBC cipher for SSH access. enable

ssh-hmac-md5 Enable/disable HMAC-MD5 for SSH access. enable

snat-route-change Enable/disable SNAT route change. disable

cli-audit-log Enable/disable CLI audit log. disable

dh-params Minimum size of Diffie-Hellman prime for HTTPS/SSH. 2048

fds-statistics Enable/disable FortiGuard statistics. enable

fds-statistics-period FortiGuard statistics update period (1 - 1440 min, default = 60 min). 60

multicast-forward Enable/disable multicast forwarding. enable

mc-ttl-notchange Enable/disable no modification of multicast TTL. disable

asymroute Enable/disable asymmetric route. disable

tcp-option Enable/disable TCP option. enable

phase1-rekey Enable/disable phase1 rekey. enable

lldp-transmission Enable/disable Link Layer Discovery Protocol (LLDP) transmission. disable

explicit-proxy-auth-timeout Authentication timeout (sec) for idle sessions in explicit web proxy. 300

sys-perf-log-interval The interval of performance statistics logging. 5

check-protocol-header Level of checking protocol header. loose

vip-arp-range Control ARP behavior for VIP ranges. restricted

optimize Firmware optimization option. antivirus

reset-sessionless-tcp Enable/disable reset session-less TCP. disable

allow-traffic-redirect Enable/disable allow traffic redirect. enable

strict-dirty-session-check Enable/disable strict dirty-session check. enable

tcp-halfclose-timer TCP half close timeout (1 - 86400 sec, default = 120). 120

tcp-halfopen-timer TCP half open timeout (1 - 86400 sec, default = 10). 10

tcp-timewait-timer TCP time wait timeout (0 - 300 sec, default = 1). 1

udp-idle-timer UDP idle timeout (1 - 86400 sec, default = 180). 180

block-session-timer Block-session timeout (1-300 sec, default = 30 sec). 30

ip-src-port-range IP source port range for firewall originated traffic. 1024-25000

pre-login-banner Enable/disable pre-login-banner. disable

post-login-banner Enable/disable post-login-banner. disable

tftp Enable/disable TFTP. enable

av-failopen AV fail open option. pass

av-failopen-session Enable/disable AV fail open session option. disable

check-reset-range Drop RST packets if out-of-window. disable

vdom-admin Enable/disable multiple VDOMs mode. disable

admin-port Admin access HTTP port (1 - 65535). 80

admin-sport Admin access HTTPS port (1 - 65535). 443

admin-https-redirect Enable/disable redirection of HTTP admin traffic to HTTPS. enable

admin-ssh-password Enable/disable password authentication for SSH admin access. enable

admin-ssh-port Admin access SSH port (1 - 65535). 22

admin-ssh-grace-time Admin access login grace time (10 - 3600 sec). 120

admin-ssh-v1 Enable/disable SSH v1 compatibility. disable

admin-telnet-port Admin access TELNET port (1 - 65535). 23

admin-maintainer Enable/disable login of maintainer user. enable

admin-server-cert Admin HTTPS server certificate. Fortinet_Factory

user-server-cert User HTTPS server certificate. Fortinet_Factory

admin-https-pki-required Enable/disable require HTTPS login page when PKI is enabled. disable

wifi-certificate WiFi certificate for WPA. Fortinet_Wifi

wifi-ca-certificate WiFi CA certificate for WPA. PositiveSSL_CA

auth-http-port Authentication HTTP port (1 - 65535). 1000

auth-https-port Authentication HTTPS port (1 - 65535). 1003

auth-keepalive Enable/disable use of keep alive to extend authentication. disable

policy-auth-concurrent Concurrent user to pass firewall authentication. 0

auth-cert HTTPS server certificate for policy authentication. Fortinet_Factory

clt-cert-req Enable/disable require client certificate for GUI login. disable

endpoint-control-portal-port Endpoint control portal port (1 - 65535). 8009

endpoint-control-fds-access Enable/disable access to FortiGuard servers for non-compliant endpoints. enable

tp-mc-skip-policy Enable/disable skip policy check and allow multicast through. disable

cfg-save Configuration file save mode for changes made using the CLI. automatic

cfg-revert-timeout Time-out for reverting to the last saved configuration. 600

reboot-upon-config-restore Enable/disable reboot of system upon restoring configuration. enable

admin-scp Enable/disable allow system configuration download by SCP. disable

registration-notification Enable/disable allow license registration notification. enable

service-expire-notification Enable/disable service expiration notification. enable

wireless-controller Enable/disable wireless controller. enable

wireless-controller-port Local wireless controller port (1024 - 49150). 5246

fortiextender-data-port Fortiextender controller data port (1024 - 49150). 25246

fortiextender Enable/disable FortiExtender controller. disable

switch-controller Enable/disable switch controller feature. disable

switch-controller-reserved-network Reserved network for switch-controller. 169.254.254.0 255.255.254.0

proxy-worker-count Proxy worker count. 16

scanunit-count Scanunit count. 39

ssl-worker-count SSL worker count (0 - 4294967295).

proxy-kxp-hardware- Enable/disable use of content processor to enable


acceleration encrypt or decrypt traffic.

proxy-cipher-hardware- Enable/disable use of content processor to enable


acceleration encrypt or decrypt traffic.

fgd-alert-subscription FortiGuard alert subscription. (Empty)

ipsec-hmac-offload Enable/disable offload HMAC to hardware for enable


IPsec VPN.

ipv6-accept-dad Enable/disable acceptance of IPv6 DAD 1


(Duplicate Address Detection). 0: Disable DAD; 1:
Enable DAD (default); 2: Enable DAD, and
disable IPv6 operation if MAC-based duplicate
link-local address has been found.

csr-ca-attribute Enable/disable CSR CA attribute. enable

wimax-4g-usb    Enable/disable WiMAX USB device.    disable

cert-chain-max    Maximum depth for certificate chain.    8

sslvpn-max-worker-count    Maximum number of worker processes for SSL-VPN.    39

sslvpn-kxp-hardware-acceleration    Enable/disable KXP SSL-VPN hardware acceleration.    disable

sslvpn-cipher-hardware-acceleration    Enable/disable SSL-VPN cipher hardware acceleration.    disable

sslvpn-plugin-version-check    Enable/disable automatic checking of the SSL-VPN browser plug-in version.    enable

two-factor-email-expiry    Expiration time for email token (30 - 300 sec, default = 60 sec).    60

two-factor-sms-expiry    Expiration time for SMS token (30 - 300 sec, default = 60 sec).    60

two-factor-ftm-expiry    Expiration time for FortiToken Mobile provisioning (1 - 168 hr, default = 72 hr).    72

per-user-bwl    Enable/disable per-user black/white list filter.    disable

virtual-server-count    Number of concurrent virtual server workers.    20

virtual-server-hardware-acceleration    Enable/disable use of the content processor to encrypt or decrypt virtual server traffic.    enable

wad-worker-count    Number of concurrent WAD workers.    20

login-timestamp    Enable/disable login time recording.    disable

miglogd-children    Number of miglogd children.    0

special-file-23-support    Enable/disable support for special file 23.    disable

log-uuid    Universally Unique Identifier (UUID) log option.    policy-only

arp-max-entry    Maximum number of ARP table entries (set to 131,072 or higher).    131072

ips-affinity    Affinity setting for IPS (64-bit hexadecimal value in the format xxxxxxxxxxxxxxxx; the number of allowed CPUs must be less than the total number of IPS engine daemons).    0

av-affinity    Affinity setting for AV scanning (64-bit hexadecimal value in the format xxxxxxxxxxxxxxxx).    0

miglog-affinity    Affinity setting for logging (64-bit hexadecimal value in the format xxxxxxxxxxxxxxxx).    0

ndp-max-entry    Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, the kernel holds 65,536 entries).    0

br-fdb-max-entry    Maximum number of bridge forwarding database entries (set to 8192 or higher).    8192

ipsec-asic-offload    Enable/disable ASIC offload for IPsec VPN.    enable

device-idle-timeout    Device idle timeout (30 - 31536000 sec, default = 300 sec).    300

compliance-check    Enable/disable global PCI DSS compliance check.    enable

compliance-check-time    PCI DSS compliance check time.    00:00:00

gui-device-latitude    Physical device latitude coordinate.    (Empty)

gui-device-longitude    Physical device longitude coordinate.    (Empty)

private-data-encryption    Enable/disable private data encryption using an AES 128-bit key.    disable

auto-auth-extension-device    Enable/disable automatic authorization of dedicated Fortinet extension devices globally.    enable

gui-theme    Color scheme to use for the administration GUI.    green

system/gre-tunnel
CLI Syntax
config system gre-tunnel
edit <name_str>
set name <string>
set interface <string>
set remote-gw <ipv4-address>
set local-gw <ipv4-address-any>
set sequence-number-transmission {disable | enable}
set sequence-number-reception {disable | enable}
set checksum-transmission {disable | enable}
set checksum-reception {disable | enable}
set key-outbound <integer>
set key-inbound <integer>
set auto-asic-offload {enable | disable}
set keepalive-interval <integer>
set keepalive-failtimes <integer>
end

Description
Configuration    Description    Default Value

name    Tunnel name.    (Empty)

interface    Interface name.    (Empty)

remote-gw    IP address of the remote gateway.    0.0.0.0

local-gw    IP address of the local gateway.    0.0.0.0

sequence-number-transmission    Enable/disable inclusion of a sequence number in transmitted GRE packets.    disable

sequence-number-reception    Enable/disable validation of the sequence number in received GRE packets.    disable

checksum-transmission    Enable/disable inclusion of a checksum in transmitted GRE packets.    disable

checksum-reception    Enable/disable validation of the checksum in received GRE packets.    disable

key-outbound    Key to include in transmitted GRE packets (0 - 4294967295).    0

key-inbound    Key that received GRE packets must contain (0 - 4294967295).    0

auto-asic-offload    Enable/disable tunnel ASIC offloading.    enable

keepalive-interval    Keepalive message interval (0 - 32767, 0 = disabled).    0

keepalive-failtimes    Number of consecutive unanswered keepalive messages before the GRE connection is considered down (1 - 255).    10

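The sequence-number, checksum and key options in this table correspond to the optional header fields GRE defines in RFC 2784 and RFC 2890, and the reception options are what a receiver checks before it accepts a packet. The Python below is an added example written for this page, not FortiOS code: it builds GRE headers with the C, K and S flags set and runs a receiver that applies key-inbound, sequence-number-reception and checksum-reception to them. Two points are this editor's assumptions and are marked in the code: a key-inbound of 0 is treated as "no key required" (the table's default), and a received sequence number is accepted only if it is strictly newer than the previous one in 32-bit arithmetic (RFC 2890 guidance; the exact FortiOS policy is not stated here). The caveat the example makes concrete is that the key is a 32-bit cleartext field and the checksum is not a MAC: neither authenticates the remote gateway, so a host that can spoof remote-gw and knows or guesses the key can inject into the tunnel. Where that matters, carry the GRE tunnel inside IPsec.

```python
import struct
from typing import Optional, Tuple

# GRE flag bits in the first 16-bit word (RFC 2784/2890): C = checksum present,
# K = key present, S = sequence number present; the low three bits are the version.
GRE_FLAG_C = 0x8000
GRE_FLAG_K = 0x2000
GRE_FLAG_S = 0x1000
ETH_P_IP = 0x0800


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 one's complement checksum over data (zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_gre(payload: bytes, proto: int = ETH_P_IP, key: Optional[int] = None,
              seq: Optional[int] = None, checksum: bool = False) -> bytes:
    """Encapsulate payload; key, seq and checksum mirror the *-transmission options."""
    flags, opt = 0, b""
    if checksum:
        flags |= GRE_FLAG_C
        opt += b"\x00" * 4                 # checksum + reserved1, filled in below
    if key is not None:
        flags |= GRE_FLAG_K
        opt += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_S
        opt += struct.pack("!I", seq)
    packet = struct.pack("!HH", flags, proto) + opt + payload
    if checksum:                           # the checksum covers header and payload
        csum = ones_complement_checksum(packet)
        packet = packet[:4] + struct.pack("!H", csum) + packet[6:]
    return packet


def _newer(seq: int, last: int) -> bool:
    """True when seq is ahead of last in 32-bit modular arithmetic."""
    return 0 < (seq - last) & 0xFFFFFFFF < 0x80000000


class GreReceiver:
    """Receive side with the three FortiOS-style reception options."""

    def __init__(self, key_inbound: int = 0, sequence_number_reception: bool = False,
                 checksum_reception: bool = False) -> None:
        # Assumption: key_inbound 0 means "no key required", matching the default.
        self.key_inbound = key_inbound
        self.check_seq = sequence_number_reception
        self.check_csum = checksum_reception
        self.last_seq: Optional[int] = None

    def receive(self, packet: bytes) -> Tuple[bool, str, bytes]:
        """Return (accepted, reason, payload)."""
        if len(packet) < 4:
            return False, "truncated header", b""
        flags, _proto = struct.unpack("!HH", packet[:4])
        if flags & 0x0007:
            return False, "unsupported GRE version", b""
        need = 4 + sum(4 for bit in (GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S) if flags & bit)
        if len(packet) < need:
            return False, "truncated options", b""
        off, csum, key, seq = 4, None, None, None
        if flags & GRE_FLAG_C:
            csum = struct.unpack("!H", packet[off:off + 2])[0]
            off += 4                       # checksum plus reserved1
        if flags & GRE_FLAG_K:
            key = struct.unpack("!I", packet[off:off + 4])[0]
            off += 4
        if flags & GRE_FLAG_S:
            seq = struct.unpack("!I", packet[off:off + 4])[0]
            off += 4
        # key-inbound: a configured key must be present and equal. It is compared in
        # cleartext, so this is traffic separation, not authentication.
        if self.key_inbound and key != self.key_inbound:
            return False, "key mismatch", b""
        if self.check_csum and csum is not None:
            zeroed = packet[:4] + b"\x00\x00" + packet[6:]
            if ones_complement_checksum(zeroed) != csum:
                return False, "bad checksum", b""
        if self.check_seq and seq is not None:
            # Assumption: accept only a strictly newer number (RFC 2890 guidance).
            if self.last_seq is not None and not _newer(seq, self.last_seq):
                return False, "replayed or out-of-order sequence", b""
            self.last_seq = seq
        return True, "ok", packet[off:]
```

The receiver only reproduces the three reception options of this table; the replay rejection it performs is a transport sanity check, and an attacker who can see the tunnel can read the current sequence number as easily as the key. When GRE is carried inside IPsec, the ESP layer supplies the authentication and anti-replay that this code cannot.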
system/ha
CLI Syntax
config system ha
set group-id <integer>
set group-name <string>
set mode {standalone | a-a | a-p}
set password <password>
set key <password>
set hbdev <user>
set session-sync-dev <user>
set route-ttl <integer>
set route-wait <integer>
set route-hold <integer>
set load-balance-all {enable | disable}
set sync-config {enable | disable}
set encryption {enable | disable}
set authentication {enable | disable}
set hb-interval <integer>
set hb-lost-threshold <integer>
set helo-holddown <integer>
set gratuitous-arps {enable | disable}
set arps <integer>
set arps-interval <integer>
set session-pickup {enable | disable}
set session-pickup-connectionless {enable | disable}
set session-pickup-expectation {enable | disable}
set session-pickup-nat {enable | disable}
set session-pickup-delay {enable | disable}
set session-sync-daemon-number <integer>
set link-failed-signal {enable | disable}
set uninterruptible-upgrade {enable | disable}
set standalone-mgmt-vdom {enable | disable}
set ha-mgmt-status {enable | disable}
set ha-mgmt-interface <string>
set ha-mgmt-interface-gateway <ipv4-address>
set ha-mgmt-interface-gateway6 <ipv6-address>
set ha-eth-type <string>
set hc-eth-type <string>
set l2ep-eth-type <string>
set ha-uptime-diff-margin <integer>
set standalone-config-sync {enable | disable}
set vcluster2 {enable | disable}
set vcluster-id <integer>
set override {enable | disable}
set priority <integer>
set override-wait-time <integer>
set schedule {none | hub | leastconnection | round-robin | weight-round-robin | random | ip | ipport}
set weight <user>
set cpu-threshold <user>
set memory-threshold <user>
set http-proxy-threshold <user>
set ftp-proxy-threshold <user>
set imap-proxy-threshold <user>
set nntp-proxy-threshold <user>
set pop3-proxy-threshold <user>
set smtp-proxy-threshold <user>
set monitor <user>
set pingserver-monitor-interface <user>
set pingserver-failover-threshold <integer>
set pingserver-slave-force-reset {enable | disable}
set pingserver-flip-timeout <integer>
set vdom <user>
config secondary-vcluster
set vcluster-id <integer>
set override {enable | disable}
set priority <integer>
set override-wait-time <integer>
set monitor <user>
set pingserver-monitor-interface <user>
set pingserver-failover-threshold <integer>
set pingserver-slave-force-reset {enable | disable}
set vdom <user>
end
set ha-direct {enable | disable}
end

Description
Configuration    Description    Default Value

group-id    Group ID (0 - 255).    0

group-name    Group name.    (Empty)

mode    HA mode: standalone, a-a (active-active) or a-p (active-passive).    standalone

password    Cluster password.    (Empty)

key    Cluster key.    (Empty)

hbdev    Heartbeat interfaces (interface name and priority).    "mgmt1" 50

session-sync-dev    Session sync interfaces.    (Empty)

route-ttl    HA route TTL on master (5 - 3600 sec).    10

route-wait    Route update wait time (0 - 3600 sec).    0

route-hold    Wait time between route updates (0 - 3600 sec).    10

load-balance-all    Enable/disable load balancing of all TCP sessions in active-active mode (disable: only proxy-inspected sessions are load balanced).    disable

sync-config    Enable/disable configuration synchronization.    enable

encryption    Enable/disable HA heartbeat message encryption.    disable

authentication    Enable/disable HA heartbeat message authentication.    disable

hb-interval    Heartbeat interval (1 - 20, in units of 100 ms).    2

hb-lost-threshold    Lost heartbeat threshold (1 - 60).    6

helo-holddown    Hello state hold-down time (5 - 300 sec).    20

gratuitous-arps    Enable/disable gratuitous ARPs.    enable

arps    Number of gratuitous ARPs (1 - 60).    5

arps-interval    Gratuitous ARP interval (1 - 20 sec).    8

session-pickup    Enable/disable session pickup.    disable

session-pickup-connectionless    Enable/disable pickup of non-TCP sessions.    disable

session-pickup-expectation    Enable/disable pickup of expectation sessions.    disable

session-pickup-nat    Enable/disable pickup of NATed sessions.    disable

session-pickup-delay    Enable/disable delaying session sync by 30 seconds.    disable

session-sync-daemon-number    Number of session sync daemon processes.    1

link-failed-signal    Enable/disable link failed signal.    disable

uninterruptible-upgrade    Enable/disable uninterruptible HA upgrade.    enable

standalone-mgmt-vdom    Enable/disable standalone management VDOM.    disable

ha-mgmt-status    Enable/disable HA management interface reservation.    disable

ha-mgmt-interface    Reserved interface for HA management.    (Empty)

ha-mgmt-interface-gateway    Gateway for the reserved HA management interface.    0.0.0.0

ha-mgmt-interface-gateway6    IPv6 gateway for the reserved HA management interface.    ::

ha-eth-type    HA Ethernet type (4-digit hex).    8890

hc-eth-type    HC Ethernet type (4-digit hex).    8891

l2ep-eth-type    L2EP Ethernet type (4-digit hex).    8893

ha-uptime-diff-margin    HA uptime difference margin (sec).    300

standalone-config-sync    Enable/disable standalone config sync.    disable

vcluster2    Enable/disable secondary virtual cluster.    disable

vcluster-id    Cluster ID.    0

override    Enable/disable master override (priority-based master selection).    disable

priority    Priority value (0 - 255).    128

override-wait-time    Override wait time (0 - 3600 sec).    0

schedule    Active-active load-balancing schedule.    round-robin

weight    Weight for the weight-round-robin schedule.    40

cpu-threshold    CPU threshold weight.    500

memory-threshold    Memory threshold weight.    500

http-proxy-threshold    HTTP proxy threshold.    500

ftp-proxy-threshold    FTP proxy threshold.    500

imap-proxy-threshold    IMAP proxy threshold.    500

nntp-proxy-threshold    NNTP proxy threshold.    500

pop3-proxy-threshold    POP3 proxy threshold.    500

smtp-proxy-threshold    SMTP proxy threshold.    500

monitor    Interfaces to monitor.    (Empty)

pingserver-monitor-interface    Interfaces to monitor that have a PING server enabled.    (Empty)

pingserver-failover-threshold    Threshold at which HA failover occurs upon PING server failure (0 - 50).    0

pingserver-slave-force-reset    Enable/disable forced reset of the slave after PING server failure.    enable

pingserver-flip-timeout    Minutes to wait before HA failover flip-flop.    60

vdom    VDOM members.    (Empty)

secondary-vcluster    Secondary virtual cluster.    Details below

Configuration    Default Value
vcluster-id    1
override    enable
priority    128
override-wait-time    0
monitor    (Empty)
pingserver-monitor-interface    (Empty)
pingserver-failover-threshold    0
pingserver-slave-force-reset    enable
vdom    (Empty)

ha-direct    Enable/disable sending of messages (logs, SNMP, RADIUS) directly from the ha-mgmt interface.    disable

system/ha-monitor
CLI Syntax
config system ha-monitor
set monitor-vlan {enable | disable}
set vlan-hb-interval <integer>
set vlan-hb-lost-threshold <integer>
end

Description
Configuration    Description    Default Value

monitor-vlan    Enable/disable monitoring of VLAN interfaces.    disable

vlan-hb-interval    VLAN heartbeat interval (sec).    5

vlan-hb-lost-threshold    VLAN lost heartbeat threshold (1 - 60).    3

system/interface
CLI Syntax
config system interface
edit <name_str>
set name <string>
set vdom <string>
set cli-conn-status <integer>
set mode {static | dhcp | pppoe}
set distance <integer>
set priority <integer>
set dhcp-relay-service {disable | enable}
set dhcp-relay-ip <user>
set dhcp-relay-type {regular | ipsec}
set ip <ipv4-classnet-host>
set allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | auto-ipsec | radius-acct | probe-response | capwap}
set gwdetect {enable | disable}
set ping-serv-status <integer>
set detectserver <user>
set detectprotocol {ping | tcp-echo | udp-echo}
set ha-priority <integer>
set fail-detect {enable | disable}
set fail-detect-option {detectserver | link-down}
set fail-alert-method {link-failed-signal | link-down}
set fail-action-on-extender {soft-restart | hard-restart | reboot}
config fail-alert-interfaces
edit <name_str>
set name <string>
end
set dhcp-client-identifier <string>
set ipunnumbered <ipv4-address>
set username <string>
set pppoe-unnumbered-negotiate {enable | disable}
set password <password>
set idle-timeout <integer>
set detected-peer-mtu <integer>
set disc-retry-timeout <integer>
set padt-retry-timeout <integer>
set service-name <string>
set ac-name <string>
set lcp-echo-interval <integer>
set lcp-max-echo-fails <integer>
set defaultgw {enable | disable}
set dns-server-override {enable | disable}
set auth-type {auto | pap | chap | mschapv1 | mschapv2}
set pptp-client {enable | disable}
set pptp-user <string>
set pptp-password <password>
set pptp-server-ip <ipv4-address>
set pptp-auth-type {auto | pap | chap | mschapv1 | mschapv2}
set pptp-timeout <integer>
set arpforward {enable | disable}
set ndiscforward {enable | disable}
set broadcast-forward {enable | disable}
set bfd {global | enable | disable}
set bfd-desired-min-tx <integer>
set bfd-detect-mult <integer>
set bfd-required-min-rx <integer>
set l2forward {enable | disable}
set icmp-redirect {enable | disable}
set vlanforward {enable | disable}
set stpforward {enable | disable}
set stpforward-mode {rpl-all-ext-id | rpl-bridge-ext-id | rpl-nothing}
set ips-sniffer-mode {enable | disable}
set ident-accept {enable | disable}
set ipmac {enable | disable}
set subst {enable | disable}
set macaddr <mac-address>
set substitute-dst-mac <mac-address>
set speed {auto | 10full | 10half | 100full | 100half | 1000full | 1000half | 1000auto | 10000full | 10000auto | 40000full}
set status {up | down}
set netbios-forward {disable | enable}
set wins-ip <ipv4-address>
set type {physical | vlan | aggregate | redundant | fortilink | tunnel | vdom-link | loopback | switch | hard-switch | vap-switch | wl-mesh | fext-wan | hdlc | switch-vlan}
set dedicated-to {none | management}
set trust-ip-1 <ipv4-classnet-any>
set trust-ip-2 <ipv4-classnet-any>
set trust-ip-3 <ipv4-classnet-any>
set trust-ip6-1 <ipv6-prefix>
set trust-ip6-2 <ipv6-prefix>
set trust-ip6-3 <ipv6-prefix>
set mtu-override {enable | disable}
set mtu <integer>
set wccp {enable | disable}
set nst {enable | disable}
set netflow-sampler {disable | tx | rx | both}
set sflow-sampler {enable | disable}
set drop-overlapped-fragment {enable | disable}
set drop-fragment {enable | disable}
set scan-botnet-connections {disable | block | monitor}
set sample-rate <integer>
set polling-interval <integer>
set sample-direction {tx | rx | both}
set explicit-web-proxy {enable | disable}
set explicit-ftp-proxy {enable | disable}
set tcp-mss <integer>
set mediatype {serdes-sfp | sgmii-sfp | serdes-copper-sfp}
set fp-anomaly {pass_winnuke | pass_tcpland | pass_udpland | pass_icmpland | pass_ipland | pass_iprr | pass_ipssrr | pass_iplsrr | pass_ipstream | pass_ipsecurity | pass_iptimestamp | pass_ipunknown_option | pass_ipunknown_prot | pass_icmp_frag | pass_tcp_no_flag | pass_tcp_fin_noack | drop_winnuke | drop_tcpland | drop_udpland | drop_icmpland | drop_ipland | drop_iprr | drop_ipssrr | drop_iplsrr | drop_ipstream | drop_ipsecurity | drop_iptimestamp | drop_ipunknown_option | drop_ipunknown_prot | drop_icmp_frag | drop_tcp_no_flag | drop_tcp_fin_noack}
set inbandwidth <integer>
set outbandwidth <integer>
set spillover-threshold <integer>
set ingress-spillover-threshold <integer>
set weight <integer>
set interface <string>
set external {enable | disable}
set vlanid <integer>
set forward-domain <integer>
set remote-ip <ipv4-address-any>
config member
edit <name_str>
set interface-name <string>
end
set lacp-mode {static | passive | active}
set lacp-ha-slave {enable | disable}
set lacp-speed {slow | fast}
set min-links <integer>
set min-links-down {operational | administrative}
set algorithm {L2 | L3 | L4}
set link-up-delay <integer>
set priority-override {enable | disable}
set aggregate <string>
set redundant-interface <string>
set fortilink <string>
set managed-device <string>
set devindex <integer>
set vindex <integer>
set switch <string>
set description <var-string>
set alias <string>
set security-mode {none | captive-portal | 802.1X}
set security-mac-auth-bypass {enable | disable}
set security-external-web <string>
set replacemsg-override-group <string>
set security-redirect-url <string>
set security-exempt-list <string>
config security-groups
edit <name_str>
set name <string>
end
set device-identification {enable | disable}
set device-user-identification {enable | disable}
set device-identification-active-scan {enable | disable}
set device-access-list <string>
set device-netscan {disable | enable}
set lldp-transmission {enable | disable | vdom}
set listen-forticlient-connection {enable | disable}
set broadcast-forticlient-discovery {enable | disable}
set endpoint-compliance {enable | disable}
set estimated-upstream-bandwidth <integer>
set estimated-downstream-bandwidth <integer>
set vrrp-virtual-mac {enable | disable}
config vrrp
edit <name_str>
set vrid <integer>
set vrgrp <integer>
set vrip <ipv4-address-any>
set priority <integer>
set adv-interval <integer>
set start-time <integer>
set preempt {enable | disable}
set vrdst <ipv4-address-any>
set status {enable | disable}
end
set role {lan | wan | dmz | undefined}
set snmp-index <integer>
set secondary-IP {enable | disable}
config secondaryip
edit <name_str>
set id <integer>
set ip <ipv4-classnet-host>
set allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | auto-ipsec | radius-acct | probe-response | capwap}
set gwdetect {enable | disable}
set ping-serv-status <integer>
set detectserver <user>
set detectprotocol {ping | tcp-echo | udp-echo}
set ha-priority <integer>
end
set auto-auth-extension-device {enable | disable}
set ap-discover {enable | disable}
config ipv6
set ip6-mode {static | dhcp | pppoe | delegated}
set ip6-dns-server-override {enable | disable}
set ip6-address <ipv6-prefix>
config ip6-extra-addr
edit <name_str>
set prefix <ipv6-prefix>
end
set ip6-allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | capwap}
set ip6-send-adv {enable | disable}
set ip6-manage-flag {enable | disable}
set ip6-other-flag {enable | disable}
set ip6-max-interval <integer>
set ip6-min-interval <integer>
set ip6-link-mtu <integer>
set ip6-reachable-time <integer>
set ip6-retrans-time <integer>
set ip6-default-life <integer>
set ip6-hop-limit <integer>
set autoconf {enable | disable}
set ip6-upstream-interface <string>
set ip6-subnet <ipv6-prefix>
config ip6-prefix-list
edit <name_str>
set prefix <ipv6-network>
set autonomous-flag {enable | disable}
set onlink-flag {enable | disable}
set valid-life-time <integer>
set preferred-life-time <integer>
end
config ip6-delegated-prefix-list
edit <name_str>
set prefix-id <integer>
set upstream-interface <string>
set autonomous-flag {enable | disable}
set onlink-flag {enable | disable}
set subnet <ipv6-network>
end
set dhcp6-relay-service {disable | enable}
set dhcp6-relay-type {regular}
set dhcp6-relay-ip <user>
set dhcp6-client-options {rapid | iapd | iana | dns | dnsname}
set dhcp6-prefix-delegation {enable | disable}
end
end

Description
Configuration    Description    Default Value

name    Name.    (Empty)

vdom    Virtual domain name.    (Empty)

cli-conn-status    CLI connection status.    0

mode    Addressing mode (static, DHCP, PPPoE).    static

distance    Distance of learned routes.    5

priority    Priority of learned routes.    0

dhcp-relay-service    Enable/disable the DHCP relay service.    disable

dhcp-relay-ip    DHCP relay IP address.    (Empty)

dhcp-relay-type    DHCP relay type.    regular

ip    IP address and netmask of the interface.    0.0.0.0 0.0.0.0

allowaccess    Management access permitted on the interface.    (Empty)

gwdetect    Enable/disable dead gateway detection on this interface.    disable

ping-serv-status    PING server status.    0

detectserver    Gateway's ping server for this IP.    (Empty)

detectprotocol    Protocols used to detect the server.    ping

ha-priority    HA election priority for the PING server.    1

fail-detect    Enable/disable interface fail detection.    disable

fail-detect-option    Interface fail detect option.    link-down

fail-alert-method    Interface fail alert method.    link-down

fail-action-on-extender    Action taken on the FortiExtender when the interface fails.    soft-restart

fail-alert-interfaces    Physical interfaces that will be alerted.    (Empty)

dhcp-client-identifier    DHCP client identifier.    (Empty)

ipunnumbered    PPPoE unnumbered IP.    0.0.0.0

username    User name.    (Empty)

pppoe-unnumbered-negotiate    Enable/disable PPPoE unnumbered negotiation.    enable

password    Password.    (Empty)

idle-timeout    PPPoE auto-disconnect after this idle time (sec).    0

detected-peer-mtu    MTU of detected peer (0 - 4294967295).    0

disc-retry-timeout    PPPoE discovery init timeout (sec).    1

padt-retry-timeout    PPPoE terminate timeout (sec).    1

service-name    PPPoE service name.    (Empty)

ac-name    PPPoE AC name.    (Empty)

lcp-echo-interval    PPPoE LCP echo interval (sec).    5

lcp-max-echo-fails    Maximum missed LCP echo messages before disconnect.    3

defaultgw    Enable/disable default gateway.    enable

dns-server-override    Enable/disable use of DNS servers acquired by DHCP or PPPoE.    enable

auth-type    PPP authentication type to use.    auto

pptp-client    Enable/disable PPTP client.    disable

pptp-user    PPTP user name.    (Empty)

pptp-password    PPTP password.    (Empty)

pptp-server-ip    PPTP server IP address.    0.0.0.0

pptp-auth-type    PPTP authentication type.    auto

pptp-timeout    Idle timer in minutes (0 for disabled).    0

arpforward    Enable/disable ARP forwarding.    enable

ndiscforward    Enable/disable NDISC forwarding.    enable

broadcast-forward    Enable/disable broadcast forwarding.    disable

bfd    Bidirectional Forwarding Detection (BFD).    global

bfd-desired-min-tx    BFD desired minimal transmit interval.    250

bfd-detect-mult    BFD detection multiplier.    3

bfd-required-min-rx    BFD required minimal receive interval.    250

l2forward    Enable/disable L2 forwarding.    disable

icmp-redirect    Enable/disable ICMP redirect.    enable

vlanforward    Enable/disable VLAN forwarding.    disable

stpforward    Enable/disable STP forwarding.    disable

stpforward-mode    STP forwarding mode.    rpl-all-ext-id

ips-sniffer-mode    Enable/disable IPS sniffer mode.    disable

ident-accept    Enable/disable accepting the ident protocol.    disable

ipmac    Enable/disable IP/MAC binding.    disable

subst    Enable/disable substitute MAC.    disable

macaddr    MAC address.    00:00:00:00:00:00

substitute-dst-mac    Substitute destination MAC address.    00:00:00:00:00:00

speed    Interface speed and duplex.    auto

status    Interface status.    up

netbios-forward    Enable/disable NETBIOS forwarding.    disable

wins-ip    WINS server IP.    0.0.0.0

type    Interface type.    vlan

dedicated-to    Configure interface for a single purpose.    none

trust-ip-1    Trusted host for dedicated management traffic (0.0.0.0/0 for all hosts).    0.0.0.0 0.0.0.0

trust-ip-2    Trusted host for dedicated management traffic (0.0.0.0/0 for all hosts).    0.0.0.0 0.0.0.0

trust-ip-3    Trusted host for dedicated management traffic (0.0.0.0/0 for all hosts).    0.0.0.0 0.0.0.0

trust-ip6-1    Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).    ::/0

trust-ip6-2    Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).    ::/0

trust-ip6-3    Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).    ::/0

mtu-override    Enable/disable use of a custom MTU.    disable

mtu    Maximum transmission unit (bytes).    1500

wccp    Enable/disable WCCP protocol on this interface.    disable

nst    Enable/disable NST protocol on this interface.    disable

netflow-sampler    NetFlow measurement status.    disable

sflow-sampler    Enable/disable sFlow protocol.    disable

drop-overlapped-fragment    Enable/disable dropping of overlapped fragment packets.    disable

drop-fragment    Enable/disable dropping of fragment packets.    disable

scan-botnet-connections    Enable/disable scanning of connections to Botnet servers.    disable

sample-rate    sFlow sampler sample rate.    2000

polling-interval    sFlow sampler counter polling interval.    20

sample-direction    sFlow sample direction.    both

explicit-web-proxy    Enable/disable explicit Web proxy.    disable

explicit-ftp-proxy    Enable/disable explicit FTP proxy.    disable

tcp-mss    Maximum sending TCP segment size (MSS).    0

mediatype    SFP media interface type.    serdes-sfp

fp-anomaly    Pass or drop different types of anomalies using Fastpath.    (Empty)

inbandwidth    Bandwidth limit for incoming traffic (0 - 16776000 kbps).    0

outbandwidth    Bandwidth limit for outgoing traffic (0 - 16776000 kbps).    0

spillover-threshold    Egress spillover threshold (0 - 16776000 kbps).    0

ingress-spillover-threshold    Ingress spillover threshold (0 - 16776000 kbps).    0

weight    Default weight for static routes (if the route has no weight configured).    0

interface    Interface name.    (Empty)

external    Enable/disable identifying the interface as connected to the external side.    disable

vlanid    VLAN ID.    0

forward-domain    TP mode forward domain.    0

remote-ip    Remote IP address of tunnel.    0.0.0.0

member    Physical interfaces that belong to the aggregate/redundant interface.    (Empty)

lacp-mode    LACP mode.    active

lacp-ha-slave    LACP HA slave.    enable

lacp-speed    LACP speed.    slow

min-links    Minimum number of aggregated ports that must be up.    1

min-links-down    Action to take when there are fewer than min-links active members.    operational

algorithm    Frame distribution algorithm.    L4

link-up-delay    Number of milliseconds to wait before considering a link up.    50

priority-override    Enable/disable fail back to the higher priority port once it recovers.    enable

aggregate    Aggregate interface.    (Empty)

redundant-interface    Redundant interface.    (Empty)

fortilink    FortiLink interface.    (Empty)

managed-device    FortiLink interface managed device.    (Empty)

devindex    Device index.    0

vindex    Switch control interface VLAN ID.    0

switch    Contained in switch.    (Empty)

description    Description.    (Empty)

alias    Alias.    (Empty)

security-mode    Security mode.    none

security-mac-auth-bypass    Enable/disable MAC authentication bypass.    disable

security-external-web    URL of external authentication web server.    (Empty)

replacemsg-override-group    Replacement message override group.    (Empty)

security-redirect-url    URL redirection after disclaimer/authentication.    (Empty)

security-exempt-list    Name of security-exempt-list.    (Empty)

security-groups    Group name.    (Empty)

device-identification    Enable/disable passive gathering of identity information about source hosts on this interface.    disable

device-user-identification    Enable/disable passive gathering of user identity information about source hosts on this interface.    enable

device-identification-active-scan    Enable/disable active gathering of identity information about source hosts on this interface.    enable

device-access-list    Device access list.    (Empty)

device-netscan    Enable/disable inclusion of devices detected on this interface in network vulnerability scans.    disable

lldp-transmission    Enable/disable Link Layer Discovery Protocol (LLDP) transmission.    vdom

listen-forticlient-connection    Enable/disable listening for FortiClient connections.    disable

broadcast-forticlient-discovery    Enable/disable broadcasting of FortiClient discovery messages.    disable

endpoint-compliance    Enable/disable endpoint compliance enforcement.    disable

estimated-upstream-bandwidth    Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization.    0

estimated-downstream-bandwidth    Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization.    0

vrrp-virtual-mac    Enable/disable use of a virtual MAC for VRRP.    disable

vrrp    VRRP configuration.    (Empty)

role    Interface role.    undefined

snmp-index    Permanent SNMP index of the interface.    0

secondary-IP    Enable/disable secondary IP.    disable

secondaryip    Secondary IP addresses of the interface.    (Empty)

auto-auth-extension-device    Enable/disable automatic authorization of dedicated Fortinet extension devices on this interface.    disable

ap-discover    Enable/disable automatic registration of unknown FortiAP devices.    enable

ipv6    IPv6 configuration of the interface.    Details below

Configuration    Default Value
ip6-mode    static
ip6-dns-server-override    enable
ip6-address    ::/0
ip6-extra-addr    (Empty)
ip6-allowaccess    (Empty)
ip6-send-adv    disable
ip6-manage-flag    disable
ip6-other-flag    disable
ip6-max-interval    600
ip6-min-interval    198
ip6-link-mtu    0
ip6-reachable-time    0
ip6-retrans-time    0
ip6-default-life    1800
ip6-hop-limit    0
autoconf    disable
ip6-upstream-interface    (Empty)
ip6-subnet    ::/0
ip6-prefix-list    (Empty)
ip6-delegated-prefix-list    (Empty)
dhcp6-relay-service    disable
dhcp6-relay-type    regular
dhcp6-relay-ip    (Empty)
dhcp6-client-options    dns
dhcp6-prefix-delegation    disable

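Several options in the system global, system ha and system interface tables above decide how exposed the management plane is: admin-scp, login-timestamp, HA encryption and authentication (both off by default, so heartbeat traffic on hbdev is neither encrypted nor authenticated), http and telnet in allowaccess, and trust-ip left at 0.0.0.0 0.0.0.0 on an interface dedicated to management. The Python below is an added example written for this page, not Fortinet code: it parses the config / edit / set / next / end text that `show` prints into a dictionary keyed by object path and audits those options, reporting findings for a weak fragment and none for a hardened one. Both fragments are constructed for the example, the interface names and addresses are illustrative, and the finding texts are this editor's reading of the option descriptions. The trust-ip check treats an all-zero entry as unrestricted, which is how the default 0.0.0.0 0.0.0.0 behaves; when a `show` fragment omits an option, the audit assumes the table default.

```python
import shlex

# Constructed samples in the shape of 'show' output; not taken from a real device.
WEAK_CONFIG = """\
config system global
    set admin-scp enable
    set login-timestamp disable
end
config system ha
    set mode a-p
    set encryption disable
    set authentication disable
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh http telnet
    next
    edit "mgmt"
        set allowaccess ping https ssh
        set dedicated-to management
        set trust-ip-1 0.0.0.0 0.0.0.0
    next
end
"""

HARDENED_CONFIG = """\
config system global
    set admin-scp disable
    set login-timestamp enable
end
config system ha
    set mode a-p
    set password ENC redacted
    set encryption enable
    set authentication enable
end
config system interface
    edit "wan1"
        set allowaccess ping
    next
    edit "mgmt"
        set allowaccess ping https ssh
        set dedicated-to management
        set trust-ip-1 192.0.2.0 255.255.255.0
    next
end
"""


def parse_fortios_config(text):
    """Parse config/edit/set/next/end text into {path: {option: values}}; path is
    ('system global',) for a plain object, ('system interface', 'wan1') for a table entry."""
    objects, stack = {}, []
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            stack.append(" ".join(args))
            objects.setdefault(tuple(stack), {})
        elif kw == "set":
            objects[tuple(stack)][args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return objects


CLEARTEXT_MGMT = {"http", "telnet"}
ANY_HOST = (["0.0.0.0", "0.0.0.0"], ["::/0"])  # trust-ip values that do not restrict
HA_WEAK = {"encryption": "heartbeat traffic is sent in cleartext",
           "authentication": "heartbeat packets are not authenticated"}


def audit(objects):
    """Return findings for the options discussed above; an empty list means all pass."""
    f = []
    g = objects.get(("system global",), {})
    if g.get("admin-scp") == ["enable"]:
        f.append("system global: admin-scp enable, any admin with SSH access can pull the configuration over SCP")
    if g.get("login-timestamp", ["disable"]) == ["disable"]:
        f.append("system global: login-timestamp disable, administrator login times are not recorded")
    ha = objects.get(("system ha",), {})
    if ha.get("mode", ["standalone"]) != ["standalone"]:
        for opt, why in HA_WEAK.items():
            if ha.get(opt, ["disable"]) == ["disable"]:
                f.append(f"system ha: {opt} disable, {why}")
        if not ha.get("password"):
            f.append("system ha: no cluster password set")
    for path, s in objects.items():
        if len(path) != 2 or path[0] != "system interface":
            continue
        cleartext = CLEARTEXT_MGMT & set(s.get("allowaccess", []))
        if cleartext:
            f.append(f"system interface {path[1]}: cleartext management in allowaccess: " + ", ".join(sorted(cleartext)))
        if s.get("dedicated-to") == ["management"]:
            # An all-zero trust-ip entry does not restrict access; only non-zero entries do.
            trusted = [v for k, v in s.items() if k.startswith("trust-ip")]
            if all(v in ANY_HOST for v in trusted):
                f.append(f"system interface {path[1]}: dedicated management interface reachable from any host, no restrictive trust-ip")
    return f
```

Feed `parse_fortios_config` the output of `show system global`, `show system ha` and `show system interface` captured from a unit and pass the merged dictionary to `audit`; the weak fragment above yields seven findings and the hardened one yields none. The parser keeps nested `config` blocks (such as `config ipv6` inside an interface) as longer path tuples, so further checks on ip6-allowaccess can be added against the same dictionary.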
system/ipip-tunnel
CLI Syntax
config system ipip-tunnel
edit <name_str>
set name <string>
set interface <string>
set remote-gw <ipv4-address>
set local-gw <ipv4-address-any>
set auto-asic-offload {enable | disable}
end

Description
Configuration    Description    Default Value

name    IPIP tunnel name.    (Empty)

interface    Interface name.    (Empty)

remote-gw    IP address of the remote gateway.    0.0.0.0

local-gw    IP address of the local gateway.    0.0.0.0

auto-asic-offload    Enable/disable tunnel ASIC offloading.    enable

system/ips-urlfilter-dns
CLI Syntax
config system ips-urlfilter-dns
edit <name_str>
set address <ipv4-address>
set status {enable | disable}
end

Description
Configuration    Description    Default Value

address    DNS server IP address.    0.0.0.0

status    Enable/disable this server for queries.    enable

system/ipv6-neighbor-cache
CLI Syntax
config system ipv6-neighbor-cache
edit <name_str>
set id <integer>
set interface <string>
set ipv6 <ipv6-address>
set mac <mac-address>
end

Description
Configuration Description Default Value

id Unique integer ID of the entry. 0

interface Interface name. (Empty)

ipv6 IPv6 address. ::

mac MAC address. 00:00:00:00:00:00

system/ipv6-tunnel
CLI Syntax
config system ipv6-tunnel
edit <name_str>
set name <string>
set source <ipv6-address>
set destination <ipv6-address>
set interface <string>
set auto-asic-offload {enable | disable}
end

Description
Configuration Description Default Value

name Tunnel name. (Empty)

source Local IPv6 address of tunnel. ::

destination Remote IPv6 address of tunnel. ::

interface Interface name. (Empty)

auto-asic-offload Enable/disable tunnel ASIC offloading. enable

system/link-monitor
CLI Syntax
config system link-monitor
edit <name_str>
set name <string>
set srcintf <string>
config server
edit <name_str>
set address <string>
end
set protocol {ping | tcp-echo | udp-echo | http | twamp}
set port <integer>
set gateway-ip <ipv4-address-any>
set source-ip <ipv4-address-any>
set http-get <string>
set http-match <string>
set interval <integer>
set timeout <integer>
set failtime <integer>
set recoverytime <integer>
set security-mode {none | authentication}
set password <password>
set packet-size <integer>
set ha-priority <integer>
set update-cascade-interface {enable | disable}
set update-static-route {enable | disable}
set status {enable | disable}
end

Description
Configuration Description Default Value

name Link monitor name. (Empty)

srcintf Interface where the monitor traffic is sent. (Empty)

server Server address(es). (Empty)

protocol Protocols used to detect the server. ping

port Port number to poll. 80

gateway-ip Gateway IP used to PING the server. 0.0.0.0

source-ip Source IP used in packet to the server. 0.0.0.0

http-get HTTP GET URL string. /

http-match Response value from detected server in http-get. (Empty)

interval Detection interval. 5

timeout Detect request timeout. 1

failtime Number of retry attempts before bringing server down. 5

recoverytime Number of retry attempts before bringing server up. 5

security-mode TWAMP controller security mode. none

password TWAMP controller password in authentication mode. (Empty)

packet-size Packet size of a TWAMP test session. 64

ha-priority HA election priority (1 - 50). 1

update-cascade-interface Enable/disable update cascade interface. enable

update-static-route Enable/disable update static route. enable

status Enable/disable Link monitor administrative status. enable

system/mac-address-table
CLI Syntax
config system mac-address-table
edit <name_str>
set mac <mac-address>
set interface <string>
set reply-substitute <mac-address>
end

Description
Configuration Description Default Value

mac MAC address. 00:00:00:00:00:00

interface Interface name. (Empty)

reply-substitute New MAC for reply traffic. 00:00:00:00:00:00

system/management-tunnel
CLI Syntax
config system management-tunnel
edit <name_str>
set status {enable | disable}
set allow-config-restore {enable | disable}
set allow-push-configuration {enable | disable}
set allow-push-firmware {enable | disable}
set allow-collect-statistics {enable | disable}
set authorized-manager-only {enable | disable}
set serial-number <user>
end

Description
Configuration Description Default Value

status Enable/disable FGFM tunnel. enable

allow-config-restore Enable/disable allow config restore. enable

allow-push-configuration Enable/disable push configuration. enable

allow-push-firmware Enable/disable push firmware. enable

allow-collect-statistics Enable/disable collection of run time statistics. enable

authorized-manager-only Enable/disable restricting the tunnel to the authorized manager only. enable

serial-number Serial number. (Empty)

system/mobile-tunnel
CLI Syntax
config system mobile-tunnel
edit <name_str>
set name <string>
set status {disable | enable}
set roaming-interface <string>
set home-agent <ipv4-address>
set home-address <ipv4-address>
set renew-interval <integer>
set lifetime <integer>
set reg-interval <integer>
set reg-retry <integer>
set n-mhae-spi <integer>
set n-mhae-key-type {ascii | base64}
set n-mhae-key <user>
set hash-algorithm {hmac-md5}
set tunnel-mode {gre}
config network
edit <name_str>
set id <integer>
set interface <string>
set prefix <ipv4-classnet>
end
end

Description
Configuration Description Default Value

name Tunnel name. (Empty)

status Enable/disable this mobile tunnel. enable

roaming-interface Roaming interface name. (Empty)

home-agent IP address of the NEMO HA. 0.0.0.0

home-address Home IP address. 0.0.0.0

renew-interval Time before lifetime expiration to send NEMO HA re-registration. 60

lifetime NEMO HA registration request lifetime. 65535

reg-interval NEMO HA registration interval. 5

reg-retry NEMO HA registration maximal retries. 3

n-mhae-spi NEMO authentication SPI. 256

n-mhae-key-type NEMO authentication key type. ascii

n-mhae-key NEMO authentication key. 'ENC AQAAAMfMADGjaE1uXnMNcglZAOU1olJLaQTpy1cUY+iM/eyN61pZcd9q4u4lzUZ7Ar7ptVwgtfiB3PJBXT+jqecFU7Fl7T9EREz21rRkr3XeQA6OfVhpJuk3/ZQ='

hash-algorithm Hash algorithm. hmac-md5

tunnel-mode NEMO tunnel mode. gre

network NEMO network configuration. (Empty)

system/nat64
CLI Syntax
config system nat64
edit <name_str>
set status {enable | disable}
set nat64-prefix <ipv6-prefix>
set always-synthesize-aaaa-record {enable | disable}
set generate-ipv6-fragment-header {enable | disable}
end

CLI Reference for FortiOS 5.4 574


Fortinet Technologies Inc.
Description
Configuration Description Default Value

status Enable/disable NAT64. disable

nat64-prefix NAT64 prefix (must be a /96). 64:ff9b::/96

always-synthesize-aaaa-record Enable/disable AAAA record synthesis. enable

generate-ipv6-fragment-header Enable/disable IPv6 fragment header generation. disable

system/netflow
CLI Syntax
config system netflow
edit <name_str>
set collector-ip <ipv4-address>
set collector-port <integer>
set source-ip <ipv4-address>
set active-flow-timeout <integer>
set inactive-flow-timeout <integer>
set template-tx-timeout <integer>
set template-tx-counter <integer>
end

Description
Configuration Description Default Value

collector-ip Collector IP. 0.0.0.0

collector-port NetFlow collector port. 2055

source-ip Source IP for NetFlow agent. 0.0.0.0

active-flow-timeout Timeout to report active flows (min). 30

inactive-flow-timeout Timeout for periodic report of finished flows (sec). 15

template-tx-timeout Timeout for periodic template flowset transmission (min). 30

template-tx-counter Counter of flowset records before resending a template flowset record. 20

system/network-visibility
CLI Syntax
config system network-visibility
edit <name_str>
set destination-visibility {disable | enable}
set source-location {disable | enable}
set destination-hostname-visibility {disable | enable}
set hostname-ttl <integer>
set hostname-limit <integer>
set destination-location {disable | enable}
end

Description
Configuration Description Default Value

destination-visibility Enable/disable logging of destination visibility. enable

source-location Enable/disable logging of source geographical location visibility. enable

destination-hostname-visibility Enable/disable logging of destination hostname visibility. enable

hostname-ttl TTL of hostname table entries. 86400

hostname-limit Limit of hostname table entries. 5000

destination-location Enable/disable logging of destination geographical location visibility. enable

system/ntp
CLI Syntax
config system ntp
edit <name_str>
set ntpsync {enable | disable}
set type {fortiguard | custom}
set syncinterval <integer>
config ntpserver
edit <name_str>
set id <integer>
set server <string>
set ntpv3 {enable | disable}
set authentication {enable | disable}
set key <password>
set key-id <integer>
end
set source-ip <ipv4-address>
set server-mode {enable | disable}
config interface
edit <name_str>
set interface-name <string>
end
end

Description
Configuration Description Default Value

ntpsync Enable/disable synchronization with NTP Server. disable

type FortiGuard or custom NTP Server. fortiguard

syncinterval NTP synchronization interval. 1

ntpserver NTP Server. (Empty)

source-ip Source IP for communications to NTP server. 0.0.0.0

server-mode Enable/disable NTP Server Mode. disable

interface List of interfaces with NTP server mode enabled. (Empty)

system/object-tag
CLI Syntax
config system object-tag
edit <name_str>
set name <string>
end

Description
Configuration Description Default Value

name Tag name. (Empty)

system/password-policy
CLI Syntax
config system password-policy
edit <name_str>
set status {enable | disable}
set apply-to {admin-password | ipsec-preshared-key}
set minimum-length <integer>
set min-lower-case-letter <integer>
set min-upper-case-letter <integer>
set min-non-alphanumeric <integer>
set min-number <integer>
set change-4-characters {enable | disable}
set expire-status {enable | disable}
set expire-day <integer>
set reuse-password {enable | disable}
end

Description
Configuration Description Default Value

status Enable/disable password policy. disable

apply-to Apply password policy to. admin-password

minimum-length Minimum password length. 8

min-lower-case-letter Minimum number of lowercase characters in password. 0

min-upper-case-letter Minimum number of uppercase characters in password. 0

min-non-alphanumeric Minimum number of non-alphanumeric characters in password. 0

min-number Minimum number of numeric characters in password. 0

change-4-characters Enable/disable changing at least 4 characters for new password. disable

expire-status Enable/disable password expiration. disable

expire-day Number of days after which admin users' password will expire. 90

reuse-password Enable/disable reuse of password. enable

system/probe-response
CLI Syntax
config system probe-response
edit <name_str>
set port <integer>
set http-probe-value <string>
set ttl-mode {reinit | decrease | retain}
set mode {none | http-probe | twamp}
set security-mode {none | authentication}
set password <password>
set timeout <integer>
end

Description
Configuration Description Default Value

port Port number to respond on. 8008

http-probe-value Value to respond to the monitoring server. OK

ttl-mode Mode for TWAMP packet TTL modification. retain

mode SLA response mode. none

security-mode TWAMP responder security mode. none

password TWAMP responder password in authentication mode. (Empty)

timeout Inactivity timer for a TWAMP test session. 300

system/proxy-arp
CLI Syntax
config system proxy-arp
edit <name_str>
set id <integer>
set interface <string>
set ip <ipv4-address>
set end-ip <ipv4-address>
end

Description
Configuration Description Default Value

id Unique integer ID of the entry. 0

interface Interface acting as proxy-ARP. (Empty)

ip IP address or start IP to be proxied. 0.0.0.0

end-ip End IP of IP range to be proxied. 0.0.0.0

system/replacemsg-group
CLI Syntax
config system replacemsg-group
edit <name_str>
set name <string>
set comment <var-string>
set group-type {default | utm | auth | ec}
config mail
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config http
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config webproxy
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config ftp
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config nntp
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config fortiguard-wf
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config spam
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config alertmail
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config admin
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config auth
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config sslvpn
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config ec
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config device-detection-portal
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config nac-quar
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config traffic-quota
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config utm
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config custom-message
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
end

Description
Configuration Description Default Value

name Group name. (Empty)

comment Comment. (Empty)

group-type Group type. default

mail Replacement message table entries. (Empty)

http Replacement message table entries. (Empty)

webproxy Replacement message table entries. (Empty)

ftp Replacement message table entries. (Empty)

nntp Replacement message table entries. (Empty)

fortiguard-wf Replacement message table entries. (Empty)

spam Replacement message table entries. (Empty)

alertmail Replacement message table entries. (Empty)

admin Replacement message table entries. (Empty)

auth Replacement message table entries. (Empty)

sslvpn Replacement message table entries. (Empty)

ec Replacement message table entries. (Empty)

device-detection-portal Replacement message table entries. (Empty)

nac-quar Replacement message table entries. (Empty)

traffic-quota Replacement message table entries. (Empty)

utm Replacement message table entries. (Empty)

custom-message Replacement message table entries. (Empty)

system/replacemsg-image
CLI Syntax
config system replacemsg-image
edit <name_str>
set name <string>
set image-type {gif | jpg | tiff | png}
set image-base64 <var-string>
end

Description
Configuration Description Default Value

name Image name. (Empty)

image-type Image type. (Empty)

image-base64 Image data. (null)

system/resource-limits
CLI Syntax
config system resource-limits
edit <name_str>
set session <integer>
set ipsec-phase1 <integer>
set ipsec-phase2 <integer>
set dialup-tunnel <integer>
set firewall-policy <integer>
set firewall-address <integer>
set firewall-addrgrp <integer>
set custom-service <integer>
set service-group <integer>
set onetime-schedule <integer>
set recurring-schedule <integer>
set user <integer>
set user-group <integer>
set sslvpn <integer>
set proxy <integer>
set log-disk-quota <integer>
end

Description
Configuration Description Default Value

session Maximum number of sessions. 0

ipsec-phase1 Maximum number of VPN IPsec phase1 tunnels. 0

ipsec-phase2 Maximum number of VPN IPsec phase2 tunnels. 0

dialup-tunnel Maximum number of dial-up tunnels. 0

firewall-policy Maximum number of firewall policies. 0

firewall-address Maximum number of firewall addresses. 0

firewall-addrgrp Maximum number of firewall address groups. 0

custom-service Maximum number of firewall custom services. 0

service-group Maximum number of firewall service groups. 0

onetime-schedule Maximum number of firewall one-time schedules. 0

recurring-schedule Maximum number of firewall recurring schedules. 0

user Maximum number of local users. 0

user-group Maximum number of user groups. 0

sslvpn Maximum number of SSL-VPN. 0

proxy Maximum number of concurrent explicit proxy users. 0

log-disk-quota Log disk quota in MB. 0

system/session-helper
CLI Syntax
config system session-helper
edit <name_str>
set id <integer>
set name {ftp | tftp | ras | h323 | h245O | h245I | tns | mms | sip | pptp | rtsp | dns-udp | dns-tcp | pmap | rsh | dcerpc | mgcp | gtp-c | gtp-u | gtp-b}
set protocol <integer>
set port <integer>
end

Description
Configuration Description Default Value

id Session helper ID. 0

name Helper name. (Empty)

protocol Protocol number. 0

port Protocol port. 0

system/session-ttl
CLI Syntax
config system session-ttl
edit <name_str>
set default <user>
config port
edit <name_str>
set id <integer>
set protocol <integer>
set start-port <integer>
set end-port <integer>
set timeout <user>
end
end

Description
Configuration Description Default Value

default Default timeout. 3600

port Session TTL port. (Empty)

system/settings
CLI Syntax
config system settings
edit <name_str>
set comments <var-string>
set opmode {nat | transparent}
set inspection-mode {proxy | flow}
set http-external-dest {fortiweb | forticache}
set firewall-session-dirty {check-all | check-new | check-policy-option}
set manageip <user>
set gateway <ipv4-address>
set ip <ipv4-classnet-host>
set manageip6 <ipv6-prefix>
set gateway6 <ipv6-address>
set ip6 <ipv6-prefix>
set device <string>
set bfd {enable | disable}
set bfd-desired-min-tx <integer>
set bfd-required-min-rx <integer>
set bfd-detect-mult <integer>
set bfd-dont-enforce-src-port {enable | disable}
set utf8-spam-tagging {enable | disable}
set wccp-cache-engine {enable | disable}
set vpn-stats-log {ipsec | pptp | l2tp | ssl}
set vpn-stats-period <integer>
set v4-ecmp-mode {source-ip-based | weight-based | usage-based | source-dest-ip-based}
set mac-ttl <integer>
set fw-session-hairpin {enable | disable}
set snat-hairpin-traffic {enable | disable}
set dhcp-proxy {enable | disable}
set dhcp-server-ip <user>
set dhcp6-server-ip <user>
set central-nat {enable | disable}
config gui-default-policy-columns
edit <name_str>
set name <string>
end
set lldp-transmission {enable | disable | global}
set asymroute {enable | disable}
set asymroute-icmp {enable | disable}
set tcp-session-without-syn {enable | disable}
set ses-denied-traffic {enable | disable}
set strict-src-check {enable | disable}
set asymroute6 {enable | disable}
set asymroute6-icmp {enable | disable}
set sip-helper {enable | disable}
set sip-nat-trace {enable | disable}
set status {enable | disable}
set sip-tcp-port <integer>
set sip-udp-port <integer>
set sip-ssl-port <integer>
set sccp-port <integer>
set multicast-forward {enable | disable}
set multicast-ttl-notchange {enable | disable}
set multicast-skip-policy {enable | disable}
set allow-subnet-overlap {enable | disable}
set deny-tcp-with-icmp {enable | disable}
set ecmp-max-paths <integer>
set discovered-device-timeout <integer>
set email-portal-check-dns {disable | enable}
set default-voip-alg-mode {proxy-based | kernel-helper-based}
set gui-icap {enable | disable}
set gui-nat46-64 {enable | disable}
set gui-implicit-policy {enable | disable}
set gui-dns-database {enable | disable}
set gui-load-balance {enable | disable}
set gui-multicast-policy {enable | disable}
set gui-dos-policy {enable | disable}
set gui-object-colors {enable | disable}
set gui-replacement-message-groups {enable | disable}
set gui-voip-profile {enable | disable}
set gui-ap-profile {enable | disable}
set gui-dynamic-profile-display {enable | disable}
set gui-ipsec-manual-key {enable | disable}
set gui-local-in-policy {enable | disable}
set gui-local-reports {enable | disable}
set gui-wanopt-cache {enable | disable}
set gui-explicit-proxy {enable | disable}
set gui-dynamic-routing {enable | disable}
set gui-dlp {enable | disable}
set gui-sslvpn-personal-bookmarks {enable | disable}
set gui-sslvpn-realms {enable | disable}
set gui-policy-based-ipsec {enable | disable}
set gui-threat-weight {enable | disable}
set gui-multiple-utm-profiles {enable | disable}
set gui-spamfilter {enable | disable}
set gui-application-control {enable | disable}
set gui-casi {enable | disable}
set gui-ips {enable | disable}
set gui-endpoint-control {enable | disable}
set gui-dhcp-advanced {enable | disable}
set gui-vpn {enable | disable}
set gui-wireless-controller {enable | disable}
set gui-switch-controller {enable | disable}
set gui-fortiap-split-tunneling {enable | disable}
set gui-webfilter-advanced {enable | disable}
set gui-traffic-shaping {enable | disable}
set gui-wan-load-balancing {enable | disable}
set gui-antivirus {enable | disable}
set gui-webfilter {enable | disable}
set gui-dnsfilter {enable | disable}
set gui-waf-profile {enable | disable}
set gui-fortiextender-controller {enable | disable}
set gui-advanced-policy {enable | disable}
set gui-allow-unnamed-policy {enable | disable}
set gui-email-collection {enable | disable}
set gui-domain-ip-reputation {enable | disable}
set compliance-check {enable | disable}
set ike-session-resume {enable | disable}
set ike-quick-crash-detect {enable | disable}
end

Description
Configuration Description Default Value

comments VDOM comments. (Empty)

opmode Firewall operation mode. nat

inspection-mode Inspection mode. proxy

http-external-dest HTTP service external inspection destination. fortiweb

firewall-session-dirty Packet session management. check-all

manageip IP address and netmask. (Empty)

gateway Default gateway IP address. 0.0.0.0

ip IP address and netmask. 0.0.0.0 0.0.0.0

manageip6 Management IPv6 address prefix for transparent mode. ::/0

gateway6 Default gateway IPv6 address. ::

ip6 IPv6 address prefix for NAT mode. ::/0

device Interface. (Empty)

bfd Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces. disable

bfd-desired-min-tx BFD desired minimal transmit interval. 250

bfd-required-min-rx BFD required minimal receive interval. 250

bfd-detect-mult BFD detection multiplier. 3

bfd-dont-enforce-src-port Enable/disable verification of the source port of BFD packets. disable

utf8-spam-tagging Convert spam tags to UTF-8 for better non-ASCII character support. enable

wccp-cache-engine Enable/disable WCCP cache engine. disable

vpn-stats-log Enable/disable periodic VPN log statistics. ipsec pptp l2tp ssl

vpn-stats-period Period to send VPN log statistics (sec). 600

v4-ecmp-mode IPv4 ECMP mode. source-ip-based

mac-ttl Bridge MAC address expiration time (sec). 300

fw-session-hairpin Check every cross. disable

snat-hairpin-traffic Enable/disable SNAT hairpin traffic. enable

dhcp-proxy Enable/disable DHCP Proxy. disable

dhcp-server-ip DHCP Server IP address. (Empty)

dhcp6-server-ip DHCPv6 server IP address. (Empty)

central-nat Enable/disable central NAT. disable

gui-default-policy-columns Default columns to display for firewall policy list on GUI. (Empty)

lldp-transmission Enable/disable Link Layer Discovery Protocol (LLDP) transmission. global

asymroute Enable/disable asymmetric route. disable

asymroute-icmp Enable/disable asymmetric ICMP route. disable

tcp-session-without-syn Enable/disable creation of TCP session without SYN flag. disable

ses-denied-traffic Enable/disable insertion of denied traffic into session table. disable

strict-src-check Enable/disable strict source verification. disable

asymroute6 Enable/disable asymmetric IPv6 route. disable

asymroute6-icmp Enable/disable asymmetric ICMPv6 route. disable

sip-helper Enable/disable helper to add dynamic SIP firewall allow rule. enable

sip-nat-trace Enable/disable adding original IP if NATed. enable

status Enable/disable this VDOM. enable

sip-tcp-port TCP port the SIP proxy will monitor for SIP traffic. 5060

sip-udp-port UDP port the SIP proxy will monitor for SIP traffic. 5060

sip-ssl-port TCP SSL port the SIP proxy will monitor for SIP traffic. 5061

sccp-port TCP port the SCCP proxy will monitor for SCCP traffic. 2000

multicast-forward Enable/disable multicast forwarding. enable

multicast-ttl-notchange Enable/disable modification of multicast TTL. disable

multicast-skip-policy Enable/disable skip policy check and allow multicast through. disable

allow-subnet-overlap Enable/disable allow one interface subnet overlap with other interfaces. disable

deny-tcp-with-icmp Enable/disable deny TCP with ICMP. disable

ecmp-max-paths Maximum number of ECMP next-hops. 10

discovered-device-timeout Discard discovered devices after N days of inactivity. 28

email-portal-check-dns Enable/disable DNS to validate domain names used in the email address collection captive portal. enable

default-voip-alg-mode Default ALG mode for VoIP traffic (when no VoIP profile on firewall policy). proxy-based

gui-icap Enable/disable ICAP settings in GUI. disable

gui-nat46-64 Enable/disable NAT46 and NAT64 settings in GUI. disable

gui-implicit-policy Enable/disable implicit firewall policies in GUI. enable

gui-dns-database Enable/disable DNS database in GUI. disable

gui-load-balance Enable/disable load balance in GUI. disable

gui-multicast-policy Enable/disable multicast firewall policies in GUI. disable

gui-dos-policy Enable/disable DoS policy display in GUI. enable

gui-object-colors Enable/disable object colors in GUI. enable

gui-replacement-message-groups Enable/disable replacement message groups in GUI. disable

gui-voip-profile Enable/disable VoIP profiles in GUI. disable

gui-ap-profile Enable/disable AP profiles in GUI. enable

gui-dynamic-profile-display Enable/disable dynamic profiles in GUI. disable

gui-ipsec-manual-key Enable/disable IPsec manual key configuration in GUI. disable

gui-local-in-policy Enable/disable Local-In policies in GUI. disable

gui-local-reports Enable/disable local reports in the GUI. disable

gui-wanopt-cache Enable/disable WAN Opt & Cache configuration in GUI. disable

gui-explicit-proxy Enable/disable explicit proxy configuration in GUI. disable

gui-dynamic-routing Enable/disable dynamic routing menus in GUI. enable

gui-dlp Enable/disable DLP settings in GUI. disable

gui-sslvpn-personal-bookmarks Enable/disable SSL-VPN personal bookmark management in GUI. disable

gui-sslvpn-realms Enable/disable SSL-VPN custom login pages in GUI. disable

gui-policy-based-ipsec Enable/disable policy-based IPsec VPN. disable

gui-threat-weight Enable/disable threat weight feature in GUI. enable

gui-multiple-utm-profiles Enable/disable multiple UTM profiles in GUI. enable

gui-spamfilter Enable/disable spamfilter profiles in GUI. disable

gui-application-control Enable/disable application control profiles in GUI. enable

gui-casi Enable/disable CASI profiles in GUI. enable

gui-ips Enable/disable IPS sensors in GUI. enable

gui-endpoint-control Enable/disable endpoint control in GUI. enable

gui-dhcp-advanced Enable/disable advanced DHCP configuration in GUI. enable

gui-vpn Enable/disable VPN tunnels in GUI. enable

gui-wireless-controller Enable/disable wireless controller in GUI. enable

gui-switch-controller Enable/disable switch controller in GUI. enable

gui-fortiap-split-tunneling Enable/disable FortiAP split tunneling in GUI. disable

gui-webfilter-advanced Enable/disable advanced web filter configuration in GUI. disable

gui-traffic-shaping Enable/disable traffic shaping in GUI. enable

gui-wan-load-balancing Enable/disable WAN link load balancing in GUI. enable

gui-antivirus Enable/disable AntiVirus profile display in GUI. enable

gui-webfilter Enable/disable WebFilter profile display in GUI. enable

gui-dnsfilter Enable/disable DNS Filter profile display in GUI. enable

gui-waf-profile Enable/disable Web Application Firewall Profile display in GUI. disable

gui-fortiextender-controller Enable/disable FortiExtender controller in GUI. disable

gui-advanced-policy Enable/disable advanced policy configuration in GUI. disable

gui-allow-unnamed-policy Enable/disable relaxation of requirement for policy to have a name when created in GUI. disable

gui-email-collection Enable/disable email collection feature. disable

gui-domain-ip-reputation Enable/disable Domain and IP Reputation feature. disable

compliance-check Enable/disable PCI DSS compliance check. disable

ike-session-resume Enable/disable IKEv2 session resumption (RFC 5723). disable

ike-quick-crash-detect Enable/disable IKEv2 quick crash detection (RFC 6290). disable

CLI Reference for FortiOS 5.4 610


Fortinet Technologies Inc.
system/sflow
CLI Syntax
config system sflow
edit <name_str>
set collector-ip <ipv4-address>
set collector-port <integer>
set source-ip <ipv4-address>
end

Description
Configuration Description Default Value

collector-ip Collector IP. 0.0.0.0

collector-port sFlow collector port. 6343

source-ip Source IP for sFlow agent. 0.0.0.0

system/sit-tunnel
CLI Syntax
config system sit-tunnel
edit <name_str>
set name <string>
set source <ipv4-address>
set destination <ipv4-address>
set ip6 <ipv6-prefix>
set interface <string>
set auto-asic-offload {enable | disable}
end

Description
Configuration Description Default Value

name Tunnel name. (Empty)

source Source IP address of tunnel. 0.0.0.0

destination Destination IP address of tunnel. 0.0.0.0

ip6 IPv6 address of tunnel. ::/0

interface Interface name. (Empty)

auto-asic-offload Enable/disable tunnel ASIC offloading. enable

system/sms-server
CLI Syntax
config system sms-server
edit <name_str>
set name <string>
set mail-server <string>
end

Description
Configuration Description Default Value

name Name of SMS server. (Empty)

mail-server Email-to-SMS server domain name. (Empty)

system/storage
CLI Syntax
config system storage
edit <name_str>
set name <string>
set partition <string>
set media-type <string>
set device <string>
set size <integer>
end

Description
Configuration Description Default Value

name Storage name. default_n

partition Label of underlying partition. <unknown>

media-type Media of underlying disk. ?

device Partition device. ?

size Partition size. 0

system/switch-interface
CLI Syntax
config system switch-interface
edit <name_str>
set name <string>
set vdom <string>
set span-dest-port <string>
config span-source-port
edit <name_str>
set interface-name <string>
end
config member
edit <name_str>
set interface-name <string>
end
set type {switch | hub}
set intra-switch-policy {implicit | explicit}
set span {disable | enable}
set span-direction {rx | tx | both}
end

Description
Configuration Description Default Value

name Interface name. (Empty)

vdom VDOM. (Empty)

span-dest-port SPAN destination port. (Empty)

span-source-port SPAN source ports. (Empty)

member Interfaces that compose the virtual switch. (Empty)

type Type. switch

intra-switch-policy Enable/disable policies between the members of the switch interface. implicit

span Enable/disable SPAN port. disable

span-direction SPAN direction. both

system/tos-based-priority
CLI Syntax
config system tos-based-priority
edit <name_str>
set id <integer>
set tos <integer>
set priority {low | medium | high}
end

Description
Configuration Description Default Value

id Item ID. 0

tos IP ToS value (0 - 15). 0

priority ToS based priority level. high

system/vdom
CLI Syntax
config system vdom
edit <name_str>
set name <string>
set vcluster-id <integer>
set temporary <integer>
end

Description
Configuration Description Default Value

name VDOM name. (Empty)

vcluster-id Virtual cluster ID (0 - 4294967295). 0

temporary Temporary. 0

system/vdom-dns
CLI Syntax
config system vdom-dns
edit <name_str>
set vdom-dns {enable | disable}
set primary <ipv4-address>
set secondary <ipv4-address>
set ip6-primary <ipv6-address>
set ip6-secondary <ipv6-address>
set source-ip <ipv4-address>
end

Description
Configuration Description Default Value

vdom-dns Enable/disable DNS per VDOM. disable

primary VDOM primary DNS IP. 0.0.0.0

secondary VDOM secondary DNS IP. 0.0.0.0

ip6-primary VDOM IPv6 primary DNS IP. ::

ip6-secondary VDOM IPv6 Secondary DNS IP. ::

source-ip Source IP for communications to DNS server. 0.0.0.0

system/vdom-link
CLI Syntax
config system vdom-link
edit <name_str>
set name <string>
set vcluster {vcluster1 | vcluster2}
set type {ppp | ethernet}
end

Description
Configuration Description Default Value

name VDOM link name. (Empty)

vcluster Virtual cluster. vcluster1

type Type. ppp

system/vdom-netflow
CLI Syntax
config system vdom-netflow
edit <name_str>
set vdom-netflow {enable | disable}
set collector-ip <ipv4-address>
set collector-port <integer>
set source-ip <ipv4-address>
end

Description
Configuration Description Default Value

vdom-netflow Enable/disable NetFlow per VDOM. disable

collector-ip Collector IP. 0.0.0.0

collector-port NetFlow collector port. 2055

source-ip Source IP for NetFlow agent. 0.0.0.0

system/vdom-property
CLI Syntax
config system vdom-property
edit <name_str>
set name <string>
set description <string>
set snmp-index <integer>
set session <user>
set ipsec-phase1 <user>
set ipsec-phase2 <user>
set dialup-tunnel <user>
set firewall-policy <user>
set firewall-address <user>
set firewall-addrgrp <user>
set custom-service <user>
set service-group <user>
set onetime-schedule <user>
set recurring-schedule <user>
set user <user>
set user-group <user>
set sslvpn <user>
set proxy <user>
set log-disk-quota <user>
end

Description
Configuration Description Default Value

name VDOM name. (Empty)

description Description. (Empty)

snmp-index Permanent SNMP index of the virtual domain. 0

session Maximum number (guaranteed number) of sessions. 00

ipsec-phase1 Maximum number (guaranteed number) of VPN IPsec phase1 tunnels. 00

ipsec-phase2 Maximum number (guaranteed number) of VPN IPsec phase2 tunnels. 00

dialup-tunnel Maximum number (guaranteed number) of dial-up tunnels. 00

firewall-policy Maximum number (guaranteed number) of firewall policies. 00

firewall-address Maximum number (guaranteed number) of firewall addresses. 00

firewall-addrgrp Maximum number (guaranteed number) of firewall address groups. 00

custom-service Maximum number (guaranteed number) of firewall custom services. 00

service-group Maximum number (guaranteed number) of firewall service groups. 00

onetime-schedule Maximum number (guaranteed number) of firewall one-time schedules. 00

recurring-schedule Maximum number (guaranteed number) of firewall recurring schedules. 00

user Maximum number (guaranteed number) of local users. 00

user-group Maximum number (guaranteed number) of user groups. 00

sslvpn Maximum number (guaranteed number) of SSL-VPN. 00

proxy Maximum number (guaranteed number) of concurrent proxy users. 00

log-disk-quota Log disk quota in MB. 00

system/vdom-radius-server
CLI Syntax
config system vdom-radius-server
edit <name_str>
set name <string>
set status {enable | disable}
set radius-server-vdom <string>
end

Description
Configuration Description Default Value

name Name of virtual domain for server settings. (Empty)

status Enable or disable the entry. disable

radius-server-vdom Virtual domain of the dynamic profile RADIUS server to use for dynamic profile traffic in the current VDOM. (Empty)

system/vdom-sflow
CLI Syntax
config system vdom-sflow
edit <name_str>
set vdom-sflow {enable | disable}
set collector-ip <ipv4-address>
set collector-port <integer>
set source-ip <ipv4-address>
end

Description
Configuration Description Default Value

vdom-sflow Enable/disable sFlow per VDOM. disable

collector-ip Collector IP. 0.0.0.0

collector-port sFlow collector port. 6343

source-ip Source IP for sFlow agent. 0.0.0.0

system/virtual-wan-link
CLI Syntax
config system virtual-wan-link
edit <name_str>
set status {disable | enable}
set load-balance-mode {source-ip-based | weight-based | usage-based | source-dest-ip-based | measured-volume-based}
set fail-detect {enable | disable}
config fail-alert-interfaces
edit <name_str>
set name <string>
end
config members
edit <name_str>
set seq-num <integer>
set interface <string>
set gateway <ipv4-address>
set weight <integer>
set priority <integer>
set spillover-threshold <integer>
set ingress-spillover-threshold <integer>
set volume-ratio <integer>
set status {disable | enable}
end
config health-check
edit <name_str>
set name <string>
set server <string>
set protocol {ping | tcp-echo | udp-echo | http | twamp}
set port <integer>
set security-mode {none | authentication}
set password <password>
set packet-size <integer>
set http-get <string>
set http-match <string>
set interval <integer>
set timeout <integer>
set failtime <integer>
set recoverytime <integer>
set update-cascade-interface {enable | disable}
set update-static-route {enable | disable}
set threshold-warning-packetloss <integer>
set threshold-alert-packetloss <integer>
set threshold-warning-latency <integer>
set threshold-alert-latency <integer>
set threshold-warning-jitter <integer>
set threshold-alert-jitter <integer>
end
config service
edit <name_str>
set name <string>
set mode {auto | manual | priority}
set quality-link <integer>
set member <integer>
set tos <user>
set tos-mask <user>
set protocol <integer>
set start-port <integer>
set end-port <integer>
config dst
edit <name_str>
set name <string>
end
config src
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config groups
edit <name_str>
set name <string>
end
set internet-service {enable | disable}
config internet-service-custom
edit <name_str>
set name <string>
end
config internet-service-id
edit <name_str>
set id <integer>
end
set health-check <string>
set link-cost-factor {latency | jitter | packet-loss}
config priority-members
edit <name_str>
set seq-num <integer>
end
end
end

Description
Configuration Description Default Value

status Enable/disable using the virtual-wan-link settings. disable

load-balance-mode Load balance mode among virtual WAN link members. source-ip-based

fail-detect Enable/disable fail detection. disable

fail-alert-interfaces Physical interfaces that will be alerted. (Empty)

members Members that belong to the virtual-wan-link. (Empty)

health-check Health check. (Empty)

service Service to be distributed. (Empty)

system/virtual-wire-pair
CLI Syntax
config system virtual-wire-pair
edit <name_str>
set name <string>
config member
edit <name_str>
set interface-name <string>
end
set wildcard-vlan {enable | disable}
end

Description
Configuration Description Default Value

name Virtual-wire-pair name. (Empty)

member Interfaces that belong to the port pair. (Empty)

wildcard-vlan Enable/disable wildcard VLAN. disable

system/wccp
CLI Syntax
config system wccp
edit <name_str>
set service-id <string>
set router-id <ipv4-address>
set cache-id <ipv4-address>
set group-address <ipv4-address-multicast>
set server-list <user>
set router-list <user>
set ports-defined {source | destination}
set ports <user>
set authentication {enable | disable}
set password <password>
set forward-method {GRE | L2 | any}
set cache-engine-method {GRE | L2}
set service-type {auto | standard | dynamic}
set primary-hash {src-ip | dst-ip | src-port | dst-port}
set priority <integer>
set protocol <integer>
set assignment-weight <integer>
set assignment-bucket-format {wccp-v2 | cisco-implementation}
set return-method {GRE | L2 | any}
set assignment-method {HASH | MASK | any}
end

Description
Configuration Description Default Value

service-id Service ID. (Empty)

router-id IP address which is known by all web cache servers. 0.0.0.0

cache-id IP address which is known by all routers. 0.0.0.0

group-address IP multicast address. 0.0.0.0

server-list Addresses of potential cache servers. (Empty)

router-list Addresses of potential routers. (Empty)

ports-defined Match method. (Empty)

ports Service ports. (Empty)

authentication Enable/disable MD5 authentication. disable

password Password of MD5 authentication. (Empty)

forward-method Method traffic is forwarded to cache servers. GRE

cache-engine-method Method traffic is forwarded to router or returned to cache engine. GRE

service-type Service type (auto/standard/dynamic). auto

primary-hash Hash method. dst-ip

priority Service priority. 0

protocol Service protocol. 0

assignment-weight Cache server hash weight. 0

assignment-bucket-format Hash table bucket format. cisco-implementation

return-method Method traffic is returned back to firewall. GRE

assignment-method Assignment method preference. HASH

system/zone
CLI Syntax
config system zone
edit <name_str>
set name <string>
set intrazone {allow | deny}
config interface
edit <name_str>
set interface-name <string>
end
end

Description
Configuration Description Default Value

name Zone name. (Empty)

intrazone Intra-zone traffic. deny

interface Interfaces that belong to the zone. (Empty)

user/adgrp
CLI Syntax
config user adgrp
edit <name_str>
set name <string>
set server-name <string>
set polling-id <integer>
end

Description
Configuration Description Default Value

name Name. (Empty)

server-name FSSO agent name. (Empty)

polling-id FSSO polling ID. 0

user/device
CLI Syntax
config user device
edit <name_str>
set alias <string>
set mac <mac-address>
set user <string>
set master-device <string>
set comment <var-string>
set avatar <var-string>
set type {ipad | iphone | gaming-console | blackberry-phone | blackberry-playbook | linux-pc | mac | windows-pc | android-phone | android-tablet | media-streaming | windows-phone | windows-tablet | fortinet-device | ip-phone | router-nat-device | printer | other-network-device}
end

Description
Configuration Description Default Value

alias Device alias. (Empty)

mac Device MAC address(es). 00:00:00:00:00:00

user User name. (Empty)

master-device Master device (optional). (Empty)

comment Comment. (Empty)

avatar Image file for avatar (maximum 4K base64 encoded). (Empty)

type Device type. other-network-device

user/device-access-list
CLI Syntax
config user device-access-list
edit <name_str>
set name <string>
set default-action {accept | deny}
config device-list
edit <name_str>
set id <integer>
set device <string>
set action {accept | deny}
end
end

Description
Configuration Description Default Value

name Device access list name. (Empty)

default-action Allow or block unknown devices. accept

device-list Device list. (Empty)

user/device-category
CLI Syntax
config user device-category
edit <name_str>
set name <string>
set desc <var-string>
set comment <var-string>
end

Description
Configuration Description Default Value

name Device category name. (Empty)

desc Device category description. (Empty)

comment Comment. (Empty)

user/device-group
CLI Syntax
config user device-group
edit <name_str>
set name <string>
config member
edit <name_str>
set name <string>
end
set comment <var-string>
end

Description
Configuration Description Default Value

name Device group name. (Empty)

member Device group member. (Empty)

comment Comment. (Empty)

user/fortitoken
CLI Syntax
config user fortitoken
edit <name_str>
set serial-number <string>
set status {active | lock}
set seed <string>
set comments <var-string>
set license <string>
set activation-code <string>
set activation-expire <integer>
end

Description
Configuration Description Default Value

serial-number Serial number. (Empty)

status Status. active

seed Token seed. (Empty)

comments Comment. (Empty)

license Mobile token license. (Empty)

activation-code Mobile token user activation code. (Empty)

activation-expire Mobile token user activation code expiry time. 0

user/fsso
CLI Syntax
config user fsso
edit <name_str>
set name <string>
set server <string>
set port <integer>
set password <password>
set server2 <string>
set port2 <integer>
set password2 <password>
set server3 <string>
set port3 <integer>
set password3 <password>
set server4 <string>
set port4 <integer>
set password4 <password>
set server5 <string>
set port5 <integer>
set password5 <password>
set ldap-server <string>
set source-ip <ipv4-address>
end

Description
Configuration Description Default Value

name Name. (Empty)

server Address of the 1st FSSO agent. (Empty)

port Port of the 1st FSSO agent. 8000

password Password of the 1st FSSO agent. (Empty)

server2 Address of the 2nd FSSO agent. (Empty)

port2 Port of the 2nd FSSO agent. 8000

password2 Password of the 2nd FSSO agent. (Empty)

server3 Address of the 3rd FSSO agent. (Empty)

port3 Port of the 3rd FSSO agent. 8000

password3 Password of the 3rd FSSO agent. (Empty)

server4 Address of the 4th FSSO agent. (Empty)

port4 Port of the 4th FSSO agent. 8000

password4 Password of the 4th FSSO agent. (Empty)

server5 Address of the 5th FSSO agent. (Empty)

port5 Port of the 5th FSSO agent. 8000

password5 Password of the 5th FSSO agent. (Empty)

ldap-server LDAP server to get group information. (Empty)

source-ip Source IP for communications to FSSO agent. 0.0.0.0

user/fsso-polling
CLI Syntax
config user fsso-polling
edit <name_str>
set id <integer>
set status {enable | disable}
set server <string>
set default-domain <string>
set port <integer>
set user <string>
set password <password>
set ldap-server <string>
set logon-history <integer>
set polling-frequency <integer>
config adgrp
edit <name_str>
set name <string>
end
end

Description
Configuration Description Default Value

id Active Directory server ID. 0

status Enable/disable polling of the Active Directory server. enable

server Active Directory server name/IP address. (Empty)

default-domain Default domain in this server. (Empty)

port Port of the Active Directory server. 0

user Active Directory server user account. (Empty)

password Password to connect to Active Directory server. (Empty)

ldap-server LDAP server name for group name and users. (Empty)

logon-history Hours to keep as an active logon (0 means keep forever). 8

polling-frequency Polling frequency (1 - 30 s). 10

adgrp LDAP group info. (Empty)

user/group
CLI Syntax

config user group
edit <name_str>
set name <string>
set group-type {firewall | sslvpn | fsso-service | directory-service | active-directory | rsso | guest}
set authtimeout <integer>
set auth-concurrent-override {enable | disable}
set auth-concurrent-value <integer>
set http-digest-realm <string>
set sso-attribute-value <string>
config member
edit <name_str>
set name <string>
end
config match
edit <name_str>
set id <integer>
set server-name <string>
set group-name <string>
end
set user-id {email | auto-generate | specify}
set password {auto-generate | specify | disable}
set user-name {disable | enable}
set sponsor {optional | mandatory | disabled}
set company {optional | mandatory | disabled}
set email {disable | enable}
set mobile-phone {disable | enable}
set sms-server {fortiguard | custom}
set sms-custom-server <string>
set expire-type {immediately | first-successful-login}
set expire <integer>
set max-accounts <integer>
set multiple-guest-add {disable | enable}
config guest
edit <name_str>
set user-id <string>
set name <string>
set group <string>
set password <password>
set mobile-phone <string>
set sponsor <string>
set company <string>
set email <string>
set expiration <user>
set comment <var-string>
end
end

Description
Configuration Description Default Value

name Group name. (Empty)

group-type Type of user group. firewall

authtimeout Authentication timeout. 0

auth-concurrent-override Enable/disable concurrent authentication override. disable

auth-concurrent-value Maximum number of concurrent authenticated connections per user (0 - 100). 0

http-digest-realm Realm attribute for MD5-digest authentication. (Empty)

sso-attribute-value Single Sign On attribute value. (Empty)

member Group members. (Empty)

match Group matches. (Empty)

user-id User ID. email

password Password. auto-generate

user-name Enable/disable user name. disable

sponsor Sponsor. optional

company Company. optional

email Enable/disable email address. enable

mobile-phone Enable/disable mobile phone. disable

sms-server Send SMS through FortiGuard or other external server. fortiguard

sms-custom-server SMS server. (Empty)

expire-type Point at which expiration count down begins. immediately

expire Expiration (1 - 31536000 sec). 14400

max-accounts Maximum number of guest accounts that can be created for this group (0 = unlimited). 0

multiple-guest-add Enable/disable addition of multiple guests. disable

guest Guest user. (Empty)

user/ldap
CLI Syntax
config user ldap
edit <name_str>
set name <string>
set server <string>
set secondary-server <string>
set tertiary-server <string>
set source-ip <ipv4-address>
set cnid <string>
set dn <string>
set type {simple | anonymous | regular}
set username <string>
set password <password>
set group-member-check {user-attr | group-object}
set group-object-filter <string>
set secure {disable | starttls | ldaps}
set ca-cert <string>
set port <integer>
set password-expiry-warning {enable | disable}
set password-renewal {enable | disable}
set member-attr <string>
set search-type {nested}
end

Description
Configuration Description Default Value

name LDAP server entry name. (Empty)

server {<name_str|ip_str>} LDAP server CN domain name or IP. (Empty)

secondary-server {<name_str|ip_str>} Secondary LDAP server CN domain name or IP. (Empty)

tertiary-server {<name_str|ip_str>} Tertiary LDAP server CN domain name or IP. (Empty)

source-ip Source IP for communications to LDAP server. 0.0.0.0

cnid Common Name Identifier (default = "cn"). cn

dn Distinguished Name. (Empty)

type Type of LDAP binding. simple

username Username (full DN) for initial binding. (Empty)

password Password for initial binding. (Empty)

group-member-check Group-member checking options. user-attr

group-object-filter Filter used for group searching. (&(objectcategory=group)(member=*))

secure SSL connection. disable

ca-cert CA certificate name. (Empty)

port Port number of the LDAP server (default = 389). 389

password-expiry-warning Enable/disable password expiry warnings. disable

password-renewal Enable/disable online password renewal. disable

member-attr Name of attribute from which to get group membership. memberOf

search-type Search type. (Empty)

user/local
CLI Syntax
config user local
edit <name_str>
set name <string>
set status {enable | disable}
set type {password | radius | tacacs+ | ldap}
set passwd <password>
set ldap-server <string>
set radius-server <string>
set tacacs+-server <string>
set two-factor {disable | fortitoken | email | sms}
set fortitoken <string>
set email-to <string>
set sms-server {fortiguard | custom}
set sms-custom-server <string>
set sms-phone <string>
set passwd-policy <string>
set passwd-time <user>
set authtimeout <integer>
set workstation <string>
set auth-concurrent-override {enable | disable}
set auth-concurrent-value <integer>
end

Description
Configuration Description Default Value

name User name. (Empty)

status Enable/disable user. enable

type Authentication type. (Empty)

passwd User password. (Empty)

ldap-server LDAP server name. (Empty)

radius-server RADIUS server name. (Empty)

tacacs+-server TACACS+ server name. (Empty)

two-factor Enable/disable two-factor authentication. disable

fortitoken Two-factor recipient's FortiToken serial number. (Empty)

email-to Two-factor recipient's email address. (Empty)

sms-server Send SMS through FortiGuard or other external server. fortiguard

sms-custom-server Two-factor recipient's SMS server. (Empty)

sms-phone Two-factor recipient's mobile phone number. (Empty)

passwd-policy Password policy. (Empty)

passwd-time Password last update time. 0000-00-00 00:00:00

authtimeout Authentication timeout. 0

workstation Name of remote user workstation. (Empty)

auth-concurrent-override Enable/disable concurrent authentication override. disable

auth-concurrent-value Maximum number of concurrent authenticated connections per user. 0

user/password-policy
CLI Syntax
config user password-policy
edit <name_str>
set name <string>
set expire-days <integer>
set warn-days <integer>
end

Description
Configuration Description Default Value

name Password policy name. (Empty)

expire-days Number of days after which the password expires. 180

warn-days Number of days to warn before the password expires. 15

user/peer
CLI Syntax
config user peer
edit <name_str>
set name <string>
set mandatory-ca-verify {enable | disable}
set ca <string>
set subject <string>
set cn <string>
set cn-type {string | email | FQDN | ipv4 | ipv6}
set ldap-server <string>
set ldap-username <string>
set ldap-password <password>
set ldap-mode {password | principal-name}
set ocsp-override-server <string>
set two-factor {enable | disable}
set passwd <password>
end

Description
Configuration Description Default Value

name Peer name. (Empty)

mandatory-ca-verify Enable/disable mandatory CA verify. disable

ca Peer certificate CA (CA name in local). (Empty)

subject Peer certificate name constraints. (Empty)

cn Peer certificate common name. (Empty)

cn-type Peer certificate common name type. string

ldap-server LDAP server for access rights check. (Empty)

ldap-username Username for LDAP server bind. (Empty)

ldap-password Password for LDAP server bind. (Empty)

ldap-mode Peer LDAP mode. password

ocsp-override-server OCSP server. (Empty)

two-factor Enable/disable 2-factor authentication (certificate + password). disable

passwd User password. (Empty)

user/peergrp
CLI Syntax
config user peergrp
edit <name_str>
set name <string>
config member
edit <name_str>
set name <string>
end
end

Description
Configuration Description Default Value

name Peer group name. (Empty)

member Peer group members. (Empty)

user/pop3
CLI Syntax
config user pop3
edit <name_str>
set name <string>
set server <string>
set port <integer>
set secure {none | starttls | pop3s}
end

Description
Configuration Description Default Value

name POP3 server entry name. (Empty)

server {<name_str|ip_str>} server domain name or IP. (Empty)

port POP3 service port number. 0

secure SSL connection. starttls

user/radius
CLI Syntax
config user radius
edit <name_str>
set name <string>
set server <string>
set secret <password>
set secondary-server <string>
set secondary-secret <password>
set tertiary-server <string>
set tertiary-secret <password>
set timeout <integer>
set all-usergroup {disable | enable}
set use-management-vdom {enable | disable}
set nas-ip <ipv4-address>
set acct-interim-interval <integer>
set radius-coa {enable | disable}
set radius-port <integer>
set h3c-compatibility {enable | disable}
set auth-type {auto | ms_chap_v2 | ms_chap | chap | pap}
set source-ip <ipv4-address>
set username-case-sensitive {enable | disable}
set password-renewal {enable | disable}
set rsso {enable | disable}
set rsso-radius-server-port <integer>
set rsso-radius-response {enable | disable}
set rsso-validate-request-secret {enable | disable}
set rsso-secret <password>
set rsso-endpoint-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
set rsso-endpoint-block-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
set sso-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
set sso-attribute-key <string>
set sso-attribute-value-override {enable | disable}
set rsso-context-timeout <integer>
set rsso-log-period <integer>
set rsso-log-flags {protocol-error | profile-missing | accounting-stop-missed | ac
counting-event | endpoint-block | radiusd-other | none}
set rsso-flush-ip-session {enable | disable}
config accounting-server
edit <name_str>
set id <integer>
set status {enable | disable}
set server <string>
set secret <password>
set port <integer>
set source-ip <ipv4-address>
end
end

Description
Configuration                    Description                                                                          Default Value
name                             RADIUS server entry name.                                                            (Empty)
server                           {<name_str|ip_str>} primary server CN domain name or IP.                             (Empty)
secret                           Secret key to access the primary server.                                             (Empty)
secondary-server                 {<name_str|ip_str>} secondary RADIUS CN domain name or IP.                           (Empty)
secondary-secret                 Secret key to access the secondary server.                                           (Empty)
tertiary-server                  {<name_str|ip_str>} tertiary RADIUS CN domain name or IP.                            (Empty)
tertiary-secret                  Secret key to access the tertiary server.                                            (Empty)
timeout                          Authentication time-out.                                                             5
all-usergroup                    Enable/disable automatically include this RADIUS server to all user groups.          disable
use-management-vdom              Enable/disable using management VDOM to send requests.                               disable
nas-ip                           NAS IP address and called station ID.                                                0.0.0.0
acct-interim-interval            Number of seconds between each accounting interim update message (600 - 86400 sec).  0
radius-coa                       Enable/disable RADIUS CoA.                                                           disable
radius-port                      RADIUS service port number.                                                          0
h3c-compatibility                Enable/disable H3C compatibility.                                                    disable
auth-type                        Authentication protocol.                                                             auto
source-ip                        Source IP for communications to RADIUS server.                                       0.0.0.0
username-case-sensitive          Enable/disable username case sensitivity.                                            disable
password-renewal                 Enable/disable password renewal.                                                     disable
rsso                             Enable/disable RADIUS based single sign on feature.                                  disable
rsso-radius-server-port          UDP port to listen on for RADIUS accounting packets.                                 1813
rsso-radius-response             Enable/disable sending RADIUS response packets.                                      disable
rsso-validate-request-secret     Enable/disable validating RADIUS request shared secret.                              disable
rsso-secret                      RADIUS shared secret for responses / validating requests.                            (Empty)
rsso-endpoint-attribute          RADIUS attribute used to hold end point name.                                        Calling-Station-Id
rsso-endpoint-block-attribute    RADIUS attribute used to hold endpoint to block.                                     (Empty)
sso-attribute                    RADIUS attribute used to match the single sign on group value.                       Class
sso-attribute-key                Key prefix for single-sign-on group value in the sso-attribute.                      (Empty)
sso-attribute-value-override     Enable/disable override old attribute value with new value for the same endpoint.    enable
rsso-context-timeout             Timeout value for RADIUS server database entries (0 = infinite).                     28800
rsso-log-period                  Minimum time period to use for event logs.                                           0
rsso-log-flags                   Events to log.                                                                       protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other
rsso-flush-ip-session            Enable/disable flush user IP sessions on RADIUS accounting stop.                     disable
accounting-server                Additional accounting servers.                                                       (Empty)

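The following is an added example of a complete entry built from the commands listed above; it is not taken from the reference. Server addresses, secrets and the entry name are constructed placeholders. Two defaults deserve attention from a defender: rsso-validate-request-secret is disabled by default, so accounting packets that drive single sign-on are accepted without the shared secret being checked, and all-usergroup, if enabled, silently makes every user group accept this server. The example enables secret validation, keeps all-usergroup off, pins source-ip so the RADIUS server can filter on one client address, and pins auth-type to one method rather than the auto set.

```fortios
# Added example, not from the reference. Names, addresses and secrets are constructed placeholders.
config user radius
    edit "corp-radius"
        set server "10.10.1.20"                       # constructed: primary server
        set secret "REPLACE-WITH-PRIMARY-SECRET"
        set secondary-server "10.10.1.21"             # constructed: failover server
        set secondary-secret "REPLACE-WITH-SECONDARY-SECRET"
        set timeout 5
        set auth-type ms_chap_v2                      # one method instead of the 'auto' set
        set source-ip 10.10.0.1                       # constructed: the client address the server should expect
        set username-case-sensitive enable
        set all-usergroup disable                     # default; groups must reference this server explicitly
        # RADIUS single sign-on: user/IP bindings are learned from accounting packets
        set rsso enable
        set rsso-radius-server-port 1813
        set rsso-validate-request-secret enable       # default 'disable' accepts accounting requests unvalidated
        set rsso-secret "REPLACE-WITH-RSSO-SECRET"
        set rsso-radius-response enable
        set rsso-endpoint-attribute Calling-Station-Id
        set sso-attribute Class
        set rsso-context-timeout 28800
        set rsso-flush-ip-session enable              # tear down the user's sessions on Accounting-Stop
        set rsso-log-flags protocol-error profile-missing accounting-stop-missed endpoint-block
        config accounting-server
            edit 1
                set status enable
                set server "10.10.1.22"               # constructed: dedicated accounting target
                set secret "REPLACE-WITH-ACCT-SECRET"
                set port 1813
            next
        end
    next
end
```

Multi-value fields such as rsso-log-flags take a space-separated list, as the default values in the table above show. The `next` keyword, omitted in the generated syntax listings, is what the CLI actually expects between table entries.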
user/security-exempt-list
CLI Syntax
config user security-exempt-list
    edit <name_str>
        set name <string>
        set description <string>
        config rule
            edit <name_str>
                set id <integer>
                config srcaddr
                    edit <name_str>
                        set name <string>
                end
                config devices
                    edit <name_str>
                        set name <string>
                end
                config dstaddr
                    edit <name_str>
                        set name <string>
                end
                config service
                    edit <name_str>
                        set name <string>
                end
        end
end

Description
Configuration                    Description                                   Default Value
name                             Name of the exempt list.                      (Empty)
description                      Description.                                  (Empty)
rule                             Exempt rules.                                 (Empty)

user/setting
CLI Syntax
config user setting
    edit <name_str>
        set auth-type {http | https | ftp | telnet}
        set auth-cert <string>
        set auth-ca-cert <string>
        set auth-secure-http {enable | disable}
        set auth-http-basic {enable | disable}
        set auth-multi-group {enable | disable}
        set auth-timeout <integer>
        set auth-timeout-type {idle-timeout | hard-timeout | new-session}
        set auth-portal-timeout <integer>
        set radius-ses-timeout-act {hard-timeout | ignore-timeout}
        set auth-blackout-time <integer>
        set auth-invalid-max <integer>
        set auth-lockout-threshold <integer>
        set auth-lockout-duration <integer>
        config auth-ports
            edit <name_str>
                set id <integer>
                set type {http | https | ftp | telnet}
                set port <integer>
        end
end

Description
Configuration                    Description                                                                   Default Value
auth-type                        Allowed firewall policy authentication methods.                               http https ftp telnet
auth-cert                        HTTPS server certificate for policy authentication.                           (Empty)
auth-ca-cert                     HTTPS CA certificate for policy authentication.                               (Empty)
auth-secure-http                 Enable/disable use of HTTPS for HTTP authentication.                          disable
auth-http-basic                  Enable/disable use of HTTP BASIC for HTTP authentication.                     disable
auth-multi-group                 Enable/disable retrieval of groups to which a user belongs.                   enable
auth-timeout                     Firewall user authentication time-out.                                        5
auth-timeout-type                Authenticated policy expiration behavior.                                     idle-timeout
auth-portal-timeout              Firewall captive portal authentication time-out (1 - 30 min, default - 3).   3
radius-ses-timeout-act           RADIUS session timeout behavior.                                              hard-timeout
auth-blackout-time               Authentication blackout time (0 - 3600 s).                                    0
auth-invalid-max                 Number of invalid auth tries allowed before blackout.                         5
auth-lockout-threshold           Maximum number of failed login attempts before lockout (1 - 10).              3
auth-lockout-duration            Lockout period in seconds after too many login failures.                      0
auth-ports                       Authentication port table.                                                    (Empty)

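As an added example, not from the reference, the settings above applied so that firewall policy authentication happens only over HTTPS and repeated failures are actually throttled. By default every method including telnet, ftp and plain http is allowed, auth-secure-http is off, and auth-lockout-duration is 0, so reaching auth-lockout-threshold has no lasting effect. The certificate name and the numbers chosen are constructed. On a unit this table is typed as `config user setting` followed directly by `set` commands; the generic `edit <name_str>` in the generated listing does not apply to this single-instance table.

```fortios
# Added example, not from the reference. The certificate name and chosen values are constructed.
config user setting
    set auth-type https                        # default 'http https ftp telnet' includes cleartext prompts
    set auth-secure-http enable                # redirect HTTP authentication prompts to HTTPS
    set auth-cert "corp-portal-cert"           # constructed: local certificate presented by the portal
    set auth-http-basic disable                # default; BASIC auth sends credentials base64-encoded, not protected
    set auth-multi-group enable
    set auth-timeout 5
    set auth-timeout-type idle-timeout
    set auth-portal-timeout 3
    set auth-invalid-max 5                     # default
    set auth-blackout-time 300                 # constructed: default 0 imposes no blackout after auth-invalid-max failures
    set auth-lockout-threshold 3               # default
    set auth-lockout-duration 300              # constructed: default 0 gives the threshold no lasting effect
    config auth-ports
        edit 1
            set type https
            set port 1003                      # constructed: additional port treated as HTTPS for authentication
        next
    end
end
```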
user/tacacs+
CLI Syntax
config user tacacs+
    edit <name_str>
        set name <string>
        set server <string>
        set secondary-server <string>
        set tertiary-server <string>
        set port <integer>
        set key <password>
        set secondary-key <password>
        set tertiary-key <password>
        set authen-type {mschap | chap | pap | ascii | auto}
        set authorization {enable | disable}
        set source-ip <ipv4-address>
end

Description
Configuration                    Description                                                           Default Value
name                             TACACS+ server entry name.                                            (Empty)
server                           {<name_str|ip_str>} server CN domain name or IP.                      (Empty)
secondary-server                 {<name_str|ip_str>} secondary server CN domain name or IP.            (Empty)
tertiary-server                  {<name_str|ip_str>} tertiary server CN domain name or IP.             (Empty)
port                             Port number of the TACACS+ server.                                    49
key                              Key to access the server.                                             (Empty)
secondary-key                    Key to access the secondary server.                                   (Empty)
tertiary-key                     Key to access the tertiary server.                                    (Empty)
authen-type                      Authentication type to use.                                           auto
authorization                    Enable/disable TACACS+ authorization.                                 disable
source-ip                        Source IP for communications to TACACS+ server.                       0.0.0.0

voip/profile
CLI Syntax
config voip profile
    edit <name_str>
        set name <string>
        set comment <var-string>
        config sip
            edit <name_str>
                set status {disable | enable}
                set rtp {disable | enable}
                set open-register-pinhole {disable | enable}
                set open-contact-pinhole {disable | enable}
                set strict-register {disable | enable}
                set register-rate <integer>
                set invite-rate <integer>
                set max-dialogs <integer>
                set max-line-length <integer>
                set block-long-lines {disable | enable}
                set block-unknown {disable | enable}
                set call-keepalive <integer>
                set block-ack {disable | enable}
                set block-bye {disable | enable}
                set block-cancel {disable | enable}
                set block-info {disable | enable}
                set block-invite {disable | enable}
                set block-message {disable | enable}
                set block-notify {disable | enable}
                set block-options {disable | enable}
                set block-prack {disable | enable}
                set block-publish {disable | enable}
                set block-refer {disable | enable}
                set block-register {disable | enable}
                set block-subscribe {disable | enable}
                set block-update {disable | enable}
                set register-contact-trace {disable | enable}
                set open-via-pinhole {disable | enable}
                set open-record-route-pinhole {disable | enable}
                set rfc2543-branch {disable | enable}
                set log-violations {disable | enable}
                set log-call-summary {disable | enable}
                set nat-trace {disable | enable}
                set subscribe-rate <integer>
                set message-rate <integer>
                set notify-rate <integer>
                set refer-rate <integer>
                set update-rate <integer>
                set options-rate <integer>
                set ack-rate <integer>
                set prack-rate <integer>
                set info-rate <integer>
                set publish-rate <integer>
                set bye-rate <integer>
                set cancel-rate <integer>
                set preserve-override {disable | enable}
                set no-sdp-fixup {disable | enable}
                set contact-fixup {disable | enable}
                set max-idle-dialogs <integer>
                set block-geo-red-options {disable | enable}
                set hosted-nat-traversal {disable | enable}
                set hnt-restrict-source-ip {disable | enable}
                set max-body-length <integer>
                set unknown-header {discard | pass | respond}
                set malformed-request-line {discard | pass | respond}
                set malformed-header-via {discard | pass | respond}
                set malformed-header-from {discard | pass | respond}
                set malformed-header-to {discard | pass | respond}
                set malformed-header-call-id {discard | pass | respond}
                set malformed-header-cseq {discard | pass | respond}
                set malformed-header-rack {discard | pass | respond}
                set malformed-header-rseq {discard | pass | respond}
                set malformed-header-contact {discard | pass | respond}
                set malformed-header-record-route {discard | pass | respond}
                set malformed-header-route {discard | pass | respond}
                set malformed-header-expires {discard | pass | respond}
                set malformed-header-content-type {discard | pass | respond}
                set malformed-header-content-length {discard | pass | respond}
                set malformed-header-max-forwards {discard | pass | respond}
                set malformed-header-allow {discard | pass | respond}
                set malformed-header-p-asserted-identity {discard | pass | respond}
                set malformed-header-sdp-v {discard | pass | respond}
                set malformed-header-sdp-o {discard | pass | respond}
                set malformed-header-sdp-s {discard | pass | respond}
                set malformed-header-sdp-i {discard | pass | respond}
                set malformed-header-sdp-c {discard | pass | respond}
                set malformed-header-sdp-b {discard | pass | respond}
                set malformed-header-sdp-z {discard | pass | respond}
                set malformed-header-sdp-k {discard | pass | respond}
                set malformed-header-sdp-a {discard | pass | respond}
                set malformed-header-sdp-t {discard | pass | respond}
                set malformed-header-sdp-r {discard | pass | respond}
                set malformed-header-sdp-m {discard | pass | respond}
                set provisional-invite-expiry-time <integer>
                set ips-rtp {disable | enable}
                set ssl-mode {off | full}
                set ssl-send-empty-frags {enable | disable}
                set ssl-client-renegotiation {allow | deny | secure}
                set ssl-algorithm {high | medium | low}
                set ssl-pfs {require | deny | allow}
                set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
                set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
                set ssl-client-certificate <string>
                set ssl-server-certificate <string>
                set ssl-auth-client <string>
                set ssl-auth-server <string>
        end
        config sccp
            edit <name_str>
                set status {disable | enable}
                set block-mcast {disable | enable}
                set verify-header {disable | enable}
                set log-call-summary {disable | enable}
                set log-violations {disable | enable}
                set max-calls <integer>
        end
end

Description
Configuration                    Description                                   Default Value
name                             Profile name.                                 (Empty)
comment                          Comment.                                      (Empty)
sip                              SIP.                                          Details below

Configuration                            Default Value
status                                   enable
rtp                                      enable
open-register-pinhole                    enable
open-contact-pinhole                     enable
strict-register                          disable
register-rate                            0
invite-rate                              0
max-dialogs                              0
max-line-length                          998
block-long-lines                         enable
block-unknown                            enable
call-keepalive                           0
block-ack                                disable
block-bye                                disable
block-cancel                             disable
block-info                               disable
block-invite                             disable
block-message                            disable
block-notify                             disable
block-options                            disable
block-prack                              disable
block-publish                            disable
block-refer                              disable
block-register                           disable
block-subscribe                          disable
block-update                             disable
register-contact-trace                   disable
open-via-pinhole                         disable
open-record-route-pinhole                enable
rfc2543-branch                           disable
log-violations                           disable
log-call-summary                         enable
nat-trace                                enable
subscribe-rate                           0
message-rate                             0
notify-rate                              0
refer-rate                               0
update-rate                              0
options-rate                             0
ack-rate                                 0
prack-rate                               0
info-rate                                0
publish-rate                             0
bye-rate                                 0
cancel-rate                              0
preserve-override                        disable
no-sdp-fixup                             disable
contact-fixup                            enable
max-idle-dialogs                         0
block-geo-red-options                    disable
hosted-nat-traversal                     disable
hnt-restrict-source-ip                   disable
max-body-length                          0
unknown-header                           pass
malformed-request-line                   pass
malformed-header-via                     pass
malformed-header-from                    pass
malformed-header-to                      pass
malformed-header-call-id                 pass
malformed-header-cseq                    pass
malformed-header-rack                    pass
malformed-header-rseq                    pass
malformed-header-contact                 pass
malformed-header-record-route            pass
malformed-header-route                   pass
malformed-header-expires                 pass
malformed-header-content-type            pass
malformed-header-content-length          pass
malformed-header-max-forwards            pass
malformed-header-allow                   pass
malformed-header-p-asserted-identity     pass
malformed-header-sdp-v                   pass
malformed-header-sdp-o                   pass
malformed-header-sdp-s                   pass
malformed-header-sdp-i                   pass
malformed-header-sdp-c                   pass
malformed-header-sdp-b                   pass
malformed-header-sdp-z                   pass
malformed-header-sdp-k                   pass
malformed-header-sdp-a                   pass
malformed-header-sdp-t                   pass
malformed-header-sdp-r                   pass
malformed-header-sdp-m                   pass
provisional-invite-expiry-time           210
ips-rtp                                  enable
ssl-mode                                 off
ssl-send-empty-frags                     enable
ssl-client-renegotiation                 allow
ssl-algorithm                            high
ssl-pfs                                  allow
ssl-min-version                          tls-1.0
ssl-max-version                          tls-1.2
ssl-client-certificate                   (Empty)
ssl-server-certificate                   (Empty)
ssl-auth-client                          (Empty)
ssl-auth-server                          (Empty)

sccp                             SCCP.                                         Details below

Configuration                            Default Value
status                                   enable
block-mcast                              disable
verify-header                            disable
log-call-summary                         disable
log-violations                           disable
max-calls                                0

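The defaults in the SIP table are permissive: every malformed-header-* action is pass, log-violations is disable, the rate limits are 0, and the TLS block has ssl-mode off, ssl-min-version tls-1.0, ssl-pfs allow and ssl-client-renegotiation allow. The following added example, which is not part of the reference, shows one profile with those defaults tightened to a TLS 1.2 floor, required forward secrecy, RFC 5746 renegotiation only, discard actions for the headers that carry routing information, and logging of violations. Certificate names and the numeric limits are constructed. On a unit the SIP section is typed as `config sip` followed directly by `set` commands; the `edit <name_str>` in the generated listing does not apply inside it.

```fortios
# Added example, not from the reference. Certificate names and numeric limits are constructed.
config voip profile
    edit "sip-tls-hardened"
        set comment "SIP with TLS 1.2 floor and malformed-header discards"
        config sip
            set status enable
            set rtp enable
            # TLS settings (defaults: ssl-mode off, tls-1.0 floor, pfs allow, renegotiation allow)
            set ssl-mode full
            set ssl-min-version tls-1.2
            set ssl-max-version tls-1.2
            set ssl-algorithm high
            set ssl-pfs require
            set ssl-client-renegotiation secure        # only RFC 5746 secure renegotiation is accepted
            set ssl-send-empty-frags enable
            set ssl-server-certificate "sip-proxy-cert"    # constructed: local certificate shown to SIP clients
            set ssl-client-certificate "sip-client-cert"   # constructed: certificate shown to the SIP server
            # Message hygiene (defaults: pass for every malformed-header-* action, no rate limits)
            set block-long-lines enable
            set block-unknown enable
            set max-body-length 8192                   # constructed; default 0 sets no limit
            set malformed-request-line discard
            set malformed-header-via discard
            set malformed-header-contact discard
            set malformed-header-record-route discard
            set malformed-header-route discard
            set malformed-header-content-length discard
            set register-rate 20                       # constructed; default 0 sets no limit
            set invite-rate 20                         # constructed; default 0 sets no limit
            set log-violations enable                  # default disable: blocked messages leave no trace
            set log-call-summary enable
        end
        config sccp
            set status enable
            set verify-header enable
            set log-violations enable
        end
    next
end
```

The respond action in the same {discard | pass | respond} set sends an error back to the originator instead of silently dropping; discard was chosen here so that a probing client learns nothing about which header the device objected to.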
vpn.certificate/ca
CLI Syntax
config vpn.certificate ca
    edit <name_str>
        set name <string>
        set ca <user>
        set range {global | vdom}
        set source {factory | user | bundle | fortiguard}
        set trusted {enable | disable}
        set scep-url <string>
        set auto-update-days <integer>
        set auto-update-days-warning <integer>
        set source-ip <ipv4-address>
end

Description
Configuration                    Description                                                    Default Value
name                             Name.                                                          (Empty)
ca                               CA certificate.                                                (Empty)
range                            CA certificate range.                                          vdom
source                           CA certificate source.                                         user
trusted                          Enable/disable trusted CA.                                     enable
scep-url                         URL of SCEP server.                                            (Empty)
auto-update-days                 Days to auto-update before expired, 0=disabled.                0
auto-update-days-warning         Days to send update before auto-update (0=disabled).           0
source-ip                        Source IP for communications to SCEP server.                   0.0.0.0

vpn.certificate/crl
CLI Syntax
config vpn.certificate crl
    edit <name_str>
        set name <string>
        set crl <user>
        set range {global | vdom}
        set source {factory | user | bundle | fortiguard}
        set update-vdom <string>
        set ldap-server <string>
        set ldap-username <string>
        set ldap-password <password>
        set http-url <string>
        set scep-url <string>
        set scep-cert <string>
        set update-interval <integer>
        set source-ip <ipv4-address>
end

Description
Configuration                    Description                                                    Default Value
name                             Name.                                                          (Empty)
crl                              Certificate Revocation List.                                   (Empty)
range                            CRL range.                                                     vdom
source                           CRL source.                                                    user
update-vdom                      Virtual domain for CRL update.                                 root
ldap-server                      LDAP server.                                                   (Empty)
ldap-username                    Login name for LDAP server.                                    (Empty)
ldap-password                    Login password for LDAP server.                                (Empty)
http-url                         URL of HTTP server for CRL update.                             (Empty)
scep-url                         URL of CA server for CRL update via SCEP.                      (Empty)
scep-cert                        Local certificate used for CRL update via SCEP.                Fortinet_CA_SSL
update-interval                  Seconds between updates, 0=disabled.                           0
source-ip                        Source IP for communications to CA (HTTP/SCEP) server.         0.0.0.0

vpn.certificate/local
CLI Syntax
config vpn.certificate local
    edit <name_str>
        set name <string>
        set password <password>
        set comments <string>
        set private-key <user>
        set certificate <user>
        set csr <user>
        set state <user>
        set scep-url <string>
        set range {global | vdom}
        set source {factory | user | bundle | fortiguard}
        set auto-regenerate-days <integer>
        set auto-regenerate-days-warning <integer>
        set scep-password <password>
        set ca-identifier <string>
        set name-encoding {printable | utf8}
        set source-ip <ipv4-address>
        set ike-localid <string>
        set ike-localid-type {asn1dn | fqdn}
end

Description
Configuration                    Description                                                         Default Value
name                             Name.                                                               (Empty)
password                         Password.                                                           (Empty)
comments                         Comment.                                                            (Empty)
private-key                      Private key.                                                        (Empty)
certificate                      Certificate.                                                        (Empty)
csr                              Certificate Signing Request.                                        (Empty)
state                            Certificate Signing Request State.                                  (Empty)
scep-url                         URL of SCEP server.                                                 (Empty)
range                            Certificate range.                                                  vdom
source                           Certificate source.                                                 user
auto-regenerate-days             Days to auto-regenerate before expired, 0=disabled.                 0
auto-regenerate-days-warning     Days to send warning before auto-regeneration, 0=disabled.          0
scep-password                    SCEP server challenge password for auto-regeneration.               (Empty)
ca-identifier                    CA identifier of the CA server for signing via SCEP.                (Empty)
name-encoding                    Name encoding for auto-regeneration.                                printable
source-ip                        Source IP for communications to SCEP server.                        0.0.0.0
ike-localid                      IKE local ID.                                                       (Empty)
ike-localid-type                 IKE local ID type.                                                  asn1dn

vpn.certificate/ocsp-server
CLI Syntax
config vpn.certificate ocsp-server
    edit <name_str>
        set name <string>
        set url <string>
        set cert <string>
        set secondary-url <string>
        set secondary-cert <string>
        set unavail-action {revoke | ignore}
        set source-ip <ipv4-address>
end

Description
Configuration                    Description                                                    Default Value
name                             OCSP server entry name.                                        (Empty)
url                              URL to OCSP server.                                            (Empty)
cert                             OCSP server certificate.                                       (Empty)
secondary-url                    URL to secondary OCSP server.                                  (Empty)
secondary-cert                   Secondary OCSP server certificate.                             (Empty)
unavail-action                   Action when server is unavailable.                             revoke
source-ip                        Source IP for communications to OCSP server.                   0.0.0.0

vpn.certificate/remote
CLI Syntax
config vpn.certificate remote
    edit <name_str>
        set name <string>
        set remote <user>
        set range {global | vdom}
        set source {factory | user | bundle | fortiguard}
end

Description
Configuration                    Description                                   Default Value
name                             Name.                                         (Empty)
remote                           Remote certificate.                           (Empty)
range                            Remote certificate range.                     vdom
source                           Remote certificate source.                    user

vpn.certificate/setting
CLI Syntax
config vpn.certificate setting
    edit <name_str>
        set ocsp-status {enable | disable}
        set ocsp-default-server <string>
        set check-ca-cert {enable | disable}
        set strict-crl-check {enable | disable}
        set strict-ocsp-check {enable | disable}
end

Description
Configuration                    Description                                   Default Value
ocsp-status                      OCSP status.                                  disable
ocsp-default-server              Default OCSP server.                          (Empty)
check-ca-cert                    Enable/disable check CA certificate.          enable
strict-crl-check                 Enable/disable check CRL in strict mode.      disable
strict-ocsp-check                Enable/disable check OCSP in strict mode.     disable

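The vpn.certificate/ocsp-server, vpn.certificate/crl and vpn.certificate/setting tables above fit together: with the defaults (ocsp-status disable, strict-crl-check disable, strict-ocsp-check disable, crl update-interval 0) no revocation lookup is performed at all, so a compromised and revoked peer certificate still validates. The following added example, not from the reference, wires the three together: a responder entry whose unavail-action stays at revoke, a CRL refreshed on a schedule, and the global setting that turns both checks on. URLs, names and the address are constructed placeholders. On a unit these branches are typed with a space, `config vpn certificate ...`; the listing writes them as vpn.certificate, and the setting table takes `set` commands directly with no `edit`.

```fortios
# Added example, not from the reference. URLs, certificate names and the address are constructed.
config vpn certificate ocsp-server
    edit "corp-ocsp"
        set url "http://ocsp.corp.example/"               # constructed: primary responder
        set cert "Corp_OCSP_Signer"                       # constructed: responder signing certificate (an imported remote certificate)
        set secondary-url "http://ocsp2.corp.example/"    # constructed: failover responder
        set secondary-cert "Corp_OCSP_Signer"
        set unavail-action revoke                         # default; 'ignore' treats an unreachable responder as "not revoked"
        set source-ip 10.10.0.1                           # constructed: fixed source for responder queries
    next
end
config vpn certificate crl
    edit "corp-issuing-ca-crl"
        set range vdom
        set http-url "http://pki.corp.example/issuing.crl"    # constructed: CRL distribution point
        set update-interval 3600                          # default 0 disables scheduled refresh
        set source-ip 10.10.0.1                           # constructed
    next
end
config vpn certificate setting
    set check-ca-cert enable                              # default
    set ocsp-status enable                                # default 'disable': no OCSP query is ever sent
    set ocsp-default-server "corp-ocsp"
    set strict-ocsp-check enable                          # default 'disable'
    set strict-crl-check enable                           # default 'disable'
end
```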
vpn.ipsec/concentrator
CLI Syntax
config vpn.ipsec concentrator
    edit <name_str>
        set name <string>
        set src-check {disable | enable}
        config member
            edit <name_str>
                set name <string>
        end
end

Description
Configuration                    Description                                                                 Default Value
name                             Concentrator name.                                                          (Empty)
src-check                        Enable/disable use of source selector when choosing appropriate tunnel.     disable
member                           Concentrator members.                                                       (Empty)

vpn.ipsec/forticlient
CLI Syntax
config vpn.ipsec forticlient
    edit <name_str>
        set realm <string>
        set usergroupname <string>
        set phase2name <string>
        set status {enable | disable}
end

Description
Configuration                    Description                                   Default Value
realm                            FortiClient realm name.                       (Empty)
usergroupname                    User group name.                              (Empty)
phase2name                       Tunnel (phase2) name.                         (Empty)
status                           Enable/disable realm status.                  enable

vpn.ipsec/manualkey
CLI Syntax
config vpn.ipsec manualkey
    edit <name_str>
        set name <string>
        set interface <string>
        set remote-gw <ipv4-address>
        set local-gw <ipv4-address-any>
        set authentication {null | md5 | sha1 | sha256 | sha384 | sha512}
        set encryption {null | des | 3des | aes128 | aes192 | aes256 | aria128 | aria192 | aria256 | seed}
        set authkey <user>
        set enckey <user>
        set localspi <user>
        set remotespi <user>
        set npu-offload {enable | disable}
end

Description
Configuration                    Description                                   Default Value
name                             IPsec tunnel name.                            (Empty)
interface                        Interface name.                               (Empty)
remote-gw                        Peer gateway.                                 0.0.0.0
local-gw                         Local gateway.                                0.0.0.0
authentication                   Authentication algorithm.                     null
encryption                       Encryption algorithm.                         null
authkey                          Authentication key.                           -
enckey                           Encryption key.                               -
localspi                         Local SPI.                                    0x100
remotespi                        Remote SPI.                                   0x100
npu-offload                      Enable/disable offloading NPU.                enable

vpn.ipsec/manualkey-interface
CLI Syntax
config vpn.ipsec manualkey-interface
    edit <name_str>
        set name <string>
        set interface <string>
        set ip-version {4 | 6}
        set addr-type {4 | 6}
        set remote-gw <ipv4-address>
        set remote-gw6 <ipv6-address>
        set local-gw <ipv4-address-any>
        set local-gw6 <ipv6-address>
        set auth-alg {null | md5 | sha1 | sha256 | sha384 | sha512}
        set enc-alg {null | des | 3des | aes128 | aes192 | aes256 | aria128 | aria192 | aria256 | seed}
        set auth-key <user>
        set enc-key <user>
        set local-spi <user>
        set remote-spi <user>
        set npu-offload {enable | disable}
end

Description
Configuration                    Description                                   Default Value
name                             IPsec tunnel name.                            (Empty)
interface                        Interface name.                               (Empty)
ip-version                       IP version to use for VPN interface.          4
addr-type                        IP version to use for IP packets.             4
remote-gw                        Remote IPv4 address of VPN gateway.           0.0.0.0
remote-gw6                       Remote IPv6 address of VPN gateway.           ::
local-gw                         Local IPv4 address of VPN gateway.            0.0.0.0
local-gw6                        Local IPv6 address of VPN gateway.            ::
auth-alg                         Authentication algorithm.                     null
enc-alg                          Encryption algorithm.                         null
auth-key                         Authentication key.                           -
enc-key                          Encryption key.                               -
local-spi                        Local SPI.                                    0x100
remote-spi                       Remote SPI.                                   0x100
npu-offload                      Enable/disable offloading NPU.                enable

vpn.ipsec/phase1
CLI Syntax
config vpn.ipsec phase1
    edit <name_str>
        set name <string>
        set type {static | dynamic | ddns}
        set interface <string>
        set ike-version {1 | 2}
        set remote-gw <ipv4-address>
        set local-gw <ipv4-address>
        set remotegw-ddns <string>
        set keylife <integer>
        config certificate
            edit <name_str>
                set name <string>
        end
        set authmethod {psk | rsa-signature | signature}
        set mode {aggressive | main}
        set peertype {any | one | dialup | peer | peergrp}
        set peerid <string>
        set usrgrp <string>
        set peer <string>
        set peergrp <string>
        set autoconfig {disable | client | gateway}
        set mode-cfg {disable | enable}
        set assign-ip {disable | enable}
        set mode-cfg-ip-version {4 | 6}
        set assign-ip-from {range | usrgrp | dhcp}
        set ipv4-start-ip <ipv4-address>
        set ipv4-end-ip <ipv4-address>
        set ipv4-netmask <ipv4-netmask>
        set dns-mode {manual | auto}
        set ipv4-dns-server1 <ipv4-address>
        set ipv4-dns-server2 <ipv4-address>
        set ipv4-dns-server3 <ipv4-address>
        set ipv4-wins-server1 <ipv4-address>
        set ipv4-wins-server2 <ipv4-address>
        config ipv4-exclude-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv4-address>
                set end-ip <ipv4-address>
        end
        set ipv4-split-include <string>
        set split-include-service <string>
        set ipv6-start-ip <ipv6-address>
        set ipv6-end-ip <ipv6-address>
        set ipv6-prefix <integer>
        set ipv6-dns-server1 <ipv6-address>
        set ipv6-dns-server2 <ipv6-address>
        set ipv6-dns-server3 <ipv6-address>
        config ipv6-exclude-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv6-address>
                set end-ip <ipv6-address>
        end
        set ipv6-split-include <string>
        set unity-support {disable | enable}
        set domain <string>
        set banner <var-string>
        set include-local-lan {disable | enable}
        set save-password {disable | enable}
        set client-auto-negotiate {disable | enable}
        set client-keep-alive {disable | enable}
        config backup-gateway
            edit <name_str>
                set address <string>
        end
        set proposal {des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 | 3des-md5 | 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 | aes128-md5 | aes128-sha1 | aes128-sha256 | aes128-sha384 | aes128-sha512 | aes192-md5 | aes192-sha1 | aes192-sha256 | aes192-sha384 | aes192-sha512 | aes256-md5 | aes256-sha1 | aes256-sha256 | aes256-sha384 | aes256-sha512 | aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384 | aria128-sha512 | aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384 | aria192-sha512 | aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512 | seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
        set add-route {disable | enable}
        set exchange-interface-ip {enable | disable}
        set add-gw-route {enable | disable}
        set psksecret <password>
        set keepalive <integer>
        set distance <integer>
        set priority <integer>
        set localid <string>
        set localid-type {auto | fqdn | user-fqdn | keyid | address | asn1dn}
        set auto-negotiate {enable | disable}
        set negotiate-timeout <integer>
        set fragmentation {enable | disable}
        set dpd {disable | on-idle | on-demand}
        set dpd-retrycount <integer>
        set dpd-retryinterval <user>
        set forticlient-enforcement {enable | disable}
        set comments <var-string>
        set npu-offload {enable | disable}
        set send-cert-chain {enable | disable}
        set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
        set suite-b {disable | suite-b-gcm-128 | suite-b-gcm-256}
        set eap {enable | disable}
        set eap-identity {use-id-payload | send-request}
        set acct-verify {enable | disable}
        set wizard-type {custom | dialup-forticlient | dialup-ios | dialup-android | dialup-windows | dialup-cisco | static-fortigate | dialup-fortigate | static-cisco | dialup-cisco-fw}
        set xauthtype {disable | client | pap | chap | auto}
        set reauth {disable | enable}
        set authusr <string>
        set authpasswd <password>
        set authusrgrp <string>
        set mesh-selector-type {disable | subnet | host}
        set idle-timeout {enable | disable}
        set idle-timeoutinterval <integer>
        set ha-sync-esp-seqno {enable | disable}
        set nattraversal {enable | disable | forced}
        set esn {require | allow | disable}
end
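As an added example, not from the reference, a static site-to-site phase1 entry assembled from the commands above. It chooses the options that matter for the strength of the IKE SA: IKEv2, a proposal list restricted to AES with SHA-256 (the proposal field also admits des and md5 combinations), Diffie-Hellman groups 14, 19 and 20 rather than groups 1, 2 or 5, a required peer ID, dead-peer detection on idle, and NAT traversal. Interface name, addresses (taken from the RFC 5737 documentation ranges), IDs and the pre-shared key are constructed placeholders. On a unit the branch is typed as `config vpn ipsec phase1`.

```fortios
# Added example, not from the reference. Interface, addresses, IDs and the PSK are constructed placeholders.
config vpn ipsec phase1
    edit "hq-to-branch1"
        set type static
        set interface "wan1"                             # constructed: local outgoing interface
        set ike-version 2
        set remote-gw 203.0.113.10                       # constructed (RFC 5737 documentation address)
        set local-gw 198.51.100.2                        # constructed (RFC 5737 documentation address)
        set authmethod psk
        set psksecret "REPLACE-WITH-LONG-RANDOM-PSK"
        set peertype one                                 # default 'any' accepts whatever ID the peer presents
        set peerid "branch1-gw"                          # constructed: IKE ID the peer must present
        set localid "hq-gw"                              # constructed
        set localid-type fqdn
        set proposal aes256-sha256 aes128-sha256         # default list also offers 3des and sha1
        set dhgrp 14 19 20                               # space-separated list; groups 1, 2 and 5 are not offered
        set keylife 86400
        set dpd on-idle                                  # default on-demand only probes when traffic is waiting
        set dpd-retrycount 3
        set dpd-retryinterval 20
        set nattraversal enable
        set fragmentation enable
        set auto-negotiate enable
        set negotiate-timeout 30
        set npu-offload enable
        set comments "Site-to-site, IKEv2, PSK with peer ID (added example)"
    next
end
```

The `mode {aggressive | main}` field is an IKEv1 setting and is not used with ike-version 2, which is why the example leaves it at its default.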

CLI Reference for FortiOS 5.4 719


Fortinet Technologies Inc.
Description
Configuration Description Default Value

name IPsec remote gateway name. (Empty)

type Remote gateway type (static, dialup, or DDNS). static

interface Local outgoing interface. (Empty)

ike-version IKE protocol version (IKEv1 or IKEv2). 1

remote-gw Remote VPN gateway. 0.0.0.0

local-gw Local VPN gateway. 0.0.0.0

remotegw-ddns Domain name of remote gateway (eg. (Empty)


name.DDNS.com).

keylife Phase1 keylife. 86400

certificate Certificate name for signature. (Empty)

authmethod Authentication method. psk

mode Mode. main

peertype Peer type. any

peerid Peer ID. (Empty)

usrgrp User group. (Empty)

peer Accept this peer certificate. (Empty)

peergrp Accept this peer certificate group. (Empty)

autoconfig Auto-configuration type.

mode-cfg Enable/disable configuration method. disable

assign-ip Enable/disable assignment of IP to IPsec enable


interface via configuration method.

mode-cfg-ip-version IP addressing to use for configuration method. 4

assign-ip-from Method by which the IP address will be assigned. range

CLI Reference for FortiOS 5.4 720


Fortinet Technologies Inc.
ipv4-start-ip Start of IPv4 range. 0.0.0.0

ipv4-end-ip End of IPv4 range. 0.0.0.0

ipv4-netmask IPv4 Netmask. 255.255.255.255

dns-mode DNS server mode. manual

ipv4-dns-server1 IPv4 DNS server 1. 0.0.0.0

ipv4-dns-server2 IPv4 DNS server 2. 0.0.0.0

ipv4-dns-server3 IPv4 DNS server 3. 0.0.0.0

ipv4-wins-server1 WINS server 1. 0.0.0.0

ipv4-wins-server2 WINS server 2. 0.0.0.0

ipv4-exclude-range Configuration Method IPv4 exclude ranges. (Empty)

ipv4-split-include IPv4 split-include subnets. (Empty)

split-include-service Split-include services. (Empty)

ipv6-start-ip Start of IPv6 range. ::

ipv6-end-ip End of IPv6 range. ::

ipv6-prefix IPv6 prefix. 128

ipv6-dns-server1 IPv6 DNS server 1. ::

ipv6-dns-server2 IPv6 DNS server 2. ::

ipv6-dns-server3 IPv6 DNS server 3. ::

ipv6-exclude-range Configuration method IPv6 exclude ranges. (Empty)

ipv6-split-include IPv6 split-include subnets. (Empty)

unity-support Enable/disable support for Cisco UNITY enable


Configuration Method extensions.

domain Instruct unity clients about the default DNS domain. (Empty)

banner Message that unity client should display after connecting. (Empty)

include-local-lan Enable/disable allow local LAN access on unity clients. disable

save-password Enable/disable saving XAuth username and password on VPN clients. disable

client-auto-negotiate Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. disable

client-keep-alive Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. disable

backup-gateway Instruct unity clients about the backup gateway address(es). (Empty)

proposal Phase1 proposal. aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1

add-route Enable/disable control addition of a route to peer destination selector. disable

exchange-interface-ip Enable/disable exchange of IPsec interface IP address. disable

add-gw-route Enable/disable automatically add a route to the remote gateway. disable

psksecret Pre-shared secret for PSK authentication. (Empty)

keepalive NAT-T keep alive interval. 10

distance Distance for routes added by IKE (1 - 255). 15

priority Priority for routes added by IKE (0 - 4294967295). 0

localid Local ID. (Empty)

localid-type Local ID type. auto

auto-negotiate Enable/disable automatic initiation of IKE SA negotiation. enable

negotiate-timeout IKE SA negotiation timeout in seconds. 30

fragmentation Enable/disable fragment IKE message on retransmission. enable

dpd Dead Peer Detection mode. on-demand

dpd-retrycount Number of DPD retry attempts. 3

dpd-retryinterval DPD retry interval. 20

forticlient-enforcement Enable/disable FortiClient enforcement. disable

comments Comment. (Empty)

npu-offload Enable/disable offloading NPU. enable

send-cert-chain Enable/disable sending certificate chain. enable

dhgrp DH group. 14 5

suite-b Use Suite-B. disable

eap Enable/disable IKEv2 EAP authentication. disable

eap-identity IKEv2 EAP peer identity type. use-id-payload

acct-verify Enable/disable verification of RADIUS accounting record. disable

wizard-type GUI VPN Wizard Type. custom

xauthtype XAuth type. disable

reauth Enable/disable re-authentication upon IKE SA lifetime expiration. disable

authusr XAuth user name. (Empty)

authpasswd XAuth password (max 35 characters). (Empty)

authusrgrp Authentication user group. (Empty)

mesh-selector-type Add selectors containing subsets of the configuration depending on traffic. disable

idle-timeout Enable/disable IPsec tunnel idle timeout. disable

idle-timeoutinterval IPsec tunnel idle timeout in minutes (10 - 43200). 15

ha-sync-esp-seqno Enable/disable sequence number jump ahead for IPsec HA. enable

nattraversal Enable/disable NAT traversal. enable

esn Extended sequence number (ESN) negotiation. disable

vpn.ipsec/phase1-interface
CLI Syntax
config vpn.ipsec phase1-interface
edit <name_str>
set name <string>
set type {static | dynamic | ddns}
set interface <string>
set ip-version {4 | 6}
set ike-version {1 | 2}
set local-gw <ipv4-address>
set local-gw6 <ipv6-address>
set remote-gw <ipv4-address>
set remote-gw6 <ipv6-address>
set remotegw-ddns <string>
set keylife <integer>
config certificate
edit <name_str>
set name <string>
end
set authmethod {psk | rsa-signature | signature}
set mode {aggressive | main}
set peertype {any | one | dialup | peer | peergrp}
set peerid <string>
set default-gw <ipv4-address>
set default-gw-priority <integer>
set usrgrp <string>
set peer <string>
set peergrp <string>
set monitor <string>
set monitor-hold-down-type {immediate | delay | time}
set monitor-hold-down-delay <integer>
set monitor-hold-down-weekday {everyday | sunday | monday | tuesday | wednesday |
thursday | friday | saturday}
set monitor-hold-down-time <user>
set mode-cfg {disable | enable}
set assign-ip {disable | enable}
set mode-cfg-ip-version {4 | 6}
set assign-ip-from {range | usrgrp | dhcp}
set ipv4-start-ip <ipv4-address>
set ipv4-end-ip <ipv4-address>
set ipv4-netmask <ipv4-netmask>
set dns-mode {manual | auto}
set ipv4-dns-server1 <ipv4-address>
set ipv4-dns-server2 <ipv4-address>
set ipv4-dns-server3 <ipv4-address>
set ipv4-wins-server1 <ipv4-address>
set ipv4-wins-server2 <ipv4-address>
config ipv4-exclude-range
edit <name_str>
set id <integer>
set start-ip <ipv4-address>
set end-ip <ipv4-address>
end
set ipv4-split-include <string>
set split-include-service <string>
set ipv6-start-ip <ipv6-address>
set ipv6-end-ip <ipv6-address>
set ipv6-prefix <integer>
set ipv6-dns-server1 <ipv6-address>
set ipv6-dns-server2 <ipv6-address>
set ipv6-dns-server3 <ipv6-address>
config ipv6-exclude-range
edit <name_str>
set id <integer>
set start-ip <ipv6-address>
set end-ip <ipv6-address>
end
set ipv6-split-include <string>
set unity-support {disable | enable}
set domain <string>
set banner <var-string>
set include-local-lan {disable | enable}
set save-password {disable | enable}
set client-auto-negotiate {disable | enable}
set client-keep-alive {disable | enable}
config backup-gateway
edit <name_str>
set address <string>
end
set proposal {des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 | 3des-md5
| 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 | aes128-md5 | aes128-sha1
| aes128-sha256 | aes128-sha384 | aes128-sha512 | aes192-md5 | aes192-sha1 | aes192-sha256
| aes192-sha384 | aes192-sha512 | aes256-md5 | aes256-sha1 | aes256-sha256
| aes256-sha384 | aes256-sha512 | aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384
| aria128-sha512 | aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384
| aria192-sha512 | aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512
| seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
set add-route {disable | enable}
set exchange-interface-ip {enable | disable}
set add-gw-route {enable | disable}
set psksecret <password>
set keepalive <integer>
set distance <integer>
set priority <integer>
set localid <string>
set localid-type {auto | fqdn | user-fqdn | keyid | address | asn1dn}
set auto-negotiate {enable | disable}
set negotiate-timeout <integer>
set fragmentation {enable | disable}
set dpd {disable | on-idle | on-demand}
set dpd-retrycount <integer>
set dpd-retryinterval <user>
set forticlient-enforcement {enable | disable}
set comments <var-string>
set npu-offload {enable | disable}
set send-cert-chain {enable | disable}
set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
set suite-b {disable | suite-b-gcm-128 | suite-b-gcm-256}
set eap {enable | disable}
set eap-identity {use-id-payload | send-request}
set acct-verify {enable | disable}
set wizard-type {custom | dialup-forticlient | dialup-ios | dialup-android | dialup-windows
| dialup-cisco | static-fortigate | dialup-fortigate | static-cisco | dialup-cisco-fw}
set xauthtype {disable | client | pap | chap | auto}
set reauth {disable | enable}
set authusr <string>
set authpasswd <password>
set authusrgrp <string>
set mesh-selector-type {disable | subnet | host}
set idle-timeout {enable | disable}
set idle-timeoutinterval <integer>
set ha-sync-esp-seqno {enable | disable}
set auto-discovery-sender {enable | disable}
set auto-discovery-receiver {enable | disable}
set auto-discovery-forwarder {enable | disable}
set auto-discovery-psk {enable | disable}
set encapsulation {none | gre | vxlan}
set encapsulation-address {ike | ipv4 | ipv6}
set encap-local-gw4 <ipv4-address>
set encap-local-gw6 <ipv6-address>
set encap-remote-gw4 <ipv4-address>
set encap-remote-gw6 <ipv6-address>
set nattraversal {enable | disable | forced}
set esn {require | allow | disable}
end

Description
Configuration Description Default Value

name IPsec remote gateway name. (Empty)

type Remote gateway type (static, dialup, or DDNS). static

interface Local outgoing interface. (Empty)

ip-version IP version to use for VPN interface. 4

ike-version IKE protocol version (IKEv1 or IKEv2). 1

local-gw Local IPv4 address of VPN. 0.0.0.0

local-gw6 Local IPv6 address of VPN. ::

remote-gw Remote IPv4 address of VPN gateway. 0.0.0.0

remote-gw6 Remote IPv6 address of VPN. ::

remotegw-ddns Domain name of remote gateway (e.g. name.DDNS.com). (Empty)

keylife Phase1 keylife. 86400

certificate Certificate name for signature. (Empty)

authmethod Authentication method. psk

mode Mode. main

peertype Peer type. any

peerid Peer ID. (Empty)

default-gw IPv4 address of default route gateway to use for traffic exiting the interface. 0.0.0.0

default-gw-priority Priority for default gateway route. 0

usrgrp User group. (Empty)

peer Accept this peer certificate. (Empty)

peergrp Accept this peer certificate group. (Empty)

monitor IPsec interface to backup. (Empty)

monitor-hold-down-type Control recovery time when primary re-establishes. immediate

monitor-hold-down-delay Number of seconds to wait before recovery once primary re-establishes. 0

monitor-hold-down-weekday Day of the week to recover once primary re-establishes. sunday

monitor-hold-down-time Time of day to recover once primary re-establishes. 00:00

mode-cfg Enable/disable configuration method. disable

assign-ip Enable/disable assignment of IP to IPsec interface via configuration method. enable

mode-cfg-ip-version IP addressing to use for configuration method. 4

assign-ip-from Method by which the IP address will be assigned. range

ipv4-start-ip Start of IPv4 range. 0.0.0.0

ipv4-end-ip End of IPv4 range. 0.0.0.0

ipv4-netmask IPv4 Netmask. 255.255.255.255

dns-mode DNS server mode. manual

ipv4-dns-server1 IPv4 DNS server 1. 0.0.0.0

ipv4-dns-server2 IPv4 DNS server 2. 0.0.0.0

ipv4-dns-server3 IPv4 DNS server 3. 0.0.0.0

ipv4-wins-server1 WINS server 1. 0.0.0.0

ipv4-wins-server2 WINS server 2. 0.0.0.0

ipv4-exclude-range Configuration Method IPv4 exclude ranges. (Empty)

ipv4-split-include IPv4 split-include subnets. (Empty)

split-include-service Split-include services. (Empty)

ipv6-start-ip Start of IPv6 range. ::

ipv6-end-ip End of IPv6 range. ::

ipv6-prefix IPv6 prefix. 128

ipv6-dns-server1 IPv6 DNS server 1. ::

ipv6-dns-server2 IPv6 DNS server 2. ::

ipv6-dns-server3 IPv6 DNS server 3. ::

ipv6-exclude-range Configuration method IPv6 exclude ranges. (Empty)

ipv6-split-include IPv6 split-include subnets. (Empty)

unity-support Enable/disable support for Cisco UNITY Configuration Method extensions. enable

domain Instruct unity clients about the default DNS domain. (Empty)

banner Message that unity client should display after connecting. (Empty)

include-local-lan Enable/disable allow local LAN access on unity clients. disable

save-password Enable/disable saving XAuth username and password on VPN clients. disable

client-auto-negotiate Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. disable

client-keep-alive Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. disable

backup-gateway Instruct unity clients about the backup gateway address(es). (Empty)

proposal Phase1 proposal. aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1

add-route Enable/disable control addition of a route to peer destination selector. enable

exchange-interface-ip Enable/disable exchange of IPsec interface IP address. disable

add-gw-route Enable/disable automatically add a route to the remote gateway. disable

psksecret Pre-shared secret for PSK authentication. (Empty)

keepalive NAT-T keep alive interval. 10

distance Distance for routes added by IKE (1 - 255). 15

priority Priority for routes added by IKE (0 - 4294967295). 0

localid Local ID. (Empty)

localid-type Local ID type. auto

auto-negotiate Enable/disable automatic initiation of IKE SA negotiation. enable

negotiate-timeout IKE SA negotiation timeout in seconds. 30

fragmentation Enable/disable fragment IKE message on retransmission. enable

dpd Dead Peer Detection mode. on-demand

dpd-retrycount Number of DPD retry attempts. 3

dpd-retryinterval DPD retry interval. 20

forticlient-enforcement Enable/disable FortiClient enforcement. disable

comments Comment. (Empty)

npu-offload Enable/disable offloading NPU. enable

send-cert-chain Enable/disable sending certificate chain. enable

dhgrp DH group. 14 5

suite-b Use Suite-B. disable

eap Enable/disable IKEv2 EAP authentication. disable

eap-identity IKEv2 EAP peer identity type. use-id-payload

acct-verify Enable/disable verification of RADIUS accounting record. disable

wizard-type GUI VPN Wizard Type. custom

xauthtype XAuth type. disable

reauth Enable/disable re-authentication upon IKE SA lifetime expiration. disable

authusr XAuth user name. (Empty)

authpasswd XAuth password (max 35 characters). (Empty)

authusrgrp Authentication user group. (Empty)

mesh-selector-type Add selectors containing subsets of the configuration depending on traffic. disable

idle-timeout Enable/disable IPsec tunnel idle timeout. disable

idle-timeoutinterval IPsec tunnel idle timeout in minutes (10 - 43200). 15

ha-sync-esp-seqno Enable/disable sequence number jump ahead for IPsec HA. enable

auto-discovery-sender Enable/disable sending auto-discovery short-cut messages. disable

auto-discovery-receiver Enable/disable accepting auto-discovery short-cut messages. disable

auto-discovery-forwarder Enable/disable forwarding auto-discovery short-cut messages. disable

auto-discovery-psk Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. disable

encapsulation Enable/disable GRE/VXLAN encapsulation. none

encapsulation-address Source for GRE/VXLAN tunnel address. ike

encap-local-gw4 Local IPv4 address of GRE/VXLAN tunnel. 0.0.0.0

encap-local-gw6 Local IPv6 address of GRE/VXLAN tunnel. ::

encap-remote-gw4 Remote IPv4 address of GRE/VXLAN tunnel. 0.0.0.0

encap-remote-gw6 Remote IPv6 address of GRE/VXLAN tunnel. ::

nattraversal Enable/disable NAT traversal. enable

esn Extended sequence number (ESN) negotiation. disable

vpn.ipsec/phase2
CLI Syntax
config vpn.ipsec phase2
edit <name_str>
set name <string>
set phase1name <string>
set dhcp-ipsec {enable | disable}
set use-natip {enable | disable}
set selector-match {exact | subset | auto}
set proposal {null-md5 | null-sha1 | null-sha256 | null-sha384 | null-sha512 | des-null
| des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 | 3des-null | 3des-md5
| 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 | aes128-null | aes128-md5
| aes128-sha1 | aes128-sha256 | aes128-sha384 | aes128-sha512 | aes128gcm | aes192-null
| aes192-md5 | aes192-sha1 | aes192-sha256 | aes192-sha384 | aes192-sha512 | aes256-null
| aes256-md5 | aes256-sha1 | aes256-sha256 | aes256-sha384 | aes256-sha512 | aes256gcm
| aria128-null | aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384 | aria128-sha512
| aria192-null | aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384 | aria192-sha512
| aria256-null | aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512
| seed-null | seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
set pfs {enable | disable}
set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
set replay {enable | disable}
set keepalive {enable | disable}
set auto-negotiate {enable | disable}
set add-route {phase1 | enable | disable}
set keylifeseconds <integer>
set keylifekbs <integer>
set keylife-type {seconds | kbs | both}
set single-source {enable | disable}
set route-overlap {use-old | use-new | allow}
set encapsulation {tunnel-mode | transport-mode}
set l2tp {enable | disable}
set comments <var-string>
set protocol <integer>
set src-name <string>
set src-name6 <string>
set src-addr-type {subnet | range | ip | name}
set src-start-ip <ipv4-address-any>
set src-start-ip6 <ipv6-address>
set src-end-ip <ipv4-address-any>
set src-end-ip6 <ipv6-address>
set src-subnet <ipv4-classnet-any>
set src-subnet6 <ipv6-prefix>
set src-port <integer>
set dst-name <string>
set dst-name6 <string>
set dst-addr-type {subnet | range | ip | name}
set dst-start-ip <ipv4-address-any>
set dst-start-ip6 <ipv6-address>
set dst-end-ip <ipv4-address-any>
set dst-end-ip6 <ipv6-address>
set dst-subnet <ipv4-classnet-any>
set dst-subnet6 <ipv6-prefix>
set dst-port <integer>
end

Description
Configuration Description Default Value

name IPsec tunnel name. (Empty)

phase1name IKE phase1 name. (Empty)

dhcp-ipsec Enable/disable DHCP-IPsec. disable

use-natip Enable/disable source NAT selector fix-up. enable

selector-match Match type to use when comparing selectors. auto

proposal Phase2 proposal. aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256

pfs Enable/disable PFS feature. enable

dhgrp Phase2 DH group. 14 5

replay Enable/disable replay detection. enable

keepalive Enable/disable keep alive. disable

auto-negotiate Enable/disable IPsec SA auto-negotiation. disable

add-route Enable/disable automatic route addition. phase1

keylifeseconds Phase2 keylife in time. 43200

keylifekbs Phase2 keylife in traffic (kbps). 5120

keylife-type Keylife type. seconds

single-source Enable/disable single source IP restriction. disable

route-overlap Action for overlapping routes. use-new

encapsulation ESP encapsulation mode. tunnel-mode

l2tp Enable/disable L2TP over IPsec. disable

comments Comment. (Empty)

protocol Quick mode protocol selector (1 - 255 or 0 for all). 0

src-name Local proxy ID name. (Empty)

src-name6 Local proxy ID name. (Empty)

src-addr-type Local proxy ID type. subnet

src-start-ip Local proxy ID start. 0.0.0.0

src-start-ip6 Local proxy ID IPv6 start. ::

src-end-ip Local proxy ID end. 0.0.0.0

src-end-ip6 Local proxy ID IPv6 end. ::

src-subnet Local proxy ID subnet. 0.0.0.0 0.0.0.0

src-subnet6 Local proxy ID IPv6 subnet. ::/0

src-port Quick mode source port (1 - 65535 or 0 for all). 0

dst-name Remote proxy ID name. (Empty)

dst-name6 Remote proxy ID name. (Empty)

dst-addr-type Remote proxy ID type. subnet

dst-start-ip Remote proxy ID IPv4 start. 0.0.0.0

dst-start-ip6 Remote proxy ID IPv6 start. ::

dst-end-ip Remote proxy ID IPv4 end. 0.0.0.0

dst-end-ip6 Remote proxy ID IPv6 end. ::

dst-subnet Remote proxy ID IPv4 subnet. 0.0.0.0 0.0.0.0

dst-subnet6 Remote proxy ID IPv6 subnet. ::/0

dst-port Quick mode destination port (1 - 65535 or 0 for all). 0

vpn.ipsec/phase2-interface
CLI Syntax
config vpn.ipsec phase2-interface
edit <name_str>
set name <string>
set phase1name <string>
set dhcp-ipsec {enable | disable}
set proposal {null-md5 | null-sha1 | null-sha256 | null-sha384 | null-sha512 | des-null
| des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 | 3des-null | 3des-md5
| 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 | aes128-null | aes128-md5
| aes128-sha1 | aes128-sha256 | aes128-sha384 | aes128-sha512 | aes128gcm | aes192-null
| aes192-md5 | aes192-sha1 | aes192-sha256 | aes192-sha384 | aes192-sha512 | aes256-null
| aes256-md5 | aes256-sha1 | aes256-sha256 | aes256-sha384 | aes256-sha512 | aes256gcm
| aria128-null | aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384 | aria128-sha512
| aria192-null | aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384 | aria192-sha512
| aria256-null | aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512
| seed-null | seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
set pfs {enable | disable}
set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
set replay {enable | disable}
set keepalive {enable | disable}
set auto-negotiate {enable | disable}
set add-route {phase1 | enable | disable}
set auto-discovery-sender {phase1 | enable | disable}
set auto-discovery-forwarder {phase1 | enable | disable}
set keylifeseconds <integer>
set keylifekbs <integer>
set keylife-type {seconds | kbs | both}
set single-source {enable | disable}
set route-overlap {use-old | use-new | allow}
set encapsulation {tunnel-mode | transport-mode}
set l2tp {enable | disable}
set comments <var-string>
set protocol <integer>
set src-name <string>
set src-name6 <string>
set src-addr-type {subnet | range | ip | name | subnet6 | range6 | ip6 | name6}
set src-start-ip <ipv4-address-any>
set src-start-ip6 <ipv6-address>
set src-end-ip <ipv4-address-any>
set src-end-ip6 <ipv6-address>
set src-subnet <ipv4-classnet-any>
set src-subnet6 <ipv6-prefix>
set src-port <integer>
set dst-name <string>
set dst-name6 <string>
set dst-addr-type {subnet | range | ip | name | subnet6 | range6 | ip6 | name6}
set dst-start-ip <ipv4-address-any>
set dst-start-ip6 <ipv6-address>
set dst-end-ip <ipv4-address-any>
set dst-end-ip6 <ipv6-address>
set dst-subnet <ipv4-classnet-any>
set dst-subnet6 <ipv6-prefix>
set dst-port <integer>
end

Description
Configuration Description Default Value

name IPsec tunnel name. (Empty)

phase1name IKE phase1 name. (Empty)

dhcp-ipsec Enable/disable DHCP-IPsec. disable

proposal Phase2 proposal. aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256

pfs Enable/disable PFS feature. enable

dhgrp Phase2 DH group. 14 5

replay Enable/disable replay detection. enable

keepalive Enable/disable keep alive. disable

auto-negotiate Enable/disable IPsec SA auto-negotiation. disable

add-route Enable/disable automatic route addition. phase1

auto-discovery-sender Enable/disable sending short-cut messages. phase1

auto-discovery-forwarder Enable/disable forwarding short-cut messages. phase1

keylifeseconds Phase2 keylife in time. 43200

keylifekbs Phase2 keylife in traffic (kbps). 5120

keylife-type Keylife type. seconds

single-source Enable/disable single source IP restriction. disable

route-overlap Action for overlapping routes. use-new

encapsulation ESP encapsulation mode. tunnel-mode

l2tp Enable/disable L2TP over IPsec. disable

comments Comment. (Empty)

protocol Quick mode protocol selector (1 - 255 or 0 for all). 0

src-name Local proxy ID name. (Empty)

src-name6 Local proxy ID name. (Empty)

src-addr-type Local proxy ID type. subnet

src-start-ip Local proxy ID start. 0.0.0.0

src-start-ip6 Local proxy ID IPv6 start. ::

src-end-ip Local proxy ID end. 0.0.0.0

src-end-ip6 Local proxy ID IPv6 end. ::

src-subnet Local proxy ID subnet. 0.0.0.0 0.0.0.0

src-subnet6 Local proxy ID IPv6 subnet. ::/0

src-port Quick mode source port (1 - 65535 or 0 for all). 0

dst-name Remote proxy ID name. (Empty)

dst-name6 Remote proxy ID name. (Empty)

dst-addr-type Remote proxy ID type. subnet

dst-start-ip Remote proxy ID IPv4 start. 0.0.0.0

dst-start-ip6 Remote proxy ID IPv6 start. ::

dst-end-ip Remote proxy ID IPv4 end. 0.0.0.0

dst-end-ip6 Remote proxy ID IPv6 end. ::

dst-subnet Remote proxy ID IPv4 subnet. 0.0.0.0 0.0.0.0

dst-subnet6 Remote proxy ID IPv6 subnet. ::/0

dst-port Quick mode destination port (1 - 65535 or 0 for all). 0
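A complete route-based tunnel assembled from the phase1-interface and phase2-interface options documented above, as an added example rather than a stanza from the reference. It replaces the 3des-sha1 and DH group 5 defaults with IKEv2, SHA-256 proposals and DH groups 14 and 19, and turns on DPD and anti-replay. The interface wan1, the peer 203.0.113.10, the two subnets and the comment are constructed values; the `#` lines are annotations, and `next` closes each entry as it does on a live FortiGate.

```fortios
# Added example, not from the reference. Constructed values: wan1, 203.0.113.10, 10.0.1.0/24, 10.0.2.0/24.
config vpn.ipsec phase1-interface
    edit "site-b"
        set type static
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set authmethod psk
        # replace the 3des-sha1 / group 5 defaults with SHA-2 proposals and groups 14 and 19
        set proposal aes256-sha256 aes128-sha256
        set dhgrp 14 19
        set keylife 86400
        # on-idle DPD tears down a dead peer even when no traffic is flowing
        set dpd on-idle
        set dpd-retrycount 3
        set dpd-retryinterval 10
        set nattraversal enable
        set auto-negotiate enable
        # placeholder: use a long random secret, never a word or a reused password
        set psksecret "REPLACE-WITH-LONG-RANDOM-SECRET"
        set comments "site-b tunnel"
    next
end
config vpn.ipsec phase2-interface
    edit "site-b-p2"
        set phase1name "site-b"
        set proposal aes256-sha256 aes128-sha256
        # PFS with a fresh DH exchange per child SA
        set pfs enable
        set dhgrp 14 19
        set replay enable
        set keylife-type seconds
        set keylifeseconds 43200
        set encapsulation tunnel-mode
        set src-subnet 10.0.1.0 255.255.255.0
        set dst-subnet 10.0.2.0 255.255.255.0
    next
end
```

Because this is an interface-mode tunnel, a static route to the remote subnet via the site-b interface and firewall policies that reference that interface are still required; both are configured outside this section.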

vpn.ssl.web/host-check-software
CLI Syntax
config vpn.ssl.web host-check-software
edit <name_str>
set name <string>
set type {av | fw}
set version <string>
set guid <user>
config check-item-list
edit <name_str>
set id <integer>
set action {require | deny}
set type {file | registry | process}
set target <string>
set version <string>
config md5s
edit <name_str>
set id <string>
end
end
end

Description
Configuration Description Default Value

name Name. (Empty)

type Type. av

version Version. (Empty)

guid Globally unique ID. "00000000-0000-0000-0000-000000000000"

check-item-list Check item list. (Empty)

vpn.ssl.web/portal
CLI Syntax
config vpn.ssl.web portal
edit <name_str>
set name <string>
set tunnel-mode {enable | disable}
set ip-mode {range | user-group}
set auto-connect {enable | disable}
set keep-alive {enable | disable}
set save-password {enable | disable}
config ip-pools
edit <name_str>
set name <string>
end
set exclusive-routing {enable | disable}
set service-restriction {enable | disable}
set split-tunneling {enable | disable}
config split-tunneling-routing-address
edit <name_str>
set name <string>
end
set dns-server1 <ipv4-address>
set dns-server2 <ipv4-address>
set wins-server1 <ipv4-address>
set wins-server2 <ipv4-address>
set ipv6-tunnel-mode {enable | disable}
config ipv6-pools
edit <name_str>
set name <string>
end
set ipv6-exclusive-routing {enable | disable}
set ipv6-service-restriction {enable | disable}
set ipv6-split-tunneling {enable | disable}
config ipv6-split-tunneling-routing-address
edit <name_str>
set name <string>
end
set ipv6-dns-server1 <ipv6-address>
set ipv6-dns-server2 <ipv6-address>
set ipv6-wins-server1 <ipv6-address>
set ipv6-wins-server2 <ipv6-address>
set web-mode {enable | disable}
set display-bookmark {enable | disable}
set user-bookmark {enable | disable}
set user-group-bookmark {enable | disable}
config bookmark-group
edit <name_str>
set name <string>
config bookmarks
edit <name_str>
set name <string>
set apptype {citrix | ftp | portforward | rdp | rdpnative | smb | ssh | telnet | vnc | web}
set url <var-string>
set host <var-string>
set folder <var-string>
set additional-params <var-string>
set listening-port <integer>
set remote-port <integer>
set show-status-window {enable | disable}
set description <var-string>
set server-layout {en-us-qwerty | de-de-qwertz | fr-fr-azerty | it-it-qwerty | sv-se-qwerty | failsafe}
set port <integer>
set logon-user <var-string>
set logon-password <password>
set sso {disable | static | auto}
config form-data
edit <name_str>
set name <string>
set value <var-string>
end
set sso-credential {sslvpn-login | alternative}
set sso-username <var-string>
set sso-password <password>
end
end
set display-connection-tools {enable | disable}
set display-history {enable | disable}
set display-status {enable | disable}
set heading <string>
set redir-url <var-string>
set theme {blue | green | red | melongene}
set custom-lang <string>
set host-check {none | av | fw | av-fw | custom}
set host-check-interval <integer>
config host-check-policy
edit <name_str>
set name <string>
end
set limit-user-logins {enable | disable}
set mac-addr-check {enable | disable}
set mac-addr-action {allow | deny}
config mac-addr-check-rule
edit <name_str>
set name <string>
set mac-addr-mask <integer>
config mac-addr-list
edit <name_str>
set addr <mac-address>
end
end
end
set os-check {enable | disable}
config os-check-list
edit <name_str>
set name <string>
set action {deny | allow | check-up-to-date}
set tolerance <integer>
set latest-patch-level <user>
end
set virtual-desktop {enable | disable}
set virtual-desktop-app-list <string>
set virtual-desktop-clipboard-share {enable | disable}
set virtual-desktop-desktop-switch {enable | disable}
set virtual-desktop-logout-when-browser-close {enable | disable}
set virtual-desktop-network-share-access {enable | disable}
set virtual-desktop-printing {enable | disable}
set virtual-desktop-removable-media-access {enable | disable}
set skip-check-for-unsupported-os {enable | disable}
set skip-check-for-unsupported-browser {enable | disable}
end

Description
Configuration Description Default Value

name Portal name. (Empty)

tunnel-mode Enable/disable SSL VPN tunnel mode. disable

ip-mode IP mode is range or by user group. range

auto-connect Enable/disable automatic connect by client when system is up. disable

keep-alive Enable/disable automatic re-connect by client. disable

save-password Enable/disable save of user password by client. disable

ip-pools Tunnel IP pools. (Empty)

exclusive-routing Enable/disable all traffic go through tunnel only. disable

service-restriction Enable/disable tunnel service restriction. disable

split-tunneling Enable/disable split tunneling. enable

split-tunneling-routing-address Split tunnelling address range for client routing. (Empty)

dns-server1 DNS server 1. 0.0.0.0

dns-server2 DNS server 2. 0.0.0.0

wins-server1 WINS server 1. 0.0.0.0

wins-server2 WINS server 2. 0.0.0.0

ipv6-tunnel-mode Enable/disable SSL VPN IPV6 tunnel mode. disable

ipv6-pools Tunnel IP pools. (Empty)

ipv6-exclusive-routing Enable/disable all IPv6 traffic go through tunnel only. disable

ipv6-service-restriction Enable/disable IPv6 tunnel service restriction. disable

ipv6-split-tunneling Enable/disable IPv6 split tunneling. enable

ipv6-split-tunneling-routing-address IPv6 split tunnelling address range for client routing. (Empty)

ipv6-dns-server1 IPv6 DNS server 1. ::

ipv6-dns-server2 IPv6 DNS server 2. ::

ipv6-wins-server1 IPv6 WINS server 1. ::

ipv6-wins-server2 IPv6 WINS server 2. ::

web-mode Enable/disable SSL VPN web mode. disable

display-bookmark Enable/disable displaying of bookmark widget. enable

user-bookmark Enable/disable user defined bookmark. enable

user-group-bookmark Enable/disable user group defined bookmark. enable

bookmark-group Portal bookmark group. (Empty)

display-connection-tools Enable/disable displaying of connection tools widget. enable

display-history Enable/disable displaying of user login history widget. enable

display-status Enable/disable display of status widget. enable

heading Portal heading message. SSL-VPN Portal

redir-url Client login redirect URL. (Empty)

theme Color scheme for the portal. blue

custom-lang Custom portal language. (Empty)

host-check Configure host check settings. none

host-check-interval Periodic host check interval. 0

host-check-policy Host check policy. (Empty)

limit-user-logins Enable/disable allow users to have only one active SSL VPN connection at a time. disable

mac-addr-check Client MAC address check. disable

mac-addr-action Client MAC address action. allow

mac-addr-check-rule Client MAC address check rule. (Empty)

os-check Enable/disable SSL VPN OS check. disable

os-check-list SSL VPN OS checks. (Empty)

virtual-desktop Enable/disable SSL VPN virtual desktop. disable

virtual-desktop-app-list Virtual desktop application list. (Empty)

virtual-desktop-clipboard-share Enable/disable sharing of clipboard in virtual desktop. disable

virtual-desktop-desktop-switch Enable/disable switch to virtual desktop. enable

virtual-desktop-logout-when-browser-close Enable/disable logout when browser is closed in virtual desktop. disable

virtual-desktop-network-share-access Enable/disable network share access in virtual desktop. disable

virtual-desktop-printing Enable/disable printing in virtual desktop. disable

virtual-desktop- Enable/disable access to removable media in disable


removable-media- virtual desktop.
access

skip-check-for- Skip check for unsupported OS. enable


unsupported-os

skip-check-for- Skip check for unsupported browsers. enable


unsupported-browser

vpn.ssl.web/realm
CLI Syntax
config vpn.ssl.web realm
edit <name_str>
set url-path <string>
set max-concurrent-user <integer>
set login-page <var-string>
set virtual-host <var-string>
end

Description
Configuration Description Default Value

url-path URL path to access SSL-VPN login page. (Empty)

max-concurrent-user Maximum concurrent users (0 - 65535, 0 for unlimited). 0

login-page Replacement HTML for SSL-VPN login page. (Empty)

virtual-host Virtual host name for realm. (Empty)

vpn.ssl.web/user-bookmark
CLI Syntax
config vpn.ssl.web user-bookmark
edit <name_str>
set name <string>
set custom-lang <string>
config bookmarks
edit <name_str>
set name <string>
set apptype {citrix | ftp | portforward | rdp | rdpnative | smb | ssh | telnet | vnc | web}
set url <var-string>
set host <var-string>
set folder <var-string>
set additional-params <var-string>
set listening-port <integer>
set remote-port <integer>
set show-status-window {enable | disable}
set description <var-string>
set server-layout {en-us-qwerty | de-de-qwertz | fr-fr-azerty | it-it-qwerty | sv-se-qwerty | failsafe}
set port <integer>
set logon-user <var-string>
set logon-password <password>
set sso {disable | static | auto}
config form-data
edit <name_str>
set name <string>
set value <var-string>
end
set sso-credential {sslvpn-login | alternative}
set sso-username <var-string>
set sso-password <password>
end
end

Description
Configuration Description Default Value

name User and group name. (Empty)

custom-lang Personal language. (Empty)

bookmarks Bookmark table. (Empty)

vpn.ssl.web/virtual-desktop-app-list
CLI Syntax
config vpn.ssl.web virtual-desktop-app-list
edit <name_str>
set name <string>
set action {allow | block}
config apps
edit <name_str>
set name <string>
config md5s
edit <name_str>
set id <string>
end
end
end

Description
Configuration Description Default Value

name Application list name. (Empty)

action Action. allow

apps Applications. (Empty)

vpn.ssl/settings
CLI Syntax
config vpn.ssl settings
edit <name_str>
set reqclientcert {enable | disable}
set sslv2 {enable | disable}
set sslv3 {enable | disable}
set tlsv1-0 {enable | disable}
set tlsv1-1 {enable | disable}
set tlsv1-2 {enable | disable}
set ssl-big-buffer {enable | disable}
set ssl-insert-empty-fragment {enable | disable}
set https-redirect {enable | disable}
set ssl-client-renegotiation {disable | enable}
set force-two-factor-auth {enable | disable}
set unsafe-legacy-renegotiation {enable | disable}
set servercert <string>
set algorithm {default | high | low}
set idle-timeout <integer>
set auth-timeout <integer>
config tunnel-ip-pools
edit <name_str>
set name <string>
end
config tunnel-ipv6-pools
edit <name_str>
set name <string>
end
set dns-suffix <var-string>
set dns-server1 <ipv4-address>
set dns-server2 <ipv4-address>
set wins-server1 <ipv4-address>
set wins-server2 <ipv4-address>
set ipv6-dns-server1 <ipv6-address>
set ipv6-dns-server2 <ipv6-address>
set ipv6-wins-server1 <ipv6-address>
set ipv6-wins-server2 <ipv6-address>
set route-source-interface {enable | disable}
set url-obscuration {enable | disable}
set http-compression {enable | disable}
set http-only-cookie {enable | disable}
set deflate-compression-level <integer>
set deflate-min-data-size <integer>
set port <integer>
set port-precedence {enable | disable}
set auto-tunnel-static-route {enable | disable}
set header-x-forwarded-for {pass | add | remove}
config source-interface
edit <name_str>
set name <string>
end
config source-address
edit <name_str>
set name <string>
end
set source-address-negate {enable | disable}
config source-address6
edit <name_str>
set name <string>
end
set source-address6-negate {enable | disable}
set default-portal <string>
config authentication-rule
edit <name_str>
set id <integer>
config source-interface
edit <name_str>
set name <string>
end
config source-address
edit <name_str>
set name <string>
end
set source-address-negate {enable | disable}
config source-address6
edit <name_str>
set name <string>
end
set source-address6-negate {enable | disable}
config users
edit <name_str>
set name <string>
end
config groups
edit <name_str>
set name <string>
end
set portal <string>
set realm <string>
set client-cert {enable | disable}
set cipher {any | high | medium}
set auth {any | local | radius | tacacs+ | ldap}
end
set dtls-tunnel {enable | disable}
set check-referer {enable | disable}
end

Description
Configuration Description Default Value

reqclientcert Enable/disable require client certificate. disable

sslv2 Enable/disable SSLv2. disable

sslv3 Enable/disable SSLv3. disable

tlsv1-0 Enable/disable TLSv1.0. disable

tlsv1-1 Enable/disable TLSv1.1. enable

tlsv1-2 Enable/disable TLSv1.2. enable

ssl-big-buffer Enable/disable big SSLv3 buffer. disable

ssl-insert-empty-fragment Enable/disable insertion of empty fragment. enable

https-redirect Enable/disable redirect of port 80 to SSL-VPN port. disable

ssl-client-renegotiation Allow/block client renegotiation by server. disable

force-two-factor-auth Enable/disable force two-factor authentication. disable

unsafe-legacy-renegotiation Enable/disable unsafe legacy re-negotiation. disable

servercert Server certificate. Fortinet_Factory

algorithm Allow algorithms. high

idle-timeout SSL VPN disconnects if idle for specified time. 300

auth-timeout Forced re-authentication after timeout. 28800

tunnel-ip-pools Tunnel IP pools. (Empty)

tunnel-ipv6-pools Tunnel IPv6 pools. (Empty)

dns-suffix DNS suffix. (Empty)

dns-server1 DNS server 1. 0.0.0.0

dns-server2 DNS server 2. 0.0.0.0

wins-server1 WINS server 1. 0.0.0.0

wins-server2 WINS server 2. 0.0.0.0

ipv6-dns-server1 IPv6 DNS server 1. ::

ipv6-dns-server2 IPv6 DNS server 2. ::

ipv6-wins-server1 IPv6 WINS server 1. ::

ipv6-wins-server2 IPv6 WINS server 2. ::

route-source-interface Enable/disable bind client side outgoing interface. disable

url-obscuration Enable/disable URL obscuration. disable

http-compression Enable/disable support HTTP compression. disable

http-only-cookie Enable/disable support HTTP only cookie. enable

deflate-compression-level Compression level (0~9). 6

deflate-min-data-size Minimum size to start compression (200 - 65535). 300

port SSL VPN access HTTPS port (1 - 65535). 10443

port-precedence Enable/disable SSLVPN port precedence over admin GUI HTTPS port. enable

auto-tunnel-static-route Enable/disable auto create static route for tunnel IP addresses. enable

header-x-forwarded-for Action taken on the HTTP x-forwarded-for header of forwarded requests. add

source-interface SSL VPN source interface of incoming traffic. (Empty)

source-address Source address of incoming traffic. (Empty)

source-address-negate Enable/disable negated source address match. disable

source-address6 IPv6 source address of incoming traffic. (Empty)

source-address6-negate Enable/disable negated source IPv6 address match. disable

default-portal Default SSL VPN portal. (Empty)

authentication-rule Authentication rule for SSL VPN. (Empty)

dtls-tunnel Enable/disable DTLS tunnel. enable

check-referer Enable/disable verification of referer field in HTTP request header. disable
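The vpn.ssl/settings table above lists the protocol, renegotiation, certificate and cookie switches together with their defaults. The Python script below is an added example written for this reference; it is not Fortinet code and not part of FortiOS. It parses a constructed "config vpn ssl settings" excerpt in the config/set/end form documented above, fills in the documented default for any setting the excerpt does not set, reports the values this example treats as weak (SSLv2, SSLv3 or TLS 1.0 enabled, either renegotiation switch enabled, the Fortinet_Factory certificate still in use, algorithm low, http-only-cookie disabled) and prints the set lines that would correct them. The weak-value list and the certificate placeholder are the example's own judgement; the parameter names and DEFAULTS come from the table.

```python
"""Audit a FortiOS 'config vpn ssl settings' block for weak transport settings.

Added example written for this reference, not Fortinet code. The configuration
text is constructed; parameter names and the DEFAULTS table are taken from the
vpn.ssl/settings description, while the weak-value list and the recommended
replacements are this example's own judgement.
"""

# Constructed excerpt in the 'config ... set ... end' form the reference documents.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set sslv3 enable
    set tlsv1-0 enable
    set tlsv1-1 enable
    set tlsv1-2 enable
    set unsafe-legacy-renegotiation enable
    set servercert "Fortinet_Factory"
    set algorithm low
    set port 10443
    set dtls-tunnel enable
end
"""

# Documented defaults (vpn.ssl/settings table) for the settings audited here.
DEFAULTS = {
    "sslv2": "disable",
    "sslv3": "disable",
    "tlsv1-0": "disable",
    "ssl-client-renegotiation": "disable",
    "unsafe-legacy-renegotiation": "disable",
    "servercert": "Fortinet_Factory",
    "algorithm": "high",
    "http-only-cookie": "enable",
}

# (setting, value considered weak, recommended value, reason). The
# classification is this example's, not a Fortinet recommendation; the
# certificate name is a placeholder to be replaced with a CA-issued certificate.
WEAK = [
    ("sslv2", "enable", "disable", "SSLv2 is obsolete"),
    ("sslv3", "enable", "disable", "SSLv3 is obsolete"),
    ("tlsv1-0", "enable", "disable", "TLS 1.0 is deprecated"),
    ("ssl-client-renegotiation", "enable", "disable",
     "client-initiated renegotiation lets a client force repeated handshakes"),
    ("unsafe-legacy-renegotiation", "enable", "disable",
     "legacy renegotiation without the secure-renegotiation extension"),
    ("servercert", "Fortinet_Factory", '"<your-CA-issued-certificate>"',
     "factory certificate: clients cannot verify the portal identity"),
    ("algorithm", "low", "high", "low-strength cipher suites accepted"),
    ("http-only-cookie", "disable", "enable", "session cookie readable from script"),
]


def parse_fortios(text):
    """Parse config/edit/set/next/end text into nested dicts keyed by table path.

    A 'config' line opens a dict, 'edit' opens an entry inside it, 'set' stores
    the (unquoted) value, and 'next'/'end' close the innermost open level.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head, _, rest = line.partition(" ")
        if head in ("config", "edit"):
            node = stack[-1].setdefault(rest.strip().strip('"'), {})
            stack.append(node)
        elif head == "set":
            key, _, value = rest.partition(" ")
            stack[-1][key] = value.strip().strip('"')
        elif head in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def audit_ssl_settings(settings):
    """Return (setting, effective value, recommended value, reason) findings.

    A setting missing from the block is evaluated at its documented default,
    so the factory certificate is reported even when servercert is never set.
    """
    findings = []
    for key, weak_value, recommended, reason in WEAK:
        effective = settings.get(key, DEFAULTS[key])
        if effective == weak_value:
            findings.append((key, effective, recommended, reason))
    return findings


def hardened_commands(findings):
    """Render the findings as the CLI lines that would correct them."""
    lines = ["config vpn ssl settings"]
    lines += [f"    set {key} {recommended}" for key, _, recommended, _ in findings]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    block = parse_fortios(SAMPLE_CONFIG)["vpn ssl settings"]
    found = audit_ssl_settings(block)
    for key, value, _, reason in found:
        print(f"{key} = {value}: {reason}")
    print(hardened_commands(found))
```

Point parse_fortios at the output of a configuration backup instead of SAMPLE_CONFIG to audit a real unit; the parser keeps nested tables (tunnel-ip-pools, authentication-rule) as nested dicts, so the same function can feed checks on other sections of this reference.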

vpn/l2tp
CLI Syntax
config vpn l2tp
edit <name_str>
set eip <ipv4-address>
set sip <ipv4-address>
set status {enable | disable}
set usrgrp <string>
end

Description
Configuration Description Default Value

eip End IP. 0.0.0.0

sip Start IP. 0.0.0.0

status Enable/disable FortiGate as a L2TP gateway. disable

usrgrp User group. (Empty)

vpn/pptp
CLI Syntax
config vpn pptp
edit <name_str>
set status {enable | disable}
set ip-mode {range | usrgrp}
set eip <ipv4-address>
set sip <ipv4-address>
set local-ip <ipv4-address>
set usrgrp <string>
end

Description
Configuration Description Default Value

status Enable/disable FortiGate as a PPTP gateway. disable

ip-mode IP assignment mode for PPTP client. range

eip End IP. 0.0.0.0

sip Start IP. 0.0.0.0

local-ip Local IP to be used for peer's remote IP. 0.0.0.0

usrgrp User group. (Empty)

waf/main-class
CLI Syntax
config waf main-class
edit <name_str>
set name <string>
set id <integer>
end

Description
Configuration Description Default Value

name Main signature class name. (Empty)

id Main signature class ID. 0

waf/profile
CLI Syntax
config waf profile
edit <name_str>
set name <string>
set external {disable | enable}
config signature
edit <name_str>
config main-class
edit <name_str>
set id <integer>
set status {enable | disable}
set action {allow | block | erase}
set log {enable | disable}
set severity {high | medium | low}
end
config disabled-sub-class
edit <name_str>
set id <integer>
end
config disabled-signature
edit <name_str>
set id <integer>
end
set credit-card-detection-threshold <integer>
config custom-signature
edit <name_str>
set name <string>
set status {enable | disable}
set action {allow | block | erase}
set log {enable | disable}
set severity {high | medium | low}
set direction {request | response}
set case-sensitivity {disable | enable}
set pattern <string>
set target {arg | arg-name | req-body | req-cookie | req-cookie-name | req-filename | req-header | req-header-name | req-raw-uri | req-uri | resp-body | resp-hdr | resp-status}
end
end
config constraint
edit <name_str>
config header-length
edit <name_str>
set status {enable | disable}
set length <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config content-length
edit <name_str>
set status {enable | disable}
set length <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config param-length
edit <name_str>
set status {enable | disable}
set length <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config line-length
edit <name_str>
set status {enable | disable}
set length <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config url-param-length
edit <name_str>
set status {enable | disable}
set length <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config version
edit <name_str>
set status {enable | disable}
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config method
edit <name_str>
set status {enable | disable}
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config hostname
edit <name_str>
set status {enable | disable}
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config malformed
edit <name_str>
set status {enable | disable}
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config max-cookie
edit <name_str>
set status {enable | disable}
set max-cookie <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config max-header-line
edit <name_str>
set status {enable | disable}
set max-header-line <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config max-url-param
edit <name_str>
set status {enable | disable}
set max-url-param <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config max-range-segment
edit <name_str>
set status {enable | disable}
set max-range-segment <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config exception
edit <name_str>
set id <integer>
set pattern <string>
set regex {enable | disable}
set address <string>
set header-length {enable | disable}
set content-length {enable | disable}
set param-length {enable | disable}
set line-length {enable | disable}
set url-param-length {enable | disable}
set version {enable | disable}
set method {enable | disable}
set hostname {enable | disable}
set malformed {enable | disable}
set max-cookie {enable | disable}
set max-header-line {enable | disable}
set max-url-param {enable | disable}
set max-range-segment {enable | disable}
end
end
config method
edit <name_str>
set status {enable | disable}
set log {enable | disable}
set severity {high | medium | low}
set default-allowed-methods {get | post | put | head | connect | trace | options | delete | others}
config method-policy
edit <name_str>
set id <integer>
set pattern <string>
set regex {enable | disable}
set address <string>
set allowed-methods {get | post | put | head | connect | trace | options | delete | others}
end
end
config address-list
edit <name_str>
set status {enable | disable}
set blocked-log {enable | disable}
set severity {high | medium | low}
config trusted-address
edit <name_str>
set name <string>
end
config blocked-address
edit <name_str>
set name <string>
end
end
config url-access
edit <name_str>
set id <integer>
set address <string>
set action {bypass | permit | block}
set log {enable | disable}
set severity {high | medium | low}
config access-pattern
edit <name_str>
set id <integer>
set srcaddr <string>
set pattern <string>
set regex {enable | disable}
set negate {enable | disable}
end
end
set comment <var-string>
end

Description
Configuration Description Default Value

name WAF Profile name. (Empty)

external Disable/Enable external HTTP Inspection. disable

signature WAF signatures. Details below

Configuration Default Value


main-class (Empty)
disabled-sub-class (Empty)
disabled-signature (Empty)
credit-card-detection-threshold 3
custom-signature (Empty)

constraint WAF HTTP protocol restrictions. Details below

Configuration Default Value

header-length {"status":"disable","length":8192,"action":"allow","log":"disable","severity":"medium"}
content-length {"status":"disable","length":67108864,"action":"allow","log":"disable","severity":"medium"}
param-length {"status":"disable","length":8192,"action":"allow","log":"disable","severity":"medium"}
line-length {"status":"disable","length":1024,"action":"allow","log":"disable","severity":"medium"}
url-param-length {"status":"disable","length":8192,"action":"allow","log":"disable","severity":"medium"}
version {"status":"disable","action":"allow","log":"disable","severity":"medium"}
method {"status":"disable","action":"allow","log":"disable","severity":"medium"}
hostname {"status":"disable","action":"allow","log":"disable","severity":"medium"}
malformed {"status":"disable","action":"allow","log":"disable","severity":"medium"}
max-cookie {"status":"disable","max-cookie":16,"action":"allow","log":"disable","severity":"medium"}
max-header-line {"status":"disable","max-header-line":32,"action":"allow","log":"disable","severity":"medium"}
max-url-param {"status":"disable","max-url-param":16,"action":"allow","log":"disable","severity":"medium"}
max-range-segment {"status":"disable","max-range-segment":5,"action":"allow","log":"disable","severity":"medium"}
exception (Empty)

method Method restriction. Details below

Configuration Default Value


status disable
log disable
severity medium
default-allowed-methods (Empty)
method-policy (Empty)

address-list Black address list and white address list. Details below

Configuration Default Value
status disable
blocked-log disable
severity medium
trusted-address (Empty)
blocked-address (Empty)

url-access URL access list. (Empty)

comment Comment. (Empty)
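The constraint sub-table of waf/profile above gives each HTTP protocol restriction with its default limit, action, log flag and severity, all disabled out of the box. The Python script below is an added example written for this reference, not FortiOS code: it measures a constructed raw HTTP/1.x request, evaluates it against a copy of those defaults, and reports which enabled constraints fire with their configured action and severity. How each constraint is measured here (bytes of the request head for header-length, the longest query value for param-length, the number of Cookie pairs for max-cookie, the number of Range segments for max-range-segment, and so on) is this example's reading of the table, not Fortinet's implementation; the method and malformed constraints are not modelled.

```python
"""Evaluate an HTTP request against the WAF 'constraint' defaults from waf/profile.

Added example for this reference, not FortiOS code. The request below is
constructed, and the way each constraint is measured is this example's reading
of the table; the default values are copied from the reference.
"""
from urllib.parse import urlsplit, parse_qsl

# Default values copied from the waf/profile constraint table.
CONSTRAINT_DEFAULTS = {
    "header-length":     {"status": "disable", "length": 8192, "action": "allow", "log": "disable", "severity": "medium"},
    "content-length":    {"status": "disable", "length": 67108864, "action": "allow", "log": "disable", "severity": "medium"},
    "param-length":      {"status": "disable", "length": 8192, "action": "allow", "log": "disable", "severity": "medium"},
    "line-length":       {"status": "disable", "length": 1024, "action": "allow", "log": "disable", "severity": "medium"},
    "url-param-length":  {"status": "disable", "length": 8192, "action": "allow", "log": "disable", "severity": "medium"},
    "version":           {"status": "disable", "action": "allow", "log": "disable", "severity": "medium"},
    "hostname":          {"status": "disable", "action": "allow", "log": "disable", "severity": "medium"},
    "max-cookie":        {"status": "disable", "max-cookie": 16, "action": "allow", "log": "disable", "severity": "medium"},
    "max-header-line":   {"status": "disable", "max-header-line": 32, "action": "allow", "log": "disable", "severity": "medium"},
    "max-url-param":     {"status": "disable", "max-url-param": 16, "action": "allow", "log": "disable", "severity": "medium"},
    "max-range-segment": {"status": "disable", "max-range-segment": 5, "action": "allow", "log": "disable", "severity": "medium"},
}

# Which key of each constraint's dict holds its numeric limit.
LIMIT_KEY = {
    "header-length": "length", "content-length": "length", "param-length": "length",
    "line-length": "length", "url-param-length": "length",
    "max-cookie": "max-cookie", "max-header-line": "max-header-line",
    "max-url-param": "max-url-param", "max-range-segment": "max-range-segment",
}


def enabled_profile(action="allow", log="enable"):
    """Copy of the defaults with every constraint switched on (status enable)."""
    return {name: dict(cfg, status="enable", action=action, log=log)
            for name, cfg in CONSTRAINT_DEFAULTS.items()}


def measure_request(raw):
    """Compute one metric per constraint from a raw HTTP/1.x request (bytes)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = {}
    for hl in header_lines:
        name, _, value = hl.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    parts = request_line.split(b" ", 2)
    method, target, version = (parts + [b"", b""])[:3]
    query = urlsplit(target.decode("latin-1")).query
    params = parse_qsl(query, keep_blank_values=True)
    cookies = [c for v in headers.get(b"cookie", []) for c in v.split(b";") if c.strip()]
    ranges = [s for v in headers.get(b"range", []) for s in v.partition(b"=")[2].split(b",") if s.strip()]
    return {
        "header-length": len(head),                         # request line plus all header bytes
        "content-length": int(headers.get(b"content-length", [b"0"])[0] or 0),
        "param-length": max((len(v) for _, v in params), default=0),  # longest query value
        "line-length": max(len(ln) for ln in lines),
        "url-param-length": len(query),                     # whole query string
        "max-cookie": len(cookies),
        "max-header-line": len(header_lines),
        "max-url-param": len(params),
        "max-range-segment": len(ranges),
        "version": version.decode("latin-1"),
        "hostname": headers.get(b"host", [b""])[0].decode("latin-1"),
    }


def evaluate(raw, profile):
    """Return (constraint, action, severity, log) for each enabled constraint the request violates."""
    m = measure_request(raw)
    hits = []
    for name, cfg in profile.items():
        if cfg["status"] != "enable":
            continue
        if name in LIMIT_KEY:
            violated = m[name] > cfg[LIMIT_KEY[name]]
        elif name == "version":
            violated = m["version"] not in ("HTTP/1.0", "HTTP/1.1")
        elif name == "hostname":
            violated = m["hostname"] == ""
        else:
            continue  # method and malformed are not modelled in this example
        if violated:
            hits.append((name, cfg["action"], cfg["severity"], cfg["log"]))
    return hits


def decision(hits):
    """'block' if any violated constraint has action block, otherwise 'allow'."""
    return "block" if any(action == "block" for _, action, _, _ in hits) else "allow"


# Constructed request: oversized query value, 17 cookies and a 6-segment Range header.
SAMPLE_REQUEST = (
    "GET /search?q=" + "A" * 9000 + "&page=2 HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "User-Agent: constructed-sample/1.0\r\n"
    "Range: bytes=" + ",".join(f"{i * 10}-{i * 10 + 5}" for i in range(6)) + "\r\n"
    "Cookie: " + "; ".join(f"c{i}=v{i}" for i in range(17)) + "\r\n"
    "\r\n"
).encode("latin-1")

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_REQUEST, enabled_profile(action="block")):
        print(hit)
```

With the defaults untouched nothing fires, because every constraint ships with status disable; switching status to enable while leaving action allow and log enable gives a detect-only run, which is how a practitioner would baseline real traffic before turning any action to block.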

waf/signature
CLI Syntax
config waf signature
edit <name_str>
set desc <string>
set id <integer>
end

Description
Configuration Description Default Value

desc Signature description. (Empty)

id Signature ID. 0

waf/sub-class
CLI Syntax
config waf sub-class
edit <name_str>
set name <string>
set id <integer>
end

Description
Configuration Description Default Value

name Signature subclass name. (Empty)

id Signature subclass ID. 0

wanopt/auth-group
CLI Syntax
config wanopt auth-group
edit <name_str>
set name <string>
set auth-method {cert | psk}
set psk <password>
set cert <string>
set peer-accept {any | defined | one}
set peer <string>
end

Description
Configuration Description Default Value

name Auth-group name. (Empty)

auth-method Group authentication method. cert

psk Pre-shared secret for PSK authentication. (Empty)

cert Name of certificate to identify this host. (Empty)

peer-accept Peer acceptance method. any

peer Peer host ID. (Empty)

wanopt/peer
CLI Syntax
config wanopt peer
edit <name_str>
set peer-host-id <string>
set ip <ipv4-address-any>
end

Description
Configuration Description Default Value

peer-host-id Peer host ID. (Empty)

ip Peer IP address. 0.0.0.0

wanopt/profile
CLI Syntax
config wanopt profile
edit <name_str>
set name <string>
set transparent {enable | disable}
set comments <var-string>
set auth-group <string>
config http
edit <name_str>
set status {enable | disable}
set secure-tunnel {enable | disable}
set byte-caching {enable | disable}
set prefer-chunking {dynamic | fix}
set tunnel-sharing {private | shared | express-shared}
set log-traffic {enable | disable}
set port <integer>
set ssl {enable | disable}
set ssl-port <integer>
set unknown-http-version {reject | tunnel | best-effort}
set tunnel-non-http {enable | disable}
end
config cifs
edit <name_str>
set status {enable | disable}
set secure-tunnel {enable | disable}
set byte-caching {enable | disable}
set prefer-chunking {dynamic | fix}
set tunnel-sharing {private | shared | express-shared}
set log-traffic {enable | disable}
set port <integer>
end
config mapi
edit <name_str>
set status {enable | disable}
set secure-tunnel {enable | disable}
set byte-caching {enable | disable}
set tunnel-sharing {private | shared | express-shared}
set log-traffic {enable | disable}
set port <integer>
end
config ftp
edit <name_str>
set status {enable | disable}
set secure-tunnel {enable | disable}
set byte-caching {enable | disable}
set prefer-chunking {dynamic | fix}
set tunnel-sharing {private | shared | express-shared}
set log-traffic {enable | disable}
set port <integer>
end
config tcp
edit <name_str>
set status {enable | disable}
set secure-tunnel {enable | disable}
set byte-caching {enable | disable}
set byte-caching-opt {mem-only | mem-disk}
set tunnel-sharing {private | shared | express-shared}
set log-traffic {enable | disable}
set port <user>
set ssl {enable | disable}
set ssl-port <integer>
end
end

Description
Configuration Description Default Value

name Profile name. (Empty)

transparent Enable/disable transparent mode. enable

comments Comment. (Empty)

auth-group Peer authentication group. (Empty)

http HTTP protocol settings. Details below

Configuration Default Value


status disable
secure-tunnel disable
byte-caching enable
prefer-chunking fix
tunnel-sharing private
log-traffic enable
port 80
ssl disable
ssl-port 443
unknown-http-version tunnel
tunnel-non-http disable

cifs CIFS protocol settings. Details below

Configuration Default Value


status disable
secure-tunnel disable
byte-caching enable
prefer-chunking fix
tunnel-sharing private
log-traffic enable
port 445

mapi MAPI protocol settings. Details below

Configuration Default Value
status disable
secure-tunnel disable
byte-caching enable
tunnel-sharing private
log-traffic enable
port 135

ftp FTP protocol settings. Details below

Configuration Default Value


status disable
secure-tunnel disable
byte-caching enable
prefer-chunking fix
tunnel-sharing private
log-traffic enable
port 21

tcp TCP protocol settings. Details below

Configuration Default Value


status disable
secure-tunnel disable
byte-caching disable
byte-caching-opt mem-only
tunnel-sharing private
log-traffic enable
port 1-65535
ssl disable
ssl-port 443 990 995 465 993

wanopt/settings
CLI Syntax
config wanopt settings
edit <name_str>
set host-id <string>
set tunnel-ssl-algorithm {high | medium | low}
set auto-detect-algorithm {simple | diff-req-resp}
end

Description
Configuration Description Default Value

host-id Host identity. default-id

tunnel-ssl-algorithm Relative strength of encryption algorithms accepted in tunnel negotiation. high

auto-detect-algorithm Auto detection algorithms used in tunnel negotiation. simple

wanopt/storage
CLI Syntax
config wanopt storage
edit <name_str>
set name <string>
set size <integer>
set webcache-storage-percentage <integer>
set webcache-storage-size <user>
set wan-optimization-cache-storage-size <user>
end

Description
Configuration Description Default Value

name Storage name. (Empty)

size Maximum total size of files within the storage (MB). 1024

webcache-storage-percentage Percentage of storage available for Web cache. The rest is used for WAN optimization. 50

webcache-storage-size Web cache storage size. (Empty)

wan-optimization-cache-storage-size WAN optimization cache storage size. (Empty)

wanopt/webcache
CLI Syntax
config wanopt webcache
edit <name_str>
set max-object-size <integer>
set neg-resp-time <integer>
set fresh-factor <integer>
set max-ttl <integer>
set min-ttl <integer>
set default-ttl <integer>
set ignore-ims {enable | disable}
set ignore-conditional {enable | disable}
set ignore-pnc {enable | disable}
set ignore-ie-reload {enable | disable}
set cache-expired {enable | disable}
set cache-cookie {enable | disable}
set reval-pnc {enable | disable}
set always-revalidate {enable | disable}
set cache-by-default {enable | disable}
set host-validate {enable | disable}
set external {enable | disable}
end

Description
Configuration Description Default Value

max-object-size Maximum cacheable object size in kB, the maximum is 2147483 (2GB). 512000

neg-resp-time Duration of negative responses cache. 0

fresh-factor Fresh factor percentage (1 - 100 percent). 100

max-ttl Maximum TTL in minutes (default = 7200 (5 days); maximum = 5256000 (100 years)). 7200

min-ttl Minimum TTL in minutes (default = 5; maximum = 5256000 (100 years)). 5

default-ttl Default TTL minutes (default = 1440 (1 day); maximum = 5256000 (100 years)). 1440

ignore-ims Enable/disable ignore if-modified-since. disable

ignore-conditional Enable/disable ignore HTTP 1.1 conditionals. disable

ignore-pnc Enable/disable ignore pragma-no-cache. disable

ignore-ie-reload Enable/disable ignore IE reload. enable

cache-expired Enable/disable cache expired objects. disable

cache-cookie Enable/disable caching of HTTP response with Set-Cookie header. disable

reval-pnc Enable/disable re-validation of pragma-no-cache. disable

always-revalidate Enable/disable re-validation of requested cached object with content server before serving it to client. disable

cache-by-default Enable/disable caching of content lacking explicit caching policy from server. disable

host-validate Enable/disable validating "Host:" with original server IP. disable

external Enable/disable external cache. disable

web-proxy/debug-url
CLI Syntax
config web-proxy debug-url
edit <name_str>
set name <string>
set url-pattern <string>
set status {enable | disable}
set exact {enable | disable}
end

Description
Configuration Description Default Value

name Debug URL name. (Empty)

url-pattern URL exemption pattern. (Empty)

status Enable/disable this URL exemption. enable

exact Enable/disable match exact path. enable

web-proxy/explicit
CLI Syntax
config web-proxy explicit
edit <name_str>
set status {enable | disable}
set ftp-over-http {enable | disable}
set socks {enable | disable}
set http-incoming-port <integer>
set https-incoming-port <integer>
set ftp-incoming-port <integer>
set socks-incoming-port <integer>
set incoming-ip <ipv4-address-any>
set outgoing-ip <ipv4-address-any>
set ipv6-status {enable | disable}
set incoming-ip6 <ipv6-address>
set outgoing-ip6 <ipv6-address>
set strict-guest {enable | disable}
set pref-dns-result {ipv4 | ipv6}
set unknown-http-version {reject | best-effort}
set realm <string>
set sec-default-action {accept | deny}
set https-replacement-message {enable | disable}
set message-upon-server-error {enable | disable}
set pac-file-server-status {enable | disable}
set pac-file-server-port <integer>
set pac-file-name <string>
set pac-file-data <user>
set pac-file-url <user>
set ssl-algorithm {high | medium | low}
end

Description
Configuration Description Default Value

status Enable/disable explicit Web proxy. disable

ftp-over-http Enable/disable FTP-over-HTTP. disable

socks Enable/disable SOCKS proxy. disable

http-incoming-port Accept incoming HTTP requests on ports other than port 80. 8080

https-incoming-port Accept incoming HTTPS requests on this port. 0

ftp-incoming-port Accept incoming FTP-over-HTTP requests on this port. 0

socks-incoming-port Accept incoming SOCKS proxy requests on this port. 0

incoming-ip Accept incoming HTTP requests from this IP. An interface must have this IP address. 0.0.0.0

outgoing-ip Outgoing HTTP requests will leave this IP. An interface must have this IP address. (Empty)

ipv6-status Enable/disable IPv6 destination in policy. disable

incoming-ip6 Accept incoming HTTP requests from this IP. An interface must have this IP address. ::

outgoing-ip6 Outgoing HTTP requests will leave this IP. An interface must have this IP address. (Empty)

strict-guest Enable/disable strict guest user check in explicit proxy. disable

pref-dns-result IPv4 or IPv6 DNS result preference. ipv4

unknown-http-version Unknown HTTP version handling. reject

realm Authentication realm. default

sec-default-action Default action to allow or deny when no web-proxy firewall policy exists. deny

https-replacement-message Default action to enable or disable return replacement message for HTTPS requests. enable

message-upon-server-error Enable/disable return of replacement message upon server error detection. enable

pac-file-server-status Enable/disable PAC file server. disable

pac-file-server-port PAC file server listening port. 0

pac-file-name PAC file name. proxy.pac

pac-file-data PAC file contents. (Empty)

pac-file-url PAC file access URL. (Empty)

ssl-algorithm Relative strength of encryption algorithms accepted in HTTPS deep-scan. high

web-proxy/forward-server
CLI Syntax
config web-proxy forward-server
edit <name_str>
set name <string>
set ip <ipv4-address-any>
set fqdn <string>
set addr-type {ip | fqdn}
set port <integer>
set healthcheck {disable | enable}
set monitor <string>
set server-down-option {block | pass}
set comment <string>
end

Description
Configuration Description Default Value

name Server name. (Empty)

ip Forward server IP. 0.0.0.0

fqdn Forward server FQDN. (Empty)

addr-type Address type. ip

port Forward server port. 3128

healthcheck Enable/disable forward server health checking. disable

monitor Forward health checking URL. http://www.google.com

server-down-option Action when forward server is down. block

comment Comment. (Empty)

web-proxy/forward-server-group
CLI Syntax
config web-proxy forward-server-group
edit <name_str>
set name <string>
set affinity {enable | disable}
set ldb-method {weighted | least-session}
set group-down-option {block | pass}
config server-list
edit <name_str>
set name <string>
set weight <integer>
end
end

Description
Configuration Description Default Value

name Forward server group name. (Empty)

affinity Enable/disable affinity. enable

ldb-method Load balance method. weighted

group-down-option Action when group is down. block

server-list Forward server list. (Empty)

web-proxy/global
CLI Syntax
config web-proxy global
edit <name_str>
set proxy-fqdn <string>
set max-request-length <integer>
set max-message-length <integer>
set strict-web-check {enable | disable}
set forward-proxy-auth {enable | disable}
set tunnel-non-http {enable | disable}
set unknown-http-version {reject | tunnel | best-effort}
set forward-server-affinity-timeout <integer>
set max-waf-body-cache-length <integer>
set webproxy-profile <string>
end

Description
Configuration Description Default Value

proxy-fqdn Proxy FQDN. default.fqdn

max-request-length Maximum length of HTTP request line (1kB units (1024 Bytes)). 4

max-message-length Maximum length of HTTP message not including body (1kB units (1024 Bytes)). 32

strict-web-check Enable/disable strict web check. disable

forward-proxy-auth Enable/disable forward proxy authentication. disable

tunnel-non-http Enable/disable non-HTTP tunnel. enable

unknown-http-version Unknown HTTP version handling. best-effort

forward-server-affinity-timeout Timeout of the forward server affinity (6 - 60 min, default = 30 min). 30

max-waf-body-cache-length Maximum length of HTTP message (1kB units (1024 Bytes)) processed by Web Application Firewall. 100

webproxy-profile Web proxy profile used when no policy matches. (Empty)

web-proxy/profile
CLI Syntax
config web-proxy profile
    edit <name_str>
        set name <string>
        set header-client-ip {pass | add | remove}
        set header-via-request {pass | add | remove}
        set header-via-response {pass | add | remove}
        set header-x-forwarded-for {pass | add | remove}
        set header-front-end-https {pass | add | remove}
        config headers
            edit <name_str>
                set id <integer>
                set name <string>
                set action {add-to-request | add-to-response | remove-from-request | remove-from-response}
                set content <string>
        end
end

Description
Configuration             Description  Default Value

name                      Profile name.  (Empty)
header-client-ip          Action for the HTTP client-IP header in forwarded requests.  pass
header-via-request        Action for the HTTP via header in forwarded requests.  pass
header-via-response       Action for the HTTP via header in forwarded responses.  pass
header-x-forwarded-for    Action for the HTTP x-forwarded-for header in forwarded requests.  pass
header-front-end-https    Action for the HTTP front-end-HTTPS header in forwarded requests.  pass
headers                   Configure HTTP forwarded request headers.  (Empty)

web-proxy/url-match
CLI Syntax
config web-proxy url-match
    edit <name_str>
        set name <string>
        set status {enable | disable}
        set url-pattern <string>
        set forward-server <string>
        set cache-exemption {enable | disable}
        set comment <var-string>
end

Description
Configuration             Description  Default Value

name                      Configure URL name.  (Empty)
status                    Enable/disable per URL pattern web proxy forwarding and cache exemptions.  enable
url-pattern               URL pattern.  (Empty)
forward-server            Forward server name.  (Empty)
cache-exemption           Enable/disable cache exemption for this URL pattern.  disable
comment                   Comment.  (Empty)

webfilter/content
CLI Syntax
config webfilter content
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set name <string>
                set pattern-type {wildcard | regexp}
                set status {enable | disable}
                set lang {western | simch | trach | japanese | korean | french | thai | spanish | cyrillic}
                set score <integer>
                set action {block | exempt}
        end
end

Description
Configuration             Description  Default Value

id                        ID.  0
name                      Name of table.  (Empty)
comment                   Comment.  (Empty)
entries                   Configure web filter banned words.  (Empty)

webfilter/content-header
CLI Syntax
config webfilter content-header
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set pattern <string>
                set action {block | allow | exempt}
                set category <user>
        end
end

Description
Configuration             Description  Default Value

id                        ID.  0
name                      Name of table.  (Empty)
comment                   Comment.  (Empty)
entries                   Configure content types used by web filter.  (Empty)

webfilter/cookie-ovrd
CLI Syntax
config webfilter cookie-ovrd
    edit <name_str>
        set auth-epoch <integer>
        set redir-host <string>
        set redir-port <integer>
        set cookie-name <string>
end

Description
Configuration             Description  Default Value

auth-epoch                Current authentication epoch - changing this value will invalidate all currently issued override cookies.  0
redir-host                Domain name or IP of host that will be used to validate override authentication cookies.  (Empty)
redir-port                TCP port that will be used on "redir-host" to validate override authentication cookies.  20080
cookie-name               Name to use for override authentication cookies.  wfovrdZnkHSb2CESh

webfilter/fortiguard
CLI Syntax
config webfilter fortiguard
    edit <name_str>
        set cache-mode {ttl | db-ver}
        set cache-prefix-match {enable | disable}
        set cache-mem-percent <integer>
        set ovrd-auth-port-http <integer>
        set ovrd-auth-port-https <integer>
        set ovrd-auth-port-warning <integer>
        set ovrd-auth-https {enable | disable}
        set warn-auth-https {enable | disable}
        set close-ports {enable | disable}
        set request-packet-size-limit <integer>
        set ovrd-auth-port <integer>
end

Description
Configuration             Description  Default Value

cache-mode                Cache entry expiration mode.  ttl
cache-prefix-match        Enable/disable prefix matching in the cache.  enable
cache-mem-percent         Maximum percentage of available memory allocated to caching (1 - 15%).  2
ovrd-auth-port-http       Port to use for FortiGuard Web Filter HTTP override authentication.  8008
ovrd-auth-port-https      Port to use for FortiGuard Web Filter HTTPS override authentication.  8010
ovrd-auth-port-warning    Port to use for FortiGuard Web Filter Warning override authentication.  8020
ovrd-auth-https           Enable/disable use of HTTPS for override authentication.  enable
warn-auth-https           Enable/disable use of HTTPS for warning and authentication.  enable
close-ports               Close ports used for HTTP/HTTPS override authentication and disable user overrides.  disable
request-packet-size-limit  Limit size of URL request packets sent to FortiGuard server (0 for default).  0
ovrd-auth-port            Port to use for FortiGuard Web Filter override authentication.  8008

webfilter/ftgd-local-cat
CLI Syntax
config webfilter ftgd-local-cat
    edit <name_str>
        set id <integer>
        set desc <string>
end

Description
Configuration             Description  Default Value

id                        Local category ID.  0
desc                      Local category description.  (Empty)

webfilter/ftgd-local-rating
CLI Syntax
config webfilter ftgd-local-rating
    edit <name_str>
        set url <string>
        set status {enable | disable}
        set rating <user>
end

Description
Configuration             Description  Default Value

url                       URL to rate locally.  (Empty)
status                    Enable/disable local rating.  enable
rating                    Local rating.

webfilter/ftgd-warning
CLI Syntax
config webfilter ftgd-warning
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set scope {user | user-group | ip | ip6}
        set ip <ipv4-address>
        set user <string>
        set user-group <string>
        set old-profile <string>
        set expires <user>
        set rating <integer>
end

Description
Configuration             Description  Default Value

id                        Specify the override rule ID.  0
status                    Enable/disable override rule.  disable
scope                     Specify the scope of the override rule.  user
ip                        Specify the IP address for which the override applies.  0.0.0.0
user                      Specify the username for which the override applies.  (Empty)
user-group                Specify the user group for which the override applies.  (Empty)
old-profile               Specify the web-filter profile for which the override applies.  (Empty)
expires                   Specify when the override expires.  1969/12/31 16:00:00
rating                    Ratings associated with the overridden filter.  0

webfilter/ips-urlfilter-cache-setting
CLI Syntax
config webfilter ips-urlfilter-cache-setting
    edit <name_str>
        set dns-retry-interval <integer>
        set extended-ttl <integer>
end

Description
Configuration             Description  Default Value

dns-retry-interval        Retry interval. Refresh DNS faster than the TTL to capture multiple IPs for hosts. 0 means use the DNS server's TTL only.  0
extended-ttl              Extend the time to live beyond that reported by DNS. 0 means use the DNS server's TTL.  0

webfilter/ips-urlfilter-setting
CLI Syntax
config webfilter ips-urlfilter-setting
    edit <name_str>
        set device <string>
        set distance <integer>
        set gateway <ipv4-address>
end

Description
Configuration             Description  Default Value

device                    Outgoing interface for the gateway.  (Empty)
distance                  Administrative distance (1 - 255).  1
gateway                   Gateway IP for this route.  0.0.0.0

webfilter/override
CLI Syntax
config webfilter override
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set scope {user | user-group | ip | ip6}
        set ip <ipv4-address>
        set user <string>
        set user-group <string>
        set old-profile <string>
        set new-profile <string>
        set ip6 <ipv6-address>
        set expires <user>
        set initiator <string>
end

Description
Configuration             Description  Default Value

id                        Specify the override rule ID.  0
status                    Enable/disable override rule.  disable
scope                     Specify the scope of the override rule.  user
ip                        Specify the IP address for which the override applies.  0.0.0.0
user                      Specify the username for which the override applies.  (Empty)
user-group                Specify the user group for which the override applies.  (Empty)
old-profile               Specify the web-filter profile for which the override applies.  (Empty)
new-profile               Specify the new web-filter profile to apply as the override.  (Empty)
ip6                       Specify the IPv6 address for which the override applies.  ::
expires                   Specify when the override expires.  1969/12/31 16:00:00
initiator                 Initiating user of the override (not settable).  (Empty)

webfilter/override-user
CLI Syntax
config webfilter override-user
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set scope {user | user-group | ip | ip6}
        set ip <ipv4-address>
        set user <string>
        set user-group <string>
        set old-profile <string>
        set new-profile <string>
        set ip6 <ipv6-address>
        set expires <user>
        set initiator <string>
end

Description
Configuration             Description  Default Value

id                        Specify the override rule ID.  0
status                    Enable/disable override rule.  disable
scope                     Specify the scope of the override rule.  user
ip                        Specify the IP address for which the override applies.  0.0.0.0
user                      Specify the username for which the override applies.  (Empty)
user-group                Specify the user group for which the override applies.  (Empty)
old-profile               Specify the web-filter profile for which the override applies.  (Empty)
new-profile               Specify the new web-filter profile to apply as the override.  (Empty)
ip6                       Specify the IPv6 address for which the override applies.  ::
expires                   Specify when the override expires.  1969/12/31 16:00:00
initiator                 Initiating user of the override (not settable).  (Empty)

webfilter/profile
CLI Syntax
config webfilter profile
    edit <name_str>
        set name <string>
        set comment <var-string>
        set replacemsg-group <string>
        set inspection-mode {proxy | flow-based | dns}
        set options {rangeblock | activexfilter | cookiefilter | javafilter | block-invalid-url | jscript | js | vbs | unknown | intrinsic | wf-referer | wf-cookie | https-url-scan | per-user-bwl}
        set https-replacemsg {enable | disable}
        set ovrd-perm {bannedword-override | urlfilter-override | fortiguard-wf-override | contenttype-check-override}
        set post-action {normal | comfort | block}
        config override
            edit <name_str>
                set ovrd-cookie {allow | deny}
                set ovrd-scope {user | user-group | ip | browser | ask}
                set profile-type {list | radius}
                set ovrd-dur-mode {constant | ask}
                set ovrd-dur <user>
                set profile-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
                config ovrd-user-group
                    edit <name_str>
                        set name <string>
                end
                config profile
                    edit <name_str>
                        set name <string>
                end
        end
        config web
            edit <name_str>
                set bword-threshold <integer>
                set bword-table <integer>
                set urlfilter-table <integer>
                set content-header-list <integer>
                set blacklist {enable | disable}
                set whitelist {exempt-av | exempt-webcontent | exempt-activex-java-cookie | exempt-dlp | exempt-rangeblock | extended-log-others}
                set safe-search {url | header}
                set youtube-edu-filter-id <string>
                set log-search {enable | disable}
                config keyword-match
                    edit <name_str>
                        set pattern <string>
                end
        end
        config ftgd-wf
            edit <name_str>
                set options {error-allow | http-err-detail | rate-image-urls | rate-server-ip | redir-block | connect-request-bypass | ftgd-disable}
                set category-override <user>
                set exempt-quota <user>
                set ovrd <user>
                config filters
                    edit <name_str>
                        set id <integer>
                        set category <integer>
                        set action {block | authenticate | monitor | warning}
                        set warn-duration <user>
                        config auth-usr-grp
                            edit <name_str>
                                set name <string>
                        end
                        set log {enable | disable}
                        set override-replacemsg <string>
                        set warning-prompt {per-domain | per-category}
                        set warning-duration-type {session | timeout}
                end
                config quota
                    edit <name_str>
                        set id <integer>
                        set category <user>
                        set type {time | traffic}
                        set unit {B | KB | MB | GB}
                        set value <integer>
                        set duration <user>
                        set override-replacemsg <string>
                end
                set max-quota-timeout <integer>
                set rate-image-urls {disable | enable}
                set rate-javascript-urls {disable | enable}
                set rate-css-urls {disable | enable}
                set rate-crl-urls {disable | enable}
        end
        set wisp {enable | disable}
        set log-all-url {enable | disable}
        set web-content-log {enable | disable}
        set web-filter-activex-log {enable | disable}
        set web-filter-command-block-log {enable | disable}
        set web-filter-cookie-log {enable | disable}
        set web-filter-applet-log {enable | disable}
        set web-filter-jscript-log {enable | disable}
        set web-filter-js-log {enable | disable}
        set web-filter-vbs-log {enable | disable}
        set web-filter-unknown-log {enable | disable}
        set web-filter-referer-log {enable | disable}
        set web-filter-cookie-removal-log {enable | disable}
        set web-url-log {enable | disable}
        set web-invalid-domain-log {enable | disable}
        set web-ftgd-err-log {enable | disable}
        set web-ftgd-quota-usage {enable | disable}
end

Description
Configuration             Description  Default Value

name                      Profile name.  (Empty)
comment                   Comment.  (Empty)
replacemsg-group          Replacement message group.  (Empty)
inspection-mode           Web filtering inspection mode.  proxy
options                   Options.  (Empty)
https-replacemsg          Enable replacement message display for non-deep SSL inspection.  enable
ovrd-perm                 Override permit option.  (Empty)
post-action               Action for HTTP POST requests.  normal
override                  Web Filter override settings.  Details below
    Configuration         Default Value
    ovrd-cookie           deny
    ovrd-scope            user
    profile-type          list
    ovrd-dur-mode         constant
    ovrd-dur              15m
    profile-attribute     Login-LAT-Service
    ovrd-user-group       (Empty)
    profile               (Empty)
web                       Web settings.  Details below
    Configuration         Default Value
    bword-threshold       10
    bword-table           0
    urlfilter-table       0
    content-header-list   0
    blacklist             disable
    whitelist             (Empty)
    safe-search           (Empty)
    youtube-edu-filter-id  (Empty)
    log-search            disable
    keyword-match         (Empty)
ftgd-wf                   FortiGuard Web Filter settings.  Details below
    Configuration         Default Value
    options               ftgd-disable
    category-override
    exempt-quota          17
    ovrd
    filters               (Empty)
    quota                 (Empty)
    max-quota-timeout     300
    rate-image-urls       enable
    rate-javascript-urls  enable
    rate-css-urls         enable
    rate-crl-urls         enable
wisp                      Enable/disable web proxy WISP.  disable
log-all-url               Enable/disable logging of all URLs visited.  disable
web-content-log           Enable/disable logging for web filter content blocking.  enable
web-filter-activex-log    Enable/disable logging for web script filtering on ActiveX.  enable
web-filter-command-block-log  Enable/disable logging for web filtering on command blocking.  enable
web-filter-cookie-log     Enable/disable logging for web script filtering on cookies.  enable
web-filter-applet-log     Enable/disable logging for web script filtering on Java applets.  enable
web-filter-jscript-log    Enable/disable logging for web script filtering on JScripts.  enable
web-filter-js-log         Enable/disable logging for web script filtering on Java scripts.  enable
web-filter-vbs-log        Enable/disable logging for web script filtering on VB scripts.  enable
web-filter-unknown-log    Enable/disable logging for web script filtering on unknown scripts.  enable

web-filter-referer-log    Enable/disable logging of web filter referrer block.  enable
web-filter-cookie-removal-log  Enable/disable logging of web filter cookie block.  enable
web-url-log               Enable/disable logging for URL filtering.  enable
web-invalid-domain-log    Enable/disable logging for web filtering of invalid domain names.  enable
web-ftgd-err-log          Enable/disable logging for FortiGuard Web Filter rating errors.  enable
web-ftgd-quota-usage      Enable/disable logging for FortiGuard Web Filter quota usage each day.  enable

webfilter/search-engine
CLI Syntax
config webfilter search-engine
    edit <name_str>
        set name <string>
        set hostname <string>
        set url <string>
        set query <string>
        set safesearch {disable | url | header}
        set charset {utf-8 | gb2312}
        set safesearch-str <string>
end

Description
Configuration             Description  Default Value

name                      Search engine name.  (Empty)
hostname                  Hostname regular expression.  (Empty)
url                       URL regular expression.  (Empty)
query                     Query string (must end with an equals character).  (Empty)
safesearch                Safe search mode (disable, url or header).  disable
charset                   Search engine charset.  utf-8
safesearch-str            Safe search parameter.  (Empty)

webfilter/urlfilter
CLI Syntax
config webfilter urlfilter
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        set one-arm-ips-urlfilter {enable | disable}
        set ip-addr-block {enable | disable}
        config entries
            edit <name_str>
                set id <integer>
                set url <string>
                set type {simple | regex | wildcard}
                set action {exempt | block | allow | monitor}
                set status {enable | disable}
                set exempt {av | filepattern | web-content | activex-java-cookie | dlp | fortiguard | range-block | pass | all}
                set web-proxy-profile <string>
                set referrer-host <string>
        end
end

Description
Configuration             Description  Default Value

id                        ID.  0
name                      Name of table.  (Empty)
comment                   Comment.  (Empty)
one-arm-ips-urlfilter     Enable/disable DNS resolver for one-arm IPS URL filter operation.  disable
ip-addr-block             Enable/disable blocking of URLs whose hostname appears as an IP address.  disable
entries                   Web filter/URL filter entries.  (Empty)

wireless-controller/ap-status
CLI Syntax
config wireless-controller ap-status
    edit <name_str>
        set id <integer>
        set bssid <mac-address>
        set ssid <string>
        set status {rogue | accepted | suppressed}
end

Description
Configuration             Description  Default Value

id                        AP ID.  0
bssid                     AP's BSSID.  00:00:00:00:00:00
ssid                      AP's SSID.  (Empty)
status                    AP status.  rogue

wireless-controller/global
CLI Syntax
config wireless-controller global
    edit <name_str>
        set name <string>
        set location <string>
        set max-retransmit <integer>
        set data-ethernet-II {enable | disable}
        set mesh-eth-type <integer>
        set discovery-mc-addr <ipv4-address-multicast>
        set max-clients <integer>
        set rogue-scan-mac-adjacency <integer>
        set ap-log-server {enable | disable}
        set ap-log-server-ip <ipv4-address>
        set ap-log-server-port <integer>
end

Description
Configuration             Description  Default Value

name                      Name.  (Empty)
location                  Location.  (Empty)
max-retransmit            Maximum number of retransmissions for tunnel packets.  3
data-ethernet-II          Enable/disable Ethernet II frame type with 802.3 data tunnel mode.  disable
mesh-eth-type             Ethernet type for wireless backhaul tunnel packets.  8755
discovery-mc-addr         Discovery multicast address.  224.0.1.140
max-clients               Maximum number of stations supported by the AC.  0
rogue-scan-mac-adjacency  Range of numerical difference between an AP's Ethernet MAC and its BSSID, given the identical OUI (default = 7).  7
ap-log-server             Enable/disable AP log server.  disable
ap-log-server-ip          AP log server IP address.  0.0.0.0
ap-log-server-port        AP log server port.  0

wireless-controller/setting
CLI Syntax
config wireless-controller setting
    edit <name_str>
        set account-id <string>
        set country {NA | AL | DZ | AO | AR | AM | AT | AZ | BH | BD | BB | BY | BE | BZ | BO | BA | BR | BN | BG | KH | CL | CN | CO | CR | HR | CY | CZ | DK | DO | EC | EG | SV | EE | FI | FR | GE | DE | GR | GL | GD | GU | GT | HT | HN | HK | HU | IS | IN | ID | IR | IE | IL | IT | JM | JO | KZ | KE | KP | KR | KW | LV | LB | LI | LT | LU | MO | MK | MY | MT | MX | MC | MA | MZ | NP | NL | AN | AW | NZ | NO | OM | PK | PA | PG | PE | PH | PL | PT | PR | QA | RO | RU | RW | SA | RS | ME | SG | SK | SI | ZA | ES | LK | SE | SD | CH | SY | TW | TH | TT | TN | TR | AE | UA | GB | US | PS | UY | UZ | VE | VN | YE | ZW | JP | AU | CA}
end

Description
Configuration             Description  Default Value

account-id                FortiCloud customer account ID.  (Empty)
country                   Country.  US

wireless-controller/timers
CLI Syntax
config wireless-controller timers
    edit <name_str>
        set echo-interval <integer>
        set discovery-interval <integer>
        set client-idle-timeout <integer>
        set rogue-ap-log <integer>
        set fake-ap-log <integer>
        set darrp-optimize <integer>
        set darrp-day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        config darrp-time
            edit <name_str>
                set time <string>
        end
        set sta-stats-interval <integer>
        set vap-stats-interval <integer>
        set radio-stats-interval <integer>
        set sta-capability-interval <integer>
        set sta-locate-timer <integer>
end

Description
Configuration             Description  Default Value

echo-interval             Interval before the WTP sends an Echo Request after joining the AC (1 - 255, default = 30 sec).  30
discovery-interval        Interval between Discovery Requests (2 - 180 sec, default = 5 sec).  5
client-idle-timeout       Wireless station idle timeout (0 = no client-idle check, 20 - 3600 sec, default = 300 sec).  300
rogue-ap-log              Rogue AP periodic log reporting interval (default = 0 min).  0
fake-ap-log               Fake AP periodic log reporting interval (default = 1 min).  1
darrp-optimize            DARRP optimization interval (default = 1800 sec).  1800
darrp-day                 Weekday on which DARRP optimization is executed.  (Empty)
darrp-time                Time at which DARRP optimization is executed (up to 8 time points).  (Empty)
sta-stats-interval        WTP interval at which station statistics are sent (1 - 255, default = 1 sec).  1
vap-stats-interval        WTP interval at which VAP statistics are sent (1 - 255, default = 15 sec).  15
radio-stats-interval      WTP interval at which radio statistics are sent (1 - 255, default = 15 sec).  15
sta-capability-interval   WTP interval at which station capability information is sent (1 - 255, default = 30 sec).  30
sta-locate-timer          Interval at which the WTP flushes the station presence (default = 1800 sec).  1800

wireless-controller/vap
CLI Syntax
config wireless-controller vap
    edit <name_str>
        set name <string>
        set vdom <string>
        set fast-roaming {enable | disable}
        set external-fast-roaming {enable | disable}
        set mesh-backhaul {enable | disable}
        set max-clients <integer>
        set max-clients-ap <integer>
        set ssid <string>
        set broadcast-ssid {enable | disable}
        set security-obsolete-option {enable | disable}
        set security {open | captive-portal | wep64 | wep128 | wpa-personal | wpa-personal+captive-portal | wpa-enterprise | wpa-only-personal | wpa-only-personal+captive-portal | wpa-only-enterprise | wpa2-only-personal | wpa2-only-personal+captive-portal | wpa2-only-enterprise}
        set pmf {disable | enable | optional}
        set pmf-assoc-comeback-timeout <integer>
        set pmf-sa-query-retry-timeout <integer>
        set okc {disable | enable}
        set tkip-counter-measure {enable | disable}
        set external-web <string>
        set radius-mac-auth {enable | disable}
        set radius-mac-auth-server <string>
        set auth {psk | radius | usergroup}
        set encrypt {TKIP | AES | TKIP-AES}
        set keyindex <integer>
        set key <password>
        set passphrase <password>
        set radius-server <string>
        set acct-interim-interval <integer>
        config usergroup
            edit <name_str>
                set name <string>
        end
        set portal-message-override-group <string>
        config portal-message-overrides
            edit <name_str>
                set auth-disclaimer-page <string>
                set auth-reject-page <string>
                set auth-login-page <string>
                set auth-login-failed-page <string>
        end
        set portal-type {auth | auth+disclaimer | disclaimer | email-collect}
        config selected-usergroups
            edit <name_str>
                set name <string>
        end
        set security-exempt-list <string>
        set security-redirect-url <string>
        set intra-vap-privacy {enable | disable}
        set schedule <string>
        set local-standalone {enable | disable}
        set local-standalone-nat {enable | disable}
        set ip <ipv4-classnet-host>
        set local-bridging {enable | disable}
        set split-tunneling {enable | disable}
        set local-authentication {enable | disable}
        set local-switching {enable | disable}
        set vlanid <integer>
        set vlan-auto {enable | disable}
        set dynamic-vlan {enable | disable}
        set alias <string>
        set multicast-rate {0 | 6000 | 12000 | 24000}
        set multicast-enhance {enable | disable}
        set broadcast-suppression {dhcp-up | dhcp-down | dhcp-starvation | arp-known | arp-unknown | arp-reply | arp-poison | netbios-ns | netbios-ds | ipv6 | all-other-mc | all-other-bc}
        set me-disable-thresh <integer>
        set probe-resp-suppression {enable | disable}
        set probe-resp-threshold <string>
        set vlan-pooling {wtp-group | round-robin | hash | disable}
        config vlan-pool
            edit <name_str>
                set id <integer>
                set wtp-group <string>
        end
        set ptk-rekey {enable | disable}
        set ptk-rekey-intv <integer>
        set gtk-rekey {enable | disable}
        set gtk-rekey-intv <integer>
        set eap-reauth {enable | disable}
        set eap-reauth-intv <integer>
        set rates-11a {1 | 1-basic | 2 | 2-basic | 5.5 | 5.5-basic | 6 | 6-basic | 9 | 9-basic | 12 | 12-basic | 18 | 18-basic | 24 | 24-basic | 36 | 36-basic | 48 | 48-basic | 54 | 54-basic}
        set rates-11bg {1 | 1-basic | 2 | 2-basic | 5.5 | 5.5-basic | 6 | 6-basic | 9 | 9-basic | 12 | 12-basic | 18 | 18-basic | 24 | 24-basic | 36 | 36-basic | 48 | 48-basic | 54 | 54-basic}
        set rates-11n-ss12 {mcs0/1 | mcs1/1 | mcs2/1 | mcs3/1 | mcs4/1 | mcs5/1 | mcs6/1 | mcs7/1 | mcs8/2 | mcs9/2 | mcs10/2 | mcs11/2 | mcs12/2 | mcs13/2 | mcs14/2 | mcs15/2}
        set rates-11n-ss34 {mcs16/3 | mcs17/3 | mcs18/3 | mcs19/3 | mcs20/3 | mcs21/3 | mcs22/3 | mcs23/3 | mcs24/4 | mcs25/4 | mcs26/4 | mcs27/4 | mcs28/4 | mcs29/4 | mcs30/4 | mcs31/4}
        set rates-11ac-ss12 {mcs0/1 | mcs1/1 | mcs2/1 | mcs3/1 | mcs4/1 | mcs5/1 | mcs6/1 | mcs7/1 | mcs8/1 | mcs9/1 | mcs0/2 | mcs1/2 | mcs2/2 | mcs3/2 | mcs4/2 | mcs5/2 | mcs6/2 | mcs7/2 | mcs8/2 | mcs9/2}
        set rates-11ac-ss34 {mcs0/3 | mcs1/3 | mcs2/3 | mcs3/3 | mcs4/3 | mcs5/3 | mcs6/3 | mcs7/3 | mcs8/3 | mcs9/3 | mcs0/4 | mcs1/4 | mcs2/4 | mcs3/4 | mcs4/4 | mcs5/4 | mcs6/4 | mcs7/4 | mcs8/4 | mcs9/4}
        set mac-filter {enable | disable}
        set mac-filter-policy-other {allow | deny}
        config mac-filter-list
            edit <name_str>
                set id <integer>
                set mac <mac-address>
                set mac-filter-policy {allow | deny}
        end
end

Description
Configuration             Description  Default Value

name                      Virtual AP name.  (Empty)
vdom                      Owning VDOM.  (Empty)
fast-roaming              Enable/disable fast roaming.  enable
external-fast-roaming     Enable/disable fast roaming with external non-managed AP.  disable
mesh-backhaul             Enable/disable mesh backhaul.  disable
max-clients               Maximum number of STAs supported by the VAP.  0
max-clients-ap            Maximum number of STAs supported by the VAP (per AP radio).  0
ssid                      IEEE 802.11 Service Set Identifier.  fortinet
broadcast-ssid            Enable/disable SSID broadcast in the beacon.  enable
security-obsolete-option  Enable/disable obsolete security options.  disable
security                  Wireless access security of SSID.  wpa2-only-personal
pmf                       Protected Management Frames (PMF) support.  disable
pmf-assoc-comeback-timeout  Protected Management Frames (PMF) comeback maximum timeout (1 - 20 sec).  1
pmf-sa-query-retry-timeout  Protected Management Frames (PMF) SA query retry timeout interval (1 - 5 in 100s of msec).  2
okc                       Enable/disable Opportunistic Key Caching (OKC).  enable
tkip-counter-measure      Enable/disable TKIP counter measure.  enable
external-web              URL of external authentication web server.  (Empty)
radius-mac-auth           Enable/disable RADIUS-based MAC authentication.  disable

radius-mac-auth-server    RADIUS-based MAC authentication server.  (Empty)
auth                      Authentication protocol.  psk
encrypt                   Data encryption.  AES
keyindex                  WEP key index (1 - 4).  1
key                       WEP Key.  (Empty)
passphrase                Pre-shared key for WPA.  (Empty)
radius-server             WiFi RADIUS server.  (Empty)
acct-interim-interval     WiFi RADIUS accounting interim interval (60 - 86400 sec, default = 0).  0
usergroup                 Selected user group.  (Empty)
portal-message-override-group  Specify captive portal replacement message override group.  (Empty)
portal-message-overrides  Individual message overrides.  Details below
    Configuration         Default Value
    auth-disclaimer-page  (Empty)
    auth-reject-page      (Empty)
    auth-login-page       (Empty)
    auth-login-failed-page  (Empty)
portal-type               Captive portal type.  auth
selected-usergroups       Selected user group.  (Empty)
security-exempt-list      Security exempt list name.  (Empty)
security-redirect-url     URL redirection after disclaimer/authentication.  (Empty)
intra-vap-privacy         Enable/disable intra-SSID privacy.  disable
schedule                  VAP schedule name.  (Empty)
local-standalone          Enable/disable AP local standalone.  disable
local-standalone-nat      Enable/disable AP local standalone NAT mode.  disable

ip IP address and subnet mask for the local standalone NAT subnet. 0.0.0.0 0.0.0.0

local-bridging Enable/disable FortiAP local VAP-to-Ethernet bridge. disable

split-tunneling Enable/disable split tunneling. disable

local-authentication Enable/disable AP local authentication. disable

local-switching Enable/disable FortiAP local VAP traffic switching. enable

vlanid Optional VLAN ID. 0

vlan-auto Enable/disable automatic management of SSID VLAN interface. disable

dynamic-vlan Enable/disable dynamic VLAN assignment. disable

alias Alias. (Empty)

multicast-rate Multicast rate (kbps). 0

multicast-enhance Enable/disable multicast enhancement. disable

broadcast-suppression Suppress broadcast frames from WiFi clients. dhcp-up arp-known

me-disable-thresh Threshold of number of multicast clients to disable multicast enhancement. 32

probe-resp-suppression Enable/disable probe response suppression. disable

probe-resp-threshold Threshold at which FortiAP responds to probe requests (signal level must be no lower than this value). -80

vlan-pooling Enable/disable VLAN pooling. disable

vlan-pool VLAN pool. (Empty)

ptk-rekey Enable/disable PTK rekey for WPA-Enterprise security. disable

ptk-rekey-intv PTK rekey interval (1800 - 864000 sec, default = 86400). 86400

gtk-rekey Enable/disable GTK rekey for WPA security. disable

gtk-rekey-intv GTK rekey interval (1800 - 864000 sec, default = 86400). 86400

eap-reauth Enable/disable EAP re-authentication for WPA-Enterprise security. disable

eap-reauth-intv EAP re-authentication interval (1800 - 864000 sec, default = 86400). 86400

rates-11a Configure allowed data rates for 802.11a. (Empty)

rates-11bg Configure allowed data rates for 802.11b/g. (Empty)

rates-11n-ss12 Configure allowed data rates for 802.11n with 1 or 2 spatial streams. (Empty)

rates-11n-ss34 Configure allowed data rates for 802.11n with 3 or 4 spatial streams. (Empty)

rates-11ac-ss12 Configure allowed data rates for 802.11ac with 1 or 2 spatial streams. (Empty)

rates-11ac-ss34 Configure allowed data rates for 802.11ac with 3 or 4 spatial streams. (Empty)

mac-filter Enable/disable MAC filter status. disable

mac-filter-policy-other Deny or allow STAs whose MAC addresses are not in the filter list. allow

mac-filter-list MAC filter list. (Empty)

wireless-controller/vap-group
CLI Syntax
config wireless-controller vap-group
edit <name_str>
set name <string>
set comment <var-string>
config vaps
edit <name_str>
set name <string>
end
end

Description
Configuration Description Default Value

name Group Name (Empty)

comment Comment. (Empty)

vaps Selected list of SSIDs to be included in the group. (Empty)

wireless-controller/wids-profile
CLI Syntax
config wireless-controller wids-profile
edit <name_str>
set name <string>
set comment <string>
set ap-scan {disable | enable}
set ap-bgscan-period <integer>
set ap-bgscan-intv <integer>
set ap-bgscan-duration <integer>
set ap-bgscan-idle <integer>
set ap-bgscan-report-intv <integer>
set ap-bgscan-disable-day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set ap-bgscan-disable-start <user>
set ap-bgscan-disable-end <user>
set ap-fgscan-report-intv <integer>
set ap-scan-passive {enable | disable}
set rogue-scan {enable | disable}
set ap-auto-suppress {enable | disable}
set wireless-bridge {enable | disable}
set deauth-broadcast {enable | disable}
set null-ssid-probe-resp {enable | disable}
set long-duration-attack {enable | disable}
set long-duration-thresh <integer>
set invalid-mac-oui {enable | disable}
set weak-wep-iv {enable | disable}
set auth-frame-flood {enable | disable}
set auth-flood-time <integer>
set auth-flood-thresh <integer>
set assoc-frame-flood {enable | disable}
set assoc-flood-time <integer>
set assoc-flood-thresh <integer>
set spoofed-deauth {enable | disable}
set asleap-attack {enable | disable}
set eapol-start-flood {enable | disable}
set eapol-start-thresh <integer>
set eapol-start-intv <integer>
set eapol-logoff-flood {enable | disable}
set eapol-logoff-thresh <integer>
set eapol-logoff-intv <integer>
set eapol-succ-flood {enable | disable}
set eapol-succ-thresh <integer>
set eapol-succ-intv <integer>
set eapol-fail-flood {enable | disable}
set eapol-fail-thresh <integer>
set eapol-fail-intv <integer>
set eapol-pre-succ-flood {enable | disable}
set eapol-pre-succ-thresh <integer>
set eapol-pre-succ-intv <integer>
set eapol-pre-fail-flood {enable | disable}
set eapol-pre-fail-thresh <integer>
set eapol-pre-fail-intv <integer>
set deauth-unknown-src-thresh <integer>
end

Description
Configuration Description Default Value

name WIDS profile name. (Empty)

comment Comment. (Empty)

ap-scan Enable/disable AP scan. disable

ap-bgscan-period Interval between two rounds of scanning (60 - 3600 sec). 600

ap-bgscan-intv Interval between two scanning channels (1 - 600 sec). 1

ap-bgscan-duration Listening time on a scanning channel (10 - 1000 msec). 20

ap-bgscan-idle Channel idle time before scanning channel (0 - 1000 msec). 0

ap-bgscan-report-intv Interval between two background scan reports (15 - 600 sec). 30

ap-bgscan-disable-day Weekday on which background scan is disabled. (Empty)

ap-bgscan-disable-start Start time at which background scan is disabled. 00:00

ap-bgscan-disable-end End time at which background scan is disabled. 00:00

ap-fgscan-report-intv Interval between two foreground scan reports (15 - 600 sec). 15

ap-scan-passive Enable/disable passive scan on all channels. disable

rogue-scan Enable/disable rogue AP on-wire scan. disable

ap-auto-suppress Enable/disable on-wire rogue AP auto-suppress. disable

wireless-bridge Enable/disable wireless bridge detection. disable

deauth-broadcast Enable/disable broadcasting de-authentication detection. disable

null-ssid-probe-resp Enable/disable null SSID probe response detection. disable

long-duration-attack Enable/disable long duration attack detection based on user configured threshold. disable

long-duration-thresh Threshold value (usec) for long duration attack detection. 8200

invalid-mac-oui Enable/disable invalid MAC OUI detection. disable

weak-wep-iv Enable/disable weak WEP IV (Initialization Vector) detection. disable

auth-frame-flood Enable/disable authentication frame flooding detection. disable

auth-flood-time Number of seconds after which an STA is considered not connected. 10

auth-flood-thresh The threshold value for authentication flooding. 30

assoc-frame-flood Enable/disable association frame flooding detection. disable

assoc-flood-time Number of seconds after which an STA is considered not connected. 10

assoc-flood-thresh The threshold value for association flooding. 30

spoofed-deauth Enable/disable spoofed de-authentication detection. disable

asleap-attack Enable/disable asleap attack detection. disable

eapol-start-flood Enable/disable EAPOL-Start flooding (to AP) detection. disable

eapol-start-thresh The threshold value for EAPOL-Start flooding in specified interval. 10

eapol-start-intv The detection interval for EAPOL-Start flooding in sec. 1

eapol-logoff-flood Enable/disable EAPOL-Logoff flooding (to AP) detection. disable

eapol-logoff-thresh The threshold value for EAPOL-Logoff flooding in specified interval. 10

eapol-logoff-intv The detection interval for EAPOL-Logoff flooding in sec. 1

eapol-succ-flood Enable/disable EAPOL-Success flooding (to AP) detection. disable

eapol-succ-thresh The threshold value for EAPOL-Success flooding in specified interval. 10

eapol-succ-intv The detection interval for EAPOL-Success flooding in sec. 1

eapol-fail-flood Enable/disable EAPOL-Failure flooding (to AP) detection. disable

eapol-fail-thresh The threshold value for EAPOL-Failure flooding in specified interval. 10

eapol-fail-intv The detection interval for EAPOL-Failure flooding in sec. 1

eapol-pre-succ-flood Enable/disable premature EAPOL-Success flooding (to STA) detection. disable

eapol-pre-succ-thresh The threshold value for premature EAPOL-Success flooding in specified interval. 10

eapol-pre-succ-intv The detection interval for premature EAPOL-Success flooding in sec. 1

eapol-pre-fail-flood Enable/disable premature EAPOL-Failure flooding (to STA) detection. disable

eapol-pre-fail-thresh The threshold value for premature EAPOL-Failure flooding in specified interval. 10

eapol-pre-fail-intv The detection interval for premature EAPOL-Failure flooding in sec. 1

deauth-unknown-src-thresh Threshold value per second to deauth unknown src for DoS attack (0: no limit). 10

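The EAPOL flood settings in the wids-profile table each pair a threshold (eapol-*-thresh) with a detection interval (eapol-*-intv). The following added example, which is not FortiOS code, implements that sliding-window logic over constructed frame records using the table's defaults (thresh 10, intv 1 sec); the interpretation that a flood means more than thresh frames from one source MAC inside intv seconds, alerted once per burst, is an assumption, as are the MAC addresses.

```python
"""Sliding-window flood detection modelled on the wids-profile EAPOL flood
settings (added example, not FortiOS code).

Assumption not stated by the reference: a flood is raised when more than
`thresh` frames of one type arrive from one source MAC within `intv`
seconds, and the alert is raised once per burst.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FloodRule:
    """One threshold/interval pair, e.g. eapol-start-thresh / eapol-start-intv."""
    frame_type: str
    thresh: int      # frames allowed inside the interval
    intv: float      # detection interval in seconds


# Defaults from the wids-profile description table (thresh 10, intv 1 sec).
WIDS_DEFAULT_RULES = {
    name: FloodRule(name, thresh=10, intv=1)
    for name in ("eapol-start", "eapol-logoff", "eapol-succ", "eapol-fail")
}


@dataclass
class FloodDetector:
    rules: dict
    # (frame_type, src) -> timestamps still inside the detection interval
    _windows: dict = field(default_factory=lambda: defaultdict(deque))
    _alerted: set = field(default_factory=set)

    def observe(self, ts, frame_type, src):
        """Feed one frame; return an alert string when a flood starts, else None."""
        rule = self.rules.get(frame_type)
        if rule is None:                      # frame type has no flood rule
            return None
        key = (frame_type, src)
        win = self._windows[key]
        win.append(ts)
        while win and ts - win[0] > rule.intv:   # expire old timestamps
            win.popleft()
        if len(win) > rule.thresh:
            if key in self._alerted:          # still the same burst
                return None
            self._alerted.add(key)
            return (f"{frame_type} flood from {src}: {len(win)} frames "
                    f"in {rule.intv}s (thresh {rule.thresh})")
        self._alerted.discard(key)            # rate dropped; re-arm the alert
        return None


def run_detector(frames, rules=None):
    """Run the detector over (ts, frame_type, src_mac) records; return alerts."""
    det = FloodDetector(rules or WIDS_DEFAULT_RULES)
    alerts = []
    for ts, frame_type, src in sorted(frames):
        alert = det.observe(ts, frame_type, src)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic (timestamps in seconds, MACs made up):
#  - STA ...01 sends 11 EAPOL-Start frames in 0.5 s   -> exceeds 10 in 1 s
#  - STA ...02 sends 5 EAPOL-Start frames over 2.4 s  -> normal
#  - STA ...03 sends 11 EAPOL-Logoff frames over 2 s  -> never more than 10 in 1 s
SAMPLE_FRAMES = (
    [(i * 0.05, "eapol-start", "aa:bb:cc:00:00:01") for i in range(11)]
    + [(i * 0.6, "eapol-start", "aa:bb:cc:00:00:02") for i in range(5)]
    + [(10.0 + i * 0.2, "eapol-logoff", "aa:bb:cc:00:00:03") for i in range(11)]
)

if __name__ == "__main__":
    for line in run_detector(SAMPLE_FRAMES):
        print(line)
```

Lowering a threshold (for example eapol-logoff-thresh to 5) turns the third STA's traffic into a flood as well, which is the trade-off a practitioner tunes with these settings.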
wireless-controller/wtp
CLI Syntax
config wireless-controller wtp
edit <name_str>
set wtp-id <string>
set index <integer>
set admin {discovered | disable | enable}
set name <string>
set location <string>
set wtp-mode {normal | remote}
set wtp-profile <string>
set override-led-state {enable | disable}
set led-state {enable | disable}
set override-wan-port-mode {enable | disable}
set wan-port-mode {wan-lan | wan-only}
set override-ip-fragment {enable | disable}
set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}
set tun-mtu-uplink <integer>
set tun-mtu-downlink <integer>
set override-split-tunnel {enable | disable}
set split-tunneling-acl-local-ap-subnet {enable | disable}
config split-tunneling-acl
edit <name_str>
set id <integer>
set dest-ip <ipv4-classnet>
end
set override-lan {enable | disable}
config lan
edit <name_str>
set port-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port-ssid <string>
set port1-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port1-ssid <string>
set port2-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port2-ssid <string>
set port3-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port3-ssid <string>
set port4-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port4-ssid <string>
set port5-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port5-ssid <string>
set port6-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port6-ssid <string>
set port7-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port7-ssid <string>
set port8-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port8-ssid <string>
end
set override-allowaccess {enable | disable}
set allowaccess {telnet | http}
set override-login-passwd-change {enable | disable}
set login-passwd-change {yes | default | no}
set login-passwd <password>
config radio-1
edit <name_str>
set radio-id <integer>
set override-band {enable | disable}
set band {802.11a | 802.11b | 802.11g | 802.11n | 802.11n-5G | 802.11n,g-only | 802.11g-only | 802.11n-only | 802.11n-5G-only | 802.11ac | 802.11ac,n-only | 802.11ac-only}
set override-analysis {enable | disable}
set spectrum-analysis {enable | disable}
set override-txpower {enable | disable}
set auto-power-level {enable | disable}
set auto-power-high <integer>
set auto-power-low <integer>
set power-level <integer>
set override-vaps {enable | disable}
set vap-all {enable | disable}
config vaps
edit <name_str>
set name <string>
end
set override-channel {enable | disable}
config channel
edit <name_str>
set chan <string>
end
end
config radio-2
edit <name_str>
set radio-id <integer>
set override-band {enable | disable}
set band {802.11a | 802.11b | 802.11g | 802.11n | 802.11n-5G | 802.11n,g-only | 802.11g-only | 802.11n-only | 802.11n-5G-only | 802.11ac | 802.11ac,n-only | 802.11ac-only}
set override-analysis {enable | disable}
set spectrum-analysis {enable | disable}
set override-txpower {enable | disable}
set auto-power-level {enable | disable}
set auto-power-high <integer>
set auto-power-low <integer>
set power-level <integer>
set override-vaps {enable | disable}
set vap-all {enable | disable}
config vaps
edit <name_str>
set name <string>
end
set override-channel {enable | disable}
config channel
edit <name_str>
set chan <string>
end
end
set image-download {enable | disable}
set mesh-bridge-enable {default | enable | disable}
set coordinate-enable {enable | disable}
set coordinate-x <string>
set coordinate-y <string>
end

Description
Configuration Description Default Value

wtp-id WTP ID. (Empty)

index Index (0 - 4294967295). 0

admin Admin status. enable

name WTP name. (Empty)

location WTP location. (Empty)

wtp-mode WTP mode. normal

wtp-profile WTP profile name. (Empty)

override-led-state Enable/disable override of LED state. disable

led-state Enable/disable use of LEDs on WTP. enable

override-wan-port-mode Enable/disable override of wan-port-mode. disable

wan-port-mode Enable/disable use of WAN port as LAN port. wan-only

override-ip-fragment Enable/disable override of IP fragment prevention. disable

ip-fragment-preventing Prevent IP fragmentation for CAPWAP tunnelled control and data packets. tcp-mss-adjust

tun-mtu-uplink Uplink tunnel MTU. 0

tun-mtu-downlink Downlink tunnel MTU. 0

override-split-tunnel Enable/disable override of split tunneling. disable

split-tunneling-acl-local-ap-subnet Enable/disable split tunneling ACL local AP subnet. disable

split-tunneling-acl Split tunneling ACL filter list. (Empty)

override-lan Enable/disable override of WTP LAN port. disable

lan WTP LAN port mapping. Details below

Configuration Default Value
port-mode offline
port-ssid (Empty)
port1-mode offline
port1-ssid (Empty)
port2-mode offline
port2-ssid (Empty)
port3-mode offline
port3-ssid (Empty)
port4-mode offline
port4-ssid (Empty)
port5-mode offline
port5-ssid (Empty)
port6-mode offline
port6-ssid (Empty)
port7-mode offline
port7-ssid (Empty)
port8-mode offline
port8-ssid (Empty)

override-allowaccess Enable/disable override of management access to managed AP. disable

allowaccess Allow management access to managed AP. (Empty)

override-login-passwd-change Enable/disable override of login password of managed AP. disable

login-passwd-change Configuration options for login password of managed AP. no

login-passwd Login password of managed AP. (Empty)

radio-1 Radio 1. Details below

Configuration Default Value
radio-id 0
override-band disable
band (Empty)
override-analysis disable
spectrum-analysis disable
override-txpower disable
auto-power-level disable
auto-power-high 17
auto-power-low 10
power-level 100
override-vaps disable
vap-all enable
vaps (Empty)
override-channel disable
channel (Empty)

radio-2 Radio 2. Details below

Configuration Default Value
radio-id 1
override-band disable
band (Empty)
override-analysis disable
spectrum-analysis disable
override-txpower disable
auto-power-level disable
auto-power-high 17
auto-power-low 10
power-level 100
override-vaps disable
vap-all enable
vaps (Empty)
override-channel disable
channel (Empty)

image-download Enable/disable WTP image download. enable

mesh-bridge-enable Enable/disable mesh Ethernet bridge when WTP is configured as a mesh branch/leaf AP. default

coordinate-enable Enable/disable WTP coordinates. disable

coordinate-x X axis coordinate. 0

coordinate-y Y axis coordinate. 0

wireless-controller/wtp-profile
CLI Syntax
config wireless-controller wtp-profile
edit <name_str>
set name <string>
set comment <var-string>
config platform
edit <name_str>
set type {FWF | 220A | 220B | 223B | 210B | 222B | 112B | 320B | 11C | 14C | 28C | 320C | 221C | 25D | 222C | 224D | 214B | 21D | 24D | 112D | 223C | 321C | S321C | S323C | S311C | S313C}
end
set wan-port-mode {wan-lan | wan-only}
config lan
edit <name_str>
set port-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port-ssid <string>
set port1-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port1-ssid <string>
set port2-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port2-ssid <string>
set port3-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port3-ssid <string>
set port4-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port4-ssid <string>
set port5-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port5-ssid <string>
set port6-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port6-ssid <string>
set port7-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port7-ssid <string>
set port8-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port8-ssid <string>
end
set led-state {enable | disable}
set dtls-policy {clear-text | dtls-enabled}
set dtls-in-kernel {enable | disable}
set max-clients <integer>
set handoff-rssi <integer>
set handoff-sta-thresh <integer>
set handoff-roaming {enable | disable}
config deny-mac-list
edit <name_str>
set id <integer>
set mac <mac-address>
end
set ap-country {NA | AL | DZ | AO | AR | AM | AT | AZ | BH | BD | BB | BY | BE | BZ | BO | BA | BR | BN | BG | KH | CL | CN | CO | CR | HR | CY | CZ | DK | DO | EC | EG | SV | EE | FI | FR | GE | DE | GR | GL | GD | GU | GT | HT | HN | HK | HU | IS | IN | ID | IR | IE | IL | IT | JM | JO | KZ | KE | KP | KR | KW | LV | LB | LI | LT | LU | MO | MK | MY | MT | MX | MC | MA | MZ | NP | NL | AN | AW | NZ | NO | OM | PK | PA | PG | PE | PH | PL | PT | PR | QA | RO | RU | RW | SA | RS | ME | SG | SK | SI | ZA | ES | LK | SE | SD | CH | SY | TW | TH | TT | TN | TR | AE | UA | GB | US | PS | UY | UZ | VE | VN | YE | ZW | JP | AU | CA}
set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}
set tun-mtu-uplink <integer>
set tun-mtu-downlink <integer>
set split-tunneling-acl-local-ap-subnet {enable | disable}
config split-tunneling-acl
edit <name_str>
set id <integer>
set dest-ip <ipv4-classnet>
end
set allowaccess {telnet | http}
set login-passwd-change {yes | default | no}
set login-passwd <password>
set lldp {enable | disable}
config radio-1
edit <name_str>
set radio-id <integer>
set mode {disabled | ap | monitor | sniffer}
set band {802.11a | 802.11b | 802.11g | 802.11n | 802.11n-5G | 802.11ac | 802.11n,g-only | 802.11g-only | 802.11n-only | 802.11n-5G-only | 802.11ac,n-only | 802.11ac-only}
set protection-mode {rtscts | ctsonly | disable}
set powersave-optimize {tim | ac-vo | no-obss-scan | no-11b-rate | client-rate-follow}
set amsdu {enable | disable}
set coexistence {enable | disable}
set short-guard-interval {enable | disable}
set channel-bonding {80MHz | 40MHz | 20MHz}
set auto-power-level {enable | disable}
set auto-power-high <integer>
set auto-power-low <integer>
set power-level <integer>
set dtim <integer>
set beacon-interval <integer>
set rts-threshold <integer>
set frag-threshold <integer>
set ap-sniffer-bufsize <integer>
set ap-sniffer-chan <integer>
set ap-sniffer-addr <mac-address>
set ap-sniffer-mgmt-beacon {enable | disable}
set ap-sniffer-mgmt-probe {enable | disable}
set ap-sniffer-mgmt-other {enable | disable}
set ap-sniffer-ctl {enable | disable}
set ap-sniffer-data {enable | disable}
set spectrum-analysis {enable | disable}
set wids-profile <string>
set darrp {enable | disable}
set max-clients <integer>
set max-distance <integer>
set frequency-handoff {enable | disable}
set ap-handoff {enable | disable}
set vap-all {enable | disable}
config vaps
edit <name_str>
set name <string>
end
config channel
edit <name_str>
set chan <string>
end
end
config radio-2
edit <name_str>
set radio-id <integer>
set mode {disabled | ap | monitor | sniffer}
set band {802.11a | 802.11b | 802.11g | 802.11n | 802.11n-5G | 802.11ac | 802.11n,g-only | 802.11g-only | 802.11n-only | 802.11n-5G-only | 802.11ac,n-only | 802.11ac-only}
set protection-mode {rtscts | ctsonly | disable}
set powersave-optimize {tim | ac-vo | no-obss-scan | no-11b-rate | client-rate-follow}
set amsdu {enable | disable}
set coexistence {enable | disable}
set short-guard-interval {enable | disable}
set channel-bonding {80MHz | 40MHz | 20MHz}
set auto-power-level {enable | disable}
set auto-power-high <integer>
set auto-power-low <integer>
set power-level <integer>
set dtim <integer>
set beacon-interval <integer>
set rts-threshold <integer>
set frag-threshold <integer>
set ap-sniffer-bufsize <integer>
set ap-sniffer-chan <integer>
set ap-sniffer-addr <mac-address>
set ap-sniffer-mgmt-beacon {enable | disable}
set ap-sniffer-mgmt-probe {enable | disable}
set ap-sniffer-mgmt-other {enable | disable}
set ap-sniffer-ctl {enable | disable}
set ap-sniffer-data {enable | disable}
set spectrum-analysis {enable | disable}
set wids-profile <string>
set darrp {enable | disable}
set max-clients <integer>
set max-distance <integer>
set frequency-handoff {enable | disable}
set ap-handoff {enable | disable}
set vap-all {enable | disable}
config vaps
edit <name_str>
set name <string>
end
config channel
edit <name_str>
set chan <string>
end
end
config lbs
edit <name_str>
set ekahau-blink-mode {enable | disable}
set ekahau-tag <mac-address>
set erc-server-ip <ipv4-address-any>
set erc-server-port <integer>
set aeroscout {enable | disable}
set aeroscout-server-ip <ipv4-address-any>
set aeroscout-server-port <integer>
set aeroscout-mu-factor <integer>
set aeroscout-mu-timeout <integer>
set fortipresence {enable | disable}
set fortipresence-server <ipv4-address-any>
set fortipresence-port <integer>
set fortipresence-secret <password>
set fortipresence-project <string>
set fortipresence-frequency <integer>
set fortipresence-rogue {enable | disable}
set fortipresence-unassoc {enable | disable}
set station-locate {enable | disable}
end
end

Description
Configuration Description Default Value

name WTP profile name. (Empty)

comment Comment. (Empty)

platform WTP platform. Details below

Configuration Default Value
type 220B

wan-port-mode Enable/disable use of WAN port as LAN port. wan-only

lan WTP LAN port mapping. Details below

Configuration Default Value
port-mode offline
port-ssid (Empty)
port1-mode offline
port1-ssid (Empty)
port2-mode offline
port2-ssid (Empty)
port3-mode offline
port3-ssid (Empty)
port4-mode offline
port4-ssid (Empty)
port5-mode offline
port5-ssid (Empty)
port6-mode offline
port6-ssid (Empty)
port7-mode offline
port7-ssid (Empty)
port8-mode offline
port8-ssid (Empty)

led-state Enable/disable use of LEDs on WTP. enable

dtls-policy WTP data channel DTLS policy. clear-text

dtls-in-kernel Enable/disable data channel DTLS in kernel. disable

max-clients Maximum number of STAs supported by the WTP. 0

handoff-rssi Minimum RSSI value for handoff. 25

handoff-sta-thresh Threshold value for AP handoff. 30

handoff-roaming Enable/disable handoff when a client is roaming. enable

deny-mac-list Deny MAC filter list. (Empty)

ap-country AP country code. NA

ip-fragment-preventing Prevent IP fragmentation for CAPWAP tunneled control and data packets. tcp-mss-adjust

tun-mtu-uplink Uplink tunnel MTU. 0

tun-mtu-downlink Downlink tunnel MTU. 0

split-tunneling-acl-local-ap-subnet Enable/disable split tunneling ACL local AP subnet. disable

split-tunneling-acl Split tunneling ACL filter list. (Empty)

allowaccess Allow management access to managed AP. (Empty)

login-passwd-change Configuration options for login password of managed AP. no

login-passwd Login password of managed AP. (Empty)

lldp Enable/disable LLDP. disable

radio-1 Radio 1. Details below

Configuration Default Value
radio-id 0
mode ap
band (Empty)
protection-mode disable
powersave-optimize (Empty)
amsdu enable
coexistence enable
short-guard-interval disable
channel-bonding 20MHz
auto-power-level disable
auto-power-high 17
auto-power-low 10
power-level 100
dtim 1
beacon-interval 100
rts-threshold 2346
frag-threshold 2346
ap-sniffer-bufsize 16
ap-sniffer-chan 36
ap-sniffer-addr 00:00:00:00:00:00
ap-sniffer-mgmt-beacon enable
ap-sniffer-mgmt-probe enable
ap-sniffer-mgmt-other enable
ap-sniffer-ctl enable
ap-sniffer-data enable
spectrum-analysis disable
wids-profile (Empty)
darrp disable
max-clients 0
max-distance 0
frequency-handoff disable
ap-handoff disable
vap-all enable
vaps (Empty)
channel (Empty)

radio-2 Radio 2. Details below

Configuration Default Value
radio-id 1
mode ap
band (Empty)
protection-mode disable
powersave-optimize (Empty)
amsdu enable
coexistence enable
short-guard-interval disable
channel-bonding 20MHz
auto-power-level disable
auto-power-high 17
auto-power-low 10
power-level 100
dtim 1
beacon-interval 100
rts-threshold 2346
frag-threshold 2346
ap-sniffer-bufsize 16
ap-sniffer-chan 6
ap-sniffer-addr 00:00:00:00:00:00
ap-sniffer-mgmt-beacon enable
ap-sniffer-mgmt-probe enable
ap-sniffer-mgmt-other enable
ap-sniffer-ctl enable
ap-sniffer-data enable
spectrum-analysis disable
wids-profile (Empty)
darrp disable
max-clients 0
max-distance 0
frequency-handoff disable
ap-handoff disable
vap-all enable
vaps (Empty)
channel (Empty)

lbs Location based service. Details below

Configuration Default Value
ekahau-blink-mode disable
ekahau-tag 01:18:8e:00:00:00
erc-server-ip 0.0.0.0
erc-server-port 8569
aeroscout disable
aeroscout-server-ip 0.0.0.0
aeroscout-server-port 0
aeroscout-mu-factor 20
aeroscout-mu-timeout 5
fortipresence disable
fortipresence-server 0.0.0.0
fortipresence-port 3000
fortipresence-secret fortinet
fortipresence-project fortipresence
fortipresence-frequency 30
fortipresence-rogue disable
fortipresence-unassoc disable
station-locate disable

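Several defaults in the vap and wtp-profile tables above are the permissive choice (pmf disable, dtls-policy clear-text, login-passwd-change no), so an absent setting in a saved configuration means the weak value is in force. The following added example, which is not Fortinet code, parses the config/edit/set/next/end text a FortiGate emits and flags those settings together with security-obsolete-option, open or WEP security and Telnet in allowaccess; the sample configuration, its SSID and profile names are constructed, the parser assumes entries are closed with next and blocks with end, and the security values open/wep64/wep128 are not listed on this page.

```python
"""Audit FortiOS wireless-controller vap and wtp-profile settings.

Added example, not Fortinet code. Parses the config/edit/set/next/end text
the FortiGate CLI emits (assumed: entries close with 'next', blocks with
'end') and reports weak settings, treating an absent setting as the default
given in this reference.
"""
import shlex


def _parse_block(lines, i):
    """Parse until the matching 'end'. Returns (entries, next line index).

    entries maps edit-name -> {key: [values]}; settings placed directly in a
    config block (no 'edit') are stored under the name None; a nested
    'config <x>' is stored under the key "config <x>".
    """
    entries = {}
    current = None
    while i < len(lines):
        tokens = shlex.split(lines[i])
        i += 1
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "end":
            break
        if kw == "edit":
            current = tokens[1]
            entries.setdefault(current, {})
        elif kw == "next":
            current = None
        elif kw == "set":
            entries.setdefault(current, {})[tokens[1]] = tokens[2:]
        elif kw == "config":
            sub, i = _parse_block(lines, i)
            entries.setdefault(current, {})["config " + " ".join(tokens[1:])] = sub
    return entries, i


def parse_fortios_config(text):
    """Return {"config <path>": {edit-name: settings}} for the top-level blocks."""
    top, _ = _parse_block(text.splitlines(), 0)
    return top.get(None, {})


# (key, default from this reference, values considered weak, finding text)
# The security values open/wep64/wep128 are FortiOS values not listed on this page.
VAP_CHECKS = [
    ("security", "wpa2-only-personal", {"open", "wep64", "wep128"},
     "open or WEP SSID"),
    ("security-obsolete-option", "disable", {"enable"},
     "obsolete security options enabled"),
    ("pmf", "disable", {"disable"},
     "Protected Management Frames not enabled (default is disable)"),
]
WTP_PROFILE_CHECKS = [
    ("dtls-policy", "clear-text", {"clear-text"},
     "CAPWAP data channel not protected by DTLS (default is clear-text)"),
    ("allowaccess", "", {"telnet"},
     "Telnet management access to the AP allowed"),
    ("login-passwd-change", "no", {"no"},
     "AP login password not changed from default (default is no)"),
]


def audit_wireless(cfg):
    """Return [(object type, entry name, finding)] for weak settings found."""
    findings = []
    for path, checks in (("config wireless-controller vap", VAP_CHECKS),
                         ("config wireless-controller wtp-profile", WTP_PROFILE_CHECKS)):
        for name, settings in cfg.get(path, {}).items():
            for key, default, weak, text in checks:
                values = settings.get(key, [default])   # absent => default applies
                if weak & set(values):
                    findings.append((path.split()[-1], name,
                                     f"{key}={' '.join(values)}: {text}"))
    return findings


# Constructed sample: a guest SSID left open, a hardened corporate SSID and
# a wtp-profile that never sets dtls-policy or login-passwd-change.
SAMPLE_CONFIG = """\
config wireless-controller vap
    edit "guest"
        set ssid "Guest-WiFi"
        set security open
        set security-obsolete-option enable
    next
    edit "corp"
        set ssid "Corp-WiFi"
        set security wpa2-only-enterprise
        set pmf enable
        set radius-server "corp-radius"
    next
end
config wireless-controller wtp-profile
    edit "FAP221C-default"
        config platform
            set type 221C
        end
        set allowaccess telnet http
        config radio-1
            set band 802.11n
        end
    next
end
"""

if __name__ == "__main__":
    for obj, name, finding in audit_wireless(parse_fortios_config(SAMPLE_CONFIG)):
        print(f"{obj} {name}: {finding}")
```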
execute

The execute commands perform immediate operations on the FortiGate unit, including:

• Maintenance operations, such as back up and restore the system configuration, reset the configuration to factory settings, update antivirus and attack definitions, view and delete log messages, set the date and time.
• Network operations, such as view and clear DHCP leases, clear arp table entries, use ping or traceroute to diagnose network problems.
• Generate certificate requests and install certificates for VPN authentication.

backup

Back up the FortiGate configuration files, logs, or IPS user-defined signatures file to a TFTP or FTP server, USB
disk, or a management station. Management stations can either be a FortiManager unit, or FortiGuard Analysis
and Management Service. For more information, see "fortiguard" on page 1 or "central-management" on page 1.

When virtual domain configuration is enabled (in global, vdom-admin is enabled), the content of the backup file
depends on the administrator account that created it.

A backup of the system configuration from the super admin account contains the global settings and the settings
for all of the VDOMs. Only the super admin can restore the configuration from this file.

When you back up the system configuration from a regular administrator account, the backup file contains the
global settings and the settings for the VDOM to which the administrator belongs. Only a regular administrator
account can restore the configuration from this file.

Syntax
execute backup config flash <comment>
execute backup config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute backup config management-station <comment_str>
execute backup config tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute backup config usb <filename_str> [<backup_password_str>]
execute backup config usb-mode [<backup_password_str>]
execute backup config-with-forticlient-info ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute backup config-with-forticlient-info tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute backup config-with-forticlient-info usb [<backup_password_str>]
execute backup config-with-forticlient-info usb-mode [<backup_password_str>]
execute backup full-config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute backup full-config tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute backup full-config usb <filename_str> [<backup_password_str>]
execute backup full-config usb-mode <filename_str> [<backup_password_str>]
execute backup ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]]
execute backup ipsuserdefsig tftp <filename_str> <server_ipv4>
execute backup {disk | memory} alllogs ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute backup {disk | memory} alllogs tftp <server_ipv4>
execute backup {disk | memory} alllogs usb
execute backup {disk | memory} log ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> <username_str> <password_str> {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}
execute backup {disk | memory} log tftp <server_ipv4> {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}
execute backup {disk | memory} log usb {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}
Variable Description

config flash <comment> Back up the system configuration to the flash disk. Optionally, include a comment.

config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>] Back up the system configuration to an FTP server. Optionally, you can specify a password to protect the saved data.

config management-station <comment_str> Back up the system configuration to a configured management station. If you are adding a comment, do not add spaces, underscore characters (_), or quotation marks (" ") or any other punctuation marks. The comment you enter displays in both the portal website and FortiGate web-based manager (System > Maintenance > Revision).

config tftp <filename_str> <server_ipv4> [<backup_password_str>] Back up the system configuration to a file on a TFTP server. Optionally, you can specify a password to protect the saved data.

config usb <filename_str> [<backup_password_str>] Back up the system configuration to a file on a USB disk. Optionally, you can specify a password to protect the saved data.

config usb-mode [<backup_password_str>] Back up the system configuration to a USB disk (Global admin only). Optionally, you can specify a password to protect the saved data.

config-with-forticlient-info ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>] Back up the system configuration to a file on an FTP server. Optionally, you can specify a password to protect the saved data.

config-with-forticlient-info tftp <filename_str> <server_ipv4> [<backup_password_str>] Back up the system configuration to a file on a TFTP server. Optionally, you can specify a password to protect the saved data.

config-with-forticlient-info usb [<backup_password_str>] Back up the system configuration to a file on a USB disk. Optionally, you can specify a password to protect the saved data.

config-with-forticlient-info usb-mode [<backup_password_str>] Back up the system configuration to a USB disk (Global admin only). Optionally, you can specify a password to protect the saved data.

full-config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>] Back up the full system configuration to a file on an FTP server. You can optionally specify a password to protect the saved data.

full-config tftp <filename_str> <server_ipv4> [<backup_password_str>] Back up the full system configuration to a file on a TFTP server. You can optionally specify a password to protect the saved data.

full-config usb <filename_str> [<backup_password_str>] Back up the full system configuration to a file on a USB disk. You can optionally specify a password to protect the saved data.

full-config usb-mode <filename_str> [<backup_password_str>] Back up the full system configuration to a file on a USB disk (Global admin only). You can optionally specify a password to protect the saved data.

ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] Back up IPS user-defined signatures to a file on an FTP server.

ipsuserdefsig tftp tftp <filename_ Back up IPS user-defined signatures to a file on a TFTP
str> <server_ipv4> server.

{disk | memory} alllogs ftp Back up either all memory or all hard disk log files for this
<server_ipv4[:port_int] | server_ VDOM to an FTP server. The disk option is available on
fqdn[:port_int]> [<username_str> FortiGate models that log to a hard disk.
<password_str>]
The file name has the form: <log_file_name>_
<VDOM>_<date>_<time>

Back up either all memory or all hard disk log files for this
VDOM to a TFTP server. he disk option is available on
{disk | memory} alllogs tftp FortiGate models that log to a hard disk.
<server_ipv4>
The file name has the form: <log_file_name>_
<VDOM>_<date>_<time>

CLI Reference for FortiOS 5.4 880


Fortinet Technologies Inc.
batch execute

Variable Description

{disk | memory} alllogs usb Back up either all memory or all hard disk log files for this
VDOM to a USB disk. he disk option is available on
FortiGate models that log to a hard disk.
The file name has the form: <log_file_name>_
<VDOM>_<date>_<time>

{disk | memory} log ftp <server_


Back up the specified type of log file from either hard
ipv4[:port_int] | server_fqdn
disk or memory to an FTP server.
[:port_int]> <username_str>
<password_str> {traffic | event
The disk option is available on FortiGate models that log
| ids | virus | webfilter | spam
to a hard disk.
| dlp | voip | app-ctrl | netscan}

{disk | memory} log tftp <server_ Back up the specified type of log file from either hard
ipv4> {traffic | event | ids disk or memory to a TFTP server.
| virus | webfilter | spam | dlp
| voip | app-ctrl | netscan} The disk option is available on FortiGate models that log
to a hard disk.

Back up the specified type of log file from either hard


{disk | memory} log usb
disk or memory to a USB disk.
{traffic | event | ids | virus
| webfilter | spam | dlp | voip
The disk option is available on FortiGate models that log
| app-ctrl | netscan}
to a hard disk.

Example
This example shows how to back up the FortiGate unit system configuration to a file named fgt.cfg on a
TFTP server at IP address 192.168.1.23.
execute backup config tftp fgt.cfg 192.168.1.23

batch

Execute a series of CLI commands. execute batch commands are controlled by the Maintenance (mntgrp)
access control group.

Syntax
execute batch [<cmd_cue>]
where <cmd_cue> is one of:

end — exit session and run the batch commands

lastlog — read the result of the last batch commands

start — start batch mode

status — batch mode status reporting if batch mode is running or stopped


Example
To start batch mode:
execute batch start
Enter batch mode...

To enter commands to run in batch mode:
config system global
set refresh 5
end
To execute the batch commands:
execute batch end
Exit and run batch commands...

bypass-mode

Use this command to manually switch a FortiGate-600C or FortiGate-1000C into bypass mode. This is available
in transparent mode only. If manually switched to bypass mode, the unit remains in bypass-mode until bypass
mode is disabled.

Syntax
execute bypass-mode {enable | disable}

carrier-license

Use this command to enter a FortiOS Carrier license key if you have installed a FortiOS Carrier build on a
FortiGate unit and need to enter a license key to enable FortiOS Carrier functionality.

Contact Fortinet Support for more information about this command.

Syntax
execute carrier-license <license_key>
Variable Description

<license_key> Enter the FortiOS Carrier license key supplied by Fortinet.

central-mgmt

Update Central Management Service account information. Also used to receive configuration file updates from an
attached FortiManager unit.

Syntax
execute central-mgmt set-mgmt-id <management_id>
execute central-mgmt register-device <fmg-serial-number> <fmg-register-password> <fgt-user-name> <fgt-password>
execute central-mgmt unregister-device <fmg-serial-number>
execute central-mgmt update
set-mgmt-id is used to change or initially set the management ID, or your account number for Central
Management Services. This account ID must be set for the service to be enabled.

register-device registers the FortiGate unit with a specific FortiManager unit specified by serial number.
You must also specify the administrator name and password that the FortiManager unit uses to log on to the
FortiGate unit.

unregister-device removes the FortiGate unit from the specified FortiManager unit’s device list.
update is used to update your Central Management Service contract with your new management account ID.
This command is to be used if there are any changes to your management service account.

Example
If you are registering with the Central Management Service for the first time, and your account number is 123456,
you would enter the following:
execute central-mgmt set-mgmt-id 123456

cfg reload

Use this command to restore the saved configuration when the configuration change mode is manual or
revert. This command has no effect if the mode is automatic, the default. The set cfg-save command
in system global sets the configuration change mode.

When you reload the saved system configuration, your session ends and the FortiGate unit restarts.

In the default configuration change mode, automatic, CLI commands become part of the saved unit
configuration when you execute them by entering either next or end.

In manual mode, commands take effect but do not become part of the saved configuration unless you execute
the execute cfg save command. When the FortiGate unit restarts, the saved configuration is loaded.
Configuration changes that were not saved are lost.

The revert mode is similar to manual mode, except that configuration changes are saved automatically if the
administrative session is idle for more than a specified timeout period. This provides a way to recover from an
erroneous configuration change, such as changing the IP address of the interface you are using for
administration. You set the timeout in system global using the set cfg-revert-timeout command.

Syntax
execute cfg reload

Example
This is sample output from the command when successful:
# execute cfg reload
configs reloaded. system will reboot.

This is sample output from the command when not in runtime-only configuration mode:
# execute cfg reload
no config to be reloaded.


cfg save

Use this command to save configuration changes when the configuration change mode is manual or revert. If
the mode is automatic, the default, all changes are added to the saved configuration as you make them and
this command has no effect. The set cfg-save command in system global sets the configuration change
mode.

In manual mode, commands take effect but do not become part of the saved configuration unless you execute
the execute cfg save command. When the FortiGate unit restarts, the saved configuration is loaded.
Configuration changes that were not saved are lost.

The revert mode is similar to manual mode, except that configuration changes are reverted automatically if
the administrative session is idle for more than a specified timeout period. This provides a way to recover from an
erroneous configuration change, such as changing the IP address of the interface you are using for
administration. To change the timeout from the default of 600 seconds, go to system global and use the
set cfg-revert-timeout command.

Syntax
execute cfg save

Example
This is sample output from the command:
# execute cfg save
config saved.
This is sample output when not in runtime-only configuration mode. It also occurs when in runtime-only
configuration mode and no changes have been made:
# execute cfg save
no config to be saved.
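
The following session, added here as a worked example rather than taken from the FortiOS reference, walks through revert mode end to end. It uses the set cfg-save and set cfg-revert-timeout keywords of config system global named in the cfg reload and cfg save descriptions, a constructed timeout of 300 seconds in place of the 600 second default, and the set refresh change from the batch example as the test change. Lines beginning with # are commentary; the responses shown are the ones quoted in the cfg save and cfg reload examples.

```text
# Put the unit into revert mode so that unsaved changes are undone after
# 300 seconds of session idle time (the default timeout is 600 seconds).
config system global
    set cfg-save revert
    set cfg-revert-timeout 300
end

# A change made in revert mode takes effect immediately but is not yet
# part of the saved configuration.
config system global
    set refresh 5
end

# Commit the pending change before the idle timer expires.
execute cfg save
config saved.

# With nothing pending, a second save has nothing to do.
execute cfg save
no config to be saved.

# A further change that is deliberately left unsaved.
config system global
    set refresh 10
end

# Discard it by reloading the saved configuration. The session ends and
# the unit restarts with refresh still set to 5.
execute cfg reload
configs reloaded. system will reboot.
```

The practical value of revert mode is the second half of the session: a mistaken change to the management interface that locks the administrator out is undone by the idle timer without anyone having to reach the console, while execute cfg save is the explicit step that turns a verified change into the persistent configuration.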

clear system arp table

Clear all the entries in the arp table.

Syntax
execute clear system arp table

cli check-template-status

Reports the status of the secure copy protocol (SCP) script template.

Syntax
execute cli check-template-status


cli status-msg-only

Enable or disable displaying standardized CLI error output messages. If executed, this command stops other
debug messages from displaying in the current CLI session. This command is used for compatibility with
FortiManager.

Syntax
execute cli status-msg-only [enable | disable]
Variable Description Default

status-msg-only [enable | disable]
    Enable or disable standardized CLI error output messages. Entering the command without enable or disable disables displaying standardized output. Default: enable

client-reputation

Use these commands to retrieve or remove client reputation information.

Syntax

To erase all client reputation data
execute client-reputation erase

To retrieve client reputation host count
execute client-reputation host-count <rows>

To retrieve client reputation host details
execute client-reputation host detail <host>

To retrieve client reputation host summary
execute client-reputation host summary <host>

To purge old data
execute client-reputation purge

To view the top n records
execute client-reputation <n | all>

date

Get or set the system date.


Syntax
execute date [<date_str>]
date_str has the form yyyy-mm-dd, where

yyyy is the year and can be 2001 to 2037

mm is the month and can be 01 to 12

dd is the day of the month and can be 01 to 31

If you do not specify a date, the command returns the current system date. Shortened values, such as ‘06’
instead of ‘2006’ for the year or ‘1’ instead of ‘01’ for month or day, are not valid.

Example
This example sets the date to 17 September 2004:
execute date 2004-09-17

disk

Use this command to list and format hard disks installed in FortiGate units or individual partitions on these hard
disks.

Syntax
execute disk format <partition1_ref_int> [...<partitionn_ref_int>]
execute disk list
execute disk scan <ref_int>
Variable Description

format
    Format the referenced disk partitions or disks. Separate reference numbers with spaces. If you enter a partition reference number, the disk partition is formatted. If you enter a disk reference number, the entire disk and all of its partitions are formatted.

list
    List the disks and partitions and the reference number for each one.

scan
    Scan a disk or partition and repair errors.

<ref_int>
    Disk (device) or partition reference number.

The execute disk format command formats the specified partitions or disks and then reboots the system if
a reboot is required.

In most cases you need to format the entire disk only if there is a problem with the partition. Formatting the
partition removes all data from the partition. Formatting the disk removes all data from the entire disk and creates
a single partition on the disk.


Examples
Use the following command to list the disks and partitions.
execute disk list

Disk Internal(boot) ref: 14.9GB type: SSD [ATA SanDisk SSD U100] dev: /dev/sda
partition ref: 3 14.4GB, 14.4GB free mounted: Y label: 7464A257123E07BB dev: /dev/sda3
In this example, there is only one partition and its reference number is 3.

Enter the following command to format the partition.
execute disk format 3
After a confirmation message the FortiGate unit formats the partition and restarts. This can take a few minutes.

disk raid

Use this command to view information about and change the raid settings on FortiGate units that support RAID.

Syntax
execute disk raid disable
execute disk raid enable {Raid-0 | Raid-1 | Raid-5}
execute disk raid rebuild
execute disk raid status
Variable Description

disable
    Disable raid for the FortiGate unit.

enable {Raid-0 | Raid-1 | Raid-5}
    Change the RAID level on the FortiGate unit.

rebuild
    Rebuild RAID on the FortiGate unit at the same RAID level. You can only execute this command if a RAID error has been detected. Changing the RAID level takes a while and deletes all data on the disk array.

status
    Display information about the RAID disk array in the FortiGate unit.

Examples
Use the following command to display information about the RAID disk array in a FortiGate-82C.
execute disk raid status
RAID Level: Raid-1
RAID Status: OK
RAID Size: 1000GB

Disk 1: OK Used 1000GB
Disk 2: OK Used 1000GB
Disk 3: OK Used 1000GB
Disk 4: Unavailable Not-Used 0GB


disk scan

Use this command to run a disk check operation.

Syntax
execute disk scan <ref_int>
where <ref_int> is the partition "ref:" number for the disk, shown by execute disk list.

The operation requires the FortiGate unit to reboot. The command responds:

Example
# execute disk scan 3
scan requested for: 3/Internal (device=/dev/sda3)
This action requires the unit to reboot.
Do you want to continue? (y/n)

dhcp lease-clear

Clear all DHCP address leases.

Syntax
For IPv4:
execute dhcp lease-clear
For IPv6:
execute dhcp6 lease-clear

dhcp lease-list

Display DHCP leases on a given interface

Syntax
For IPv4:
execute dhcp lease-list [interface_name]
For IPv6:
execute dhcp6 lease-list [interface_name]
If you specify an interface, the command lists only the leases issued on that interface. Otherwise, the list includes
all leases issued by DHCP servers on the FortiGate unit.

If there are no DHCP leases in use on the FortiGate unit, an error will be returned.


disconnect-admin-session

Disconnect an administrator who is logged in.

Syntax
execute disconnect-admin-session <index_number>
To determine the index of the administrator that you want to disconnect, view the list of logged-in administrators
by using the following command:
execute disconnect-admin-session ?
The list of logged-in administrators looks like this:
Connected:
INDEX   USERNAME TYPE      FROM               TIME
0       admin        WEB 172.20.120.51      Mon Aug 14 12:57:23 2006
1       admin2       CLI ssh(172.20.120.54) Mon Aug 14 12:57:23 2006

Example
This example shows how to disconnect the logged-in administrator admin2 from the above list.
execute disconnect-admin-session 1

enter

Use this command to go from global commands to a specific virtual domain (VDOM).

Only available when virtual domains are enabled and you are in config global.

After you enter the VDOM, the prompt will not change from “(global)”. However, you will be in the VDOM with
all the commands that are normally available in VDOMs.

Syntax
execute enter <vdom>
Use “?” to see a list of available VDOMs.

erase-disk

Use this command to reformat the boot device or an attached hard disk. Optionally, this command can restore
the image from a TFTP server after erasing.

Syntax
execute erase-disk <disk_name>
The <disk_name> for the boot device is boot.


factoryreset

Reset the FortiGate configuration to factory default settings.

Syntax
execute factoryreset [keepvmlicense]
If keepvmlicense is specified (VM models only), the VM license is retained after reset.

Apart from the keepvmlicense option, this procedure deletes all changes that you have made to the FortiGate
configuration and reverts the system to its original configuration, including resetting interface addresses.

factoryreset2

Reset the FortiGate configuration to factory default settings except VDOM and interface settings.

Syntax
execute factoryreset2 [keepvmlicense]
If keepvmlicense is specified (VM models only), the VM license is retained after reset.

formatlogdisk

Format the FortiGate hard disk to enhance performance for logging.

Syntax
execute formatlogdisk

In addition to deleting logs, this operation will erase all other data on the
disk, including system configuration, quarantine files, and databases for
antivirus and IPS.

forticarrier-license

Use this command to perform a FortiCarrier license upgrade.

Syntax
execute forticarrier-license <activation-code>

forticlient

Use these commands to manage FortiClient licensing.


Syntax

To view FortiClient license information
execute forticlient info

To show current FortiClient count
execute forticlient list <connection_type>
where <connection_type> is one of:

0 - IPsec
1 - SSLVPN
2 - NAC (Endpoint Security)
3 - WAN optimization
4 - Test

To upgrade FortiClient licenses
execute forticlient upgrade <license_key_str>

FortiClient-NAC

Use the following command to load a FortiClient license onto a FortiGate unit.

Syntax
execute FortiClient-NAC update-registration-license <code>
where <code> is the FortiClient registration license key/activation code.

fortiguard-log

Use this to manage FortiGuard Analysis and Management Service (FortiCloud) operation.

Syntax

To create a FortiCloud account
execute fortiguard-log create-account

To perform FortiCloud certification
execute fortiguard-log certification

To retrieve the FortiCloud agreement
execute fortiguard-log agreement

To test connection to a FortiCloud account
execute fortiguard-log try <account-id> <password>

To join FortiCloud
execute fortiguard-log join

To log in to a FortiCloud account
execute fortiguard-log login <account-id> <password>

To update the FortiGuard Analysis and Management Service contract
execute fortiguard-log update

fortitoken

Use these commands to activate and synchronize a FortiToken device. FortiToken devices are used in two-factor
authentication of administrator and user account logons. The device generates a random six-digit code that you
enter during the logon process along with user name and password.

Before they can be used to authenticate account logins, FortiToken devices must be activated with the
FortiGuard service. When successfully activated, the status of the FortiToken device will change from New to
Active.

Synchronization is sometimes needed due to the internal clock drift of the FortiToken device. It is not unusual for
new FortiToken units to require synchronization before being put into service. Synchronization is accomplished by
entering two sequential codes provided by the FortiToken.

Syntax

To activate one or more FortiToken devices
execute fortitoken activate <serial_number> [serial_number2 ... serial_numbern]

To import FortiToken OTP seeds
execute fortitoken import <seeds_file> <seeds_file_preshared_key>

To synchronize a FortiToken device
execute fortitoken sync <serial_number> <code> <next code>

To import a set of FortiToken serial numbers
execute fortitoken import-sn-file <ftk-sn>
FortiCare returns a set of 200 serial numbers that are in the same serial number range as the specified
FortiToken device.


fortitoken-mobile

Use these commands to activate and synchronize a FortiToken Mobile card. FortiToken Mobile cards are used in
two-factor authentication of administrator and user account logons. The FortiGate unit sends a random six-digit
code to the mobile device by email or SMS that the user enters during the logon process along with user name
and password.

Syntax

To import the FortiToken Mobile card serial number
execute fortitoken-mobile import <activation_code>

To poll a FortiToken Mobile token state
execute fortitoken-mobile poll

To provision a FortiToken Mobile token
execute fortitoken-mobile provision <token_serial_number>

fsso refresh

Use this command to manually refresh user group information from Directory Service servers connected to the
FortiGate unit using the Fortinet Single Sign On (FSSO) agent.

Syntax
execute fsso refresh

ha disconnect

Use this command to disconnect a FortiGate unit from a functioning cluster. You must specify the serial number
of the unit to be disconnected. You must also specify an interface name and assign an IP address and netmask to
this interface of the disconnected unit. You can disconnect any unit from the cluster, even the primary unit. After
the unit is disconnected, the cluster responds as if the disconnected unit has failed. The cluster may renegotiate
and may select a new primary unit.

To disconnect the unit from the cluster, the execute ha disconnect command sets the HA mode of the
disconnected unit to standalone. In addition, all interface IP addresses of the disconnected unit are set to 0.0.0.0.
The interface specified in the command is set to the IP address and netmask that you specify in the command. In
addition all management access to this interface is enabled. Once the FortiGate unit is disconnected you can use
SSH, telnet, HTTPS, or HTTP to connect to and manage the FortiGate unit.

Syntax
execute ha disconnect <cluster-member-serial_str> <interface_str> <address_ipv4> <address_ipv4mask>

Variable Description

cluster-member-serial_str
    The serial number of the cluster unit to be disconnected.

interface_str
    The name of the interface to configure. The command configures the IP address and netmask for this interface and also enables all management access for this interface.

Example
This example shows how to disconnect a cluster unit with serial number FGT5002803033050. The internal
interface of the disconnected unit is set to IP address 1.1.1.1 and netmask 255.255.255.0.
execute ha disconnect FGT5002803033050 internal 1.1.1.1 255.255.255.0

ha ignore-hardware-revision

Use this command to set ignore-hardware-revision status.

Syntax

To view ignore-hardware-revision status
execute ha ignore-hardware-revision status

To set ignore-hardware-revision status
execute ha ignore-hardware-revision {enable | disable}

ha manage

Use this command from the CLI of a FortiGate unit in an HA cluster to log into the CLI of another unit in the
cluster. Usually you would use this command from the CLI of the primary unit to log into the CLI of a subordinate
unit. However, if you have logged into a subordinate unit CLI, you can use this command to log into the primary
unit CLI, or the CLI of another subordinate unit.

You can use CLI commands to manage the cluster unit that you have logged into. If you make changes to the
configuration of any cluster unit (primary or subordinate unit) these changes are synchronized to all cluster units.

Syntax
execute ha manage <cluster-index>

Variable Description

cluster-index
    The cluster index is assigned by the FortiGate Clustering Protocol according to cluster unit serial number. The cluster unit with the highest serial number has a cluster index of 0. The cluster unit with the second highest serial number has a cluster index of 1, and so on. Enter ? to list the cluster indexes of the cluster units that you can log into. The list does not show the unit that you are already logged into.

Example
This example shows how to log into a subordinate unit in a cluster of three FortiGate units. In this example you
have already logged into the primary unit. The primary unit has serial number FGT3082103000056. The
subordinate units have serial numbers FGT3012803021709 and FGT3082103021989.
execute ha manage ?
<id>    please input slave cluster index.
<0>     Subsidary unit FGT3012803021709
<1>     Subsidary unit FGT3082103021989
Type 0 and press enter to connect to the subordinate unit with serial number FGT3012803021709. The CLI
prompt changes to the host name of this unit. To return to the primary unit, type exit.

From the subordinate unit you can also use the execute ha manage command to log into the primary unit or
into another subordinate unit. Enter the following command:
execute ha manage ?
<id>    please input slave cluster index.
<1>     Subsidary unit FGT3082103021989
<2>     Subsidary unit FGT3082103000056
Type 2 and press enter to log into the primary unit or type 1 and press enter to log into the other subordinate unit.
The CLI prompt changes to the host name of this unit.

ha synchronize

Use this command from a subordinate unit in an HA cluster to manually synchronize its configuration with the
primary unit or to stop a synchronization process that is in progress.

Syntax
execute ha synchronize {start | stop}
Variable Description

start Start synchronizing the cluster configuration.

stop Stop the cluster from completing synchronizing its configuration.


interface dhcpclient-renew

Renew the DHCP client for the specified DHCP interface and close the CLI session. If there is no DHCP
connection on the specified port, there is no output.

Syntax
execute interface dhcpclient-renew <port>

Example
This is the output for renewing the DHCP client on port1 before the session closes:
# execute interface dhcpclient-renew port1
renewing dhcp lease on port1

interface pppoe-reconnect

Reconnect to the PPPoE service on the specified PPPoE interface and close the CLI session. If there is no PPPoE
connection on the specified port, there is no output.

Syntax
execute interface pppoe-reconnect <port>

log backup

Use this command to back up all logs, index files, and report databases. The files are compressed and combined
into a TAR archive.

Syntax
execute log backup <file name>
where <file name> is the name of the backup file to create.

log client-reputation-report

Use these commands to control client-reputation log actions.

Syntax

To accept a host so that it has its own baselines
execute log client-reputation-report accept <policy-id> <host>

To clear all auto-profile data
execute log client-reputation-report clear

To ignore a host, removing it from the abnormal list
execute log client-reputation-report ignore <policy-id> <host>

To refresh the data of one option result
execute log client-reputation-report refresh <policy-id> <option> <action>
<option> is one of bandwidth, session, failconn, geo, or app
<action> is one of data, baseline, or data_baseline (both data and baseline)

To get baseline/average information of one option
execute log client-reputation-report result baseline <policy-id> <option>
<option> is one of bandwidth, session, or failconn

To get hourly data of a host visiting a country or using an application
execute log client-reputation-report result details {hourly | total} <policy-id> <option> <name> <host>
<option> is geo or app
<name> is the name of the country or application

To list abnormal hosts of one or all options
execute log client-reputation-report result list <policy-id> <option>
<option> is geo, app, or all

To list periodical data of one host of one option
execute log client-reputation-report result period <policy-id> <option> <host> <periods>
<option> is one of bandwidth, session, failconn, geo, or app
<periods> is number of periods to list

To list the top 10 abnormal hosts of one option
execute log client-reputation-report result top10 <policy-id> <option>
<option> is one of bandwidth, session, failconn, geo, or app

To run reports immediately
execute log client-reputation-report run <policy-id>


log convert-oldlogs

Use this command to convert old compact logs to the new format. This command is available only if you have
upgraded from an earlier version of FortiOS and have old compact logs on your system.

Syntax
execute log convert-oldlogs

log delete-all

Use this command to clear all log entries for this VDOM in memory and current log files on hard disk. If your
FortiGate unit has no hard disk, only log entries in system memory will be cleared. You will be prompted to
confirm the command.

Syntax
execute log delete-all

log delete-oldlogs

Use this command to delete old compact logs. This command is available only if you have upgraded from an
earlier version of FortiOS and have old compact logs on your system.

Syntax
execute log delete-oldlogs

log detail

Display UTM-related log entries for traffic log entries in this VDOM.

Syntax
execute log detail <category> <utm-ref>
where <category> is one of:

2: utm-virus
3: utm-webfilter
4: utm-ips
5: utm-spam
9: utm-dlp
10: utm-app-ctrl

You can obtain <utm-ref> from the execute log display output.

log display

Use this command to display log messages for this VDOM that you have selected with the execute log
filter command.

Syntax
execute log display
The console displays the first 10 log messages. To view more messages, run the command again. You can do
this until you have seen all of the selected log messages. To restart viewing the list from the beginning, use the
commands
execute log filter start-line 1
execute log display
You can restore the log filters to their default values using the command
execute log filter reset

log downgrade-log

Use this command to downgrade existing logs to v5.0 format prior to a firmware downgrade to FortiOS v5.0.

Syntax
execute log downgrade-log

log filter

Use this command to select log messages in this VDOM for viewing or deletion. You can view one log category on
one device at a time. Optionally, you can filter the messages to select only specified date ranges or severities of
log messages. For traffic logs, you can filter log messages by source or destination IP address.

Commands are cumulative. If you omit a required variable, the command displays the current setting.

Use as many execute log filter commands as you need to define the log messages that you want to
view.

Syntax
execute log filter category <category_name>
execute log filter device {disk | memory}
execute log filter dump
execute log filter field <name> <value> [<value2>,...<valuen>] [not]
execute log filter ha-member <unitsn_str>
execute log filter reset [all | field]
execute log filter rolled_number <number>
execute log filter sortby <field> [max-sort-lines]
execute log filter start-line <line_number>

execute log filter view-lines <count>

category <category_name>
    Enter the type of log you want to select. To see a list of available categories, enter execute log filter category. Default: event.

device {disk | memory}
    Device where the logs are stored. Default: disk.

dump
    Display the current filter settings. No default.

field <name> <value> [<value2>,...<valuen>] [not]
    Enter execute log filter field to view the list of field names. Press Enter after <name> to view information about the value parameters for that field. not inverts the field value condition. No default.

ha-member <unitsn_str>
    Select logs from the specified HA cluster member. Enter the serial number of the unit.

reset [all | field]
    Reset all filter settings. Use the field option to reset only the filter field settings. No default.

rolled_number <number>
    Select logs from a rolled log file. 0 selects the current log file. Default: 0.

sortby <field> [max-sort-lines]
    Sort logs by the specified field. No default.

start-line <line_number>
    Select logs starting at the specified line number. Default: 1.

view-lines <count>
    Set the number of lines per view. Range: 5 to 1000. Default: 10.

log fortianalyzer test-connectivity

Use this command to test the connection to the FortiAnalyzer unit. This command is available only when
FortiAnalyzer is configured.

Syntax
execute log fortianalyzer test-connectivity

Example
When FortiAnalyzer is connected, the output looks like this:
FortiAnalyzer Host Name: FortiAnalyzer-800B
FortiGate Device ID: FG50B3G06500085
Registration: registered
Connection: allow
Disk Space (Used/Allocated): 468/1003 MB
Total Free Space: 467088 MB
Log: Tx & Rx
Report: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx
When FortiAnalyzer is not connected, the output is:
Connect Error
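A FortiGate that has lost its connection to the log collector is silently dropping audit data, so this command is worth running from a monitoring job rather than only by hand. The following parser is an added example and is not part of the FortiOS CLI reference: it turns the output shown above into a status for a health check, treating "Connect Error" and any stream that is not "Tx & Rx" as critical. The sample output is the one printed above; the field names are assumed to be stable across the FortiGate models the check is run against, and the 80% disk threshold is an arbitrary choice.

```python
"""Parse the output of `execute log fortianalyzer test-connectivity`.

Added example, not part of the FortiOS CLI reference. The sample output is the
one printed in the reference; the field names are assumed to be stable across
the models this check is run against.
"""
import re

# Constructed from the sample output shown in the reference.
SAMPLE_OK = """\
FortiAnalyzer Host Name: FortiAnalyzer-800B
FortiGate Device ID: FG50B3G06500085
Registration: registered
Connection: allow
Disk Space (Used/Allocated): 468/1003 MB
Total Free Space: 467088 MB
Log: Tx & Rx
Report: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx
"""

# The output when no FortiAnalyzer is reachable, as described in the reference.
SAMPLE_DOWN = "Connect Error\n"

_LINE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")


def parse_test_connectivity(text):
    """Return a dict of key -> value; 'Connect Error' yields an empty dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "Connect Error":
            continue
        m = _LINE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields


def disk_usage_percent(fields):
    """Used/allocated percentage from 'Disk Space (Used/Allocated): 468/1003 MB'."""
    raw = fields.get("Disk Space (Used/Allocated)", "")
    m = re.match(r"(\d+)/(\d+)\s*MB", raw)
    if not m or int(m.group(2)) == 0:
        return None
    return round(100.0 * int(m.group(1)) / int(m.group(2)), 1)


def check_fortianalyzer(text, disk_warn_percent=80.0):
    """Classify the output for a monitoring check.

    Returns (status, problems) where status is 'ok', 'warning' or 'critical'.
    A FortiGate that cannot reach its log collector is losing audit data, so a
    missing connection is critical, not merely a warning.
    """
    if "Connect Error" in text:
        return "critical", ["no connection to FortiAnalyzer"]
    f = parse_test_connectivity(text)
    problems = []
    if f.get("Registration") != "registered":
        problems.append("device not registered: %r" % f.get("Registration"))
    if f.get("Connection") != "allow":
        problems.append("connection not allowed: %r" % f.get("Connection"))
    # Every stream must be both sending and receiving; anything else is a gap.
    for stream in ("Log", "Report", "Content Archive", "Quarantine"):
        if f.get(stream) != "Tx & Rx":
            problems.append("%s stream is %r" % (stream, f.get(stream)))
    if problems:
        return "critical", problems
    pct = disk_usage_percent(f)
    if pct is not None and pct >= disk_warn_percent:
        return "warning", ["FortiAnalyzer disk quota %.1f%% used" % pct]
    return "ok", []


if __name__ == "__main__":
    print(check_fortianalyzer(SAMPLE_OK))
    print(check_fortianalyzer(SAMPLE_DOWN))
```

Feed the function the text captured from the CLI session; the disk threshold is the only tunable, because the other fields are pass/fail by nature.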

log list

You can view the list of current and rolled log files for this VDOM on the console. The list shows the file name,
size and timestamp.

Syntax
execute log list <category>
To see a list of available categories, enter

execute log list

Example
The output looks like this:
elog 8704 Fri March 6 14:24:35 2009
elog.1 1536 Thu March 5 18:02:51 2009
elog.2 35840 Wed March 4 22:22:47 2009
At the end of the list, the total number of files in the category is displayed. For example:
501 event log file(s) found.
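The trailing count line makes it possible to detect a truncated capture, and the per-file sizes and timestamps tell you how much local log history the unit still holds. The parser below is an added example, not part of the FortiOS CLI reference. Its sample input is the listing shown above with the trailing count set to the three files actually listed; it assumes every file line has the shape "<name> <size_bytes> <timestamp>" and that rolled files carry a numeric suffix such as elog.1.

```python
"""Parse the output of `execute log list <category>`.

Added example, not from the FortiOS CLI reference. Assumes each file line is
'<name> <size_bytes> <timestamp>' and the listing ends with
'<n> <category> log file(s) found.'.
"""
import re
from datetime import datetime

# Constructed from the sample in the reference, with the trailing count
# adjusted to match the three files actually listed.
SAMPLE = """\
elog 8704 Fri March 6 14:24:35 2009
elog.1 1536 Thu March 5 18:02:51 2009
elog.2 35840 Wed March 4 22:22:47 2009
3 event log file(s) found.
"""

_FILE = re.compile(
    r"^(?P<name>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<ts>\w{3} \w+ \d{1,2} \d\d:\d\d:\d\d \d{4})$"
)
_COUNT = re.compile(r"^(?P<n>\d+) (?P<cat>\S+) log file\(s\) found\.$")


def parse_log_list(text):
    """Return (files, reported_count, category).

    files is a list of dicts with name, size, time and rolled (True for
    rolled files such as elog.1). Raises ValueError if the number of file
    lines disagrees with the count the FortiGate reports, which usually
    means the console capture was truncated.
    """
    files = []
    count = None
    category = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _COUNT.match(line)
        if m:
            count = int(m.group("n"))
            category = m.group("cat")
            continue
        m = _FILE.match(line)
        if not m:
            raise ValueError("unrecognised line: %r" % line)
        name = m.group("name")
        files.append({
            "name": name,
            "size": int(m.group("size")),
            "time": datetime.strptime(m.group("ts"), "%a %B %d %H:%M:%S %Y"),
            "rolled": "." in name,
        })
    if count is None:
        raise ValueError("listing has no trailing file count")
    if count != len(files):
        raise ValueError("FortiGate reports %d files but %d were listed" % (count, len(files)))
    return files, count, category


def total_bytes(files):
    """Disk consumed by this category, current file plus rolled files."""
    return sum(f["size"] for f in files)


def oldest_rolled(files):
    """The oldest rolled file tells you how far back local logs still reach."""
    rolled = [f for f in files if f["rolled"]]
    return min(rolled, key=lambda f: f["time"]) if rolled else None
```

With 501 files in a category, comparing total_bytes() against the disk quota and oldest_rolled() against your retention requirement is the practical use of this listing.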

log rebuild-sqldb

Use this command to rebuild the SQL database from log files.

If run in the VDOM context, only this VDOM’s SQL database is rebuilt. If run in the global context, the SQL
database is rebuilt for all VDOMs.

If SQL logging is disabled, this command is unavailable.

Syntax
execute log rebuild-sqldb

log recreate-sqldb

Use this command to recreate the SQL log database.

If SQL logging is disabled, this command is unavailable.

Syntax
execute log recreate-sqldb

log-report reset

Use this command to delete all logs, archives and user configured report templates.

Syntax
execute log-report reset

log restore

Use this command to restore all logs, index files, and report databases from a backup file created with the log backup command.

This command wipes out all existing logs and the report database for the VDOM. It is only available on debug firmware builds.

It is recommended to stop reportd and miglogd before running this command:
kill -3 1
killall miglogd
killall reportd

Syntax
execute log restore <file name>
where <file name> is the name of the backup file to use.

log roll

Use this command to roll all log files.

Syntax
execute log roll

log shift-time

Use this command together with the log backup and log restore commands. You can load a previously generated log set and shift its timestamps by the specified number of hours, to do demos or testing without needing to regenerate data.

Syntax
execute log shift-time <number of hours>

log upload-progress

Use this command to display the progress of the latest log upload.

Syntax
execute log upload-progress

modem dial

Dial the modem.

The dial command dials the accounts configured in config system modem until it makes a connection or it
has made the maximum configured number of redial attempts.

This command can be used if the modem is in Standalone mode.

Syntax
execute modem dial

modem hangup

Hang up the modem.

This command can be used if the modem is in Standalone mode.

Syntax
execute modem hangup

modem trigger

This command sends a signal to the modem daemon, which causes the state machine to re-evaluate its current
state. If for some reason the modem should be connected but isn't, then it will trigger a redial. If the modem
should not be connected but is, this command will cause the modem to disconnect.

Syntax
execute modem trigger


mrouter clear

Clear multicast routes, RP-sets, IGMP membership records or routing statistics.

Syntax
Clear IGMP memberships:
execute mrouter clear igmp-group {{<group-address>} <interface-name>}
execute mrouter clear igmp-interface <interface-name>
Clear multicast routes:
execute mrouter clear <route-type> {<group-address> {<source-address>}}
Clear PIM-SM RP-sets learned from the bootstrap router (BSR):
execute mrouter clear sparse-mode-bsr
Clear statistics:
execute mrouter clear statistics {<group-address> {<source-address>}}
<interface-name>
    Enter the name of the interface on which you want to clear IGMP memberships.

<group-address>
    Optionally enter a group address to limit the command to a particular group.

<route-type>
    Enter one of:
    dense-routes - clear only PIM dense-mode routes
    multicast-routes - clear all types of multicast routes
    sparse-routes - clear only PIM sparse-mode routes

<source-address>
    Optionally enter a source address to limit the command to a particular source. You must also specify <group-address>.

netscan

Use this command to start and stop the network vulnerability scanner and perform related functions.

Syntax
execute netscan import
execute netscan list
execute netscan start scan
execute netscan status
execute netscan stop


Variable Description

import Import hosts discovered on the last asset discovery scan.

list List the hosts discovered on the last asset discover scan.

start scan Start configured vulnerability scan.

status Display the status of the current network vulnerability scan.

stop Stop the current network vulnerability scan.

pbx

Use this command to view active calls, extensions and SIP trunks, and to delete, list or upload the music files played while a caller is on hold and the voice prompt files.

Syntax
execute pbx active-call <list>
execute pbx extension <list>
execute pbx ftgd-voice-pkg {sip-trunk}
execute pbx music-on-hold {delete | list | upload}
execute pbx prompt upload ftp <file.tgz> <ftp_server_address>[:port] [<username>] [<password>]
execute pbx prompt upload tftp <file.tgz> <tftp_server_address>
execute pbx prompt upload usb <file.tgz>
execute pbx restore-default-prompts
execute pbx sip-trunk list
active-call <list>
    Display a list of the active calls being processed by the FortiGate Voice unit.

extension <list>
    Display the status of all extensions with SIP phones that have connected to the FortiGate Voice unit.

ftgd-voice-pkg {sip-trunk}
    Retrieve FortiGuard voice package SIP trunk information.

music-on-hold {delete | list | upload}
    Delete, list or upload music-on-hold files. You can upload music-on-hold files using FTP, TFTP, or from a USB drive plugged into the FortiGate Voice unit.

prompt upload ftp <file.tgz> <ftp_server_address>[:port] [<username>] [<password>]
    Upload new PBX voice prompt files using FTP. The voice prompt files should be added to a tar file and gzipped; this file usually has the extension .tgz. You must include the filename and the FTP server address (domain name or IPv4 address) and, if required, the username and password for the server.

prompt upload tftp <file.tgz> <tftp_server_address>
    Upload new PBX voice prompt files using TFTP. The voice prompt files should be added to a tar file and gzipped; this file usually has the extension .tgz. You must include the filename and the TFTP server IP address.

prompt upload usb <file.tgz>
    Upload new PBX voice prompt files from a USB drive plugged into the FortiGate Voice unit. The voice prompt files should be added to a tar file and gzipped; this file usually has the extension .tgz. You must include the filename.

restore-default-prompts
    Restore the default English voicemail and other PBX system prompts. Use this command if you have changed the default prompts and want to restore the default settings.

sip-trunk list
    Display the status of all SIP trunks that have been added to the FortiGate Voice configuration.

Example command output


Enter the following command to view active calls:
execute pbx active-call
Call-From    Call-To    Duration
6016         6006       00:00:46
Enter the following command to display the status of all extensions:
execute pbx extension list
Extension   Host           Dialplan
6052        Unregister     company-default
6051        Unregister     company-default
6050        Unregister     company-default
6022        Unregister     company-default
6021/6021   172.30.63.34   company-default
6020        Unregister     company-default
Enter the following command to display the status of all SIP trunks:
execute pbx sip-trunk list
Name         Host           Username   Account-Type   State
Provider_1   192.169.20.1   +5555555   Static         N/A


ping

Send an ICMP echo request (ping) to test the network connection between the FortiGate unit and another
network device.

Syntax
execute ping {<address_ipv4> | <host-name_str>}
<address_ipv4> is an IPv4 address; <host-name_str> is a fully qualified domain name, which the FortiGate unit can only use if it has a working DNS server.

Example
This example shows how to ping a host with the IP address 172.20.120.16.
execute ping 172.20.120.16
PING 172.20.120.16 (172.20.120.16): 56 data bytes
64 bytes from 172.20.120.16: icmp_seq=0 ttl=128 time=0.5 ms
64 bytes from 172.20.120.16: icmp_seq=1 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=2 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=3 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=4 ttl=128 time=0.2 ms
--- 172.20.120.16 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.5 ms
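When the ping is run from a script (over the CLI, for a reachability check after a change), the statistics block is what you act on. The following parser is an added example and is not part of the FortiOS CLI reference. It takes the output format shown above, checks the transmitted count against the repeat-count you set with ping-options, and fails on loss, on a high average round-trip time, or on replies carrying different TTLs. The first sample is the reference's own output; the zero-reply sample and the thresholds are constructed assumptions.

```python
"""Parse `execute ping` output and turn it into a pass/fail check.

Added example, not from the FortiOS CLI reference. SAMPLE_OK is the
reference's output for 172.20.120.16; SAMPLE_DEAD is constructed to show
the statistics block when nothing answers (there is no round-trip line
because no reply was received).
"""
import re

SAMPLE_OK = """\
PING 172.20.120.16 (172.20.120.16): 56 data bytes
64 bytes from 172.20.120.16: icmp_seq=0 ttl=128 time=0.5 ms
64 bytes from 172.20.120.16: icmp_seq=1 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=2 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=3 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=4 ttl=128 time=0.2 ms
--- 172.20.120.16 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.5 ms
"""

# Constructed: the same command against a host that never answers.
SAMPLE_DEAD = """\
PING 10.0.0.9 (10.0.0.9): 56 data bytes
--- 10.0.0.9 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
"""

_REPLY = re.compile(r"icmp_seq=(?P<seq>\d+) ttl=(?P<ttl>\d+) time=(?P<rtt>[\d.]+) ms")
_STATS = re.compile(r"(?P<tx>\d+) packets transmitted, (?P<rx>\d+) packets received, "
                    r"(?P<loss>\d+)% packet loss")
_RTT = re.compile(r"round-trip min/avg/max = (?P<min>[\d.]+)/(?P<avg>[\d.]+)/(?P<max>[\d.]+) ms")


def parse_ping(text):
    """Return replies, counters and the min/avg/max tuple (None if no reply)."""
    result = {"replies": [], "tx": None, "rx": None, "loss": None, "rtt": None}
    for line in text.splitlines():
        m = _REPLY.search(line)
        if m:
            result["replies"].append(
                (int(m.group("seq")), int(m.group("ttl")), float(m.group("rtt"))))
            continue
        m = _STATS.search(line)
        if m:
            result["tx"], result["rx"], result["loss"] = (
                int(m.group(k)) for k in ("tx", "rx", "loss"))
            continue
        m = _RTT.search(line)
        if m:
            result["rtt"] = tuple(float(m.group(k)) for k in ("min", "avg", "max"))
    if result["tx"] is None:
        raise ValueError("no statistics line; ping output is incomplete")
    return result


def check_ping(text, expected_count, max_loss_percent=0, max_avg_ms=None):
    """Return (ok, reason).

    expected_count is the value you configured with
    `execute ping-options repeat-count`; if fewer packets were transmitted
    the ping was interrupted and its result should not be trusted.
    """
    r = parse_ping(text)
    if r["tx"] != expected_count:
        return False, "only %d of %d packets sent" % (r["tx"], expected_count)
    if r["loss"] > max_loss_percent:
        return False, "%d%% packet loss" % r["loss"]
    avg = r["rtt"][1] if r["rtt"] else float("nan")
    if max_avg_ms is not None and r["rtt"] and avg > max_avg_ms:
        return False, "average rtt %.1f ms exceeds %.1f ms" % (avg, max_avg_ms)
    # Replies with differing TTLs arrived over different paths or from
    # different hosts; that is worth surfacing rather than averaging away.
    ttls = {ttl for _, ttl, _ in r["replies"]}
    if len(ttls) > 1:
        return False, "replies carry different TTLs: %s" % sorted(ttls)
    return True, "%d/%d replies, avg %.1f ms" % (r["rx"], r["tx"], avg)
```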

ping-options, ping6-options

Set ICMP echo request (ping) options to control the way ping tests the network connection between the FortiGate
unit and another network device.

Syntax
execute ping-options data-size <bytes>
execute ping-options df-bit {yes | no}
execute ping-options pattern <2-byte_hex>
execute ping-options repeat-count <repeats>
execute ping-options source {auto | <source-intf_ip>}
execute ping-options timeout <seconds>
execute ping-options tos <service_type>
execute ping-options ttl <hops>
execute ping-options validate-reply {yes | no}
execute ping-options view-settings
data-size <bytes>
    Specify the datagram size in bytes. Default: 56.

df-bit {yes | no}
    Set df-bit to yes to prevent the ICMP packet from being fragmented. Set df-bit to no to allow the ICMP packet to be fragmented. Default: no.

pattern <2-byte_hex>
    Used to fill in the optional data buffer at the end of the ICMP packet. The size of the buffer is specified using the data-size parameter. This allows you to send out packets of different sizes for testing the effect of packet size on the connection. No default.

repeat-count <repeats>
    Specify how many times to repeat the ping. Default: 5.

source {auto | <source-intf_ip>}
    Specify the FortiGate interface from which to send the ping. If you specify auto, the FortiGate unit selects the source address and interface based on the route to the <host-name_str> or <address_ipv4>. Specifying the IP address of a FortiGate interface tests connections to different network segments from the specified interface. Default: auto.

timeout <seconds>
    Specify, in seconds, how long to wait until the ping times out. Default: 2.

tos <service_type>
    Set the ToS (Type of Service) field in the packet header to indicate the quality of service wanted. One of:
    lowdelay - minimize delay
    throughput - maximize throughput
    reliability - maximize reliability
    lowcost - minimize cost
    Default: 0.

ttl <hops>
    Specify the time to live. Time to live is the number of hops the ping packet should be allowed to make before being discarded or returned. Default: 64.

validate-reply {yes | no}
    Select yes to validate reply data. Default: no.

view-settings
    Display the current ping-option settings. No default.

Example
Use the following command to increase the number of pings sent.
execute ping-options repeat-count 10
Use the following command to send all pings from the FortiGate interface with IP address 192.168.10.23.
execute ping-options source 192.168.10.23

ping6

Send an ICMP echo request (ping) to test the network connection between the FortiGate unit and an IPv6
capable network device.

Syntax
execute ping6 {<address_ipv6> | <host-name_str>}

Example
This example shows how to ping a host with the IPv6 address 12AB:0:0:CD30:123:4567:89AB:CDEF.
execute ping6 12AB:0:0:CD30:123:4567:89AB:CDEF

policy-packet-capture delete-all

Use this command to delete captured packets.

Syntax
execute policy-packet-capture delete-all
You will be asked to confirm that you want to delete the packets.

reboot

Restart the FortiGate unit.

Abruptly powering off your FortiGate unit may corrupt its configuration. Using the reboot and shutdown commands here or in the web-based manager ensures that proper shutdown procedures are followed to prevent any loss of configuration.

Syntax
execute reboot [comment <comment_string>]
comment is optional. Use it to add a message that will appear in the hard disk log indicating the reason for the reboot. If the message is more than one word it must be enclosed in quotes.

Example
This example shows the reboot command with a message included.
execute reboot comment "December monthly maintenance"


report

Use these commands to manage reports.

Syntax
To flush the report caches:
execute report flush-cache

To recreate the report database:
execute report recreate-db

To generate a report:
execute report run [<layout_name> ["start-time" "end-time"]]
The start and end times have the format yyyy-mm-dd hh:mm:ss.

report-config reset

Use this command to reset report templates to the factory default. Logs are not deleted.

If SQL logging is disabled, this command is unavailable.

Syntax
execute report-config reset

restore

Use this command to:
- restore the configuration from a file
- change the FortiGate firmware
- change the FortiGate backup firmware
- restore an IPS custom signature file

When virtual domain configuration is enabled (in system global, vdom-admin is enabled), the content of
the backup file depends on the administrator account that created it.

A backup of the system configuration from the super admin account contains the global settings and the settings
for all of the VDOMs. Only the super admin account can restore the configuration from this file.

A backup file from a regular administrator account contains the global settings and the settings for the VDOM to
which the administrator belongs. Only a regular administrator account can restore the configuration from this file.


Syntax
execute restore av ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore av tftp <filename_str> <server_ipv4[:port_int]>
execute restore config flash <revision>
execute restore config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>] [<backup_password_str>]
execute restore config management-station {normal | template | script} <rev_int>
execute restore config tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute restore config usb <filename_str> [<backup_password_str>]
execute restore config usb-mode [<backup_password_str>]
execute restore forticlient tftp <filename_str> <server_ipv4>
execute restore image flash <revision>
execute restore image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore image management-station <version_int>
execute restore image tftp <filename_str> <server_ipv4>
execute restore image usb <filename_str>
execute restore ips ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore ips tftp <filename_str> <server_ipv4>
execute restore ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore ipsuserdefsig tftp <filename_str> <server_ipv4>
execute restore secondary-image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore secondary-image tftp <filename_str> <server_ipv4>
execute restore secondary-image usb <filename_str>
execute restore src-vis <src-vis-pkgfile>
execute restore vcm {ftp | tftp} <filename_str> <server_ipv4>
execute restore vmlicense {ftp | tftp} <filename_str> <server_ipv4>
av ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
    Download the antivirus database file from an FTP server to the FortiGate unit.

av tftp <filename_str> <server_ipv4[:port_int]>
    Download the antivirus database file from a TFTP server to the FortiGate unit.

config flash <revision>
    Restore the specified revision of the system configuration from the flash disk.

config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>] [<backup_password_str>]
    Restore the system configuration from an FTP server. The new configuration replaces the existing configuration, including administrator accounts and passwords. If the backup file was created with a password, you must specify the password.

config management-station {normal | template | script} <rev_int>
    Restore the system configuration from the central management server. The new configuration replaces the existing configuration, including administrator accounts and passwords. rev_int is the revision number of the saved configuration to restore. Enter 0 for the most recent revision.

config tftp <filename_str> <server_ipv4> [<backup_password_str>]
    Restore the system configuration from a file on a TFTP server. The new configuration replaces the existing configuration, including administrator accounts and passwords. If the backup file was created with a password, you must specify the password.

config usb <filename_str> [<backup_password_str>]
    Restore the system configuration from a file on a USB disk. The new configuration replaces the existing configuration, including administrator accounts and passwords. If the backup file was created with a password, you must specify the password.

config usb-mode [<backup_password_str>]
    Restore the system configuration from a USB disk. The new configuration replaces the existing configuration, including administrator accounts and passwords. When the USB drive is removed, the FortiGate unit reboots and reverts to its existing configuration. If the backup file was created with a password, you must specify the password.

forticlient tftp <filename_str> <server_ipv4>
    Download the FortiClient image from a TFTP server to the FortiGate unit. The filename must have the format FortiClientSetup_versionmajor.versionminor.build.exe. For example, FortiClientSetup.4.0.377.exe.

image flash <revision>
    Restore the specified firmware image from the flash disk.

image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
    Download a firmware image from an FTP server to the FortiGate unit. The FortiGate unit reboots, loading the new firmware. This command is not available in multiple VDOM mode.

image management-station <version_int>
    Download a firmware image from the central management station. This is available if you have configured a FortiManager unit as a central management server. This is also available if your account with FortiGuard Analysis and Management Service allows you to upload firmware images.

image tftp <filename_str> <server_ipv4>
    Download a firmware image from a TFTP server to the FortiGate unit. The FortiGate unit reboots, loading the new firmware. This command is not available in multiple VDOM mode.

image usb <filename_str>
    Download a firmware image from a USB disk to the FortiGate unit. The FortiGate unit reboots, loading the new firmware.

ips ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
    Download the IPS database file from an FTP server to the FortiGate unit.

ips tftp <filename_str> <server_ipv4>
    Download the IPS database file from a TFTP server to the FortiGate unit.

ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
    Restore the IPS custom signature file from an FTP server. The file will overwrite the existing IPS custom signature file.

ipsuserdefsig tftp <filename_str> <server_ipv4>
    Restore the IPS custom signature file from a TFTP server. The file will overwrite the existing IPS custom signature file.

secondary-image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
    Download a firmware image from an FTP server as the backup firmware of the FortiGate unit. Available on models that support backup firmware images.

secondary-image tftp <filename_str> <server_ipv4>
    Download a firmware image from a TFTP server as the backup firmware of the FortiGate unit. Available on models that support backup firmware images.

secondary-image usb <filename_str>
    Download a firmware image from a USB disk as the backup firmware of the FortiGate unit. The unit restarts when the upload is complete. Available on models that support backup firmware images.

src-vis <src-vis-pkgfile>
    Download the source visibility signature package.

vcm {ftp | tftp} <filename_str> <server_ipv4>
    Restore the VCM engine/plugin from an FTP or TFTP server.

vmlicense {ftp | tftp} <filename_str> <server_ipv4>
    Restore the VM license (VM version of the product only).

Example
This example shows how to upload a configuration file from a TFTP server to the FortiGate unit and restart the
FortiGate unit with this configuration. The name of the configuration file on the TFTP server is backupconfig.
The IP address of the TFTP server is 192.168.1.23.
execute restore config tftp backupconfig 192.168.1.23

revision

Use these commands to manage configuration and firmware image files on the local disk.

Syntax

To delete a configuration file:
execute revision delete config <revision>

To delete a firmware image file:
execute revision delete image <revision>

To list the configuration files:
execute revision list config

To list the firmware image files:
execute revision list image

router clear bfd session

Use this command to clear a Bidirectional Forwarding Detection (BFD) session.

Syntax
execute router clear bfd session <src_ip> <dst_ip> <interface>
Variable Description

<src_ip> Select the source IP address of the session.

<dst_ip> Select the destination IP address of the session.

<interface> Select the interface for the session.

router clear bgp

Use this command to clear BGP peer connections.

Syntax
execute router clear bgp all [soft] [in | out]
execute router clear bgp as <as_number> [soft] [in | out]
execute router clear bgp dampening {ip_address | ip/netmask}
execute router clear bgp external {in prefix-filter} [soft] [in | out]
execute router clear bgp flap-statistics {ip_address | ip/netmask}
execute router clear bgp ip <ip_address> [soft] [in | out]
all
    Clear all BGP peer connections.

as <as_number>
    Clear BGP peer connections by AS number.

dampening {ip_address | ip/netmask}
    Clear route flap dampening information for a peer or network.

external {in prefix-filter}
    Clear all external peers.

ip <ip_address>
    Clear BGP peer connections by IP address.

peer-group
    Clear all members of a BGP peer-group.

[in | out]
    Optionally limit the clear operation to inbound only or outbound only.

flap-statistics {ip_address | ip/netmask}
    Clear flap statistics for a peer or network.

soft
    Do a soft reset: configuration changes are applied without tearing down the existing BGP sessions.

router clear ospf process

Use this command to clear the OSPF routing process and restart it.

Syntax
IPv4:
execute router clear ospf process
IPv6:
execute router clear ospf6 process

router restart

Use this command to restart the routing software.

Syntax
execute router restart

send-fds-statistics

Use this command to send an FDS statistics report now, without waiting for the FDS statistics report interval to
expire.

Syntax
execute send-fds-statistics


set system session filter

Use these commands to define the session filter for get system session commands.

Syntax
To clear the filter settings:
execute set system session filter clear {all|dport|dst|duration|expire|policy|proto|sport|src|vd}

To specify the destination port:
execute set system session filter dport <port_range>

To specify the destination IP address:
execute set system session filter dst <ip_range>

To specify the duration:
execute set system session filter duration <duration_range>

To specify the expiry:
execute set system session filter expire <expire_range>

To list the filter settings:
execute set system session filter list

To invert a filter setting:
execute set system session filter negate {dport|dst|duration|expire|policy|proto|sport|src|vd}

To specify the firewall policy ID:
execute set system session filter policy <policy_range>

To specify the protocol:
execute set system session filter proto <protocol_range>

To specify the source port:
execute set system session filter sport <port_range>

To specify the source IP address:
execute set system session filter src <ip_range>

To specify the virtual domain:
execute set system session filter vd <vdom_index>

<duration_range>
    The start and end times, separated by a space.

<expire_range>
    The start and end times, separated by a space.

<ip_range>
    The start and end IP addresses, separated by a space.

<policy_range>
    The start and end policy numbers, separated by a space.

<port_range>
    The start and end port numbers, separated by a space.

<protocol_range>
    The start and end protocol numbers, separated by a space.

<vdom_index>
    The VDOM index number. -1 means all VDOMs.

set-next-reboot

Use this command to start the FortiGate unit with primary or secondary firmware after the next reboot. Available
on models that can store two firmware images. By default, the FortiGate unit loads the firmware from the primary
partition.

VDOM administrators do not have permission to run this command. It must be executed by a super administrator.

Syntax
execute set-next-reboot {primary | secondary}

sfp-mode-sgmii

Change the SFP mode for an NP2 card to SGMII. By default, when an AMC card is inserted the SFP mode is set to SERDES.

If a configured NP2 card is removed and re-inserted, the SFP mode goes back to the default.

In these situations, the sfpmode-sgmii command changes the SFP mode from SERDES to SGMII for the specified interface.

Syntax
execute sfpmode-sgmii <interface>
<interface> is the NP2 interface where you are changing the SFP mode.

shutdown

Shut down the FortiGate unit now. You will be prompted to confirm this command.

Abruptly powering off your FortiGate unit may corrupt its configuration. Using the reboot and shutdown commands here or in the web-based manager ensures that proper shutdown procedures are followed to prevent any loss of configuration.

Syntax
execute shutdown [comment <comment_string>]
comment is optional. Use it to add a message that will appear in the event log message that records the shutdown. The comment does not appear on the Alert Message console. If the message is more than one word it must be enclosed in quotes.

Example
This example shows the shutdown command with a message included.
execute shutdown comment "emergency facility shutdown"
An event log message similar to the following is recorded:
2009-09-08 11:12:31 critical admin 41986 ssh(172.20.120.11) shutdown User admin shutdown the device from ssh(172.20.120.11). The reason is 'emergency facility shutdown'
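The event log line records who took the device down, from which management interface and address, and the stated reason, which is exactly what an incident responder wants when a firewall disappears unexpectedly. The following audit script is an added example covering both the reboot and the shutdown commands; it is not part of the FortiOS CLI reference. The first event line is the one recorded above; the login line, the reboot line and the second shutdown line are constructed in the same shape (the log ID and exact wording of a reboot message are assumptions, and the parser does not depend on them). The allowlists of management addresses and accounts are likewise assumptions for the example.

```python
"""Audit the event-log messages that `execute shutdown` and `execute reboot`
record. Added example, not from the FortiOS CLI reference. Only the first
event line comes from the reference; the others are constructed in the same
shape, and the reboot log ID is a placeholder the parser does not rely on.
"""
import re

SAMPLE_LOG = """\
2009-09-08 11:05:14 information admin 32001 ssh(172.20.120.11) login User admin login successfully from ssh(172.20.120.11)
2009-09-08 11:12:31 critical admin 41986 ssh(172.20.120.11) shutdown User admin shutdown the device from ssh(172.20.120.11). The reason is 'emergency facility shutdown'
2009-09-30 23:58:02 critical admin 41986 ssh(172.20.120.11) reboot User admin reboot the device from ssh(172.20.120.11). The reason is 'December monthly maintenance'
2009-10-02 03:17:45 critical svc_backup 41986 ssh(203.0.113.45) shutdown User svc_backup shutdown the device from ssh(203.0.113.45). The reason is ''
"""

# Field order follows the line shown in the reference: timestamp, level,
# user, log ID, user interface with its source address, action, free text.
# The source address is optional so a console session without "(addr)"
# still parses (an assumption about console-originated events).
_EVENT = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<level>\w+) (?P<user>\S+) (?P<logid>\d+) "
    r"(?P<ui>\w+)(?:\((?P<src>[^)]*)\))? (?P<action>shutdown|reboot)\b(?P<rest>.*)$"
)
_REASON = re.compile(r"The reason is '(?P<reason>[^']*)'")


def parse_power_events(lines):
    """Return the shutdown/reboot events, skipping every other line."""
    events = []
    for line in lines:
        m = _EVENT.match(line.strip())
        if not m:
            continue
        r = _REASON.search(m.group("rest"))
        events.append({
            "time": m.group("ts"),
            "level": m.group("level"),
            "user": m.group("user"),
            "ui": m.group("ui"),
            "src": m.group("src") or "",
            "action": m.group("action"),
            "reason": r.group("reason") if r else "",
        })
    return events


def audit_power_events(lines, allowed_sources, allowed_users=("admin",)):
    """Flag shutdowns and reboots that fall outside the expected pattern.

    A device going down from an address that is not a known management host,
    under an account that should never have that right, or with no stated
    reason deserves an incident ticket rather than a shrug.
    """
    findings = []
    for e in parse_power_events(lines):
        who = "%s by %s from %s(%s) at %s" % (
            e["action"], e["user"], e["ui"], e["src"], e["time"])
        if e["src"] and e["src"] not in allowed_sources:
            findings.append(who + ": source not in management allowlist")
        if e["user"] not in allowed_users:
            findings.append(who + ": account not expected to power-cycle the device")
        if not e["reason"]:
            findings.append(who + ": no reason given")
    return findings


if __name__ == "__main__":
    for finding in audit_power_events(SAMPLE_LOG.splitlines(), {"172.20.120.11"}):
        print(finding)
```

Run it over the event log exported from the unit (or forwarded to the collector) with the management subnet as the allowlist; an empty result means every power event was taken by an expected account, from an expected address, with a reason on record.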

ssh

Use this command to establish an ssh session with another system.

Syntax
execute ssh <destination> [<port>]
<destination> - the destination in the form user@ip or user@host.

[<port>] - optional TCP port number

Example
execute ssh admin@172.20.120.122
To end an ssh session, type exit:
FGT-6028030112 # exit
Connection to 172.20.120.122 closed.
FGT-8002805000 #

sync-session

Use this command to force a session synchronization.

Syntax
execute sync-session


system custom-language import

Use this command to import a custom language file from a TFTP server.

The web-based manager provides a downloadable template file. Go to System > Config > Advanced.

Syntax
execute system custom-language import <lang_name> <file_name> <tftp_server_ip>
<lang_name> - the language name
<file_name> - the language file name
<tftp_server_ip> - the TFTP server IP address

system fortisandbox test-connectivity

Use this command to query FortiSandbox connection status.

Syntax
execute fortisandbox test-connectivity

tac report

Use this command to create a debug report to send to Fortinet Support. Normally you would only use this
command if requested to by Fortinet Support.

Syntax
execute tac report

telnet

Use the telnet client. You can use this tool to test network connectivity. Telnet sends everything, including any
credentials you type, in cleartext, so use it for connectivity tests rather than for administering remote systems.

Syntax
execute telnet <telnet_ipv4>
<telnet_ipv4> is the address to connect to.

Type exit to close the telnet session.

time

Get or set the system time.


Syntax
execute time [<time_str>]
time_str has the form hh:mm:ss, where

hh is the hour and can be 00 to 23

mm is the minutes and can be 00 to 59

ss is the seconds and can be 00 to 59

If you do not specify a time, the command returns the current system time.

You are allowed to shorten numbers to only one digit when setting the time. For example both 01:01:01 and 1:1:1
are allowed.

Example
This example sets the system time to 15:31:03:
execute time 15:31:03

traceroute

Test the connection between the FortiGate unit and another network device, and display information about the
network hops between the device and the FortiGate unit.

Syntax
execute traceroute {<ip_address> | <host-name>}

Example
This example shows how to test the connection with docs.forticare.com. In this example the first hop responds but
the traceroute times out at the second hop, indicating a possible problem.
execute traceroute docs.forticare.com
traceroute to docs.forticare.com (65.39.139.196), 30 hops max, 38 byte packets
1 172.20.120.2 (172.20.120.2) 0.324 ms 0.427 ms 0.360 ms
 2  * * *
If your FortiGate unit is not connected to a working DNS server, you will not be able to connect to remote host-
named locations with traceroute.

tracert6

Test the connection between the FortiGate unit and another network device using IPv6 protocol, and display
information about the network hops between the device and the FortiGate unit.

Syntax
execute tracert6 [-Fdn] [-f first_ttl] [-i interface] [-m max_ttl] [-s src_addr] [-q nprobes] [-w waittime] [-z sendwait] host [paddatalen]


Variable Description

-F  Set the Don't Fragment bit.

-d  Enable debugging.

-n  Do not resolve numeric addresses to domain names.

-f <first_ttl>  Set the initial time-to-live used in the first outgoing probe packet.

-i <interface>  Select the interface to use for the trace.

-m <max_ttl>  Set the maximum time-to-live (maximum number of hops) used in outgoing probe packets.

-s <src_addr>  Set the source IP address to use in outgoing probe packets.

-q <nprobes>  Set the number of probes per hop.

-w <waittime>  Set the time in seconds to wait for a response to a probe. Default is 5.

-z <sendwait>  Set the time in milliseconds to pause between probes.

host  Enter the IP address or FQDN to probe.

<paddatalen>  Set the packet size to use when probing.

update-av

Use this command to manually initiate the virus definitions and engines update. To update both virus and attack
definitions, use the execute update-now command.

Syntax
execute update-av

update-geo-ip

Use this command to obtain an update to the IP geography database from FortiGuard.

Syntax
execute update-geo-ip

update-ips

Use this command to manually initiate the Intrusion Prevention System (IPS) attack definitions and engine
update. To update both virus and attack definitions, use the execute update-now command.


Syntax
execute update-ips

update-list

Use this command to download an updated FortiGuard server list.

Syntax
execute update-list

update-now

Use this command to manually initiate both virus and attack definitions and engine updates. To update only the
virus or only the attack definitions, use execute update-av or execute update-ips respectively.

Syntax
execute update-now

update-src-vis

Use this command to trigger an FDS update of the source visibility signature package.

Syntax
execute update-src-vis

upd-vd-license

Use this command to enter a Virtual Domain (VDOM) license key.

If you have a FortiGate unit that supports VDOM licenses, you can purchase a license key from Fortinet to
increase the maximum number of VDOMs to 25, 50, 100 or 500. By default, FortiGate units support a maximum
of 10 VDOMs.

Available on FortiGate models that can be licensed for more than 10 VDOMs.

Syntax
execute upd-vd-license <license_key>
Variable Description

<license_key>  The license key is a 32-character string supplied by Fortinet. Fortinet requires your unit serial number to generate the license key.


upload

Use this command to upload system configurations and firmware images to the flash disk from FTP, TFTP, or
USB sources.

FTP and TFTP transfer the file, and any FTP username and password, without encryption or integrity protection.
Run these transfers over a trusted management network, and prefer configuration files that were backed up with
a backup password so that the file itself is encrypted.

Syntax

To upload configuration files:

execute upload config ftp <filename_str> <comment> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute upload config tftp <filename_str> <comment> <server_ipv4>
execute upload config usb <filename_str> <comment>

To upload firmware image files:

execute upload image ftp <filename_str> <comment> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]]
execute upload image tftp <filename_str> <comment> <server_ipv4>
execute upload image usb <filename_str> <comment>

To upload report image files:

execute upload report-img ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]]
execute upload report-img tftp <filename_str> <server_ipv4>
Variable Description

<comment>  Comment string.

<filename_str>  Filename to upload.

<server_fqdn[:port_int]>  Server fully qualified domain name and optional port.

<server_ipv4[:port_int]>  Server IP address and optional port number.

<username_str>  Username required on the server.

<password_str>  Password required on the server.

<backup_password_str>  Password the configuration backup was encrypted with, if one was set when the backup was made.

usb-device

Use these commands to manage FortiExplorer iOS devices.

Syntax

List connected FortiExplorer iOS devices:

execute usb-device list

Disconnect FortiExplorer iOS devices:

execute usb-device disconnect

usb-disk

Use these commands to manage your USB disks.

Syntax
execute usb-disk delete <filename>
execute usb-disk format
execute usb-disk list
execute usb-disk rename <old_name> <new_name>
Variable Description

delete <filename>  Delete the named file from the USB disk.

format  Format the USB disk.

list  List the files on the USB disk.

rename <old_name> <new_name>  Rename a file on the USB disk.

vpn certificate ca

Use this command to import a CA certificate from a TFTP or SCEP server to the FortiGate unit, or to export a CA
certificate from the FortiGate unit to a TFTP server.

Before using this command you must obtain the certificate of the CA that issues your VPN peers' certificates.

Digital certificates are used to ensure that both participants in an IPsec communications session are trustworthy,
prior to an encrypted VPN tunnel being set up between the participants. The CA certificate is the certificate that
the FortiGate unit uses to verify the certificates presented by other devices (the unit authenticates itself with its
local certificate). Because importing a CA certificate extends trust to everything that CA signs, obtain it only from
a source you trust, and check its fingerprint after a TFTP import: TFTP provides no authentication or integrity
protection.

VPN peers must use digital certificates that adhere to the X.509 standard.

Digital certificates are not required for configuring FortiGate VPNs. Digital
certificates are an advanced feature provided for the convenience of system
administrators. This manual assumes the user has prior knowledge of how
to configure digital certificates for their implementation.


Syntax
execute vpn certificate ca export tftp <certificate-name_str> <file-name_str> <tftp_ip>
execute vpn certificate ca import auto <ca_server_url> <ca_identifier_str>
execute vpn certificate ca import tftp <file-name_str> <tftp_ip>
Variable Description

import  Import the CA certificate from a TFTP or SCEP server to the FortiGate unit.

export  Export or copy the CA certificate from the FortiGate unit to a file on the TFTP server. Type ? for a list of certificates.

<certificate-name_str>  Enter the name of the CA certificate.

<file-name_str>  Enter the file name on the TFTP server.

<tftp_ip>  Enter the TFTP server address.

auto  Retrieve a CA certificate from a SCEP server.

tftp  Import the CA certificate to the FortiGate unit from a file on a TFTP server (for example, the local administrator PC).

<ca_server_url>  Enter the URL of the CA certificate server.

<ca_identifier_str>  CA identifier on the CA certificate server (optional).

Examples
Use the following command to import the CA certificate stored in the file trust_ca on a TFTP server with the
address 192.168.21.54 to the FortiGate unit.
execute vpn certificate ca import tftp trust_ca 192.168.21.54

vpn certificate crl

Use this command to retrieve a certificate revocation list (CRL) via LDAP, HTTP, or SCEP, depending on the
auto-update configuration. The CRL lists the certificates the CA has revoked; a peer presenting a revoked
certificate must be rejected even though its certificate still chains to a trusted CA, so keep the CRL current.

In order to use execute vpn certificate crl, the authentication servers must already be configured.

Digital certificates are used to ensure that both participants in an IPsec communications session are trustworthy,
prior to an encrypted VPN tunnel being set up between the participants. The CA certificate is the certificate that
the FortiGate unit uses to verify the certificates presented by other devices.

VPN peers must use digital certificates that adhere to the X.509 standard.

Digital certificates are not required for configuring FortiGate VPNs. Digital
certificates are an advanced feature provided for the convenience of system
administrators. This manual assumes the user has prior knowledge of how
to configure digital certificates for their implementation.


Syntax
execute vpn certificate crl import auto <crl-name>
Variable Description

import  Import the CRL from the configured LDAP, HTTP, or SCEP authentication server to the FortiGate unit.

<crl-name>  Enter the name of the CRL.

auto  Trigger an auto-update of the CRL from the configured LDAP, HTTP, or SCEP authentication server.

vpn certificate local export

Use this command to export a local certificate from the FortiGate unit to a TFTP server.

Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy,
prior to an encrypted VPN tunnel being set up between the participants. The local certificate is the certificate that
the FortiGate unit uses to authenticate itself to other devices.

VPN peers must use digital certificates that adhere to the X.509 standard.

Digital certificates are not required for configuring FortiGate VPNs. Digital
certificates are an advanced feature provided for the convenience of system
administrators. This manual assumes the user has prior knowledge of how
to configure digital certificates for their implementation.

Syntax
execute vpn certificate local export tftp <certificate-name_str> <file-name_str> <tftp_ip>
Variable Description

export  Export or copy the local certificate from the FortiGate unit to a file on the TFTP server. Type ? for a list of certificates.

<certificate-name_str>  Enter the name of the local certificate. To view a list of the local certificates, you can enter:
execute vpn certificate local export tftp ?

<file-name_str>  Enter the file name on the TFTP server.

<tftp_ip>  Enter the TFTP server address.

Example
Use the following command to export the local certificate request named branch_cert (created with execute vpn
certificate local generate, described below) from the FortiGate unit to a TFTP server. The example uses the file
name testcert for the exported file and the TFTP server address 192.168.21.54.
execute vpn certificate local export tftp branch_cert testcert 192.168.21.54

vpn certificate local generate

Use this command to generate a local certificate.

Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy,
prior to an encrypted VPN tunnel being set up between the participants. The local certificate is the certificate that
the FortiGate unit uses to authenticate itself to other devices.

When you generate a certificate request, you create a private and public key pair on the local FortiGate unit. The
public key accompanies the certificate request, which is what you export for the CA to sign. The private key
remains confidential and never leaves the unit.

When you receive the signed certificate from the CA, use the execute vpn certificate local import command to
install it on the FortiGate unit.

VPN peers must use digital certificates that adhere to the X.509 standard.

Digital certificates are not required for configuring FortiGate VPNs. Digital
certificates are an advanced feature provided for the convenience of system
administrators. This manual assumes the user has prior knowledge of how
to configure digital certificates for their implementation.

Syntax

To generate the default CA certificate used by SSL Inspection:

execute vpn certificate local generate default-ssl-ca

To generate the default server key used by SSL Inspection:

execute vpn certificate local generate default-ssl-serv-key

To generate an elliptic curve certificate request:

execute vpn certificate local generate ec <certificate-name_str> <elliptic-curve-name> <subject_str> [<optional_information>]

To generate an RSA certificate request:

execute vpn certificate local generate rsa <certificate-name_str> <key-length> <subject_str> [<optional_information>]
Variable Description

<certificate-name_str>  Enter a name for the certificate. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.

<elliptic-curve-name>  Enter the elliptic curve name: secp256r1, secp384r1, or secp521r1.

<key-length>  Enter 1024, 1536 or 2048 for the size in bits of the RSA key. Use 2048: 1024-bit RSA is no longer considered adequate, and public CAs stopped signing requests with keys shorter than 2048 bits years ago.

<subject_str>  Enter the FortiGate unit host IP address, its fully qualified domain name, or an email address to identify the FortiGate unit being certified.
An IP address or domain name is preferred. If this is impossible (such as with a dialup client), use an e-mail address.
If you specify a host IP or domain name, use the IP address or domain name associated with the interface on which IKE negotiations will take place (usually the external interface of the local FortiGate unit). If the IP address in the certificate does not match the IP address of this interface (or if the domain name in the certificate does not match a DNS query of the FortiGate unit's IP), then some implementations of IKE may reject the connection. Enforcement of this rule varies for different IPsec products.

[<optional_information>]  Enter optional_information as required to further identify the certificate. See the Optional information variables table below for the list of optional information variables. You must enter the optional variables in the order that they are listed in the table. To enter any optional variable you must enter all of the variables that come before it in the list. For example, to enter the organization_name_str, you must first enter the country_code_str, state_name_str, and city_name_str. While entering optional variables, you can type ? for help on the next required variable.

Optional information variables

Variable Description

<country_code_str>  Enter the two-character country code. Type ? in place of the country code for a list of country codes. The country code is case sensitive. Enter null if you do not want to specify a country.

<state_name_str>  Enter the name of the state or province where the FortiGate unit is located.

<city_name_str>  Enter the name of the city, or town, where the person or organization certifying the FortiGate unit resides.

<organization-name_str>  Enter the name of the organization that is requesting the certificate for the FortiGate unit.

<organization-unit_name_str>  Enter a name that identifies the department or unit within the organization that is requesting the certificate for the FortiGate unit.

<email_address_str>  Enter a contact e-mail address for the FortiGate unit.

<ca_server_url>  Enter the URL of the CA (SCEP) certificate server that allows auto-signing of the request.

<challenge_password>  Enter the challenge password for the SCEP certificate server.

Example
Use the following command to generate an RSA local certificate request with the name branch_cert, the domain
name www.example.com and a key size of 2048 bits.
execute vpn certificate local generate rsa branch_cert 2048 www.example.com

vpn certificate local import

Use this command to import a local certificate to the FortiGate unit from a TFTP server.

Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy,
prior to an encrypted VPN tunnel being set up between the participants. The local certificate is the certificate that
the FortiGate unit uses to authenticate itself to other devices.

VPN peers must use digital certificates that adhere to the X.509 standard.

Digital certificates are not required for configuring FortiGate VPNs. Digital
certificates are an advanced feature provided for the convenience of system
administrators. This manual assumes the user has prior knowledge of how
to configure digital certificates for their implementation.

Syntax
execute vpn certificate local import tftp <file-name_str> <tftp_ip>
Variable Description

<certificate-name_str>  Enter the name of the local certificate.

<file-name_str>  Enter the file name on the TFTP server.

<tftp_ip>  Enter the TFTP server address.

Example
Use the following command to import the signed local certificate branch_cert to the FortiGate unit from a TFTP
server with the address 192.168.21.54.
execute vpn certificate local import tftp branch_cert 192.168.21.54
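The generate, export, sign and import steps above (and the CA import earlier) together form one workflow: a key pair whose private half never leaves the device, a request carrying the public half, a signed certificate that must chain to the imported CA certificate and name the interface used for IKE. The following is an added example, not code from the FortiOS reference or from Fortinet: it reproduces that workflow with openssl on an administrator workstation so each artefact can be checked before it is moved to the FortiGate over TFTP. The test CA, the host name vpn.example.com and the subject fields are hypothetical; the CA key is created only because a throwaway CA is needed to sign the request.

```shell
#!/bin/sh
# Added example, not from the FortiOS reference. Mirrors the FortiGate
# certificate workflow with openssl so the pieces can be verified offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A throwaway test CA (hypothetical). Only ca.crt would be imported on
#    the FortiGate (execute vpn certificate ca import tftp); ca.key stays
#    with the CA.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# 2. Equivalent of 'execute vpn certificate local generate rsa': a 2048-bit
#    private key that stays on the device plus a CSR carrying the public key
#    and the subject fields the reference lists, in order.
make_request() {
  fqdn=$1
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/ST=California/L=Sunnyvale/O=Example Corp/OU=Branch/CN=$fqdn" \
    -keyout "$WORK/branch.key" -out "$WORK/branch.csr" >/dev/null 2>&1
}

# 3. The CA signs the request. The SAN carries the IKE interface name so
#    the identity a peer checks is in the issued certificate, not only in
#    the subject CN.
sign_request() {
  fqdn=$1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$fqdn" \
    > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/branch.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/ext.cnf" \
    -out "$WORK/branch.crt" >/dev/null 2>&1
}

# 4. Checks worth running before 'execute vpn certificate local import'.

# The issued certificate chains to the CA certificate that was imported.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/branch.crt" >/dev/null 2>&1
}

# The certificate matches the private key kept on the device (compare the
# SHA-256 of the DER-encoded public key from both sides).
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/branch.key" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}')
  c=$(openssl x509 -in "$WORK/branch.crt" -pubkey -noout \
      | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}')
  [ "$k" = "$c" ]
}

# The certificate names the host the IKE peer will see.
cert_names_host() {
  openssl x509 -in "$WORK/branch.crt" -noout -text | grep -q "DNS:$1"
}

# Fingerprint of the CA certificate, to compare against the copy that
# arrives on the FortiGate: TFTP gives no integrity protection.
ca_fingerprint() {
  openssl x509 -in "$WORK/ca.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

# Whole workflow; returns 0 only if every check passes.
run_workflow() {
  make_test_ca && make_request "$1" && sign_request "$1" \
    && verify_chain && key_matches_cert && cert_names_host "$1"
}
```

Run `run_workflow vpn.example.com` and then `ca_fingerprint`; the files branch.csr (to the CA), ca.crt and branch.crt (to the FortiGate) are the only ones that should ever be copied over TFTP, and branch.key is the one that never should be, just as the FortiGate keeps its own private key on the unit.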

vpn certificate remote

Use this command to import a remote certificate from a TFTP server, or export a remote certificate from the
FortiGate unit to a TFTP server. The remote certificates are public certificates without a private key. They are
used as OCSP (Online Certificate Status Protocol) server certificates.

Syntax
execute vpn certificate remote import tftp <file-name_str> <tftp_ip>
execute vpn certificate remote export tftp <certificate-name_str> <file-name_str> <tftp_ip>
Field/variable Description

import  Import the remote certificate from the TFTP server to the FortiGate unit.

export  Export or copy the remote certificate from the FortiGate unit to a file on the TFTP server. Type ? for a list of certificates.

<certificate-name_str>  Enter the name of the public certificate.

<file-name_str>  Enter the file name on the TFTP server.

<tftp_ip>  Enter the TFTP server address.

tftp  Import/export the remote certificate via a TFTP server.

vpn ipsec tunnel down

Use this command to shut down an IPsec VPN tunnel.

Syntax
execute vpn ipsec tunnel down <phase2> [<phase1> <phase2_serial>]
where:

<phase2> is the phase 2 name
<phase1> is the phase 1 name
<phase2_serial> is the phase 2 serial number

<phase1> is required on a dial-up tunnel.

vpn ipsec tunnel up

Use this command to activate an IPsec VPN tunnel.

Syntax
execute vpn ipsec tunnel up <phase2> [<phase1> <phase2_serial>]
where:

<phase2> is the phase 2 name
<phase1> is the phase 1 name
<phase2_serial> is the phase 2 serial number

This command cannot activate a dial-up tunnel.

vpn sslvpn del-all

Use this command to delete all SSL VPN connections in this VDOM.

Syntax
execute vpn sslvpn del-all

vpn sslvpn del-tunnel

Use this command to delete an SSL tunnel connection.

Syntax
execute vpn sslvpn del-tunnel <tunnel_index>
<tunnel_index> identifies which tunnel to delete if there is more than one active tunnel.

vpn sslvpn del-web

Use this command to delete an active SSL VPN web connection.

Syntax
execute vpn sslvpn del-web <web_index>
<web_index> identifies which web connection to delete if there is more than one active connection.

vpn sslvpn list

Use this command to list current SSL VPN tunnel connections.

Syntax
execute vpn sslvpn list {web | tunnel}

webfilter quota-reset

Use this command to reset user quota.

Syntax
execute webfilter quota-reset <wf-profile> <user_ip4addr>
execute webfilter quota-reset <wf-profile> <user_name>

wireless-controller delete-wtp-image

Use this command to delete all firmware images for WLAN Termination Points (WTPs), also known as physical
access points.

Syntax
execute wireless-controller delete-wtp-image

wireless-controller list-wtp-image

Use this command to list all firmware images for WLAN Termination Points (WTPs), also known as WiFi physical
access points.

Syntax
execute wireless-controller list-wtp-image

Example output
WTP Images on AC:
ImageName ImageSize(B) ImageInfo ImageMTime
FAP22A-IMG.wtp 3711132 FAP22A-v4.0-build212 Mon Jun 6 12:26:41 2011


wireless-controller reset-wtp

Use this command to reset a physical access point (WTP).

If the FortiGate unit has a more recent version of the FortiAP firmware, the FortiAP unit will download and install
it. Use the command execute wireless-controller upload-wtp-image to upload FortiAP firmware to the FortiGate
unit.

Syntax
execute wireless-controller reset-wtp {<serialNumber_str> | all}
where <serialNumber_str> is the serial number of the FortiAP unit to reset.

Use the all option to reset all APs.

wireless-controller restart-acd

Use this command to restart the wireless-controller daemon.

Syntax
execute wireless-controller restart-acd

wireless-controller restart-wtpd

Use this command to restart the wireless access point daemon.

Syntax
execute wireless-controller restart-wtpd

wireless-controller upload-wtp-image

Use this command to upload a FortiAP firmware image to the FortiGate unit. Wireless APs controlled by this
wireless controller can download the image as needed. Use the execute wireless-controller reset-wtp command
to trigger FortiAP units to update their firmware.

Syntax
FTP:
execute wireless-controller upload-wtp-image ftp <filename_str> <server_ipv4[:port_int]> [<username_str> <password_str>]
TFTP:
execute wireless-controller upload-wtp-image tftp <filename_str> <server_ipv4>


get

The get commands retrieve information about the operation and performance of your FortiGate unit.

endpoint-control app-detect

Use this command to retrieve information about predefined application detection signatures for Endpoint NAC.

Syntax
get endpoint-control app-detect predefined-category status
get endpoint-control app-detect predefined-group status
get endpoint-control app-detect predefined-signature status
get endpoint-control app-detect predefined-vendor status

Example output (partial)

FG200A2907500558 # get endpoint-control app-detect predefined-category status
name: "Anti-Malware Software"
id: 1
group: 1

name: "Authentication and Authorization"
id: 2
group: 1

name: "Encryption, PKI"
id: 3
group: 1

name: "Firewalls"
id: 4
group: 1

FG200A2907500558 # get endpoint-control app-detect predefined-group status
name: "Security"
id: 1

name: "Multimedia"
id: 2

name: "Communication"
id: 3

name: "Critical Functions"
id: 4

FG200A2907500558 # get endpoint-control app-detect predefined-signature status
name: "Apache HTTP Server"
id: 256
category: 26
vendor: 149

name: "RealPlayer (32-bit)"
id: 1
category: 10
vendor: 68

name: "VisualSVN Server"
id: 257
category: 26
vendor: 162

name: "QQ2009"
id: 2
category: 14
vendor: 78

FG200A2907500558 # get endpoint-control app-detect predefined-vendor status
name: "Access Remote PC (www.access-remote-pc.com)"
id: 3

name: "ACD Systems, Ltd."
id: 4

name: "Adobe Systems Incorporated"
id: 5

name: "Alen Soft"
id: 6

extender modem-status

Use this command to display detailed FortiExtender modem status information.

Syntax
get extender modem-status <serno>
where <serno> is the FortiExtender serial number.

Example output
physical_port: Internal
manufacture: Sierra Wireless, Incorporated
product: AirCard 313U
model: AirCard 313U
revision: SWI9200X_03.05.10.02AP R4684 CARMD-EN-10527 2012/02/25 11:58:38
imsi: 310410707582825


pin_status: READY
service: N/A
signal_strength: 73
RSSI: -68 dBm
connection_status: connected
Profile 1: broadband
Profile 2: broadband
Profile 13: wap.cingular
Profile 15: broadband
NAI: w.tp
Profile: 0 Disabled
home_addr: 127.219.10.128
primary_ha: 127.218.246.40
secondary_ha: 119.75.69.176
aaa_spi: 0
ha_spi: 4
esn_imei: 012615000227604
activation_status: Activated
roaming_status: N/A
usim_status: N/A
oma_dm_version: N/A
plmn: N/A
band: B17
signal_rsrq: N/A
signal_rsrp: N/A
lte_sinr: N/A
lte_rssi: N/A
lte_rs_throughput: N/A
lte_ts_throughput: N/A
lte_physical_cellid: N/A
modem_type:
drc_cdma_evdo: N/A
current_snr: N/A
wireless_operator:
operating_mode: N/A
wireless_signal: 73
usb_wan_mac: 16:78:f7:db:01:07

extender sys-info

Use this command to display detailed FortiExtender system information.

Syntax
get extender sys-info

firewall dnstranslation

Use this command to display the firewall DNS translation table.


Syntax
get firewall dnstranslation

firewall iprope appctrl

Use this command to list all application control signatures added to an application control list and display a
summary of the application control configuration.

Syntax
get firewall iprope appctrl {list | status}

Example output
In this example, the FortiGate unit includes one application control list that blocks the FTP application.
get firewall iprope appctrl list
app-list=app_list_1/2000 other-action=Pass
app-id=15896 list-id=2000 action=Block

get firewall iprope appctrl status
appctrl table 3 list 1 app 1 shaper 0

firewall iprope list

Use this command to list all of the FortiGate unit iprope firewall policies. Optionally include a group number in
hexadecimal format to display a single policy. Policies are listed in FortiOS format.

Syntax
get firewall iprope list [<group_number_hex>]

Example output
get firewall iprope list 0010000c

policy flag (8000000): pol_stats
flag2 (20): ep_block shapers: / per_ip=
imflag: sockport: 1011 action: redirect index: 0
schedule() group=0010000c av=00000000 au=00000000 host=0 split=00000000
chk_client_info=0x0 app_list=0 misc=0 grp_info=0 seq=0 hash=0
npu_sensor_id=0
tunnel=
zone(1): 0 ->zone(1): 0
source(0):
dest(0):
source wildcard(0):
destination wildcard(0):
service(1):
[6:0x8:1011/(0,65535)->(80,80)]


nat(0):
mms: 0 0

firewall proute, proute6

Use these commands to list policy routes.

Syntax
For IPv4 policy routes:
get firewall proute
For IPv6 policy routes:
get firewall proute6

Example output
get firewall proute
list route policy info(vf=root):
iff=5 src=1.1.1.0/255.255.255.0 tos=0x00 tos_mask=0x00 dst=0.0.0.0/0.0.0.0 protocol=80
port=1:65535
oif=3 gwy=1.2.3.4

firewall service custom

Use this command to view the list of services. The command lists the names of all of the predefined and custom
services.

Syntax
get firewall service custom
This lists the services.

To view details about all services:

config firewall service custom
show full-configuration
end

To view details about a specific service, for example the ALL_TCP service:

config firewall service custom
edit ALL_TCP
show full-configuration
end

Example output
This is a partial output.
get firewall service custom


== [ ALL ]
name: ALL
== [ ALL_TCP ]
name: ALL_TCP
== [ ALL_UDP ]
name: ALL_UDP
== [ ALL_ICMP ]
name: ALL_ICMP
== [ ALL_ICMP6 ]
name: ALL_ICMP6
== [ GRE ]
name: GRE
== [ AH ]
name: AH
== [ ESP ]
name: ESP
== [ AOL ]
name: AOL
== [ BGP ]
name: BGP
== [ DHCP ]
name: DHCP
== [ DNS ]
name: DNS
== [ FINGER ]
name: FINGER

firewall shaper

Use these command to retrieve information about traffic shapers.

Syntax

To get information about per-IP traffic shapers:

get firewall shaper per-ip

To get information about shared traffic shapers:

get firewall shaper traffic-shaper

grep

In many cases the get and show (and diagnose) commands may produce a large amount of output. If you are
looking for specific information in a large get or show command output you can use the grep command to filter
the output to only display what you are looking for. The grep command is based on the standard UNIX grep,
used for searching text output based on regular expressions.

Information about how to use grep and regular expressions is available from the Internet. For example, see
http://www.opengroup.org/onlinepubs/009695399/utilities/grep.html.


Syntax
{get | show | diagnose} <command> | grep <regular_expression>

Example output
Use the following command to display the MAC address of the FortiGate unit internal interface:
get hardware nic internal | grep Current_HWaddr
Current_HWaddr 00:09:0f:cb:c2:75
Use the following command to display all TCP sessions in the session list and include the session list line number
in the output
get system session list | grep -n tcp
19:tcp 1110 10.31.101.10:1862 172.20.120.122:30670 69.111.193.57:1469 -
27:tcp 3599 10.31.101.10:2061 - 10.31.101.100:22 -
38:tcp 3594 10.31.101.10:4780 172.20.120.122:49700 172.20.120.100:445 -
43:tcp 3582 10.31.101.10:4398 172.20.120.122:49574 24.200.188.171:48726 -
Use the following command to display all lines in HTTP replacement message commands that contain URL
(upper or lower case):
show system replacemsg http | grep -i url
set buffer "<HTML><BODY>The page you requested has been blocked because it contains a
banned word. URL = %%PROTOCOL%%%%URL%%</BODY></HTML>"
config system replacemsg http "url-block"
set buffer "<HTML><BODY>The URL you requested has been blocked. URL =
%%URL%%</BODY></HTML>"
config system replacemsg http "urlfilter-err"
.
.
.

gui console status

Display information about the CLI console.

Syntax
get gui console status

Example
The output looks like this:
Preferences:
        User: admin
                Colour scheme (RGB): text=FFFFFF, background=000000
                Font: style=monospace, size=10pt
                History buffer=50 lines, external input=disabled


gui topology status

Display information about the topology viewer database. The topology viewer is available only if the Topology
widget has been added to a customized web-based manager menu layout.

Syntax
get gui topology status

Example output
Preferences:
        Canvas dimensions (pixels): width=780, height=800
        Colour scheme (RGB): canvas=12ff08, lines=bf0f00, exterior=ddeeee
        Background image: type=none, placement: x=0, y=0
        Line style: thickness=2

Custom background image file: none

Topology element database:


        __FortiGate__: x=260, y=340
        Office: x=22, y=105
        ISPnet: x=222, y=129
        __Text__: x=77, y=112: "Ottawa"
        __Text__: x=276, y=139: "Internet"

hardware cpu

Use this command to display detailed information about all of the CPUs in your FortiGate unit.

Syntax
get hardware cpu

Example output
620_ha_1 # get hardware cpu
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 15
model name : Intel(R) Core(TM)2 Duo CPU E4300 @ 1.80GHz
stepping : 13
cpu MHz : 1795.545
cache size : 64 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush
dts acpi mmx fxsr sse sse2 ss ht tm pbe lm pni monitor ds_cpl tm2 est
bogomips : 3578.26

processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 15
model name : Intel(R) Core(TM)2 Duo CPU E4300 @ 1.80GHz
stepping : 13
cpu MHz : 1795.545
cache size : 64 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush
dts acpi mmx fxsr sse sse2 ss ht tm pbe lm pni monitor ds_cpl tm2 est
bogomips : 3578.26

hardware memory

Use this command to display information about FortiGate unit memory use including the total, used, and free
memory.

Syntax
get hardware memory

Example output
get hardware memory
total: used: free: shared: buffers: cached: shm:
Mem: 3703943168 348913664 3355029504 0 192512 139943936 137314304
Swap: 0 0 0
MemTotal: 3617132 kB
MemFree: 3276396 kB
MemShared: 0 kB
Buffers: 188 kB
Cached: 136664 kB
SwapCached: 0 kB
Active: 22172 kB
Inactive: 114740 kB
HighTotal: 1703936 kB
HighFree: 1443712 kB
LowTotal: 1913196 kB
LowFree: 1832684 kB
SwapTotal: 0 kB
SwapFree: 0 kB

hardware nic

Use this command to display hardware and status information about each FortiGate interface. The hardware
information includes details such as the driver name and version and chip revision. Status information includes
transmitted and received packets, and different types of errors.

Syntax
get hardware nic <interface_name>

Variable            Description
<interface_name>    A FortiGate interface name such as port1, wan1, internal, etc.

Example output
get hardware nic port9
Chip_Model FA2/ISCP1B-v3/256MB
FPGA_REV_TAG 06101916
Driver Name iscp1a/b-DE
Driver Version 0.1
Driver Copyright Fortinet Inc.

Link down
Speed N/A
Duplex N/A
State up

Rx_Packets 0
Tx_Packets 0
Rx_Bytes 0
Tx_Bytes 0

Current_HWaddr 00:09:0f:77:09:68
Permanent_HWaddr 00:09:0f:77:09:68

Frame_Received 0
Bad Frame Received 0
Tx Frame 0
Tx Frame Drop 0
Receive IP Error 0
FIFO Error 0

Small PktBuf Left 125


Normal PktBuf Left 1021
Jumbo PktBuf Left 253
NAT Anomaly 0
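Two lines of this output deserve a second look during a review: Current_HWaddr and Permanent_HWaddr. The permanent address is burned into the NIC; if the current address differs, the interface MAC has been overridden in configuration, which is worth confirming with whoever manages the unit. The error counters (Bad Frame Received, Receive IP Error, FIFO Error) are the other thing to watch. The following Python script is an added example, not part of the FortiOS reference: it parses output in the shape shown above and reports a MAC override, an interface that is administratively up with the link down, and any non-zero error counter. The sample text is constructed (the field names are taken from the page, the values are made up), and the script assumes every value is the last whitespace-separated token on its line, so a multi-word value such as "Fortinet Inc." would not parse correctly.

```python
"""Audit `get hardware nic <interface>` output for MAC overrides and errors.

Added example; SAMPLE_NIC is constructed in the shape of the FortiOS output
shown in the reference, with a deliberately overridden MAC and some errors.
"""
import re

# Constructed sample (not a capture from a live unit).
SAMPLE_NIC = """\
Chip_Model FA2/ISCP1B-v3/256MB
FPGA_REV_TAG 06101916
Driver Name iscp1a/b-DE
Driver Version 0.1

Link down
Speed N/A
Duplex N/A
State up

Rx_Packets 120034
Tx_Packets 99871

Current_HWaddr 00:11:22:33:44:55
Permanent_HWaddr 00:09:0f:77:09:68

Frame_Received 120034
Bad Frame Received 17
Tx Frame 99871
Tx Frame Drop 0
Receive IP Error 3
FIFO Error 0
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

# Counters that should normally stay at zero on a healthy interface.
ERROR_COUNTERS = ("Bad Frame Received", "Tx Frame Drop", "Receive IP Error", "FIFO Error")


def parse_nic(text):
    """Split 'Label value' lines into a dict.

    Labels may contain spaces (e.g. 'Bad Frame Received'), so the value is
    taken to be the last whitespace-separated token of the line (assumption).
    """
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.rsplit(None, 1)
        fields[parts[0]] = parts[1] if len(parts) == 2 else ""
    return fields


def audit_nic(fields):
    """Return a list of human-readable findings for one interface."""
    findings = []
    cur = fields.get("Current_HWaddr", "").lower()
    perm = fields.get("Permanent_HWaddr", "").lower()
    # A current MAC that differs from the burned-in one means it was overridden.
    if MAC_RE.match(cur) and MAC_RE.match(perm) and cur != perm:
        findings.append(f"MAC override: current {cur} != permanent {perm}")
    # Administratively up but no carrier: cabling, switch port or a pulled link.
    if fields.get("State") == "up" and fields.get("Link") == "down":
        findings.append("interface is administratively up but the link is down")
    for name in ERROR_COUNTERS:
        value = fields.get(name, "0")
        if value.isdigit() and int(value) > 0:
            findings.append(f"{name} = {value}")
    return findings


if __name__ == "__main__":
    for finding in audit_nic(parse_nic(SAMPLE_NIC)):
        print(finding)
```

Run it against the real output by pasting `get hardware nic <interface_name>` into a file and feeding that text to parse_nic instead of the constructed sample; compare the reported MAC override against the interface configuration before treating it as a finding.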

hardware npu

Use this command to display information about the network processor unit (NPU) hardware installed in a
FortiGate unit. The NPUs can be built-in or on an installed AMC module.

Syntax
get hardware npu legacy {list | session <device_name_str> | setting <device_name_str>}
get hardware npu np1 {list | status}
get hardware npu np2 {list | performance <device_id_int> | status <device_id_int>}
get hardware npu np4 {list | status <device_id_int>}
get hardware npu sp {list | status}

Example output
get hardware npu np1 list
ID Interface
0 port9 port10

get hardware npu np1 status


ISCP1A 10ee:0702
RX SW Done 0 MTP 0x00000000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Total Number of Interfaces: 2
Number of Interface In-Use: 2
Interface[0] Tx done: 0
desc_size = 0x00004000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
TX timeout = 0x00000000 BD_empty = 0x00000000
HRx Packets= 0x00000000 HTXBytes = 0x00000000 HRXBytes = 0x00000000
Interface[1] Tx done: 0
desc_size = 0x00004000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
TX timeout = 0x00000000 BD_empty = 0x00000000
HRx Packets= 0x00000000 HTXBytes = 0x00000000 HRXBytes = 0x00000000
NAT Information:
head = 0x00000001 tail = 00000001
ISCP1A Performance [Top]:
Nr_int : 0x00000000 INTwoInd : 0x00000000 RXwoDone : 0x00000000
PKTwoEnd : 0x00000000 PKTCSErr : 0x00000000
PKTidErr : 0x00000000 PHY0Int : 0x00000000 PHY1INT : 0x00000000
CSUMOFF : 0x00000000 BADCSUM : 0x00000000 MSGINT : 0x00000000
IPSEC : 0x00000000 IPSVLAN : 0x00000000 SESMISS : 0x00000000
TOTUP : 0x00000000 RSVD MEMU : 0x00000010
MSG Performance:
QLEN: 0x00001000(QW) HEAD: 0x00000000
Performance:
TOTMSG: 0x00000000 BADMSG: 0x00000000 TOUTMSG: 0x00000000 QUERY: 0x00000000
NULLTK: 0x00000000
NAT Performance: BYPASS (Enable) BLOCK (Disable)
IRQ : 00000001 QFTL : 00000000 DELF : 00000000 FFTL : 00000000
OVTH : 00000001 QRYF : 00000000 INSF : 00000000 INVC : 00000000
ALLO : 00000000 FREE : 00000000 ALLOF : 00000000 BPENTR: 00000000 BKENTR: 00000000
PBPENTR: 00000000 PBKENTR: 00000000 NOOP : 00000000 THROT : 00000000(0x002625a0)
SWITOT : 00000000 SWDTOT : 00000000 ITDB : 00000000 OTDB : 00000000


SPISES : 00000000 FLUSH : 00000000
APS (Disabled) information:
MODE: BOTH UDPTH 255 ICMPTH 255 APSFLAGS: 0x00000000
IPSEC Offload Status: 0x58077dcb

get hardware npu np2 list


ID PORTS
-- -----
0 amc-sw1/1
0 amc-sw1/2
0 amc-sw1/3
0 amc-sw1/4
ID PORTS
-- -----
1 amc-dw2/1
ID PORTS
-- -----
2 amc-dw2/2

get hardware npu np2 status 0


NP2 Status

ISCP2 f7750000 (Neighbor 00000000) 1a29:0703 256MB Base f8aad000 DBG 0x00000000
RX SW Done 0 MTP 0x0
desc_alloc = f7216000
desc_size = 0x2000 count = 0x100
nxt_to_u = 0x0 nxt_to_f = 0x0
Total Interfaces: 4 Total Ports: 4
Number of Interface In-Use: 4
Interface f7750100 netdev 81b1e000 0 Name amc-sw1-1
PHY: Attached
LB Mode 0 LB IDX 0/1 LB Ports: f7750694, 00000000, 00000000, 00000000
Port f7750694 Id 0 Status Down ictr 4
desc = 8128c000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Intf f7750100
Interface f7750264 netdev 81b2cc00 1 Name amc-sw1-2
PHY: Attached
LB Mode 0 LB IDX 0/1 LB Ports: f7750748, 00000000, 00000000, 00000000
Port f7750748 Id 1 Status Down ictr 0
desc = 81287000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Intf f7750264
Interface f77503c8 netdev 81b2c800 2 Name amc-sw1-3
PHY: Attached
LB Mode 0 LB IDX 0/1 LB Ports: f77507fc, 00000000, 00000000, 00000000
Port f77507fc Id 2 Status Down ictr 0
desc = 81286000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Intf f77503c8
Interface f775052c netdev 81b2c400 3 Name amc-sw1-4
PHY: Attached
LB Mode 0 LB IDX 0/1 LB Ports: f77508b0, 00000000, 00000000, 00000000
Port f77508b0 Id 3 Status Down ictr 0
desc = 81281000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Intf f775052c
NAT Information:
cmdq_qw = 0x2000 cmdq = 82160000
head = 0x1 tail = 0x1
APS (Enabled) information:
Session Install when TMM TSE OOE: Disable
Session Install when TMM TAE OOE: Disable
IPS anomaly check policy: Follow config
MSG Base = 82150000 QL = 0x1000 H = 0x0

hardware status

Report information about the FortiGate unit hardware including FortiASIC version, CPU type, amount of memory,
flash drive size, hard disk size (if present), USB flash size (if present), network card chipset, and WiFi chipset
(FortiWifi models). This information can be useful for troubleshooting, providing information about your FortiGate
unit to Fortinet Support, or confirming the features that your FortiGate model supports.

Syntax
get hardware status

Example output
Model name: Fortigate-620B
ASIC version: CP6
ASIC SRAM: 64M
CPU: Intel(R) Core(TM)2 Duo CPU E4300 @ 1.80GHz
RAM: 2020 MB
Compact Flash: 493 MB /dev/sda
Hard disk: 76618 MB /dev/sdb
USB Flash: not available
Network Card chipset: Broadcom 570x Tigon3 Ethernet Adapter (rev.0x5784100)

ips decoder status

Displays all the port settings of all the IPS decoders.

Syntax
get ips decoder status

Example output
# get ips decoder status
decoder-name: "back_orifice"

decoder-name: "dns_decoder"
port_list: 53

decoder-name: "ftp_decoder"
port_list: 21

decoder-name: "http_decoder"

decoder-name: "im_decoder"

decoder-name: "imap_decoder"
port_list: 143
Ports are shown only for decoders with configurable port settings.

ips rule status

Displays current configuration information about IPS rules.

Syntax
get ips rule status

Example output
# get ips rule status
rule-name: "IP.Land"
rule-id: 12588
rev: 2.464
action: pass
status: disable
log: enable
log-packet: disable
severity: 3.high
service: All
location: server, client
os: All
application: All

rule-name: "IP.Loose.Src.Record.Route.Option"
rule-id: 12805
rev: 2.464
action: pass
status: disable
log: enable
log-packet: disable
severity: 2.medium
service: All
location: server, client
os: All
application: All
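The output above gives, per rule, the severity alongside the action and status that this command reports, which makes it a useful input for a quick audit: high-severity rules that are disabled or only set to pass are the ones to check against the IPS sensors actually applied in policy. The following Python script is an added example, not part of the FortiOS reference. It parses blank-line-separated rule blocks in the shape shown above and returns the names of rules at or above a chosen severity that are disabled or set to pass. The sample text is constructed from the two rules on the page plus a third, made-up rule ("Constructed.Sample.Rule", rule-id 99999) that is enabled and blocking; the label "4.critical" for that rule is an assumption extrapolated from the "2.medium" and "3.high" labels shown on the page.

```python
"""Flag severe IPS rules that `get ips rule status` reports as disabled/pass.

Added example; SAMPLE_RULES is constructed in the shape of the FortiOS output.
"""
import re

# Constructed sample: the two rules from the reference plus one made-up rule.
SAMPLE_RULES = """\
rule-name: "IP.Land"
rule-id: 12588
rev: 2.464
action: pass
status: disable
log: enable
log-packet: disable
severity: 3.high
service: All
location: server, client
os: All
application: All

rule-name: "IP.Loose.Src.Record.Route.Option"
rule-id: 12805
rev: 2.464
action: pass
status: disable
log: enable
log-packet: disable
severity: 2.medium
service: All
location: server, client
os: All
application: All

rule-name: "Constructed.Sample.Rule"
rule-id: 99999
rev: 1.000
action: block
status: enable
log: enable
log-packet: enable
severity: 4.critical
service: TCP
location: server
os: All
application: All
"""


def parse_ips_rules(text):
    """Parse blank-line-separated 'key: value' blocks into a list of dicts."""
    rules, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                rules.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        # Rule names are quoted in the output; strip the quotes for comparison.
        current[key.strip()] = value.strip().strip('"')
    if current:
        rules.append(current)
    return rules


def severity_level(rule):
    """Turn a label such as '3.high' into its numeric level; unknown -> 0."""
    match = re.match(r"(\d+)\.", rule.get("severity", ""))
    return int(match.group(1)) if match else 0


def find_weak_rules(rules, min_level=3):
    """Names of rules at or above min_level that are disabled or only pass."""
    weak = []
    for rule in rules:
        if severity_level(rule) < min_level:
            continue
        if rule.get("status") != "enable" or rule.get("action") == "pass":
            weak.append(rule["rule-name"])
    return weak


if __name__ == "__main__":
    parsed = parse_ips_rules(SAMPLE_RULES)
    print(f"{len(parsed)} rules parsed")
    for name in find_weak_rules(parsed):
        print("review:", name)
```

Lower min_level to 2 to include medium-severity rules; the list is a starting point for comparison with the sensor configuration, since the sensor, not the per-rule default shown here, decides what happens to matching traffic.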

ips session

Displays current IPS session status.

Syntax
get ips session

Example output
get ips session

SYSTEM:
memory capacity 279969792
memory used 5861008
recent pps\bps 0\0K
session in-use 0
TCP: in-use\active\total 0\0\0
UDP: in-use\active\total 0\0\0
ICMP: in-use\active\total 0\0\0

ipsec tunnel

List the current IPsec VPN tunnels and their status.

Syntax
To view details of all IPsec tunnels:
get ipsec tunnel details
To list IPsec tunnels by name:
get ipsec tunnel name
To view a summary of IPsec tunnel information:
get ipsec tunnel summary

ips view-map

Use this command to view the policies examined by IPS. It is mainly used for debugging. If there is no IPS view
map, IPS is not in use or not enabled.

Syntax
get ips view-map <id>

Example output
id : 1
id-policy-id : 0
policy-id : 2
vdom-id : 0
which : firewall
Variable        Description
id              IPS policy ID.
id-policy-id    Identity-based policy ID (0 means none).
policy-id       Policy ID.
vdom-id         VDOM, identified by ID number.
which           Type of policy ID: firewall, firewall6, sniffer, sniffer6, interface, interface6.

mgmt-data status

Use this command to display information additional to that provided by get system status or get hardware status.

Syntax
get mgmt-data status

Example output
FG100D3G12801361 # get mgmt-data status
Model name: FortiGate-100D
CPU: 4
RAM: 1977 MB
is_ssd_available: 0
is_logdisk_mounted: 1
is_support_log_on_boot_device: 1
is_rev_support_wanopt: 1

netscan settings

Use this command to display the TCP and UDP ports that are scanned by the current scan mode.

Syntax
get netscan settings

Example output
scan-mode : full
tcp-ports : 1-65535
udp-ports : 1-65535

pbx branch-office

Use this command to list the configured branch offices.

Syntax
get pbx branch-office

Example output
== [ Branch 15 ]
name: Branch 15
== [ Branch 12 ]
name: Branch 12

pbx dialplan

Use this command to list the configured dial plans.

Syntax
get pbx dialplan

Example output
== [ company-default ]
name: company-default
== [ inbound ]
name: inbound

pbx did

Use this command to list the configured direct inward dial (DID) numbers.

Syntax
get pbx did

Example output
== [ Operator ]
name: Operator
== [ Emergency ]
name: Emergency

pbx extension

Use this command to list the configured extensions.

Syntax
get pbx extension

Example output
== [ 6555 ]
extension: 6555
== [ 6777 ]
extension: 6777
== [ 6111 ]
extension: 6111

pbx ftgd-voice-pkg

Use this command to display the current FortiGate Voice service package status.

Syntax
get pbx ftgd-voice-pkg status

Example output
Status: Activated
Total 1 Packages:
Package Type: B, Credit Left: 50.00, Credit Used: 0.00,
Expiration Date: 2011-01-01 12:00:00

Total 1 Dids:
12345678901
Total 1 Efaxs:
12345678902
Total 0 Tollfrees:

pbx global

Use this command to display the current global pbx settings.

Syntax
get pbx global

Example output
block-blacklist : enable
country-area : USA
country-code : 1
efax-check-interval : 5
extension-pattern : 6XXX
fax-admin-email : faxad@example.com
ftgd-voice-server : service.fortivoice.com
local-area-code : 408
max-voicemail : 60
outgoing-prefix : 9
ring-timeout : 20
rtp-hold-timeout : 0
rtp-timeout : 60
voicemail-extension : *97

pbx ringgrp

Use this command to display the currently configured ring groups.

Syntax
get pbx ringgrp

Example output
== [ 6001 ]
name: 6001
== [ 6002 ]
name: 6002

pbx sip-trunk

Use this command to display the currently configured SIP trunks.

Syntax
get pbx sip-trunk

Example output
== [ __FtgdVoice_1 ]
name: __FtgdVoice_1

pbx voice-menu

Use this command to display the current voice menu and recorder extension configuration.

Syntax
get pbx voice-menu

Example output
comment : general
password : *
press-0:
ring-group : 6001
type : ring-group
press-1:
type : voicemail
press-2:
type : directory
press-3:
type : none
press-4:
type : none
press-5:
type : none
press-6:
type : none
press-7:
type : none
press-8:
type : none
press-9:
type : none
recorder-exten : *30

router info bfd neighbor

Use this command to list state information about the neighbors in the Bidirectional Forwarding Detection (BFD) neighbor table.

Syntax
get router info bfd neighbor

router info bgp

Use this command to display information about the BGP configuration.

Syntax
get router info bgp <keyword>
<keyword>
    Description

cidr-only
    Show all BGP routes having non-natural network masks.

community
    Show all BGP routes having their COMMUNITY attribute set.

community-info
    Show general information about the configured BGP communities, including the
    routes in each community and their associated network addresses.

community-list
    Show all routes belonging to configured BGP community lists.

dampening {dampened-paths | flap-statistics | parameters}
    Display information about dampening. Type dampened-paths to show all paths
    that have been suppressed due to flapping. Type flap-statistics to show flap
    statistics related to BGP routes. Type parameters to show the current
    dampening settings.

filter-list
    Show all routes matching configured AS-path lists.

inconsistent-as
    Show all routes associated with inconsistent autonomous systems of origin.

memory
    Show the BGP memory table.

neighbors [<address_ipv4> | <address_ipv4> advertised-routes | <address_ipv4> received prefix-filter | <address_ipv4> received-routes | <address_ipv4> routes]
    Show information about connections to TCP and BGP neighbors.

network [<address_ipv4mask>]
    Show general information about the configured BGP networks, including their
    network addresses and associated prefixes.

network-longer-prefixes <address_ipv4mask>
    Show general information about the BGP route that you specify (for example,
    12.0.0.0/14) and any specific routes associated with the prefix.

paths
    Show general information about BGP AS paths, including their associated
    network addresses.

prefix-list <name>
    Show all routes matching configured prefix list <name>.

quote-regexp <regexp_str>
    Enter the regular expression to compare to the AS_PATH attribute of BGP
    routes (for example, ^730$) and enable the use of output modifiers (for
    example, include, exclude, and begin) to search the results.

regexp <regexp_str>
    Enter the regular expression to compare to the AS_PATH attribute of BGP
    routes (for example, ^730$).

route-map
    Show all routes matching configured route maps.

scan
    Show information about next-hop route scanning, including the scan interval
    setting.

summary
    Show information about BGP neighbor status.

Example output
get router info bgp memory
Memory type Alloc count Alloc bytes
=================================== ============= ===============
BGP structure : 2 1408
BGP VR structure : 2 104
BGP global structure : 1 56
BGP peer : 2 3440
BGP as list master : 1 24
Community list handler : 1 32
BGP Damp Reuse List Array : 2 4096
BGP table : 62 248
----------------------------------- ------------- ---------------
Temporary memory : 4223 96095
Hash : 7 140
Hash index : 7 28672
Hash bucket : 11 132
Thread master : 1 564
Thread : 4 144
Link list : 32 636
Link list node : 24 288
Show : 1 396
Show page : 1 4108
Show server : 1 36
Prefix IPv4 : 10 80
Route table : 4 32
Route node : 63 2772
Vector : 2180 26160
Vector index : 2180 18284
Host config : 1 2
Message of The Day : 1 100
IMI Client : 1 708
VTY master : 1 20
VTY if : 11 2640
VTY connected : 5 140
Message handler : 2 120
NSM Client Handler : 1 12428
NSM Client : 1 1268
Host : 1 64
Log information : 2 72
Context : 1 232
----------------------------------- ------------- ---------------
bgp proto specifc allocations : 9408 B
bgp generic allocations : 196333 B
bgp total allocations : 205741 B

router info isis

Use this command to display information about the FortiGate IS-IS configuration and state.

Syntax
get router info isis interface
get router info isis neighbor
get router info isis is-neighbor
get router info isis database
get router info isis route
get router info isis topology

router info kernel

Use this command to display the FortiGate kernel routing table. The kernel routing table displays information
about all of the routes in the kernel.

Syntax
get router info kernel [<routing_type_int>]

router info multicast

Use this command to display information about a Protocol Independent Multicasting (PIM) configuration.
Multicast routing is supported in the root virtual domain only.

Syntax
get router info multicast <keywords>

<keywords>
    Description

igmp {groups [{<interface-name> | <group-address>}] | groups-detail [{<interface-name> | <group-address>}] | interface [<interface-name>]}
    Show Internet Group Management Protocol (IGMP) membership information
    according to one of these qualifiers. Type groups [{<interface-name> |
    <group-address>}] to show IGMP information for the multicast group(s)
    associated with the specified interface or multicast group address. Type
    groups-detail [{<interface-name> | <group-address>}] to show detailed IGMP
    information for the multicast group(s) associated with the specified
    interface or multicast group address. Type interface [<interface-name>] to
    show IGMP information for all multicast groups associated with the specified
    interface.

pim dense-mode {interface | interface-detail | neighbor | neighbor-detail | next-hop | table [<group-address>] [<source-address>]}
    Show information related to dense mode operation according to one of these
    qualifiers. Type interface to show information about PIM-enabled interfaces.
    Type interface-detail to show detailed information about PIM-enabled
    interfaces. Type neighbor to show the current status of PIM neighbors. Type
    neighbor-detail to show detailed information about PIM neighbors. Type
    next-hop to show information about next-hop PIM routers. Type table
    [<group-address>] [<source-address>] to show the multicast routing table
    entries associated with the specified multicast group address and/or
    multicast source address.

pim sparse-mode {bsr-info | interface | interface-detail | neighbor | neighbor-detail | next-hop | rp-mapping | table [<group-address>] [<source-address>]}
    Show information related to sparse mode operation according to one of these
    qualifiers. Type bsr-info to show Boot Strap Router (BSR) information. Type
    interface to show information about PIM-enabled interfaces. Type
    interface-detail to show detailed information about PIM-enabled interfaces.
    Type neighbor to show the current status of PIM neighbors. Type
    neighbor-detail to show detailed information about PIM neighbors. Type
    next-hop to show information about next-hop PIM routers. Type rp-mapping to
    show Rendezvous Point (RP) information. Type table [<group-address>]
    [<source-address>] to show the multicast routing table entries associated
    with the specified multicast group address and/or multicast source address.

table [<group-address>] [<source-address>]
    Show the multicast routing table entries associated with the specified
    multicast group address and/or multicast source address.

table-count [<group-address>] [<source-address>]
    Show statistics related to the specified multicast group address and/or
    multicast source address.

router info ospf

Use this command to display information about the FortiGate OSPF configuration and/or the Link-State
Advertisements (LSAs) that the FortiGate unit obtains and generates. An LSA identifies the interfaces of all
OSPF-enabled routers in an area, and provides information that enables OSPF-enabled routers to select the
shortest path to a destination.

Syntax
get router info ospf <keyword>
<keyword>
    Description

border-routers
    Show OSPF routing table entries that have an Area Border Router (ABR) or
    Autonomous System Boundary Router (ASBR) as a destination.

database <qualifier>
    Show information from the OSPF routing database according to one of the
    qualifiers below. Some qualifiers require a <target>, which can be one of
    the following values: adv_router <address_ipv4> to limit the information to
    LSAs originating from the router at the specified IP address, or
    self-originate <address_ipv4> to limit the information to LSAs originating
    from the FortiGate unit.

    adv-router <address_ipv4>
        Show Advertising Router link states for the router at the given IP
        address.
    asbr-summary <target>
        Show information about ASBR summary LSAs.
    brief
        Show the number and type of LSAs associated with each OSPF area.
    external <target>
        Show information about external LSAs.
    max-age
        Show all LSAs in the MaxAge list.
    network <target>
        Show information about network LSAs.
    nssa-external <target>
        Show information about not-so-stubby external LSAs.
    opaque-area <address_ipv4>
        Show information about opaque Type 10 (area-local) LSAs (see RFC 2370).
    opaque-as <address_ipv4>
        Show information about opaque Type 11 LSAs (see RFC 2370), which are
        flooded throughout the AS.
    opaque-link <address_ipv4>
        Show information about opaque Type 9 (link-local) LSAs (see RFC 2370).
    router <target>
        Show information about router LSAs.
    self-originate
        Show self-originated LSAs.
    summary <target>
        Show information about summary LSAs.

interface [<interface_name>]
    Show the status of one or all FortiGate interfaces and whether OSPF is
    enabled on those interfaces.

neighbor [all | <neighbor_id> | detail | detail all | interface <address_ipv4>]
    Show general information about OSPF neighbors, excluding down-status
    neighbors. Type all to show information about all neighbors, including
    down-status neighbors. Type <neighbor_id> to show detailed information
    about the specified neighbor only. Type detail to show detailed information
    about all neighbors, excluding down-status neighbors. Type detail all to
    show detailed information about all neighbors, including down-status
    neighbors. Type interface <address_ipv4> to show neighbor information based
    on the FortiGate interface IP address that was used to establish the
    neighbor relationship.

route
    Show the OSPF routing table.

status
    Show general information about the OSPF routing processes.

virtual-links
    Show information about OSPF virtual links.

router info protocols

Use this command to show the current states of active routing protocols. Inactive protocols are not displayed.

Syntax
get router info protocols

Example output
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing:
Default version control: send version 2, receive version 2
Interface Send Recv Key-chain
Routing for Networks:
Routing Information Sources:
Gateway Distance Last Update Bad Packets Bad Routes
Distance: (default is 120)

Routing Protocol is "ospf 0"
Invalid after 0 seconds, hold down 0, flushed after 0
Outgoing update filter list for all interfaces is
Incoming update filter list for all interfaces is
Redistributing:
Routing for Networks:
Routing Information Sources: Gateway Distance Last Update
Distance: (default is 110) Address Mask Distance List

Routing Protocol is "bgp 5"
IGP synchronization is disabled
Automatic route summarization is disabled
Default local-preference applied to incoming route is 100
Redistributing:
Neighbor(s):
Address AddressFamily FiltIn FiltOut DistIn DistOut RouteMapIn RouteMapOut Weight
  192.168.20.10 unicast

router info rip

Use this command to display information about the RIP configuration.

Syntax
get router info rip <keyword>

<keyword>                      Description
database                       Show the entries in the RIP routing database.
interface [<interface_name>]   Show the status of the specified FortiGate unit interface and whether RIP is
                               enabled. If interface is used alone, it lists all the FortiGate unit interfaces
                               and whether RIP is enabled on each.

router info routing-table

Use this command to display the routes in the routing table.

Syntax
get router info routing-table <keyword>

<keyword>                      Description
all                            Show all entries in the routing table.
bgp                            Show the BGP routes in the routing table.
connected                      Show the connected routes in the routing table.
database                       Show the routing information database.
details [<address_ipv4mask>]   Show detailed information about a route in the routing table, including the
                               next-hop routers, metrics, outgoing interfaces, and protocol-specific
                               information.
ospf                           Show the OSPF routes in the routing table.
rip                            Show the RIP routes in the routing table.
static                         Show the static routes in the routing table.

router info vrrp

Use this command to display information about the VRRP configuration.

Syntax
get router info vrrp

Example output
Interface: port1, primary IP address: 9.1.1.2
VRID: 1
vrip: 9.1.1.254, priority: 100, state: BACKUP
adv_interval: 1, preempt: 1, start_time: 3
vrdst: 0.0.0.0

router info6 bgp

Use this command to display information about the BGP IPv6 configuration.

Syntax
get router info6 bgp <keyword>
<keyword>
    Description

community
    Show all BGP routes having their COMMUNITY attribute set.

community-list
    Show all routes belonging to configured BGP community lists.

dampening {dampened-paths | flap-statistics | parameters}
    Display information about dampening. Type dampened-paths to show all paths
    that have been suppressed due to flapping. Type flap-statistics to show flap
    statistics related to BGP routes. Type parameters to show the current
    dampening settings.

filter-list
    Show all routes matching configured AS-path lists.

inconsistent-as
    Show all routes associated with inconsistent autonomous systems of origin.

neighbors [<address_ipv6mask>]
    Show information about connections to TCP and BGP neighbors.

network [<address_ipv6mask>]
    Show general information about the configured BGP networks, including their
    network addresses and associated prefixes.

network-longer-prefixes <address_ipv6mask>
    Show general information about the BGP route that you specify (for example,
    2001:db8::/32) and any specific routes associated with the prefix.

paths
    Show general information about BGP AS paths, including their associated
    network addresses.

prefix-list <name>
    Show all routes matching configured prefix list <name>.

quote-regexp <regexp_str>
    Enter the regular expression to compare to the AS_PATH attribute of BGP
    routes (for example, ^730$) and enable the use of output modifiers (for
    example, include, exclude, and begin) to search the results.

regexp <regexp_str>
    Enter the regular expression to compare to the AS_PATH attribute of BGP
    routes (for example, ^730$).

route-map
    Show all routes matching configured route maps.

summary
    Show information about BGP neighbor status.

router info6 interface

Use this command to display information about IPv6 interfaces.

Syntax
get router info6 interface <interface_name>

Example output
The command returns the status of the interface and its assigned IPv6 addresses (global and link-local).
dmz2 [administratively down/down]
2001:db8:85a3:8d3:1319:8a2e:370:7348
fe80::209:fff:fe04:4cfd

router info6 kernel

Use this command to display the FortiGate kernel routing table. The kernel routing table displays information
about all of the routes in the kernel.

Syntax
get router info6 kernel

router info6 ospf

Use this command to display information about the OSPF IPv6 configuration.

Syntax
get router info6 ospf

router info6 protocols

Use this command to display information about the configuration of all IPv6 dynamic routing protocols.

Syntax
get router info6 protocols

router info6 rip

Use this command to display information about the RIPng configuration.

Syntax
get router info6 rip

router info6 routing-table

Use this command to display the routes in the IPv6 routing table.

Syntax
get router info6 routing-table <item>
where <item> is one of the following:

Variable     Description
<ipv6_ip>    Destination IPv6 address or prefix.
bgp          Show BGP routing table entries.
connected    Show connected routing table entries.
database     Show the routing information base.
ospf         Show OSPF routing table entries.
rip          Show RIP routing table entries.
static       Show static routing table entries.

system admin list

View a list of all the current administration sessions.

Syntax
get system admin list

Example output
# get system admin list
username local  device                   remote               started
admin    sshv2  port1:172.20.120.148:22  172.20.120.16:4167   2006-08-09 12:24:20
admin    https  port1:172.20.120.148:443 172.20.120.161:56365 2006-08-09 12:24:20
admin    https  port1:172.20.120.148:443 172.20.120.16:4214   2006-08-09 12:25:29
Variable Description

username Name of the admin account for this session.

local The protocol this session used to connect to the FortiGate unit.

device The interface, IP address, and port used by this session to connect to the FortiGate unit.

remote The IP address and port used by the originating computer to connect to the FortiGate unit.

started The time the current session started.
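The session table above is the natural place to check who is on the management plane. The following script is an added example and is not part of the FortiOS reference or Fortinet's own tooling: it parses output in the layout of get system admin list (the sample is constructed; the third row is invented) and flags sessions that originate outside an assumed management network or use a protocol that does not encrypt the session. The allowed network and protocol set are hypothetical policy values.

```python
import ipaddress

# Constructed sample in the layout of `get system admin list` (not captured
# from a real unit; the third row is invented so the audit has something to flag).
SAMPLE_ADMIN_LIST = """\
username local  device                   remote               started
admin    sshv2  port1:172.20.120.148:22  172.20.120.16:4167   2006-08-09 12:24:20
admin    https  port1:172.20.120.148:443 172.20.120.161:56365 2006-08-09 12:24:20
admin    telnet port1:172.20.120.148:23  203.0.113.7:51022    2006-08-09 12:25:29
"""

# Assumed site policy (hypothetical): management only from this network,
# and only over protocols that encrypt the session.
ALLOWED_MGMT_NETS = [ipaddress.ip_network("172.20.120.0/24")]
ENCRYPTED_PROTOCOLS = {"sshv2", "https"}


def parse_admin_list(text):
    """Turn the whitespace-separated session table into a list of dicts.

    Columns: username, local (protocol), device (iface:ip:port),
    remote (ip:port), started (date and time, two tokens).
    """
    sessions = []
    rows = [line for line in text.splitlines() if line.strip()]
    for row in rows[1:]:                      # rows[0] is the header line
        parts = row.split()
        if len(parts) < 6:
            continue                          # not a session row
        remote_ip, _, remote_port = parts[3].rpartition(":")
        sessions.append({
            "username": parts[0],
            "protocol": parts[1],
            "device": parts[2],
            "remote_ip": remote_ip,
            "remote_port": int(remote_port),
            "started": " ".join(parts[4:6]),
        })
    return sessions


def audit_admin_sessions(sessions, allowed_nets=ALLOWED_MGMT_NETS,
                         encrypted=ENCRYPTED_PROTOCOLS):
    """Return (finding, username, remote_ip, protocol) tuples for sessions that
    come from outside the management network or use a cleartext protocol."""
    findings = []
    for s in sessions:
        ip = ipaddress.ip_address(s["remote_ip"])
        if not any(ip in net for net in allowed_nets):
            findings.append(("outside-mgmt-net", s["username"], s["remote_ip"], s["protocol"]))
        if s["protocol"] not in encrypted:
            findings.append(("cleartext-protocol", s["username"], s["remote_ip"], s["protocol"]))
    return findings


if __name__ == "__main__":
    for finding in audit_admin_sessions(parse_admin_list(SAMPLE_ADMIN_LIST)):
        print(*finding)
```

Feed it the output captured over SSH from the unit; every row that is reported should be matched against a change ticket or treated as a suspicious administrative login.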

system admin status

View the status of the currently logged in admin and their session.

Syntax
get system admin status

Example
The output looks like this:
# get system admin status
username: admin
login local: sshv2
login device: port1:172.20.120.148:22
login remote: 172.20.120.16:4167
login vdom: root
login started: 2006-08-09 12:24:20
current time: 2006-08-09 12:32:12
Variable Description

username Name of the admin account currently logged in.

login local The protocol used to start the current session.

login device The login information from the FortiGate unit including interface, IP address, and port number.

login remote The computer the user is logging in from including the IP address and port number.

login vdom The virtual domain the admin is currently logged into.

login started The time the current session started.

current time The current time of day on the FortiGate unit.

system arp

View the ARP table entries on the FortiGate unit.

This command is not available in multiple VDOM mode.

Syntax
get system arp

Example output
# get system arp
Address Age(min) Hardware Addr Interface
172.20.120.16 0 00:0d:87:5c:ab:65 internal
172.20.120.138 0 00:08:9b:09:bb:01 internal

system auto-update

Use this command to display information about the status of FortiGuard updates on the FortiGate unit.

Syntax
get system auto-update status
get system auto-update versions

Example output
get system auto-update status
FDN availability: available at Thu Apr 1 08:22:58 2010

Push update: disable
Scheduled update: enable
Update daily: 8:22
Virus definitions update: enable
IPS definitions update: enable
Server override: disable
Push address override: disable
Web proxy tunneling: disable

system central-management

View information about the Central Management System configuration.

Syntax
get system central-management

Example
The output looks like this:
FG600B3908600705 # get system central-management
status : enable
type : fortimanager
auto-backup : disable
schedule-config-restore: enable
schedule-script-restore: enable
allow-push-configuration: enable
allow-pushd-firmware: enable
allow-remote-firmware-upgrade: enable
allow-monitor : enable
fmg : 172.20.120.161
vdom : root
authorized-manager-only: enable
serial-number : "FMG-3K2404400063"

system checksum

View the checksums for global, root, and all configurations. These checksums are used by HA to compare the
configurations of each cluster unit.

Syntax
get system checksum status

Example output
# get system checksum status
global: 7a 87 3c 14 93 bc 98 92 b0 58 16 f2 eb bf a4 15
root: bb a4 80 07 42 33 c2 ff f1 b5 6e fe e4 bb 45 fb
all: 1c 28 f1 06 fa 2e bc 1f ed bd 6b 21 f9 4b 12 88
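Because HA uses these per-scope checksums to decide whether cluster members carry the same configuration, comparing them by hand is the quickest way to localize a synchronization problem to global settings or to one VDOM. The script below is an added example, not part of the FortiOS reference: it parses two copies of get system checksum status output (one taken on the primary unit, one taken on a subordinate unit after execute ha manage) and reports the scopes that differ. Both samples are constructed; the primary copy mirrors the reference example above and the subordinate copy was altered so that the root VDOM differs.

```python
# Constructed outputs of `get system checksum status` from two cluster
# members; the primary copy mirrors the reference example, the subordinate
# copy has been altered so that the root VDOM (and therefore "all") differs.
PRIMARY_OUTPUT = """\
global: 7a 87 3c 14 93 bc 98 92 b0 58 16 f2 eb bf a4 15
root: bb a4 80 07 42 33 c2 ff f1 b5 6e fe e4 bb 45 fb
all: 1c 28 f1 06 fa 2e bc 1f ed bd 6b 21 f9 4b 12 88
"""

SUBORDINATE_OUTPUT = """\
global: 7a 87 3c 14 93 bc 98 92 b0 58 16 f2 eb bf a4 15
root: 0d 19 e2 7c 55 a1 3e 90 2b c4 77 08 d6 1f 9a 63
all: 5e 40 b2 9d 11 c7 03 68 f4 2a 8b d9 36 71 e5 0c
"""


def parse_checksum_status(text):
    """Map each scope (global, a VDOM name, all) to its checksum as one
    lowercase hex string, e.g. 'global' -> '7a873c14...'."""
    checksums = {}
    for line in text.splitlines():
        scope, sep, value = line.partition(":")
        if not sep:
            continue                               # not a "scope: bytes" line
        digest = "".join(value.split()).lower()    # drop the spaces between bytes
        if scope.strip() and digest:
            checksums[scope.strip()] = digest
    return checksums


def compare_cluster_checksums(primary_text, subordinate_text):
    """Return the sorted list of scopes whose checksums differ between the two
    units; an empty list means the configurations are in sync. A scope present
    on only one unit (e.g. a VDOM that exists on one side) is also reported."""
    primary = parse_checksum_status(primary_text)
    subordinate = parse_checksum_status(subordinate_text)
    return sorted(scope for scope in primary.keys() | subordinate.keys()
                  if primary.get(scope) != subordinate.get(scope))


if __name__ == "__main__":
    print(compare_cluster_checksums(PRIMARY_OUTPUT, SUBORDINATE_OUTPUT))
```

If only a VDOM scope differs, the mismatch is confined to that VDOM's configuration; if global differs, look at system-level settings first.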

system cmdb status

View information about cmdbsvr on the FortiGate unit. FortiManager uses some of this information.

Syntax
get system cmdb status

Example output
# get system cmdb status
version: 1
owner id: 18
update index: 6070
config checksum: 12879299049430971535
last request pid: 68
last request type: 29
last request: 78
Variable Description

version Version of the cmdb software.

owner id Process ID of the cmdbsvr daemon.

update index The update index shows how many changes have been made in cmdb.

config checksum The config file version used by FortiManager.

last request pid The last process to access the cmdb.

last request type Type of the last attempted access of cmdb.

last request The number of the last attempted access of cmdb.

system fortianalyzer-connectivity

Display connection and remote disk usage information about a connected FortiAnalyzer unit.

Syntax
get system fortianalyzer-connectivity status

Example output
# get system fortianalyzer-connectivity status
Status: connected
Disk Usage: 0%

system fortiguard-log-service status

Command returns information about the status of the FortiGuard Log & Analysis Service including license and
disk information.

Syntax
get system fortiguard-log-service status

Example output
# get system fortiguard-log-service status
FortiGuard Log & Analysis Service
Expire on: 20071231
Total disk quota: 1111 MB
Max daily volume: 111 MB
Current disk quota usage: n/a

system fortiguard-service status

COMMAND REPLACED. Command returns information about the status of the FortiGuard service including the
name, version, last update, method used for the last update and when the update expires. This information is
shown for the AV Engine, virus definitions, attack definitions, and the IPS attack engine.

Syntax
get system fortiguard-service status

Example output
NAME VERSION LAST UPDATE METHOD EXPIRE
AV Engine          2.002   2006-01-26 19:45:00 manual 2006-06-12 08:00:00
Virus Definitions  6.513   2006-06-02 22:01:00 manual 2006-06-12 08:00:00
Attack Definitions 2.299   2006-06-09 19:19:00 manual 2006-06-12 08:00:00
IPS Attack Engine  1.015   2006-05-09 23:29:00 manual 2006-06-12 08:00:00

system ha-nonsync-csum

FortiManager uses this command to obtain a system checksum.

Syntax
get system ha-nonsync-csum

system ha status

Use this command to display information about an HA cluster. The command displays general HA configuration
settings. The command also displays information about how the cluster unit that you have logged into is
operating in the cluster.

Usually you would log into the primary unit CLI using SSH or telnet. In this case the get system ha status
command displays information about the primary unit first, and also displays the HA state of the primary unit (the
primary unit operates in the work state). However, if you log into the primary unit and then use the execute ha
manage command to log into a subordinate unit (or if you use a console connection to log into a subordinate
unit), the get system ha status command displays information about this subordinate unit first, and also
displays the HA state of this subordinate unit. The state of a subordinate unit is work for an active-active cluster
and standby for an active-passive cluster.

For a virtual cluster configuration, the get system ha status command displays information about how the
cluster unit that you have logged into is operating in virtual cluster 1 and virtual cluster 2. For example, if you
connect to the cluster unit that is the primary unit for virtual cluster 1 and the subordinate unit for virtual cluster 2,
the output of the get system ha status command shows virtual cluster 1 in the work state and virtual
cluster 2 in the standby state. The get system ha status command also displays additional information
about virtual cluster 1 and virtual cluster 2.

Syntax
get system ha status
The command display includes the following fields. For more information see the examples that follow.

Variable Description

Model The FortiGate model number.

Mode The HA mode of the cluster: a-a or a-p.

Group The group ID of the cluster.

Debug The debug status of the cluster.

ses_pickup The status of session pickup: enable or disable.

load_balance The status of the load-balance-all field: enable or disable. Displayed for active-active clusters only.

schedule The active-active load balancing schedule. Displayed for active-active clusters only.

Master, Slave Master displays the device priority, host name, serial number, and actual cluster index of the primary (or master) unit. Slave displays the device priority, host name, serial number, and actual cluster index of the subordinate (or slave, or backup) unit or units.

The list of cluster units changes depending on how you log into the CLI. Usually you would use SSH or telnet to log into the primary unit CLI. In this case the primary unit would be at the top of the list followed by the other cluster units.

If you use execute ha manage or a console connection to log into a subordinate unit CLI, and then enter get system ha status, the subordinate unit that you have logged into appears at the top of the list of cluster units.

number of vcluster The number of virtual clusters. If virtual domains are not enabled, the cluster has one virtual cluster. If virtual domains are enabled the cluster has two virtual clusters.

vcluster 1 The HA state (hello, work, or standby) and HA heartbeat IP address of the cluster unit that you have logged into in virtual cluster 1. If virtual domains are not enabled, vcluster 1 displays information for the cluster. If virtual domains are enabled, vcluster 1 displays information for virtual cluster 1.

The HA heartbeat IP address is 10.0.0.1 if you are logged into the primary unit of virtual cluster 1 and 10.0.0.2 if you are logged into a subordinate unit of virtual cluster 1.

vcluster 1 also lists the primary unit (master) and subordinate units (slave) in virtual cluster 1. The list includes the operating cluster index and serial number of each cluster unit in virtual cluster 1. The cluster unit that you have logged into is at the top of the list.

If virtual domains are not enabled and you connect to the primary unit CLI, the HA state of the cluster unit in virtual cluster 1 is work. The display lists the cluster units starting with the primary unit.

If virtual domains are not enabled and you connect to a subordinate unit CLI, the HA state of the cluster unit in virtual cluster 1 is standby. The display lists the cluster units starting with the subordinate unit that you have logged into.

If virtual domains are enabled and you connect to the virtual cluster 1 primary unit CLI, the HA state of the cluster unit in virtual cluster 1 is work. The display lists the cluster units starting with the virtual cluster 1 primary unit.

If virtual domains are enabled and you connect to the virtual cluster 1 subordinate unit CLI, the HA state of the cluster unit in virtual cluster 1 is standby. The display lists the cluster units starting with the subordinate unit that you are logged into.

In a cluster consisting of two cluster units operating without virtual domains enabled, all clustering actually takes place in virtual cluster 1. HA is designed to work this way to support virtual clustering. If this cluster was operating with virtual domains enabled, adding virtual cluster 2 is similar to adding a new copy of virtual cluster 1. Virtual cluster 2 is visible in the get system ha status command output when you add virtual domains to virtual cluster 2.

vcluster 2 vcluster 2 only appears if virtual domains are enabled.

vcluster 2 displays the HA state (hello, work, or standby) and HA heartbeat IP address of the cluster unit that you have logged into in virtual cluster 2. The HA heartbeat IP address is 10.0.0.2 if you are logged into the primary unit of virtual cluster 2 and 10.0.0.1 if you are logged into a subordinate unit of virtual cluster 2.

vcluster 2 also lists the primary unit (master) and subordinate units (slave) in virtual cluster 2. The list includes the cluster index and serial number of each cluster unit in virtual cluster 2. The cluster unit that you have logged into is at the top of the list.

If you connect to the virtual cluster 2 primary unit CLI, the HA state of the cluster unit in virtual cluster 2 is work. The display lists the cluster units starting with the virtual cluster 2 primary unit.

If you connect to the virtual cluster 2 subordinate unit CLI, the HA state of the cluster unit in virtual cluster 2 is standby. The display lists the cluster units starting with the subordinate unit that you are logged into.

system info admin status

Use this command to display administrators that are logged into the FortiGate unit.

Syntax
get system info admin status

Example
This shows sample output.
Index User name Login type From
0 admin CLI ssh(172.20.120.16)
1 admin WEB 172.20.120.16
Variable Description

Index The order the administrators logged in.

User name The name of the user account logged in.

Login type Which interface was used to log in.

From The IP address this user logged in from.

Related topics
"system info admin ssh" on page 106

system info admin ssh

Use this command to display information about the SSH configuration on the FortiGate unit such as:

the SSH port number

the interfaces with SSH enabled

the hostkey DSA fingerprint

the hostkey RSA fingerprint

Syntax
get system info admin ssh

Example output
# get system info admin ssh
SSH v2 is enabled on port 22
SSH is enabled on the following 1 interfaces:
internal
SSH hostkey DSA fingerprint = cd:e1:87:70:bb:f0:9c:7d:e3:7b:73:f7:44:23:a5:99
SSH hostkey RSA fingerprint = c9:5b:49:1d:7c:ba:be:f3:9d:39:33:4d:48:9d:b8:49
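The fingerprints printed here are what an administrator should compare against the value recorded at provisioning before trusting an SSH session to the unit, and the interface list is where SSH exposure on an untrusted interface shows up. The script below is an added example and is not part of the FortiOS reference: it parses output in the layout of get system info admin ssh (the sample repeats the fingerprints from the reference example, not values from a real unit) and reports an RSA hostkey that differs from a pinned value or SSH enabled on an interface outside the expected set. The pinned fingerprint and expected interface set are hypothetical.

```python
import re

# Constructed sample in the layout of `get system info admin ssh`; the
# fingerprints are the ones printed in the reference example, not a real unit's.
SAMPLE_SSH_INFO = """\
SSH v2 is enabled on port 22
SSH is enabled on the following 1 interfaces:
internal
SSH hostkey DSA fingerprint = cd:e1:87:70:bb:f0:9c:7d:e3:7b:73:f7:44:23:a5:99
SSH hostkey RSA fingerprint = c9:5b:49:1d:7c:ba:be:f3:9d:39:33:4d:48:9d:b8:49
"""

# Hypothetical pinned values recorded when the unit was provisioned.
PINNED_RSA_FINGERPRINT = "c9:5b:49:1d:7c:ba:be:f3:9d:39:33:4d:48:9d:b8:49"
EXPECTED_SSH_INTERFACES = {"internal"}

PORT_RE = re.compile(r"^SSH v(\d+) is enabled on port (\d+)$")
IFACE_RE = re.compile(r"^SSH is enabled on the following (\d+) interfaces?:$")
FP_RE = re.compile(r"^SSH hostkey (\w+) fingerprint = ((?:[0-9a-f]{2}:){15}[0-9a-f]{2})$", re.I)


def parse_ssh_info(text):
    """Extract SSH version, port, enabled interfaces and hostkey fingerprints."""
    info = {"version": None, "port": None, "interfaces": [], "fingerprints": {}}
    lines = [line.strip() for line in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        port_m, iface_m, fp_m = PORT_RE.match(line), IFACE_RE.match(line), FP_RE.match(line)
        if port_m:
            info["version"], info["port"] = int(port_m.group(1)), int(port_m.group(2))
        elif iface_m:
            count = int(iface_m.group(1))          # the next <count> lines name interfaces
            info["interfaces"] = lines[i + 1:i + 1 + count]
            i += count
        elif fp_m:
            info["fingerprints"][fp_m.group(1).upper()] = fp_m.group(2).lower()
        i += 1
    return info


def check_ssh_exposure(info, pinned_rsa=PINNED_RSA_FINGERPRINT,
                       expected_ifaces=EXPECTED_SSH_INTERFACES):
    """Return findings: an RSA hostkey that no longer matches the pinned value
    (possible interception or unplanned re-keying) or SSH reachable on an
    interface that was not planned to carry management traffic."""
    findings = []
    if info["fingerprints"].get("RSA") != pinned_rsa.lower():
        findings.append("rsa-hostkey-changed")
    for iface in info["interfaces"]:
        if iface not in expected_ifaces:
            findings.append("ssh-enabled-on-unexpected-interface:" + iface)
    return findings


if __name__ == "__main__":
    print(check_ssh_exposure(parse_ssh_info(SAMPLE_SSH_INFO)))
```

Run the check from a console session or a connection whose hostkey you have already verified, since output obtained through an intercepted SSH session cannot be trusted to prove the session is genuine.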

system interface physical

Use this command to list information about the unit’s physical network interfaces.

Syntax
get system interface physical
The output looks like this:
# get system interface physical
== [onboard]
==[dmz1]
mode: static
ip: 0.0.0.0 0.0.0.0
status: down
speed: n/a
==[dmz2]
mode: static
ip: 0.0.0.0 0.0.0.0
status: down
speed: n/a
==[internal]
mode: static
ip: 172.20.120.146 255.255.255.0
status: up
speed: 100
==[wan1]
mode: pppoe
ip: 0.0.0.0 0.0.0.0
status: down
speed: n/a
==[wan2]
mode: static
ip: 0.0.0.0 0.0.0.0
status: down
speed: n/a
==[modem]
mode: static
ip: 0.0.0.0 0.0.0.0
status: down
speed: n/a

system mgmt-csum

FortiManager uses this command to obtain checksum information from FortiGate units.

Syntax
get system mgmt-csum {global | vdom | all}
where

global retrieves global object checksums


vdom retrieves VDOM object checksums
all retrieves all object checksums.

system performance firewall

Use this command to display packet distribution and traffic statistics information for the FortiGate firewall.

Syntax
get system performance firewall packet-distribution
get system performance firewall statistics
Variable Description

packet-distribution Display a list of packet size ranges and the number of packets of each size accepted by the firewall since the system restarted. You can use this information to learn about the packet size distribution on your network.

Note: these counts do not include packets offloaded to the NPU.

statistics Display a list of traffic types (browsing, email, DNS etc) and the number of packets and number of payload bytes accepted by the firewall for each type since the FortiGate unit was restarted.

Example output
get system performance firewall packet-distribution
getting packet distribution statistics...
0 bytes - 63 bytes: 655283 packets
64 bytes - 127 bytes: 1678278 packets
128 bytes - 255 bytes: 58823 packets
256 bytes - 383 bytes: 70432 packets
384 bytes - 511 bytes: 1610 packets
512 bytes - 767 bytes: 3238 packets
768 bytes - 1023 bytes: 7293 packets
1024 bytes - 1279 bytes: 18865 packets
1280 bytes - 1500 bytes: 58193 packets
> 1500 bytes: 0 packets

get system performance firewall statistics
getting traffic statistics...
Browsing: 623738 packets, 484357448 bytes
DNS: 5129187383836672 packets, 182703613804544 bytes
E-Mail: 23053606 packets, 2 bytes
FTP: 0 packets, 0 bytes
Gaming: 0 packets, 0 bytes
IM: 0 packets, 0 bytes
Newsgroups: 0 packets, 0 bytes
P2P: 0 packets, 0 bytes
Streaming: 0 packets, 0 bytes
TFTP: 654722117362778112 packets, 674223966126080 bytes
VoIP: 16834455 packets, 10 bytes
Generic TCP: 266287972352 packets, 8521215115264 bytes
Generic UDP: 0 packets, 0 bytes
Generic ICMP: 0 packets, 0 bytes
Generic IP: 0 packets, 0 bytes

system performance status

Use this command to display FortiGate CPU usage, memory usage, network usage, sessions, virus, IPS attacks,
and system up time.

Syntax
get system performance status

Variable Description

CPU states The percentages of CPU cycles used by user, system, nice and idle categories of processes. These categories are:

user - CPU usage of normal user-space processes

system - CPU usage of kernel

nice - CPU usage of user-space processes having other-than-normal running priority

idle - Idle CPU cycles

Adding user, system, and nice produces the total CPU usage as seen on the CPU widget on the web-based system status dashboard.

Memory states The percentage of memory used.

Average network usage The average amount of network traffic in kbps in the last 1, 10 and 30 minutes.

Average sessions The average number of sessions connected to the FortiGate unit over the last 1, 10 and 30 minutes.

Virus caught The number of viruses the FortiGate unit has caught in the last 1 minute.

IPS attacks blocked The number of IPS attacks that have been blocked in the last 1 minute.

Uptime How long since the FortiGate unit was restarted.

Example output
# get system performance status
CPU states: 0% user 0% system 0% nice 100% idle
Memory states: 18% used
Average network usage: 0 kbps in 1 minute, 0 kbps in 10 minutes, 1 kbps in 30 minutes
Average sessions: 5 sessions in 1 minute, 6 sessions in 10 minutes, 5 sessions in 30
minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 9days, 22 hours, 0 minutes

system performance top

Use this command to display the list of processes running on the FortiGate unit (similar to the Linux top
command).

You can use the following commands when get system performance top is running:

• Press Q or Ctrl+C to quit.

• Press P to sort the processes by the amount of CPU that the processes are using.

• Press M to sort the processes by the amount of memory that the processes are using.

Syntax
get system performance top [<delay_int> [<max_lines_int>]]
Variable Description

<delay_int> The delay, in seconds, between updating the process list. The default is 5 seconds.

<max_lines_int> The maximum number of processes displayed in the output. The default is 20 lines.

system session list

Command returns a list of all the sessions active on the FortiGate unit, or on the current virtual domain if virtual
domain mode is enabled.

Syntax
get system session list

Example output
PROTO     EXPIRE  SOURCE         SOURCE-NAT   DESTINATION    DESTINATION-NAT
tcp 0 127.0.0.1:1083 - 127.0.0.1:514 -
tcp 0 127.0.0.1:1085 - 127.0.0.1:514 -
tcp 10 127.0.0.1:1087 - 127.0.0.1:514 -
tcp 20 127.0.0.1:1089 - 127.0.0.1:514 -
tcp 30 127.0.0.1:1091 - 127.0.0.1:514 -
tcp 40 127.0.0.1:1093 - 127.0.0.1:514 -
tcp 60 127.0.0.1:1097 - 127.0.0.1:514 -
tcp 70 127.0.0.1:1099 - 127.0.0.1:514 -
tcp 80 127.0.0.1:1101 - 127.0.0.1:514 -
tcp 90 127.0.0.1:1103 - 127.0.0.1:514 -
tcp 100 127.0.0.1:1105 - 127.0.0.1:514 -
tcp 110 127.0.0.1:1107 - 127.0.0.1:514 -
tcp 103 172.20.120.16:3548 -        172.20.120.133:22 -
tcp 3600 172.20.120.16:3550 -        172.20.120.133:22 -
udp 175 127.0.0.1:1026 - 127.0.0.1:53 -
tcp 5 127.0.0.1:1084 - 127.0.0.1:514 -
tcp 5 127.0.0.1:1086 - 127.0.0.1:514 -
tcp 15 127.0.0.1:1088 - 127.0.0.1:514 -
tcp 25 127.0.0.1:1090 - 127.0.0.1:514 -
tcp 45 127.0.0.1:1094 - 127.0.0.1:514 -
tcp 59 127.0.0.1:1098 - 127.0.0.1:514 -
tcp 69 127.0.0.1:1100 - 127.0.0.1:514 -
tcp 79 127.0.0.1:1102 - 127.0.0.1:514 -
tcp 99 127.0.0.1:1106 - 127.0.0.1:514 -
tcp 109 127.0.0.1:1108 - 127.0.0.1:514 -
tcp 119 127.0.0.1:1110 - 127.0.0.1:514 -

Variable Description

PROTO The transfer protocol of the session.

EXPIRE How long before this session will terminate.

SOURCE The source IP address and port number.

SOURCE-NAT The source of the NAT. ‘-’ indicates there is no NAT.

DESTINATION The destination IP address and port number.

DESTINATION-NAT The destination of the NAT. ‘-’ indicates there is no NAT.

system session status

Use this command to display the number of active sessions on the FortiGate unit or, if virtual domain mode is
enabled, the number of active sessions on the current VDOM. In both cases the output refers to 'the current
VDOM'.

Syntax
get system session status

Example output
The total number of sessions for the current VDOM: 3100

system session-helper-info list

Use this command to list the FortiGate session helpers and the protocol and port number configured for each
one.

Syntax
get system session-helper-info list

Example output
list builtin help module:
mgcp
dcerpc
rsh
pmap
dns-tcp
dns-udp
rtsp
pptp
sip
mms
tns
h245
h323
ras
tftp
ftp
list session help:
help=pmap, protocol=17 port=111
help=rtsp, protocol=6 port=8554
help=rtsp, protocol=6 port=554
help=pptp, protocol=6 port=1723
help=rtsp, protocol=6 port=7070
help=sip, protocol=17 port=5060
help=pmap, protocol=6 port=111
help=rsh, protocol=6 port=512
help=dns-udp, protocol=17 port=53
help=tftp, protocol=17 port=69
help=tns, protocol=6 port=1521
help=mgcp, protocol=17 port=2727
help=dcerpc, protocol=17 port=135
help=rsh, protocol=6 port=514
help=ras, protocol=17 port=1719
help=ftp, protocol=6 port=21
help=mgcp, protocol=17 port=2427
help=dcerpc, protocol=6 port=135
help=mms, protocol=6 port=1863
help=h323, protocol=6 port=1720

system session-info

Use this command to display session information.

Syntax
get system session-info expectation
get system session-info full-stat
get system session-info list
get system session-info statistics
get system session-info ttl
Variable Description

expectation Display expectation sessions.

full-stat Display detailed information about the FortiGate session table including a session table and expect session table summary, firewall error statistics, and other information.

list Display detailed information about all current FortiGate sessions. For each session the command displays the protocol number, traffic shaping information, policy information, state information, statistics and other information.

statistics Display the same information as the full-stat command except for the session table and expect session table summary.

ttl Display the current setting of the config system session-ttl command including the overall session timeout as well as the timeouts for specific protocols.

Example output
get system session-info statistics
misc info: session_count=15 exp_count=0 clash=0 memory_tension_drop=0 ephemeral=1/32752
removeable=14
delete=0, flush=0, dev_down=0/0
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000
tt=00000000
cont=00000000
ids_recv=00000000
url_recv=00000000
av_recv=00000000
fqdn_count=00000001
tcp reset stat:
syncqf=0 acceptqf=0 no-listener=227 data=0 ses=0 ips=0
global: ses_limit=0 ses6_limit=0 rt_limit=0 rt6_limit=0

system source-ip

Use this command to list defined source-IPs.

Syntax
get system source-ip status

Example output
# get sys source-ip status
The following services force their communication to use
a specific source IP address:

service=NTP source-ip=172.18.19.101
service=DNS source-ip=172.18.19.101
vdom=root service=RADIUS name=server-pc25 source-ip=10.1.100.101
vdom=root service=TACACS+ name=tac_plus_pc25 source-ip=10.1.100.101
vdom=root service=FSAE name=pc26 source-ip=172.18.19.101
vdom=V1 service=RADIUS name=pc25-Radius source-ip=172.16.200.101
vdom=V1 service=TACACS+ name=pc25-tacacs+ source-ip=172.16.200.101
vdom=V1 service=FSAE name=pc16 source-ip=172.16.200.101

system startup-error-log

Use this command to display information about system startup errors. This command only displays information if
an error occurs when the FortiGate unit starts up.

Syntax
get system startup-error-log

system status

Use this command to display system status information including:

FortiGate firmware version, build number and branch point

virus and attack definitions version

FortiGate unit serial number and BIOS version

log hard disk availability

host name

operation mode

virtual domains status: current VDOM, max number of VDOMs, number of NAT and TP mode VDOMs and
VDOM status

current HA status

system time

the revision of the WiFi chip in a FortiWiFi unit

Syntax
get system status

Example output
Version: Fortigate-620B v4.0,build0271,100330 (MR2)
Virus-DB: 11.00643(2010-03-31 17:49)
Extended DB: 11.00643(2010-03-31 17:50)
Extreme DB: 0.00000(2003-01-01 00:00)
IPS-DB: 2.00778(2010-03-31 12:55)
FortiClient application signature package: 1.167(2010-04-01 10:11)
Serial-Number: FG600B3908600705
BIOS version: 04000006
Log hard disk: Available
Hostname: 620_ha_1
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: a-p, master
Distribution: International
Branch point: 271
Release Version Information: MR2
System time: Thu Apr 1 15:27:29 2010

test

Use this command to display information about FortiGate applications and perform operations on FortiGate
applications. You can specify an application name and a test level. Enter ? to display the list of applications. The
test level performs various functions depending on the application but can include displaying memory usage,
dropping connections and restarting the application.

The test levels are different for different applications. In some cases when you enter the command and include
an application name but no test level (or an invalid test level) the command output includes a list of valid test
levels.

Syntax
get test <application_name_str> <test_level_int>

Example output
get test http
Proxy Worker 0 - http
[0:H] HTTP Proxy Test Usage
[0:H]
[0:H] 2: Drop all connections
[0:H] 22: Drop max idle connections
[0:H] 222: Drop all idle connections
[0:H] 4: Display connection stat
[0:H] 44: Display info per connection
[0:H] 444: Display connections per state
[0:H] 4444: Display per-VDOM statistics
[0:H] 44444: Display information about idle connections
[0:H] 55: Display tcp info per connection

get test http 4


HTTP Common
Current Connections 0/8032

HTTP Stat
Bytes sent 0 (kb)
Bytes received 0 (kb)
Error Count (alloc) 0
Error Count (accept) 0
Error Count (bind) 0
Error Count (connect) 0
Error Count (socket) 0
Error Count (read) 0
Error Count (write) 0
Error Count (retry) 0
Error Count (poll) 0
Error Count (scan reset) 0
Error Count (urlfilter wait) 0
Last Error 0
Web responses clean 0
Web responses scan errors 0
Web responses detected 0
Web responses infected with worms 0
Web responses infected with viruses 0
Web responses infected with susp 0
Web responses file blocked 0
Web responses file exempt 0
Web responses bannedword detected 0
Web requests oversize pass 0
Web requests oversize block 0
URL requests exempt 0
URL requests blocked 0
URL requests passed 0
URL requests submit error 0
URL requests rating error 0
URL requests rating block 0
URL requests rating allow 0
URL requests infected with worms 0
Web requests detected 0
Web requests file blocked 0
Web requests file exempt 0
POST requests clean 0
POST requests scan errors 0
POST requests infected with viruses 0
POST requests infected with susp 0
POST requests file blocked 0
POST requests bannedword detected 0
POST requests oversize pass 0
POST requests oversize block 0
Web request backlog drop 0
Web response backlog drop 0

HTTP Accounting
setup_ok=0 setup_fail=0 conn_ok=0 conn_inp=0
urlfilter=0/0/0 uf_lookupf=0
scan=0 clt=0 srv=0

user adgrp

Use this command to list Directory Service user groups.

Syntax
get user adgrp [<dsgroupname>]
If you do not specify a group name, the command returns information for all Directory Service groups. For
example:
== [ DOCTEST/Cert Publishers ]
name: DOCTEST/Cert Publishers server-name: DSserv1
== [ DOCTEST/Developers ]
name: DOCTEST/Developers server-name: DSserv1
== [ DOCTEST/Domain Admins ]
name: DOCTEST/Domain Admins server-name: DSserv1
== [ DOCTEST/Domain Computers ]
name: DOCTEST/Domain Computers server-name: DSserv1
== [ DOCTEST/Domain Controllers ]
name: DOCTEST/Domain Controllers server-name: DSserv1
== [ DOCTEST/Domain Guests ]
name: DOCTEST/Domain Guests server-name: DSserv1
== [ DOCTEST/Domain Users ]
name: DOCTEST/Domain Users server-name: DSserv1
== [ DOCTEST/Enterprise Admins ]
name: DOCTEST/Enterprise Admins server-name: DSserv1
== [ DOCTEST/Group Policy Creator Owners ]
name: DOCTEST/Group Policy Creator Owners server-name: DSserv1
== [ DOCTEST/Schema Admins ]
name: DOCTEST/Schema Admins server-name: DSserv1
If you specify a Directory Service group name, the command returns information for only that group. For example:
name : DOCTEST/Developers
server-name : ADserv1
The server-name is the name you assigned to the Directory Service server when you configured it in the user
fsae command.

vpn ike gateway

Use this command to display information about FortiGate IPsec VPN IKE gateways.

Syntax
get vpn ike gateway [<gateway_name_str>]

vpn ipsec tunnel details

Use this command to display information about IPsec tunnels.

Syntax
get vpn ipsec tunnel details

vpn ipsec tunnel name

Use this command to display information about a specified IPsec VPN tunnel.

Syntax
get vpn ipsec tunnel name <tunnel_name_str>

vpn ipsec stats crypto

Use this command to display information about the FortiGate hardware and software crypto configuration.

Syntax
get vpn ipsec stats crypto

Example output
get vpn ipsec stats crypto

IPsec crypto devices in use:

CP6 (encrypted/decrypted):
        null:   0      0
        des:    0      0
        3des:   0      0
        aes:    0      0
CP6 (generated/validated):
        null:   0      0
        md5: 0      0
        sha1: 0      0
sha256: 0      0

SOFTWARE (encrypted/decrypted):
        null:   0      0
        des:    0      0
        3des:   0      0
        aes:    0      0
SOFTWARE (generated/validated):
        null:   0      0
        md5:    0      0
        sha1:   0      0
        sha256: 0      0
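The counters above answer a question the configuration alone does not: whether any tunnel actually negotiated a weak cipher or hash, on the CP6 or in software. The script below is an added example, not part of the FortiOS reference: it parses output in the layout of get vpn ipsec stats crypto (the sample is constructed, with non-zero counters invented so there is something to flag) and reports weak algorithms whose counters are non-zero. The set of algorithms treated as weak is an assumed policy choice.

```python
# Assumed policy (hypothetical): algorithms that should carry no IPsec traffic.
WEAK_ALGORITHMS = {"null", "des", "3des", "md5"}

# Constructed sample in the layout of `get vpn ipsec stats crypto`; the
# non-zero counters are invented so that the check has something to report.
SAMPLE_CRYPTO_STATS = """\
IPsec crypto devices in use:

CP6 (encrypted/decrypted):
        null:   0      0
        des:    0      0
        3des:   40     40
        aes:    1200   1180
CP6 (generated/validated):
        null:   0      0
        md5:    0      0
        sha1:   0      0
        sha256: 1240   1220

SOFTWARE (encrypted/decrypted):
        null:   0      0
        des:    0      0
        3des:   0      0
        aes:    0      0
SOFTWARE (generated/validated):
        null:   0      0
        md5:    7      7
        sha1:   0      0
        sha256: 0      0
"""


def parse_crypto_stats(text):
    """Return {(device, operation): {algorithm: (count_a, count_b)}}, e.g.
    ('CP6', 'encrypted/decrypted') -> {'aes': (1200, 1180), ...}."""
    stats = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("IPsec crypto devices"):
            continue
        if line.endswith("):") and " (" in line:
            # Section header such as "CP6 (encrypted/decrypted):"
            device, _, operation = line[:-2].partition(" (")
            section = (device, operation)
            stats[section] = {}
            continue
        if section is None:
            continue
        algorithm, _, counts = line.partition(":")
        fields = counts.split()
        if len(fields) == 2 and all(f.isdigit() for f in fields):
            stats[section][algorithm.strip()] = (int(fields[0]), int(fields[1]))
    return stats


def find_weak_algorithm_use(stats, weak=WEAK_ALGORITHMS):
    """List (device, operation, algorithm, combined_count) for weak algorithms
    whose counters are non-zero, i.e. a tunnel actually negotiated them."""
    findings = []
    for (device, operation), algorithms in stats.items():
        for algorithm, (a, b) in algorithms.items():
            if algorithm in weak and (a or b):
                findings.append((device, operation, algorithm, a + b))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_weak_algorithm_use(parse_crypto_stats(SAMPLE_CRYPTO_STATS)):
        print(*finding)
```

A hit here points at a phase 1 or phase 2 proposal that still offers the weak algorithm; use get vpn ike gateway and get vpn ipsec tunnel details to identify the tunnel before tightening its proposal list.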

vpn ipsec stats tunnel

Use this command to view information about IPsec tunnels.

Syntax
get vpn ipsec stats tunnel

Example output
#get vpn ipsec stats tunnel
tunnels
total: 0
static/ddns: 0
dynamic: 0
manual: 0
errors: 0
selectors
total: 0
up: 0

vpn ssl monitor

Use this command to display information about logged in SSL VPN users and current SSL VPN sessions.

Syntax
get vpn ssl monitor

Example output

vpn status l2tp

Use this command to display information about L2TP tunnels.

Syntax
get vpn status l2tp

vpn status pptp

Use this command to display information about PPTP tunnels.

Syntax
get vpn status pptp

vpn status ssl

Use this command to display SSL VPN tunnels and to verify that the FortiGate unit includes a CP6 or later
FortiASIC device that supports SSL acceleration.

Syntax
get vpn status ssl hw-acceleration-status
get vpn status ssl list

Variable Description

hw-acceleration-status Display whether or not the FortiGate unit contains a FortiASIC device that supports SSL acceleration.

list Display information about all configured SSL VPN tunnels.

webfilter ftgd-statistics

Use this command to display FortiGuard Web Filtering rating cache and daemon statistics.

Syntax
get webfilter ftgd-statistics

Example output
get webfilter ftgd-statistics

Rating Statistics:
=====================
DNS failures : 0
DNS lookups : 0
Data send failures : 0
Data read failures : 0
Wrong package type : 0
Hash table miss : 0
Unknown server : 0
Incorrect CRC : 0
Proxy request failures : 0
Request timeout : 0
Total requests : 0
Requests to FortiGuard servers : 0
Server errored responses : 0
Relayed rating : 0
Invalid profile : 0

Allowed : 0
Blocked : 0
Logged : 0
Errors : 0

Cache Statistics:
=====================
Maximum memory : 0
Memory usage : 0

Nodes : 0
Leaves : 0
Prefix nodes : 0
Exact nodes : 0

Requests : 0


Misses : 0
Hits : 0
Prefix hits : 0
Exact hits : 0

No cache directives : 0
Add after prefix : 0
Invalid DB put : 0
DB updates : 0

Percent full : 0%
Branches : 0%
Leaves : 0%
Prefix nodes : 0%
Exact nodes : 0%

Miss rate : 0%
Hit rate : 0%
Prefix hits : 0%
Exact hits : 0%

webfilter status

Use this command to display FortiGate Web Filtering rating information.

Syntax
get webfilter status [<refresh-rate_int>]

wireless-controller client-info

Use this command to get information about WiFi clients.

Syntax
get wireless-controller client-info <vfid> <interface> <client_ip>

The output looks like this:


# get wireless-controller client-info 0 test-local 192.168.2.100
count=1
status: sta_mac=10:fe:ed:26:aa:e0 ap_sn=FP320C3X14006184, ap_name=FP320C3X14006184,
chan=6, radio_type=11N

wireless-controller rf-analysis

Use this command to show information about RF conditions at the access point.


Syntax
get wireless-controller rf-analysis [<wtp_id>]

Example output
# get wireless-controller rf-analysis
<wtp-id> wtp id

FWF60C3G11004319 (global) # get wireless-controller rf-analysis


WTP: FWF60C-WIFI0 0-127.0.0.1:15246
channel rssi-total rf-score overlap-ap interfere-ap
1 418 1 24 26
2 109 5 0 34
3 85 7 1 34
4 64 9 0 35
5 101 6 1 35
6 307 1 8 11
7 82 7 0 16
8 69 8 1 15
9 42 10 0 15
10 53 10 0 14
11 182 1 5 6
12 43 10 0 6
13 20 10 0 5
14 8 10 0 5
Controller: FWF60C3G11004319-0
channel rssi_total
1 418
2 109
3 85
4 64
5 101
6 307
7 82
8 69
9 42
10 53
11 182
12 43
13 20
14 8

wireless-controller scan

Use this command to view the list of access points detected by wireless scanning.

Syntax
get wireless-controller scan

Example output
CMW SSID BSSID CHAN RATE S:N INT CAPS ACT LIVE AGE WIRED
UNN 00:0e:8f:24:18:6d 64 54M 16:0 100 Es N 62576 1668 ?
UNN ftiguest 00:15:55:23:d8:62 157 130M 6:0 100 EPs N 98570 2554 ?

The first entry has no SSID (a hidden network), so its remaining columns are shifted one position to the left.

wireless-controller status

Use this command to view the number of WTP (access point) sessions and the number of clients.

Syntax
get wireless-controller status

Example output
# get wireless-controller status
Wireless Controller :
wtp-session-count: 1
client-count : 1/0

wireless-controller vap-status

Use this command to view information about your SSIDs.

Syntax
get wireless-controller vap-status

Example output
# get wireless-controller vap-status
WLAN: mesh.root
name : mesh.root
vdom : root
ssid : fortinet.mesh.root
status : up
mesh backhaul : yes
ip : 0.0.0.0
mac : 00:ff:0a:57:95:ca
station info : 0/0
WLAN: wifi
name : wifi
vdom : root
ssid : ft-mesh
status : up
mesh backhaul : yes
ip : 10.10.80.1
mac : 00:ff:45:e1:55:81
station info : 1/0

wireless-controller wlchanlistlic

Use this command to display a list of the channels allowed in your region, including:

- the maximum permitted power for each channel
- the channels permitted for each wireless type (802.11n, for example)

The list is in XML format.

Syntax
get wireless-controller wlchanlistlic

Example output
country name: UNITED STATES2, country code:841, iso name:US
channels on 802.11A band without channel bonding:
channel= 36 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 40 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 44 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 48 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel=149 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=153 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=157 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=161 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=165 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2

channels on 802.11B band without channel bonding:


channel= 1 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 2 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 3 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 4 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 5 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 6 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 7 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 8 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 9 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 10 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 11 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2

channels on 802.11G band without channel bonding:


channel= 1 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 2 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 3 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 4 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 5 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 6 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 7 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 8 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 9 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 10 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 11 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2

channels on 802.11N 2.4GHz band without channel bonding:


channel= 1 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 2 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 3 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 4 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 5 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 6 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 7 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 8 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 9 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 10 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 11 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2

channels on 802.11N 2.4GHz band with channel bonding plus:


channel= 1 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 2 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 3 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 4 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 5 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 6 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 7 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2

channels on 802.11N 2.4GHz band with channel bonding minus:


channel= 5 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 6 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 7 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 8 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 9 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 10 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 11 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2

channels on 802.11N 5GHz band without channel bonding:


channel= 36 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 40 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 44 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 48 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel=149 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=153 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=157 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=161 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=165 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2

channels on 802.11N 5GHz band with channel bonding all:


channel= 36 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 40 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 44 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 48 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel=149 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=153 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=157 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=161 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2

wireless-controller wtp-status

Use this command to display the status of each WTP (wireless termination point, that is, each managed access
point): its connection state, software version, mesh role, the mode of each radio and the number of associated
clients.

Syntax
get wireless-controller wtp-status

Example output
# get wireless-controller wtp-status
WTP: FAP22B3U11005354 0-192.168.3.110:5246
wtp-id : FAP22B3U11005354
region-code :
name :
mesh-uplink : mesh
mesh-downlink : disabled
mesh-hop-count : 1
parent-wtp-id :
software-version :
local-ipv4-addr : 0.0.0.0
board-mac : 00:00:00:00:00:00
join-time : Mon Apr 2 10:23:32 2012
connection-state : Disconnected
image-download-progress: 0
last-failure : 0 -- N/A
last-failure-param:
last-failure-time: N/A
Radio 1 : Monitor
Radio 2 : Ap
country-name : NA
country-code : N/A
client-count : 0
base-bssid : 00:00:00:00:00:00
max-vaps : 7
oper-chan : 0
Radio 3 : Not Exist
WTP: FWF60C-WIFI0 0-127.0.0.1:15246
wtp-id : FWF60C-WIFI0
region-code : ALL
name :
mesh-uplink : ethernet
mesh-downlink : enabled
mesh-hop-count : 0
parent-wtp-id :
software-version : FWF60C-v5.0-build041
local-ipv4-addr : 127.0.0.1
board-mac : 00:09:0f:fe:cc:56
join-time : Mon Apr 2 10:23:35 2012
connection-state : Connected
image-download-progress: 0
last-failure : 0 -- N/A
last-failure-param:
last-failure-time: N/A
Radio 1 : Ap
country-name : US
country-code : N/A
client-count : 1
base-bssid : 00:0e:8e:3b:63:99
max-vaps : 7
oper-chan : 1
Radio 2 : Not Exist
Radio 3 : Not Exist
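
The scan, vap-status and wtp-status outputs above are the raw material for a rogue access point check: every BSSID the controller itself radiates appears as a vap-status mac or a wtp-status base-bssid, so a scanned BSSID outside that set is unknown, and an unknown BSSID that broadcasts one of your own SSIDs deserves a closer look. As an added example (not from the FortiOS reference or Fortinet's code), the following Python joins the three outputs that way. The vap-status and wtp-status text is copied from the page (wtp-status trimmed to the lines the check reads); the scan text reuses the page's two rows plus two constructed rows, one managed and one spoofing the ft-mesh SSID. The example only matches addresses that appear literally in the two status outputs, so a real controller with more radios or VAPs will need the full outputs, and "unknown" is a starting point for investigation, not a verdict.

```python
import re

# Scan output: the two rows from the page plus two constructed rows (last two).
SCAN = """\
CMW SSID BSSID CHAN RATE S:N INT CAPS ACT LIVE AGE WIRED
UNN 00:0e:8f:24:18:6d 64 54M 16:0 100 Es N 62576 1668 ?
UNN ftiguest 00:15:55:23:d8:62 157 130M 6:0 100 EPs N 98570 2554 ?
UNN ft-mesh 00:ff:45:e1:55:81 1 130M 20:0 100 EPs N 1000 10 ?
UNN ft-mesh 00:11:22:33:44:55 6 54M 9:0 100 EPs N 500 5 ?
"""

# vap-status output as shown on the page.
VAP_STATUS = """\
WLAN: mesh.root
name : mesh.root
vdom : root
ssid : fortinet.mesh.root
status : up
mesh backhaul : yes
ip : 0.0.0.0
mac : 00:ff:0a:57:95:ca
station info : 0/0
WLAN: wifi
name : wifi
vdom : root
ssid : ft-mesh
status : up
mesh backhaul : yes
ip : 10.10.80.1
mac : 00:ff:45:e1:55:81
station info : 1/0
"""

# wtp-status output from the page, trimmed to the lines this check reads.
WTP_STATUS = """\
WTP: FAP22B3U11005354 0-192.168.3.110:5246
connection-state : Disconnected
Radio 2 : Ap
base-bssid : 00:00:00:00:00:00
WTP: FWF60C-WIFI0 0-127.0.0.1:15246
connection-state : Connected
Radio 1 : Ap
base-bssid : 00:0e:8e:3b:63:99
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.I)
SCAN_COLUMNS = ("CHAN", "RATE", "S:N", "INT", "CAPS", "ACT", "LIVE", "AGE", "WIRED")

def parse_scan(text):
    """Parse scan rows. The SSID column may be empty (hidden SSID) or contain
    spaces, so the BSSID is located by its MAC shape rather than by position."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the column header
        tokens = line.split()
        if not tokens:
            continue
        idx = next((i for i, t in enumerate(tokens) if MAC_RE.match(t)), None)
        if idx is None or len(tokens) - idx - 1 != len(SCAN_COLUMNS):
            continue                             # malformed row, skip it
        row = {"CMW": tokens[0], "SSID": " ".join(tokens[1:idx]), "BSSID": tokens[idx].lower()}
        row.update(zip(SCAN_COLUMNS, tokens[idx + 1:]))
        rows.append(row)
    return rows

def managed_identities(vap_status, wtp_status):
    """Collect the BSSIDs and SSIDs this controller itself is radiating."""
    bssids, ssids = set(), set()
    combined = vap_status + "\n" + wtp_status
    for m in re.finditer(r"^\s*(?:mac|base-bssid)\s*:\s*(\S+)", combined, re.M):
        mac = m.group(1).lower()
        if mac != "00:00:00:00:00:00":           # disconnected WTP, no real address
            bssids.add(mac)
    for m in re.finditer(r"^\s*ssid\s*:\s*(.+?)\s*$", vap_status, re.M):
        ssids.add(m.group(1))
    return bssids, ssids

def classify_scan(rows, bssids, ssids):
    """Tag each detected AP: managed, ssid-spoof (our SSID on a foreign BSSID) or unknown."""
    result = []
    for r in rows:
        if r["BSSID"] in bssids:
            verdict = "managed"
        elif r["SSID"] in ssids:
            verdict = "ssid-spoof"
        else:
            verdict = "unknown"
        result.append((r["BSSID"], r["SSID"], r["CHAN"], verdict))
    return result

if __name__ == "__main__":
    known_bssids, own_ssids = managed_identities(VAP_STATUS, WTP_STATUS)
    for bssid, ssid, chan, verdict in classify_scan(parse_scan(SCAN), known_bssids, own_ssids):
        print("%-17s %-12s ch%-4s %s" % (bssid, ssid or "<hidden>", chan, verdict))
```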

tree

The tree command displays FortiOS config CLI commands in a tree structure called the configuration tree.
Each configuration command forms a branch of the tree.

Syntax
tree [branch] [sub-branch]
If you enter the tree command from the top of the configuration tree, the command displays the complete
configuration tree. Commands are displayed in the order that they are processed when the FortiGate unit starts
up. For example, the following output shows the first lines of tree command output:
tree
-- -- system -- [vdom] --*name (12)
+- vcluster-id (0,0)
|- <global> -- language
|- gui-ipv6
|- gui-voip-profile
|- gui-lines-per-page (20,1000)
|- admintimeout (0,0)
|- admin-concurrent
|- admin-lockout-threshold (0,0)
|- admin-lockout-duration (1,2147483647)
|- refresh (0,2147483647)
|- interval (0,0)
|- failtime (0,0)
|- daily-restart
|- restart-time
...
You can include a branch name with the tree command to view the commands in that branch:
tree user
-- user -- [radius] --*name (36)
 |- server (64)
 |- secret
 |- secondary-server (64)
 |- secondary-secret
...
 |- [tacacs+] --*name (36)
 |- server (64)
 |- secondary-server (64)
 |- tertiary-server (64)
...
 |- [ldap] --*name (36)
 |- server (64)
 |- secondary-server (64)
 |- tertiary-server (64)
 |- port   (1,65535)
...
You can include a branch and sub branch name with the tree command to view the commands in that sub branch:
tree user local
-- [local] --*name (36)
|- status


|- type
|- passwd
|- ldap-server (36)
|- radius-server (36)
+- tacacs+-server (36)
...
If you enter the tree command from inside the configuration tree the command displays the tree for the
current command:
config user ldap
tree
-- [ldap] --*name (36)
|- server (64)
|- cnid (21)
|- dn (512)
|- port (1,65535)
|- type
...
The tree command output includes information about field limits. These apply in both the CLI and the web-
based manager. For a numeric field, the two numbers in parentheses show the lower and upper limits. For
example (0,32) indicates that values from 0 to 32 inclusive are accepted. For string values, the number in
parentheses is one more than the maximum number of characters permitted.

In the following example, fqdn (256) means the FQDN can contain up to 255 characters.

config firewall address
tree
-- [address] --*name (64)
 |- subnet
 |- type
 |- start-ip
 |- end-ip
 |- fqdn (256)
 |- country (3)
 |- cache-ttl (0,86400)
 |- wildcard
 |- comment
 |- visibility
 |- associated-interface   (36)
 |- color   (0,32)
 +- [tags] --*name   (64)
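
The two conventions just described (a single number is one more than the maximum string length, a pair is an inclusive numeric range) are easy to misread when building configuration generators or fuzzing inputs. As an added example (not from the FortiOS reference or Fortinet's code), the following Python parses the tree output above into a table of field limits and checks candidate values against it. Fields shown without parentheses (enums such as type, or addresses such as subnet) carry no length or range limit in the tree output, so the example reports them as unconstrained rather than guessing.

```python
import re

# The 'config firewall address' tree output shown above, copied from the page.
TREE_OUTPUT = """\
-- [address] --*name (64)
 |- subnet
 |- type
 |- start-ip
 |- end-ip
 |- fqdn (256)
 |- country (3)
 |- cache-ttl (0,86400)
 |- wildcard
 |- comment
 |- visibility
 |- associated-interface   (36)
 |- color   (0,32)
 +- [tags] --*name   (64)
"""

LINE_RE = re.compile(
    r"^\s*(?:--|\|-|\+-)\s*"          # branch connector drawn by the tree command
    r"(?:\[([^\]]+)\]\s*--\*)?"        # optional [table] --* ; the table's key field follows
    r"([A-Za-z0-9_.+-]+)\s*"           # field name
    r"(?:\((\d+)(?:,(\d+))?\))?\s*$"   # optional (max) for strings or (lo,hi) for numbers
)

def parse_tree_limits(text):
    """Map 'table.field' -> ('string', max_chars) | ('int', lo, hi) | ('unconstrained',)."""
    limits, table = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                   # '...' and other non-field lines
        if m.group(1):
            table = m.group(1)         # fields that follow belong to this table
        key = "%s.%s" % (table, m.group(2)) if table else m.group(2)
        lo, hi = m.group(3), m.group(4)
        if lo is not None and hi is not None:
            limits[key] = ("int", int(lo), int(hi))       # inclusive range
        elif lo is not None:
            limits[key] = ("string", int(lo) - 1)          # N is one more than the max length
        else:
            limits[key] = ("unconstrained",)
    return limits

def check_value(limits, key, value):
    """Return (ok, reason) for a candidate value against the parsed limits."""
    spec = limits.get(key)
    if spec is None:
        return False, "unknown field %s" % key
    kind = spec[0]
    if kind == "string":
        ok = isinstance(value, str) and len(value) <= spec[1]
        return ok, "max %d characters" % spec[1]
    if kind == "int":
        ok = isinstance(value, int) and spec[1] <= value <= spec[2]
        return ok, "range %d..%d inclusive" % (spec[1], spec[2])
    return True, "no length or range limit shown in tree output (enum or free-form value)"

if __name__ == "__main__":
    lim = parse_tree_limits(TREE_OUTPUT)
    for key, value in (("address.fqdn", "a" * 255), ("address.fqdn", "a" * 256),
                       ("address.cache-ttl", 86400), ("address.color", 33)):
        print(key, check_value(lim, key, value))
```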
Copyright© 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.