
FortiOS - CLI Reference
VERSION 5.4.1

FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com

FORTINET VIDEO GUIDE
http://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

FORTIGATE COOKBOOK
http://cookbook.fortinet.com

FORTINET TRAINING SERVICES
http://www.fortinet.com/training

FORTIGUARD CENTER
http://www.fortiguard.com

END USER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: techdocs@fortinet.com

June 3, 2016
FortiOS - CLI Reference
01-541-99686-20160603

Change Log

Date | Change Description
June 3, 2016 | Updated for FortiOS 5.4.1.
December 16, 2015 | New FortiOS 5.4.0 release.

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

Introduction
This document describes FortiOS 5.4 CLI commands used to configure and manage a FortiGate unit from the
command line interface (CLI).

How this guide is organized

This document contains the following sections:

Managing Firmware with the FortiGate BIOS describes how to change firmware at the console during FortiGate unit boot-up.

config describes the commands for each configuration branch of the FortiOS CLI. The command branches and commands are in alphabetical order. The information in this section has been extracted and formatted from FortiOS source code. The extracted information includes the command syntax, command descriptions (extracted from CLI help) and default values. This is the first version of this content produced in this way. You can send comments about this content to techdoc@fortinet.com.

execute describes execute commands.

get describes get commands.

tree describes the tree command.

Availability of commands and options

Some FortiOS CLI commands and options are not available on all FortiGate units. The CLI displays an error message if you attempt to enter a command or option that is not available. You can use the question mark ? to verify the commands and options that are available.

Commands and options may not be available for the following reasons:

FortiGate model
Not all commands are available on all FortiGate models. For example, low-end FortiGate models do not support the aggregate interface type option of the config system interface command.

Hardware configuration
For example, some AMC module commands are only available when an AMC module is installed.

FortiOS Carrier, FortiGate Voice, FortiWiFi, etc.
Commands for extended functionality are not available on all FortiGate models. The CLI Reference includes commands only available for FortiWiFi units, FortiOS Carrier, and FortiGate Voice units.


Managing Firmware with the FortiGate BIOS

FortiGate units are shipped with firmware installed. Usually firmware upgrades are performed through the web-based manager or by using the CLI execute restore command. From the console, you can also interrupt the FortiGate unit's boot-up process to load firmware using the BIOS firmware that is a permanent part of the unit.

Using the BIOS, you can:

- view system information
- format the boot device
- load firmware and reboot (see Loading firmware)
- reboot the FortiGate unit from the backup firmware, which then becomes the default firmware (see Booting the backup firmware)

Accessing the BIOS

The BIOS menu is available only through a direct connection to the FortiGate unit's Console port. During boot-up, "Press any key" appears briefly. If you press any keyboard key at this time, boot-up is suspended and the BIOS menu appears. If you are too late, the boot-up process continues as usual.

Navigating the menu

The main BIOS menu looks like this:
[C]: Configure TFTP parameters
[R]: Review TFTP paramters
[T]: Initiate TFTP firmware transfer
[F]: Format boot device
[Q]: Quit menu and continue to boot
[I]: System Information
[B]: Boot with backup firmare and set as default
[Q]: Quit menu and continue to boot
[H]: Display this list of options

Enter C,R,T,F,I,B,Q,or H:

Typing the bracketed letter selects the option. Input is case-sensitive. Most options present a submenu. An
option value in square brackets at the end of the Enter line is the default value which you can enter simply by
pressing Return. For example,
Enter image download port number [WAN1]:

In most menus, typing H re-lists the menu options and typing Q returns to the previous menu.

Loading firmware
The BIOS can download firmware from a TFTP server that is reachable from a FortiGate unit network interface.
You need to know the IP address of the server and the name of the firmware file to download.

The downloaded firmware can be saved as either the default or backup firmware. It is also possible to boot the
downloaded firmware without saving it.

Configuring TFTP parameters


Starting from the main BIOS menu
[C]: Configure TFTP parameters.

Selecting the VLAN (if VLANs are used)


[V]: Set local VLAN ID.

Choose port and whether to use DHCP


[P]: Set firmware download port.

The options listed depend on the FortiGate model. Choose the network interface through which the TFTP
server can be reached. For example:
[0]: Any of port 1 - 7
[1]: WAN1
[2]: WAN2
Enter image download port number [WAN1]:
[D]: Set DHCP mode.
Please select DHCP setting
[1]: Enable DHCP
[2]: Disable DHCP

If there is a DHCP server on the network, select [1]. This simplifies configuration. Otherwise, select [2].

Non-DHCP steps
[I]: Set local IP address.
Enter local IP address [192.168.1.188]:

This is a temporary IP address for the FortiGate unit network interface. Use a unique address on the same
subnet to which the network interface connects.
[S]: Set local subnet mask.
Enter local subnet mask [255.255.252.0]:
[G]: Set local gateway.

The local gateway IP address is needed if the TFTP server is on a different subnet than the one to which the
FortiGate unit is connected.

TFTP and filename

[T]: Set remote TFTP server IP address.
Enter remote TFTP server IP address [192.168.1.145]:
[F]: Set firmware file name.
Enter firmware file name [image.out]:

Enter [Q] to return to the main menu.

Initiating TFTP firmware transfer


Starting from the main BIOS menu
[T]: Initiate TFTP firmware transfer.

Please connect TFTP server to Ethernet port 'WAN1'.


MAC: 00:09:0f:b5:55:28
Connect to tftp server 192.168.1.145 ...
##########################################################
Image Received.
Checking image... OK
Save as Default firmware/Backup firmware/Run image without
saving:[D/B/R]?

After you choose any option, the FortiGate unit reboots. If you choose [D] or [B], there is first a pause while the
firmware is copied:
Programming the boot device now.
................................................................
................................................................

Booting the backup firmware


You can reboot the FortiGate unit from the backup firmware, which then becomes the default firmware.
Starting from the main BIOS menu
[B]: Boot with backup firmware and set as default.

If the boot device contains backup firmware, the FortiGate unit reboots. Otherwise the unit responds:
Failed to mount filesystem. . .
Mount back up partition failed.
Back up image open failed.
Press Y or y to boot default image.

config

Use the config commands to change your FortiGate's configuration.

The command branches and commands are in alphabetical order. The information in this section has been extracted and formatted from FortiOS source code. The extracted information includes the command syntax, command descriptions (extracted from CLI help) and default values. This is the first version of this content produced in this way. You can send comments about this content to techdoc@fortinet.com.


alertemail/setting
CLI Syntax
config alertemail setting
edit <name_str>
set username <string>
set mailto1 <string>
set mailto2 <string>
set mailto3 <string>
set filter-mode {category | threshold}
set email-interval <integer>
set IPS-logs {enable | disable}
set firewall-authentication-failure-logs {enable | disable}
set HA-logs {enable | disable}
set IPsec-errors-logs {enable | disable}
set FDS-update-logs {enable | disable}
set PPP-errors-logs {enable | disable}
set sslvpn-authentication-errors-logs {enable | disable}
set antivirus-logs {enable | disable}
set webfilter-logs {enable | disable}
set configuration-changes-logs {enable | disable}
set violation-traffic-logs {enable | disable}
set admin-login-logs {enable | disable}
set FDS-license-expiring-warning {enable | disable}
set log-disk-usage-warning {enable | disable}
set fortiguard-log-quota-warning {enable | disable}
set amc-interface-bypass-mode {enable | disable}
set FIPS-CC-errors {enable | disable}
set FDS-license-expiring-days <integer>
set local-disk-usage <integer>
set emergency-interval <integer>
set alert-interval <integer>
set critical-interval <integer>
set error-interval <integer>
set warning-interval <integer>
set notification-interval <integer>
set information-interval <integer>
set debug-interval <integer>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
end


Description

Configuration | Description | Default Value
username | Email from address. | (Empty)
mailto1 | Destination email address 1. | (Empty)
mailto2 | Destination email address 2. | (Empty)
mailto3 | Destination email address 3. | (Empty)
filter-mode | Filter mode. | category
email-interval | Interval between each email. |
IPS-logs | Enable/disable IPS logs. | disable
firewall-authentication-failure-logs | Enable/disable logging of firewall authentication failures. | disable
HA-logs | Enable/disable HA logs. | disable
IPsec-errors-logs | Enable/disable IPsec errors logs. | disable
FDS-update-logs | Enable/disable FortiGuard update logs. | disable
PPP-errors-logs | Enable/disable PPP errors logs. | disable
sslvpn-authentication-errors-logs | Enable/disable logging of SSL-VPN authentication errors. | disable
antivirus-logs | Enable/disable antivirus logs. | disable
webfilter-logs | Enable/disable web filter logging. | disable
configuration-changes-logs | Enable/disable logging of configuration changes. | disable
violation-traffic-logs | Enable/disable logging of violation traffic. | disable
admin-login-logs | Enable/disable logging of administrator logins/logouts. | disable
FDS-license-expiring-warning | Enable/disable FortiGuard license expiration warning. | disable
log-disk-usage-warning | Enable/disable logging of disk usage warning. | disable
fortiguard-log-quota-warning | Enable/disable warning of FortiCloud log quota. | disable
amc-interface-bypass-mode | Enable/disable Fortinet Advanced Mezzanine Card (AMC) interface bypass mode. | disable
FIPS-CC-errors | Enable/disable FIPS and Common Criteria errors. | disable
FDS-license-expiring-days | Number of days before FortiGuard license expiration at which to send the alert email (1 - 100 days). | 15
local-disk-usage | Disk usage percentage at which to send the alert email (1 - 99 percent). | 75
emergency-interval | Emergency alert interval in minutes. |
alert-interval | Alert alert interval in minutes. |
critical-interval | Critical alert interval in minutes. |
error-interval | Error alert interval in minutes. |
warning-interval | Warning alert interval in minutes. | 10
notification-interval | Notification alert interval in minutes. | 20
information-interval | Information alert interval in minutes. | 30
debug-interval | Debug alert interval in minutes. | 60
severity | Lowest severity level to log. | alert


antivirus/heuristic
CLI Syntax
config antivirus heuristic
edit <name_str>
set mode {pass | block | disable}
end


Description

Configuration | Description | Default Value
mode | Mode to use for heuristics. | disable


antivirus/profile
CLI Syntax
config antivirus profile
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
set inspection-mode {proxy | flow-based}
set ftgd-analytics {disable | suspicious | everything}
set analytics-max-upload <integer>
set analytics-wl-filetype <integer>
set analytics-bl-filetype <integer>
set analytics-db {disable | enable}
set mobile-malware-db {disable | enable}
config http
edit <name_str>
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
end
config ftp
edit <name_str>
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
end
config imap
edit <name_str>
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
set executables {default | virus}
end
config pop3
edit <name_str>
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
set executables {default | virus}
end
config smtp
edit <name_str>
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
set executables {default | virus}
end
config mapi
edit <name_str>
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
set executables {default | virus}
end
config nntp
edit <name_str>
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
end
config smb
edit <name_str>
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
end
config nac-quar
edit <name_str>
set infected {none | quar-src-ip | quar-interface}
set expiry <user>
set log {enable | disable}
end
set av-virus-log {enable | disable}
set av-block-log {enable | disable}
set scan-mode {quick | full}
end

Description

Configuration | Description | Default Value
name | Profile name. | (Empty)
comment | Comment. | (Empty)
replacemsg-group | Replacement message group. | (Empty)
inspection-mode | Inspection mode. | flow-based
ftgd-analytics | Submit suspicious or supposedly clean files to FortiSandbox. | disable
analytics-max-upload | Maximum upload size to FortiSandbox (in MB). | 10
analytics-wl-filetype | Do not submit files matching this file-pattern table to the FortiSandbox. |
analytics-bl-filetype | Only submit files matching this file-pattern table to the FortiSandbox. |
analytics-db | Use signature database from FortiSandbox to supplement the AV signature databases. | disable
mobile-malware-db | Use mobile malware signature database. | enable
http | HTTP. | Details below
  options | | (Empty)
  archive-block | | (Empty)
  archive-log | | (Empty)
  emulator | | enable
ftp | FTP. | Details below
  options | | (Empty)
  archive-block | | (Empty)
  archive-log | | (Empty)
  emulator | | enable
imap | IMAP. | Details below
  options | | (Empty)
  archive-block | | (Empty)
  archive-log | | (Empty)
  emulator | | enable
  executables | | default
pop3 | POP3. | Details below
  options | | (Empty)
  archive-block | | (Empty)
  archive-log | | (Empty)
  emulator | | enable
  executables | | default
smtp | SMTP. | Details below
  options | | (Empty)
  archive-block | | (Empty)
  archive-log | | (Empty)
  emulator | | enable
  executables | | default
mapi | MAPI. | Details below
  options | | (Empty)
  archive-block | | (Empty)
  archive-log | | (Empty)
  emulator | | enable
  executables | | default
nntp | NNTP. | Details below
  options | | (Empty)
  archive-block | | (Empty)
  archive-log | | (Empty)
  emulator | | enable
smb | SMB. | Details below
  options | | (Empty)
  archive-block | | (Empty)
  archive-log | | (Empty)
  emulator | | enable
nac-quar | Quarantine settings. | Details below
  infected | | none
  expiry | | 5m
  log | | disable
av-virus-log | Enable/disable logging for antivirus scanning. | enable
av-block-log | Enable/disable logging for antivirus file blocking. | enable
scan-mode | Choose between full scan mode and quick scan mode. | full
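As an added example (not Fortinet's code and not part of this reference), the following Python parses configuration text in the `config ... set ... end` form shown above and audits the alertemail flags and antivirus profile sub-tables described in the two tables: it reports alert flags left at their documented default of disable, protocol sub-tables whose options do not include scan, and disabled virus logging. It assumes the `next` keyword that closes a table entry in a saved FortiOS configuration; the sample configuration is constructed.

```python
"""Audit FortiOS-style CLI configuration text for alertemail and antivirus
profile settings.

Added example, not Fortinet code. It assumes the `config ... set ... end`
grammar of this reference plus the `next` keyword that closes a table entry
in a saved FortiOS configuration; the sample configuration is constructed."""
import shlex


def parse_config(text):
    """Parse config text into nested dicts.

    `config <branch>` and `edit <entry>` each open a child dict keyed by their
    name; `set <key> <values...>` stores the values as a list; `next` and `end`
    close the innermost block. Unknown keywords or unbalanced blocks raise.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)  # honours quoted values such as comments
        keyword, args = words[0], words[1:]
        if keyword in ("config", "edit"):
            child = stack[-1].setdefault(" ".join(args), {})
            stack.append(child)
        elif keyword == "set":
            if len(args) < 2:
                raise ValueError(f"set without key or value: {line}")
            stack[-1][args[0]] = args[1:]
        elif keyword in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced {keyword!r}")
            stack.pop()
        else:
            raise ValueError(f"unknown keyword {keyword!r}: {line}")
    if len(stack) != 1:
        raise ValueError("unterminated config block")
    return root


# Alert e-mail flags an administrator should turn on to hear about logins,
# configuration changes and authentication failures; the reference lists
# every one of them with a default of disable.
REQUIRED_ALERT_LOGS = (
    "admin-login-logs",
    "configuration-changes-logs",
    "firewall-authentication-failure-logs",
    "sslvpn-authentication-errors-logs",
)
# Sub-tables of an antivirus profile that carry a per-protocol `options` value.
AV_PROTOCOLS = ("http", "ftp", "imap", "pop3", "smtp", "mapi", "nntp", "smb")


def audit(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    alert = cfg.get("alertemail setting", {})
    if not alert.get("mailto1"):
        findings.append("alertemail setting: mailto1 is empty, alerts go nowhere")
    for flag in REQUIRED_ALERT_LOGS:
        # An absent flag keeps its documented default, which is disable.
        if alert.get(flag, ["disable"])[0] != "enable":
            findings.append(f"alertemail setting: {flag} is not enabled")
    for name, profile in cfg.get("antivirus profile", {}).items():
        for proto in AV_PROTOCOLS:
            if proto not in profile:
                continue  # sub-table left at defaults; nothing to judge here
            if "scan" not in profile[proto].get("options", []):
                findings.append(f"antivirus profile {name}: {proto} options lack scan")
        if profile.get("av-virus-log", ["enable"])[0] != "enable":
            findings.append(f"antivirus profile {name}: av-virus-log is disabled")
    return findings


# Constructed sample: two of the four alert flags are missing, the SMTP
# sub-table only monitors instead of scanning, and virus logging is off.
SAMPLE_CONFIG = """
config alertemail setting
    set username "fortigate@example.net"
    set mailto1 "soc@example.net"
    set admin-login-logs enable
    set configuration-changes-logs enable
end
config antivirus profile
    edit "default"
        set comment "constructed sample profile"
        set inspection-mode proxy
        config http
            set options scan
            set archive-block encrypted corrupted
        end
        config smtp
            set options avmonitor
        end
        set av-virus-log disable
    next
end
"""

if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Running the block against the sample prints four findings; feeding it a configuration backup instead of SAMPLE_CONFIG checks a real unit against the same expectations.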


antivirus/quarantine
CLI Syntax
config antivirus quarantine
edit <name_str>
set agelimit <integer>
set maxfilesize <integer>
set quarantine-quota <integer>
set drop-infected {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
set store-infected {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
set drop-blocked {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | ftps | mapi | mm1 | mm3 | mm4 | mm7}
set store-blocked {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | ftps | mapi | mm1 | mm3 | mm4 | mm7}
set drop-heuristic {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
set store-heuristic {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
set lowspace {drop-new | ovrw-old}
set destination {NULL | disk | FortiAnalyzer}
end


Description

Configuration | Description | Default Value
agelimit | Age limit for quarantined files. |
maxfilesize | Maximum file size to quarantine. |
quarantine-quota | Quarantine quota. |
drop-infected | Ignore infected files from a protocol. | (Empty)
store-infected | Quarantine infected files from a protocol. | imap smtp pop3 http ftp nntp imaps smtps pop3s https ftps mapi
drop-blocked | Drop blocked files from a protocol. | (Empty)
store-blocked | Quarantine blocked files from a protocol. | imap smtp pop3 http ftp nntp imaps smtps pop3s ftps mapi
drop-heuristic | Ignore heuristically caught files from a protocol. | (Empty)
store-heuristic | Quarantine heuristically caught files from a protocol. | imap smtp pop3 http ftp nntp imaps smtps pop3s https ftps mapi
lowspace | Action when the disk is almost full. | ovrw-old
destination | Quarantine destination: disk/FortiAnalyzer. | disk


antivirus/settings
CLI Syntax
config antivirus settings
edit <name_str>
set default-db {normal | extended | extreme}
set grayware {enable | disable}
end


Description

Configuration | Description | Default Value
default-db | Select AV database to be used for AV scanning. | extended
grayware | Enable/disable detection of grayware. | disable


application/custom
CLI Syntax
config application custom
edit <name_str>
set tag <string>
set name <string>
set id <integer>
set comment <string>
set signature <string>
set category <integer>
set protocol <user>
set technology <user>
set behavior <user>
set vendor <user>
end


Description

Configuration | Description | Default Value
tag | Signature tag. | (Empty)
name | Application name. | (Empty)
id | Application ID. |
comment | Comment. | (Empty)
signature | Signature text. | (Empty)
category | Application category ID. |
protocol | Application protocol. | (Empty)
technology | Application technology. | (Empty)
behavior | Application behavior. | (Empty)
vendor | Application vendor. | (Empty)


application/list
CLI Syntax
config application list
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
set other-application-action {pass | block}
set app-replacemsg {disable | enable}
set other-application-log {disable | enable}
set unknown-application-action {pass | block}
set unknown-application-log {disable | enable}
set p2p-black-list {skype | edonkey | bittorrent}
set deep-app-inspection {disable | enable}
set options {allow-dns | allow-icmp | allow-http | allow-ssl}
config entries
edit <name_str>
set id <integer>
config risk
edit <name_str>
set level <integer>
end
config category
edit <name_str>
set id <integer>
end
config sub-category
edit <name_str>
set id <integer>
end
config application
edit <name_str>
set id <integer>
end
set protocols <user>
set vendor <user>
set technology <user>
set behavior <user>
set popularity {1 | 2 | 3 | 4 | 5}
config tags
edit <name_str>
set name <string>
end
config parameters
edit <name_str>
set id <integer>
set value <string>
end
set action {pass | block | reset}
set log {disable | enable}
set log-packet {disable | enable}
set rate-count <integer>
set rate-duration <integer>
set rate-mode {periodical | continuous}
set rate-track {none | src-ip | dest-ip | dhcp-client-mac | dns-domain}
set session-ttl <integer>
set shaper <string>
set shaper-reverse <string>
set per-ip-shaper <string>
set quarantine {none | attacker | both | interface}
set quarantine-expiry <user>
set quarantine-log {disable | enable}
end
end


Description

Configuration | Description | Default Value
name | List name. | (Empty)
comment | Comment. | (Empty)
replacemsg-group | Replacement message group. | (Empty)
other-application-action | Action for other applications. | pass
app-replacemsg | Enable/disable replacement messages for blocked applications. | enable
other-application-log | Enable/disable logging of other applications. | disable
unknown-application-action | Action for unknown applications. | pass
unknown-application-log | Enable/disable logging of unknown applications. | disable
p2p-black-list | Action for p2p black list. | (Empty)
deep-app-inspection | Enable/disable deep application inspection. | disable
options | Options. | allow-dns
entries | Application list entries. | (Empty)


application/name
CLI Syntax
config application name
edit <name_str>
set name <string>
set id <integer>
set category <integer>
set sub-category <integer>
set popularity <integer>
set risk <integer>
set protocol <user>
set technology <user>
set behavior <user>
set vendor <user>
set parameter <string>
config metadata
edit <name_str>
set id <integer>
set metaid <integer>
set valueid <integer>
end
end


Description

Configuration | Description | Default Value
name | Application name. | (Empty)
id | Application ID. |
category | Application category ID. |
sub-category | Application sub-category ID. |
popularity | Application popularity. |
risk | Application risk. |
protocol | Application protocol. | (Empty)
technology | Application technology. | (Empty)
behavior | Application behavior. | (Empty)
vendor | Application vendor. | (Empty)
parameter | Application parameter name. | (Empty)
metadata | Meta data. | (Empty)


application/rule-settings
CLI Syntax
config application rule-settings
edit <name_str>
set id <integer>
config tags
edit <name_str>
set name <string>
end
end


Description

Configuration | Description | Default Value
id | Rule ID. |
tags | Applied object tags. | (Empty)


certificate/ca
CLI Syntax
config certificate ca
edit <name_str>
set name <string>
set ca <user>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
set trusted {enable | disable}
set scep-url <string>
set auto-update-days <integer>
set auto-update-days-warning <integer>
set source-ip <ipv4-address>
end


Description

Configuration | Description | Default Value
name | Name. | (Empty)
ca | CA certificate. | (Empty)
range | CA certificate range. | global
source | CA certificate source. | user
trusted | Enable/disable trusted CA. | enable
scep-url | URL of SCEP server. | (Empty)
auto-update-days | Days to auto-update before expiry, 0=disabled. |
auto-update-days-warning | Days to send warning before auto-update (0=disabled). |
source-ip | Source IP for communications to SCEP server. | 0.0.0.0


certificate/crl
CLI Syntax
config certificate crl
edit <name_str>
set name <string>
set crl <user>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
set update-vdom <string>
set ldap-server <string>
set ldap-username <string>
set ldap-password <password>
set http-url <string>
set scep-url <string>
set scep-cert <string>
set update-interval <integer>
set source-ip <ipv4-address>
end


Description

Configuration | Description | Default Value
name | Name. | (Empty)
crl | Certificate Revocation List. | (Empty)
range | CRL range. | global
source | CRL source. | user
update-vdom | Virtual domain for CRL update. | root
ldap-server | LDAP server. | (Empty)
ldap-username | Login name for LDAP server. | (Empty)
ldap-password | Login password for LDAP server. | (Empty)
http-url | URL of HTTP server for CRL update. | (Empty)
scep-url | URL of CA server for CRL update via SCEP. | (Empty)
scep-cert | Local certificate used for CRL update via SCEP. | Fortinet_CA_SSL
update-interval | Seconds between updates, 0=disabled. |
source-ip | Source IP for communications to CA (HTTP/SCEP) server. | 0.0.0.0


certificate/local
CLI Syntax
config certificate local
edit <name_str>
set name <string>
set password <password>
set comments <string>
set private-key <user>
set certificate <user>
set csr <user>
set state <user>
set scep-url <string>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
set auto-regenerate-days <integer>
set auto-regenerate-days-warning <integer>
set scep-password <password>
set ca-identifier <string>
set name-encoding {printable | utf8}
set source-ip <ipv4-address>
set ike-localid <string>
set ike-localid-type {asn1dn | fqdn}
end


Description

Configuration | Description | Default Value
name | Name. | (Empty)
password | Password. | (Empty)
comments | Comment. | (Empty)
private-key | Private key. | (Empty)
certificate | Certificate. | (Empty)
csr | Certificate Signing Request. | (Empty)
state | Certificate Signing Request state. | (Empty)
scep-url | URL of SCEP server. | (Empty)
range | Certificate range. | global
source | Certificate source. | user
auto-regenerate-days | Days to auto-regenerate before expiry, 0=disabled. |
auto-regenerate-days-warning | Days to send warning before auto-regeneration, 0=disabled. |
scep-password | SCEP server challenge password for auto-regeneration. | (Empty)
ca-identifier | CA identifier of the CA server for signing via SCEP. | (Empty)
name-encoding | Name encoding for auto-regeneration. | printable
source-ip | Source IP for communications to SCEP server. | 0.0.0.0
ike-localid | IKE local ID. | (Empty)
ike-localid-type | IKE local ID type. | asn1dn


dlp/filepattern
CLI Syntax
config dlp filepattern
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set filter-type {pattern | type}
set pattern <string>
set file-type {7z | arj | cab | lzh | rar | tar | zip | bzip | gzip | bzip2 | xz | bat | msc | uue | mime | base64 | binhex | bin | elf | exe | hta | html | jad | class | cod | javascript | msoffice | msofficex | fsg | upx | petite | aspack | prc | sis | hlp | activemime | jpeg | gif | tiff | png | bmp | ignored | unknown | mpeg | mov | mp3 | wma | wav | pdf | avi | rm | torrent | hibun}
end
end


Description

Configuration | Description | Default Value
id | ID. |
name | Name of table. | (Empty)
comment | Comment. | (Empty)
entries | Configure file patterns used by DLP blocking. | (Empty)


dlp/fp-doc-source
CLI Syntax
config dlp fp-doc-source
edit <name_str>
set name <string>
set server-type {samba}
set server <string>
set period {none | daily | weekly | monthly}
set vdom {mgmt | current}
set scan-subdirectories {enable | disable}
set scan-on-creation {enable | disable}
set remove-deleted {enable | disable}
set keep-modified {enable | disable}
set username <string>
set password <password>
set file-path <string>
set file-pattern <string>
set sensitivity <string>
set tod-hour <integer>
set tod-min <integer>
set weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set date <integer>
end


Description

Configuration | Description | Default Value
name | DLP Server. | (Empty)
server-type | DLP Server. | samba
server | Server location (can be IP or IPv6 address). | (Empty)
period | Select periodic server checking. | none
vdom | Select source on management or current VDOM. | mgmt
scan-subdirectories | Enable/disable scanning of subdirectories. | enable
scan-on-creation | Enable/disable force scan of server to happen when document source is created or edited. | enable
remove-deleted | Enable/disable removing chunks of files deleted from the server. | enable
keep-modified | Enable/disable retaining old chunks of modified files. | enable
username | Login username. | (Empty)
password | Login password. | (Empty)
file-path | File path on server. | (Empty)
file-pattern | File patterns to fingerprint (wildcard). |
sensitivity | DLP fingerprint sensitivity defined for these files. | (Empty)
tod-hour | Time of day to run scans (hour part, 24 hour clock). |
tod-min | Time of day to run scans (min). |
weekday | Day of week to run scans. | sunday
date | Date within a month to run scans. |


dlp/fp-sensitivity
CLI Syntax
config dlp fp-sensitivity
edit <name_str>
set name <string>
end

Description
Configuration                         Description                                         Default Value
name                                  DLP Sensitivity Levels.                             (Empty)

dlp/sensor
CLI Syntax
config dlp sensor
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
config filter
edit <name_str>
set id <integer>
set name <string>
set severity {info | low | medium | high | critical}
set type {file | message}
set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi | mm1 | mm3 | mm4 | mm7}
set filter-by {credit-card | ssn | regexp | file-type | file-size | fingerprint | watermark | encrypted}
set file-size <integer>
set company-identifier <string>
config fp-sensitivity
edit <name_str>
set name <string>
end
set match-percentage <integer>
set file-type <integer>
set regexp <string>
set archive {disable | enable}
set action {allow | log-only | block | ban | quarantine-ip | quarantine-port}
set expiry <user>
end
set dlp-log {enable | disable}
set nac-quar-log {enable | disable}
set flow-based {enable | disable}
set options {}
set full-archive-proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi | mm1 | mm3 | mm4 | mm7}
set summary-proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi | mm1 | mm3 | mm4 | mm7}
end

Description
Configuration                         Description                                         Default Value
name                                  Name.                                               (Empty)
comment                               Comment.                                            (Empty)
replacemsg-group                      Replacement message group.                          (Empty)
filter                                Configure DLP filters.                              (Empty)
dlp-log                               Enable/disable logging for data leak prevention.    enable
nac-quar-log                          Enable/disable logging for NAC quarantine           disable
                                      creation.
flow-based                            Enable/disable flow-based data leak prevention.     disable
options                               Options.
full-archive-proto                    Protocols to always content archive.                (Empty)
summary-proto                         Protocols to always log summary.                    (Empty)

dlp/settings
CLI Syntax
config dlp settings
edit <name_str>
set storage-device <string>
set size <integer>
set db-mode {stop-adding | remove-modified-then-oldest | remove-oldest}
set cache-mem-percent <integer>
set chunk-size <integer>
end

Description
Configuration                         Description                                         Default Value
storage-device                        Storage name.                                       (Empty)
size                                  Maximum total size of files within the storage      16
                                      (MB).
db-mode                               Method of maintaining database size.                stop-adding
cache-mem-percent                     Maximum percentage of available memory
                                      allocated to caching (1 - 15%).
chunk-size                            Maximum fingerprint chunk size. **Changing will     2800
                                      flush the entire database**.

dnsfilter/profile
CLI Syntax
config dnsfilter profile
edit <name_str>
set name <string>
set comment <var-string>
config urlfilter
edit <name_str>
set urlfilter-table <integer>
end
config ftgd-dns
edit <name_str>
set options {error-allow | ftgd-disable}
config filters
edit <name_str>
set id <integer>
set category <integer>
set action {block | monitor}
set log {enable | disable}
end
end
set log-all-url {enable | disable}
set sdns-ftgd-err-log {enable | disable}
set sdns-url-log {enable | disable}
set block-action {block | redirect}
set redirect-portal <ipv4-address>
set block-botnet {disable | enable}
end

Description
Configuration                         Description                                         Default Value
name                                  Profile name.                                       (Empty)
comment                               Comment.                                            (Empty)
urlfilter                             URL filter settings.                                Details below
    Configuration                         Default Value
    urlfilter-table                       0
ftgd-dns                              FortiGuard DNS Filter settings.                     Details below
    Configuration                         Default Value
    options                               (Empty)
    filters                               (Empty)
log-all-url                           Enable/disable log all URLs visited.                disable
sdns-ftgd-err-log                     Enable/disable logging of FortiGuard SDNS           enable
                                      rating errors.
sdns-url-log                          Enable/disable logging of URL filtering and botnet  enable
                                      domains.
block-action                          Action to take for blocked domains.                 redirect
redirect-portal                       IP address of the SDNS portal.                      0.0.0.0
block-botnet                          Enable/disable block of botnet C&C.                 disable
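A worked configuration for this branch, added here as an illustration; it is not taken from the reference or from Fortinet. It turns on the botnet C&C block (the table above shows its default is disable, so botnet domains resolve normally until it is set) together with the two SDNS log options, and redirects blocked lookups to a portal. The profile name and the portal address are constructed values, and the `next` keyword, which closes a table entry in the FortiOS CLI, is not shown in the abbreviated syntax above.

```text
config dnsfilter profile
    edit "dns-botnet-block"
        set comment "Constructed example: botnet C&C blocked, SDNS events logged"
        set block-botnet enable
        set block-action redirect
        set redirect-portal 192.0.2.10
        set sdns-ftgd-err-log enable
        set sdns-url-log enable
        set log-all-url disable
    next
end
```

`sdns-url-log` is what produces the log records for domains this profile blocks; `log-all-url` is left at its default because logging every visited URL is a volume decision, not a detection one.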

dnsfilter/urlfilter
CLI Syntax
config dnsfilter urlfilter
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set id <integer>
set url <string>
set type {simple | regex | wildcard}
set action {block | allow | monitor}
set status {enable | disable}
end
end

Description
Configuration                         Description                                         Default Value
id                                    ID.
name                                  Name of table.                                      (Empty)
comment                               Comment.                                            (Empty)
entries                               DNS URL filter.                                     (Empty)

endpoint-control/client
CLI Syntax
config endpoint-control client
edit <name_str>
set id <integer>
set ftcl-uid <string>
set src-ip <ipv4-address-any>
set src-mac <mac-address>
set info <user>
set ad-groups <var-string>
end

Description
Configuration                         Description                                         Default Value
id                                    Endpoint client ID.
ftcl-uid                              Endpoint FortiClient UID.                           (Empty)
src-ip                                Endpoint client IP address.                         0.0.0.0
src-mac                               Endpoint client MAC address.                        00:00:00:00:00:00
info                                  Endpoint client information.                        (Empty)
ad-groups                             Endpoint client AD logon groups.                    (Empty)

endpoint-control/forticlient-registration-sync
CLI Syntax
config endpoint-control forticlient-registration-sync
edit <name_str>
set peer-name <string>
set peer-ip <ipv4-address>
end

Description
Configuration                         Description                                         Default Value
peer-name                             Peer name.                                          (Empty)
peer-ip                               Peer connecting IP.                                 0.0.0.0

endpoint-control/profile
CLI Syntax
config endpoint-control profile
edit <name_str>
set profile-name <string>
config forticlient-winmac-settings
edit <name_str>
set compliance-action {block | warning | auto-update}
set forticlient-av {enable | disable}
set av-realtime-protection {enable | disable}
set av-signature-up-to-date {enable | disable}
set sandbox-analysis {enable | disable}
set sandbox-address <string>
set forticlient-application-firewall {enable | disable}
set forticlient-application-firewall-list <string>
set forticlient-system-compliance {enable | disable}
set forticlient-minimum-software-version {enable | disable}
set forticlient-win-ver <string>
set forticlient-mac-ver <string>
set os-av-software-installed {enable | disable}
config forticlient-operating-system
edit <name_str>
set id <integer>
set os-type {custom | mac_os | win_10 | win_svr_10 | win_81 | win_svr_2012_r2 | win_80 | win_svr_2012 | win_7 | win_svr_2008_r2 | win_vista | win_svr_2008 | win_svr_2003_r2 | win_sto_svr_2003 | win_home_svr | win_svr_2003 | win_xp | win_2000}
set os-name <string>
end
config forticlient-running-app
edit <name_str>
set id <integer>
set app-name <string>
set process-name <string>
set app-sha256-signature <string>
set process-name2 <string>
set app-sha256-signature2 <string>
set process-name3 <string>
set app-sha256-signature3 <string>
set process-name4 <string>
set app-sha256-signature4 <string>
end
config forticlient-registry-entry
edit <name_str>
set id <integer>
set registry-entry <string>
end
config forticlient-own-file
edit <name_str>
set id <integer>
set file <string>
end
set forticlient-log-upload {enable | disable}
set forticlient-log-upload-level {traffic | vulnerability | event}
set forticlient-log-upload-server <string>
set forticlient-wf {enable | disable}
set forticlient-wf-profile <string>
set forticlient-vuln-scan {enable | disable}
set forticlient-vuln-scan-enforce {critical | high | medium | low}
set forticlient-vuln-scan-enforce-grace <integer>
end
config forticlient-android-settings
edit <name_str>
set forticlient-wf {enable | disable}
set forticlient-wf-profile <string>
set disable-wf-when-protected {enable | disable}
set forticlient-vpn-provisioning {enable | disable}
set forticlient-advanced-vpn {enable | disable}
set forticlient-advanced-vpn-buffer <var-string>
config forticlient-vpn-settings
edit <name_str>
set name <string>
set type {ipsec | ssl}
set remote-gw <string>
set sslvpn-access-port <integer>
set sslvpn-require-certificate {enable | disable}
set auth-method {psk | certificate}
set preshared-key <password>
end
end
config forticlient-ios-settings
edit <name_str>
set forticlient-wf {enable | disable}
set forticlient-wf-profile <string>
set disable-wf-when-protected {enable | disable}
set client-vpn-provisioning {enable | disable}
config client-vpn-settings
edit <name_str>
set name <string>
set type {ipsec | ssl}
set vpn-configuration-name <string>
set vpn-configuration-content <var-string>
set remote-gw <string>
set sslvpn-access-port <integer>
set sslvpn-require-certificate {enable | disable}
set auth-method {psk | certificate}
set preshared-key <password>
end
set distribute-configuration-profile {enable | disable}
set configuration-name <string>
set configuration-content <var-string>
end
set description <var-string>
config src-addr
edit <name_str>
set name <string>
end
config device-groups
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config user-groups
edit <name_str>
set name <string>
end
config on-net-addr
edit <name_str>
set name <string>
end
set replacemsg-override-group <string>
end

Description
Configuration                         Description                                         Default Value
profile-name                          Profile name.                                       (Empty)
forticlient-winmac-settings           FortiClient settings for Windows/Mac platform.      Details below
    Configuration                         Default Value
    compliance-action                     auto-update
    forticlient-av                        disable
    av-realtime-protection                disable
    av-signature-up-to-date               disable
    sandbox-analysis                      disable
    sandbox-address                       (Empty)
    forticlient-application-firewall      disable
    forticlient-application-firewall-list (Empty)
    forticlient-system-compliance         enable
    forticlient-minimum-software-version  disable
    forticlient-win-ver                   5.4.1
    forticlient-mac-ver                   5.4.1
    os-av-software-installed              disable
    forticlient-operating-system          (Empty)
    forticlient-running-app               (Empty)
    forticlient-registry-entry            (Empty)
    forticlient-own-file                  (Empty)
    forticlient-log-upload                enable
    forticlient-log-upload-level          traffic vulnerability event
    forticlient-log-upload-server         (Empty)
    forticlient-wf                        disable
    forticlient-wf-profile                default
    forticlient-vuln-scan                 enable
    forticlient-vuln-scan-enforce         high
    forticlient-vuln-scan-enforce-grace   1
forticlient-android-settings          FortiClient settings for Android platform.          Details below
    Configuration                         Default Value
    forticlient-wf                        disable
    forticlient-wf-profile                (Empty)
    disable-wf-when-protected             enable
    forticlient-vpn-provisioning          disable
    forticlient-advanced-vpn              disable
    forticlient-advanced-vpn-buffer       (Empty)
    forticlient-vpn-settings              (Empty)
forticlient-ios-settings              FortiClient settings for iOS platform.              Details below
    Configuration                         Default Value
    forticlient-wf                        disable
    forticlient-wf-profile                (Empty)
    disable-wf-when-protected             enable
    client-vpn-provisioning               disable
    client-vpn-settings                   (Empty)
    distribute-configuration-profile      disable
    configuration-name                    (Empty)
    configuration-content                 (Empty)
description                           Description.                                        (Empty)
src-addr                              Source addresses.                                   (Empty)
device-groups                         Device groups.                                      (Empty)
users                                 Users.                                              (Empty)
user-groups                           User groups.                                        (Empty)
on-net-addr                           Addresses for on-net detection.                     (Empty)
replacemsg-override-group             Specify endpoint control replacement message        (Empty)
                                      override group.

endpoint-control/registered-forticlient
CLI Syntax
config endpoint-control registered-forticlient
edit <name_str>
set uid <string>
set vdom <string>
set ip <ipv4-address-any>
set mac <mac-address>
set status <integer>
set flag <integer>
set reg-fortigate <string>
end

Description
Configuration                         Description                                         Default Value
uid                                   FortiClient UID.                                    (Empty)
vdom                                  Registering vdom.                                   (Empty)
ip                                    Endpoint IP address.                                0.0.0.0
mac                                   Endpoint MAC address.                               00:00:00:00:00:00
status                                FortiClient registration status.
flag                                  FortiClient registration flag.
reg-fortigate                         Registering FortiGate SN.                           (Empty)

endpoint-control/settings
CLI Syntax
config endpoint-control settings
edit <name_str>
set forticlient-reg-key-enforce {enable | disable}
set forticlient-reg-key <password>
set forticlient-reg-timeout <integer>
set download-custom-link <string>
set download-location {fortiguard | custom}
set forticlient-keepalive-interval <integer>
set forticlient-sys-update-interval <integer>
set forticlient-avdb-update-interval <integer>
end

Description
Configuration                         Description                                         Default Value
forticlient-reg-key-enforce           Enable/disable enforcement of FortiClient           disable
                                      registration key.
forticlient-reg-key                   FortiClient registration key.                       (Empty)
forticlient-reg-timeout               FortiClient registration license timeout (days,
                                      min = 1, max = 180, 0 = unlimited).
download-custom-link                  Customized URL for downloading FortiClient.         (Empty)
download-location                     FortiClient download location.                      fortiguard
forticlient-keepalive-interval        Interval between two KeepAlive messages from        60
                                      FortiClient (in seconds).
forticlient-sys-update-interval       Interval between two system update messages         720
                                      from FortiClient (in minutes).
forticlient-avdb-update-interval      Hours between FortiClient AntiVirus database
                                      updates (0 - 24, default = 8).
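An added example for this branch, written for this page rather than taken from the reference or from Fortinet. With `forticlient-reg-key-enforce` at its default of disable, any FortiClient that can reach the FortiGate may register; the example turns enforcement on so that registration requires the shared key, bounds the registration license to 30 days (inside the 1 - 180 range the table states) and keeps downloads pointed at FortiGuard. The key value is a placeholder, and this branch is written without an `edit` line because it is a single settings table rather than a list of entries.

```text
config endpoint-control settings
    set forticlient-reg-key-enforce enable
    set forticlient-reg-key <REGISTRATION-KEY-PLACEHOLDER>
    set forticlient-reg-timeout 30
    set download-location fortiguard
    set forticlient-keepalive-interval 60
    set forticlient-sys-update-interval 720
end
```

The registration key is stored as a `<password>` type, so it is not echoed back in plain text when the configuration is displayed; treat it as a shared secret and rotate it when a client that held it is decommissioned.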

extender-controller/extender
CLI Syntax
config extender-controller extender
edit <name_str>
set id <string>
set admin {disable | discovered | enable}
set ifname <string>
set vdom <integer>
set role {none | primary | secondary}
set mode {standalone | redundant}
set dial-mode {dial-on-demand | always-connect}
set redial {none | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10}
set redundant-intf <string>
set dial-status <integer>
set conn-status <integer>
set ext-name <string>
set description <string>
set quota-limit-mb <integer>
set billing-start-day <integer>
set at-dial-script <string>
set modem-passwd <password>
set initiated-update {enable | disable}
set modem-type {cdma | gsm/lte | wimax}
set ppp-username <string>
set ppp-password <password>
set ppp-auth-protocol {auto | pap | chap}
set ppp-echo-request {enable | disable}
set wimax-carrier <string>
set wimax-realm <string>
set wimax-auth-protocol {tls | ttls}
set sim-pin <password>
set access-point-name <string>
set multi-mode {auto | auto-3g | force-lte | force-3g | force-2g}
set roaming {enable | disable}
set cdma-nai <string>
set aaa-shared-secret <password>
set ha-shared-secret <password>
set primary-ha <string>
set secondary-ha <string>
set cdma-aaa-spi <string>
set cdma-ha-spi <string>
end

Description
Configuration                         Description                                         Default Value
id                                    FortiExtender serial number.                        (Empty)
admin                                 FortiExtender Administration (enable or disable).   disable
ifname                                FortiExtender interface name.                       (Empty)
vdom                                  VDOM.
role                                  FortiExtender work role (Primary, Secondary,        none
                                      None).
mode                                  FortiExtender mode.                                 standalone
dial-mode                             Dial mode (dial-on-demand or always-connect).       always-connect
redial                                Number of redials allowed based on failed           none
                                      attempts.
redundant-intf                        Redundant interface.                                (Empty)
dial-status                           Dial status.
conn-status                           Connection status.
ext-name                              FortiExtender name.                                 (Empty)
description                           Description.                                        (Empty)
quota-limit-mb                        Monthly quota limit (MB).
billing-start-day                     Billing start day.
at-dial-script                        Initialization AT commands specific to the          (Empty)
                                      MODEM.
modem-passwd                          MODEM password.                                     (Empty)
initiated-update                      Allow/disallow network initiated updates to the     disable
                                      MODEM.
modem-type                            MODEM type (CDMA, GSM/LTE or WIMAX).                gsm/lte
ppp-username                          PPP username.                                       (Empty)
ppp-password                          PPP password.                                       (Empty)
ppp-auth-protocol                     PPP authentication protocol (PAP, CHAP or auto).    auto
ppp-echo-request                      Enable/disable PPP echo request.                    disable
wimax-carrier                         WiMax carrier.                                      (Empty)
wimax-realm                           WiMax realm.                                        (Empty)
wimax-auth-protocol                   WiMax authentication protocol (TLS or TTLS).        tls
sim-pin                               SIM PIN.                                            (Empty)
access-point-name                     Access point name (APN).                            (Empty)
multi-mode                            MODEM mode of operation (3G, LTE, etc.).            auto
roaming                               Enable/disable MODEM roaming.                       disable
cdma-nai                              NAI for CDMA MODEMs.                                (Empty)
aaa-shared-secret                     AAA shared secret.                                  (Empty)
ha-shared-secret                      HA shared secret.                                   (Empty)
primary-ha                            Primary HA.                                         (Empty)
secondary-ha                          Secondary HA.                                       (Empty)
cdma-aaa-spi                          CDMA AAA SPI.                                       (Empty)
cdma-ha-spi                           CDMA HA SPI.                                        (Empty)

firewall.ipmacbinding/setting
CLI Syntax
config firewall.ipmacbinding setting
edit <name_str>
set bindthroughfw {enable | disable}
set bindtofw {enable | disable}
set undefinedhost {allow | block}
end

Description
Configuration                         Description                                         Default Value
bindthroughfw                         Enable/disable going through firewall.              disable
bindtofw                              Enable/disable going to firewall.                   disable
undefinedhost                         Allow/block traffic for undefined hosts.            block

firewall.ipmacbinding/table
CLI Syntax
config firewall.ipmacbinding table
edit <name_str>
set seq-num <integer>
set ip <ipv4-address>
set mac <mac-address>
set name <string>
set status {enable | disable}
end

Description
Configuration                         Description                                         Default Value
seq-num                               Entry number.
ip                                    IP address.                                         0.0.0.0
mac                                   MAC address.                                        00:00:00:00:00:00
name                                  Name (optional, default = no name).                 noname
status                                Enable/disable IP-MAC binding.                      disable
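A worked example covering both the firewall.ipmacbinding/table and firewall.ipmacbinding/setting branches above, added for this page and not drawn from the reference or from Fortinet. A binding table entry is keyed by its entry number, so the `edit` line supplies the seq-num; the IP, MAC and name values are constructed. Note that the two settings `bindthroughfw` and `bindtofw` default to disable, so a table on its own enforces nothing until at least one of them is enabled, and `undefinedhost` decides what happens to hosts with no binding (the default, block, is the safe choice for a populated table). The branch the page lists as `firewall.ipmacbinding` is entered in the CLI as `config firewall ipmacbinding ...`.

```text
config firewall ipmacbinding table
    edit 1
        set ip 192.0.2.25
        set mac 00:11:22:33:44:55
        set name "finance-printer"
        set status enable
    next
end
config firewall ipmacbinding setting
    set bindthroughfw enable
    set bindtofw enable
    set undefinedhost block
end
```

With this in place, a frame from 192.0.2.25 carrying any other source MAC is dropped both for traffic through the unit and for traffic addressed to it, and an address that has no table entry is blocked by `undefinedhost`. Switching `undefinedhost` to allow turns the table into a watch-list for known pairs only, which is the usual rollout order: populate the table, verify with allow, then move to block.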

firewall.schedule/group
CLI Syntax
config firewall.schedule group
edit <name_str>
set name <string>
config member
edit <name_str>
set name <string>
end
set color <integer>
end

Description
Configuration                         Description                                         Default Value
name                                  Schedule group name.                                (Empty)
member                                Schedule group member.                              (Empty)
color                                 GUI icon color.

firewall.schedule/onetime
CLI Syntax
config firewall.schedule onetime
edit <name_str>
set name <string>
set start <user>
set end <user>
set color <integer>
set expiration-days <integer>
end

Description
Configuration                         Description                                         Default Value
name                                  Onetime schedule name.                              (Empty)
start                                 Start time and date.                                00:00 2001/01/01
end                                   End time and date.                                  00:00 2001/01/01
color                                 GUI icon color.
expiration-days                       Generate event log before schedule expires
                                      (1 - 100 days, 0 = disable).

firewall.schedule/recurring
CLI Syntax
config firewall.schedule recurring
edit <name_str>
set name <string>
set start <user>
set end <user>
set day {sunday | monday | tuesday | wednesday | thursday | friday | saturday | none}
set color <integer>
end

Description
Configuration                         Description                                         Default Value
name                                  Recurring schedule name.                            (Empty)
start                                 Start time.                                         00:00
end                                   End time.                                           00:00
day                                   Weekday.                                            none
color                                 GUI icon color.

firewall.service/category
CLI Syntax
config firewall.service category
edit <name_str>
set name <string>
set comment <var-string>
end

Description
Configuration                         Description                                         Default Value
name                                  Service category name.                              (Empty)
comment                               Comment.                                            (Empty)

firewall.service/custom
CLI Syntax
config firewall.service custom
edit <name_str>
set name <string>
set explicit-proxy {enable | disable}
set category <string>
set protocol {TCP/UDP/SCTP | ICMP | ICMP6 | IP | HTTP | FTP | CONNECT | SOCKS | SOCKS-TCP | SOCKS-UDP | ALL}
set iprange <user>
set fqdn <string>
set protocol-number <integer>
set icmptype <integer>
set icmpcode <integer>
set tcp-portrange <user>
set udp-portrange <user>
set sctp-portrange <user>
set tcp-halfclose-timer <integer>
set tcp-halfopen-timer <integer>
set tcp-timewait-timer <integer>
set udp-idle-timer <integer>
set session-ttl <integer>
set check-reset-range {disable | strict | default}
set comment <var-string>
set color <integer>
set visibility {enable | disable}
end

Description
Configuration                         Description                                         Default Value
name                                  Custom service name.                                (Empty)
explicit-proxy                        Enable/disable explicit web proxy service.          disable
category                              Service category.                                   (Empty)
protocol                              Protocol type.                                      TCP/UDP/SCTP
iprange                               Start IP-End IP.                                    0.0.0.0
fqdn                                  Fully qualified domain name.                        (Empty)
protocol-number                       IP protocol number.
icmptype                              ICMP type.                                          (Empty)
icmpcode                              ICMP code.                                          (Empty)
tcp-portrange                         Multiple TCP port ranges.                           (Empty)
udp-portrange                         Multiple UDP port ranges.                           (Empty)
sctp-portrange                        Multiple SCTP port ranges.                          (Empty)
tcp-halfclose-timer                   TCP half close timeout (1 - 86400 sec, 0 =
                                      default).
tcp-halfopen-timer                    TCP half open timeout (1 - 86400 sec, 0 =
                                      default).
tcp-timewait-timer                    TCP time wait timeout (1 - 300 sec, 0 = default).
udp-idle-timer                        UDP idle timeout (0 - 86400 sec, 0 = default).
session-ttl                           Session TTL (300 - 604800, 0 = default).
check-reset-range                     Enable/disable RST check.                           default
comment                               Comment.                                            (Empty)
color                                 GUI icon color.
visibility                            Enable/disable service visibility.                  enable

firewall.service/group
CLI Syntax
config firewall.service group
edit <name_str>
set name <string>
config member
edit <name_str>
set name <string>
end
set explicit-proxy {enable | disable}
set comment <var-string>
set color <integer>
end

Description
Configuration                         Description                                         Default Value
name                                  Service group name.                                 (Empty)
member                                Service group member.                               (Empty)
explicit-proxy                        Enable/disable explicit web proxy service group.    disable
comment                               Comment.                                            (Empty)
color                                 GUI icon color.

firewall.shaper/per-ip-shaper
CLI Syntax
config firewall.shaper per-ip-shaper
edit <name_str>
set name <string>
set max-bandwidth <integer>
set bandwidth-unit {kbps | mbps | gbps}
set max-concurrent-session <integer>
set diffserv-forward {enable | disable}
set diffserv-reverse {enable | disable}
set diffservcode-forward <user>
set diffservcode-rev <user>
end

Description
Configuration                         Description                                         Default Value
name                                  Traffic shaper name.                                (Empty)
max-bandwidth                         Maximum bandwidth value (0 - 16776000).
bandwidth-unit                        Bandwidth unit (default = kbps).                    kbps
max-concurrent-session                Maximum concurrent session (0 - 2097000).
diffserv-forward                      Forward (original) traffic DiffServ.                disable
diffserv-reverse                      Reverse (reply) traffic DiffServ.                   disable
diffservcode-forward                  Forward (original) traffic DiffServ code point      000000
                                      value.
diffservcode-rev                      Reverse (reply) traffic DiffServ code point value.  000000

firewall.shaper/traffic-shaper
CLI Syntax
config firewall.shaper traffic-shaper
edit <name_str>
set name <string>
set guaranteed-bandwidth <integer>
set maximum-bandwidth <integer>
set bandwidth-unit {kbps | mbps | gbps}
set priority {low | medium | high}
set per-policy {disable | enable}
set diffserv {enable | disable}
set diffservcode <user>
end

Description
Configuration                         Description                                         Default Value
name                                  Traffic shaper name.                                (Empty)
guaranteed-bandwidth                  Guaranteed bandwidth value (0 - 16776000).
maximum-bandwidth                     Maximum bandwidth value (0 - 16776000).
bandwidth-unit                        Bandwidth unit (default = kbps).                    kbps
priority                              Traffic priority.                                   high
per-policy                            Enable/disable use a separate shaper for each       disable
                                      policy.
diffserv                              Enable/disable traffic DiffServ.                    disable
diffservcode                          Traffic DiffServ code point value.                  000000

firewall.ssl/setting
CLI Syntax
config firewall.ssl setting
edit <name_str>
set proxy-connect-timeout <integer>
set ssl-dh-bits {768 | 1024 | 1536 | 2048}
set ssl-send-empty-frags {enable | disable}
set no-matching-cipher-action {bypass | drop}
set cert-cache-capacity <integer>
set cert-cache-timeout <integer>
set session-cache-capacity <integer>
set session-cache-timeout <integer>
end

Description
Configuration                         Description                                         Default Value
proxy-connect-timeout                 Time limit to make an internal connection to the    30
                                      appropriate proxy process (1 - 60 sec).
ssl-dh-bits                           Size of Diffie-Hellman prime used in DHE-RSA        2048
                                      negotiation.
ssl-send-empty-frags                  Send empty fragments to avoid attack on CBC IV      enable
                                      (SSL 3.0 & TLS 1.0 only).
no-matching-cipher-action             Bypass or drop the connection when no matching      bypass
                                      cipher was found.
cert-cache-capacity                   Maximum capacity of the host certificate cache      200
                                      (0 - 500).
cert-cache-timeout                    Minutes to keep certificate cache (1 - 120 min).    10
session-cache-capacity                Obsolete.                                           500
session-cache-timeout                 Number of minutes to keep SSL session state.        20
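The weak setting beside the corrected one for this branch, added as an example for this page and not taken from the reference or from Fortinet. The security-relevant default in the table above is `no-matching-cipher-action bypass`: when the SSL proxy cannot agree a cipher with the server, the session is passed through without inspection, so every content-inspection profile that depends on this proxy is silently skipped for that connection. The hardened form drops such sessions instead, keeps the Diffie-Hellman prime at the 2048-bit default and keeps the empty-fragment mitigation for SSL 3.0/TLS 1.0 CBC. The `#` lines are annotations for the reader. The branch the page lists as `firewall.ssl` is entered in the CLI as `config firewall ssl setting`.

```text
# Default (weak) form: sessions with no usable cipher are bypassed, i.e. not inspected.
config firewall ssl setting
    set no-matching-cipher-action bypass
    set ssl-dh-bits 2048
end

# Hardened form: fail closed on cipher mismatch so nothing reaches the client uninspected.
config firewall ssl setting
    set no-matching-cipher-action drop
    set ssl-dh-bits 2048
    set ssl-send-empty-frags enable
    set proxy-connect-timeout 30
    set cert-cache-capacity 200
    set cert-cache-timeout 10
end
```

Expect the switch to drop to surface servers that only offer cipher suites the proxy does not support; those are the sessions that were previously leaving the unit unscanned, so each one is worth a look before an exception is granted.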

firewall/address
CLI Syntax
config firewall address
edit <name_str>
set name <string>
set uuid <uuid>
set subnet <ipv4-classnet-any>
set type {ipmask | iprange | fqdn | geography | wildcard | wildcard-fqdn}
set start-ip <ipv4-address-any>
set end-ip <ipv4-address-any>
set fqdn <string>
set country <string>
set wildcard-fqdn <string>
set cache-ttl <integer>
set wildcard <ipv4-classnet-any>
set comment <var-string>
set visibility {enable | disable}
set associated-interface <string>
set color <integer>
config tags
edit <name_str>
set name <string>
end
set allow-routing {enable | disable}
end

Description
Configuration                         Description                                         Default Value
name                                  Address name.                                       (Empty)
uuid                                  Universally Unique IDentifier.                      00000000-0000-0000-0000-000000000000
subnet                                IP address and netmask.                             0.0.0.0 0.0.0.0
type                                  Type.                                               ipmask
start-ip                              Start IP.                                           0.0.0.0
end-ip                                End IP.                                             0.0.0.0
fqdn                                  Fully qualified domain name.                        (Empty)
country                               Country name.                                       (Empty)
wildcard-fqdn                         Wildcard FQDN.                                      (Empty)
cache-ttl                             Minimal TTL of individual IP addresses in FQDN
                                      cache.
wildcard                              IP address and wildcard netmask.                    0.0.0.0 0.0.0.0
comment                               Comment.                                            (Empty)
visibility                            Enable/disable address visibility.                  enable
associated-interface                  Associated interface name.                          (Empty)
color                                 GUI icon color.
tags                                  Applied object tags.                                (Empty)
allow-routing                         Enable/disable use of this address in the static    disable
                                      route configuration.

firewall/address6
CLI Syntax
config firewall address6
edit <name_str>
set name <string>
set uuid <uuid>
set type {ipprefix | iprange}
set ip6 <ipv6-network>
set start-ip <ipv6-address>
set end-ip <ipv6-address>
set visibility {enable | disable}
set color <integer>
config tags
edit <name_str>
set name <string>
end
set comment <var-string>
end

Description
Configuration                         Description                                         Default Value
name                                  Address name.                                       (Empty)
uuid                                  Universally Unique IDentifier.                      00000000-0000-0000-0000-000000000000
type                                  Type.                                               ipprefix
ip6                                   IPv6 address prefix.                                ::/0
start-ip                              Start IP.                                           ::
end-ip                                End IP.                                             ::
visibility                            Enable/disable address visibility.                  enable
color                                 GUI icon color.
tags                                  Applied object tags.                                (Empty)
comment                               Comment.                                            (Empty)

firewall/addrgrp
CLI Syntax
config firewall addrgrp
edit <name_str>
set name <string>
set uuid <uuid>
config member
edit <name_str>
set name <string>
end
set comment <var-string>
set visibility {enable | disable}
set color <integer>
config tags
edit <name_str>
set name <string>
end
set allow-routing {enable | disable}
end

Description
Configuration                         Description                                         Default Value
name                                  Address group name.                                 (Empty)
uuid                                  Universally Unique IDentifier.                      00000000-0000-0000-0000-000000000000
member                                Address group member.                               (Empty)
comment                               Comment.                                            (Empty)
visibility                            Enable/disable address group visibility.            enable
color                                 GUI icon color.
tags                                  Applied object tags.                                (Empty)
allow-routing                         Enable/disable use of this group in the static      disable
                                      route configuration.

firewall/addrgrp6
CLI Syntax
config firewall addrgrp6
edit <name_str>
set name <string>
set uuid <uuid>
set visibility {enable | disable}
set color <integer>
set comment <var-string>
config member
edit <name_str>
set name <string>
end
config tags
edit <name_str>
set name <string>
end
end

Description
Configuration                         Description                                         Default Value
name                                  IPv6 address group name.                            (Empty)
uuid                                  Universally Unique IDentifier.                      00000000-0000-0000-0000-000000000000
visibility                            Enable/disable address group6 visibility.           enable
color                                 GUI icon color.
comment                               Comment.                                            (Empty)
member                                IPv6 address group member.                          (Empty)
tags                                  Applied object tags.                                (Empty)

firewall/auth-portal
CLI Syntax
config firewall auth-portal
edit <name_str>
config groups
edit <name_str>
set name <string>
end
set portal-addr <string>
set portal-addr6 <string>
set identity-based-route <string>
end

Description
Configuration                         Description                                         Default Value
groups                                Group name.                                         (Empty)
portal-addr                           Address (or domain name) of authentication          (Empty)
                                      portal.
portal-addr6                          IPv6 address (or domain name) of authentication     (Empty)
                                      portal.
identity-based-route                  Name of identity-based routing rule.                (Empty)

firewall/central-snat-map
CLI Syntax
config firewall central-snat-map
edit <name_str>
set policyid <integer>
set status {enable | disable}
config orig-addr
edit <name_str>
set name <string>
end
config dst-addr
edit <name_str>
set name <string>
end
config nat-ippool
edit <name_str>
set name <string>
end
set protocol <integer>
set orig-port <integer>
set nat-port <user>
end

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

100

Description
Configuration | Description | Default Value
policyid | Policy ID. |
status | Enable/disable policy status. | enable
orig-addr | Original address. | (Empty)
dst-addr | Destination address. | (Empty)
nat-ippool | IP pool names for translated address. | (Empty)
protocol | Protocol (0 - 255). |
orig-port | Original port. |
nat-port | Translated port or port range. |


firewall/dnstranslation
CLI Syntax
config firewall dnstranslation
edit <name_str>
set id <integer>
set src <ipv4-address>
set dst <ipv4-address>
set netmask <ipv4-netmask>
end


Description
Configuration | Description | Default Value
id | ID. |
src | Source IP. | 0.0.0.0
dst | Destination IP. | 0.0.0.0
netmask | Network mask. | 255.255.255.255


firewall/DoS-policy
CLI Syntax
config firewall DoS-policy
edit <name_str>
set policyid <integer>
set status {enable | disable}
set interface <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
config anomaly
edit <name_str>
set name <string>
set status {disable | enable}
set log {enable | disable}
set action {pass | block | proxy}
set quarantine {none | attacker | both | interface}
set quarantine-expiry <user>
set quarantine-log {disable | enable}
set threshold <integer>
set threshold(default) <integer>
end
end


Description
Configuration | Description | Default Value
policyid | Policy ID. |
status | Enable/disable policy status. | enable
interface | Interface name. | (Empty)
srcaddr | Source address name. | (Empty)
dstaddr | Destination address name. | (Empty)
service | Service name. | (Empty)
anomaly | Anomaly. | (Empty)


firewall/DoS-policy6
CLI Syntax
config firewall DoS-policy6
edit <name_str>
set policyid <integer>
set status {enable | disable}
set interface <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
config anomaly
edit <name_str>
set name <string>
set status {disable | enable}
set log {enable | disable}
set action {pass | block | proxy}
set quarantine {none | attacker | both | interface}
set quarantine-expiry <user>
set quarantine-log {disable | enable}
set threshold <integer>
set threshold(default) <integer>
end
end


Description
Configuration | Description | Default Value
policyid | Policy ID. |
status | Enable/disable policy status. | enable
interface | Interface name. | (Empty)
srcaddr | Source address name. | (Empty)
dstaddr | Destination address name. | (Empty)
service | Service name. | (Empty)
anomaly | Anomaly. | (Empty)


firewall/explicit-proxy-address
CLI Syntax
config firewall explicit-proxy-address
edit <name_str>
set name <string>
set uuid <uuid>
set type {host-regex | url | category | method | ua | header | src-advanced | dst-advanced}
set host <string>
set host-regex <string>
set path <string>
config category
edit <name_str>
set id <integer>
end
set method {get | post | put | head | connect | trace | options | delete}
set ua {chrome | ms | firefox | safari | other}
set header-name <string>
set header <string>
set case-sensitivity {disable | enable}
config header-group
edit <name_str>
set id <integer>
set header-name <string>
set header <string>
set case-sensitivity {disable | enable}
end
set color <integer>
config tags
edit <name_str>
set name <string>
end
set comment <var-string>
set visibility {enable | disable}
end


Description
Configuration | Description | Default Value
name | Address name. | (Empty)
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
type | Address type. | url
host | Host address. | (Empty)
host-regex | Host regular expression. | (Empty)
path | URL path regular expression. | (Empty)
category | FortiGuard category ID. | (Empty)
method | HTTP methods. | (Empty)
ua | User agent. | (Empty)
header-name | HTTP header. | (Empty)
header | HTTP header regular expression. | (Empty)
case-sensitivity | Case sensitivity in pattern. | disable
header-group | HTTP header group. | (Empty)
color | GUI icon color. |
tags | Applied object tags. | (Empty)
comment | Comment. | (Empty)
visibility | Enable/disable address visibility. | disable


firewall/explicit-proxy-addrgrp
CLI Syntax
config firewall explicit-proxy-addrgrp
edit <name_str>
set name <string>
set type {src | dst}
set uuid <uuid>
config member
edit <name_str>
set name <string>
end
set color <integer>
config tags
edit <name_str>
set name <string>
end
set comment <var-string>
set visibility {enable | disable}
end


Description
Configuration | Description | Default Value
name | Address group name. | (Empty)
type | Address group type. | src
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
member | Address group members. | (Empty)
color | GUI icon color. |
tags | Applied object tags. | (Empty)
comment | Comment. | (Empty)
visibility | Enable/disable address visibility. | disable


firewall/explicit-proxy-policy
CLI Syntax
config firewall explicit-proxy-policy
edit <name_str>
set uuid <uuid>
set policyid <integer>
set proxy {web | ftp | wanopt}
config dstintf
edit <name_str>
set name <string>
end
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
set srcaddr-negate {enable | disable}
set dstaddr-negate {enable | disable}
set service-negate {enable | disable}
set action {accept | deny}
set status {enable | disable}
set schedule <string>
set logtraffic {all | utm | disable}
config srcaddr6
edit <name_str>
set name <string>
end
config dstaddr6
edit <name_str>
set name <string>
end
set identity-based {enable | disable}
set ip-based {enable | disable}
set active-auth-method {ntlm | basic | digest | form | negotiate | none}
set sso-auth-method {fsso | rsso | none}
set require-tfa {enable | disable}
set web-auth-cookie {enable | disable}
set transaction-based {enable | disable}
config identity-based-policy
edit <name_str>
set id <integer>
set schedule <string>
set logtraffic {all | utm | disable}
set logtraffic-start {enable | disable}
set scan-botnet-connections {disable | block | monitor}
set utm-status {enable | disable}
set profile-type {single | group}
set profile-group <string>
set av-profile <string>
set webfilter-profile <string>
set spamfilter-profile <string>
set dlp-sensor <string>
set ips-sensor <string>
set application-list <string>
set casi-profile <string>
set icap-profile <string>
set waf-profile <string>
set profile-protocol-options <string>
set ssl-ssh-profile <string>
config groups
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
set disclaimer {disable | domain | policy | user}
set replacemsg-override-group <string>
end
set webproxy-forward-server <string>
set webproxy-profile <string>
set transparent {enable | disable}
set webcache {enable | disable}
set webcache-https {disable | any | enable}
set disclaimer {disable | domain | policy | user}
set utm-status {enable | disable}
set profile-type {single | group}
set profile-group <string>
set av-profile <string>
set webfilter-profile <string>
set spamfilter-profile <string>
set dlp-sensor <string>
set ips-sensor <string>
set application-list <string>
set casi-profile <string>
set icap-profile <string>
set waf-profile <string>
set profile-protocol-options <string>
set ssl-ssh-profile <string>
set replacemsg-override-group <string>
set logtraffic-start {enable | disable}
config tags
edit <name_str>
set name <string>
end
set label <string>
set global-label <string>
set scan-botnet-connections {disable | block | monitor}
set comments <var-string>
end


Description
Configuration | Description | Default Value
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
policyid | Policy ID. |
proxy | Explicit proxy type. | (Empty)
dstintf | Destination interface name. | (Empty)
srcaddr | Source address name. [srcaddr or srcaddr6 (web proxy only) must be set]. | (Empty)
dstaddr | Destination address name. [dstaddr or dstaddr6 (web proxy only) must be set]. | (Empty)
service | Service name. | (Empty)
srcaddr-negate | Enable/disable negated source address match. | disable
dstaddr-negate | Enable/disable negated destination address match. | disable
service-negate | Enable/disable negated service match. | disable
action | Policy action. | deny
status | Enable/disable policy status. | enable
schedule | Schedule name. | (Empty)
logtraffic | Enable/disable policy log traffic. | utm
srcaddr6 | IPv6 source address (web proxy only). [srcaddr6 or srcaddr must be set]. | (Empty)
dstaddr6 | IPv6 destination address (web proxy only). [dstaddr6 or dstaddr must be set]. | (Empty)
identity-based | Enable/disable identity-based policy. | disable
ip-based | Enable/disable IP-based authentication. | disable
active-auth-method | Active authentication method. | basic
sso-auth-method | SSO authentication method. | none
require-tfa | Enable/disable requirement of 2-factor authentication. | disable
web-auth-cookie | Enable/disable Web authentication cookie. | disable
transaction-based | Enable/disable transaction based authentication. | disable
identity-based-policy | Identity-based policy. | (Empty)
webproxy-forward-server | Web proxy forward server. | (Empty)
webproxy-profile | Web proxy profile. | (Empty)
transparent | Use IP address of client to connect to server. | disable
webcache | Enable/disable web cache. | disable
webcache-https | Enable/disable web cache for HTTPS. | disable
disclaimer | Web proxy disclaimer setting. | disable
utm-status | Enable AV/web/IPS protection profile. | disable
profile-type | Profile type. | single
profile-group | Profile group. | (Empty)
av-profile | Antivirus profile. | (Empty)
webfilter-profile | Web filter profile. | (Empty)
spamfilter-profile | Spam filter profile. | (Empty)
dlp-sensor | DLP sensor. | (Empty)
ips-sensor | IPS sensor. | (Empty)
application-list | Application list. | (Empty)
casi-profile | CASI profile. | (Empty)
icap-profile | ICAP profile. | (Empty)
waf-profile | Web application firewall profile. | (Empty)
profile-protocol-options | Profile protocol options. | (Empty)
ssl-ssh-profile | SSL SSH Profile. | (Empty)
replacemsg-override-group | Specify authentication replacement message override group. | (Empty)
logtraffic-start | Enable/disable policy log traffic start. | disable
tags | Applied object tags. | (Empty)
label | Label for section view. | (Empty)
global-label | Label for global view. | (Empty)
scan-botnet-connections | Enable/disable scanning of connections to Botnet servers. | disable
comments | Comment. | (Empty)


firewall/identity-based-route
CLI Syntax
config firewall identity-based-route
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set gateway <ipv4-address>
set device <string>
config groups
edit <name_str>
set name <string>
end
end
end


Description
Configuration | Description | Default Value
name | Name. | (Empty)
comments | Description/comments. | (Empty)
rule | Rule. | (Empty)


firewall/interface-policy
CLI Syntax
config firewall interface-policy
edit <name_str>
set policyid <integer>
set status {enable | disable}
set logtraffic {all | utm | disable}
set address-type {ipv4 | ipv6}
set interface <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
set application-list-status {enable | disable}
set application-list <string>
set casi-profile-status {enable | disable}
set casi-profile <string>
set ips-sensor-status {enable | disable}
set ips-sensor <string>
set dsri {enable | disable}
set av-profile-status {enable | disable}
set av-profile <string>
set webfilter-profile-status {enable | disable}
set webfilter-profile <string>
set spamfilter-profile-status {enable | disable}
set spamfilter-profile <string>
set dlp-sensor-status {enable | disable}
set dlp-sensor <string>
set scan-botnet-connections {disable | block | monitor}
set label <string>
end


Description
Configuration | Description | Default Value
policyid | Policy ID. |
status | Enable/disable policy status. | enable
logtraffic | Enable/disable interface log traffic. | utm
address-type | Policy address type. | ipv4
interface | Interface name. | (Empty)
srcaddr | Source address name. | (Empty)
dstaddr | Destination address name. | (Empty)
service | Service name. | (Empty)
application-list-status | Enable/disable application control. | disable
application-list | Application list name. | (Empty)
casi-profile-status | Enable/disable CASI. | disable
casi-profile | CASI profile name. | (Empty)
ips-sensor-status | Enable/disable IPS sensor. | disable
ips-sensor | IPS sensor name. | (Empty)
dsri | Enable/disable DSRI. | disable
av-profile-status | Enable/disable antivirus. | disable
av-profile | Antivirus profile. | (Empty)
webfilter-profile-status | Enable/disable web filter profile. | disable
webfilter-profile | Web filter profile. | (Empty)
spamfilter-profile-status | Enable/disable spam filter. | disable
spamfilter-profile | Spam filter profile. | (Empty)
dlp-sensor-status | Enable/disable DLP sensor. | disable
dlp-sensor | DLP sensor. | (Empty)
scan-botnet-connections | Enable/disable scanning of connections to Botnet servers. | disable
label | Label. | (Empty)


firewall/interface-policy6
CLI Syntax
config firewall interface-policy6
edit <name_str>
set policyid <integer>
set status {enable | disable}
set logtraffic {all | utm | disable}
set address-type {ipv4 | ipv6}
set interface <string>
config srcaddr6
edit <name_str>
set name <string>
end
config dstaddr6
edit <name_str>
set name <string>
end
config service6
edit <name_str>
set name <string>
end
set application-list-status {enable | disable}
set application-list <string>
set casi-profile-status {enable | disable}
set casi-profile <string>
set ips-sensor-status {enable | disable}
set ips-sensor <string>
set dsri {enable | disable}
set av-profile-status {enable | disable}
set av-profile <string>
set webfilter-profile-status {enable | disable}
set webfilter-profile <string>
set spamfilter-profile-status {enable | disable}
set spamfilter-profile <string>
set dlp-sensor-status {enable | disable}
set dlp-sensor <string>
set scan-botnet-connections {disable | block | monitor}
set label <string>
end


Description
Configuration | Description | Default Value
policyid | Policy ID. |
status | Enable/disable policy status. | enable
logtraffic | Enable/disable interface log traffic. | utm
address-type | Policy address type. | ipv6
interface | Interface name. | (Empty)
srcaddr6 | IPv6 source address name. | (Empty)
dstaddr6 | IPv6 destination address name. | (Empty)
service6 | Service name. | (Empty)
application-list-status | Enable/disable application control. | disable
application-list | Application list name. | (Empty)
casi-profile-status | Enable/disable CASI. | disable
casi-profile | CASI profile name. | (Empty)
ips-sensor-status | Enable/disable IPS sensor. | disable
ips-sensor | IPS sensor name. | (Empty)
dsri | Enable/disable DSRI. | disable
av-profile-status | Enable/disable antivirus. | disable
av-profile | Antivirus profile. | (Empty)
webfilter-profile-status | Enable/disable web filter profile. | disable
webfilter-profile | Web filter profile. | (Empty)
spamfilter-profile-status | Enable/disable spam filter. | disable
spamfilter-profile | Spam filter profile. | (Empty)
dlp-sensor-status | Enable/disable DLP sensor. | disable
dlp-sensor | DLP sensor. | (Empty)
scan-botnet-connections | Enable/disable scanning of connections to Botnet servers. | disable
label | Label. | (Empty)


firewall/ip-translation
CLI Syntax
config firewall ip-translation
edit <name_str>
set transid <integer>
set type {SCTP}
set startip <ipv4-address-any>
set endip <ipv4-address-any>
set map-startip <ipv4-address-any>
end


Description
Configuration | Description | Default Value
transid | IP translation ID. |
type | IP translation type. | SCTP
startip | Start IP. | 0.0.0.0
endip | End IP. | 0.0.0.0
map-startip | Mapped start IP. | 0.0.0.0


firewall/ippool
CLI Syntax
config firewall ippool
edit <name_str>
set name <string>
set type {overload | one-to-one | fixed-port-range | port-block-allocation}
set startip <ipv4-address-any>
set endip <ipv4-address-any>
set source-startip <ipv4-address-any>
set source-endip <ipv4-address-any>
set block-size <integer>
set num-blocks-per-user <integer>
set permit-any-host {disable | enable}
set arp-reply {disable | enable}
set arp-intf <string>
set comments <var-string>
end


Description
Configuration | Description | Default Value
name | IP pool name. | (Empty)
type | IP pool type. | overload
startip | Start IP. | 0.0.0.0
endip | End IP. | 0.0.0.0
source-startip | Source start IP. | 0.0.0.0
source-endip | Source end IP. | 0.0.0.0
block-size | Block size. | 128
num-blocks-per-user | Number of blocks per user (1 - 128). |
permit-any-host | Enable/disable full cone. | disable
arp-reply | Enable/disable ARP reply. | enable
arp-intf | ARP reply interface. Any if unset. | (Empty)
comments | Comment. | (Empty)


firewall/ippool6
CLI Syntax
config firewall ippool6
edit <name_str>
set name <string>
set startip <ipv6-address>
set endip <ipv6-address>
set comments <var-string>
end


Description
Configuration | Description | Default Value
name | IPv6 pool name. | (Empty)
startip | Start IP. | ::
endip | End IP. | ::
comments | Comment. | (Empty)


firewall/ipv6-eh-filter
CLI Syntax
config firewall ipv6-eh-filter
edit <name_str>
set hop-opt {enable | disable}
set dest-opt {enable | disable}
set hdopt-type <integer>
set routing {enable | disable}
set routing-type <integer>
set fragment {enable | disable}
set auth {enable | disable}
set no-next {enable | disable}
end


Description
Configuration | Description | Default Value
hop-opt | Block packets with Hop-by-Hop Options header. | disable
dest-opt | Block packets with Destination Options header. | disable
hdopt-type | Block specific Hop-by-Hop and/or Destination Option types (maximum 7 types, each between 0 and 255). | (Empty)
routing | Block packets with Routing header. | enable
routing-type | Block specific Routing header types (maximum 7 types, each between 0 and 255). |
fragment | Block packets with Fragment header. | disable
auth | Block packets with Authentication header. | disable
no-next | Block packets with No Next header. | disable
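The ipv6-eh-filter options above each describe one block decision over the IPv6 extension-header chain. The following Python is an added illustration of that decision logic, not code from this reference or from Fortinet: it walks the extension-header chain of a packet as laid out in RFC 8200 and applies filter settings named after the CLI options, with defaults matching the table (only the Routing header blocked). The packet bytes, the two filter dictionaries and every function name are constructed for this example.

```python
import struct

# Next Header numbers from RFC 8200 / IANA.
HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, NO_NEXT, DEST_OPTS, TCP = 0, 43, 44, 51, 59, 60, 6

# Filter settings named after the CLI options; defaults follow the table above
# (only the Routing header is blocked). Both dictionaries are constructed for the example.
DEFAULT_FILTER = {
    "hop-opt": False, "dest-opt": False, "hdopt-type": set(),
    "routing": True, "routing-type": set(),
    "fragment": False, "auth": False, "no-next": False,
}
STRICT_FILTER = dict(DEFAULT_FILTER, routing=False,
                     **{"routing-type": {0}, "hdopt-type": {5}, "fragment": True})


def parse_options(data):
    """Return option types in a Hop-by-Hop/Destination Options body; padding is skipped."""
    types, i = [], 0
    while i < len(data):
        opt_type = data[i]
        if opt_type == 0:                 # Pad1: one byte, no length field
            i += 1
            continue
        if opt_type != 1:                 # PadN (type 1) is padding, not a real option
            types.append(opt_type)
        i += 2 + data[i + 1]              # type, length, value
    return types


def parse_ext_headers(payload, first_nh):
    """Walk the extension-header chain (RFC 8200); return [(next_header, info), ...]."""
    headers, nh, off = [], first_nh, 0
    while True:
        if nh == NO_NEXT:
            return headers + [(nh, {})]
        if nh in (HOP_BY_HOP, DEST_OPTS):
            length = (payload[off + 1] + 1) * 8
            headers.append((nh, {"option_types": parse_options(payload[off + 2:off + length])}))
        elif nh == ROUTING:
            length = (payload[off + 1] + 1) * 8
            headers.append((nh, {"routing_type": payload[off + 2]}))
        elif nh == FRAGMENT:
            length = 8                    # Fragment header is always 8 bytes
            headers.append((nh, {}))
        elif nh == AUTH:
            length = (payload[off + 1] + 2) * 4   # AH Payload Len is in 32-bit words minus 2
            headers.append((nh, {}))
        else:
            return headers                # upper-layer header reached (TCP, UDP, ICMPv6, ...)
        nh, off = payload[off], off + length


def should_block(ext_headers, filt):
    """Return the name of the filter option that blocks the chain, or None if it passes."""
    for nh, info in ext_headers:
        if nh in (HOP_BY_HOP, DEST_OPTS):
            key = "hop-opt" if nh == HOP_BY_HOP else "dest-opt"
            if filt[key]:
                return key
            if filt["hdopt-type"].intersection(info["option_types"]):
                return "hdopt-type"
        elif nh == ROUTING:
            if filt["routing"]:
                return "routing"
            if info["routing_type"] in filt["routing-type"]:
                return "routing-type"
        elif nh == FRAGMENT and filt["fragment"]:
            return "fragment"
        elif nh == AUTH and filt["auth"]:
            return "auth"
        elif nh == NO_NEXT and filt["no-next"]:
            return "no-next"
    return None


def evaluate(packet, filt=DEFAULT_FILTER):
    """Decide for a raw IPv6 packet (40-byte fixed header plus payload)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    if len(filt["hdopt-type"]) > 7 or len(filt["routing-type"]) > 7:
        raise ValueError("at most 7 option/routing types may be listed")  # limit from the table
    return should_block(parse_ext_headers(packet[40:], packet[6]), filt)


def ipv6_packet(first_nh, payload):
    """Constructed packet: fixed header (version 6, hop limit 64, 2001:db8:: documentation prefix)."""
    src = bytes.fromhex("20010db8" + "0" * 23 + "1")
    dst = bytes.fromhex("20010db8" + "0" * 23 + "2")
    return struct.pack("!IHBB", 0x60000000, len(payload), first_nh, 64) + src + dst + payload


TCP_STUB = bytes(20)                                       # placeholder TCP header
SAMPLE_PLAIN_TCP = ipv6_packet(TCP, TCP_STUB)
# Routing header of type 0, then TCP.
SAMPLE_ROUTING_TYPE0 = ipv6_packet(ROUTING, bytes([TCP, 0, 0, 0, 0, 0, 0, 0]) + TCP_STUB)
# Hop-by-Hop header carrying a Router Alert option (type 5, len 2) plus PadN, then TCP.
SAMPLE_HBH_ROUTER_ALERT = ipv6_packet(HOP_BY_HOP, bytes([TCP, 0, 5, 2, 0, 0, 1, 0]) + TCP_STUB)
# Fragment header (offset 0, M=0, identification 1), then TCP.
SAMPLE_FRAGMENT = ipv6_packet(FRAGMENT, bytes([TCP, 0, 0, 0, 0, 0, 0, 1]) + TCP_STUB)

if __name__ == "__main__":
    for name in ("SAMPLE_PLAIN_TCP", "SAMPLE_ROUTING_TYPE0", "SAMPLE_HBH_ROUTER_ALERT", "SAMPLE_FRAGMENT"):
        pkt = globals()[name]
        print(f"{name}: default={evaluate(pkt)} strict={evaluate(pkt, STRICT_FILTER)}")
```

Run as a script, it prints the verdict for each constructed packet under the default settings and under a stricter set that blocks Routing type 0, Router Alert options and fragments. The first matching option wins, which is why a chain is returned as a list in order: the check stops at the first header the filter objects to.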


firewall/ldb-monitor
CLI Syntax
config firewall ldb-monitor
edit <name_str>
set name <string>
set type {ping | tcp | http | passive-sip}
set interval <integer>
set timeout <integer>
set retry <integer>
set port <integer>
set http-get <string>
set http-match <string>
set http-max-redirects <integer>
end


Description
Configuration | Description | Default Value
name | Monitor name. | (Empty)
type | Monitor type. | (Empty)
interval | Detect interval. | 10
timeout | Detect request timeout. |
retry | Number of detect tries before bringing the server down. |
port | Service port. |
http-get | HTTP get URL string. | (Empty)
http-match | String for matching HTTP-get response. | (Empty)
http-max-redirects | The maximum number of HTTP redirects to be allowed. |


firewall/local-in-policy
CLI Syntax
config firewall local-in-policy
edit <name_str>
set policyid <integer>
set ha-mgmt-intf-only {enable | disable}
set intf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny}
config service
edit <name_str>
set name <string>
end
set schedule <string>
set status {enable | disable}
end


Description
Configuration | Description | Default Value
policyid | User defined local in policy ID. |
ha-mgmt-intf-only | Enable/disable dedication of HA management interface only for local-in policy. | disable
intf | Source interface name. | (Empty)
srcaddr | Source address name. | (Empty)
dstaddr | Destination address name. | (Empty)
action | Local-In policy action. | deny
service | Service name. | (Empty)
schedule | Schedule name. | (Empty)
status | Enable/disable policy status. | enable


firewall/local-in-policy6
CLI Syntax
config firewall local-in-policy6
edit <name_str>
set policyid <integer>
set intf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny}
config service
edit <name_str>
set name <string>
end
set schedule <string>
set status {enable | disable}
end


Description
Configuration | Description | Default Value
policyid | User defined local in policy ID. |
intf | Source interface name. | (Empty)
srcaddr | Source address name. | (Empty)
dstaddr | Destination address name. | (Empty)
action | Local-In policy action. | deny
service | Service name. | (Empty)
schedule | Schedule name. | (Empty)
status | Enable/disable policy status. | enable


firewall/multicast-address
CLI Syntax
config firewall multicast-address
edit <name_str>
set name <string>
set type {multicastrange | broadcastmask}
set subnet <ipv4-classnet-any>
set start-ip <ipv4-address-any>
set end-ip <ipv4-address-any>
set comment <var-string>
set visibility {enable | disable}
set associated-interface <string>
set color <integer>
config tags
edit <name_str>
set name <string>
end
end


Description
Configuration | Description | Default Value
name | Multicast address name. | (Empty)
type | Multicast address type. | multicastrange
subnet | Broadcast address and subnet. | 0.0.0.0 0.0.0.0
start-ip | Start IP. | 0.0.0.0
end-ip | End IP. | 0.0.0.0
comment | Comment. | (Empty)
visibility | Enable/disable multicast address visibility. | enable
associated-interface | Associated interface name. | (Empty)
color | GUI icon color. |
tags | Applied object tags. | (Empty)


firewall/multicast-address6
CLI Syntax
config firewall multicast-address6
edit <name_str>
set name <string>
set ip6 <ipv6-network>
set comment <var-string>
set visibility {enable | disable}
set color <integer>
config tags
edit <name_str>
set name <string>
end
end


Description
Configuration | Description | Default Value
name | IPv6 multicast address name. | (Empty)
ip6 | IPv6 address prefix. | ::/0
comment | Comment. | (Empty)
visibility | Enable/disable multicast address visibility. | enable
color | GUI icon color. |
tags | Applied object tags. | (Empty)


firewall/multicast-policy
CLI Syntax
config firewall multicast-policy
edit <name_str>
set id <integer>
set status {enable | disable}
set logtraffic {enable | disable}
set srcintf <string>
set dstintf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set snat {enable | disable}
set snat-ip <ipv4-address>
set dnat <ipv4-address-any>
set action {accept | deny}
set protocol <integer>
set start-port <integer>
set end-port <integer>
set auto-asic-offload {enable | disable}
end


Description
Configuration | Description | Default Value
id | Policy ID. |
status | Enable/disable policy status. | enable
logtraffic | Enable/disable policy log traffic. | disable
srcintf | Source interface name. | (Empty)
dstintf | Destination interface name. | (Empty)
srcaddr | Source address name. | (Empty)
dstaddr | Destination address name. | (Empty)
snat | Enable/disable NAT source address. | disable
snat-ip | NAT source address. | 0.0.0.0
dnat | NAT destination address. | 0.0.0.0
action | Policy action. | accept
protocol | Protocol number. |
start-port | Start port number. |
end-port | End port number. | 65535
auto-asic-offload | Enable/disable policy traffic ASIC offloading. | enable


firewall/multicast-policy6
CLI Syntax
config firewall multicast-policy6
edit <name_str>
set id <integer>
set status {enable | disable}
set logtraffic {enable | disable}
set srcintf <string>
set dstintf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny}
set protocol <integer>
set start-port <integer>
set end-port <integer>
set auto-asic-offload {enable | disable}
end


Description
Configuration | Description | Default Value
id | Policy ID. |
status | Enable/disable multicast IPv6 policy status. | enable
logtraffic | Enable/disable multicast IPv6 policy log traffic. | disable
srcintf | IPv6 source interface name. | (Empty)
dstintf | IPv6 destination interface name. | (Empty)
srcaddr | IPv6 source address name. | (Empty)
dstaddr | IPv6 destination address name. | (Empty)
action | Policy action. | accept
protocol | Protocol number. |
start-port | Start port number. |
end-port | End port number. | 65535
auto-asic-offload | Enable/disable policy traffic ASIC offloading. | enable


firewall/policy
CLI Syntax
config firewall policy
edit <name_str>
set policyid <integer>
set name <string>
set uuid <uuid>
config srcintf
edit <name_str>
set name <string>
end
config dstintf
edit <name_str>
set name <string>
end
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set rtp-nat {disable | enable}
config rtp-addr
edit <name_str>
set name <string>
end
set learning-mode {enable | disable}
set action {accept | deny | ipsec | ssl-vpn}
set send-deny-packet {disable | enable}
set firewall-session-dirty {check-all | check-new}
set status {enable | disable}
set schedule <string>
set schedule-timeout {enable | disable}
config service
edit <name_str>
set name <string>
end
set utm-status {enable | disable}
set profile-type {single | group}
set profile-group <string>
set av-profile <string>
set webfilter-profile <string>
set dnsfilter-profile <string>
set spamfilter-profile <string>
set dlp-sensor <string>
set ips-sensor <string>
set application-list <string>
set casi-profile <string>
set voip-profile <string>
set icap-profile <string>
set waf-profile <string>
set profile-protocol-options <string>
set ssl-ssh-profile <string>
set logtraffic {all | utm | disable}
set logtraffic-start {enable | disable}
set capture-packet {enable | disable}
set auto-asic-offload {enable | disable}
set wanopt {enable | disable}
set wanopt-detection {active | passive | off}
set wanopt-passive-opt {default | transparent | non-transparent}
set wanopt-profile <string>
set wanopt-peer <string>
set webcache {enable | disable}
set webcache-https {disable | ssl-server | any | enable}
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
set nat {enable | disable}
set permit-any-host {enable | disable}
set permit-stun-host {enable | disable}
set fixedport {enable | disable}
set ippool {enable | disable}
config poolname
edit <name_str>
set name <string>
end
set session-ttl <integer>
set vlan-cos-fwd <integer>
set vlan-cos-rev <integer>
set inbound {enable | disable}
set outbound {enable | disable}
set natinbound {enable | disable}
set natoutbound {enable | disable}
set wccp {enable | disable}
set ntlm {enable | disable}
set ntlm-guest {enable | disable}
config ntlm-enabled-browsers
edit <name_str>
set user-agent-string <string>
end
set fsso {enable | disable}
set wsso {enable | disable}
set rsso {enable | disable}
set fsso-agent-for-ntlm <string>
config groups
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config devices
edit <name_str>
set name <string>
end
set auth-path {enable | disable}
set disclaimer {enable | disable}
set vpntunnel <string>
set natip <ipv4-classnet>
set match-vip {enable | disable}
set diffserv-forward {enable | disable}
set diffserv-reverse {enable | disable}
set diffservcode-forward <user>
set diffservcode-rev <user>
set tcp-mss-sender <integer>
set tcp-mss-receiver <integer>
set comments <var-string>
set label <string>
set global-label <string>
set auth-cert <string>
set auth-redirect-addr <string>
set redirect-url <string>
set identity-based-route <string>
set block-notification {enable | disable}
config custom-log-fields
edit <name_str>
set field-id <string>
end
config tags
edit <name_str>
set name <string>
end
set replacemsg-override-group <string>
set srcaddr-negate {enable | disable}
set dstaddr-negate {enable | disable}
set service-negate {enable | disable}
set timeout-send-rst {enable | disable}
set captive-portal-exempt {enable | disable}
set ssl-mirror {enable | disable}
config ssl-mirror-intf
edit <name_str>
set name <string>
end
set scan-botnet-connections {disable | block | monitor}
set dsri {enable | disable}
set delay-tcp-npu-sessoin {enable | disable}
end


Description
Configuration | Description | Default Value
policyid | Policy ID. |
name | Policy name. | (Empty)
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
srcintf | Source interface name. | (Empty)
dstintf | Destination interface name. | (Empty)
srcaddr | Source address name. | (Empty)
dstaddr | Destination address name. | (Empty)
rtp-nat | Enable/disable use of this policy for RTP NAT. | disable
rtp-addr | RTP NAT address name. | (Empty)
learning-mode | Enable/disable learning mode for policy. | disable
action | Policy action. | deny
send-deny-packet | Enable/disable deny-packet sending. | disable
firewall-session-dirty | Packet session management. | check-all
status | Enable/disable policy status. | enable
schedule | Schedule name. | (Empty)
schedule-timeout | Enable/disable schedule timeout. | disable
service | Service name. | (Empty)
utm-status | Enable AV/web/IPS protection profile. | disable
profile-type | Profile type. | single
profile-group | Profile group. | (Empty)
av-profile | Antivirus profile. | (Empty)
webfilter-profile | Web filter profile. | (Empty)
dnsfilter-profile | DNS filter profile. | (Empty)
spamfilter-profile | Spam filter profile. | (Empty)
dlp-sensor | DLP sensor. | (Empty)
ips-sensor | IPS sensor. | (Empty)
application-list | Application list. | (Empty)
casi-profile | CASI profile. | (Empty)
voip-profile | VoIP profile. | (Empty)
icap-profile | ICAP profile. | (Empty)
waf-profile | Web application firewall profile. | (Empty)
profile-protocol-options | Profile protocol options. | (Empty)
ssl-ssh-profile | SSL SSH Profile. | (Empty)
logtraffic | Enable/disable policy log traffic. | utm
logtraffic-start | Enable/disable policy log traffic start. | disable
capture-packet | Enable/disable capture packets. | disable
auto-asic-offload | Enable/disable policy traffic ASIC offloading. | enable
wanopt | Enable/disable WAN optimization. | disable
wanopt-detection | WAN optimization auto-detection mode. | active
wanopt-passive-opt | WAN optimization passive mode options. This option decides what IP address will be used to connect to the server. | default
wanopt-profile | WAN optimization profile. | (Empty)
wanopt-peer | WAN optimization peer. | (Empty)
webcache | Enable/disable web cache. | disable
webcache-https | Enable/disable web cache for HTTPS. | disable
traffic-shaper | Traffic shaper. | (Empty)
traffic-shaper-reverse | Traffic shaper for the reverse direction. | (Empty)
per-ip-shaper | Per-IP shaper. | (Empty)
nat | Enable/disable policy NAT. | disable
permit-any-host | Enable/disable permit any host in. | disable
permit-stun-host | Enable/disable permit stun host in. | disable
fixedport | Enable/disable policy fixed port. | disable
ippool | Enable/disable policy IP pool. | disable

poolname

Policy IP pool names.

(Empty)

session-ttl

Session TTL.

vlan-cos-fwd

VLAN forward direction user priority.

255

vlan-cos-rev

VLAN reverse direction user priority.

255

inbound

Enable/disable policy inbound.

disable

outbound

Enable/disable policy outbound.

disable

natinbound

Enable/disable policy NAT inbound.

disable

natoutbound

Enable/disable policy NAT outbound.

disable

wccp

Enable/disable Web Cache Coordination Protocol


(WCCP).

disable

ntlm

Enable/disable NTLM authentication.

disable

ntlm-guest

Enable/disable guest user for NTLM


authentication.

disable

ntlm-enabled-browsers

User agent strings for NTLM enabled browsers.

(Empty)

fsso

Enable/disable Fortinet Single Sign-On.

disable

wsso

Enable/disable WiFi Single Sign-On.

enable

rsso

Enable/disable RADIUS Single Sign-On.

disable

fsso-agent-for-ntlm

Specify FSSO agent for NTLM authentication.

(Empty)

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

153

groups

User authentication groups.

(Empty)

users

User name.

(Empty)

devices

Devices or device groups.

(Empty)

auth-path

Enable/disable authentication-based routing.

disable

disclaimer

Enable/disable user authentication disclaimer.

disable

vpntunnel

Policy VPN tunnel.

(Empty)

natip

NAT address.

0.0.0.0 0.0.0.0

match-vip

Enable/disable match DNATed packet.

disable

diffserv-forward

Enable/disable forward (original) traffic DiffServ.

disable

diffserv-reverse

Enable/disable reverse (reply) traffic DiffServ.

disable

diffservcode-forward

Forward (original) traffic DiffServ code point


value.

000000

diffservcode-rev

Reverse (reply) traffic DiffServ code point value.

000000

tcp-mss-sender

TCP MSS value of sender.

tcp-mss-receiver

TCP MSS value of receiver.

comments

Comment.

(Empty)

label

Label for section view.

(Empty)

global-label

Label for global view.

(Empty)

auth-cert

HTTPS server certificate for policy authentication.

(Empty)

auth-redirect-addr

HTTP-to-HTTPS redirect address for firewall


authentication.

(Empty)

redirect-url

URL redirection after disclaimer/authentication.

(Empty)

identity-based-route

Name of identity-based routing rule.

(Empty)

block-notification

Enable/disable block notification.

disable

custom-log-fields

Custom log fields.

(Empty)

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

154

tags

Applied object tags.

(Empty)

replacemsg-overridegroup

Specify authentication replacement message


override group.

(Empty)

srcaddr-negate

Enable/disable negated source address match.

disable

dstaddr-negate

Enable/disable negated destination address


match.

disable

service-negate

Enable/disable negated service match.

disable

timeout-send-rst

Enable/disable sending of RST packet upon TCP


session expiration.

disable

captive-portal-exempt

Enable/disable exemption of captive portal.

disable

ssl-mirror

Enable/disable SSL mirror.

disable

ssl-mirror-intf

Mirror interface name.

(Empty)

scan-botnetconnections

Enable/disable scanning of connections to Botnet


servers.

disable

dsri

Enable/disable DSRI.

disable

delay-tcp-npu-sessoin

Enable/disable TCP NPU session delay in order


to guarantee packet order of 3-way handshake.

disable
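The following is an added example and is not part of the FortiOS reference text. It shows how the options in the table above combine into two policies. The interface, address, service and profile names ("wan1", "internal", "blocked-sources", "lan-clients" and the "default" UTM profiles) are assumptions; replace them with objects that exist on the unit. Two points the table alone does not make obvious: a deny policy does not match traffic whose destination has already been rewritten by a VIP unless match-vip is enabled, and the *-negate options invert a match, so a negated address on an accept policy admits everything outside the listed object.

```fortios
# Added example, not from the FortiOS reference. Interface, address, service and
# profile names are assumptions; use the objects defined on your unit.
config firewall policy
    # Inbound deny that also matches sessions already DNATed by a VIP.
    # Without "match-vip enable" this policy is skipped for VIP traffic and
    # the block silently fails.
    edit 1
        set name "deny-blocked-sources"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "blocked-sources"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
        set match-vip enable
        set send-deny-packet disable      # drop silently; RST/ICMP replies help scanners map the ruleset
        set logtraffic all                # the default "utm" logs only sessions that raise a UTM event
    next
    # Outbound web access: explicit services, inspection on, every session logged.
    edit 10
        set name "lan-to-internet-web"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "lan-clients"         # keep srcaddr-negate off here: a negated match inverts the rule
        set dstaddr "all"
        set service "DNS" "HTTP" "HTTPS"
        set schedule "always"
        set action accept
        set utm-status enable
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set scan-botnet-connections block # default "disable": known C2 destinations are not checked
        set logtraffic all
        set nat enable
    next
end
```

Confirm the result with show firewall policy 1 and show firewall policy 10; only values that differ from the defaults in the table are displayed.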


firewall/policy46
CLI Syntax
config firewall policy46
edit <name_str>
set permit-any-host {enable | disable}
set policyid <integer>
set uuid <uuid>
set srcintf <string>
set dstintf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny}
set status {enable | disable}
set schedule <string>
config service
edit <name_str>
set name <string>
end
set logtraffic {enable | disable}
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
set fixedport {enable | disable}
set tcp-mss-sender <integer>
set tcp-mss-receiver <integer>
set comments <var-string>
config tags
edit <name_str>
set name <string>
end
end


Description
Configuration | Description | Default Value
permit-any-host | Enable/disable permit any host in. | disable
policyid | Policy ID.
uuid | Universally Unique Identifier. | 00000000-0000-0000-0000-000000000000
srcintf | Source interface name. | (Empty)
dstintf | Destination interface name. | (Empty)
srcaddr | Source address name. | (Empty)
dstaddr | Destination address name. | (Empty)
action | Policy action. | deny
status | Policy status. | enable
schedule | Schedule name. | (Empty)
service | Service name. | (Empty)
logtraffic | Enable/disable traffic log. | disable
traffic-shaper | Traffic shaper. | (Empty)
traffic-shaper-reverse | Reverse traffic shaper. | (Empty)
per-ip-shaper | Per-IP traffic shaper. | (Empty)
fixedport | Enable/disable policy fixed port. | disable
tcp-mss-sender | TCP MSS value of sender.
tcp-mss-receiver | TCP MSS value of receiver.
comments | Comment. | (Empty)
tags | Applied object tags. | (Empty)


firewall/policy6
CLI Syntax
config firewall policy6
edit <name_str>
set policyid <integer>
set name <string>
set uuid <uuid>
config srcintf
edit <name_str>
set name <string>
end
config dstintf
edit <name_str>
set name <string>
end
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny | ipsec | ssl-vpn}
set firewall-session-dirty {check-all | check-new}
set status {enable | disable}
set vlan-cos-fwd <integer>
set vlan-cos-rev <integer>
set schedule <string>
config service
edit <name_str>
set name <string>
end
set utm-status {enable | disable}
set profile-type {single | group}
set profile-group <string>
set av-profile <string>
set webfilter-profile <string>
set spamfilter-profile <string>
set dlp-sensor <string>
set ips-sensor <string>
set application-list <string>
set casi-profile <string>
set voip-profile <string>
set icap-profile <string>
set profile-protocol-options <string>
set ssl-ssh-profile <string>
set logtraffic {all | utm | disable}
set logtraffic-start {enable | disable}
set auto-asic-offload {enable | disable}
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
set nat {enable | disable}
set fixedport {enable | disable}
set ippool {enable | disable}
config poolname
edit <name_str>
set name <string>
end
set session-ttl <integer>
set inbound {enable | disable}
set outbound {enable | disable}
set natinbound {enable | disable}
set natoutbound {enable | disable}
set send-deny-packet {enable | disable}
set vpntunnel <string>
set diffserv-forward {enable | disable}
set diffserv-reverse {enable | disable}
set diffservcode-forward <user>
set diffservcode-rev <user>
set tcp-mss-sender <integer>
set tcp-mss-receiver <integer>
set comments <var-string>
set label <string>
set global-label <string>
set rsso {enable | disable}
config custom-log-fields
edit <name_str>
set field-id <string>
end
config tags
edit <name_str>
set name <string>
end
set replacemsg-override-group <string>
set srcaddr-negate {enable | disable}
set dstaddr-negate {enable | disable}
set service-negate {enable | disable}
config groups
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config devices
edit <name_str>
set name <string>
end
set timeout-send-rst {enable | disable}
set ssl-mirror {enable | disable}
config ssl-mirror-intf
edit <name_str>
set name <string>
end
set dsri {enable | disable}
end


Description
Configuration | Description | Default Value
policyid | Policy ID.
name | Policy name. | (Empty)
uuid | Universally Unique Identifier. | 00000000-0000-0000-0000-000000000000
srcintf | Source interface name. | (Empty)
dstintf | Destination interface name. | (Empty)
srcaddr | Source address name. | (Empty)
dstaddr | Destination address name. | (Empty)
action | Policy action. | deny
firewall-session-dirty | Packet session management. | check-all
status | Enable/disable policy status. | enable
vlan-cos-fwd | VLAN forward direction user priority. | 255
vlan-cos-rev | VLAN reverse direction user priority. | 255
schedule | Schedule name. | (Empty)
service | Service name. | (Empty)
utm-status | Enable AV/web/IPS protection profile. | disable
profile-type | Profile type. | single
profile-group | Profile group. | (Empty)
av-profile | Antivirus profile. | (Empty)
webfilter-profile | Web filter profile. | (Empty)
spamfilter-profile | Spam filter profile. | (Empty)
dlp-sensor | DLP sensor. | (Empty)
ips-sensor | IPS sensor. | (Empty)
application-list | Application list. | (Empty)
casi-profile | CASI profile. | (Empty)
voip-profile | VoIP profile. | (Empty)
icap-profile | ICAP profile. | (Empty)
profile-protocol-options | Profile protocol options. | (Empty)
ssl-ssh-profile | SSL/SSH profile. | (Empty)
logtraffic | Policy traffic logging (all, utm or disable). | utm
logtraffic-start | Enable/disable logging of session start. | disable
auto-asic-offload | Enable/disable policy traffic ASIC offloading. | enable
traffic-shaper | Traffic shaper. | (Empty)
traffic-shaper-reverse | Reverse traffic shaper. | (Empty)
per-ip-shaper | Per-IP shaper. | (Empty)
nat | Enable/disable policy NAT. | disable
fixedport | Enable/disable policy fixed port. | disable
ippool | Enable/disable policy IP pool. | disable
poolname | Policy IP pool names. | (Empty)
session-ttl | Session TTL.
inbound | Enable/disable policy inbound. | disable
outbound | Enable/disable policy outbound. | disable
natinbound | Enable/disable policy NAT inbound. | disable
natoutbound | Enable/disable policy NAT outbound. | disable
send-deny-packet | Enable/disable return of a deny packet. | disable
vpntunnel | Policy VPN tunnel. | (Empty)
diffserv-forward | Enable/disable forward (original) traffic DiffServ. | disable
diffserv-reverse | Enable/disable reverse (reply) traffic DiffServ. | disable
diffservcode-forward | Forward (original) traffic DiffServ code point value. | 000000
diffservcode-rev | Reverse (reply) traffic DiffServ code point value. | 000000
tcp-mss-sender | TCP MSS value of sender.
tcp-mss-receiver | TCP MSS value of receiver.
comments | Comment. | (Empty)
label | Label for section view. | (Empty)
global-label | Label for global view. | (Empty)
rsso | Enable/disable RADIUS Single Sign-On. | disable
custom-log-fields | Custom log fields. | (Empty)
tags | Applied object tags. | (Empty)
replacemsg-override-group | Specify authentication replacement message override group. | (Empty)
srcaddr-negate | Enable/disable negated source address match. | disable
dstaddr-negate | Enable/disable negated destination address match. | disable
service-negate | Enable/disable negated service match. | disable
groups | User authentication groups. | (Empty)
users | User name. | (Empty)
devices | Devices or device groups. | (Empty)
timeout-send-rst | Enable/disable sending of an RST packet upon TCP session expiration. | disable
ssl-mirror | Enable/disable SSL mirror. | disable
ssl-mirror-intf | Mirror interface name. | (Empty)
dsri | Enable/disable DSRI (Disable Server Response Inspection). | disable


firewall/policy64
CLI Syntax
config firewall policy64
edit <name_str>
set policyid <integer>
set uuid <uuid>
set srcintf <string>
set dstintf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny}
set status {enable | disable}
set schedule <string>
config service
edit <name_str>
set name <string>
end
set logtraffic {enable | disable}
set permit-any-host {enable | disable}
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
set fixedport {enable | disable}
set ippool {enable | disable}
config poolname
edit <name_str>
set name <string>
end
set tcp-mss-sender <integer>
set tcp-mss-receiver <integer>
set comments <var-string>
config tags
edit <name_str>
set name <string>
end
end


Description
Configuration | Description | Default Value
policyid | Policy ID.
uuid | Universally Unique Identifier. | 00000000-0000-0000-0000-000000000000
srcintf | Source interface name. | (Empty)
dstintf | Destination interface name. | (Empty)
srcaddr | Source address name. | (Empty)
dstaddr | Destination address name. | (Empty)
action | Policy action. | deny
status | Enable/disable policy status. | enable
schedule | Schedule name. | (Empty)
service | Service name. | (Empty)
logtraffic | Enable/disable policy traffic log. | disable
permit-any-host | Enable/disable permit any host in. | disable
traffic-shaper | Traffic shaper. | (Empty)
traffic-shaper-reverse | Reverse traffic shaper. | (Empty)
per-ip-shaper | Per-IP traffic shaper. | (Empty)
fixedport | Enable/disable policy fixed port. | disable
ippool | Enable/disable policy64 IP pool. | disable
poolname | Policy IP pool names. | (Empty)
tcp-mss-sender | TCP MSS value of sender.
tcp-mss-receiver | TCP MSS value of receiver.
comments | Comment. | (Empty)
tags | Applied object tags. | (Empty)


firewall/profile-group
CLI Syntax
config firewall profile-group
edit <name_str>
set name <string>
set av-profile <string>
set webfilter-profile <string>
set dnsfilter-profile <string>
set spamfilter-profile <string>
set dlp-sensor <string>
set ips-sensor <string>
set application-list <string>
set casi-profile <string>
set voip-profile <string>
set icap-profile <string>
set waf-profile <string>
set profile-protocol-options <string>
set ssl-ssh-profile <string>
end


Description
Configuration | Description | Default Value
name | Profile group name. | (Empty)
av-profile | Antivirus profile. | (Empty)
webfilter-profile | Web filter profile. | (Empty)
dnsfilter-profile | DNS filter profile. | (Empty)
spamfilter-profile | Spam filter profile. | (Empty)
dlp-sensor | DLP sensor. | (Empty)
ips-sensor | IPS sensor. | (Empty)
application-list | Application list. | (Empty)
casi-profile | CASI profile. | (Empty)
voip-profile | VoIP profile. | (Empty)
icap-profile | ICAP profile. | (Empty)
waf-profile | Web application firewall profile. | (Empty)
profile-protocol-options | Profile protocol options. | (Empty)
ssl-ssh-profile | SSL/SSH profile. | (Empty)


firewall/profile-protocol-options
CLI Syntax
config firewall profile-protocol-options
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
set oversize-log {disable | enable}
set switching-protocols-log {disable | enable}
config http
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {clientcomfort | servercomfort | oversize | no-content-summary | chunkedbypass}
set comfort-interval <integer>
set comfort-amount <integer>
set range-block {disable | enable}
set post-lang {jisx0201 | jisx0208 | jisx0212 | gb2312 | ksc5601-ex | euc-jp | sjis | iso2022-jp | iso2022-jp-1 | iso2022-jp-2 | euc-cn | ces-gbk | hz | ces-big5 | euc-kr | iso2022-jp-3 | iso8859-1 | tis620 | cp874 | cp1252 | cp1251}
set fortinet-bar {enable | disable}
set fortinet-bar-port <integer>
set streaming-content-bypass {enable | disable}
set switching-protocols {bypass | block}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
set block-page-status-code <integer>
set retry-count <integer>
end
config ftp
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {clientcomfort | oversize | no-content-summary | splice | bypass-rest-command | bypass-mode-command}
set comfort-interval <integer>
set comfort-amount <integer>
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
config imap
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {fragmail | oversize | no-content-summary}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
config mapi
edit <name_str>
set ports <integer>
set status {enable | disable}
set options {fragmail | oversize | no-content-summary}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
config pop3
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {fragmail | oversize | no-content-summary}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
config smtp
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {fragmail | oversize | no-content-summary | splice}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
set server-busy {enable | disable}
end
config nntp
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {oversize | no-content-summary | splice}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
config dns
edit <name_str>
set ports <integer>
set status {enable | disable}
end
config mail-signature
edit <name_str>
set status {disable | enable}
set signature <string>
end
set rpc-over-http {enable | disable}
end


Description
Configuration | Description | Default Value
name | Name. | (Empty)
comment | Comment. | (Empty)
replacemsg-group | Replacement message group. | (Empty)
oversize-log | Enable/disable logging for antivirus oversize file blocking. | disable
switching-protocols-log | Enable/disable logging of HTTP/HTTPS switching protocols. | disable
http | HTTP. | Details below
ftp | FTP. | Details below
imap | IMAP. | Details below
mapi | MAPI. | Details below
pop3 | POP3. | Details below
smtp | SMTP. | Details below
nntp | NNTP. | Details below
dns | DNS. | Details below
mail-signature | Mail signature. | Details below
rpc-over-http | Enable/disable inspection of RPC over HTTP. | enable

Details of each sub-table (configuration option and its default value):

http
    ports | (Empty)
    status | enable
    inspect-all | disable
    options | (Empty)
    comfort-interval | 10
    comfort-amount | 1
    range-block | disable
    post-lang | (Empty)
    fortinet-bar | disable
    fortinet-bar-port | 8011
    streaming-content-bypass | enable
    switching-protocols | bypass
    oversize-limit | 10
    uncompressed-oversize-limit | 10
    uncompressed-nest-limit | 12
    scan-bzip2 | enable
    block-page-status-code | 200
    retry-count | 0

ftp
    ports | (Empty)
    status | enable
    inspect-all | disable
    options | (Empty)
    comfort-interval | 10
    comfort-amount | 1
    oversize-limit | 10
    uncompressed-oversize-limit | 10
    uncompressed-nest-limit | 12
    scan-bzip2 | enable

imap
    ports | (Empty)
    status | enable
    inspect-all | disable
    options | (Empty)
    oversize-limit | 10
    uncompressed-oversize-limit | 10
    uncompressed-nest-limit | 12
    scan-bzip2 | enable

mapi
    ports | (Empty)
    status | enable
    options | (Empty)
    oversize-limit | 10
    uncompressed-oversize-limit | 10
    uncompressed-nest-limit | 12
    scan-bzip2 | enable

pop3
    ports | (Empty)
    status | enable
    inspect-all | disable
    options | (Empty)
    oversize-limit | 10
    uncompressed-oversize-limit | 10
    uncompressed-nest-limit | 12
    scan-bzip2 | enable

smtp
    ports | (Empty)
    status | enable
    inspect-all | disable
    options | (Empty)
    oversize-limit | 10
    uncompressed-oversize-limit | 10
    uncompressed-nest-limit | 12
    scan-bzip2 | enable
    server-busy | disable

nntp
    ports | (Empty)
    status | enable
    inspect-all | disable
    options | (Empty)
    oversize-limit | 10
    uncompressed-oversize-limit | 10
    uncompressed-nest-limit | 12
    scan-bzip2 | enable

dns
    ports | (Empty)
    status | enable

mail-signature
    status | disable
    signature | (Empty)
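The following is an added example and is not part of the FortiOS reference text. The defaults above pass files larger than oversize-limit without scanning, let HTTP protocol switching (Upgrade) through uninspected, and answer blocked requests with status 200. The profile below flips those choices so that the proxy fails closed; the profile name and the port lists are assumptions.

```fortios
# Added example, not from the FortiOS reference. The profile name and the port
# lists are assumptions.
config firewall profile-protocol-options
    edit "strict-proxy-options"
        set comment "Block what cannot be fully scanned instead of passing it"
        set oversize-log enable                # record every file dropped for exceeding oversize-limit
        set switching-protocols-log enable     # record HTTP Upgrade (protocol switch) attempts
        config http
            set ports 80 8080                  # inspect the alternate port as well as 80
            set status enable
            set options oversize               # block files above oversize-limit; by default they pass unscanned
            set oversize-limit 10              # MB; the default, raise it only with a reason
            set uncompressed-oversize-limit 10 # cap the inflated size of archives
            set uncompressed-nest-limit 12     # cap nesting depth, bounding decompression cost
            set scan-bzip2 enable
            set range-block enable             # refuse byte-range downloads that split one file across requests
            set switching-protocols block      # default "bypass" lets an Upgrade request tunnel past inspection
            set block-page-status-code 403     # default 200 makes a block look like success to scripted clients
        end
        config ftp
            set ports 21
            set status enable
            set options oversize
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
        end
        config dns
            set ports 53
            set status enable
        end
    next
end
```

range-block and switching-protocols block will break resumable downloads and WebSocket-style applications respectively, so apply the profile to policies where that cost is acceptable and watch the oversize and switching-protocols logs for the first days.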

firewall/shaping-policy
CLI Syntax
config firewall shaping-policy
edit <name_str>
set id <integer>
set status {enable | disable}
set ip-version {4 | 6}
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config srcaddr6
edit <name_str>
set name <string>
end
config dstaddr6
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config groups
edit <name_str>
set name <string>
end
config application
edit <name_str>
set id <integer>
end
config app-category
edit <name_str>
set id <integer>
end
config url-category
edit <name_str>
set id <integer>
end
config dstintf
edit <name_str>
set name <string>
end
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
end


Description
Configuration | Description | Default Value
id | Shaping policy ID.
status | Enable/disable traffic shaping policy. | enable
ip-version | IP version.
srcaddr | Source address. | (Empty)
dstaddr | Destination address. | (Empty)
srcaddr6 | IPv6 source address. | (Empty)
dstaddr6 | IPv6 destination address. | (Empty)
service | Service name. | (Empty)
users | User name. | (Empty)
groups | User authentication groups. | (Empty)
application | Application ID list. | (Empty)
app-category | Application category ID list. | (Empty)
url-category | URL category ID list. | (Empty)
dstintf | Destination interface list. | (Empty)
traffic-shaper | Forward traffic shaper. | (Empty)
traffic-shaper-reverse | Reverse traffic shaper. | (Empty)
per-ip-shaper | Per-IP shaper. | (Empty)


firewall/sniffer
CLI Syntax
config firewall sniffer
edit <name_str>
set id <integer>
set status {enable | disable}
set logtraffic {all | utm | disable}
set ipv6 {enable | disable}
set non-ip {enable | disable}
set interface <string>
set host <string>
set port <string>
set protocol <string>
set vlan <string>
set application-list-status {enable | disable}
set application-list <string>
set casi-profile-status {enable | disable}
set casi-profile <string>
set ips-sensor-status {enable | disable}
set ips-sensor <string>
set dsri {enable | disable}
set av-profile-status {enable | disable}
set av-profile <string>
set webfilter-profile-status {enable | disable}
set webfilter-profile <string>
set spamfilter-profile-status {enable | disable}
set spamfilter-profile <string>
set dlp-sensor-status {enable | disable}
set dlp-sensor <string>
set ips-dos-status {enable | disable}
config anomaly
edit <name_str>
set name <string>
set status {disable | enable}
set log {enable | disable}
set action {pass | block | proxy}
set quarantine {none | attacker | both | interface}
set quarantine-expiry <user>
set quarantine-log {disable | enable}
set threshold <integer>
set threshold(default) <integer>
end
set scan-botnet-connections {disable | block | monitor}
set max-packet-count <integer>
end


Description
Configuration | Description | Default Value
id | Sniffer ID.
status | Enable/disable sniffer status. | enable
logtraffic | Sniffer traffic logging (all, utm or disable). | utm
ipv6 | Enable/disable sniffer for IPv6 packets. | disable
non-ip | Enable/disable sniffer for non-IP packets. | disable
interface | Interface name. | (Empty)
host | Host list (IP, IP/mask or IP range). | (Empty)
port | Port list. | (Empty)
protocol | IP protocol list. | (Empty)
vlan | VLAN list. | (Empty)
application-list-status | Enable/disable application control. | disable
application-list | Application list name. | (Empty)
casi-profile-status | Enable/disable CASI (Cloud Access Security Inspection). | disable
casi-profile | CASI profile name. | (Empty)
ips-sensor-status | Enable/disable IPS sensor. | disable
ips-sensor | IPS sensor name. | (Empty)
dsri | Enable/disable DSRI (Disable Server Response Inspection). | disable
av-profile-status | Enable/disable antivirus. | disable
av-profile | Antivirus profile. | (Empty)
webfilter-profile-status | Enable/disable web filter. | disable
webfilter-profile | Web filter profile. | (Empty)
spamfilter-profile-status | Enable/disable spam filter. | disable
spamfilter-profile | Spam filter profile. | (Empty)
dlp-sensor-status | Enable/disable DLP sensor. | disable
dlp-sensor | DLP sensor. | (Empty)
ips-dos-status | Enable/disable IPS DoS anomaly detection. | disable
anomaly | Configure anomaly. | (Empty)
scan-botnet-connections | Scanning of connections to botnet servers (disable, block or monitor). | disable
max-packet-count | Maximum packet count. | 4000
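The following is an added example and is not part of the FortiOS reference text. It configures a sniffer policy as a passive IDS on a port that receives a SPAN/mirror feed. "port5", the monitored range and the profile names are assumptions; the interface must first be placed in one-arm sniffer mode, which is done in the system interface branch rather than in this one. Because the unit only sees a copy of the traffic, the example uses monitor/pass actions everywhere: a "block" action here logs as if it blocked but stops nothing.

```fortios
# Added example, not from the FortiOS reference. "port5", the address range and
# the profile names are assumptions. The interface-mode command belongs to the
# system interface branch and is shown here only because the sniffer needs it.
config system interface
    edit "port5"
        set ips-sniffer-mode enable
    next
end
config firewall sniffer
    edit 1
        set status enable
        set interface "port5"
        set logtraffic all                     # default "utm" logs only sessions that raise a UTM event
        set ipv6 enable                        # default disable: IPv6 on the span would otherwise go unseen
        set host "10.0.0.0/8"                  # constructed value: restrict to the monitored address space
        set ips-sensor-status enable
        set ips-sensor "all_default"
        set application-list-status enable
        set application-list "default"
        set av-profile-status enable
        set av-profile "default"
        set scan-botnet-connections monitor    # a passive copy cannot block; "monitor" still logs C2 contacts
        set dsri disable                       # keep inspecting server responses; there is no forwarding load to save
        set ips-dos-status enable
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action pass                # passive sensor: report, do not pretend to block
                set threshold 2000             # the default; tune to the segment's baseline
            next
        end
    next
end
```

Leave max-packet-count at its default unless the sniffer is also used for packet capture; the policy's value does not affect what the sensors see.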


firewall/ssl-server
CLI Syntax
config firewall ssl-server
edit <name_str>
set name <string>
set ip <ipv4-address-any>
set port <integer>
set ssl-mode {half | full}
set add-header-x-forwarded-proto {enable | disable}
set mapped-port <integer>
set ssl-cert <string>
set ssl-dh-bits {768 | 1024 | 1536 | 2048}
set ssl-algorithm {high | medium | low}
set ssl-client-renegotiation {allow | deny | secure}
set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-send-empty-frags {enable | disable}
set url-rewrite {enable | disable}
end


Description
Configuration | Description | Default Value
name | Server name. | (Empty)
ip | Server IP address. | 0.0.0.0
port | Server service port. | 443
ssl-mode | SSL/TLS mode for encryption and decryption of traffic (half or full). | full
add-header-x-forwarded-proto | Enable/disable adding an X-Forwarded-Proto header to forwarded requests. | enable
mapped-port | Mapped server service port. | 80
ssl-cert | Name of the certificate used for SSL connections to this server. | Fortinet_CA_SSL
ssl-dh-bits | Size of the Diffie-Hellman prime used in DHE-RSA negotiation. | 2048
ssl-algorithm | Relative strength of encryption algorithms accepted in negotiation. | high
ssl-client-renegotiation | Allow, deny, or permit only secure client-initiated renegotiation. | allow
ssl-min-version | Lowest SSL/TLS version to negotiate. | tls-1.0
ssl-max-version | Highest SSL/TLS version to negotiate. | tls-1.2
ssl-send-empty-frags | Enable/disable sending empty fragments to mitigate the CBC IV (BEAST) attack on SSL 3.0/TLS 1.0. | enable
url-rewrite | Enable/disable URL rewriting. | disable
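The following is an added example and is not part of the FortiOS reference text. Three of the defaults in the table deserve attention: ssl-min-version tls-1.0 still offers the CBC-era protocol the empty-fragment workaround exists for, ssl-client-renegotiation allow lets any client force repeated handshakes, and ssl-cert Fortinet_CA_SSL is a CA certificate rather than a certificate for the server's name, so clients will warn. The entry below changes all three; the server name, address and certificate name are assumptions.

```fortios
# Added example, not from the FortiOS reference. The server name, address and
# certificate name are assumptions.
config firewall ssl-server
    edit "intranet-web"
        set ip 10.1.1.20
        set port 443
        set ssl-mode full                        # re-encrypt towards the server; "half" sends cleartext to mapped-port
        set mapped-port 443
        set ssl-cert "intranet-web-cert"         # default Fortinet_CA_SSL is a CA certificate, not a server certificate
        set ssl-min-version tls-1.2              # default tls-1.0; nothing below 1.2 is negotiated
        set ssl-max-version tls-1.2
        set ssl-algorithm high                   # only the strongest cipher set the unit offers
        set ssl-dh-bits 2048                     # 768 and 1024 are selectable but below current minimums
        set ssl-client-renegotiation deny        # default "allow": client renegotiation is a CPU-exhaustion vector
        set ssl-send-empty-frags enable          # harmless at TLS 1.2; keeps the mitigation if min-version is ever lowered
        set add-header-x-forwarded-proto enable  # the origin learns that the client leg was HTTPS
    next
end
```

If a legacy client population forces ssl-min-version back to tls-1.0, keep ssl-send-empty-frags enabled and prefer ssl-client-renegotiation secure over allow.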


firewall/ssl-ssh-profile
CLI Syntax
config firewall ssl-ssh-profile
edit <name_str>
set name <string>
set comment <var-string>
config ssl
edit <name_str>
set inspect-all {disable | certificate-inspection | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config https
edit <name_str>
set ports <integer>
set status {disable | certificate-inspection | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config ftps
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config imaps
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config pop3s
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config smtps
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config ssh
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set inspect-all {disable | deep-inspection | enable}
set block {x11-filter | ssh-shell | exec | port-forward}
set log {x11-filter | ssh-shell | exec | port-forward}
end
set whitelist {enable | disable}
config ssl-exempt
edit <name_str>
set id <integer>
set type {fortiguard-category | address | address6}
set fortiguard-category <integer>
set address <string>
set address6 <string>
end
set server-cert-mode {re-sign | replace}
set use-ssl-server {disable | enable}
set caname <string>
set untrusted-caname <string>
set certname <string>
set server-cert <string>
config ssl-server
edit <name_str>
set id <integer>
set ip <ipv4-address-any>
set https-client-cert-request {bypass | inspect | block}
set smtps-client-cert-request {bypass | inspect | block}
set pop3s-client-cert-request {bypass | inspect | block}
set imaps-client-cert-request {bypass | inspect | block}
set ftps-client-cert-request {bypass | inspect | block}
set ssl-other-client-cert-request {bypass | inspect | block}
end
set ssl-invalid-server-cert-log {disable | enable}
set rpc-over-https {enable | disable}
set mapi-over-https {enable | disable}
end

Description

Configuration | Description | Default Value
name | Name. | (Empty)
comment | Comment. | (Empty)
ssl | Details below |
https | Details below |
ftps | Details below |
imaps | Details below |
pop3s | Details below |
smtps | Details below |
ssh | Details below |
whitelist | Enable/disable exempting servers by FortiGuard whitelist. | disable
ssl-exempt | Servers to exempt from SSL inspection. | (Empty)
server-cert-mode | Re-sign or replace the server's certificate. | re-sign
use-ssl-server | Enable/disable use of the SSL server table for SSL offloading. | disable
caname | CA certificate used by SSL Inspection. | Fortinet_CA_SSL
untrusted-caname | Untrusted CA certificate used by SSL Inspection. | Fortinet_CA_Untrusted
certname | Certificate containing the key to use when re-signing server certificates for SSL inspection. | Fortinet_SSL
server-cert | Certificate used by SSL Inspection to replace the server certificate. | Fortinet_SSL
ssl-server | SSL servers. | (Empty)
ssl-invalid-server-cert-log | Enable/disable SSL server certificate validation logging. | disable
rpc-over-https | Enable/disable inspection of RPC over HTTPS. | enable
mapi-over-https | Enable/disable inspection of MAPI over HTTPS. | enable

ssl
Configuration | Default Value
inspect-all | disable
client-cert-request | bypass
unsupported-ssl | bypass
allow-invalid-server-cert | disable
untrusted-cert | allow

https
Configuration | Default Value
ports | (Empty)
status | deep-inspection
client-cert-request | bypass
unsupported-ssl | bypass
allow-invalid-server-cert | disable
untrusted-cert | allow

ftps
Configuration | Default Value
ports | (Empty)
status | deep-inspection
client-cert-request | bypass
unsupported-ssl | bypass
allow-invalid-server-cert | disable
untrusted-cert | allow

imaps
Configuration | Default Value
ports | (Empty)
status | deep-inspection
client-cert-request | inspect
unsupported-ssl | bypass
allow-invalid-server-cert | disable
untrusted-cert | allow

pop3s
Configuration | Default Value
ports | (Empty)
status | deep-inspection
client-cert-request | inspect
unsupported-ssl | bypass
allow-invalid-server-cert | disable
untrusted-cert | allow

smtps
Configuration | Default Value
ports | (Empty)
status | deep-inspection
client-cert-request | inspect
unsupported-ssl | bypass
allow-invalid-server-cert | disable
untrusted-cert | allow

ssh
Configuration | Default Value
ports | (Empty)
status | deep-inspection
inspect-all | disable
block | (Empty)
log | (Empty)
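An added example, not taken from the FortiOS reference, of a deep-inspection profile that turns the permissive defaults in the table above (untrusted-cert allow, unsupported-ssl bypass, ssl-invalid-server-cert-log disable) into their fail-closed, logged counterparts, exempts one FortiGuard category from decryption, and restricts SSH channel types. The profile name is constructed; the per-protocol tables are written as single objects without an edit key, which is an assumption about the running CLI rather than something the extracted syntax shows, and FortiGuard category 31 is assumed to be Finance and Banking.

```text
# Added example (not from the FortiOS CLI Reference).
config firewall ssl-ssh-profile
    edit "deep-inspect-hardened"
        set comment "Full inspection; fail closed on certificate errors"
        # Defaults: untrusted-cert allow, unsupported-ssl bypass. Both let
        # traffic the FortiGate cannot vet pass through uninspected.
        config https
            set ports 443
            set status deep-inspection
            set client-cert-request bypass
            set unsupported-ssl block
            set allow-invalid-server-cert disable
            set untrusted-cert block
        end
        config smtps
            set ports 465
            set status deep-inspection
            set unsupported-ssl block
            set allow-invalid-server-cert disable
            set untrusted-cert block
        end
        config ssh
            set ports 22
            set status deep-inspection
            # Tunnelled TCP and X11 are the channel types that route around
            # egress controls; shell and exec stay allowed but are logged.
            set block port-forward x11-filter
            set log port-forward x11-filter exec ssh-shell
        end
        # Re-sign server certificates with a CA that every client trusts;
        # the factory Fortinet_CA_SSL must be replaced or distributed first.
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        # Traffic that must not be decrypted: FortiGuard whitelist plus one
        # category (31 assumed to be Finance and Banking).
        set whitelist enable
        config ssl-exempt
            edit 1
                set type fortiguard-category
                set fortiguard-category 31
            next
        end
        # Log validation failures so blocked sessions are visible to triage.
        set ssl-invalid-server-cert-log enable
        set rpc-over-https enable
        set mapi-over-https enable
    next
end
```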

firewall/ttl-policy
CLI Syntax
config firewall ttl-policy
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set action {accept | deny}
        set srcintf <string>
        config srcaddr
            edit <name_str>
                set name <string>
        end
        config service
            edit <name_str>
                set name <string>
        end
        set schedule <string>
        set ttl <user>
end

Description

Configuration | Description | Default Value
id | ID. |
status | Status. | enable
action | Action. | deny
srcintf | Source interface name. | (Empty)
srcaddr | Source address name. | (Empty)
service | Service name. | (Empty)
schedule | Schedule name. | (Empty)
ttl | TTL range. | (Empty)

firewall/vip
CLI Syntax
config firewall vip
    edit <name_str>
        set name <string>
        set id <integer>
        set uuid <uuid>
        set comment <var-string>
        set type {static-nat | load-balance | server-load-balance | dns-translation | fqdn}
        set dns-mapping-ttl <integer>
        set ldb-method {static | round-robin | weighted | least-session | least-rtt | first-alive | http-host}
        config src-filter
            edit <name_str>
                set range <string>
        end
        set extip <user>
        config mappedip
            edit <name_str>
                set range <string>
        end
        set mapped-addr <string>
        set extintf <string>
        set arp-reply {disable | enable}
        set server-type {http | https | imaps | pop3s | smtps | ssl | tcp | udp | ip}
        set persistence {none | http-cookie | ssl-session-id}
        set nat-source-vip {disable | enable}
        set portforward {disable | enable}
        set protocol {tcp | udp | sctp | icmp}
        set extport <user>
        set mappedport <user>
        set gratuitous-arp-interval <integer>
        config srcintf-filter
            edit <name_str>
                set interface-name <string>
        end
        set portmapping-type {1-to-1 | m-to-n}
        config realservers
            edit <name_str>
                set id <integer>
                set ip <ipv4-address-any>
                set port <integer>
                set status {active | standby | disable}
                set weight <integer>
                set holddown-interval <integer>
                set healthcheck {disable | enable | vip}
                set http-host <string>
                set max-connections <integer>
                set monitor <string>
                set client-ip <user>
        end
        set http-cookie-domain-from-host {disable | enable}
        set http-cookie-domain <string>
        set http-cookie-path <string>
        set http-cookie-generation <integer>
        set http-cookie-age <integer>
        set http-cookie-share {disable | same-ip}
        set https-cookie-secure {disable | enable}
        set http-multiplex {enable | disable}
        set http-ip-header {enable | disable}
        set http-ip-header-name <string>
        set outlook-web-access {disable | enable}
        set weblogic-server {disable | enable}
        set websphere-server {disable | enable}
        set ssl-mode {half | full}
        set ssl-certificate <string>
        set ssl-dh-bits {768 | 1024 | 1536 | 2048 | 3072 | 4096}
        set ssl-algorithm {high | medium | low | custom}
        config ssl-cipher-suites
            edit <name_str>
                set priority <integer>
                set cipher {TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
                    | TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
                    | TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
                    | TLS-DHE-RSA-WITH-AES-128-CBC-SHA
                    | TLS-DHE-RSA-WITH-AES-256-CBC-SHA
                    | TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
                    | TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
                    | TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
                    | TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
                    | TLS-DHE-DSS-WITH-AES-128-CBC-SHA
                    | TLS-DHE-DSS-WITH-AES-256-CBC-SHA
                    | TLS-DHE-DSS-WITH-AES-128-CBC-SHA256
                    | TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
                    | TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
                    | TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
                    | TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
                    | TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
                    | TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
                    | TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
                    | TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
                    | TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
                    | TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
                    | TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
                    | TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
                    | TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
                    | TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
                    | TLS-RSA-WITH-AES-128-CBC-SHA
                    | TLS-RSA-WITH-AES-256-CBC-SHA
                    | TLS-RSA-WITH-AES-128-CBC-SHA256
                    | TLS-RSA-WITH-AES-128-GCM-SHA256
                    | TLS-RSA-WITH-AES-256-CBC-SHA256
                    | TLS-RSA-WITH-AES-256-GCM-SHA384
                    | TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
                    | TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
                    | TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256
                    | TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256
                    | TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
                    | TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
                    | TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
                    | TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
                    | TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
                    | TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
                    | TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256
                    | TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
                    | TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256
                    | TLS-DHE-RSA-WITH-SEED-CBC-SHA
                    | TLS-DHE-DSS-WITH-SEED-CBC-SHA
                    | TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256
                    | TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384
                    | TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256
                    | TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384
                    | TLS-RSA-WITH-SEED-CBC-SHA
                    | TLS-RSA-WITH-ARIA-128-CBC-SHA256
                    | TLS-RSA-WITH-ARIA-256-CBC-SHA384
                    | TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256
                    | TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384
                    | TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256
                    | TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384
                    | TLS-ECDHE-RSA-WITH-RC4-128-SHA
                    | TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
                    | TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
                    | TLS-RSA-WITH-3DES-EDE-CBC-SHA
                    | TLS-RSA-WITH-RC4-128-MD5
                    | TLS-RSA-WITH-RC4-128-SHA
                    | TLS-DHE-RSA-WITH-DES-CBC-SHA
                    | TLS-DHE-DSS-WITH-DES-CBC-SHA
                    | TLS-RSA-WITH-DES-CBC-SHA}
                set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
        end
        set ssl-server-algorithm {high | medium | low | custom | client}
        config ssl-server-cipher-suites
            edit <name_str>
                set priority <integer>
                set cipher {TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
                    | TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
                    | TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
                    | TLS-DHE-RSA-WITH-AES-128-CBC-SHA
                    | TLS-DHE-RSA-WITH-AES-256-CBC-SHA
                    | TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
                    | TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
                    | TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
                    | TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
                    | TLS-DHE-DSS-WITH-AES-128-CBC-SHA
                    | TLS-DHE-DSS-WITH-AES-256-CBC-SHA
                    | TLS-DHE-DSS-WITH-AES-128-CBC-SHA256
                    | TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
                    | TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
                    | TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
                    | TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
                    | TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
                    | TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
                    | TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
                    | TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
                    | TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
                    | TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
                    | TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
                    | TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
                    | TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
                    | TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
                    | TLS-RSA-WITH-AES-128-CBC-SHA
                    | TLS-RSA-WITH-AES-256-CBC-SHA
                    | TLS-RSA-WITH-AES-128-CBC-SHA256
                    | TLS-RSA-WITH-AES-128-GCM-SHA256
                    | TLS-RSA-WITH-AES-256-CBC-SHA256
                    | TLS-RSA-WITH-AES-256-GCM-SHA384
                    | TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
                    | TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
                    | TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256
                    | TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256
                    | TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
                    | TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
                    | TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
                    | TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
                    | TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
                    | TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
                    | TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256
                    | TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
                    | TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256
                    | TLS-DHE-RSA-WITH-SEED-CBC-SHA
                    | TLS-DHE-DSS-WITH-SEED-CBC-SHA
                    | TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256
                    | TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384
                    | TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256
                    | TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384
                    | TLS-RSA-WITH-SEED-CBC-SHA
                    | TLS-RSA-WITH-ARIA-128-CBC-SHA256
                    | TLS-RSA-WITH-ARIA-256-CBC-SHA384
                    | TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256
                    | TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384
                    | TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256
                    | TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384
                    | TLS-ECDHE-RSA-WITH-RC4-128-SHA
                    | TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
                    | TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
                    | TLS-RSA-WITH-3DES-EDE-CBC-SHA
                    | TLS-RSA-WITH-RC4-128-MD5
                    | TLS-RSA-WITH-RC4-128-SHA
                    | TLS-DHE-RSA-WITH-DES-CBC-SHA
                    | TLS-DHE-DSS-WITH-DES-CBC-SHA
                    | TLS-RSA-WITH-DES-CBC-SHA}
                set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
        end
        set ssl-pfs {require | deny | allow}
        set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
        set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
        set ssl-server-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | client}
        set ssl-server-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | client}
        set ssl-send-empty-frags {enable | disable}
        set ssl-client-fallback {disable | enable}
        set ssl-client-renegotiation {allow | deny | secure}
        set ssl-client-session-state-type {disable | time | count | both}
        set ssl-client-session-state-timeout <integer>
        set ssl-client-session-state-max <integer>
        set ssl-server-session-state-type {disable | time | count | both}
        set ssl-server-session-state-timeout <integer>
        set ssl-server-session-state-max <integer>
        set ssl-http-location-conversion {enable | disable}
        set ssl-http-match-host {enable | disable}
        set monitor <string>
        set max-embryonic-connections <integer>
        set color <integer>
end

Description

Configuration | Description | Default Value
name | Virtual IP name. | (Empty)
id | Custom defined ID. |
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
comment | Comment. | (Empty)
type | VIP type: static NAT, load balance, server load balance. | static-nat
dns-mapping-ttl | DNS mapping TTL (set to zero to use the TTL in the DNS response, default = 0). |
ldb-method | Load balance method. | static
src-filter | Source IP filter (x.x.x.x/x x.x.x.x-y.y.y.y). | (Empty)
extip | Start external IP - end external IP. | 0.0.0.0
mappedip | Mapped IP (x.x.x.x/x x.x.x.x-y.y.y.y). | (Empty)
mapped-addr | Mapped address. | (Empty)
extintf | External interface. | (Empty)
arp-reply | Enable/disable ARP reply. | enable
server-type | Server type. | (Empty)
persistence | Persistence. | none
nat-source-vip | Enable/disable forcing NAT as VIP when the server goes out. | disable
portforward | Enable/disable port forward. | disable
protocol | Mapped port protocol. | tcp
extport | External service port. |
mappedport | Mapped service port. |
gratuitous-arp-interval | Interval between sending gratuitous ARPs in seconds (0 = disable). |
srcintf-filter | Source interface filter. | (Empty)
portmapping-type | Port mapping type. | 1-to-1
realservers | Real servers. | (Empty)
http-cookie-domain-from-host | Enable/disable use of HTTP cookie domain from host field in HTTP. | disable
http-cookie-domain | HTTP cookie domain. | (Empty)
http-cookie-path | HTTP cookie path. | (Empty)
http-cookie-generation | Generation of HTTP cookie to be accepted. Changing it invalidates all existing cookies. |
http-cookie-age | Number of minutes the web browser should keep the cookie (0 = forever). | 60
http-cookie-share | Share HTTP cookies across different virtual servers. | same-ip
https-cookie-secure | Enable/disable verification that the cookie inserted into HTTPS is marked as secure. | disable
http-multiplex | Enable/disable multiplexing HTTP requests/responses over a single TCP connection. | disable
http-ip-header | Add an additional HTTP header containing the client's original IP address. | disable
http-ip-header-name | Name of the HTTP header containing the client's IP address (X-Forwarded-For is used if empty). | (Empty)
outlook-web-access | Enable/disable adding an HTTP header indicating SSL offload for an Outlook Web Access server. | disable
weblogic-server | Enable/disable adding an HTTP header indicating SSL offload for a WebLogic server. | disable
websphere-server | Enable/disable adding an HTTP header indicating SSL offload for a WebSphere server. | disable
ssl-mode | SSL/TLS mode for encryption & decryption of traffic. | half
ssl-certificate | Name of the certificate to offer in every SSL connection. | (Empty)
ssl-dh-bits | Size of the Diffie-Hellman prime used in DHE-RSA negotiation. | 2048
ssl-algorithm | Relative strength of encryption algorithms accepted in negotiation with the client. | high
ssl-cipher-suites | SSL/TLS cipher suites acceptable from a client, ordered by priority. | (Empty)
ssl-server-algorithm | Relative strength of encryption algorithms accepted in negotiation with the server. | client
ssl-server-cipher-suites | SSL/TLS cipher suites to offer to a server, ordered by priority. | (Empty)
ssl-pfs | SSL Perfect Forward Secrecy. | allow
ssl-min-version | Lowest SSL/TLS version acceptable from a client. | tls-1.0
ssl-max-version | Highest SSL/TLS version acceptable from a client. | tls-1.2
ssl-server-min-version | Lowest SSL/TLS version acceptable from a server. | client
ssl-server-max-version | Highest SSL/TLS version acceptable from a server. | client
ssl-send-empty-frags | Send empty fragments to avoid attacks on the CBC IV (SSL 3.0 & TLS 1.0 only). | enable
ssl-client-fallback | Enable/disable support for preventing downgrade attacks on client connections (RFC 7507). | enable
ssl-client-renegotiation | Allow/block client renegotiation by server. | allow
ssl-client-session-state-type | Control client to FortiGate SSL session state preservation. | both
ssl-client-session-state-timeout | Number of minutes to keep client to FortiGate SSL session state. | 30
ssl-client-session-state-max | Maximum number of client to FortiGate SSL session states to keep. | 1000
ssl-server-session-state-type | Control FortiGate to server SSL session state preservation. | both
ssl-server-session-state-timeout | Number of minutes to keep FortiGate to server SSL session state. | 60
ssl-server-session-state-max | Maximum number of FortiGate to server SSL session states to keep. | 100
ssl-http-location-conversion | Enable/disable location conversion on the HTTP response header. | disable
ssl-http-match-host | Enable/disable HTTP host matching for location conversion. | disable
monitor | Health monitors. | (Empty)
max-embryonic-connections | Maximum number of incomplete connections. | 1000
color | GUI icon color. |

firewall/vip46
CLI Syntax
config firewall vip46
    edit <name_str>
        set name <string>
        set id <integer>
        set uuid <uuid>
        set comment <var-string>
        config src-filter
            edit <name_str>
                set range <string>
        end
        set extip <user>
        set mappedip <user>
        set arp-reply {disable | enable}
        set portforward {disable | enable}
        set protocol {tcp | udp}
        set extport <user>
        set mappedport <user>
        set color <integer>
end

Description

Configuration | Description | Default Value
name | VIP46 name. | (Empty)
id | Custom defined ID. |
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
comment | Comment. | (Empty)
src-filter | Source IP filter (x.x.x.x/x). | (Empty)
extip | Start-external-IP [-end-external-IP]. | 0.0.0.0
mappedip | Start-mapped-IP [-end-mapped-IP]. | ::
arp-reply | Enable ARP reply. | enable
portforward | Enable port forward. | disable
protocol | Mapped port protocol. | tcp
extport | External service port. |
mappedport | Mapped service port. |
color | GUI icon color. |

firewall/vip6
CLI Syntax
config firewall vip6
    edit <name_str>
        set name <string>
        set id <integer>
        set uuid <uuid>
        set comment <var-string>
        set type {static-nat}
        config src-filter
            edit <name_str>
                set range <string>
        end
        set extip <user>
        set mappedip <user>
        set arp-reply {disable | enable}
        set portforward {disable | enable}
        set protocol {tcp | udp | sctp}
        set extport <user>
        set mappedport <user>
        set color <integer>
end

Description

Configuration | Description | Default Value
name | Virtual IP6 name. | (Empty)
id | Custom defined ID. |
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
comment | Comment. | (Empty)
type | VIP type: static NAT. | static-nat
src-filter | Source IP6 filter (x:x:x:x:x:x:x:x/x). | (Empty)
extip | Start external IP - end external IP. | ::
mappedip | Start mapped IP - end mapped IP. | ::
arp-reply | Enable/disable ARP reply. | enable
portforward | Enable/disable port forward. | disable
protocol | Mapped port protocol. | tcp
extport | External service port. |
mappedport | Mapped service port. |
color | GUI icon color. |

firewall/vip64
CLI Syntax
config firewall vip64
    edit <name_str>
        set name <string>
        set id <integer>
        set uuid <uuid>
        set comment <var-string>
        config src-filter
            edit <name_str>
                set range <string>
        end
        set extip <user>
        set mappedip <user>
        set arp-reply {disable | enable}
        set portforward {disable | enable}
        set protocol {tcp | udp}
        set extport <user>
        set mappedport <user>
        set color <integer>
end

Description

Configuration | Description | Default Value
name | VIP64 name. | (Empty)
id | Custom defined ID. |
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
comment | Comment. | (Empty)
src-filter | Source IP6 filter (x:x:x:x:x:x:x:x/x). | (Empty)
extip | Start-external-IP [-end-external-IP]. | ::
mappedip | Start-mapped-IP [-end-mapped-IP]. | 0.0.0.0
arp-reply | Enable ARP reply. | enable
portforward | Enable port forward. | disable
protocol | Mapped port protocol. | tcp
extport | External service port. |
mappedport | Mapped service port. |
color | GUI icon color. |

firewall/vipgrp
CLI Syntax
config firewall vipgrp
    edit <name_str>
        set name <string>
        set uuid <uuid>
        set interface <string>
        set color <integer>
        set comments <var-string>
        config member
            edit <name_str>
                set name <string>
        end
end

Description

Configuration | Description | Default Value
name | VIP group name. | (Empty)
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
interface | Interface. | (Empty)
color | GUI icon color. |
comments | Comment. | (Empty)
member | VIP group member. | (Empty)

firewall/vipgrp46
CLI Syntax
config firewall vipgrp46
    edit <name_str>
        set name <string>
        set uuid <uuid>
        set color <integer>
        set comments <var-string>
        config member
            edit <name_str>
                set name <string>
        end
end

Description

Configuration | Description | Default Value
name | VIP46 group name. | (Empty)
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
color | GUI icon color. |
comments | Comment. | (Empty)
member | VIP46 group member. | (Empty)

firewall/vipgrp6
CLI Syntax
config firewall vipgrp6
    edit <name_str>
        set name <string>
        set uuid <uuid>
        set color <integer>
        set comments <var-string>
        config member
            edit <name_str>
                set name <string>
        end
end

Description

Configuration | Description | Default Value
name | IPv6 VIP group name. | (Empty)
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
color | GUI icon color. |
comments | Comment. | (Empty)
member | IPv6 VIP group member. | (Empty)

firewall/vipgrp64
CLI Syntax
config firewall vipgrp64
    edit <name_str>
        set name <string>
        set uuid <uuid>
        set color <integer>
        set comments <var-string>
        config member
            edit <name_str>
                set name <string>
        end
end

Description

Configuration | Description | Default Value
name | VIP64 group name. | (Empty)
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
color | GUI icon color. |
comments | Comment. | (Empty)
member | VIP64 group member. | (Empty)

ftp-proxy/explicit
CLI Syntax
config ftp-proxy explicit
    edit <name_str>
        set status {enable | disable}
        set incoming-port <integer>
        set incoming-ip <ipv4-address-any>
        set outgoing-ip <ipv4-address-any>
        set sec-default-action {accept | deny}
end

Description

Configuration | Description | Default Value
status | Enable/disable the explicit FTP proxy. | disable
incoming-port | Accept incoming FTP requests on ports other than port 21. | 21
incoming-ip | Accept incoming FTP requests on this IP. An interface must have this IP address. | 0.0.0.0
outgoing-ip | Outgoing FTP requests will leave from this IP. An interface must have this IP address. | (Empty)
sec-default-action | Default action to allow or deny when no ftp-proxy firewall policy exists. | deny

gui/console
CLI Syntax
config gui console
    edit <name_str>
        set preferences <user>
end

Description

Configuration | Description | Default Value
preferences | Preferences. | Binary file, 0 bytes.

icap/profile
CLI Syntax
config icap profile
    edit <name_str>
        set replacemsg-group <string>
        set name <string>
        set request {disable | enable}
        set response {disable | enable}
        set streaming-content-bypass {disable | enable}
        set request-server <string>
        set response-server <string>
        set request-failure {error | bypass}
        set response-failure {error | bypass}
        set request-path <string>
        set response-path <string>
        set methods {delete | get | head | options | post | put | trace | other}
end

Description

Configuration | Description | Default Value
replacemsg-group | Replacement message group. | (Empty)
name | ICAP profile name. | (Empty)
request | Enable/disable whether an HTTP request is passed to an ICAP server. | disable
response | Enable/disable whether an HTTP response is passed to an ICAP server. | disable
streaming-content-bypass | Enable/disable bypassing of the ICAP server for streaming content. | disable
request-server | ICAP server to use for an HTTP request. | (Empty)
response-server | ICAP server to use for an HTTP response. | (Empty)
request-failure | Action to take if the ICAP server cannot be contacted when processing an HTTP request. | error
response-failure | Action to take if the ICAP server cannot be contacted when processing an HTTP response. | error
request-path | Path component of the ICAP URI that identifies the HTTP request processing service. | (Empty)
response-path | Path component of the ICAP URI that identifies the HTTP response processing service. | (Empty)
methods | The allowed HTTP methods that will be sent to the ICAP server for further processing. | delete get head options post put trace other

icap/server
CLI Syntax
config icap server
    edit <name_str>
        set name <string>
        set ip-version {4 | 6}
        set ip-address <ipv4-address-any>
        set ip6-address <ipv6-address>
        set port <integer>
        set max-connections <integer>
end

Description

Configuration | Description | Default Value
name | Server name. | (Empty)
ip-version | IP version. |
ip-address | IPv4 address of the ICAP server. | 0.0.0.0
ip6-address | IPv6 address of the ICAP server. | ::
port | ICAP server port. | 1344
max-connections | Maximum number of concurrent connections to the ICAP server. | 100

ips/custom
CLI Syntax
config ips custom
    edit <name_str>
        set tag <string>
        set signature <string>
        set sig-name <string>
        set rule-id <integer>
        set severity <user>
        set location <user>
        set os <user>
        set application <user>
        set protocol <user>
        set status {disable | enable}
        set log {disable | enable}
        set log-packet {disable | enable}
        set action {pass | block}
        set comment <string>
end

Description

Configuration | Description | Default Value
tag | Signature tag. | (Empty)
signature | Signature text. | (Empty)
sig-name | Signature name. | (Empty)
rule-id | Signature ID. |
severity | Severity. | (Empty)
location | Vulnerable location. | (Empty)
os | Vulnerable operating systems. | (Empty)
application | Vulnerable applications. | (Empty)
protocol | Vulnerable service. | (Empty)
status | Enable/disable status. | enable
log | Enable/disable logging. | enable
log-packet | Enable/disable packet logging. | disable
action | Action. | pass
comment | Comment. | (Empty)

ips/dbinfo
CLI Syntax
config ips dbinfo
    edit <name_str>
        set version <integer>
end

Description

Configuration | Description | Default Value
version | Internal category version. |

ips/decoder
CLI Syntax
config ips decoder
    edit <name_str>
        set name <string>
        config parameter
            edit <name_str>
                set name <string>
                set value <string>
        end
end

Description

Configuration | Description | Default Value
name | Decoder name. | (Empty)
parameter | IPS group parameters. | (Empty)

ips/global
CLI Syntax
config ips global
    edit <name_str>
        set fail-open {enable | disable}
        set database {regular | extended}
        set traffic-submit {enable | disable}
        set anomaly-mode {periodical | continuous}
        set session-limit-mode {accurate | heuristic}
        set intelligent-mode {enable | disable}
        set socket-size <integer>
        set engine-count <integer>
        set algorithm {engine-pick | low | high | super}
        set sync-session-ttl {enable | disable}
        set np-accel-mode {none | basic}
        set ips-reserve-cpu {disable | enable}
        set cp-accel-mode {none | basic | advanced}
        set skype-client-public-ipaddr <var-string>
        set default-app-cat-mask <user>
        set deep-app-insp-timeout <integer>
        set deep-app-insp-db-limit <integer>
        set exclude-signatures {none | industrial}
end

Description

Configuration | Description | Default Value
fail-open | Enable/disable the IPS fail open option. | disable
database | IPS database selection. | extended
traffic-submit | Enable/disable submitting attack characteristics to the FortiGuard Service. | disable
anomaly-mode | Blocking mode for rate-based anomalies. | continuous
session-limit-mode | Counter mode for the session-limit anomaly. | heuristic
intelligent-mode | Enable/disable intelligent scan mode. | enable
socket-size | IPS socket buffer size. | 128
engine-count | Number of engines (0: use recommended setting). |
algorithm | Signature matching algorithm. | engine-pick
sync-session-ttl | Enable/disable use of the kernel session TTL for IPS sessions. | disable
np-accel-mode | Network Processor acceleration mode. | basic
ips-reserve-cpu | Enable/disable the IPS daemon's use of CPUs other than CPU 0. | disable
cp-accel-mode | Content Processor acceleration mode. | advanced
skype-client-public-ipaddr | Comma-separated client external IP addresses for decrypting the Skype protocol. | (Empty)
default-app-cat-mask | Default enabled application category mask. | 18446744073709551615
deep-app-insp-timeout | Timeout for deep application inspection (1 - 2147483647 sec., 0 = use recommended setting). |
deep-app-insp-db-limit | Limit on the number of entries in the deep application inspection database (1 - 2147483647, 0 = use recommended setting). |
exclude-signatures | Excluded signatures. | industrial

ips/rule
CLI Syntax
config ips rule
    edit <name_str>
        set name <string>
        set status {disable | enable}
        set log {disable | enable}
        set log-packet {disable | enable}
        set action {pass | block}
        set group <string>
        set severity {}
        set location {}
        set os <user>
        set application <user>
        set service <user>
        set rule-id <integer>
        set rev <integer>
        set date <integer>
        config metadata
            edit <name_str>
                set id <integer>
                set metaid <integer>
                set valueid <integer>
        end
end

Description

Configuration | Description | Default Value
name | Rule name. | (Empty)
status | Enable/disable status. | enable
log | Enable/disable logging. | enable
log-packet | Enable/disable packet logging. | disable
action | Action. | pass
group | Group. | (Empty)
severity | Severity. | (Empty)
location | Vulnerable location. | (Empty)
os | Vulnerable operating systems. | (Empty)
application | Vulnerable applications. | (Empty)
service | Vulnerable service. | (Empty)
rule-id | Rule ID. |
rev | Revision. |
date | Date. |
metadata | Metadata. | (Empty)


ips/rule-settings
CLI Syntax
config ips rule-settings
    edit <name_str>
        set id <integer>
        config tags
            edit <name_str>
                set name <string>
            end
    end


Description

Configuration                   Description                                                 Default Value

id                              Rule ID.
tags                            Applied object tags.                                        (Empty)


ips/sensor
CLI Syntax
config ips sensor
    edit <name_str>
        set name <string>
        set comment <var-string>
        set replacemsg-group <string>
        set block-malicious-url {disable | enable}
        config entries
            edit <name_str>
                set id <integer>
                config rule
                    edit <name_str>
                        set id <integer>
                    end
                set location <user>
                set severity <user>
                set protocol <user>
                set os <user>
                set application <user>
                config tags
                    edit <name_str>
                        set name <string>
                    end
                set status {disable | enable | default}
                set log {disable | enable}
                set log-packet {disable | enable}
                set log-attack-context {disable | enable}
                set action {pass | block | reset | default}
                set rate-count <integer>
                set rate-duration <integer>
                set rate-mode {periodical | continuous}
                set rate-track {none | src-ip | dest-ip | dhcp-client-mac | dns-domain}
                config exempt-ip
                    edit <name_str>
                        set id <integer>
                        set src-ip <ipv4-classnet>
                        set dst-ip <ipv4-classnet>
                    end
                set quarantine {none | attacker | both | interface}
                set quarantine-expiry <user>
                set quarantine-log {disable | enable}
            end
        config filter
            edit <name_str>
                set name <string>
                set location <user>
                set severity <user>
                set protocol <user>
                set os <user>
                set application <user>
                set status {disable | enable | default}
                set log {disable | enable}
                set log-packet {disable | enable}
                set action {pass | block | reset | default}
                set quarantine {none | attacker | both | interface}
                set quarantine-expiry <integer>
                set quarantine-log {disable | enable}
            end
        config override
            edit <name_str>
                set rule-id <integer>
                set status {disable | enable}
                set log {disable | enable}
                set log-packet {disable | enable}
                set action {pass | block | reset}
                set quarantine {none | attacker | both | interface}
                set quarantine-expiry <integer>
                set quarantine-log {disable | enable}
                config exempt-ip
                    edit <name_str>
                        set id <integer>
                        set src-ip <ipv4-classnet>
                        set dst-ip <ipv4-classnet>
                    end
            end
    end


Description

Configuration                   Description                                                 Default Value

name                            Sensor name.                                                (Empty)
comment                         Comment.                                                    (Empty)
replacemsg-group                Replacement message group.                                  (Empty)
block-malicious-url             Enable/disable malicious URL blocking.                      disable
entries                         IPS sensor filter.                                          (Empty)
filter                          IPS sensor filter.                                          (Empty)
override                        IPS override rule.                                          (Empty)
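
An added configuration example, not taken from this reference or from Fortinet, that exercises the sensor keys above: a filter that blocks and logs high and critical signatures, a rate-based entry that quarantines a source address that trips one signature repeatedly while exempting an internal scanner, and an override that pins one rule to block. The sensor name, rule id, counts and addresses are constructed placeholders; each table entry is closed with `next`, as the CLI requires, and lines starting with # are commentary.

```fortios
# Added example (not Fortinet's text). Names, ids and addresses are constructed.
config ips sensor
    edit "dmz_protect"
        set comment "block high/critical, rate-limit and quarantine repeat offenders"
        set block-malicious-url enable
        # Baseline: every high or critical signature is blocked and logged with packet capture.
        config filter
            edit "high_critical_block"
                set severity high critical
                set status enable
                set log enable
                set log-packet enable
                set action block
            next
        end
        # Rate-based entry: 10 hits of one signature from the same source within
        # 60 s blocks the traffic and quarantines that source; the scanner host is exempt.
        config entries
            edit "repeat_offender"
                set id 1
                config rule
                    edit 1
                        # 99999 is a placeholder rule id, not a real signature.
                        set id 99999
                    next
                end
                set status enable
                set log enable
                set log-attack-context enable
                set action block
                set rate-count 10
                set rate-duration 60
                set rate-mode continuous
                set rate-track src-ip
                set quarantine attacker
                set quarantine-log enable
                config exempt-ip
                    edit 1
                        set src-ip 192.0.2.10/32
                        set dst-ip 0.0.0.0/0
                    next
                end
            next
        end
        # Override: the same rule is forced to block regardless of the filter result.
        config override
            edit "pinned_block"
                set rule-id 99999
                set status enable
                set log enable
                set log-packet enable
                set action block
                set quarantine none
            next
        end
    next
end
```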


ips/settings
CLI Syntax
config ips settings
    edit <name_str>
        set packet-log-history <integer>
        set packet-log-post-attack <integer>
        set packet-log-memory <integer>
        set ips-packet-quota <integer>
    end


Description

Configuration                   Description                                                 Default Value

packet-log-history              Number of packets to be recorded before alert (1 - 255).
packet-log-post-attack          Number of packets to be recorded after attack (0 - 255).
packet-log-memory               Maximum memory that can be used by packet log (64 - 8192 kB).  256
ips-packet-quota                IPS packet quota.


log.disk/filter
CLI Syntax
config log.disk filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {}
        set netscan-vulnerability {}
        set voip {enable | disable}
        set dlp-archive {enable | disable}
        set gtp {enable | disable}
        set event {enable | disable}
        set system {enable | disable}
        set radius {enable | disable}
        set ipsec {enable | disable}
        set dhcp {enable | disable}
        set ppp {enable | disable}
        set admin {enable | disable}
        set ha {enable | disable}
        set auth {enable | disable}
        set pattern {enable | disable}
        set sslvpn-log-auth {enable | disable}
        set sslvpn-log-adm {enable | disable}
        set sslvpn-log-session {enable | disable}
        set vip-ssl {enable | disable}
        set ldb-monitor {enable | disable}
        set wan-opt {enable | disable}
        set wireless-activity {enable | disable}
        set cpu-memory-usage {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end


Description

Configuration                   Description                                                 Default Value

severity                        Lowest severity level to log.                               information
forward-traffic                 Enable/disable log through traffic messages.                enable
local-traffic                   Enable/disable log local in or out traffic messages.        enable
multicast-traffic               Enable/disable log multicast traffic messages.              enable
sniffer-traffic                 Enable/disable log sniffer traffic messages.                enable
anomaly                         Enable/disable log anomaly messages.                        enable
netscan-discovery               Enable/disable log netscan discovery events.
netscan-vulnerability           Enable/disable log netscan vulnerability events.
voip                            Enable/disable log VoIP messages.                           enable
dlp-archive                     Enable/disable log DLP archive.                             enable
gtp                             Enable/disable log GTP messages.                            enable
event                           Enable/disable log event messages.                          enable
system                          Enable/disable log system activity messages.                enable
radius                          Enable/disable log RADIUS messages.                         enable
ipsec                           Enable/disable log IPsec negotiation messages.              enable
dhcp                            Enable/disable log DHCP service messages.                   enable
ppp                             Enable/disable log L2TP/PPTP/PPPoE messages.                enable
admin                           Enable/disable log admin login/logout messages.             enable
ha                              Enable/disable log HA activity messages.                    enable
auth                            Enable/disable log firewall authentication messages.        enable
pattern                         Enable/disable log pattern update messages.                 enable
sslvpn-log-auth                 Enable/disable log SSL user authentication.                 enable
sslvpn-log-adm                  Enable/disable log SSL administration.                      enable
sslvpn-log-session              Enable/disable log SSL session.                             enable
vip-ssl                         Enable/disable log VIP SSL messages.                        enable
ldb-monitor                     Enable/disable log VIP real server health monitoring messages.  enable
wan-opt                         Enable/disable log WAN optimization messages.               enable
wireless-activity               Enable/disable log wireless activity.                       enable
cpu-memory-usage                Enable/disable log CPU & memory usage every 5 minutes.      disable
filter                          Log filter for the log device.                              (Empty)
filter-type                     Include/exclude logs that match the filter setting.         include


log.disk/setting
CLI Syntax
config log.disk setting
    edit <name_str>
        set status {enable | disable}
        set ips-archive {enable | disable}
        set max-log-file-size <integer>
        set max-policy-packet-capture-size <integer>
        set roll-schedule {daily | weekly}
        set roll-day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        set roll-time <user>
        set diskfull {overwrite | nolog}
        set log-quota <integer>
        set dlp-archive-quota <integer>
        set report-quota <integer>
        set maximum-log-age <integer>
        set upload {enable | disable}
        set upload-destination {ftp-server}
        set uploadip <ipv4-address>
        set uploadport <integer>
        set source-ip <ipv4-address>
        set uploaduser <string>
        set uploadpass <password>
        set uploaddir <string>
        set uploadtype {traffic | event | virus | webfilter | IPS | spamfilter | dlp-archive | anomaly | voip | dlp | app-ctrl | waf | netscan | gtp}
        set uploadzip {disable | enable}
        set uploadsched {disable | enable}
        set uploadtime <integer>
        set upload-delete-files {enable | disable}
        set upload-ssl-conn {default | high | low | disable}
        set full-first-warning-threshold <integer>
        set full-second-warning-threshold <integer>
        set full-final-warning-threshold <integer>
    end


Description

Configuration                   Description                                                 Default Value

status                          Enable/disable local disk log.                              disable
ips-archive                     Enable/disable IPS packet archive.                          enable
max-log-file-size               Maximum log file size in MB before rolling.                 20
max-policy-packet-capture-size  Maximum size of policy sniffer in MB (0 = unlimited).       10
roll-schedule                   Frequency to check log file for rolling.                    daily
roll-day                        Days of week to roll logs.                                  sunday
roll-time                       Time to roll logs (hh:mm).                                  00:00
diskfull                        Policy to apply when disk is full.                          overwrite
log-quota                       Disk log quota (MB).
dlp-archive-quota               DLP archive quota (MB).
report-quota                    Report quota (MB).
maximum-log-age                 Delete log files older than (days).
upload                          Enable/disable upload of log files upon rolling.            disable
upload-destination              Server type.                                                ftp-server
uploadip                        IP address of log uploading server.                         0.0.0.0
uploadport                      Port of the log uploading server.                           21
source-ip                       Source IP address of the disk log uploading.                0.0.0.0
uploaduser                      User account in the uploading server.                       (Empty)
uploadpass                      Password of the user account in the uploading server.       (Empty)
uploaddir                       Log file uploading remote directory.                        (Empty)
uploadtype                      Types of log files that need to be uploaded.                traffic event virus webfilter IPS spamfilter dlp-archive anomaly voip dlp app-ctrl waf netscan gtp
uploadzip                       Enable/disable compression of uploaded logs.                disable
uploadsched                     Scheduled upload (disable = upload when rolling).           disable
uploadtime                      Time of scheduled upload.
upload-delete-files             Delete log files after uploading (default=enable).          enable
upload-ssl-conn                 Enable/disable SSL communication when uploading.            default
full-first-warning-threshold    Log full first warning threshold (1 - 98, default = 75).    75
full-second-warning-threshold   Log full second warning threshold (2 - 99, default = 90).   90
full-final-warning-threshold    Log full final warning threshold (3 - 100, default = 95).   95


log.fortianalyzer/filter
CLI Syntax
config log.fortianalyzer filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {}
        set netscan-vulnerability {}
        set voip {enable | disable}
        set dlp-archive {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end


Description

Configuration                   Description                                                 Default Value

severity                        Lowest severity level to log.                               information
forward-traffic                 Enable/disable log through traffic messages.                enable
local-traffic                   Enable/disable log local in or out traffic messages.        enable
multicast-traffic               Enable/disable log multicast traffic messages.              enable
sniffer-traffic                 Enable/disable log sniffer traffic messages.                enable
anomaly                         Enable/disable log anomaly messages.                        enable
netscan-discovery               Enable/disable log netscan discovery events.
netscan-vulnerability           Enable/disable log netscan vulnerability events.
voip                            Enable/disable log VoIP messages.                           enable
dlp-archive                     Enable/disable log DLP archive.                             enable
gtp                             Enable/disable log GTP messages.                            enable
filter                          Log filter for the log device.                              (Empty)
filter-type                     Include/exclude logs that match the filter setting.         include


log.fortianalyzer/override-filter
CLI Syntax
config log.fortianalyzer override-filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {}
        set netscan-vulnerability {}
        set voip {enable | disable}
        set dlp-archive {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end


Description

Configuration                   Description                                                 Default Value

severity                        Lowest severity level to log.                               information
forward-traffic                 Enable/disable log through traffic messages.                enable
local-traffic                   Enable/disable log local in or out traffic messages.        enable
multicast-traffic               Enable/disable log multicast traffic messages.              enable
sniffer-traffic                 Enable/disable log sniffer traffic messages.                enable
anomaly                         Enable/disable log anomaly messages.                        enable
netscan-discovery               Enable/disable log netscan discovery events.
netscan-vulnerability           Enable/disable log netscan vulnerability events.
voip                            Enable/disable log VoIP messages.                           enable
dlp-archive                     Enable/disable log DLP archive.                             enable
gtp                             Enable/disable log GTP messages.                            enable
filter                          Log filter for the log device.                              (Empty)
filter-type                     Include/exclude logs that match the filter setting.         include


log.fortianalyzer/override-setting
CLI Syntax
config log.fortianalyzer override-setting
    edit <name_str>
        set override {enable | disable}
        set use-management-vdom {enable | disable}
        set status {enable | disable}
        set ips-archive {enable | disable}
        set server <string>
        set hmac-algorithm {sha256 | sha1}
        set enc-algorithm {default | high | low | disable}
        set conn-timeout <integer>
        set monitor-keepalive-period <integer>
        set monitor-failure-retry-period <integer>
        set mgmt-name <string>
        set faz-type <integer>
        set source-ip <string>
        set __change_ip <integer>
        set upload-option {store-and-upload | realtime}
        set upload-interval {daily | weekly | monthly}
        set upload-day <user>
        set upload-time <user>
        set reliable {enable | disable}
    end


Description

Configuration                   Description                                                 Default Value

override                        Enable/disable override FortiAnalyzer settings or use the global settings.  disable
use-management-vdom             Enable/disable use of management VDOM IP address as source IP for logs sent to FortiAnalyzer.  disable
status                          Enable/disable FortiAnalyzer.                               disable
ips-archive                     Enable/disable IPS packet archive.                          enable
server                          IPv4 or IPv6 address of the remote FortiAnalyzer.           (Empty)
hmac-algorithm                  FortiAnalyzer IPsec tunnel HMAC algorithm.                  sha256
enc-algorithm                   Enable/disable sending of FortiAnalyzer log data with SSL encryption.  high
conn-timeout                    FortiAnalyzer connection time-out in seconds (for status and log buffer).  10
monitor-keepalive-period        Time between OFTP keepalives in seconds (for status and log buffer).
monitor-failure-retry-period    Time between FortiAnalyzer connection retries in seconds (for status and log buffer).
mgmt-name                       Hidden management name of FortiAnalyzer.                    (Empty)
faz-type                        Hidden setting index of FortiAnalyzer.
source-ip                       Source IPv4 or IPv6 address used to communicate with FortiAnalyzer.  (Empty)
__change_ip                     Hidden attribute.
upload-option                   Enable/disable logging to hard disk and then upload to FortiAnalyzer.  realtime
upload-interval                 Frequency to check log file for upload.                     daily
upload-day                      Days of week (month) to upload logs.                        (Empty)
upload-time                     Time to upload logs (hh:mm).                                00:59
reliable                        Enable/disable reliable logging to FortiAnalyzer.           disable


log.fortianalyzer/setting
CLI Syntax
config log.fortianalyzer setting
    edit <name_str>
        set status {enable | disable}
        set ips-archive {enable | disable}
        set server <string>
        set hmac-algorithm {sha256 | sha1}
        set enc-algorithm {default | high | low | disable}
        set conn-timeout <integer>
        set monitor-keepalive-period <integer>
        set monitor-failure-retry-period <integer>
        set mgmt-name <string>
        set faz-type <integer>
        set source-ip <string>
        set __change_ip <integer>
        set upload-option {store-and-upload | realtime}
        set upload-interval {daily | weekly | monthly}
        set upload-day <user>
        set upload-time <user>
        set reliable {enable | disable}
    end


Description

Configuration                   Description                                                 Default Value

status                          Enable/disable FortiAnalyzer.                               disable
ips-archive                     Enable/disable IPS packet archive.                          enable
server                          IPv4 or IPv6 address of the remote FortiAnalyzer.           (Empty)
hmac-algorithm                  FortiAnalyzer IPsec tunnel HMAC algorithm.                  sha256
enc-algorithm                   Enable/disable sending of FortiAnalyzer log data with SSL encryption.  high
conn-timeout                    FortiAnalyzer connection time-out in seconds (for status and log buffer).  10
monitor-keepalive-period        Time between OFTP keepalives in seconds (for status and log buffer).
monitor-failure-retry-period    Time between FortiAnalyzer connection retries in seconds (for status and log buffer).
mgmt-name                       Hidden management name of FortiAnalyzer.                    FGh_Log1
faz-type                        Hidden setting index of FortiAnalyzer.
source-ip                       Source IPv4 or IPv6 address used to communicate with FortiAnalyzer.  (Empty)
__change_ip                     Hidden attribute.
upload-option                   Enable/disable logging to hard disk and then upload to FortiAnalyzer.  realtime
upload-interval                 Frequency to check log file for upload.                     daily
upload-day                      Days of week (month) to upload logs.                        (Empty)
upload-time                     Time to upload logs (hh:mm).                                00:59
reliable                        Enable/disable reliable logging to FortiAnalyzer.           disable
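
An added configuration example, not taken from this reference or from Fortinet, that pairs the setting and filter branches above: logs are shipped to a FortiAnalyzer with the stronger transport choices this branch exposes (high-strength encryption, SHA-256 HMAC, reliable delivery, pinned source address) and the filter restricts what is sent. It is entered as `config log fortianalyzer setting` / `config log fortianalyzer filter` (this reference lists the branches as log.fortianalyzer/setting and log.fortianalyzer/filter); the collector and source addresses and the timer values are constructed assumptions, and lines starting with # are commentary.

```fortios
# Added example (not Fortinet's text). Addresses and timer values are constructed.
config log fortianalyzer setting
    set status enable
    set ips-archive enable
    # Placeholder address of the collector.
    set server 198.51.100.20
    # enc-algorithm disable would send the OFTP log stream in the clear and
    # low/default allow weaker cipher sets; high keeps only the strongest.
    set enc-algorithm high
    # sha1 is the weaker of the two HMAC choices offered; prefer sha256.
    set hmac-algorithm sha256
    # Reliable delivery so a dropped collector connection is noticed rather
    # than silently losing events.
    set reliable enable
    # Pin the source address so path firewalls can be tightened to one host.
    set source-ip 203.0.113.1
    set conn-timeout 10
    set monitor-keepalive-period 5
    set monitor-failure-retry-period 5
    # Send in real time instead of buffering to disk and uploading on a schedule.
    set upload-option realtime
end
# Restrict the feed to the categories worth shipping; severity is the floor.
config log fortianalyzer filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic disable
    set sniffer-traffic disable
    set anomaly enable
    set voip disable
    set gtp disable
    set filter-type include
end
```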


log.fortianalyzer2/filter
CLI Syntax
config log.fortianalyzer2 filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {}
        set netscan-vulnerability {}
        set voip {enable | disable}
        set dlp-archive {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end


Description

Configuration                   Description                                                 Default Value

severity                        Lowest severity level to log.                               information
forward-traffic                 Enable/disable log through traffic messages.                enable
local-traffic                   Enable/disable log local in or out traffic messages.        enable
multicast-traffic               Enable/disable log multicast traffic messages.              enable
sniffer-traffic                 Enable/disable log sniffer traffic messages.                enable
anomaly                         Enable/disable log anomaly messages.                        enable
netscan-discovery               Enable/disable log netscan discovery events.
netscan-vulnerability           Enable/disable log netscan vulnerability events.
voip                            Enable/disable log VoIP messages.                           enable
dlp-archive                     Enable/disable log DLP archive.                             enable
gtp                             Enable/disable log GTP messages.                            enable
filter                          Log filter for the log device.                              (Empty)
filter-type                     Include/exclude logs that match the filter setting.         include


log.fortianalyzer2/setting
CLI Syntax
config log.fortianalyzer2 setting
    edit <name_str>
        set status {enable | disable}
        set ips-archive {enable | disable}
        set server <string>
        set hmac-algorithm {sha256 | sha1}
        set enc-algorithm {default | high | low | disable}
        set conn-timeout <integer>
        set monitor-keepalive-period <integer>
        set monitor-failure-retry-period <integer>
        set mgmt-name <string>
        set faz-type <integer>
        set source-ip <string>
        set __change_ip <integer>
        set upload-option {store-and-upload | realtime}
        set upload-interval {daily | weekly | monthly}
        set upload-day <user>
        set upload-time <user>
        set reliable {enable | disable}
    end


Description

Configuration                   Description                                                 Default Value

status                          Enable/disable FortiAnalyzer.                               disable
ips-archive                     Enable/disable IPS packet archive.                          enable
server                          IPv4 or IPv6 address of the remote FortiAnalyzer.           (Empty)
hmac-algorithm                  FortiAnalyzer IPsec tunnel HMAC algorithm.                  sha256
enc-algorithm                   Enable/disable sending of FortiAnalyzer log data with SSL encryption.  high
conn-timeout                    FortiAnalyzer connection time-out in seconds (for status and log buffer).  10
monitor-keepalive-period        Time between OFTP keepalives in seconds (for status and log buffer).
monitor-failure-retry-period    Time between FortiAnalyzer connection retries in seconds (for status and log buffer).
mgmt-name                       Hidden management name of FortiAnalyzer.                    FGh_Log2
faz-type                        Hidden setting index of FortiAnalyzer.
source-ip                       Source IPv4 or IPv6 address used to communicate with FortiAnalyzer.  (Empty)
__change_ip                     Hidden attribute.
upload-option                   Enable/disable logging to hard disk and then upload to FortiAnalyzer.  realtime
upload-interval                 Frequency to check log file for upload.                     daily
upload-day                      Days of week (month) to upload logs.                        (Empty)
upload-time                     Time to upload logs (hh:mm).                                00:59
reliable                        Enable/disable reliable logging to FortiAnalyzer.           disable


log.fortianalyzer3/filter
CLI Syntax
config log.fortianalyzer3 filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {}
        set netscan-vulnerability {}
        set voip {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end


Description

Configuration                   Description                                                 Default Value

severity                        Lowest severity level to log.                               information
forward-traffic                 Enable/disable log through traffic messages.                enable
local-traffic                   Enable/disable log local in or out traffic messages.        enable
multicast-traffic               Enable/disable log multicast traffic messages.              enable
sniffer-traffic                 Enable/disable log sniffer traffic messages.                enable
anomaly                         Enable/disable log anomaly messages.                        enable
netscan-discovery               Enable/disable log netscan discovery events.
netscan-vulnerability           Enable/disable log netscan vulnerability events.
voip                            Enable/disable log VoIP messages.                           enable
gtp                             Enable/disable log GTP messages.                            enable
filter                          Log filter for the log device.                              (Empty)
filter-type                     Include/exclude logs that match the filter setting.         include


log.fortianalyzer3/setting
CLI Syntax
config log.fortianalyzer3 setting
    edit <name_str>
        set status {enable | disable}
        set ips-archive {enable | disable}
        set server <string>
        set hmac-algorithm {sha256 | sha1}
        set enc-algorithm {default | high | low | disable}
        set conn-timeout <integer>
        set monitor-keepalive-period <integer>
        set monitor-failure-retry-period <integer>
        set mgmt-name <string>
        set faz-type <integer>
        set source-ip <string>
        set __change_ip <integer>
        set upload-option {store-and-upload | realtime}
        set upload-interval {daily | weekly | monthly}
        set upload-day <user>
        set upload-time <user>
        set reliable {enable | disable}
    end


Description

Configuration                   Description                                                 Default Value

status                          Enable/disable FortiAnalyzer.                               disable
ips-archive                     Enable/disable IPS packet archive.                          enable
server                          IPv4 or IPv6 address of the remote FortiAnalyzer.           (Empty)
hmac-algorithm                  FortiAnalyzer IPsec tunnel HMAC algorithm.                  sha256
enc-algorithm                   Enable/disable sending of FortiAnalyzer log data with SSL encryption.  high
conn-timeout                    FortiAnalyzer connection time-out in seconds (for status and log buffer).  10
monitor-keepalive-period        Time between OFTP keepalives in seconds (for status and log buffer).
monitor-failure-retry-period    Time between FortiAnalyzer connection retries in seconds (for status and log buffer).
mgmt-name                       Hidden management name of FortiAnalyzer.                    FGh_Log3
faz-type                        Hidden setting index of FortiAnalyzer.
source-ip                       Source IPv4 or IPv6 address used to communicate with FortiAnalyzer.  (Empty)
__change_ip                     Hidden attribute.
upload-option                   Enable/disable logging to hard disk and then upload to FortiAnalyzer.  realtime
upload-interval                 Frequency to check log file for upload.                     daily
upload-day                      Days of week (month) to upload logs.                        (Empty)
upload-time                     Time to upload logs (hh:mm).                                00:59
reliable                        Enable/disable reliable logging to FortiAnalyzer.           disable


log.fortiguard/filter
CLI Syntax
config log.fortiguard filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {}
        set netscan-vulnerability {}
        set voip {enable | disable}
        set dlp-archive {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end


Description

Configuration                   Description                                                 Default Value

severity                        Lowest severity level to log.                               information
forward-traffic                 Enable/disable log through traffic messages.                enable
local-traffic                   Enable/disable log local in or out traffic messages.        enable
multicast-traffic               Enable/disable log multicast traffic messages.              enable
sniffer-traffic                 Enable/disable log sniffer traffic messages.                enable
anomaly                         Enable/disable log anomaly messages.                        enable
netscan-discovery               Enable/disable log netscan discovery events.
netscan-vulnerability           Enable/disable log netscan vulnerability events.
voip                            Enable/disable log VoIP messages.                           enable
dlp-archive                     Enable/disable log DLP archive.                             enable
gtp                             Enable/disable log GTP messages.                            enable
filter                          Log filter for the log device.                              (Empty)
filter-type                     Include/exclude logs that match the filter setting.         include


log.fortiguard/override-filter
CLI Syntax
config log.fortiguard override-filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {}
        set netscan-vulnerability {}
        set voip {enable | disable}
        set dlp-archive {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end


Description

Configuration                   Description                                                 Default Value

severity                        Lowest severity level to log.                               information
forward-traffic                 Enable/disable log through traffic messages.                enable
local-traffic                   Enable/disable log local in or out traffic messages.        enable
multicast-traffic               Enable/disable log multicast traffic messages.              enable
sniffer-traffic                 Enable/disable log sniffer traffic messages.                enable
anomaly                         Enable/disable log anomaly messages.                        enable
netscan-discovery               Enable/disable log netscan discovery events.
netscan-vulnerability           Enable/disable log netscan vulnerability events.
voip                            Enable/disable log VoIP messages.                           enable
dlp-archive                     Enable/disable log DLP archive.                             enable
gtp                             Enable/disable log GTP messages.                            enable
filter                          Log filter for the log device.                              (Empty)
filter-type                     Include/exclude logs that match the filter setting.         include


log.fortiguard/override-setting
CLI Syntax
config log.fortiguard override-setting
    edit <name_str>
        set override {enable | disable}
        set status {enable | disable}
        set upload-option {store-and-upload | realtime}
        set upload-interval {daily | weekly | monthly}
        set upload-day <user>
        set upload-time <user>
    end


Description

Configuration                   Description                                                 Default Value

override                        Enable/disable override FortiGuard settings or use the global settings.  disable
status                          Enable FortiCloud.                                          disable
upload-option                   Enable/disable logging to hard disk and then upload to FortiCloud.  realtime
upload-interval                 Frequency to check log file for upload.                     daily
upload-day                      Days of week to roll logs.                                  (Empty)
upload-time                     Time to roll logs (hh:mm).                                  00:00


log.fortiguard/setting
CLI Syntax
config log.fortiguard setting
    edit <name_str>
        set status {enable | disable}
        set upload-option {store-and-upload | realtime}
        set upload-interval {daily | weekly | monthly}
        set upload-day <user>
        set upload-time <user>
        set enc-algorithm {default | high | low | disable}
        set source-ip <ipv4-address>
    end


Description

Configuration                   Description                                                 Default Value

status                          Enable FortiCloud.                                          disable
upload-option                   Enable/disable logging to hard disk and then upload to FortiCloud.  realtime
upload-interval                 Frequency to check log file for upload.                     daily
upload-day                      Days of week to roll logs.                                  (Empty)
upload-time                     Time to roll logs (hh:mm).                                  00:00
enc-algorithm                   Enable/disable sending of FortiCloud log data with SSL encryption.  high
source-ip                       Source IP address used to connect to FortiCloud.            0.0.0.0


log.memory/filter
CLI Syntax
config log.memory filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {}
        set netscan-vulnerability {}
        set voip {enable | disable}
        set gtp {enable | disable}
        set event {enable | disable}
        set system {enable | disable}
        set radius {enable | disable}
        set ipsec {enable | disable}
        set dhcp {enable | disable}
        set ppp {enable | disable}
        set admin {enable | disable}
        set ha {enable | disable}
        set auth {enable | disable}
        set pattern {enable | disable}
        set sslvpn-log-auth {enable | disable}
        set sslvpn-log-adm {enable | disable}
        set sslvpn-log-session {enable | disable}
        set vip-ssl {enable | disable}
        set ldb-monitor {enable | disable}
        set wan-opt {enable | disable}
        set wireless-activity {enable | disable}
        set cpu-memory-usage {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end


Description

Configuration                   Description                                                 Default Value

severity                        Lowest severity level to log.                               information
forward-traffic                 Enable/disable log through traffic messages.                enable
local-traffic                   Enable/disable log local in or out traffic messages.        enable
multicast-traffic               Enable/disable log multicast traffic messages.              enable
sniffer-traffic                 Enable/disable log sniffer traffic messages.                enable
anomaly                         Enable/disable log anomaly messages.                        enable
netscan-discovery               Enable/disable log netscan discovery events.
netscan-vulnerability           Enable/disable log netscan vulnerability events.
voip                            Enable/disable log VoIP messages.                           enable
gtp                             Enable/disable log GTP messages.                            enable
event                           Enable/disable log event messages.                          enable
system                          Enable/disable log system activity messages.                enable
radius                          Enable/disable log RADIUS messages.                         enable
ipsec                           Enable/disable log IPsec negotiation messages.              enable
dhcp                            Enable/disable log DHCP service messages.                   enable
ppp                             Enable/disable log L2TP/PPTP/PPPoE messages.                enable
admin                           Enable/disable log admin login/logout messages.             enable
ha                              Enable/disable log HA activity messages.                    enable
auth                            Enable/disable log firewall authentication messages.        enable
pattern                         Enable/disable log pattern update messages.                 enable
sslvpn-log-auth                 Enable/disable log SSL user authentication.                 enable
sslvpn-log-adm                  Enable/disable log SSL administration.                      enable
sslvpn-log-session              Enable/disable log SSL session.                             enable
vip-ssl                         Enable/disable log VIP SSL messages.                        enable
ldb-monitor                     Enable/disable log VIP real server health monitoring messages.  enable
wan-opt                         Enable/disable log WAN optimization messages.               enable
wireless-activity               Enable/disable log wireless activity.                       enable
cpu-memory-usage                Enable/disable log CPU & memory usage every 5 minutes.      disable
filter                          Log filter for the log device.                              (Empty)
filter-type                     Include/exclude logs that match the filter setting.         include

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

271

log.memory/global-setting
CLI Syntax
config log memory global-setting
set max-size <integer>
set full-first-warning-threshold <integer>
set full-second-warning-threshold <integer>
set full-final-warning-threshold <integer>
end

Description
Configuration                   Description                                                    Default Value
max-size                        Maximum memory buffer size for logs (bytes).                   163840
full-first-warning-threshold    Log-full first warning threshold, percent (1 - 98).            75
full-second-warning-threshold   Log-full second warning threshold, percent (2 - 99).           90
full-final-warning-threshold    Log-full final warning threshold, percent (3 - 100).           95

log.memory/setting
CLI Syntax
config log memory setting
set status {enable | disable}
set diskfull {overwrite}
end

Description
Configuration              Description                                                          Default Value
status                     Enable/disable the memory buffer log.                                enable
diskfull                   Action when the memory buffer is full (overwrite is the only option). overwrite
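The three log.memory tables work together: the filter decides which categories and severities enter the RAM buffer, global-setting sizes the buffer and its fill warnings, and setting switches the buffer on. The fragment below is an added example, not configuration taken from this reference; it keeps the default 160 KB buffer for warning-and-above security events only, so that high-volume traffic and CPU samples cannot overwrite an admin login or an IPsec failure before anyone reads it. The threshold values are assumed choices that satisfy the ordering the ranges imply (first < second < final); max-size is left at its default because the accepted range is model dependent and not stated here. Lines starting with # are annotations and are not CLI input. This reference prints table paths with a dot (log.memory); at the CLI they are typed with a space, as here.

```fortios
# Added example: reserve the volatile memory buffer for high-value events.
config log memory setting
    set status enable
    # "overwrite" is the only full-buffer action: oldest entries are lost first
    set diskfull overwrite
end
config log memory filter
    # drop information/notification/debug; the buffer is too small for them
    set severity warning
    # traffic logs are the bulk of the volume; keep them on disk/syslog instead
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    # anomaly (DoS) and authentication events are what you want to find here
    set anomaly enable
    set event enable
    set admin enable
    set auth enable
    set ha enable
    set ipsec enable
    set sslvpn-log-auth enable
    set sslvpn-log-adm enable
    # 5-minute CPU/memory samples would crowd out real events
    set cpu-memory-usage disable
end
config log memory global-setting
    # warnings at 70 %, 85 % and 95 % of max-size (assumed values)
    set full-first-warning-threshold 70
    set full-second-warning-threshold 85
    set full-final-warning-threshold 95
end
# Read back the result and confirm the buffer is still enabled.
get log memory setting
get log memory filter
get log memory global-setting
```

Because the buffer is RAM and overwrite is its only full-buffer behaviour, nothing in it survives a reboot or a busy hour; treat it as a troubleshooting window and keep a remote destination (syslog or FortiAnalyzer, configured in the tables that follow) as the record you would bring to an incident.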

log.syslogd/filter
CLI Syntax
config log syslogd filter
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

Description
Configuration              Description                                                          Default Value
severity                   Lowest severity level to log.                                        information
forward-traffic            Enable/disable logging of forwarded (through) traffic messages.      enable
local-traffic              Enable/disable logging of local-in and local-out traffic messages.   enable
multicast-traffic          Enable/disable logging of multicast traffic messages.                enable
sniffer-traffic            Enable/disable logging of sniffer traffic messages.                  enable
anomaly                    Enable/disable logging of anomaly messages.                          enable
netscan-discovery          Enable/disable logging of netscan discovery events.
netscan-vulnerability      Enable/disable logging of netscan vulnerability events.
voip                       Enable/disable logging of VoIP messages.                             enable
gtp                        Enable/disable logging of GTP messages.                              enable
filter                     Log filter for the log device.                                       (Empty)
filter-type                Include or exclude logs that match the filter setting.               include

log.syslogd/override-filter
CLI Syntax
config log syslogd override-filter
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

Description
Configuration              Description                                                          Default Value
severity                   Lowest severity level to log.                                        information
forward-traffic            Enable/disable logging of forwarded (through) traffic messages.      enable
local-traffic              Enable/disable logging of local-in and local-out traffic messages.   enable
multicast-traffic          Enable/disable logging of multicast traffic messages.                enable
sniffer-traffic            Enable/disable logging of sniffer traffic messages.                  enable
anomaly                    Enable/disable logging of anomaly messages.                          enable
netscan-discovery          Enable/disable logging of netscan discovery events.
netscan-vulnerability      Enable/disable logging of netscan vulnerability events.
voip                       Enable/disable logging of VoIP messages.                             enable
gtp                        Enable/disable logging of GTP messages.                              enable
filter                     Log filter for the log device.                                       (Empty)
filter-type                Include or exclude logs that match the filter setting.               include

log.syslogd/override-setting
CLI Syntax
config log syslogd override-setting
set override {enable | disable}
set status {enable | disable}
set server <string>
set reliable {enable | disable}
set port <integer>
set csv {enable | disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
set source-ip <string>
end

Description
Configuration              Description                                                          Default Value
override                   Enable/disable overriding the global syslog settings.                disable
status                     Enable/disable remote syslog logging.                                disable
server                     Address of the remote syslog server.                                 (Empty)
reliable                   Enable/disable reliable logging (RFC 3195).                          disable
port                       Server listen port.                                                  514
csv                        Enable/disable CSV formatting of logs.                               disable
facility                   Remote syslog facility.                                              local7
source-ip                  Source IP address used for syslog.                                   (Empty)

log.syslogd/setting
CLI Syntax
config log syslogd setting
set status {enable | disable}
set server <string>
set reliable {enable | disable}
set port <integer>
set csv {enable | disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
set source-ip <string>
end

Description
Configuration              Description                                                          Default Value
status                     Enable/disable remote syslog logging.                                disable
server                     Address of the remote syslog server.                                 (Empty)
reliable                   Enable/disable reliable logging (RFC 3195).                          disable
port                       Server listen port.                                                  514
csv                        Enable/disable CSV formatting of logs.                               disable
facility                   Remote syslog facility.                                              local7
source-ip                  Source IP address used for syslog.                                   (Empty)
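A syslog destination is two tables: the setting table says where and how to send, the matching filter table says what. The fragment below is an added example rather than configuration from this reference: it sends everything at information and above to a primary collector over the RFC 3195 reliable (TCP) transport, and a second, sparser feed to a backup collector through the syslogd2 tables that follow. The addresses 10.0.9.20, 10.0.9.21 and 10.0.9.1 and the facility local5 are assumed placeholders; the `diagnose log test` and `diagnose sniffer packet` commands are standard FortiOS diagnostics used here to check the result. Lines starting with # are annotations and are not CLI input.

```fortios
# Added example: primary collector, reliable transport, pinned source address.
config log syslogd setting
    set status enable
    set server "10.0.9.20"
    # RFC 3195 reliable mode uses TCP; the collector must accept TCP on this port
    set reliable enable
    set port 514
    # key=value is the default; leave csv off unless the collector expects CSV
    set csv disable
    # local7 is the default facility; use a dedicated one so the collector can
    # route FortiGate events separately from other local7 sources
    set facility local5
    # fix the source so the stream always leaves via the management network
    set source-ip "10.0.9.1"
end
config log syslogd filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set anomaly enable
    set filter-type include
end
# Backup collector: UDP (reliable disabled), notification and above only.
config log syslogd2 setting
    set status enable
    set server "10.0.9.21"
    set reliable disable
    set port 514
    set facility local5
    set source-ip "10.0.9.1"
end
config log syslogd2 filter
    set severity notification
end
# Verify: read the settings back, generate sample events of every type,
# and watch them leave on the wire.
get log syslogd setting
get log syslogd2 setting
diagnose log test
diagnose sniffer packet any 'host 10.0.9.20 and port 514' 4 5
```

Two caveats a practitioner would want recorded. None of the options in these tables encrypts or authenticates the stream: reliable mode gives delivery over TCP, not confidentiality, so the path to the collector should be an IPsec tunnel or a dedicated management segment, and the collector should accept FortiGate events only from the pinned source-ip. Inside a VDOM, the same settings are applied through log syslogd override-setting with override enabled, which replaces the global values for that VDOM only.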

log.syslogd2/filter
CLI Syntax
config log syslogd2 filter
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

Description
Configuration              Description                                                          Default Value
severity                   Lowest severity level to log.                                        information
forward-traffic            Enable/disable logging of forwarded (through) traffic messages.      enable
local-traffic              Enable/disable logging of local-in and local-out traffic messages.   enable
multicast-traffic          Enable/disable logging of multicast traffic messages.                enable
sniffer-traffic            Enable/disable logging of sniffer traffic messages.                  enable
anomaly                    Enable/disable logging of anomaly messages.                          enable
netscan-discovery          Enable/disable logging of netscan discovery events.
netscan-vulnerability      Enable/disable logging of netscan vulnerability events.
voip                       Enable/disable logging of VoIP messages.                             enable
gtp                        Enable/disable logging of GTP messages.                              enable
filter                     Log filter for the log device.                                       (Empty)
filter-type                Include or exclude logs that match the filter setting.               include

log.syslogd2/setting
CLI Syntax
config log syslogd2 setting
set status {enable | disable}
set server <string>
set reliable {enable | disable}
set port <integer>
set csv {enable | disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
set source-ip <string>
end

Description
Configuration              Description                                                          Default Value
status                     Enable/disable remote syslog logging.                                disable
server                     Address of the remote syslog server.                                 (Empty)
reliable                   Enable/disable reliable logging (RFC 3195).                          disable
port                       Server listen port.                                                  514
csv                        Enable/disable CSV formatting of logs.                               disable
facility                   Remote syslog facility.                                              local7
source-ip                  Source IP address used for syslog.                                   (Empty)

log.syslogd3/filter
CLI Syntax
config log syslogd3 filter
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

Description
Configuration              Description                                                          Default Value
severity                   Lowest severity level to log.                                        information
forward-traffic            Enable/disable logging of forwarded (through) traffic messages.      enable
local-traffic              Enable/disable logging of local-in and local-out traffic messages.   enable
multicast-traffic          Enable/disable logging of multicast traffic messages.                enable
sniffer-traffic            Enable/disable logging of sniffer traffic messages.                  enable
anomaly                    Enable/disable logging of anomaly messages.                          enable
netscan-discovery          Enable/disable logging of netscan discovery events.
netscan-vulnerability      Enable/disable logging of netscan vulnerability events.
voip                       Enable/disable logging of VoIP messages.                             enable
gtp                        Enable/disable logging of GTP messages.                              enable
filter                     Log filter for the log device.                                       (Empty)
filter-type                Include or exclude logs that match the filter setting.               include

log.syslogd3/setting
CLI Syntax
config log syslogd3 setting
set status {enable | disable}
set server <string>
set reliable {enable | disable}
set port <integer>
set csv {enable | disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
set source-ip <string>
end

Description
Configuration              Description                                                          Default Value
status                     Enable/disable remote syslog logging.                                disable
server                     Address of the remote syslog server.                                 (Empty)
reliable                   Enable/disable reliable logging (RFC 3195).                          disable
port                       Server listen port.                                                  514
csv                        Enable/disable CSV formatting of logs.                               disable
facility                   Remote syslog facility.                                              local7
source-ip                  Source IP address used for syslog.                                   (Empty)

log.syslogd4/filter
CLI Syntax
config log syslogd4 filter
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

Description
Configuration              Description                                                          Default Value
severity                   Lowest severity level to log.                                        information
forward-traffic            Enable/disable logging of forwarded (through) traffic messages.      enable
local-traffic              Enable/disable logging of local-in and local-out traffic messages.   enable
multicast-traffic          Enable/disable logging of multicast traffic messages.                enable
sniffer-traffic            Enable/disable logging of sniffer traffic messages.                  enable
anomaly                    Enable/disable logging of anomaly messages.                          enable
netscan-discovery          Enable/disable logging of netscan discovery events.
netscan-vulnerability      Enable/disable logging of netscan vulnerability events.
voip                       Enable/disable logging of VoIP messages.                             enable
gtp                        Enable/disable logging of GTP messages.                              enable
filter                     Log filter for the log device.                                       (Empty)
filter-type                Include or exclude logs that match the filter setting.               include

log.syslogd4/setting
CLI Syntax
config log syslogd4 setting
set status {enable | disable}
set server <string>
set reliable {enable | disable}
set port <integer>
set csv {enable | disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
set source-ip <string>
end

Description
Configuration              Description                                                          Default Value
status                     Enable/disable remote syslog logging.                                disable
server                     Address of the remote syslog server.                                 (Empty)
reliable                   Enable/disable reliable logging (RFC 3195).                          disable
port                       Server listen port.                                                  514
csv                        Enable/disable CSV formatting of logs.                               disable
facility                   Remote syslog facility.                                              local7
source-ip                  Source IP address used for syslog.                                   (Empty)

log.webtrends/filter
CLI Syntax
config log webtrends filter
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

Description
Configuration              Description                                                          Default Value
severity                   Lowest severity level to log.                                        information
forward-traffic            Enable/disable logging of forwarded (through) traffic messages.      enable
local-traffic              Enable/disable logging of local-in and local-out traffic messages.   enable
multicast-traffic          Enable/disable logging of multicast traffic messages.                enable
sniffer-traffic            Enable/disable logging of sniffer traffic messages.                  enable
anomaly                    Enable/disable logging of anomaly messages.                          enable
netscan-discovery          Enable/disable logging of netscan discovery events.
netscan-vulnerability      Enable/disable logging of netscan vulnerability events.
voip                       Enable/disable logging of VoIP messages.                             enable
gtp                        Enable/disable logging of GTP messages.                              enable
filter                     Log filter for the log device.                                       (Empty)
filter-type                Include or exclude logs that match the filter setting.               include

log.webtrends/setting
CLI Syntax
config log webtrends setting
set status {enable | disable}
set server <string>
end

Description
Configuration              Description                                                          Default Value
status                     Enable/disable WebTrends logging.                                    disable
server                     Address of the remote WebTrends server.                              (Empty)

log/custom-field
CLI Syntax
config log custom-field
edit <id>
set id <string>
set name <string>
set value <string>
end

Description
Configuration              Description                                                          Default Value
id                         Custom field ID.                                                     (Empty)
name                       Field name.                                                          (Empty)
value                      Field value.                                                         (Empty)

log/eventfilter
CLI Syntax
config log eventfilter
set event {enable | disable}
set system {enable | disable}
set vpn {enable | disable}
set user {enable | disable}
set router {enable | disable}
set wireless-activity {enable | disable}
set wan-opt {enable | disable}
set endpoint {enable | disable}
set ha {enable | disable}
set compliance-check {enable | disable}
end

Description
Configuration              Description                                                          Default Value
event                      Enable/disable logging of event messages.                            enable
system                     Enable/disable logging of system activity messages.                  enable
vpn                        Enable/disable logging of VPN messages.                              enable
user                       Enable/disable logging of user activity messages.                    enable
router                     Enable/disable logging of router activity.                           enable
wireless-activity          Enable/disable logging of wireless activity.                         enable
wan-opt                    Enable/disable logging of WAN optimization messages.                 enable
endpoint                   Enable/disable logging of endpoint events.                           enable
ha                         Enable/disable logging of HA events.                                 enable
compliance-check           Enable/disable logging of PCI DSS compliance checks.                 enable

log/gui-display
CLI Syntax
config log gui-display
set resolve-hosts {enable | disable}
set resolve-apps {enable | disable}
set fortiview-unscanned-apps {enable | disable}
set fortiview-local-traffic {enable | disable}
set location {memory | disk | fortianalyzer | fortiguard}
end

Description
Configuration              Description                                                          Default Value
resolve-hosts              Resolve IP addresses to hostnames on the GUI using reverse DNS.      enable
resolve-apps               Resolve unknown applications on the GUI using the remote
                           application database.                                                enable
fortiview-unscanned-apps   Enable/disable inclusion of unscanned traffic in FortiView
                           application charts.                                                  disable
fortiview-local-traffic    Enable/disable inclusion of local-in traffic in FortiView
                           realtime charts.                                                     disable
location                   Log location shown on the GUI.                                       memory

log/setting
CLI Syntax
config log setting
set resolve-ip {enable | disable}
set resolve-port {enable | disable}
set log-user-in-upper {enable | disable}
set fwpolicy-implicit-log {enable | disable}
set fwpolicy6-implicit-log {enable | disable}
set log-invalid-packet {enable | disable}
set local-in-allow {enable | disable}
set local-in-deny-unicast {enable | disable}
set local-in-deny-broadcast {enable | disable}
set local-out {enable | disable}
set daemon-log {enable | disable}
set neighbor-event {enable | disable}
set brief-traffic-format {enable | disable}
set user-anonymize {enable | disable}
set fortiview-weekly-data {enable | disable}
end

Description
Configuration              Description                                                          Default Value
resolve-ip                 Add the resolved domain name to the traffic log when possible.       disable
resolve-port               Add the resolved service name to the traffic log when possible.      enable
log-user-in-upper          Enable/disable logging user names in upper case.                     disable
fwpolicy-implicit-log      Enable/disable logging of traffic hitting the implicit (IPv4)
                           firewall policy.                                                     disable
fwpolicy6-implicit-log     Enable/disable logging of traffic hitting the implicit IPv6
                           firewall policy.                                                     disable
log-invalid-packet         Enable/disable logging of invalid packets in the traffic log.        disable
local-in-allow             Enable/disable logging of allowed local-in traffic.                  disable
local-in-deny-unicast      Enable/disable logging of denied local-in unicast traffic.           disable
local-in-deny-broadcast    Enable/disable logging of denied local-in broadcast traffic.         disable
local-out                  Enable/disable logging of local-out traffic.                         disable
daemon-log                 Enable/disable collection of daemon logs.                            disable
neighbor-event             Enable/disable logging of neighbor events.                           disable
brief-traffic-format       Enable/disable the brief format for traffic logs.                    disable
user-anonymize             Enable/disable anonymizing the user name in logs.                    disable
fortiview-weekly-data      Enable/disable FortiView weekly data.                                disable
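Every switch in log/setting defaults to off except resolve-port, and the ones that matter for detection are exactly the ones that are off: traffic that hit the implicit deny, traffic aimed at the FortiGate itself, and invalid packets. The fragment below is an added example, not configuration from this reference, and it also uses the log/eventfilter and log/custom-field tables above; the site tag value "dc1-edge" is an assumed placeholder, and the firewall-policy attribute that references a custom field (custom-log-fields) is outside the tables shown here. Lines starting with # are annotations and are not CLI input.

```fortios
# Added example: log what an intruder's first steps generate.
config log setting
    # port scans and misrouted traffic that no policy allowed
    set fwpolicy-implicit-log enable
    set fwpolicy6-implicit-log enable
    # connections to the FortiGate itself: admin ports, VPN, DNS
    set local-in-allow enable
    set local-in-deny-unicast enable
    # broadcast denials are noise on most segments; leave them off
    set local-in-deny-broadcast disable
    set local-out enable
    set log-invalid-packet enable
    # keep full records and real user names so events can be attributed
    set brief-traffic-format disable
    set user-anonymize disable
    # reverse DNS at log time adds resolver traffic and delay; resolve later
    set resolve-ip disable
    set resolve-port enable
end
config log eventfilter
    set event enable
    set system enable
    set vpn enable
    set user enable
    set router enable
    set ha enable
    set endpoint enable
    set compliance-check enable
end
# A custom field stamps policy traffic logs with a site identifier so a
# central collector can separate devices that share a configuration.
config log custom-field
    edit "1"
        set name "site"
        set value "dc1-edge"
    next
end
get log setting
get log eventfilter
```

Turning on implicit-deny and local-in logging multiplies log volume on an exposed interface, so size the memory buffer filter and the syslog filters above accordingly, or the events you enabled here will be the first to be overwritten. user-anonymize is a privacy control with a cost: once enabled, no downstream system can tie a session to an account.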

log/threat-weight
CLI Syntax
config log threat-weight
set status {enable | disable}
config level
set low <integer>
set medium <integer>
set high <integer>
set critical <integer>
end
set blocked-connection {disable | low | medium | high | critical}
set failed-connection {disable | low | medium | high | critical}
set malware-detected {disable | low | medium | high | critical}
set url-block-detected {disable | low | medium | high | critical}
set botnet-connection-detected {disable | low | medium | high | critical}
config ips
set info-severity {disable | low | medium | high | critical}
set low-severity {disable | low | medium | high | critical}
set medium-severity {disable | low | medium | high | critical}
set high-severity {disable | low | medium | high | critical}
set critical-severity {disable | low | medium | high | critical}
end
config web
edit <id>
set id <integer>
set category <integer>
set level {disable | low | medium | high | critical}
end
config geolocation
edit <id>
set id <integer>
set country <string>
set level {disable | low | medium | high | critical}
end
config application
edit <id>
set id <integer>
set category <integer>
set level {disable | low | medium | high | critical}
end
end

Description
Configuration                Description                                                        Default Value
status                       Enable/disable threat weight scoring.                              enable
level                        Level-to-score mapping.                                            Details below
    low                                                                                         5
    medium                                                                                      10
    high                                                                                        30
    critical                                                                                    50
blocked-connection           Score level for blocked connections.                               high
failed-connection            Score level for failed connections.                                low
malware-detected             Score level for detected malware.                                  critical
url-block-detected           Score level for blocked URLs.                                      high
botnet-connection-detected   Score level for detected botnet connections.                       critical
ips                          IPS reputation settings.                                           Details below
    info-severity                                                                               disable
    low-severity                                                                                low
    medium-severity                                                                             medium
    high-severity                                                                               high
    critical-severity                                                                           critical
web                          Web-category based threat weight settings.                         (Empty)
geolocation                  Geolocation based threat weight settings.                          (Empty)
application                  Application-control based threat weight settings.                  (Empty)

netscan/assets
CLI Syntax
config netscan assets
edit <id>
set asset-id <integer>
set name <string>
set scheduled {disable | enable}
set addr-type {ip | range}
set start-ip <ipv4-address-any>
set end-ip <ipv4-address-any>
set auth-windows {disable | enable}
set auth-unix {disable | enable}
set win-username <string>
set win-password <password>
set unix-username <string>
set unix-password <password>
end

Description
Configuration              Description                                                          Default Value
asset-id                   Asset ID.
name                       Name of this asset.                                                  (Empty)
scheduled                  Enable/disable including this asset in the scheduled
                           vulnerability scan.                                                  disable
addr-type                  Single IP address or address range.                                  ip
start-ip                   IP address of the asset, or start of the asset range.                0.0.0.0
end-ip                     End of the asset range.                                              0.0.0.0
auth-windows               Enable/disable authenticated scanning of Windows hosts.              disable
auth-unix                  Enable/disable authenticated scanning of UNIX hosts.                 disable
win-username               User name for Windows hosts.                                         (Empty)
win-password               Password for Windows hosts.                                          (Empty)
unix-username              User name for UNIX hosts.                                            (Empty)
unix-password              Password for UNIX hosts.                                             (Empty)

netscan/settings
CLI Syntax
config netscan settings
set scan-mode {quick | standard | full}
set scheduled-pause {disable | enable}
set time <user>
set pause-from <user>
set pause-to <user>
set recurrence {daily | weekly | monthly}
set day-of-week {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set day-of-month <integer>
set tcp-ports <user>
set udp-ports <user>
set tcp-scan {auto | enable | disable}
set udp-scan {auto | enable | disable}
set service-detection {auto | enable | disable}
set os-detection {auto | enable | disable}
end

Description
Configuration              Description                                                          Default Value
scan-mode                  Level of vulnerability scanning to perform on ports.                 quick
scheduled-pause            Enable/disable a daily window during which scanning pauses.          disable
time                       Time of day (hh:mm) to start the scan.                               00:00
pause-from                 Time of day (hh:mm) to pause scanning.                               00:00
pause-to                   Time of day (hh:mm) to resume scanning.                              00:00
recurrence                 Frequency at which the scans recur.                                  weekly
day-of-week                Day of the week on which to run the scan.                            sunday
day-of-month               Day of the month on which to run the scan.
tcp-ports                  TCP ports scanned.                                                   (Empty)
udp-ports                  UDP ports scanned.                                                   (Empty)
tcp-scan                   Enable/disable TCP port scanning.                                    auto
udp-scan                   Enable/disable UDP port scanning.                                    auto
service-detection          Enable/disable service detection.                                    auto
os-detection               Enable/disable OS detection.                                         auto
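The netscan tables split the job between assets (what to scan and with which credentials) and settings (when and how). The fragment below is an added example rather than configuration from this reference: one address range scanned weekly out of hours with authenticated checks, and a daily pause so the probes do not run during the business day. The range 10.0.20.10-10.0.20.40, the account name svc-vulnscan and the masked passwords are assumed placeholders. Lines starting with # are annotations and are not CLI input.

```fortios
# Added example: weekly authenticated scan of a DMZ range, paused by day.
config netscan assets
    edit 1
        set name "dmz-web"
        set addr-type range
        set start-ip 10.0.20.10
        set end-ip 10.0.20.40
        set scheduled enable
        # Authenticated checks need host credentials. They are stored in the
        # FortiGate configuration, and therefore in every backup of it, so use
        # a dedicated low-privilege scanning account rather than an admin one.
        set auth-windows enable
        set win-username "svc-vulnscan"
        set win-password "********"
        set auth-unix enable
        set unix-username "svc-vulnscan"
        set unix-password "********"
    next
end
config netscan settings
    set scan-mode standard
    set recurrence weekly
    set day-of-week saturday
    set time 02:00
    # pause between 07:00 and 19:00 if a scan runs over
    set scheduled-pause enable
    set pause-from 07:00
    set pause-to 19:00
    set tcp-scan enable
    set udp-scan auto
    set service-detection enable
    set os-detection enable
end
get netscan settings
```

Two things to check before the first run: that the log filters above have netscan-discovery and netscan-vulnerability enabled on the destination where you expect to read the findings, and that the scanner account's password is rotated on the same schedule as any other service credential held in the device configuration.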

report/chart
CLI Syntax
config report chart
edit <name_str>
set name <string>
set policy <integer>
set type {graph | table}
set period {last24h | last7d}
config drill-down-charts
edit <id>
set id <integer>
set chart-name <string>
set status {enable | disable}
end
set comments <string>
set dataset <string>
set category {misc | traffic | event | virus | webfilter | attack | spam | dlp | app-ctrl | vulnerability}
set favorite {no | yes}
set graph-type {none | bar | pie | line | flow}
set style {auto | manual}
set dimension {2D | 3D}
config x-series
set databind <string>
set caption <string>
set caption-font-size <integer>
set font-size <integer>
set label-angle {45-degree | vertical | horizontal}
set is-category {yes | no}
set scale-unit {minute | hour | day | month | year}
set scale-step <integer>
set scale-direction {decrease | increase}
set scale-format {YYYY-MM-DD-HH-MM | YYYY-MM-DD HH | YYYY-MM-DD | YYYY-MM | YYYY | HH-MM | MM-DD}
set unit <string>
end
config y-series
set databind <string>
set caption <string>
set caption-font-size <integer>
set font-size <integer>
set label-angle {45-degree | vertical | horizontal}
set group <string>
set unit <string>
set extra-y {enable | disable}
set extra-databind <string>
set y-legend <string>
set extra-y-legend <string>
end
config category-series
set databind <string>
set font-size <integer>
end
config value-series
set databind <string>
end
set title <string>
set title-font-size <integer>
set background <string>
set color-palette <string>
set legend {enable | disable}
set legend-font-size <integer>
config column
edit <id>
set id <integer>
set header-value <string>
set detail-value <string>
set footer-value <string>
set detail-unit <string>
set footer-unit <string>
config mapping
edit <id>
set id <integer>
set op {none | greater | greater-equal | less | less-equal | equal | between}
set value-type {integer | string}
set value1 <string>
set value2 <string>
set displayname <string>
end
end
end

Description
Configuration              Description                                                          Default Value
name                       Chart widget name.                                                   (Empty)
policy                     Used by monitor policy.
type                       Chart type.                                                          graph
period                     Time period.                                                         last24h
drill-down-charts          Drill-down charts.                                                   (Empty)
comments                   Comment.                                                             (Empty)
dataset                    Dataset bound to the chart.                                          (Empty)
category                   Category.                                                            misc
favorite                   Favorite.                                                            no
graph-type                 Graph type.                                                          none
style                      Style.                                                               auto
dimension                  Dimension.                                                           3D
x-series                   X-series of the chart.                                               Details below
    databind                                                                                    (Empty)
    caption                                                                                     (Empty)
    caption-font-size                                                                           0
    font-size                                                                                   0
    label-angle                                                                                 45-degree
    is-category                                                                                 yes
    scale-unit                                                                                  day
    scale-step                                                                                  1
    scale-direction                                                                             decrease
    scale-format                                                                                YYYY-MM-DD-HH-MM
    unit                                                                                        (Empty)
y-series                   Y-series of the chart.                                               Details below
    databind                                                                                    (Empty)
    caption                                                                                     (Empty)
    caption-font-size                                                                           0
    font-size                                                                                   0
    label-angle                                                                                 horizontal
    group                                                                                       (Empty)
    unit                                                                                        (Empty)
    extra-y                                                                                     disable
    extra-databind                                                                              (Empty)
    y-legend                                                                                    (Empty)
    extra-y-legend                                                                              (Empty)
category-series            Category series of a pie chart.                                      Details below
    databind                                                                                    (Empty)
    font-size                                                                                   0
value-series               Value series of a pie chart.                                         Details below
    databind                                                                                    (Empty)
title                      Chart title.                                                         (Empty)
title-font-size            Font size of the chart title.
background                 Chart background.                                                    (Empty)
color-palette              Color palette (the system picks colors automatically by default).    (Empty)
legend                     Enable/disable the legend area.                                      enable
legend-font-size           Font size of the legend area.
column                     Table column definition.                                             (Empty)

report/dataset
CLI Syntax
config report dataset
edit <name_str>
set name <string>
set policy <integer>
set query <string>
config field
edit <id>
set id <integer>
set type {text | integer | double}
set name <string>
set displayname <string>
end
config parameters
edit <id>
set id <integer>
set display-name <string>
set field <string>
set data-type {text | integer | double | long-integer | date-time}
end
end

Description
Configuration              Description                                                          Default Value
name                       Dataset name.                                                        (Empty)
policy                     Used by monitor policy.
query                      SQL query statement.                                                 (Empty)
field                      Fields returned by the query.                                        (Empty)
parameters                 Query parameters.                                                    (Empty)
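A local report is a chain: a dataset holds the SQL query and declares the columns it returns, a chart binds those columns to its axes, and a layout body-item places the chart. The fragment below is an added example rather than configuration from this reference: a dataset and chart for the ten source addresses with the most denied sessions in the last 24 hours. It assumes the $log and $filter macros that the built-in datasets use to stand for the log table and the report's time/filter clause, and the srcip and action column names of the traffic log; the names "top-denied-sources" are chosen here. Lines starting with # are annotations and are not CLI input.

```fortios
# Added example: dataset + chart for top denied sources (last 24 h).
config report dataset
    edit "top-denied-sources"
        # $log / $filter are the macros used by the built-in datasets (assumed)
        set query "select srcip, count(*) as denied from $log where $filter and action='deny' group by srcip order by denied desc limit 10"
        # declare the result columns so charts can bind to them by name
        config field
            edit 1
                set type text
                set name "srcip"
                set displayname "Source"
            next
            edit 2
                set type integer
                set name "denied"
                set displayname "Denied sessions"
            next
        end
    next
end
config report chart
    edit "top-denied-sources"
        set dataset "top-denied-sources"
        set category traffic
        set type graph
        set graph-type bar
        set dimension 2D
        set period last24h
        set title "Top denied sources (24h)"
        config x-series
            set databind "srcip"
            set caption "Source"
            # sources are discrete labels, not a time scale
            set is-category yes
            set label-angle 45-degree
        end
        config y-series
            set databind "denied"
            set caption "Denied sessions"
        end
    next
end
show report dataset top-denied-sources
show report chart top-denied-sources
```

The query runs against the local log database, so the chart is empty unless disk logging of forward traffic is enabled and fwpolicy-implicit-log (log/setting above) is on; without the implicit-deny log, "deny" only covers explicit deny policies. The query text is stored in the configuration like any other setting and travels with backups; keep it to read-only selects over the log table.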

report/layout
CLI Syntax
config report layout
edit <name_str>
set name <string>
set title <string>
set subtitle <string>
set description <string>
set style-theme <string>
set options {include-table-of-content | auto-numbering-heading | view-chart-as-hea
ding | show-html-navbar-before-heading | dummy-option}
set format {html | pdf}
set schedule-type {demand | daily | weekly}
set day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set time <user>
set cutoff-option {run-time | custom}
set cutoff-time <user>
set email-send {enable | disable}
set email-recipients <string>
set max-pdf-report <integer>
config page
edit <name_str>
set paper {a4 | letter}
set column-break-before {heading1 | heading2 | heading3}
set page-break-before {heading1 | heading2 | heading3}
set options {header-on-first-page | footer-on-first-page}
config header
edit <name_str>
set style <string>
config header-item
edit <name_str>
set id <integer>
set description <string>
set type {text | image}
set style <string>
set content <string>
set img-src <string>
end
end
config footer
edit <name_str>
set style <string>
config footer-item
edit <name_str>
set id <integer>
set description <string>
set type {text | image}
set style <string>
set content <string>
set img-src <string>


end
end
end
config body-item
edit <name_str>
set id <integer>
set description <string>
set type {text | image | chart | misc}
set style <string>
set top-n <integer>
set hide {enable | disable}
config parameters
edit <name_str>
set id <integer>
set name <string>
set value <string>
end
set text-component {text | heading1 | heading2 | heading3}
set content <string>
set img-src <string>
set list-component {bullet | numbered}
config list
edit <name_str>
set id <integer>
set content <string>
end
set chart <string>
set chart-options {include-no-data | hide-title | show-caption}
set drill-down-items <string>
set drill-down-types <string>
set table-column-widths <string>
set table-caption-style <string>
set table-head-style <string>
set table-odd-row-style <string>
set table-even-row-style <string>
set misc-component {hline | page-break | column-break | section-start}
set column <integer>
set title <string>
end
end


Description
Configuration                     Description                                                                        Default Value
name                              Report layout name.                                                                (Empty)
title                             Report title.                                                                      (Empty)
subtitle                          Report subtitle.                                                                   (Empty)
description                       Description.                                                                       (Empty)
style-theme                       Report style theme.                                                                (Empty)
options                           Report layout options.                                                             include-table-of-content auto-numbering-heading view-chart-as-heading
format                            Report format.                                                                     html
schedule-type                     Report schedule type.                                                              daily
day                               Schedule days of week to generate report.                                          sunday
time                              Schedule time to generate report [hh:mm].                                          00:00
cutoff-option                     Cutoff-option is either run-time or custom.                                        run-time
cutoff-time                       Custom cutoff time to generate report [hh:mm].                                     00:00
email-send                        Enable/disable sending emails after reports are generated.                         disable
email-recipients                  Email recipients for generated reports.                                            (Empty)
max-pdf-report                    Maximum number of PDF reports to keep at one time (oldest report is overwritten).  31
page                              Configure report page.                                                             Details below


Configuration                     Description                                          Default Value
paper                                                                                  a4
column-break-before                                                                    (Empty)
page-break-before                                                                      (Empty)
options                                                                                (Empty)
header                                                                                 {"style":"","header-item":[]}
footer                                                                                 {"style":"","footer-item":[]}
body-item                         Configure report body item.                          (Empty)


report/setting
CLI Syntax
config report setting
edit <name_str>
set pdf-report {enable | disable}
set fortiview {enable | disable}
set report-source {forward-traffic | sniffer-traffic}
set web-browsing-threshold <integer>
end


Description
Configuration                     Description                                          Default Value
pdf-report                        Enable/disable PDF report.                           enable
fortiview                         Enable/disable historical FortiView.                 enable
report-source                     Report log source.                                   forward-traffic
web-browsing-threshold            Web browsing time calculation threshold (3 - 15 min).


report/style
CLI Syntax
config report style
edit <name_str>
set name <string>
set options {font | text | color | align | size | margin | border | padding | column}
set font-family {Verdana | Arial | Helvetica | Courier | Times}
set font-style {normal | italic}
set font-weight {normal | bold}
set font-size <string>
set line-height <string>
set fg-color <string>
set bg-color <string>
set align {left | center | right | justify}
set width <string>
set height <string>
set margin-top <string>
set margin-right <string>
set margin-bottom <string>
set margin-left <string>
set border-top <user>
set border-right <user>
set border-bottom <user>
set border-left <user>
set padding-top <string>
set padding-right <string>
set padding-bottom <string>
set padding-left <string>
set column-span {none | all}
set column-gap <string>
end


Description
Configuration                     Description                                          Default Value
name                              Report style name.                                   (Empty)
options                           Report style options.                                (Empty)
font-family                       Font family.                                         (Empty)
font-style                        Font style.                                          normal
font-weight                       Font weight.                                         normal
font-size                         Font size.                                           (Empty)
line-height                       Text line height.                                    (Empty)
fg-color                          Foreground color.                                    (Empty)
bg-color                          Background color.                                    (Empty)
align                             Alignment.                                           (Empty)
width                             Width.                                               (Empty)
height                            Height.                                              (Empty)
margin-top                        Margin top.                                          (Empty)
margin-right                      Margin right.                                        (Empty)
margin-bottom                     Margin bottom.                                       (Empty)
margin-left                       Margin left.                                         (Empty)
border-top                        Border top.                                          " none "
border-right                      Border right.                                        " none "
border-bottom                     Border bottom.                                       " none "
border-left                       Border left.                                         " none "
padding-top                       Padding top.                                         (Empty)
padding-right                     Padding right.                                       (Empty)
padding-bottom                    Padding bottom.                                      (Empty)
padding-left                      Padding left.                                        (Empty)
column-span                       Column span.                                         none
column-gap                        Column gap.                                          (Empty)


report/theme
CLI Syntax
config report theme
edit <name_str>
set name <string>
set page-orient {portrait | landscape}
set column-count {1 | 2 | 3}
set default-html-style <string>
set default-pdf-style <string>
set page-style <string>
set page-header-style <string>
set page-footer-style <string>
set report-title-style <string>
set report-subtitle-style <string>
set toc-title-style <string>
set toc-heading1-style <string>
set toc-heading2-style <string>
set toc-heading3-style <string>
set toc-heading4-style <string>
set heading1-style <string>
set heading2-style <string>
set heading3-style <string>
set heading4-style <string>
set normal-text-style <string>
set bullet-list-style <string>
set numbered-list-style <string>
set image-style <string>
set hline-style <string>
set graph-chart-style <string>
set table-chart-style <string>
set table-chart-caption-style <string>
set table-chart-head-style <string>
set table-chart-odd-row-style <string>
set table-chart-even-row-style <string>
end


Description
Configuration                     Description                                          Default Value
name                              Report theme name.                                   (Empty)
page-orient                       Report page orientation.                             portrait
column-count                      Report page column count.
default-html-style                Default HTML report style.                           (Empty)
default-pdf-style                 Default PDF report style.                            (Empty)
page-style                        Report page style.                                   (Empty)
page-header-style                 Report page header style.                            (Empty)
page-footer-style                 Report page footer style.                            (Empty)
report-title-style                Report title style.                                  (Empty)
report-subtitle-style             Report subtitle style.                               (Empty)
toc-title-style                   Table of contents title style.                       (Empty)
toc-heading1-style                Table of contents heading style.                     (Empty)
toc-heading2-style                Table of contents heading style.                     (Empty)
toc-heading3-style                Table of contents heading style.                     (Empty)
toc-heading4-style                Table of contents heading style.                     (Empty)
heading1-style                    Report heading style.                                (Empty)
heading2-style                    Report heading style.                                (Empty)
heading3-style                    Report heading style.                                (Empty)
heading4-style                    Report heading style.                                (Empty)
normal-text-style                 Normal text style.                                   (Empty)
bullet-list-style                 Bullet list style.                                   (Empty)
numbered-list-style               Numbered list style.                                 (Empty)
image-style                       Image style.                                         (Empty)
hline-style                       Horizontal line style.                               (Empty)
graph-chart-style                 Graph chart style.                                   (Empty)
table-chart-style                 Table chart style.                                   (Empty)
table-chart-caption-style         Table chart caption style.                           (Empty)
table-chart-head-style            Table chart head row style.                          (Empty)
table-chart-odd-row-style         Table chart odd row style.                           (Empty)
table-chart-even-row-style        Table chart even row style.                          (Empty)


router/access-list
CLI Syntax
config router access-list
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set action {permit | deny}
set prefix <user>
set wildcard <user>
set exact-match {enable | disable}
set flags <integer>
end
end


Description
Configuration                     Description                                          Default Value
name                              Name.                                                (Empty)
comments                          Comment.                                             (Empty)
rule                              Rule.                                                (Empty)


router/access-list6
CLI Syntax
config router access-list6
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set action {permit | deny}
set prefix6 <user>
set exact-match {enable | disable}
set flags <integer>
end
end


Description
Configuration                     Description                                          Default Value
name                              Name.                                                (Empty)
comments                          Comment.                                             (Empty)
rule                              Rule.                                                (Empty)


router/aspath-list
CLI Syntax
config router aspath-list
edit <name_str>
set name <string>
config rule
edit <name_str>
set id <integer>
set action {deny | permit}
set regexp <string>
end
end


Description
Configuration                     Description                                          Default Value
name                              AS path list name.                                   (Empty)
rule                              AS path list rule.                                   (Empty)


router/auth-path
CLI Syntax
config router auth-path
edit <name_str>
set name <string>
set device <string>
set gateway <ipv4-address>
end


Description
Configuration                     Description                                          Default Value
name                              Name of the entry.                                   (Empty)
device                            Output interface.                                    (Empty)
gateway                           Gateway IP address.                                  0.0.0.0


router/bfd
CLI Syntax
config router bfd
edit <name_str>
config neighbor
edit <name_str>
set ip <ipv4-address>
set interface <string>
end
end


Description
Configuration                     Description                                          Default Value
neighbor                          Neighbor.                                            (Empty)


router/bgp
CLI Syntax
config router bgp
edit <name_str>
set as <integer>
set router-id <ipv4-address-any>
set keepalive-timer <integer>
set holdtime-timer <integer>
set always-compare-med {enable | disable}
set bestpath-as-path-ignore {enable | disable}
set bestpath-cmp-confed-aspath {enable | disable}
set bestpath-cmp-routerid {enable | disable}
set bestpath-med-confed {enable | disable}
set bestpath-med-missing-as-worst {enable | disable}
set client-to-client-reflection {enable | disable}
set dampening {enable | disable}
set deterministic-med {enable | disable}
set ebgp-multipath {enable | disable}
set ibgp-multipath {enable | disable}
set enforce-first-as {enable | disable}
set fast-external-failover {enable | disable}
set log-neighbour-changes {enable | disable}
set network-import-check {enable | disable}
set ignore-optional-capability {enable | disable}
set cluster-id <ipv4-address-any>
set confederation-identifier <integer>
config confederation-peers
edit <name_str>
set peer <string>
end
set dampening-route-map <string>
set dampening-reachability-half-life <integer>
set dampening-reuse <integer>
set dampening-suppress <integer>
set dampening-max-suppress-time <integer>
set dampening-unreachability-half-life <integer>
set default-local-preference <integer>
set scan-time <integer>
set distance-external <integer>
set distance-internal <integer>
set distance-local <integer>
set synchronization {enable | disable}
set graceful-restart {enable | disable}
set graceful-restart-time <integer>
set graceful-stalepath-time <integer>
set graceful-update-delay <integer>
config aggregate-address
edit <name_str>
set id <integer>
set prefix <ipv4-classnet-any>


set as-set {enable | disable}
set summary-only {enable | disable}
end
config aggregate-address6
edit <name_str>
set id <integer>
set prefix6 <ipv6-prefix>
set as-set {enable | disable}
set summary-only {enable | disable}
end
config neighbor
edit <name_str>
set ip <string>
set advertisement-interval <integer>
set allowas-in-enable {enable | disable}
set allowas-in-enable6 {enable | disable}
set allowas-in <integer>
set allowas-in6 <integer>
set attribute-unchanged {as-path | med | next-hop}
set attribute-unchanged6 {as-path | med | next-hop}
set activate {enable | disable}
set activate6 {enable | disable}
set bfd {enable | disable}
set capability-dynamic {enable | disable}
set capability-orf {none | receive | send | both}
set capability-orf6 {none | receive | send | both}
set capability-graceful-restart {enable | disable}
set capability-graceful-restart6 {enable | disable}
set capability-route-refresh {enable | disable}
set capability-default-originate {enable | disable}
set capability-default-originate6 {enable | disable}
set dont-capability-negotiate {enable | disable}
set ebgp-enforce-multihop {enable | disable}
set next-hop-self {enable | disable}
set next-hop-self6 {enable | disable}
set override-capability {enable | disable}
set passive {enable | disable}
set remove-private-as {enable | disable}
set remove-private-as6 {enable | disable}
set route-reflector-client {enable | disable}
set route-reflector-client6 {enable | disable}
set route-server-client {enable | disable}
set route-server-client6 {enable | disable}
set shutdown {enable | disable}
set soft-reconfiguration {enable | disable}
set soft-reconfiguration6 {enable | disable}
set as-override {enable | disable}
set as-override6 {enable | disable}
set strict-capability-match {enable | disable}
set default-originate-routemap <string>
set default-originate-routemap6 <string>
set description <string>
set distribute-list-in <string>
set distribute-list-in6 <string>
set distribute-list-out <string>
set distribute-list-out6 <string>
set ebgp-multihop-ttl <integer>
set filter-list-in <string>
set filter-list-in6 <string>
set filter-list-out <string>
set filter-list-out6 <string>
set interface <string>
set maximum-prefix <integer>
set maximum-prefix6 <integer>
set maximum-prefix-threshold <integer>
set maximum-prefix-threshold6 <integer>
set maximum-prefix-warning-only {enable | disable}
set maximum-prefix-warning-only6 {enable | disable}
set prefix-list-in <string>
set prefix-list-in6 <string>
set prefix-list-out <string>
set prefix-list-out6 <string>
set remote-as <integer>
set retain-stale-time <integer>
set route-map-in <string>
set route-map-in6 <string>
set route-map-out <string>
set route-map-out6 <string>
set send-community {standard | extended | both | disable}
set send-community6 {standard | extended | both | disable}
set keep-alive-timer <integer>
set holdtime-timer <integer>
set connect-timer <integer>
set unsuppress-map <string>
set unsuppress-map6 <string>
set update-source <string>
set weight <integer>
set restart-time <integer>
set password <password>
config conditional-advertise
edit <name_str>
set advertise-routemap <string>
set condition-routemap <string>
set condition-type {exist | non-exist}
end
end
config neighbor-group
edit <name_str>
set name <string>
set advertisement-interval <integer>
set allowas-in-enable {enable | disable}
set allowas-in-enable6 {enable | disable}
set allowas-in <integer>
set allowas-in6 <integer>
set attribute-unchanged {as-path | med | next-hop}
set attribute-unchanged6 {as-path | med | next-hop}
set activate {enable | disable}
set activate6 {enable | disable}
set bfd {enable | disable}
set capability-dynamic {enable | disable}
set capability-orf {none | receive | send | both}
set capability-orf6 {none | receive | send | both}
set capability-graceful-restart {enable | disable}
set capability-graceful-restart6 {enable | disable}
set capability-route-refresh {enable | disable}
set capability-default-originate {enable | disable}
set capability-default-originate6 {enable | disable}
set dont-capability-negotiate {enable | disable}
set ebgp-enforce-multihop {enable | disable}
set next-hop-self {enable | disable}
set next-hop-self6 {enable | disable}
set override-capability {enable | disable}
set passive {enable | disable}
set remove-private-as {enable | disable}
set remove-private-as6 {enable | disable}
set route-reflector-client {enable | disable}
set route-reflector-client6 {enable | disable}
set route-server-client {enable | disable}
set route-server-client6 {enable | disable}
set shutdown {enable | disable}
set soft-reconfiguration {enable | disable}
set soft-reconfiguration6 {enable | disable}
set as-override {enable | disable}
set as-override6 {enable | disable}
set strict-capability-match {enable | disable}
set default-originate-routemap <string>
set default-originate-routemap6 <string>
set description <string>
set distribute-list-in <string>
set distribute-list-in6 <string>
set distribute-list-out <string>
set distribute-list-out6 <string>
set ebgp-multihop-ttl <integer>
set filter-list-in <string>
set filter-list-in6 <string>
set filter-list-out <string>
set filter-list-out6 <string>
set interface <string>
set maximum-prefix <integer>
set maximum-prefix6 <integer>
set maximum-prefix-threshold <integer>
set maximum-prefix-threshold6 <integer>
set maximum-prefix-warning-only {enable | disable}
set maximum-prefix-warning-only6 {enable | disable}
set prefix-list-in <string>
set prefix-list-in6 <string>
set prefix-list-out <string>
set prefix-list-out6 <string>
set remote-as <integer>
set retain-stale-time <integer>
set route-map-in <string>
set route-map-in6 <string>
set route-map-out <string>
set route-map-out6 <string>
set send-community {standard | extended | both | disable}
set send-community6 {standard | extended | both | disable}
set keep-alive-timer <integer>
set holdtime-timer <integer>
set connect-timer <integer>
set unsuppress-map <string>
set unsuppress-map6 <string>
set update-source <string>
set weight <integer>
set restart-time <integer>
end
config neighbor-range
edit <name_str>
set id <integer>
set prefix <ipv4-classnet>
set max-neighbor-num <integer>
set neighbor-group <string>
end
config network
edit <name_str>
set id <integer>
set prefix <ipv4-classnet>
set backdoor {enable | disable}
set route-map <string>
end
config network6
edit <name_str>
set id <integer>
set prefix6 <ipv6-network>
set backdoor {enable | disable}
set route-map <string>
end
config redistribute
edit <name_str>
set name <string>
set status {enable | disable}
set route-map <string>
end
config redistribute6
edit <name_str>
set name <string>
set status {enable | disable}
set route-map <string>
end
end
config admin-distance
edit <name_str>
set id <integer>
set neighbour-prefix <ipv4-classnet>
set route-list <string>
set distance <integer>
end
end

Description
Configuration                       Description                                                                     Default Value
as                                  Router AS number.
router-id                           Router ID.                                                                      0.0.0.0
keepalive-timer                     Frequency to send keep alive requests.                                          60
holdtime-timer                      Number of seconds to mark peer as dead.                                         180
always-compare-med                  Enable/disable always compare MED.                                              disable
bestpath-as-path-ignore             Enable/disable ignore AS path.                                                  disable
bestpath-cmp-confed-aspath          Enable/disable compare federation AS path length.                               disable
bestpath-cmp-routerid               Enable/disable compare router ID for identical EBGP paths.                      disable
bestpath-med-confed                 Enable/disable compare MED among confederation paths.                           disable
bestpath-med-missing-as-worst       Enable/disable treat missing MED as least preferred.                            disable
client-to-client-reflection         Enable/disable client-to-client route reflection.                               enable
dampening                           Enable/disable route-flap dampening.                                            disable
deterministic-med                   Enable/disable enforce deterministic comparison of MED.                         disable
ebgp-multipath                      Enable/disable EBGP multi-path.                                                 disable
ibgp-multipath                      Enable/disable IBGP multi-path.                                                 disable
enforce-first-as                    Enable/disable enforce first AS for EBGP routes.                                enable
fast-external-failover              Enable/disable reset peer BGP session if link goes down.                        enable
log-neighbour-changes               Enable logging of BGP neighbour's changes.                                      enable
network-import-check                Enable/disable ensure BGP network route exists in IGP.                          enable
ignore-optional-capability          Don't send unknown optional capability notification message.                    enable
cluster-id                          Route reflector cluster ID.                                                     0.0.0.0
confederation-identifier            Confederation identifier.
confederation-peers                 Confederation peers.                                                            (Empty)
dampening-route-map                 Criteria for dampening.                                                         (Empty)
dampening-reachability-half-life    Reachability half-life time for penalty (min).                                  15
dampening-reuse                     Threshold to reuse routes.                                                      750
dampening-suppress                  Threshold to suppress routes.                                                   2000
dampening-max-suppress-time         Maximum minutes a route can be suppressed.                                      60
dampening-unreachability-half-life  Unreachability half-life time for penalty (min).                                15
default-local-preference            Default local preference.                                                       100
scan-time                           Background scanner interval (sec).                                              60
distance-external                   Distance for routes external to the AS.                                         20
distance-internal                   Distance for routes internal to the AS.                                         200
distance-local                      Distance for routes local to the AS.                                            200
synchronization                     Enable/disable only advertise routes from iBGP if routes present in an IGP.     disable
graceful-restart                    Enable/disable BGP graceful restart capabilities.                               disable
graceful-restart-time               Time needed for neighbors to restart (sec).                                     120
graceful-stalepath-time             Time to hold stale paths of restarting neighbor (sec).                          360
graceful-update-delay               Route advertisement/selection delay after restart (sec).                        120
aggregate-address                   BGP aggregate address table.                                                    (Empty)
aggregate-address6                  BGP IPv6 aggregate address table.                                               (Empty)
neighbor                            BGP neighbor table.                                                             (Empty)
neighbor-group                      BGP neighbor group table.                                                       (Empty)
neighbor-range                      BGP neighbor range table.                                                       (Empty)
network                             BGP network table.                                                              (Empty)
network6                            BGP IPv6 network table.                                                         (Empty)
redistribute                        BGP IPv4 redistribute table.                                                    (Empty)
redistribute6                       BGP IPv6 redistribute table.                                                    (Empty)
admin-distance                      Administrative distance modifications.                                          (Empty)
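The following is an added example, not taken from the Fortinet reference: it combines the router access-list and router bgp settings listed above to bring up an eBGP neighbor with the inbound controls a defender wants in place (a session password, an inbound distribute-list built from an access-list, and a prefix cap that tears the session down instead of only warning). The AS numbers, addresses, list name and password are constructed placeholders; the `next` keyword closing each table entry is standard FortiOS CLI that the simplified syntax listing omits.

```fortios
# Added example; not from the FortiOS CLI reference. All names, AS numbers,
# addresses and the password are constructed placeholders.

# 1. Access-list that permits only the block the peer is expected to announce.
#    exact-match is left disabled so more-specific routes inside the block
#    are accepted too; anything else from this peer is dropped on input.
config router access-list
    edit "peer-as65002-in"
        set comments "Routes accepted from AS 65002 (constructed example)"
        config rule
            edit 1
                set action permit
                set prefix 198.51.100.0 255.255.255.0
                set exact-match disable
            next
        end
    next
end

# 2. BGP process and the hardened neighbor entry.
#    enforce-first-as and log-neighbour-changes keep their defaults (enable);
#    they are restated here so the intent is visible in the running config.
config router bgp
    set as 65001
    set router-id 192.0.2.1
    set enforce-first-as enable
    set log-neighbour-changes enable
    config neighbor
        edit "203.0.113.2"
            set remote-as 65002
            set description "Constructed example peer in AS 65002"
            # Session password: the peer must present the same secret or the
            # session never forms.
            set password "REPLACE-WITH-A-STRONG-SECRET"
            # Apply the access-list above to everything learned from this peer.
            set distribute-list-in "peer-as65002-in"
            # Drop the session at 100 received prefixes; log a warning at 80%.
            # warning-only disabled means the cap is enforced, not just logged.
            set maximum-prefix 100
            set maximum-prefix-threshold 80
            set maximum-prefix-warning-only disable
        next
    end
end
```

Verify the filter is applied before trusting it: a peer that announces a prefix outside 198.51.100.0/24 should show no matching route on the FortiGate, and exceeding 100 prefixes should bring the session down rather than leave it up with a warning.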


router/community-list
CLI Syntax
config router community-list
edit <name_str>
set name <string>
set type {standard | expanded}
config rule
edit <name_str>
set id <integer>
set action {deny | permit}
set regexp <string>
set match <string>
end
end


Description
Configuration                     Description                                          Default Value
name                              Community list name.                                 (Empty)
type                              Community list type.                                 standard
rule                              Community list rule.                                 (Empty)


router/isis
CLI Syntax
config router isis
edit <name_str>
set is-type {level-1-2 | level-1 | level-2-only}
set auth-mode-l1 {password | md5}
set auth-mode-l2 {password | md5}
set auth-password-l1 <password>
set auth-password-l2 <password>
set auth-keychain-l1 <string>
set auth-keychain-l2 <string>
set auth-sendonly-l1 {enable | disable}
set auth-sendonly-l2 {enable | disable}
set ignore-lsp-errors {enable | disable}
set lsp-gen-interval-l1 <integer>
set lsp-gen-interval-l2 <integer>
set lsp-refresh-interval <integer>
set max-lsp-lifetime <integer>
set spf-interval-exp-l1 <user>
set spf-interval-exp-l2 <user>
set dynamic-hostname {enable | disable}
set adjacency-check {enable | disable}
set overload-bit {enable | disable}
set overload-bit-suppress {external | interlevel}
set overload-bit-on-startup <integer>
set default-originate {enable | disable}
set metric-style {narrow | narrow-transition | narrow-transition-l1 | narrow-transition-l2 | wide | wide-l1 | wide-l2 | wide-transition | wide-transition-l1 | wide-transition-l2 | transition | transition-l1 | transition-l2}
set redistribute-l1 {enable | disable}
set redistribute-l1-list <string>
set redistribute-l2 {enable | disable}
set redistribute-l2-list <string>
config isis-net
edit <name_str>
set id <integer>
set net <user>
end
config isis-interface
edit <name_str>
set name <string>
set status {enable | disable}
set network-type {broadcast | point-to-point}
set circuit-type {level-1-2 | level-1 | level-2}
set csnp-interval-l1 <integer>
set csnp-interval-l2 <integer>
set hello-interval-l1 <integer>
set hello-interval-l2 <integer>
set hello-multiplier-l1 <integer>
set hello-multiplier-l2 <integer>


set hello-padding {enable | disable}
set lsp-interval <integer>
set lsp-retransmit-interval <integer>
set metric-l1 <integer>
set metric-l2 <integer>
set wide-metric-l1 <integer>
set wide-metric-l2 <integer>
set auth-password-l1 <password>
set auth-password-l2 <password>
set auth-keychain-l1 <string>
set auth-keychain-l2 <string>
set auth-send-only-l1 {enable | disable}
set auth-send-only-l2 {enable | disable}
set auth-mode-l1 {md5 | password}
set auth-mode-l2 {md5 | password}
set priority-l1 <integer>
set priority-l2 <integer>
set mesh-group {enable | disable}
set mesh-group-id <integer>
end
config summary-address
edit <name_str>
set id <integer>
set prefix <ipv4-classnet-any>
set level {level-1-2 | level-1 | level-2}
end
config redistribute
edit <name_str>
set protocol <string>
set status {enable | disable}
set metric <integer>
set metric-type {external | internal}
set level {level-1-2 | level-1 | level-2}
set routemap <string>
end
end


Description
Configuration                     Description                                                          Default Value
is-type                           IS type.                                                             level-1-2
auth-mode-l1                      Level 1 authentication mode.                                         password
auth-mode-l2                      Level 2 authentication mode.                                         password
auth-password-l1                  Authentication password for level 1 PDUs.                            (Empty)
auth-password-l2                  Authentication password for level 2 PDUs.                            (Empty)
auth-keychain-l1                  Authentication key-chain for level 1 PDUs.                           (Empty)
auth-keychain-l2                  Authentication key-chain for level 2 PDUs.                           (Empty)
auth-sendonly-l1                  Enable/disable level 1 authentication send-only.                     disable
auth-sendonly-l2                  Enable/disable level 2 authentication send-only.                     disable
ignore-lsp-errors                 Enable/disable ignoring of LSP errors with bad checksums.            disable
lsp-gen-interval-l1               Minimum interval for level 1 LSP regenerating.                       30
lsp-gen-interval-l2               Minimum interval for level 2 LSP regenerating.                       30
lsp-refresh-interval              LSP refresh time in seconds.                                         900
max-lsp-lifetime                  Maximum LSP lifetime in seconds.                                     1200
spf-interval-exp-l1               Level 1 SPF calculation delay.                                       500 50000
spf-interval-exp-l2               Level 2 SPF calculation delay.                                       500 50000
dynamic-hostname                  Enable/disable dynamic hostname.                                     disable
adjacency-check                   Enable/disable adjacency check.                                      disable
overload-bit                      Enable/disable signal other routers not to use us in SPF.            disable
overload-bit-suppress             Suppress overload-bit for the specific prefixes.                     (Empty)
overload-bit-on-startup           Overload-bit only temporarily after reboot.
default-originate                 Enable/disable control distribution of default information.          disable
metric-style                      Use old-style (ISO 10589) or new-style packet formats.               narrow
redistribute-l1                   Enable/disable redistribute level 1 routes into level 2.             disable
redistribute-l1-list              Access-list for redistribute l1 to l2.                               (Empty)
redistribute-l2                   Enable/disable redistribute level 2 routes into level 1.             disable
redistribute-l2-list              Access-list for redistribute l2 to l1.                               (Empty)
isis-net                          IS-IS net configuration.                                             (Empty)
isis-interface                    IS-IS interface configuration.                                       (Empty)
summary-address                   IS-IS summary addresses.                                             (Empty)
redistribute                      IS-IS redistribute protocols.                                        (Empty)


router/key-chain
CLI Syntax
config router key-chain
edit <name_str>
set name <string>
config key
edit <name_str>
set id <integer>
set accept-lifetime <user>
set send-lifetime <user>
set key-string <string>
end
end


Description
Configuration                     Description                                          Default Value
name                              Key-chain name.                                      (Empty)
key                               Key.                                                 (Empty)


router/multicast
CLI Syntax
config router multicast
edit <name_str>
set route-threshold <integer>
set route-limit <integer>
set multicast-routing {enable | disable}
config pim-sm-global
edit <name_str>
set message-interval <integer>
set join-prune-holdtime <integer>
set accept-register-list <string>
set bsr-candidate {enable | disable}
set bsr-interface <string>
set bsr-priority <integer>
set bsr-hash <integer>
set bsr-allow-quick-refresh {enable | disable}
set cisco-register-checksum {enable | disable}
set cisco-register-checksum-group <string>
set cisco-crp-prefix {enable | disable}
set cisco-ignore-rp-set-priority {enable | disable}
set register-rp-reachability {enable | disable}
set register-source {disable | interface | ip-address}
set register-source-interface <string>
set register-source-ip <ipv4-address>
set register-supression <integer>
set null-register-retries <integer>
set rp-register-keepalive <integer>
set spt-threshold {enable | disable}
set spt-threshold-group <string>
set ssm {enable | disable}
set ssm-range <string>
set register-rate-limit <integer>
config rp-address
edit <name_str>
set id <integer>
set ip-address <ipv4-address>
set group <string>
end
end
config interface
edit <name_str>
set name <string>
set ttl-threshold <integer>
set pim-mode {sparse-mode | dense-mode}
set passive {enable | disable}
set bfd {enable | disable}
set neighbour-filter <string>
set hello-interval <integer>
set hello-holdtime <integer>


set cisco-exclude-genid {enable | disable}
set dr-priority <integer>
set propagation-delay <integer>
set state-refresh-interval <integer>
set rp-candidate {enable | disable}
set rp-candidate-group <string>
set rp-candidate-priority <integer>
set rp-candidate-interval <integer>
set multicast-flow <string>
set static-group <string>
config join-group
edit <name_str>
set address <ipv4-address-any>
end
config igmp
edit <name_str>
set access-group <string>
set version {3 | 2 | 1}
set immediate-leave-group <string>
set last-member-query-interval <integer>
set last-member-query-count <integer>
set query-max-response-time <integer>
set query-interval <integer>
set query-timeout <integer>
set router-alert-check {enable | disable}
end
end
end


Description
Configuration                     Description                                                             Default Value
route-threshold                   Generate warnings when number of multicast routes exceeds this number.  2147483647
route-limit                       Maximum number of multicast routes.                                     2147483647
multicast-routing                 Enable/disable multicast routing.                                       disable
pim-sm-global                     PIM sparse-mode global settings.                                        Details below

Configuration                     Description                                          Default Value
message-interval                                                                       60
join-prune-holdtime                                                                    210
accept-register-list                                                                   (Empty)
bsr-candidate                                                                          disable
bsr-interface                                                                          (Empty)
bsr-priority                                                                           0
bsr-hash                                                                               10
bsr-allow-quick-refresh                                                                disable
cisco-register-checksum                                                                disable
cisco-register-checksum-group                                                          (Empty)
cisco-crp-prefix                                                                       disable
cisco-ignore-rp-set-priority                                                           disable
register-rp-reachability                                                               enable
register-source                                                                        disable
register-source-interface                                                              (Empty)
register-source-ip                                                                     0.0.0.0
register-supression                                                                    60
null-register-retries                                                                  1
rp-register-keepalive                                                                  185
spt-threshold                                                                          enable
spt-threshold-group                                                                    (Empty)
ssm                                                                                    disable
ssm-range                                                                              (Empty)
register-rate-limit                                                                    0
rp-address                                                                             (Empty)

interface                         PIM interfaces.                                                         (Empty)

361

router/multicast-flow
CLI Syntax
config router multicast-flow
edit <name_str>
set name <string>
set comments <string>
config flows
edit <name_str>
set id <integer>
set group-addr <ipv4-address-any>
set source-addr <ipv4-address-any>
end
end

Description
Configuration | Description | Default Value
name | Name. | (Empty)
comments | Comment. | (Empty)
flows | Multicast-flow entries. | (Empty)

router/multicast6
CLI Syntax
config router multicast6
edit <name_str>
set multicast-routing {enable | disable}
config interface
edit <name_str>
set name <string>
set hello-interval <integer>
set hello-holdtime <integer>
end
config pim-sm-global
edit <name_str>
set register-rate-limit <integer>
config rp-address
edit <name_str>
set id <integer>
set ip6-address <ipv6-address>
end
end
end

Description
Configuration | Description | Default Value
multicast-routing | Enable/disable multicast routing. | disable
interface | PIM interfaces. | (Empty)
pim-sm-global | PIM sparse-mode global settings. | Details below

pim-sm-global
Configuration | Default Value
register-rate-limit | 0
rp-address | (Empty)

router/ospf
CLI Syntax
config router ospf
edit <name_str>
set abr-type {cisco | ibm | shortcut | standard}
set auto-cost-ref-bandwidth <integer>
set distance-external <integer>
set distance-inter-area <integer>
set distance-intra-area <integer>
set database-overflow {enable | disable}
set database-overflow-max-lsas <integer>
set database-overflow-time-to-recover <integer>
set default-information-originate {enable | always | disable}
set default-information-metric <integer>
set default-information-metric-type {1 | 2}
set default-information-route-map <string>
set default-metric <integer>
set distance <integer>
set rfc1583-compatible {enable | disable}
set router-id <ipv4-address-any>
set spf-timers <user>
set bfd {enable | disable}
set log-neighbour-changes {enable | disable}
set distribute-list-in <string>
set distribute-route-map-in <string>
set restart-mode {none | lls | graceful-restart}
set restart-period <integer>
config area
edit <name_str>
set id <ipv4-address-any>
set shortcut {disable | enable | default}
set authentication {none | text | md5}
set default-cost <integer>
set nssa-translator-role {candidate | never | always}
set stub-type {no-summary | summary}
set type {regular | nssa | stub}
set nssa-default-information-originate {enable | always | disable}
set nssa-default-information-originate-metric <integer>
set nssa-default-information-originate-metric-type {1 | 2}
set nssa-redistribution {enable | disable}
config range
edit <name_str>
set id <integer>
set prefix <ipv4-classnet-any>
set advertise {disable | enable}
set substitute <ipv4-classnet-any>
set substitute-status {enable | disable}
end
config virtual-link
edit <name_str>
set name <string>
set authentication {none | text | md5}
set authentication-key <password>
set md5-key <user>
set dead-interval <integer>
set hello-interval <integer>
set retransmit-interval <integer>
set transmit-delay <integer>
set peer <ipv4-address-any>
end
config filter-list
edit <name_str>
set id <integer>
set list <string>
set direction {in | out}
end
end
config ospf-interface
edit <name_str>
set name <string>
set interface <string>
set ip <ipv4-address>
set authentication {none | text | md5}
set authentication-key <password>
set md5-key <user>
set prefix-length <integer>
set retransmit-interval <integer>
set transmit-delay <integer>
set cost <integer>
set priority <integer>
set dead-interval <integer>
set hello-interval <integer>
set hello-multiplier <integer>
set database-filter-out {enable | disable}
set mtu <integer>
set mtu-ignore {enable | disable}
set network-type {broadcast | non-broadcast | point-to-point | point-to-multipoint | point-to-multipoint-non-broadcast}
set bfd {global | enable | disable}
set status {disable | enable}
set resync-timeout <integer>
end
config network
edit <name_str>
set id <integer>
set prefix <ipv4-classnet>
set area <ipv4-address-any>
end
config neighbor
edit <name_str>
set id <integer>
set ip <ipv4-address>
set poll-interval <integer>
set cost <integer>
set priority <integer>
end
config passive-interface
edit <name_str>
set name <string>
end
config summary-address
edit <name_str>
set id <integer>
set prefix <ipv4-classnet>
set tag <integer>
set advertise {disable | enable}
end
config distribute-list
edit <name_str>
set id <integer>
set access-list <string>
set protocol {connected | static | rip}
end
config redistribute
edit <name_str>
set name <string>
set status {enable | disable}
set metric <integer>
set routemap <string>
set metric-type {1 | 2}
set tag <integer>
end
end

Description
Configuration | Description | Default Value
abr-type | Area border router type. | standard
auto-cost-ref-bandwidth | Reference bandwidth in terms of megabits per second. | 1000
distance-external | Administrative external distance. | 110
distance-inter-area | Administrative inter-area distance. | 110
distance-intra-area | Administrative intra-area distance. | 110
database-overflow | Enable/disable database overflow. | disable
database-overflow-max-lsas | Database overflow maximum LSAs. | 10000
database-overflow-time-to-recover | Database overflow time to recover (sec). | 300
default-information-originate | Enable/disable generation of default route. | disable
default-information-metric | Default information metric. | 10
default-information-metric-type | Default information metric type. |
default-information-route-map | Default information route map. | (Empty)
default-metric | Default metric of redistributed routes. | 10
distance | Distance of the route. | 110
rfc1583-compatible | Enable/disable RFC1583 compatibility. | disable
router-id | Router ID. | 0.0.0.0
spf-timers | SPF calculation frequency. | 5 10
bfd | Bidirectional Forwarding Detection (BFD). | disable
log-neighbour-changes | Enable logging of OSPF neighbour changes. | enable
distribute-list-in | Filter incoming routes. | (Empty)
distribute-route-map-in | Filter incoming external routes by route-map. | (Empty)
restart-mode | OSPF restart mode (graceful or LLS). | none
restart-period | Graceful restart period. | 120
area | OSPF area configuration. | (Empty)
ospf-interface | OSPF interface configuration. | (Empty)
network | OSPF network configuration. | (Empty)
neighbor | OSPF neighbor configuration, used when OSPF runs on non-broadcast media. | (Empty)
passive-interface | Passive interface configuration. | (Empty)
summary-address | IP address summary configuration. | (Empty)
distribute-list | Distribute list configuration. | (Empty)
redistribute | Redistribute configuration. | (Empty)

router/ospf6
CLI Syntax
config router ospf6
edit <name_str>
set abr-type {cisco | ibm | standard}
set auto-cost-ref-bandwidth <integer>
set default-information-originate {enable | always | disable}
set log-neighbour-changes {enable | disable}
set default-information-metric <integer>
set default-information-metric-type {1 | 2}
set default-information-route-map <string>
set default-metric <integer>
set router-id <ipv4-address-any>
set spf-timers <user>
config area
edit <name_str>
set id <ipv4-address-any>
set default-cost <integer>
set nssa-translator-role {candidate | never | always}
set stub-type {no-summary | summary}
set type {regular | nssa | stub}
set nssa-default-information-originate {enable | disable}
set nssa-default-information-originate-metric <integer>
set nssa-default-information-originate-metric-type {1 | 2}
set nssa-redistribution {enable | disable}
config range
edit <name_str>
set id <integer>
set prefix6 <ipv6-network>
set advertise {disable | enable}
end
config virtual-link
edit <name_str>
set name <string>
set dead-interval <integer>
set hello-interval <integer>
set retransmit-interval <integer>
set transmit-delay <integer>
set peer <ipv4-address-any>
end
end
config ospf6-interface
edit <name_str>
set name <string>
set area-id <ipv4-address-any>
set interface <string>
set retransmit-interval <integer>
set transmit-delay <integer>
set cost <integer>
set priority <integer>
set dead-interval <integer>
set hello-interval <integer>
set status {disable | enable}
set network-type {broadcast | non-broadcast | point-to-point | point-to-multipoint | point-to-multipoint-non-broadcast}
config neighbor
edit <name_str>
set ip6 <ipv6-address>
set poll-interval <integer>
set cost <integer>
set priority <integer>
end
end
config passive-interface
edit <name_str>
set name <string>
end
config redistribute
edit <name_str>
set name <string>
set status {enable | disable}
set metric <integer>
set routemap <string>
set metric-type {1 | 2}
end
config summary-address
edit <name_str>
set id <integer>
set prefix6 <ipv6-network>
set advertise {disable | enable}
set tag <integer>
end
end

Description
Configuration | Description | Default Value
abr-type | Area border router type. | standard
auto-cost-ref-bandwidth | Reference bandwidth in terms of megabits per second. | 1000
default-information-originate | Enable/disable generation of default route. | disable
log-neighbour-changes | Enable logging of OSPFv3 neighbour changes. | enable
default-information-metric | Default information metric. | 10
default-information-metric-type | Default information metric type. |
default-information-route-map | Default information route map. | (Empty)
default-metric | Default metric of redistributed routes. | 20
router-id | A.B.C.D, in IPv4 address format. | 0.0.0.0
spf-timers | SPF calculation frequency. | 5 10
area | OSPF6 area configuration. | (Empty)
ospf6-interface | OSPF6 interface configuration. | (Empty)
passive-interface | Passive interface configuration. | (Empty)
redistribute | Redistribute configuration. | (Empty)
summary-address | IPv6 address summary configuration. | (Empty)

router/policy
CLI Syntax
config router policy
edit <name_str>
set seq-num <integer>
config input-device
edit <name_str>
set name <string>
end
config src
edit <name_str>
set subnet <string>
end
config srcaddr
edit <name_str>
set name <string>
end
set src-negate {enable | disable}
config dst
edit <name_str>
set subnet <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set dst-negate {enable | disable}
set action {deny | permit}
set protocol <integer>
set start-port <integer>
set end-port <integer>
set start-source-port <integer>
set end-source-port <integer>
set gateway <ipv4-address>
set output-device <string>
set tos <user>
set tos-mask <user>
set status {enable | disable}
set comments <var-string>
end

Description
Configuration | Description | Default Value
seq-num | Sequence number. |
input-device | Incoming interface name. | (Empty)
src | Source IP and mask (x.x.x.x/x). | (Empty)
srcaddr | Source address name. | (Empty)
src-negate | Enable/disable negated source address match. | disable
dst | Destination IP and mask (x.x.x.x/x). | (Empty)
dstaddr | Destination address name. | (Empty)
dst-negate | Enable/disable negated destination address match. | disable
action | Action of the policy route. | permit
protocol | Protocol number. |
start-port | Start destination port number. |
end-port | End destination port number. | 65535
start-source-port | Start source port number. |
end-source-port | End source port number. | 65535
gateway | IP address of gateway. | 0.0.0.0
output-device | Outgoing interface name. | (Empty)
tos | Type of service bit pattern. | 0x00
tos-mask | Type of service evaluated bits. | 0x00
status | Enable/disable policy route. | enable
comments | Comment. | (Empty)

router/policy6
CLI Syntax
config router policy6
edit <name_str>
set seq-num <integer>
set input-device <string>
set src <ipv6-network>
set dst <ipv6-network>
set protocol <integer>
set start-port <integer>
set end-port <integer>
set gateway <ipv6-address>
set output-device <string>
set tos <user>
set tos-mask <user>
set status {enable | disable}
set comments <var-string>
end

Description
Configuration | Description | Default Value
seq-num | Sequence number. |
input-device | Incoming interface name. | (Empty)
src | Source IPv6 prefix. | ::/0
dst | Destination IPv6 prefix. | ::/0
protocol | Protocol number. |
start-port | Start port number. |
end-port | End port number. | 65535
gateway | IPv6 address of gateway. | ::
output-device | Outgoing interface name. | (Empty)
tos | Type of service bit pattern. | 0x00
tos-mask | Type of service evaluated bits. | 0x00
status | Enable/disable policy route. | enable
comments | Comment. | (Empty)

router/prefix-list
CLI Syntax
config router prefix-list
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set action {permit | deny}
set prefix <user>
set ge <integer>
set le <integer>
set flags <integer>
end
end

Description
Configuration | Description | Default Value
name | Name. | (Empty)
comments | Comment. | (Empty)
rule | Rule. | (Empty)

router/prefix-list6
CLI Syntax
config router prefix-list6
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set action {permit | deny}
set prefix6 <user>
set ge <integer>
set le <integer>
set flags <integer>
end
end

Description
Configuration | Description | Default Value
name | Name. | (Empty)
comments | Comment. | (Empty)
rule | Rule. | (Empty)

router/rip
CLI Syntax
config router rip
edit <name_str>
set default-information-originate {enable | disable}
set default-metric <integer>
set max-out-metric <integer>
set recv-buffer-size <integer>
config distance
edit <name_str>
set id <integer>
set prefix <ipv4-classnet-any>
set distance <integer>
set access-list <string>
end
config distribute-list
edit <name_str>
set id <integer>
set status {enable | disable}
set direction {in | out}
set listname <string>
set interface <string>
end
config neighbor
edit <name_str>
set id <integer>
set ip <ipv4-address>
end
config network
edit <name_str>
set id <integer>
set prefix <ipv4-classnet>
end
config offset-list
edit <name_str>
set id <integer>
set status {enable | disable}
set direction {in | out}
set access-list <string>
set offset <integer>
set interface <string>
end
config passive-interface
edit <name_str>
set name <string>
end
config redistribute
edit <name_str>
set name <string>
set status {enable | disable}
set metric <integer>
set routemap <string>
set flags <integer>
end
set update-timer <integer>
set timeout-timer <integer>
set garbage-timer <integer>
set version {1 | 2}
config interface
edit <name_str>
set name <string>
set auth-keychain <string>
set auth-mode {none | text | md5}
set auth-string <password>
set receive-version {1 | 2}
set send-version {1 | 2}
set send-version2-broadcast {disable | enable}
set split-horizon-status {enable | disable}
set split-horizon {poisoned | regular}
set flags <integer>
end
end

Description
Configuration | Description | Default Value
default-information-originate | Enable/disable generation of default route. | disable
default-metric | Default metric. |
max-out-metric | Maximum metric allowed to output (0 means 'not set'). |
recv-buffer-size | Receiving buffer size. | 655360
distance | Distance. | (Empty)
distribute-list | Distribute list. | (Empty)
neighbor | Neighbor. | (Empty)
network | Network. | (Empty)
offset-list | Offset list. | (Empty)
passive-interface | Passive interface configuration. | (Empty)
redistribute | Redistribute configuration. | (Empty)
update-timer | Update timer. | 30
timeout-timer | Timeout timer. | 180
garbage-timer | Garbage timer. | 120
version | RIP version. |
interface | RIP interface configuration. | (Empty)

router/ripng
CLI Syntax
config router ripng
edit <name_str>
set default-information-originate {enable | disable}
set default-metric <integer>
set max-out-metric <integer>
config distance
edit <name_str>
set id <integer>
set distance <integer>
set prefix6 <ipv6-prefix>
set access-list6 <string>
end
config distribute-list
edit <name_str>
set id <integer>
set status {enable | disable}
set direction {in | out}
set listname <string>
set interface <string>
end
config neighbor
edit <name_str>
set id <integer>
set ip6 <ipv6-address>
set interface <string>
end
config network
edit <name_str>
set id <integer>
set prefix <ipv6-prefix>
end
config aggregate-address
edit <name_str>
set id <integer>
set prefix6 <ipv6-prefix>
end
config offset-list
edit <name_str>
set id <integer>
set status {enable | disable}
set direction {in | out}
set access-list6 <string>
set offset <integer>
set interface <string>
end
config passive-interface
edit <name_str>
set name <string>
end
config redistribute
edit <name_str>
set name <string>
set status {enable | disable}
set metric <integer>
set routemap <string>
set flags <integer>
end
set update-timer <integer>
set timeout-timer <integer>
set garbage-timer <integer>
config interface
edit <name_str>
set name <string>
set split-horizon-status {enable | disable}
set split-horizon {poisoned | regular}
set flags <integer>
end
end

Description
Configuration | Description | Default Value
default-information-originate | Enable/disable generation of default route. | disable
default-metric | Default metric. |
max-out-metric | Maximum metric allowed to output (0 means 'not set'). |
distance | Distance. | (Empty)
distribute-list | Distribute list. | (Empty)
neighbor | Neighbor. | (Empty)
network | Network. | (Empty)
aggregate-address | Aggregate address. | (Empty)
offset-list | Offset list. | (Empty)
passive-interface | Passive interface configuration. | (Empty)
redistribute | Redistribute configuration. | (Empty)
update-timer | Update timer. | 30
timeout-timer | Timeout timer. | 180
garbage-timer | Garbage timer. | 120
interface | RIPng interface configuration. | (Empty)

router/route-map
CLI Syntax
config router route-map
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set action {permit | deny}
set match-as-path <string>
set match-community <string>
set match-community-exact {enable | disable}
set match-origin {none | egp | igp | incomplete}
set match-interface <string>
set match-ip-address <string>
set match-ip6-address <string>
set match-ip-nexthop <string>
set match-ip6-nexthop <string>
set match-metric <integer>
set match-route-type {1 | 2 | none}
set match-tag <integer>
set set-aggregator-as <integer>
set set-aggregator-ip <ipv4-address-any>
set set-aspath-action {prepend | replace}
config set-aspath
edit <name_str>
set as <string>
end
set set-atomic-aggregate {enable | disable}
set set-community-delete <string>
config set-community
edit <name_str>
set community <string>
end
set set-community-additive {enable | disable}
set set-dampening-reachability-half-life <integer>
set set-dampening-reuse <integer>
set set-dampening-suppress <integer>
set set-dampening-max-suppress <integer>
set set-dampening-unreachability-half-life <integer>
config set-extcommunity-rt
edit <name_str>
set community <string>
end
config set-extcommunity-soo
edit <name_str>
set community <string>
end
set set-ip-nexthop <ipv4-address>
set set-ip6-nexthop <ipv6-address>
set set-ip6-nexthop-local <ipv6-address>
set set-local-preference <integer>
set set-metric <integer>
set set-metric-type {1 | 2 | none}
set set-originator-id <ipv4-address-any>
set set-origin {none | egp | igp | incomplete}
set set-tag <integer>
set set-weight <integer>
set set-flags <integer>
set match-flags <integer>
end
end

Description
Configuration | Description | Default Value
name | Name. | (Empty)
comments | Comment. | (Empty)
rule | Rule. | (Empty)

router/setting
CLI Syntax
config router setting
edit <name_str>
set show-filter <string>
set hostname <string>
end

Description
Configuration | Description | Default Value
show-filter | Prefix-list as filter for showing routes. | (Empty)
hostname | Hostname for this virtual domain router. | (Empty)

router/static
CLI Syntax
config router static
edit <name_str>
set seq-num <integer>
set status {enable | disable}
set dst <ipv4-classnet>
set gateway <ipv4-address>
set distance <integer>
set weight <integer>
set priority <integer>
set device <string>
set comment <var-string>
set blackhole {enable | disable}
set dynamic-gateway {enable | disable}
set virtual-wan-link {enable | disable}
set dstaddr <string>
set internet-service <integer>
set internet-service-custom <string>
end

Description
Configuration | Description | Default Value
seq-num | Entry number. |
status | Enable/disable static route. | enable
dst | Destination IP and mask for this route. | 0.0.0.0 0.0.0.0
gateway | Gateway IP for this route. | 0.0.0.0
distance | Administrative distance (1 - 255). | 10
weight | Administrative weight (0 - 255). |
priority | Administrative priority (0 - 4294967295). |
device | Gateway out interface. | (Empty)
comment | Comment. | (Empty)
blackhole | Enable/disable black hole. | disable
dynamic-gateway | Enable use of dynamic gateway retrieved from a DHCP or PPP server. | disable
virtual-wan-link | Enable/disable egress through the virtual-wan-link. | disable
dstaddr | Name of firewall address or address group. | (Empty)
internet-service | Application ID in the Internet service database. |
internet-service-custom | Application name in the Internet service custom database. | (Empty)

router/static6
CLI Syntax
config router static6
edit <name_str>
set seq-num <integer>
set status {enable | disable}
set dst <ipv6-network>
set gateway <ipv6-address>
set device <string>
set devindex <integer>
set distance <integer>
set priority <integer>
set comment <var-string>
set blackhole {enable | disable}
end

Description
Configuration | Description | Default Value
seq-num | Sequence number. |
status | Enable/disable static route. | enable
dst | Destination IPv6 prefix for this route. | ::/0
gateway | Gateway IPv6 address for this route. | ::
device | Gateway out interface or tunnel. | (Empty)
devindex | Device index (0 - 4294967295). |
distance | Administrative distance (1 - 255). | 10
priority | Administrative priority (0 - 4294967295). |
comment | Comment. | (Empty)
blackhole | Enable/disable black hole. | disable

spamfilter/bwl
CLI Syntax
config spamfilter bwl
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set status {enable | disable}
set id <integer>
set type {ip | email}
set action {reject | spam | clear}
set addr-type {ipv4 | ipv6}
set ip4-subnet <ipv4-classnet>
set ip6-subnet <ipv6-network>
set pattern-type {wildcard | regexp}
set email-pattern <string>
end
end

Description
Configuration | Description | Default Value
id | ID. |
name | Name of table. | (Empty)
comment | Comment. | (Empty)
entries | Anti-spam black/white list entries. | (Empty)

spamfilter/bword
CLI Syntax
config spamfilter bword
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set status {enable | disable}
set id <integer>
set pattern <string>
set pattern-type {wildcard | regexp}
set action {spam | clear}
set where {subject | body | all}
set language {western | simch | trach | japanese | korean | french | thai | spanish}
set score <integer>
end
end

Description
Configuration | Description | Default Value
id | ID. |
name | Name of table. | (Empty)
comment | Comment. | (Empty)
entries | Spam filter banned word. | (Empty)

spamfilter/dnsbl
CLI Syntax
config spamfilter dnsbl
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set status {enable | disable}
set id <integer>
set server <string>
set action {reject | spam}
end
end

Description
Configuration | Description | Default Value
id | ID. |
name | Name of table. | (Empty)
comment | Comment. | (Empty)
entries | Spam filter DNSBL and ORBL server. | (Empty)

spamfilter/fortishield
CLI Syntax
config spamfilter fortishield
edit <name_str>
set spam-submit-srv <string>
set spam-submit-force {enable | disable}
set spam-submit-txt2htm {enable | disable}
end

Description
Configuration | Description | Default Value
spam-submit-srv | Hostname of the spam submission server. | www.nospammer.net
spam-submit-force | Enable/disable force insertion of a new MIME entity for the submission text. | enable
spam-submit-txt2htm | Enable/disable conversion of text email to HTML email. | enable

spamfilter/iptrust
CLI Syntax
config spamfilter iptrust
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set status {enable | disable}
set id <integer>
set addr-type {ipv4 | ipv6}
set ip4-subnet <ipv4-classnet>
set ip6-subnet <ipv6-network>
end
end

Description
Configuration | Description | Default Value
id | ID. |
name | Name of table. | (Empty)
comment | Comment. | (Empty)
entries | Spam filter trusted IP addresses. | (Empty)

spamfilter/mheader
CLI Syntax
config spamfilter mheader
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set status {enable | disable}
set id <integer>
set fieldname <string>
set fieldbody <string>
set pattern-type {wildcard | regexp}
set action {spam | clear}
end
end

Description
Configuration | Description | Default Value
id | ID. |
name | Name of table. | (Empty)
comment | Comment. | (Empty)
entries | Spam filter MIME header content. | (Empty)

spamfilter/options
CLI Syntax
config spamfilter options
edit <name_str>
set dns-timeout <integer>
end

Description
Configuration | Description | Default Value
dns-timeout | DNS query time out (1 - 30 sec). |

spamfilter/profile
CLI Syntax
config spamfilter profile
edit <name_str>
set name <string>
set comment <var-string>
set flow-based {enable | disable}
set replacemsg-group <string>
set spam-log {disable | enable}
set spam-log-fortiguard-response {disable | enable}
set spam-filtering {enable | disable}
set external {enable | disable}
set options {bannedword | spambwl | spamfsip | spamfssubmit | spamfschksum | spamfsurl | spamhelodns | spamraddrdns | spamrbl | spamhdrcheck | spamfsphish}
config imap
edit <name_str>
set log {enable | disable}
set action {pass | tag}
set tag-type {subject | header | spaminfo}
set tag-msg <string>
end
config pop3
edit <name_str>
set log {enable | disable}
set action {pass | tag}
set tag-type {subject | header | spaminfo}
set tag-msg <string>
end
config smtp
edit <name_str>
set log {enable | disable}
set action {pass | tag | discard}
set tag-type {subject | header | spaminfo}
set tag-msg <string>
set hdrip {enable | disable}
set local-override {enable | disable}
end
config mapi
edit <name_str>
set log {enable | disable}
set action {pass | discard}
end
config msn-hotmail
edit <name_str>
set log {enable | disable}
end
config yahoo-mail
edit <name_str>
set log {enable | disable}
end
config gmail
edit <name_str>
set log {enable | disable}
end
set spam-bword-threshold <integer>
set spam-bword-table <integer>
set spam-bwl-table <integer>
set spam-mheader-table <integer>
set spam-rbl-table <integer>
set spam-iptrust-table <integer>
end

Description
Configuration | Description | Default Value
name | Profile name. | (Empty)
comment | Comment. | (Empty)
flow-based | Enable/disable flow-based spam filtering. | disable
replacemsg-group | Replacement message group. | (Empty)
spam-log | Enable/disable spam logging for email filtering. | enable
spam-log-fortiguard-response | Enable/disable logging of FortiGuard spam response. | disable
spam-filtering | Enable/disable spam filtering. | disable
external | Enable/disable external email inspection. | disable
options | Options. | (Empty)
imap | IMAP. | Details below
pop3 | POP3. | Details below
smtp | SMTP. | Details below
mapi | MAPI. | Details below
msn-hotmail | MSN Hotmail. | Details below
yahoo-mail | Yahoo! Mail. | Details below
gmail | Gmail. | Details below
spam-bword-threshold | Spam banned word threshold. | 10
spam-bword-table | Anti-spam banned word table ID. |
spam-bwl-table | Anti-spam black/white list table ID. |
spam-mheader-table | Anti-spam MIME header table ID. |
spam-rbl-table | Anti-spam DNSBL table ID. |
spam-iptrust-table | Anti-spam IP trust table ID. |

imap
Configuration | Default Value
log | disable
action | tag
tag-type | subject spaminfo
tag-msg | Spam

pop3
Configuration | Default Value
log | disable
action | tag
tag-type | subject spaminfo
tag-msg | Spam

smtp
Configuration | Default Value
log | disable
action | discard
tag-type | subject spaminfo
tag-msg | Spam
hdrip | disable
local-override | disable

mapi
Configuration | Default Value
log | disable
action | discard

msn-hotmail
Configuration | Default Value
log | disable

yahoo-mail
Configuration | Default Value
log | disable

gmail
Configuration | Default Value
log | disable

system.autoupdate/push-update
CLI Syntax
config system.autoupdate push-update
edit <name_str>
set status {enable | disable}
set override {enable | disable}
set address <ipv4-address-any>
set port <integer>
end


Description

Configuration   Description                                    Default Value
status          Enable/disable push updates.                   disable
override        Enable/disable push update override server.    disable
address         Push update override server.                   0.0.0.0
port            Push update override port.                     9443

system.autoupdate/schedule
CLI Syntax
config system.autoupdate schedule
edit <name_str>
set status {enable | disable}
set frequency {every | daily | weekly}
set time <user>
set day {Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday}
end


Description

Configuration   Description                          Default Value
status          Enable/disable scheduled updates.    enable
frequency       Update frequency.                    every
time            Update time.                         02:60
day             Update day.                          Monday

system.autoupdate/tunneling
CLI Syntax
config system.autoupdate tunneling
edit <name_str>
set status {enable | disable}
set address <string>
set port <integer>
set username <string>
set password <password>
end


Description

Configuration   Description                               Default Value
status          Enable/disable web proxy tunnelling.      disable
address         Web proxy IP address or FQDN.             (Empty)
port            Web proxy port.
username        Web proxy username.                       (Empty)
password        Web proxy password.                       (Empty)

system.dhcp/server
CLI Syntax
config system.dhcp server
edit <name_str>
set id <integer>
set status {disable | enable}
set lease-time <integer>
set mac-acl-default-action {assign | block}
set forticlient-on-net-status {disable | enable}
set dns-service {local | default | specify}
set dns-server1 <ipv4-address>
set dns-server2 <ipv4-address>
set dns-server3 <ipv4-address>
set wifi-ac1 <ipv4-address>
set wifi-ac2 <ipv4-address>
set wifi-ac3 <ipv4-address>
set ntp-service {local | default | specify}
set ntp-server1 <ipv4-address>
set ntp-server2 <ipv4-address>
set ntp-server3 <ipv4-address>
set domain <string>
set wins-server1 <ipv4-address>
set wins-server2 <ipv4-address>
set default-gateway <ipv4-address>
set next-server <ipv4-address>
set netmask <ipv4-netmask>
set interface <string>
config ip-range
edit <name_str>
set id <integer>
set start-ip <ipv4-address>
set end-ip <ipv4-address>
end
set timezone-option {disable | default | specify}
set timezone {01 | 02 | 03 | 04 | 05 | 81 | 06 | 07 | 08 | 09 | 10 | 11 | 12 | 13 | 74 | 14 | 77 | 15 | 16 | 17 | 18 | 19 | 20 | 75 | 21 | 22 | 23 | 24 | 80 | 79 | 25 | 26 | 27 | 28 | 78 | 29 | 30 | 31 | 85 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 83 | 84 | 40 | 41 | 42 | 43 | 39 | 44 | 46 | 47 | 51 | 48 | 45 | 49 | 50 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 62 | 63 | 61 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 00 | 82 | 73 | 86 | 76}
set tftp-server <string>
set filename <string>
config options
edit <name_str>
set id <integer>
set code <integer>
set type {hex | string | ip}
set value <string>
set ip <user>
end
set server-type {regular | ipsec}
set ip-mode {range | usrgrp}
set conflicted-ip-timeout <integer>
set ipsec-lease-hold <integer>
set auto-configuration {disable | enable}
set ddns-update {disable | enable}
set ddns-update-override {disable | enable}
set ddns-server-ip <ipv4-address>
set ddns-zone <string>
set ddns-auth {disable | tsig}
set ddns-keyname <string>
set ddns-key <user>
set ddns-ttl <integer>
set vci-match {disable | enable}
config vci-string
edit <name_str>
set vci-string <string>
end
config exclude-range
edit <name_str>
set id <integer>
set start-ip <ipv4-address>
set end-ip <ipv4-address>
end
config reserved-address
edit <name_str>
set id <integer>
set ip <ipv4-address>
set mac <mac-address>
set action {assign | block | reserved}
set description <var-string>
end
end


Description

Configuration               Description                                                         Default Value
id                          ID.
status                      Enable/disable this DHCP server configuration.                      enable
lease-time                  Lease time in seconds.                                              604800
mac-acl-default-action      MAC access control default action.                                  assign
forticlient-on-net-status   Enable/disable sending the FortiGate serial number as a DHCP        enable
                            option.
dns-service                 DNS service option.                                                 specify
dns-server1                 DNS server 1.                                                       0.0.0.0
dns-server2                 DNS server 2.                                                       0.0.0.0
dns-server3                 DNS server 3.                                                       0.0.0.0
wifi-ac1                    WiFi AC 1.                                                          0.0.0.0
wifi-ac2                    WiFi AC 2.                                                          0.0.0.0
wifi-ac3                    WiFi AC 3.                                                          0.0.0.0
ntp-service                 NTP service option.                                                 specify
ntp-server1                 NTP server 1.                                                       0.0.0.0
ntp-server2                 NTP server 2.                                                       0.0.0.0
ntp-server3                 NTP server 3.                                                       0.0.0.0
domain                      Domain name.                                                        (Empty)
wins-server1                WINS server 1.                                                      0.0.0.0
wins-server2                WINS server 2.                                                      0.0.0.0
default-gateway             Default gateway address offered to clients.                         0.0.0.0
next-server                 Next bootstrap server.                                              0.0.0.0
netmask                     Netmask.                                                            0.0.0.0
interface                   Interface name.                                                     (Empty)
ip-range                    DHCP IP range configuration.                                        (Empty)
timezone-option             Time zone settings.                                                 disable
timezone                    Time zone.                                                          00
tftp-server                 Hostname or IP address of the TFTP server.                          (Empty)
filename                    Boot file name.                                                     (Empty)
options                     DHCP options.                                                       (Empty)
server-type                 Type of DHCP service to provide.                                    regular
ip-mode                     Method used to assign client IP.                                    range
conflicted-ip-timeout       Time a conflicted IP is kept out of the range (seconds).            1800
ipsec-lease-hold            DHCP over IPsec leases expire this many seconds after the tunnel    60
                            goes down (0 disables forced expiry).
auto-configuration          Enable/disable auto configuration.                                  enable
ddns-update                 Enable/disable DDNS update for DHCP.                                disable
ddns-update-override        Enable/disable DDNS update override for DHCP.                       disable
ddns-server-ip              DDNS server IP.                                                     0.0.0.0
ddns-zone                   Zone of your domain name (e.g. DDNS.com).                           (Empty)
ddns-auth                   DDNS authentication mode.                                           disable
ddns-keyname                DDNS update key name.                                               (Empty)
ddns-key                    DDNS update key (base64 encoded; stored encrypted).                 'ENC isr0V46YyB8yJjNbUYAs/vUYxB1aL6ALCHlEbPq6PJBZtDpbY7N1pqsliSaL2Fw4Jz0bZklu47K49hcFNvrKsIh9YC2uAimJqm9qGNuxRLsBAi/+1yyNDp0Hjjc='
ddns-ttl                    TTL.                                                                300
vci-match                   Enable/disable VCI matching.                                        disable
vci-string                  VCI strings.                                                        (Empty)
exclude-range               DHCP exclude range configuration.                                   (Empty)
reserved-address            DHCP reserved IP address.                                           (Empty)
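How the options in the table above combine when a client asks for a lease, as an added worked example (Python; not code from this page or from Fortinet): ip-range minus exclude-range forms the dynamic pool, a reserved-address entry overrides the decision for its MAC, and mac-acl-default-action decides for every MAC without an entry. The meaning given to the three reserved-address actions and to the default action is this example's reading of the option names, not text from the page; the pool, exclusions and MAC addresses are constructed.

```python
"""Address assignment of a 'config system dhcp server' entry under its
MAC access-control settings (FortiOS 5.4 CLI reference, this page).

Added example; not Fortinet code. Option names follow the page. The
semantics below are this example's assumptions, not statements on the page:
  - reserved-address action 'reserved': the MAC always receives the listed
    ip, which is never handed out dynamically;
  - reserved-address action 'assign': the MAC receives a dynamic address;
  - reserved-address action 'block': the MAC receives nothing;
  - mac-acl-default-action decides for MACs without a reserved-address
    entry ('assign' = dynamic address, 'block' = nothing).
Dynamic addresses come from ip-range minus exclude-range.
"""
from ipaddress import IPv4Address


def expand_ranges(ranges):
    """[(start-ip, end-ip), ...] -> set of IPv4Address, inclusive."""
    out = set()
    for start, end in ranges:
        a, b = IPv4Address(start), IPv4Address(end)
        if b < a:
            raise ValueError(f"end-ip {end} precedes start-ip {start}")
        out.update(IPv4Address(n) for n in range(int(a), int(b) + 1))
    return out


class DhcpServer:
    """Minimal model of the ip-range / exclude-range / reserved-address /
    mac-acl-default-action interplay. Leases never expire in this model."""

    def __init__(self, ip_range, exclude_range=(), reserved_address=(),
                 mac_acl_default_action="assign"):
        if mac_acl_default_action not in ("assign", "block"):
            raise ValueError("mac-acl-default-action is {assign | block}")
        self.default_action = mac_acl_default_action
        self.acl = {}  # mac -> (action, fixed IPv4Address or None)
        for entry in reserved_address:
            action = entry["action"]
            if action not in ("assign", "block", "reserved"):
                raise ValueError("reserved-address action is {assign | block | reserved}")
            fixed = IPv4Address(entry["ip"]) if entry.get("ip") else None
            if action == "reserved" and fixed is None:
                raise ValueError("action reserved needs an ip")
            self.acl[entry["mac"].lower()] = (action, fixed)
        pool = expand_ranges(ip_range) - expand_ranges(exclude_range)
        # fixed reservations must never be offered to anyone else
        pool -= {ip for action, ip in self.acl.values() if action == "reserved"}
        self.pool = sorted(pool)
        self.leases = {}  # mac -> IPv4Address

    def offer(self, mac):
        """Address offered to `mac`, or None when refused or pool exhausted."""
        mac = mac.lower()
        if mac in self.leases:
            return self.leases[mac]  # renewal keeps the same address
        action, fixed = self.acl.get(mac, (self.default_action, None))
        if action == "block":
            return None
        if action == "reserved":
            self.leases[mac] = fixed
            return fixed
        in_use = set(self.leases.values())
        for ip in self.pool:
            if ip not in in_use:
                self.leases[mac] = ip
                return ip
        return None


def build_sample_server(mac_acl_default_action="block"):
    """Constructed sample: five-address pool, one exclusion, three ACL entries."""
    return DhcpServer(
        ip_range=[("192.168.1.10", "192.168.1.14")],
        exclude_range=[("192.168.1.12", "192.168.1.12")],
        reserved_address=[
            {"mac": "AA:BB:CC:00:00:01", "ip": "192.168.1.14", "action": "reserved"},
            {"mac": "aa:bb:cc:00:00:02", "action": "block"},
            {"mac": "aa:bb:cc:00:00:03", "action": "assign"},
        ],
        mac_acl_default_action=mac_acl_default_action,
    )


if __name__ == "__main__":
    strict = build_sample_server("block")
    for mac in ("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02",
                "aa:bb:cc:00:00:03", "00:11:22:33:44:55"):
        print(f"{mac} -> {strict.offer(mac)}")
```

With the default action left at assign (the page's default) an unknown MAC is served from the pool; with block, only MACs listed with action assign or reserved get an address, which is the setting to use on a segment where every client is known.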

system.dhcp6/server
CLI Syntax
config system.dhcp6 server
edit <name_str>
set id <integer>
set status {disable | enable}
set rapid-commit {disable | enable}
set lease-time <integer>
set dns-service {delegated | default | specify}
set dns-server1 <ipv6-address>
set dns-server2 <ipv6-address>
set dns-server3 <ipv6-address>
set domain <string>
set subnet <ipv6-prefix>
set interface <string>
set option1 <user>
set option2 <user>
set option3 <user>
set upstream-interface <string>
set ip-mode {range | delegated}
config ip-range
edit <name_str>
set id <integer>
set start-ip <ipv6-address>
set end-ip <ipv6-address>
end
end


Description

Configuration        Description                                                        Default Value
id                   ID.
status               Enable/disable this DHCPv6 server configuration.                   enable
rapid-commit         Enable/disable rapid commit.                                       disable
lease-time           Lease time in seconds.                                             604800
dns-service          DNS service option.                                                specify
dns-server1          DNS server 1.                                                      ::
dns-server2          DNS server 2.                                                      ::
dns-server3          DNS server 3.                                                      ::
domain               Domain name.                                                       (Empty)
subnet               Subnet, or subnet ID if the IP mode is delegated.                  ::/0
interface            Interface name.                                                    (Empty)
option1              Option 1.
option2              Option 2.
option3              Option 3.
upstream-interface   Interface from which the delegated prefix information is           (Empty)
                     provided.
ip-mode              Method used to assign client IP.                                   range
ip-range             DHCP IP range configuration.                                       (Empty)

system.replacemsg/admin
CLI Syntax
config system.replacemsg admin
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end


Description

Configuration   Description       Default Value
msg-type        Message type.     (Empty)
buffer          Message string.   (Empty)
header          Header flag.      none
format          Format flag.      none

system.replacemsg/alertmail
CLI Syntax
config system.replacemsg alertmail
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end


Description

Configuration   Description       Default Value
msg-type        Message type.     (Empty)
buffer          Message string.   (Empty)
header          Header flag.      none
format          Format flag.      none

system.replacemsg/auth
CLI Syntax
config system.replacemsg auth
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end


Description

Configuration   Description       Default Value
msg-type        Message type.     (Empty)
buffer          Message string.   (Empty)
header          Header flag.      none
format          Format flag.      none

system.replacemsg/device-detection-portal
CLI Syntax
config system.replacemsg device-detection-portal
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end


Description

Configuration   Description       Default Value
msg-type        Message type.     (Empty)
buffer          Message string.   (Empty)
header          Header flag.      none
format          Format flag.      none

system.replacemsg/ec
CLI Syntax
config system.replacemsg ec
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end


Description

Configuration   Description       Default Value
msg-type        Message type.     (Empty)
buffer          Message string.   (Empty)
header          Header flag.      none
format          Format flag.      none

system.replacemsg/fortiguard-wf
CLI Syntax
config system.replacemsg fortiguard-wf
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end


Description

Configuration   Description       Default Value
msg-type        Message type.     (Empty)
buffer          Message string.   (Empty)
header          Header flag.      none
format          Format flag.      none

system.replacemsg/ftp
CLI Syntax
config system.replacemsg ftp
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end


Description

Configuration   Description       Default Value
msg-type        Message type.     (Empty)
buffer          Message string.   (Empty)
header          Header flag.      none
format          Format flag.      none

system.replacemsg/http
CLI Syntax
config system.replacemsg http
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end


Description

Configuration   Description       Default Value
msg-type        Message type.     (Empty)
buffer          Message string.   (Empty)
header          Header flag.      none
format          Format flag.      none

system.replacemsg/mail
CLI Syntax
config system.replacemsg mail
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end


Description

Configuration   Description       Default Value
msg-type        Message type.     (Empty)
buffer          Message string.   (Empty)
header          Header flag.      none
format          Format flag.      none

system.replacemsg/nac-quar
CLI Syntax
config system.replacemsg nac-quar
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end


Description

Configuration   Description       Default Value
msg-type        Message type.     (Empty)
buffer          Message string.   (Empty)
header          Header flag.      none
format          Format flag.      none

system.replacemsg/nntp
CLI Syntax
config system.replacemsg nntp
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end


Description

Configuration   Description       Default Value
msg-type        Message type.     (Empty)
buffer          Message string.   (Empty)
header          Header flag.      none
format          Format flag.      none

system.replacemsg/spam
CLI Syntax
config system.replacemsg spam
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end


Description

Configuration   Description       Default Value
msg-type        Message type.     (Empty)
buffer          Message string.   (Empty)
header          Header flag.      none
format          Format flag.      none

system.replacemsg/sslvpn
CLI Syntax
config system.replacemsg sslvpn
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end


Description

Configuration   Description       Default Value
msg-type        Message type.     (Empty)
buffer          Message string.   (Empty)
header          Header flag.      none
format          Format flag.      none

system.replacemsg/traffic-quota
CLI Syntax
config system.replacemsg traffic-quota
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end


Description

Configuration   Description       Default Value
msg-type        Message type.     (Empty)
buffer          Message string.   (Empty)
header          Header flag.      none
format          Format flag.      none

system.replacemsg/utm
CLI Syntax
config system.replacemsg utm
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end


Description

Configuration   Description       Default Value
msg-type        Message type.     (Empty)
buffer          Message string.   (Empty)
header          Header flag.      none
format          Format flag.      none

system.replacemsg/webproxy
CLI Syntax
config system.replacemsg webproxy
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end


Description

Configuration   Description       Default Value
msg-type        Message type.     (Empty)
buffer          Message string.   (Empty)
header          Header flag.      none
format          Format flag.      none

system.snmp/community
CLI Syntax
config system.snmp community
edit <name_str>
set id <integer>
set name <string>
set status {enable | disable}
config hosts
edit <name_str>
set id <integer>
set source-ip <ipv4-address>
set ip <user>
set interface <string>
set ha-direct {enable | disable}
set host-type {any | query | trap}
end
config hosts6
edit <name_str>
set id <integer>
set source-ipv6 <ipv6-address>
set ipv6 <ipv6-prefix>
set ha-direct {enable | disable}
set interface <string>
set host-type {any | query | trap}
end
set query-v1-status {enable | disable}
set query-v1-port <integer>
set query-v2c-status {enable | disable}
set query-v2c-port <integer>
set trap-v1-status {enable | disable}
set trap-v1-lport <integer>
set trap-v1-rport <integer>
set trap-v2c-status {enable | disable}
set trap-v2c-lport <integer>
set trap-v2c-rport <integer>
set events {cpu-high | mem-low | log-full | intf-ip | vpn-tun-up | vpn-tun-down | ha-switch | ha-hb-failure | ips-signature | ips-anomaly | av-virus | av-oversize | av-pattern | av-fragmented | fm-if-change | fm-conf-change | bgp-established | bgp-backward-transition | ha-member-up | ha-member-down | ent-conf-change | av-conserve | av-bypass | av-oversize-passed | av-oversize-blocked | ips-pkg-update | ips-fail-open | temperature-high | voltage-alert | power-supply-failure | faz-disconnect | fan-failure | wc-ap-up | wc-ap-down | fswctl-session-up | fswctl-session-down | load-balance-real-server-down | device-new}
end


Description

Configuration      Description                               Default Value
id                 Community ID.
name               Community name.                           (Empty)
status             Enable/disable this community.            enable
hosts              Allowed hosts configuration (IPv4).       (Empty)
hosts6             Allowed hosts configuration (IPv6).       (Empty)
query-v1-status    Enable/disable SNMP v1 query.             enable
query-v1-port      SNMP v1 query port.                       161
query-v2c-status   Enable/disable SNMP v2c query.            enable
query-v2c-port     SNMP v2c query port.                      161
trap-v1-status     Enable/disable SNMP v1 trap.              enable
trap-v1-lport      SNMP v1 trap local port.                  162
trap-v1-rport      SNMP v1 trap remote port.                 162
trap-v2c-status    Enable/disable SNMP v2c trap.             enable
trap-v2c-lport     SNMP v2c trap local port.                 162
trap-v2c-rport     SNMP v2c trap remote port.                162
events             SNMP trap events.                         cpu-high mem-low log-full intf-ip vpn-tun-up
                                                             vpn-tun-down ha-switch ha-hb-failure
                                                             ips-signature ips-anomaly av-virus av-oversize
                                                             av-pattern av-fragmented fm-if-change
                                                             bgp-established bgp-backward-transition
                                                             ha-member-up ha-member-down ent-conf-change
                                                             av-conserve av-bypass av-oversize-passed
                                                             av-oversize-blocked ips-pkg-update
                                                             ips-fail-open temperature-high voltage-alert
                                                             power-supply-failure faz-disconnect
                                                             fan-failure wc-ap-up wc-ap-down
                                                             fswctl-session-up fswctl-session-down
                                                             load-balance-real-server-down

system.snmp/sysinfo
CLI Syntax
config system.snmp sysinfo
edit <name_str>
set status {enable | disable}
set engine-id <string>
set description <string>
set contact-info <string>
set location <string>
set trap-high-cpu-threshold <integer>
set trap-low-memory-threshold <integer>
set trap-log-full-threshold <integer>
end


Description

Configuration               Description                                             Default Value
status                      Enable/disable SNMP.                                    disable
engine-id                   Local SNMP engineID string (maximum 24 characters).     (Empty)
description                 System description.                                     (Empty)
contact-info                Contact information.                                    (Empty)
location                    System location.                                        (Empty)
trap-high-cpu-threshold     CPU usage when trap is sent.                            80
trap-low-memory-threshold   Memory usage when trap is sent.                         80
trap-log-full-threshold     Log disk usage when trap is sent.                       90

system.snmp/user
CLI Syntax
config system.snmp user
edit <name_str>
set name <string>
set status {enable | disable}
set trap-status {enable | disable}
set trap-lport <integer>
set trap-rport <integer>
set queries {enable | disable}
set query-port <integer>
set notify-hosts <ipv4-address>
set notify-hosts6 <ipv6-address>
set source-ip <ipv4-address>
set source-ipv6 <ipv6-address>
set ha-direct {enable | disable}
set events {cpu-high | mem-low | log-full | intf-ip | vpn-tun-up | vpn-tun-down | ha-switch | ha-hb-failure | ips-signature | ips-anomaly | av-virus | av-oversize | av-pattern | av-fragmented | fm-if-change | fm-conf-change | bgp-established | bgp-backward-transition | ha-member-up | ha-member-down | ent-conf-change | av-conserve | av-bypass | av-oversize-passed | av-oversize-blocked | ips-pkg-update | ips-fail-open | temperature-high | voltage-alert | power-supply-failure | faz-disconnect | fan-failure | wc-ap-up | wc-ap-down | fswctl-session-up | fswctl-session-down | load-balance-real-server-down | device-new}
set security-level {no-auth-no-priv | auth-no-priv | auth-priv}
set auth-proto {md5 | sha}
set auth-pwd <password>
set priv-proto {aes | des | aes256 | aes256cisco}
set priv-pwd <password>
end


Description

Configuration    Description                                                  Default Value
name             SNMP user name.                                              (Empty)
status           Enable/disable this user.                                    enable
trap-status      Enable/disable traps for this user.                          enable
trap-lport       SNMPv3 trap local port.                                      162
trap-rport       SNMPv3 trap remote port.                                     162
queries          Enable/disable queries for this user.                        enable
query-port       SNMPv3 query port.                                           161
notify-hosts     Hosts to send notifications (traps) to.                      (Empty)
notify-hosts6    IPv6 hosts to send notifications (traps) to.                 (Empty)
source-ip        Source IP for SNMP trap.                                     0.0.0.0
source-ipv6      Source IPv6 for SNMP trap.                                   ::
ha-direct        Enable/disable direct management of HA cluster members.      disable
events           SNMP notifications (traps) to send.                          cpu-high mem-low log-full intf-ip vpn-tun-up
                                                                              vpn-tun-down ha-switch ha-hb-failure
                                                                              ips-signature ips-anomaly av-virus av-oversize
                                                                              av-pattern av-fragmented fm-if-change
                                                                              bgp-established bgp-backward-transition
                                                                              ha-member-up ha-member-down ent-conf-change
                                                                              av-conserve av-bypass av-oversize-passed
                                                                              av-oversize-blocked ips-pkg-update
                                                                              ips-fail-open temperature-high voltage-alert
                                                                              power-supply-failure faz-disconnect
                                                                              fan-failure wc-ap-up wc-ap-down
                                                                              fswctl-session-up fswctl-session-down
                                                                              load-balance-real-server-down
security-level   Security level for message authentication and encryption.    no-auth-no-priv
auth-proto       Authentication protocol.                                     sha
auth-pwd         Password for authentication protocol.                        (Empty)
priv-proto       Privacy (encryption) protocol.                               aes
priv-pwd         Password for privacy (encryption) protocol.                  (Empty)
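The system.snmp community, sysinfo and user tables above are the first thing a reviewer checks on a FortiGate, because the documented defaults leave SNMPv1/v2c queries and traps enabled on every community and put a new SNMPv3 user at no-auth-no-priv. The following added example (Python; not code from this page or from Fortinet) parses a saved configuration written in the CLI's own config/edit/set/next/end syntax and reports those weaknesses. The parser and the sample configuration are this example's own constructions, and any option absent from the dump is assumed to sit at the default listed on this page.

```python
"""Review the SNMP settings in a saved FortiOS 5.4 configuration.

Added example for this page, not Fortinet code. It parses the nested
config / edit / set / next / end blocks of a FortiOS CLI dump and checks
the system.snmp tables documented here for what a reviewer flags:
SNMPv1/v2c communities (cleartext community string), well-known names,
SNMPv3 users below auth-priv, MD5 auth and DES privacy. Absent settings
take the page's defaults. SAMPLE_CONFIG is constructed for the example.
"""
import shlex

SAMPLE_CONFIG = """\
config system snmp sysinfo
    set status enable
end
config system snmp community
    edit 1
        set name "public"
        config hosts
            edit 1
                set ip 10.0.0.5 255.255.255.255
            next
        end
        set query-v1-status disable
    next
end
config system snmp user
    edit "nms-ro"
        set security-level auth-priv
        set priv-proto aes256
    next
    edit "legacy"
        set security-level auth-no-priv
        set auth-proto md5
    next
    edit "probe"
    next
end
"""


def parse_fortios_config(text):
    """Nested dicts: table -> entry -> {option: value, sub-table: {...}}.
    'config X' opens a table, 'edit N' an entry, 'set k v' stores a value,
    'next'/'end' close a level; a 'set' right under 'config' lands on the table."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        parts = shlex.split(raw)  # handles quoted names such as "nms-ro"
        if not parts:
            continue
        kw = parts[0]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(parts[1:]), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(parts[1], {}))
        elif kw == "set":
            stack[-1][parts[1]] = " ".join(parts[2:])
        elif kw == "unset":
            stack[-1].pop(parts[1], None)
        elif kw in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced {kw!r} at: {raw.strip()}")
            stack.pop()
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root


V1V2C_SWITCHES = ("query-v1-status", "query-v2c-status",
                  "trap-v1-status", "trap-v2c-status")


def audit_snmp(cfg):
    """Return findings as strings; an empty list means nothing to flag."""
    findings = []
    if cfg.get("system snmp sysinfo", {}).get("status", "disable") != "enable":
        return findings  # agent off (page default): nothing exposed
    for cid, c in cfg.get("system snmp community", {}).items():
        if c.get("status", "enable") != "enable":
            continue
        name = c.get("name", "")
        on = [k for k in V1V2C_SWITCHES if c.get(k, "enable") == "enable"]
        if on:  # every one of these switches defaults to enable
            findings.append(f"community {cid} {name!r}: v1/v2c enabled via "
                            f"{', '.join(on)}; community string is cleartext")
        if name in ("public", "private"):
            findings.append(f"community {cid}: well-known community name {name!r}")
    for uid, u in cfg.get("system snmp user", {}).items():
        if u.get("status", "enable") != "enable":
            continue
        level = u.get("security-level", "no-auth-no-priv")
        if level != "auth-priv":
            findings.append(f"user {uid}: security-level {level}; use auth-priv")
        if level != "no-auth-no-priv" and u.get("auth-proto", "sha") == "md5":
            findings.append(f"user {uid}: auth-proto md5; use sha")
        if level == "auth-priv" and u.get("priv-proto", "aes") == "des":
            findings.append(f"user {uid}: priv-proto des; use aes or aes256")
    return findings
```

On the sample the audit flags the v1/v2c community (named public), the legacy user twice (auth-no-priv and MD5) and the probe user once, because a user entry with nothing set inherits no-auth-no-priv; the nms-ro user at auth-priv with SHA and AES-256 passes.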

system/accprofile
CLI Syntax


config system accprofile


edit <name_str>
set name <string>
set scope {vdom | global}
set comments <var-string>
set mntgrp {none | read | read-write}
set admingrp {none | read | read-write}
set updategrp {none | read | read-write}
set authgrp {none | read | read-write}
set sysgrp {none | read | read-write}
set netgrp {none | read | read-write}
set loggrp {none | read | read-write | custom | w | r | rw}
set routegrp {none | read | read-write}
set fwgrp {none | read | read-write | custom | w | r | rw}
set vpngrp {none | read | read-write}
set utmgrp {none | read | read-write | custom | w | r | rw}
set wanoptgrp {none | read | read-write}
set endpoint-control-grp {none | read | read-write}
set wifi {none | read | read-write}
config fwgrp-permission
edit <name_str>
set policy {none | read | read-write}
set address {none | read | read-write}
set service {none | read | read-write}
set schedule {none | read | read-write}
set packet-capture {none | read | read-write}
set others {none | read | read-write}
end
config loggrp-permission
edit <name_str>
set config {none | read | read-write}
set data-access {none | read | read-write}
set report-access {none | read | read-write}
set threat-weight {none | read | read-write}
end
config utmgrp-permission
edit <name_str>
set antivirus {none | read | read-write}
set ips {none | read | read-write}
set webfilter {none | read | read-write}
set spamfilter {none | read | read-write}
set data-loss-prevention {none | read | read-write}
set application-control {none | read | read-write}
set icap {none | read | read-write}
set casi {none | read | read-write}
set voip {none | read | read-write}
set waf {none | read | read-write}
set dnsfilter {none | read | read-write}
end
end


Description

Configuration          Description                                   Default Value
name                   Profile name.                                 (Empty)
scope                  Global or single VDOM access restriction.     vdom
comments               Comment.                                      (Empty)
mntgrp                 Maintenance.                                  none
admingrp               Administrator Users.                          none
updategrp              FortiGuard Update.                            none
authgrp                User & Device.                                none
sysgrp                 System Configuration.                         none
netgrp                 Network Configuration.                        none
loggrp                 Log & Report.                                 none
routegrp               Router Configuration.                         none
fwgrp                  Firewall Configuration.                       none
vpngrp                 VPN Configuration.                            none
utmgrp                 Security Profile Configuration.               none
wanoptgrp              WAN Opt & Cache.                              none
endpoint-control-grp   Endpoint Security.                            none
wifi                   Wireless controller.                          none
fwgrp-permission       Custom firewall permission.                   Details below
loggrp-permission      Custom Log & Report permission.               Details below
utmgrp-permission      Custom UTM permission.                        Details below

fwgrp-permission sub-configuration
Configuration     Default Value
policy            none
address           none
service           none
schedule          none
packet-capture    none
others            none

loggrp-permission sub-configuration
Configuration     Default Value
config            none
data-access       none
report-access     none
threat-weight     none

utmgrp-permission sub-configuration
Configuration          Default Value
antivirus              none
ips                    none
webfilter              none
spamfilter             none
data-loss-prevention   none
application-control    none
icap                   none
casi                   none
voip                   none
waf                    none
dnsfilter              none

system/admin
CLI Syntax
config system admin
edit <name_str>
set name <string>
set wildcard {enable | disable}
set remote-auth {enable | disable}
set remote-group <string>
set password <password-2>
set peer-auth {enable | disable}
set peer-group <string>
set trusthost1 <ipv4-classnet>
set trusthost2 <ipv4-classnet>
set trusthost3 <ipv4-classnet>
set trusthost4 <ipv4-classnet>
set trusthost5 <ipv4-classnet>
set trusthost6 <ipv4-classnet>
set trusthost7 <ipv4-classnet>
set trusthost8 <ipv4-classnet>
set trusthost9 <ipv4-classnet>
set trusthost10 <ipv4-classnet>
set ip6-trusthost1 <ipv6-prefix>
set ip6-trusthost2 <ipv6-prefix>
set ip6-trusthost3 <ipv6-prefix>
set ip6-trusthost4 <ipv6-prefix>
set ip6-trusthost5 <ipv6-prefix>
set ip6-trusthost6 <ipv6-prefix>
set ip6-trusthost7 <ipv6-prefix>
set ip6-trusthost8 <ipv6-prefix>
set ip6-trusthost9 <ipv6-prefix>
set ip6-trusthost10 <ipv6-prefix>
set accprofile <string>
set allow-remove-admin-session {enable | disable}
set comments <var-string>
set hidden <integer>
config vdom
edit <name_str>
set name <string>
end
set is-admin <integer>
set ssh-public-key1 <user>
set ssh-public-key2 <user>
set ssh-public-key3 <user>
set ssh-certificate <string>
set schedule <string>
set accprofile-override {enable | disable}
set radius-vdom-override {enable | disable}
set password-expire <user>
set force-password-change {enable | disable}
config dashboard
edit <name_str>
set id <integer>
set widget-type {sysinfo | licinfo | sysop | sysres | alert | jsconsole | raid | tr-history | analytics | usb-modem}
set name <string>
set column <integer>
set refresh-interval <integer>
set time-period <integer>
set chart-color <integer>
set top-n <integer>
set sort-by {bytes | msg-counts | packets | bandwidth | sessions}
set report-by {source | destination | application | dlp-rule | dlp-sensor | policy | protocol | web-category | web-domain | all | profile}
set ip-version {ipboth | ipv4 | ipv6}
set resolve-host {enable | disable}
set resolve-service {enable | disable}
set aggregate-hosts {enable | disable}
set resolve-apps {enable | disable}
set display-format {chart | table | line}
set view-type {real-time | historical}
set cpu-display-type {average | each}
set interface <string>
set dst-interface <string>
set tr-history-period1 <integer>
set tr-history-period2 <integer>
set tr-history-period3 <integer>
set vdom <string>
set refresh {enable | disable}
set status {close | open}
set protocols <integer>
set show-system-restart {enable | disable}
set show-conserve-mode {enable | disable}
set show-firmware-change {enable | disable}
set show-fds-update {enable | disable}
set show-device-update {enable | disable}
set show-fds-quota {enable | disable}
set show-disk-failure {enable | disable}
set show-power-supply {enable | disable}
set show-admin-auth {enable | disable}
set show-fgd-alert {enable | disable}
set show-fcc-license {enable | disable}
set show-policy-overflow {enable | disable}
end
set two-factor {disable | fortitoken | email | sms}
set fortitoken <string>
set email-to <string>
set sms-server {fortiguard | custom}
set sms-custom-server <string>
set sms-phone <string>
set guest-auth {disable | enable}
config guest-usergroups
edit <name_str>
set name <string>
end
set guest-lang <string>
set history0 <password-2>
set history1 <password-2>
config login-time
edit <name_str>
set usr-name <string>
set last-login <datetime>
set last-failed-login <datetime>
end
config gui-global-menu-favorites
edit <name_str>
set id <string>
end
config gui-vdom-menu-favorites
edit <name_str>
set id <string>
end
end
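The trusthost1 to trusthost10 and ip6-trusthost1 to ip6-trusthost10 options in the syntax above are what stands between an exposed management interface and the password prompt, and their defaults (0.0.0.0 0.0.0.0 and ::/0) admit every source address. The following added example (Python; not code from this page or from Fortinet) models that list for one account, answers whether a given source address may reach the login, and flags accounts still at the default. It assumes, beyond what the page states, that once any slot has been narrowed the slots still at their default no longer grant access, so setting only trusthost1 is enough to restrict an account; the sample accounts are constructed.

```python
"""Trusted-host evaluation for 'config system admin' accounts (FortiOS 5.4).

Added example; not Fortinet code. The page documents trusthost1..10 as
'<ip> <mask>' (ipv4-classnet) defaulting to '0.0.0.0 0.0.0.0' meaning any
address, and ip6-trusthost1..10 as prefixes defaulting to '::/0'.
Assumption of this example (not stated on the page): once any slot is
narrowed, slots still at their default no longer grant access.
"""
import ipaddress

DEFAULT_V4 = "0.0.0.0 0.0.0.0"
DEFAULT_V6 = "::/0"
SLOTS = 10  # trusthost1..10 and ip6-trusthost1..10


def classnet_to_network(entry):
    """'10.0.0.0 255.255.255.0' (ipv4-classnet) or '2001:db8::/32' -> ip_network."""
    if " " in entry:
        ip, mask = entry.split()
        return ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return ipaddress.ip_network(entry, strict=False)


class AdminTrustHosts:
    """Trusted-host state of one administrator account."""

    def __init__(self, name, trusthosts=(), ip6_trusthosts=()):
        if len(trusthosts) > SLOTS or len(ip6_trusthosts) > SLOTS:
            raise ValueError(f"at most {SLOTS} entries per address family")
        self.name = name
        # slots that were never set keep the page defaults
        slots = list(trusthosts) + [DEFAULT_V4] * (SLOTS - len(trusthosts))
        slots += list(ip6_trusthosts) + [DEFAULT_V6] * (SLOTS - len(ip6_trusthosts))
        self.restricted = [classnet_to_network(e) for e in slots
                           if e not in (DEFAULT_V4, DEFAULT_V6)]

    def wide_open(self):
        """True when every slot is still at its default: any source may log in."""
        return not self.restricted

    def permits(self, source_ip):
        """Would a login attempt from source_ip reach the password prompt?"""
        if self.wide_open():
            return True
        src = ipaddress.ip_address(source_ip)
        return any(src.version == net.version and src in net
                   for net in self.restricted)


def audit_admins(admins):
    """Names of accounts reachable from any address (what a reviewer flags)."""
    return [a.name for a in admins if a.wide_open()]


def sample_admins():
    """Constructed sample: an account left at defaults and a restricted one."""
    return [
        AdminTrustHosts("admin"),
        AdminTrustHosts("netops",
                        trusthosts=["10.0.0.0 255.255.255.0",
                                    "192.0.2.10 255.255.255.255"],
                        ip6_trusthosts=["2001:db8:1::/48"]),
    ]


if __name__ == "__main__":
    print("wide open:", audit_admins(sample_admins()))
```

Run the audit over every account in `config system admin`, not only the built-in one; an unrestricted secondary account with a weak password is the usual way a trusthost policy on the primary account is bypassed.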


Description

Configuration                Description                                                       Default Value
name                         User name.                                                        (Empty)
wildcard                     Enable/disable wildcard RADIUS authentication.                    disable
remote-auth                  Enable/disable remote authentication.                             disable
remote-group                 User group name used for remote auth.                             (Empty)
password                     Admin user password (stored encrypted).                           ENC XXUp2ozpdysrQ
peer-auth                    Enable/disable peer authentication.                               disable
peer-group                   Peer group name.                                                  (Empty)
trusthost1                   Admin user trust host IP; 0.0.0.0 0.0.0.0 allows all.             0.0.0.0 0.0.0.0
trusthost2                   Admin user trust host IP; 0.0.0.0 0.0.0.0 allows all.             0.0.0.0 0.0.0.0
trusthost3                   Admin user trust host IP; 0.0.0.0 0.0.0.0 allows all.             0.0.0.0 0.0.0.0
trusthost4                   Admin user trust host IP; 0.0.0.0 0.0.0.0 allows all.             0.0.0.0 0.0.0.0
trusthost5                   Admin user trust host IP; 0.0.0.0 0.0.0.0 allows all.             0.0.0.0 0.0.0.0
trusthost6                   Admin user trust host IP; 0.0.0.0 0.0.0.0 allows all.             0.0.0.0 0.0.0.0
trusthost7                   Admin user trust host IP; 0.0.0.0 0.0.0.0 allows all.             0.0.0.0 0.0.0.0
trusthost8                   Admin user trust host IP; 0.0.0.0 0.0.0.0 allows all.             0.0.0.0 0.0.0.0
trusthost9                   Admin user trust host IP; 0.0.0.0 0.0.0.0 allows all.             0.0.0.0 0.0.0.0
trusthost10                  Admin user trust host IP; 0.0.0.0 0.0.0.0 allows all.             0.0.0.0 0.0.0.0
ip6-trusthost1               Admin user IPv6 trust host; ::/0 allows all.                      ::/0
ip6-trusthost2               Admin user IPv6 trust host; ::/0 allows all.                      ::/0
ip6-trusthost3               Admin user IPv6 trust host; ::/0 allows all.                      ::/0
ip6-trusthost4               Admin user IPv6 trust host; ::/0 allows all.                      ::/0
ip6-trusthost5               Admin user IPv6 trust host; ::/0 allows all.                      ::/0
ip6-trusthost6               Admin user IPv6 trust host; ::/0 allows all.                      ::/0
ip6-trusthost7               Admin user IPv6 trust host; ::/0 allows all.                      ::/0
ip6-trusthost8               Admin user IPv6 trust host; ::/0 allows all.                      ::/0
ip6-trusthost9               Admin user IPv6 trust host; ::/0 allows all.                      ::/0
ip6-trusthost10              Admin user IPv6 trust host; ::/0 allows all.                      ::/0
accprofile                   Admin user access profile.                                        (Empty)
allow-remove-admin-session   Enable/disable removal of this admin's sessions by privileged     enable
                             admin users.
comments                     Comment.                                                          (Empty)
hidden                       Admin user hidden attribute.
vdom                         Virtual domains.                                                  (Empty)
is-admin                     Is user admin.
ssh-public-key1              SSH public key 1.                                                 (Empty)
ssh-public-key2              SSH public key 2.                                                 (Empty)
ssh-public-key3              SSH public key 3.                                                 (Empty)
ssh-certificate              SSH certificate.                                                  (Empty)
schedule                     Schedule name.                                                    (Empty)
accprofile-override          Enable/disable overriding the access profile from the remote      disable
                             auth server.
radius-vdom-override         Enable/disable overriding the VDOM from RADIUS.                   disable
password-expire              Password expiry time.                                             0000-00-00 00:00:00
force-password-change        Enable/disable forced password change on next login.              disable
dashboard                    GUI custom dashboard.                                             (Empty)
two-factor                   Enable/disable two-factor authentication.                         disable
fortitoken                   Two-factor recipient's FortiToken serial number.

(Empty)

email-to

Two-factor recipient's email address.

(Empty)

sms-server

Send SMS through FortiGuard or other external


server.

fortiguard

sms-custom-server

Two-factor recipient's SMS server.

(Empty)

sms-phone

Two-factor recipient's mobile phone number.

(Empty)

guest-auth

Enable/disable guest authentication.

disable

guest-usergroups

Select guest user groups.

(Empty)

guest-lang

Guest management portal language.

(Empty)

history0

history0

ENC

history1

history1

ENC

login-time

Record user login time.

(Empty)

gui-global-menufavorites

Favorite GUI menu IDs for the global VDOM.

(Empty)

gui-vdom-menufavorites

Favorite GUI menu IDs for VDOMs.

(Empty)

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

477

system/alarm
CLI Syntax
config system alarm
    edit <name_str>
        set status {enable | disable}
        set audible {enable | disable}
        set sequence <integer>
        config groups
            edit <name_str>
                set id <integer>
                set period <integer>
                set admin-auth-failure-threshold <integer>
                set admin-auth-lockout-threshold <integer>
                set user-auth-failure-threshold <integer>
                set user-auth-lockout-threshold <integer>
                set replay-attempt-threshold <integer>
                set self-test-failure-threshold <integer>
                set log-full-warning-threshold <integer>
                set encryption-failure-threshold <integer>
                set decryption-failure-threshold <integer>
                config fw-policy-violations
                    edit <name_str>
                        set id <integer>
                        set threshold <integer>
                        set src-ip <ipv4-address>
                        set dst-ip <ipv4-address>
                        set src-port <integer>
                        set dst-port <integer>
                end
                set fw-policy-id <integer>
                set fw-policy-id-threshold <integer>
        end
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| status | Enable/disable alarm. | disable |
| audible | Enable/disable audible alarm. | disable |
| sequence | Sequence ID of alarms. | |
| groups | Alarm groups. | (Empty) |

system/arp-table
CLI Syntax
config system arp-table
    edit <name_str>
        set id <integer>
        set interface <string>
        set ip <ipv4-address>
        set mac <mac-address>
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| id | Unique integer ID of the entry. | |
| interface | Interface name. | (Empty) |
| ip | IP address. | 0.0.0.0 |
| mac | MAC address. | 00:00:00:00:00:00 |

system/auto-install
CLI Syntax
config system auto-install
    edit <name_str>
        set auto-install-config {enable | disable}
        set auto-install-image {enable | disable}
        set default-config-file <string>
        set default-image-file <string>
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| auto-install-config | Enable/disable auto install of the config from USB disk. | disable |
| auto-install-image | Enable/disable auto install of the image from USB disk. | disable |
| default-config-file | Default config file name on USB disk. | fgt_system.conf |
| default-image-file | Default image file name on USB disk. | image.out |

system/auto-script
CLI Syntax
config system auto-script
    edit <name_str>
        set name <string>
        set interval <integer>
        set repeat <integer>
        set start {manual | auto}
        set script <var-string>
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Auto script name. | (Empty) |
| interval | Repeat interval in seconds. | |
| repeat | Number of times to repeat this script (0 = infinite). | |
| start | Script starting mode. | manual |
| script | List of FortiOS CLI commands to repeat. | (Empty) |

system/central-management
CLI Syntax
config system central-management
    edit <name_str>
        set mode {normal | backup}
        set type {fortimanager | fortiguard | none}
        set schedule-config-restore {enable | disable}
        set schedule-script-restore {enable | disable}
        set allow-push-configuration {enable | disable}
        set allow-pushd-firmware {enable | disable}
        set allow-remote-firmware-upgrade {enable | disable}
        set allow-monitor {enable | disable}
        set serial-number <user>
        set fmg <string>
        set fmg-source-ip <ipv4-address>
        set fmg-source-ip6 <ipv6-address>
        set vdom <string>
        config server-list
            edit <name_str>
                set id <integer>
                set server-type {update | rating}
                set addr-type {ipv4 | ipv6 | fqdn}
                set server-address <ipv4-address>
                set server-address6 <ipv6-address>
                set fqdn <string>
        end
        set include-default-servers {enable | disable}
        set enc-algorithm {default | high | low}
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| mode | Normal/backup management mode. | normal |
| type | Type of management server. | none |
| schedule-config-restore | Enable/disable scheduled configuration restore. | enable |
| schedule-script-restore | Enable/disable scheduled script restore. | enable |
| allow-push-configuration | Enable/disable push configuration. | enable |
| allow-pushd-firmware | Enable/disable push firmware. | enable |
| allow-remote-firmware-upgrade | Enable/disable remote firmware upgrade. | enable |
| allow-monitor | Enable/disable remote monitoring of device. | enable |
| serial-number | Serial number. | (Empty) |
| fmg | Address of FortiManager (IP or FQDN name). | (Empty) |
| fmg-source-ip | Source IPv4 address to use when connecting to FortiManager. | 0.0.0.0 |
| fmg-source-ip6 | Source IPv6 address to use when connecting to FortiManager. | :: |
| vdom | Virtual domain name. | root |
| server-list | FortiGuard override server list. | (Empty) |
| include-default-servers | Enable/disable inclusion of public FortiGuard servers in the override server list. | enable |
| enc-algorithm | Use SSL encryption. | high |

system/cluster-sync
CLI Syntax
config system cluster-sync
    edit <name_str>
        set sync-id <integer>
        set peervd <string>
        set peerip <ipv4-address>
        config syncvd
            edit <name_str>
                set name <string>
        end
        config session-sync-filter
            edit <name_str>
                set srcintf <string>
                set dstintf <string>
                set srcaddr <ipv4-classnet-any>
                set dstaddr <ipv4-classnet-any>
                set srcaddr6 <ipv6-network>
                set dstaddr6 <ipv6-network>
                config custom-service
                    edit <name_str>
                        set id <integer>
                        set src-port-range <user>
                        set dst-port-range <user>
                end
        end
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| sync-id | Sync ID. | |
| peervd | Peer connecting VDOM. | root |
| peerip | Peer connecting IP. | 0.0.0.0 |
| syncvd | VDOM of which sessions need to be synced. | (Empty) |
| session-sync-filter | Session sync filter. | Details below |

session-sync-filter

| Configuration | Default Value |
| --- | --- |
| srcintf | (Empty) |
| dstintf | (Empty) |
| srcaddr | 0.0.0.0 0.0.0.0 |
| dstaddr | 0.0.0.0 0.0.0.0 |
| srcaddr6 | ::/0 |
| dstaddr6 | ::/0 |
| custom-service | (Empty) |

system/console
CLI Syntax
config system console
    edit <name_str>
        set mode {batch | line}
        set baudrate {9600 | 19200 | 38400 | 57600 | 115200}
        set output {standard | more}
        set login {enable | disable}
        set fortiexplorer {enable | disable}
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| mode | Console mode. | line |
| baudrate | Console baud rate. | 9600 |
| output | Console output mode. | more |
| login | Enable/disable serial console and FortiExplorer. | enable |
| fortiexplorer | Enable/disable access for FortiExplorer. | enable |

system/custom-language
CLI Syntax
config system custom-language
    edit <name_str>
        set name <string>
        set filename <string>
        set comments <var-string>
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Name. | (Empty) |
| filename | Custom language file path. | (Empty) |
| comments | Comment. | (Empty) |

system/ddns
CLI Syntax
config system ddns
    edit <name_str>
        set ddnsid <integer>
        set ddns-server {dyndns.org | dyns.net | ods.org | tzo.com | vavic.com | dipdns.net | now.net.cn | dhs.org | easydns.com | genericDDNS | FortiGuardDDNS}
        set ddns-server-ip <ipv4-address>
        set ddns-zone <string>
        set ddns-ttl <integer>
        set ddns-auth {disable | tsig}
        set ddns-keyname <string>
        set ddns-key <user>
        set ddns-domain <string>
        set ddns-username <string>
        set ddns-sn <string>
        set ddns-password <password>
        set use-public-ip {disable | enable}
        set clear-text {disable | enable}
        set ssl-certificate <string>
        set bound-ip <ipv4-address>
        config monitor-interface
            edit <name_str>
                set interface-name <string>
        end
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| ddnsid | DDNS ID. | |
| ddns-server | DDNS server. | (Empty) |
| ddns-server-ip | Generic DDNS server IP. | 0.0.0.0 |
| ddns-zone | Zone of your domain name (ex. DDNS.com). | (Empty) |
| ddns-ttl | TTL. | 300 |
| ddns-auth | DDNS authentication mode. | disable |
| ddns-keyname | DDNS update key name. | (Empty) |
| ddns-key | DDNS update key (base 64 encoding). | 'ENC ws+aR7RX+Kk/g41Bs0SWGbHac+vOTiv271HXGJTNf9n+sPaprfG5ubPEPH+8ZxccOuEMmsLafbDZ/F1ySfgOMVaRSxojcUfjSLNndHqBKYANZsnuAxu47RJMJ4A=' |
| ddns-domain | Your domain name (ex. yourname.DDNS.com). | (Empty) |
| ddns-username | DDNS user name. | (Empty) |
| ddns-sn | DDNS Serial Number. | (Empty) |
| ddns-password | DDNS password. | (Empty) |
| use-public-ip | Enable/disable use of public IP address. | disable |
| clear-text | Enable/disable use of clear text connection. | enable |
| ssl-certificate | Name of local certificate for SSL connection. | Fortinet_Factory |
| bound-ip | Bound IP address. | 0.0.0.0 |
| monitor-interface | Monitored interface. | (Empty) |

system/dedicated-mgmt
CLI Syntax
config system dedicated-mgmt
    edit <name_str>
        set status {enable | disable}
        set interface <string>
        set default-gateway <ipv4-address>
        set dhcp-server {enable | disable}
        set dhcp-netmask <ipv4-netmask>
        set dhcp-start-ip <ipv4-address>
        set dhcp-end-ip <ipv4-address>
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| status | Enable/disable dedicated management. | disable |
| interface | Dedicated management interface. | (Empty) |
| default-gateway | Default gateway for dedicated management interface. | 0.0.0.0 |
| dhcp-server | Enable/disable DHCP server on management interface. | disable |
| dhcp-netmask | DHCP netmask. | 0.0.0.0 |
| dhcp-start-ip | DHCP start IP for dedicated management. | 0.0.0.0 |
| dhcp-end-ip | DHCP end IP for dedicated management. | 0.0.0.0 |

system/dns
CLI Syntax
config system dns
    edit <name_str>
        set primary <ipv4-address>
        set secondary <ipv4-address>
        set domain <string>
        set ip6-primary <ipv6-address>
        set ip6-secondary <ipv6-address>
        set dns-cache-limit <integer>
        set dns-cache-ttl <integer>
        set cache-notfound-responses {disable | enable}
        set source-ip <ipv4-address>
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| primary | Primary DNS IP. | 0.0.0.0 |
| secondary | Secondary DNS IP. | 0.0.0.0 |
| domain | Local domain name. | (Empty) |
| ip6-primary | IPv6 primary DNS IP. | :: |
| ip6-secondary | IPv6 secondary DNS IP. | :: |
| dns-cache-limit | Maximum number of entries in DNS cache. | 5000 |
| dns-cache-ttl | TTL in DNS cache. | 1800 |
| cache-notfound-responses | Enable/disable cache NOTFOUND responses from DNS server. | disable |
| source-ip | Source IP for communications to DNS server. | 0.0.0.0 |

system/dns-database
CLI Syntax
config system dns-database
    edit <name_str>
        set name <string>
        set status {enable | disable}
        set domain <string>
        set allow-transfer <user>
        set type {master | slave}
        set view {shadow | public}
        set ip-master <ipv4-address-any>
        set primary-name <string>
        set contact <string>
        set ttl <integer>
        set authoritative {enable | disable}
        set forwarder <user>
        set source-ip <ipv4-address>
        config dns-entry
            edit <name_str>
                set id <integer>
                set status {enable | disable}
                set type {A | NS | CNAME | MX | AAAA | PTR | PTR_V6}
                set ttl <integer>
                set preference <integer>
                set ip <ipv4-address-any>
                set ipv6 <ipv6-address>
                set hostname <string>
                set canonical-name <string>
        end
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Zone name. | (Empty) |
| status | Enable/disable DNS zone status. | enable |
| domain | Domain name. | (Empty) |
| allow-transfer | DNS zone transfer IP address list. | (Empty) |
| type | Zone type ('master' to manage entries directly, 'slave' to import entries from outside). | master |
| view | Zone view ('public' to serve public clients, 'shadow' to serve internal clients). | shadow |
| ip-master | IP address of master DNS server to import entries of this zone. | 0.0.0.0 |
| primary-name | Domain name of the default DNS server for this zone. | dns |
| contact | Email address of the administrator for this zone. You can specify only the username (e.g. admin) or the full email address (e.g. admin.ca@test.com). When using a simple username, the domain of the email will be this zone. | hostmaster |
| ttl | Default time-to-live value in units of seconds for the entries of this zone (0 - 2147483647). | 86400 |
| authoritative | Enable/disable authoritative zone. | enable |
| forwarder | DNS zone forwarder IP address list. | (Empty) |
| source-ip | Source IP for forwarding to DNS server. | 0.0.0.0 |
| dns-entry | DNS entry. | (Empty) |

system/dns-server
CLI Syntax
config system dns-server
    edit <name_str>
        set name <string>
        set mode {recursive | non-recursive | forward-only}
        set dnsfilter-profile <string>
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | DNS server name. | (Empty) |
| mode | DNS server mode. | recursive |
| dnsfilter-profile | DNS filter profile. | (Empty) |

system/dscp-based-priority
CLI Syntax
config system dscp-based-priority
    edit <name_str>
        set id <integer>
        set ds <integer>
        set priority {low | medium | high}
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| id | Item ID. | |
| ds | DSCP (DiffServ) DS value (0 - 63). | |
| priority | DSCP based priority level. | high |

system/email-server
CLI Syntax
config system email-server
    edit <name_str>
        set type {custom}
        set reply-to <string>
        set server <string>
        set port <integer>
        set source-ip <ipv4-address>
        set source-ip6 <ipv6-address>
        set authenticate {enable | disable}
        set validate-server {enable | disable}
        set username <string>
        set password <password>
        set security {none | starttls | smtps}
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| type | Use FortiGuard Message service or custom server. | custom |
| reply-to | Reply-To email address. | (Empty) |
| server | SMTP server IP address or hostname. | (Empty) |
| port | SMTP server port. | 25 |
| source-ip | SMTP server source IP. | 0.0.0.0 |
| source-ip6 | SMTP server source IPv6. | :: |
| authenticate | Enable/disable authentication. | disable |
| validate-server | Enable/disable validation of server certificate. | disable |
| username | SMTP server user name for authentication. | (Empty) |
| password | SMTP server user password for authentication. | (Empty) |
| security | Connection security. | none |

system/fips-cc
CLI Syntax
config system fips-cc
    edit <name_str>
        set status {enable | disable}
        set entropy-token {enable | disable | dynamic}
        set error-flag {error-mode | exit-ready}
        set error-cause {none | memory | disk | syslog}
        set self-test-period <integer>
        set key-generation-self-test {enable | disable}
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| status | Enable/disable FIPS-CC mode. | disable |
| entropy-token | Enable/disable/dynamic entropy token. | enable |
| error-flag | Hidden CC error flag. | (Empty) |
| error-cause | Hidden CC error cause. | none |
| self-test-period | Self test period. | 1440 |
| key-generation-self-test | Enable/disable self tests after key generation. | disable |

system/fm
CLI Syntax
config system fm
    edit <name_str>
        set status {enable | disable}
        set id <string>
        set ip <ipv4-address>
        set vdom <string>
        set auto-backup {enable | disable}
        set scheduled-config-restore {enable | disable}
        set ipsec {enable | disable}
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| status | Enable/disable FM. | disable |
| id | ID. | (Empty) |
| ip | IP address. | 0.0.0.0 |
| vdom | VDOM. | root |
| auto-backup | Enable/disable automatic backup. | disable |
| scheduled-config-restore | Enable/disable scheduled configuration restore. | disable |
| ipsec | Enable/disable IPsec. | disable |

system/fortiguard
CLI Syntax
config system fortiguard
    edit <name_str>
        set port {53 | 8888 | 80}
        set service-account-id <string>
        set load-balance-servers <integer>
        set antispam-force-off {enable | disable}
        set antispam-cache {enable | disable}
        set antispam-cache-ttl <integer>
        set antispam-cache-mpercent <integer>
        set antispam-license <integer>
        set antispam-expiration <integer>
        set antispam-timeout <integer>
        set avquery-force-off {}
        set avquery-cache {}
        set avquery-cache-ttl <integer>
        set avquery-cache-mpercent <integer>
        set avquery-license <integer>
        set avquery-timeout <integer>
        set webfilter-force-off {enable | disable}
        set webfilter-cache {enable | disable}
        set webfilter-cache-ttl <integer>
        set webfilter-license <integer>
        set webfilter-expiration <integer>
        set webfilter-timeout <integer>
        set sdns-server-ip <user>
        set sdns-server-port <integer>
        set source-ip <ipv4-address>
        set source-ip6 <ipv6-address>
        set ddns-server-ip <ipv4-address>
        set ddns-server-port <integer>
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| port | Port used to communicate with the FortiGuard servers. | 53 |
| service-account-id | Service account ID. | (Empty) |
| load-balance-servers | Number of servers to alternate between as first FortiGuard option. | |
| antispam-force-off | Enable/disable forcibly disabling the service. | disable |
| antispam-cache | Enable/disable FortiGuard antispam cache. | enable |
| antispam-cache-ttl | Time-to-live for cache entries in seconds (300 - 86400). | 1800 |
| antispam-cache-mpercent | Maximum percent of memory the cache is allowed to use (1 - 15%). | |
| antispam-license | License type. | 4294967295 |
| antispam-expiration | License expiration. | |
| antispam-timeout | Query time out (1 - 30 sec). | |
| avquery-force-off | avquery-force-off | |
| avquery-cache | avquery-cache | |
| avquery-cache-ttl | avquery-cache-ttl | |
| avquery-cache-mpercent | avquery-cache-mpercent | |
| avquery-license | avquery-license | |
| avquery-timeout | avquery-timeout | |
| webfilter-force-off | Enable/disable forcibly disabling the service. | disable |
| webfilter-cache | Enable/disable FortiGuard webfilter cache. | enable |
| webfilter-cache-ttl | Time-to-live for cache entries in seconds (300 - 86400). | 3600 |
| webfilter-license | License type. | 4294967295 |
| webfilter-expiration | License expiration. | |
| webfilter-timeout | Query time out (1 - 30 sec). | 15 |
| sdns-server-ip | IP address of the FortiDNS server. | (Empty) |
| sdns-server-port | Port used to communicate with the FortiDNS servers. | 53 |
| source-ip | Source IPv4 address used to communicate with the FortiGuard service. | 0.0.0.0 |
| source-ip6 | Source IPv6 address used to communicate with the FortiGuard service. | :: |
| ddns-server-ip | IP address of the FortiDDNS server. | 0.0.0.0 |
| ddns-server-port | Port used to communicate with the FortiDDNS servers. | 443 |

system/fortimanager
CLI Syntax
config system fortimanager
    edit <name_str>
        set ip <ipv4-address-any>
        set vdom <string>
        set ipsec {enable | disable}
        set central-management {enable | disable}
        set central-mgmt-auto-backup {enable | disable}
        set central-mgmt-schedule-config-restore {enable | disable}
        set central-mgmt-schedule-script-restore {enable | disable}
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| ip | IP address. | 0.0.0.0 |
| vdom | Virtual domain name. | root |
| ipsec | Enable/disable FortiManager IPsec tunnel. | disable |
| central-management | Enable/disable FortiManager central management. | disable |
| central-mgmt-auto-backup | Enable/disable central management auto backup. | disable |
| central-mgmt-schedule-config-restore | Enable/disable central management schedule config restore. | disable |
| central-mgmt-schedule-script-restore | Enable/disable central management schedule script restore. | disable |

system/fortisandbox
CLI Syntax
config system fortisandbox
    edit <name_str>
        set status {enable | disable}
        set server <ipv4-address-any>
        set source-ip <ipv4-address>
        set enc-algorithm {default | high | low | disable}
        set email <string>
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| status | Enable/disable FortiSandbox. | disable |
| server | Server IP. | 0.0.0.0 |
| source-ip | Source IP for communications to FortiSandbox. | 0.0.0.0 |
| enc-algorithm | Enable/disable sending of FortiSandbox data with SSL encryption. | default |
| email | Notifier email address. | (Empty) |

system/fsso-polling
CLI Syntax
config system fsso-polling
    edit <name_str>
        set status {enable | disable}
        set listening-port <integer>
        set authentication {enable | disable}
        set auth-password <password>
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| status | Enable/disable FSSO Polling Mode status. | enable |
| listening-port | Listening port to accept clients. | 8000 |
| authentication | Enable/disable FSSO Agent Authentication status. | disable |
| auth-password | Password to connect to FSSO Agent. | (Empty) |

system/geoip-override
CLI Syntax
config system geoip-override
    edit <name_str>
        set name <string>
        set description <string>
        set country-id <string>
        config ip-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv4-address>
                set end-ip <ipv4-address>
        end
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Location name. | (Empty) |
| description | Description. | (Empty) |
| country-id | Country ID. | (Empty) |
| ip-range | IP range. | (Empty) |

system/global
CLI Syntax
config system global
    edit <name_str>
        set language {english | french | spanish | portuguese | japanese | trach | simch | korean}
        set gui-ipv6 {enable | disable}
        set gui-certificates {enable | disable}
        set gui-custom-language {enable | disable}
        set gui-wireless-opensecurity {enable | disable}
        set gui-display-hostname {enable | disable}
        set gui-lines-per-page <integer>
        set admin-https-ssl-versions {tlsv1-0 | tlsv1-1 | tlsv1-2 | sslv3}
        set admin-https-banned-cipher {rc4 | low}
        set admintimeout <integer>
        set admin-console-timeout <integer>
        set admin-concurrent {enable | disable}
        set admin-lockout-threshold <integer>
        set admin-lockout-duration <integer>
        set refresh <integer>
        set interval <integer>
        set failtime <integer>
        set daily-restart {enable | disable}
        set restart-time <user>
        set radius-port <integer>
        set admin-login-max <integer>
        set remoteauthtimeout <integer>
        set ldapconntimeout <integer>
        set batch-cmdb {enable | disable}
        set max-dlpstat-memory <integer>
        set dst {enable | disable}
        set timezone {01 | 02 | 03 | 04 | 05 | 81 | 06 | 07 | 08 | 09 | 10 | 11 | 12 | 13 | 74 | 14 | 77 | 15 | 16 | 17 | 18 | 19 | 20 | 75 | 21 | 22 | 23 | 24 | 80 | 79 | 25 | 26 | 27 | 28 | 78 | 29 | 30 | 31 | 85 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 83 | 84 | 40 | 41 | 42 | 43 | 39 | 44 | 46 | 47 | 51 | 48 | 45 | 49 | 50 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 62 | 63 | 61 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 00 | 82 | 73 | 86 | 76}
        set ntpserver <string>
        set ntpsync {enable | disable}
        set syncinterval <integer>
        set traffic-priority {tos | dscp}
        set traffic-priority-level {low | medium | high}
        set anti-replay {disable | loose | strict}
        set send-pmtu-icmp {enable | disable}
        set honor-df {enable | disable}
        set split-port <user>
        set revision-image-auto-backup {enable | disable}
        set revision-backup-on-logout {enable | disable}
        set management-vdom <string>
        set hostname <string>
        set alias <string>
        set strong-crypto {enable | disable}
        set ssh-cbc-cipher {enable | disable}
        set ssh-hmac-md5 {enable | disable}
        set snat-route-change {enable | disable}
        set cli-audit-log {enable | disable}
        set dh-params {1024 | 1536 | 2048 | 3072 | 4096 | 6144 | 8192}
        set fds-statistics {enable | disable}
        set fds-statistics-period <integer>
        set multicast-forward {enable | disable}
        set mc-ttl-notchange {enable | disable}
        set asymroute {enable | disable}
        set tcp-option {enable | disable}
        set phase1-rekey {enable | disable}
        set lldp-transmission {enable | disable}
        set explicit-proxy-auth-timeout <integer>
        set sys-perf-log-interval <integer>
        set check-protocol-header {loose | strict}
        set vip-arp-range {unlimited | restricted}
        set optimize {antivirus | session-setup | throughput}
        set reset-sessionless-tcp {enable | disable}
        set allow-traffic-redirect {enable | disable}
        set strict-dirty-session-check {enable | disable}
        set tcp-halfclose-timer <integer>
        set tcp-halfopen-timer <integer>
        set tcp-timewait-timer <integer>
        set udp-idle-timer <integer>
        set block-session-timer <integer>
        set ip-src-port-range <user>
        set pre-login-banner {enable | disable}
        set post-login-banner {disable | enable}
        set tftp {enable | disable}
        set av-failopen {pass | idledrop | off | one-shot}
        set av-failopen-session {enable | disable}
        set check-reset-range {strict | disable}
        set vdom-admin {enable | disable}
        set admin-port <integer>
        set admin-sport <integer>
        set admin-https-redirect {enable | disable}
        set admin-ssh-password {enable | disable}
        set admin-ssh-port <integer>
        set admin-ssh-grace-time <integer>
        set admin-ssh-v1 {enable | disable}
        set admin-telnet-port <integer>
        set admin-maintainer {enable | disable}
        set admin-server-cert <string>
        set user-server-cert <string>
        set admin-https-pki-required {enable | disable}
        set wifi-certificate <string>
        set wifi-ca-certificate <string>
        set auth-http-port <integer>
        set auth-https-port <integer>
        set auth-keepalive {enable | disable}
        set policy-auth-concurrent <integer>
        set auth-cert <string>
        set clt-cert-req {enable | disable}
        set fortiservice-port <integer>
        set endpoint-control-portal-port <integer>
        set endpoint-control-fds-access {enable | disable}
        set tp-mc-skip-policy {enable | disable}
        set cfg-save {automatic | manual | revert}
        set cfg-revert-timeout <integer>
        set reboot-upon-config-restore {enable | disable}
        set admin-scp {enable | disable}
        set registration-notification {enable | disable}
        set service-expire-notification {enable | disable}
        set wireless-controller {enable | disable}
        set wireless-controller-port <integer>
        set fortiextender-data-port <integer>
        set fortiextender {enable | disable}
        set switch-controller {disable | enable}
        set switch-controller-reserved-network <ipv4-classnet>
        set proxy-worker-count <integer>
        set scanunit-count <integer>
        set ssl-worker-count <integer>
        set proxy-kxp-hardware-acceleration {disable | enable}
        set proxy-cipher-hardware-acceleration {disable | enable}
        set fgd-alert-subscription {advisory | latest-threat | latest-virus | latest-attack | new-antivirus-db | new-attack-db}
        set ipsec-hmac-offload {enable | disable}
        set ipv6-accept-dad <integer>
        set csr-ca-attribute {enable | disable}
        set wimax-4g-usb {enable | disable}
        set cert-chain-max <integer>
        set sslvpn-max-worker-count <integer>
        set sslvpn-kxp-hardware-acceleration {enable | disable}
        set sslvpn-cipher-hardware-acceleration {enable | disable}
        set sslvpn-plugin-version-check {enable | disable}
        set two-factor-ftk-expiry <integer>
        set two-factor-email-expiry <integer>
        set two-factor-sms-expiry <integer>
        set two-factor-fac-expiry <integer>
        set two-factor-ftm-expiry <integer>
        set per-user-bwl {enable | disable}
        set virtual-server-count <integer>
        set virtual-server-hardware-acceleration {disable | enable}
        set wad-worker-count <integer>
        set login-timestamp {enable | disable}
        set miglogd-children <integer>
        set special-file-23-support {disable | enable}
        set log-uuid {disable | policy-only | extended}
        set arp-max-entry <integer>
        set ips-affinity <string>
        set av-affinity <string>
        set miglog-affinity <string>
        set ndp-max-entry <integer>
        set br-fdb-max-entry <integer>
        set max-route-cache-size <integer>
        set ipsec-asic-offload {enable | disable}
        set device-idle-timeout <integer>
        set device-identification-active-scan-delay <integer>
        set compliance-check {enable | disable}
        set compliance-check-time <time>
        set gui-device-latitude <string>
        set gui-device-longitude <string>
        set private-data-encryption {disable | enable}
        set auto-auth-extension-device {enable | disable}
        set gui-theme {green | red | blue | melongene | mariner}
        set igmp-state-limit <integer>
end

Description
Configuration | Description | Default Value
language | GUI display language. | english
gui-ipv6 | Enable/disable IPv6 settings in GUI. | disable
gui-certificates | Enable/disable certificates configuration in GUI. | enable
gui-custom-language | Enable/disable custom languages in GUI. | disable
gui-wireless-opensecurity | Enable/disable wireless open security option in GUI. | disable
gui-display-hostname | Enable/disable display of hostname on GUI login page. | disable
gui-lines-per-page | Number of lines to display per page for web administration. | 50
admin-https-ssl-versions | Allowed SSL/TLS versions for web administration. | tlsv1-1 tlsv1-2
admin-https-banned-cipher | Banned ciphers for web administration. | rc4 low
admintimeout | Idle time-out for firewall administration. |
admin-console-timeout | Idle time-out for console. |
admin-concurrent | Enable/disable admin concurrent login. | enable
admin-lockout-threshold | Lockout threshold for firewall administration. |
admin-lockout-duration | Lockout duration (sec) for firewall administration. | 60
refresh | Statistics refresh interval in GUI. |
interval | Dead gateway detection interval. |
failtime | Fail-time for server lost. |
daily-restart | Enable/disable firewall daily reboot. | disable
restart-time | Daily restart time (hh:mm). | 00:00
radius-port | RADIUS service port number. | 1812
admin-login-max | Maximum number of admin users logged in at one time (1 - 100). | 100
remoteauthtimeout | Remote authentication (RADIUS/LDAP) time-out. |
ldapconntimeout | LDAP connection time-out (0 - 4294967295 milliseconds). | 500
batch-cmdb | Enable/disable batch mode to execute in CMDB server. | enable
max-dlpstat-memory | Maximum DLP stat memory (0 - 4294967295). |
dst | Enable/disable daylight saving time. | enable
timezone | Time zone. | 00
ntpserver | IP address/hostname of NTP Server. | (Empty)
ntpsync | Enable/disable synchronization with NTP Server. | disable
syncinterval | NTP synchronization interval. |
traffic-priority | Traffic priority type. | tos
traffic-priority-level | Default TOS/DSCP priority level. | medium
anti-replay | Anti-replay control. | strict
send-pmtu-icmp | Enable/disable sending of PMTU ICMP destination unreachable packet. | enable
honor-df | Enable/disable honoring Don't-Fragment flag. | enable
split-port | Split port(s) to multiple 10Gbps ports. | (Empty)
revision-image-auto-backup | Enable/disable revision image backup automatically when upgrading image. | disable
revision-backup-on-logout | Enable/disable revision config backup automatically on logout. | disable
management-vdom | Management virtual domain name. | root
hostname | Firewall hostname. | (Empty)
alias | Device alias. | (Empty)
strong-crypto | Enable/disable strong crypto for HTTPS/SSH access. | enable
ssh-cbc-cipher | Enable/disable CBC cipher for SSH access. | enable
ssh-hmac-md5 | Enable/disable HMAC-MD5 for SSH access. | enable
snat-route-change | Enable/disable SNAT route change. | disable
cli-audit-log | Enable/disable CLI audit log. | disable
dh-params | Minimum size of Diffie-Hellman prime for HTTPS/SSH. | 2048
fds-statistics | Enable/disable FortiGuard statistics. | enable
fds-statistics-period | FortiGuard statistics update period (1 - 1440 min, default = 60 min). | 60
multicast-forward | Enable/disable multicast forwarding. | enable
mc-ttl-notchange | Enable/disable no modification of multicast TTL. | disable
asymroute | Enable/disable asymmetric route. | disable
tcp-option | Enable/disable TCP option. | enable
phase1-rekey | Enable/disable phase1 rekey. | enable
lldp-transmission | Enable/disable Link Layer Discovery Protocol (LLDP) transmission. | disable
explicit-proxy-auth-timeout | Authentication timeout (sec) for idle sessions in explicit web proxy. | 300
sys-perf-log-interval | The interval of performance statistics logging. |
check-protocol-header | Level of checking protocol header. | loose
vip-arp-range | Control ARP behavior for VIP ranges. | restricted
optimize | Firmware optimization option. | antivirus
reset-sessionless-tcp | Enable/disable reset session-less TCP. | disable
allow-traffic-redirect | Enable/disable allow traffic redirect. | enable
strict-dirty-session-check | Enable/disable strict dirty-session check. | enable
tcp-halfclose-timer | TCP half close timeout (1 - 86400 sec, default = 120). | 120
tcp-halfopen-timer | TCP half open timeout (1 - 86400 sec, default = 10). | 10
tcp-timewait-timer | TCP time wait timeout (0 - 300 sec, default = 1). |
udp-idle-timer | UDP idle timeout (1 - 86400 sec, default = 180). | 180
block-session-timer | Block-session timeout (1 - 300 sec, default = 30 sec). | 30
ip-src-port-range | IP source port range for firewall originated traffic. | 1024-25000
pre-login-banner | Enable/disable pre-login-banner. | disable
post-login-banner | Enable/disable post-login-banner. | disable
tftp | Enable/disable TFTP. | enable
av-failopen | AV fail open option. | pass
av-failopen-session | Enable/disable AV fail open session option. | disable
check-reset-range | Drop RST packets if out-of-window. | disable
vdom-admin | Enable/disable multiple VDOMs mode. | disable
admin-port | Admin access HTTP port (1 - 65535). | 80
admin-sport | Admin access HTTPS port (1 - 65535). | 443
admin-https-redirect | Enable/disable redirection of HTTP admin traffic to HTTPS. | enable
admin-ssh-password | Enable/disable password authentication for SSH admin access. | enable
admin-ssh-port | Admin access SSH port (1 - 65535). | 22
admin-ssh-grace-time | Admin access login grace time (10 - 3600 sec). | 120
admin-ssh-v1 | Enable/disable SSH v1 compatibility. | disable
admin-telnet-port | Admin access TELNET port (1 - 65535). | 23
admin-maintainer | Enable/disable login of maintainer user. | enable
admin-server-cert | Admin HTTPS server certificate. | Fortinet_Factory
user-server-cert | User HTTPS server certificate. | Fortinet_Factory
admin-https-pki-required | Enable/disable require HTTPS login page when PKI is enabled. | disable
wifi-certificate | WiFi certificate for WPA. | Fortinet_Wifi
wifi-ca-certificate | WiFi CA certificate for WPA. | Fortinet_Wifi_CA
auth-http-port | Authentication HTTP port (1 - 65535). | 1000
auth-https-port | Authentication HTTPS port (1 - 65535). | 1003
auth-keepalive | Enable/disable use of keep alive to extend authentication. | disable
policy-auth-concurrent | Concurrent users allowed to pass firewall authentication. |
auth-cert | HTTPS server certificate for policy authentication. | Fortinet_Factory
clt-cert-req | Enable/disable require client certificate for GUI login. | disable
fortiservice-port | FortiService port number (default = 8013). | 8013
endpoint-control-portal-port | Endpoint control portal port (1 - 65535). | 8009
endpoint-control-fds-access | Enable/disable access to FortiGuard servers for non-compliant endpoints. | enable
tp-mc-skip-policy | Enable/disable skip policy check and allow multicast through. | disable
cfg-save | Configuration file save mode for changes made using the CLI. | automatic
cfg-revert-timeout | Time-out for reverting to the last saved configuration. | 600
reboot-upon-config-restore | Enable/disable reboot of system upon restoring configuration. | enable
admin-scp | Enable/disable allow system configuration download by SCP. | disable
registration-notification | Enable/disable allow license registration notification. | enable
service-expire-notification | Enable/disable service expiration notification. | enable
wireless-controller | Enable/disable wireless controller. | enable
wireless-controller-port | Local wireless controller port (1024 - 49150). | 5246
fortiextender-data-port | FortiExtender controller data port (1024 - 49150). | 25246
fortiextender | Enable/disable FortiExtender controller. | disable
switch-controller | Enable/disable switch controller feature. | disable
switch-controller-reserved-network | Reserved network for switch-controller. | 169.254.0.0 255.255.0.0
proxy-worker-count | Proxy worker count. | 16
scanunit-count | Scanunit count. | 39
ssl-worker-count | SSL worker count (0 - 4294967295). |
proxy-kxp-hardware-acceleration | Enable/disable use of content processor to encrypt or decrypt traffic. | enable
proxy-cipher-hardware-acceleration | Enable/disable use of content processor to encrypt or decrypt traffic. | enable
fgd-alert-subscription | FortiGuard alert subscription. | (Empty)
ipsec-hmac-offload | Enable/disable offload HMAC to hardware for IPsec VPN. | enable
ipv6-accept-dad | Enable/disable acceptance of IPv6 DAD (Duplicate Address Detection). 0: Disable DAD; 1: Enable DAD (default); 2: Enable DAD, and disable IPv6 operation if a MAC-based duplicate link-local address has been found. |
csr-ca-attribute | Enable/disable CSR CA attribute. | enable
wimax-4g-usb | Enable/disable WiMAX USB device. | disable
cert-chain-max | Maximum depth for certificate chain. |
sslvpn-max-worker-count | Maximum number of worker processes for SSLVPN. | 39
sslvpn-kxp-hardware-acceleration | Enable/disable KXP SSL-VPN hardware acceleration. | disable
sslvpn-cipher-hardware-acceleration | Enable/disable SSL-VPN cipher hardware acceleration. | disable
sslvpn-plugin-version-check | Enable/disable SSL-VPN automatic checking of browser plug-in version. | enable
two-factor-ftk-expiry | Expiration time for FortiToken authentication (60 - 600 sec, default = 60 sec). | 60
two-factor-email-expiry | Expiration time for email token authentication (30 - 300 sec, default = 60 sec). | 60
two-factor-sms-expiry | Expiration time for SMS token authentication (30 - 300 sec, default = 60 sec). | 60
two-factor-fac-expiry | Expiration time for FortiAuthenticator token authentication (10 - 3600 sec, default = 60 sec). | 60
two-factor-ftm-expiry | Expiration time for FortiToken mobile provision (1 - 168 hr, default = 72 hr). | 72
per-user-bwl | Enable/disable per-user black/white list filter. | disable
virtual-server-count | Number of concurrent virtual server workers. | 20
virtual-server-hardware-acceleration | Enable/disable use of content processor to encrypt or decrypt traffic. | enable
wad-worker-count | Number of concurrent WAD workers. | 20
login-timestamp | Enable/disable login time recording. | disable
miglogd-children | Number of miglog children. |
special-file-23-support | Enable/disable support for special file 23. | disable
log-uuid | Universally Unique Identifier (UUID) log option. | policy-only
arp-max-entry | Maximum number of ARP table entries (set to 131,072 or higher). | 131072
ips-affinity | Affinity setting for IPS (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons). |
av-affinity | Affinity setting for AV scanning (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx). |
miglog-affinity | Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx). |
ndp-max-entry | Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries). |
br-fdb-max-entry | Maximum number of bridge forwarding database entries (set to 8192 or higher). | 8192
max-route-cache-size | Maximum number of IP route cache entries (0 - 2147483647). |
ipsec-asic-offload | Enable/disable ASIC offload for IPsec VPN. | enable
device-idle-timeout | Device idle timeout (30 - 31536000 sec, default = 300 sec). | 300
device-identification-active-scan-delay | How many seconds (20 - 3600, default 90) to passively scan a device before performing an active scan. | 90
compliance-check | Enable/disable global PCI DSS compliance check. | enable
compliance-check-time | PCI DSS compliance check time. | 00:00:00
gui-device-latitude | Physical device latitude coordinate. | (Empty)
gui-device-longitude | Physical device longitude coordinate. | (Empty)
private-data-encryption | Enable/disable private data encryption using an AES 128-bit key. | disable
auto-auth-extension-device | Enable/disable automatic authorization of dedicated Fortinet extension device globally. | enable
gui-theme | Color scheme to use for the administration GUI. | green
igmp-state-limit | Maximum IGMP memberships (96 - 64000, default = 3200). | 3200
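Several of the system global defaults listed above are weaker than current practice for administrative access (SSH CBC ciphers and HMAC-MD5 enabled, TLS 1.1 permitted for the GUI, no CLI audit log). The following is an added hardening example written for this page, not Fortinet's own example; the numeric values (lockout count, durations, idle timeout in minutes) are assumed starting points, and lines beginning with # are annotations rather than CLI input.

```text
config system global
    # Transport hardening. Page defaults: ssh-cbc-cipher enable,
    # ssh-hmac-md5 enable, admin-https-ssl-versions tlsv1-1 tlsv1-2.
    set strong-crypto enable
    set ssh-cbc-cipher disable
    set ssh-hmac-md5 disable
    set admin-ssh-v1 disable
    set admin-https-ssl-versions tlsv1-2
    set admin-https-redirect enable
    set dh-params 2048
    # Brute-force resistance and session hygiene (values are assumptions).
    set admin-lockout-threshold 3
    set admin-lockout-duration 300
    set admintimeout 5
    set admin-ssh-grace-time 30
    set admin-concurrent disable
    # Accountability: record CLI changes and login times, show a banner.
    set cli-audit-log enable
    set login-timestamp enable
    set pre-login-banner enable
    # The maintainer account allows console password recovery; disable it
    # only where physical console access is controlled by other means.
    set admin-maintainer disable
end
# Telnet is not addressed here: admin-telnet-port only sets the port, and
# whether telnet is reachable at all is decided per interface by the
# allowaccess list under config system interface.
```

Verify the result with `show system global` before logging out, since cfg-revert-timeout (default 600 sec) can roll back unsaved changes when cfg-save is not automatic.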

system/gre-tunnel
CLI Syntax
config system gre-tunnel
edit <name_str>
set name <string>
set interface <string>
set remote-gw <ipv4-address>
set local-gw <ipv4-address-any>
set sequence-number-transmission {disable | enable}
set sequence-number-reception {disable | enable}
set checksum-transmission {disable | enable}
set checksum-reception {disable | enable}
set key-outbound <integer>
set key-inbound <integer>
set dscp-copying {disable | enable}
set auto-asic-offload {enable | disable}
set keepalive-interval <integer>
set keepalive-failtimes <integer>
end

Description
Configuration | Description | Default Value
name | Tunnel name. | (Empty)
interface | Interface name. | (Empty)
remote-gw | IP address of the remote gateway. | 0.0.0.0
local-gw | IP address of the local gateway. | 0.0.0.0
sequence-number-transmission | Enable/disable inclusion of sequence number in transmitted GRE packets. | disable
sequence-number-reception | Enable/disable validation of sequence number in received GRE packets. | disable
checksum-transmission | Enable/disable inclusion of checksum in transmitted GRE packets. | disable
checksum-reception | Enable/disable validation of checksum in received GRE packets. | disable
key-outbound | Include this key in transmitted GRE packets (0 - 4294967295). |
key-inbound | Require received GRE packets to contain this key (0 - 4294967295). |
dscp-copying | Enable/disable DSCP copying. | disable
auto-asic-offload | Enable/disable tunnel ASIC offloading. | enable
keepalive-interval | Keepalive message interval (0 - 32767, 0 = disabled). |
keepalive-failtimes | Number of consecutive unreturned keepalive messages before GRE connection is considered down (1 - 255). | 10

system/ha
CLI Syntax
config system ha
edit <name_str>
set group-id <integer>
set group-name <string>
set mode {standalone | a-a | a-p}
set password <password>
set key <password>
set hbdev <user>
set session-sync-dev <user>
set route-ttl <integer>
set route-wait <integer>
set route-hold <integer>
set load-balance-all {enable | disable}
set sync-config {enable | disable}
set encryption {enable | disable}
set authentication {enable | disable}
set hb-interval <integer>
set hb-lost-threshold <integer>
set helo-holddown <integer>
set gratuitous-arps {enable | disable}
set arps <integer>
set arps-interval <integer>
set session-pickup {enable | disable}
set session-pickup-connectionless {enable | disable}
set session-pickup-expectation {enable | disable}
set session-pickup-nat {enable | disable}
set session-pickup-delay {enable | disable}
set session-sync-daemon-number <integer>
set link-failed-signal {enable | disable}
set uninterruptible-upgrade {enable | disable}
set standalone-mgmt-vdom {enable | disable}
set ha-mgmt-status {enable | disable}
set ha-mgmt-interface <string>
set ha-mgmt-interface-gateway <ipv4-address>
set ha-mgmt-interface-gateway6 <ipv6-address>
set ha-eth-type <string>
set hc-eth-type <string>
set l2ep-eth-type <string>
set ha-uptime-diff-margin <integer>
set standalone-config-sync {enable | disable}
set vcluster2 {enable | disable}
set vcluster-id <integer>
set override {enable | disable}
set priority <integer>
set override-wait-time <integer>
set schedule {none | hub | leastconnection | round-robin | weight-round-robin | random | ip | ipport}
set weight <user>
set cpu-threshold <user>
set memory-threshold <user>
set http-proxy-threshold <user>
set ftp-proxy-threshold <user>
set imap-proxy-threshold <user>
set nntp-proxy-threshold <user>
set pop3-proxy-threshold <user>
set smtp-proxy-threshold <user>
set monitor <user>
set pingserver-monitor-interface <user>
set pingserver-failover-threshold <integer>
set pingserver-slave-force-reset {enable | disable}
set pingserver-flip-timeout <integer>
set vdom <user>
config secondary-vcluster
edit <name_str>
set vcluster-id <integer>
set override {enable | disable}
set priority <integer>
set override-wait-time <integer>
set monitor <user>
set pingserver-monitor-interface <user>
set pingserver-failover-threshold <integer>
set pingserver-slave-force-reset {enable | disable}
set vdom <user>
end
set ha-direct {enable | disable}
end

Description
Configuration | Description | Default Value
group-id | Group ID (0 - 255). |
group-name | Group name. | (Empty)
mode | Mode. | standalone
password | Password. | (Empty)
key | Key. | (Empty)
hbdev | Heartbeat interfaces. | "port1" 50 "mgmt1" 50
session-sync-dev | Session sync interfaces. | (Empty)
route-ttl | HA route TTL on master (5 - 3600 sec). | 10
route-wait | Route update wait time (0 - 3600 sec). |
route-hold | Wait time between route updates (0 - 3600 sec). | 10
load-balance-all | Enable/disable load balance. | disable
sync-config | Enable/disable configuration synchronization. | enable
encryption | Enable/disable HA message encryption. | disable
authentication | Enable/disable HA message authentication. | disable
hb-interval | Configure heartbeat interval (1 - 20 (100*ms)). |
hb-lost-threshold | Lost heartbeat threshold (1 - 60). |
helo-holddown | Configure hello state hold-down time (5 - 300 sec). | 20
gratuitous-arps | Enable/disable gratuitous ARPs. | enable
arps | Configure number of gratuitous ARPs (1 - 60). |
arps-interval | Configure gratuitous ARPs interval (1 - 20 sec). |
session-pickup | Enable/disable session pickup. | disable
session-pickup-connectionless | Enable/disable pickup of non-TCP sessions. | disable
session-pickup-expectation | Enable/disable pickup of expectation sessions. | disable
session-pickup-nat | Enable/disable pickup of NATed sessions. | disable
session-pickup-delay | Enable/disable delay of session sync by 30 seconds. | disable
session-sync-daemon-number | Session sync daemon process number. |
link-failed-signal | Enable/disable link failed signal. | disable
uninterruptible-upgrade | Enable/disable uninterruptible HA upgrade. | enable
standalone-mgmt-vdom | Enable/disable standalone management VDOM. | disable
ha-mgmt-status | Enable/disable HA management interface reservation. | disable
ha-mgmt-interface | Reserved interface of HA management. | (Empty)
ha-mgmt-interface-gateway | Gateway for reserved interface of HA management. | 0.0.0.0
ha-mgmt-interface-gateway6 | IPv6 gateway for reserved interface of HA management. | ::
ha-eth-type | HA Ethernet type (4-digit hex). | 8890
hc-eth-type | HC Ethernet type (4-digit hex). | 8891
l2ep-eth-type | L2EP Ethernet type (4-digit hex). | 8893
ha-uptime-diff-margin | HA uptime difference margin (sec). | 300
standalone-config-sync | Enable/disable standalone config sync. | disable
vcluster2 | Enable/disable secondary virtual cluster. | disable
vcluster-id | Cluster ID. |
override | Enable/disable master HA unit overriding. | disable
priority | Priority value (0 - 255). | 128
override-wait-time | Override wait time (0 - 3600 sec). |
schedule | Schedule. | round-robin
weight | Weight for weight-round-robin schedule. | 40
cpu-threshold | CPU threshold weight. | 500
memory-threshold | Memory threshold weight. | 500
http-proxy-threshold | HTTP proxy threshold. | 500
ftp-proxy-threshold | FTP proxy threshold. | 500
imap-proxy-threshold | IMAP proxy threshold. | 500
nntp-proxy-threshold | NNTP proxy threshold. | 500
pop3-proxy-threshold | POP3 proxy threshold. | 500
smtp-proxy-threshold | SMTP proxy threshold. | 500
monitor | Interfaces to monitor. | (Empty)
pingserver-monitor-interface | Monitor interfaces that have PING server enabled. | (Empty)
pingserver-failover-threshold | Threshold at which HA failover occurs upon PING server failure (0 - 50). |
pingserver-slave-force-reset | Enable/disable force reset of slave after PING server failure. | enable
pingserver-flip-timeout | Minutes to wait before HA failover flip-flop. | 60
vdom | VDOM members. | (Empty)
secondary-vcluster | Secondary virtual cluster. | Details below

config secondary-vcluster
Configuration | Default Value
vcluster-id | 1
override | enable
priority | 128
override-wait-time | 0
monitor | (Empty)
pingserver-monitor-interface | (Empty)
pingserver-failover-threshold | 0
pingserver-slave-force-reset | enable
vdom | (Empty)

Configuration | Description | Default Value
ha-direct | Enable/disable sending of messages (logs, SNMP, RADIUS) directly from ha-mgmt interface. | disable

system/ha-monitor
CLI Syntax
config system ha-monitor
edit <name_str>
set monitor-vlan {enable | disable}
set vlan-hb-interval <integer>
set vlan-hb-lost-threshold <integer>
end

Description
Configuration | Description | Default Value
monitor-vlan | Enable/disable monitor VLAN interfaces. | disable
vlan-hb-interval | Configure heartbeat interval (seconds). |
vlan-hb-lost-threshold | VLAN lost heartbeat threshold (1 - 60). |

system/interface
CLI Syntax
config system interface
edit <name_str>
set name <string>
set vdom <string>
set cli-conn-status <integer>
set mode {static | dhcp | pppoe}
set distance <integer>
set priority <integer>
set dhcp-relay-service {disable | enable}
set dhcp-relay-ip <user>
set dhcp-relay-type {regular | ipsec}
set ip <ipv4-classnet-host>
set allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | auto-ipsec | radius-acct | probe-response | capwap}
set gwdetect {enable | disable}
set ping-serv-status <integer>
set detectserver <user>
set detectprotocol {ping | tcp-echo | udp-echo}
set ha-priority <integer>
set fail-detect {enable | disable}
set fail-detect-option {detectserver | link-down}
set fail-alert-method {link-failed-signal | link-down}
set fail-action-on-extender {soft-restart | hard-restart | reboot}
config fail-alert-interfaces
edit <name_str>
set name <string>
end
set dhcp-client-identifier <string>
set ipunnumbered <ipv4-address>
set username <string>
set pppoe-unnumbered-negotiate {enable | disable}
set password <password>
set idle-timeout <integer>
set detected-peer-mtu <integer>
set disc-retry-timeout <integer>
set padt-retry-timeout <integer>
set service-name <string>
set ac-name <string>
set lcp-echo-interval <integer>
set lcp-max-echo-fails <integer>
set defaultgw {enable | disable}
set dns-server-override {enable | disable}
set auth-type {auto | pap | chap | mschapv1 | mschapv2}
set pptp-client {enable | disable}
set pptp-user <string>
set pptp-password <password>
set pptp-server-ip <ipv4-address>
set pptp-auth-type {auto | pap | chap | mschapv1 | mschapv2}
set pptp-timeout <integer>
set arpforward {enable | disable}
set ndiscforward {enable | disable}
set broadcast-forward {enable | disable}
set bfd {global | enable | disable}
set bfd-desired-min-tx <integer>
set bfd-detect-mult <integer>
set bfd-required-min-rx <integer>
set l2forward {enable | disable}
set icmp-redirect {enable | disable}
set vlanforward {enable | disable}
set stpforward {enable | disable}
set stpforward-mode {rpl-all-ext-id | rpl-bridge-ext-id | rpl-nothing}
set ips-sniffer-mode {enable | disable}
set ident-accept {enable | disable}
set ipmac {enable | disable}
set subst {enable | disable}
set macaddr <mac-address>
set substitute-dst-mac <mac-address>
set speed {auto | 10full | 10half | 100full | 100half | 1000full | 1000half | 1000auto | 10000full | 10000auto | 40000full}
set status {up | down}
set netbios-forward {disable | enable}
set wins-ip <ipv4-address>
set type {physical | vlan | aggregate | redundant | tunnel | vdom-link | loopback | switch | hard-switch | vap-switch | wl-mesh | fext-wan | hdlc | switch-vlan}
set dedicated-to {none | management}
set trust-ip-1 <ipv4-classnet-any>
set trust-ip-2 <ipv4-classnet-any>
set trust-ip-3 <ipv4-classnet-any>
set trust-ip6-1 <ipv6-prefix>
set trust-ip6-2 <ipv6-prefix>
set trust-ip6-3 <ipv6-prefix>
set mtu-override {enable | disable}
set mtu <integer>
set wccp {enable | disable}
set netflow-sampler {disable | tx | rx | both}
set sflow-sampler {enable | disable}
set drop-overlapped-fragment {enable | disable}
set drop-fragment {enable | disable}
set scan-botnet-connections {disable | block | monitor}
set sample-rate <integer>
set polling-interval <integer>
set sample-direction {tx | rx | both}
set explicit-web-proxy {enable | disable}
set explicit-ftp-proxy {enable | disable}
set tcp-mss <integer>
set mediatype {serdes-sfp | sgmii-sfp | serdes-copper-sfp}
set fp-anomaly {pass_winnuke | pass_tcpland | pass_udpland | pass_icmpland | pass_ipland | pass_iprr | pass_ipssrr | pass_iplsrr | pass_ipstream | pass_ipsecurity | pass_iptimestamp | pass_ipunknown_option | pass_ipunknown_prot | pass_icmp_frag | pass_tcp_no_flag | pass_tcp_fin_noack | drop_winnuke | drop_tcpland | drop_udpland | drop_icmpland | drop_ipland | drop_iprr | drop_ipssrr | drop_iplsrr | drop_ipstream | drop_ipsecurity | drop_iptimestamp | drop_ipunknown_option | drop_ipunknown_prot | drop_icmp_frag | drop_tcp_no_flag | drop_tcp_fin_noack}
set inbandwidth <integer>
set outbandwidth <integer>
set spillover-threshold <integer>
set ingress-spillover-threshold <integer>
set weight <integer>
set interface <string>
set external {enable | disable}
set vlanid <integer>
set forward-domain <integer>
set remote-ip <ipv4-address-any>
config member
edit <name_str>
set interface-name <string>
end
set lacp-mode {static | passive | active}
set lacp-ha-slave {enable | disable}
set lacp-speed {slow | fast}
set min-links <integer>
set min-links-down {operational | administrative}
set algorithm {L2 | L3 | L4}
set link-up-delay <integer>
set priority-override {enable | disable}
set aggregate <string>
set redundant-interface <string>
config managed-device
edit <name_str>
set name <string>
end
set devindex <integer>
set vindex <integer>
set switch <string>
set description <var-string>
set alias <string>
set security-mode {none | captive-portal | 802.1X}
set security-mac-auth-bypass {enable | disable}
set security-external-web <string>
set security-external-logout <string>
set replacemsg-override-group <string>
set security-redirect-url <string>
set security-exempt-list <string>
config security-groups
edit <name_str>
set name <string>
end
set device-identification {enable | disable}
set device-user-identification {enable | disable}
set device-identification-active-scan {enable | disable}
set device-access-list <string>
set device-netscan {disable | enable}
set lldp-transmission {enable | disable | vdom}
set fortiheartbeat {enable | disable}
set broadcast-forticlient-discovery {enable | disable}
set endpoint-compliance {enable | disable}
set estimated-upstream-bandwidth <integer>
set estimated-downstream-bandwidth <integer>
set vrrp-virtual-mac {enable | disable}
config vrrp
edit <name_str>
set vrid <integer>
set vrgrp <integer>
set vrip <ipv4-address-any>
set priority <integer>
set adv-interval <integer>
set start-time <integer>
set preempt {enable | disable}
set vrdst <ipv4-address-any>
set status {enable | disable}
end
set role {lan | wan | dmz | undefined}
set snmp-index <integer>
set secondary-IP {enable | disable}
config secondaryip
edit <name_str>
set id <integer>
set ip <ipv4-classnet-host>
set allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | auto-ipsec | radius-acct | probe-response | capwap}
set gwdetect {enable | disable}
set ping-serv-status <integer>
set detectserver <user>
set detectprotocol {ping | tcp-echo | udp-echo}
set ha-priority <integer>
end
set auto-auth-extension-device {enable | disable}
set ap-discover {enable | disable}
set fortilink {enable | disable}
set fortilink-stacking {enable | disable}
set fortilink-split-interface {enable | disable}
set internal <integer>
set fortilink-backup-link <integer>
set color <integer>
config ipv6
edit <name_str>
set ip6-mode {static | dhcp | pppoe | delegated}
set ip6-dns-server-override {enable | disable}
set ip6-address <ipv6-prefix>
config ip6-extra-addr
edit <name_str>
set prefix <ipv6-prefix>
end
set ip6-allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | capwap}
set ip6-send-adv {enable | disable}
set ip6-manage-flag {enable | disable}
set ip6-other-flag {enable | disable}
set ip6-max-interval <integer>
set ip6-min-interval <integer>
set ip6-link-mtu <integer>
set ip6-reachable-time <integer>
set ip6-retrans-time <integer>
set ip6-default-life <integer>
set ip6-hop-limit <integer>
set autoconf {enable | disable}
set ip6-upstream-interface <string>
set ip6-subnet <ipv6-prefix>
config ip6-prefix-list
edit <name_str>
set prefix <ipv6-network>
set autonomous-flag {enable | disable}
set onlink-flag {enable | disable}
set valid-life-time <integer>
set preferred-life-time <integer>
end
config ip6-delegated-prefix-list
edit <name_str>
set prefix-id <integer>
set upstream-interface <string>
set autonomous-flag {enable | disable}
set onlink-flag {enable | disable}
set subnet <ipv6-network>
end
set dhcp6-relay-service {disable | enable}
set dhcp6-relay-type {regular}
set dhcp6-relay-ip <user>
set dhcp6-client-options {rapid | iapd | iana | dns | dnsname}
set dhcp6-prefix-delegation {enable | disable}
set dhcp6-prefix-hint <ipv6-network>
set dhcp6-prefix-hint-plt <integer>
set dhcp6-prefix-hint-vlt <integer>
end
end

Description
Configuration | Description | Default Value
name | Name. | (Empty)
vdom | Virtual domain name. | (Empty)
cli-conn-status | CLI connection status. |
mode | Addressing mode (static, DHCP, PPPoE). | static
distance | Distance of learned routes. |
priority | Priority of learned routes. |
dhcp-relay-service | Enable/disable use of DHCP relay service. | disable
dhcp-relay-ip | DHCP relay IP address. | (Empty)
dhcp-relay-type | DHCP relay type. | regular
ip | IP address of interface. | 0.0.0.0 0.0.0.0
allowaccess | Allow management access to the interface. | (Empty)
gwdetect | Enable/disable detect gateway alive for first. | disable
ping-serv-status | PING server status. |
detectserver | Gateway's ping server for this IP. | (Empty)
detectprotocol | Protocols used to detect the server. | ping
ha-priority | HA election priority for the PING server. |
fail-detect | Enable/disable interface failed option status. | disable
fail-detect-option | Interface fail detect option. | link-down
fail-alert-method | Interface fail alert. | link-down
fail-action-on-extender | Action on extender when interface fails. | soft-restart
fail-alert-interfaces | Physical interfaces that will be alerted. | (Empty)
dhcp-client-identifier | DHCP client identifier. | (Empty)
ipunnumbered | PPPoE unnumbered IP. | 0.0.0.0
username | User name. | (Empty)
pppoe-unnumbered-negotiate | Enable/disable PPPoE unnumbered negotiation. | enable
password | Password. | (Empty)
idle-timeout | PPPoE auto disconnect after idle timeout seconds. |
detected-peer-mtu | MTU of detected peer (0 - 4294967295). |
disc-retry-timeout | PPPoE discovery init timeout value in sec. |
padt-retry-timeout | PPPoE terminate timeout value in sec. |
service-name | PPPoE service name. | (Empty)
ac-name | PPPoE AC name. | (Empty)
lcp-echo-interval | PPPoE LCP echo interval (sec). |
lcp-max-echo-fails | Maximum missed LCP echo messages before disconnect. |
defaultgw | Enable/disable default gateway. | enable
dns-server-override | Enable/disable use of DNS acquired by DHCP or PPPoE. | enable
auth-type | PPP authentication type to use. | auto
pptp-client | Enable/disable PPTP client. | disable
pptp-user | PPTP user name. | (Empty)
pptp-password | PPTP password. | (Empty)
pptp-server-ip | PPTP server IP address. | 0.0.0.0
pptp-auth-type | PPTP authentication type. | auto
pptp-timeout | Idle timer in minutes (0 for disabled). |
arpforward | Enable/disable ARP forwarding. | enable
ndiscforward | Enable/disable NDISC forwarding. | enable
broadcast-forward | Enable/disable broadcast forwarding. | disable
bfd | Bidirectional Forwarding Detection (BFD). | global
bfd-desired-min-tx | BFD desired minimal transmit interval. | 250
bfd-detect-mult | BFD detection multiplier. |
bfd-required-min-rx | BFD required minimal receive interval. | 250
l2forward | Enable/disable l2 forwarding. | disable
icmp-redirect | Enable/disable ICMP redirect. | enable
vlanforward | Enable/disable VLAN forwarding. | disable
stpforward | Enable/disable STP forwarding. | disable
stpforward-mode | Configure STP forwarding mode. | rpl-all-ext-id
ips-sniffer-mode | Enable/disable IPS sniffer mode. | disable
ident-accept | Enable/disable accept ident protocol. | disable
ipmac | Enable/disable IP/MAC binding status. | disable
subst | Enable/disable substitute MAC. |

disable

macaddr

MAC address.

00:00:00:00:00:00

substitute-dst-mac

Substitute destination MAC address.

00:00:00:00:00:00

speed

Speed

auto

status

Interface status.

up

netbios-forward

Enable/disable NETBIOS forwarding.

disable

wins-ip

WINS server IP.

0.0.0.0

type

Interface type.

vlan

dedicated-to

Configure interface for single purpose.

none

trust-ip-1

Trusted host for dedicated management traffic


(0.0.0.0/24 for all hosts).

0.0.0.0 0.0.0.0

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

553

trust-ip-2

Trusted host for dedicated management traffic


(0.0.0.0/24 for all hosts).

0.0.0.0 0.0.0.0

trust-ip-3

Trusted host for dedicated management traffic


(0.0.0.0/24 for all hosts).

0.0.0.0 0.0.0.0

trust-ip6-1

Trusted IPv6 host for dedicated management


traffic (::/0 for all hosts).

::/0

trust-ip6-2

Trusted IPv6 host for dedicated management


traffic (::/0 for all hosts).

::/0

trust-ip6-3

Trusted IPv6 host for dedicated management


traffic (::/0 for all hosts).

::/0

mtu-override

Enable/disable use custom MTU.

disable

mtu

Maximum transportation unit.

1500

wccp

Enable/disable WCCP protocol on this interface.

disable

netflow-sampler

NetFlow measurement status.

disable

sflow-sampler

Enable/disable sFlow protocol.

disable

drop-overlappedfragment

Enable/disable drop overlapped fragment


packets.

disable

drop-fragment

Enable/disable drop fragment packets.

disable

scan-botnetconnections

Enable/disable scanning of connections to Botnet


servers.

disable

sample-rate

sFlow sampler sample rate.

2000

polling-interval

sFlow sampler counter polling interval.

20

sample-direction

sFlow sample direction.

both

explicit-web-proxy

Enable/disable explicit Web proxy.

disable

explicit-ftp-proxy

Enable/disable explicit FTP proxy.

disable

tcp-mss

Maximum sending TCP packet size.

mediatype

Select SFP media interface type

serdes-sfp

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

554

fp-anomaly

Pass or drop different types of anomalies using


Fastpath

(Empty)

inbandwidth

Bandwidth limit for incoming traffic (0 - 16776000


kbps).

outbandwidth

Bandwidth limit for outgoing traffic (0 - 16776000


kbps).

spillover-threshold

Egress Spillover threshold (0 - 16776000 kbps).

ingress-spilloverthreshold

Ingress Spillover threshold (0 - 16776000 kbps).

weight

Default weight for static routes (if route has no


weight configured).

interface

Interface name.

(Empty)

external

Enable/disable identifying interface as connected


to external side.

disable

vlanid

VLAN ID.

forward-domain

TP mode forward domain.

remote-ip

Remote IP address of tunnel.

0.0.0.0

member

Physical interfaces that belong to the


aggregate/redundant interface.

(Empty)

lacp-mode

LACP mode.

active

lacp-ha-slave

LACP HA slave.

enable

lacp-speed

LACP speed.

slow

min-links

Minimum number of aggregated ports that must


be up.

min-links-down

Action to take when there are less than min-links


active members.

operational

algorithm

Frame distribution algorithm.

L4

link-up-delay

Number of milliseconds to wait before


considering a link is up.

50

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

555

priority-override

Enable/disable fail back to higher priority port


once recovered.

enable

aggregate

Aggregate interface.

(Empty)

redundant-interface

Redundant interface.

(Empty)

managed-device

FortiLink interface managed device.

(Empty)

devindex

Device Index.

vindex

Switch control interface VLAN ID.

switch

Contained in switch.

(Empty)

description

Description.

(Empty)

alias

Alias.

(Empty)

security-mode

Security mode.

none

security-mac-authbypass

Enable/disable MAC authentication bypass.

disable

security-external-web

URL of external authentication web server.

(Empty)

security-external-logout

URL of external authentication logout server.

(Empty)

replacemsg-overridegroup

Specify replacement message override group.

(Empty)

security-redirect-url

URL redirection after disclaimer/authentication.

(Empty)

security-exempt-list

Name of security-exempt-list.

(Empty)

security-groups

Group name.

(Empty)

device-identification

Enable/disable passive gathering of identity


information about source hosts on this interface.

disable

device-useridentification

Enable/disable passive gathering of user identity


information about source hosts on this interface.

enable

device-identificationactive-scan

Enable/disable active gathering of identity


information about source hosts on this interface.

enable

device-access-list

Device access list.

(Empty)

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

556

device-netscan

Enable/disable inclusion of devices detected on


this interface in network vulnerability scans.

lldp-transmission

Enable/disable Link Layer Discovery Protocol


(LLDP) transmission.

vdom

fortiheartbeat

Enable/disable FortiHeartBeat (FortiTelemetry on


GUI).

disable

broadcast-forticlientdiscovery

Enable/disable broadcast FortiClient discovery


messages.

disable

endpoint-compliance

Enable/disable endpoint compliance


enforcement.

disable

estimated-upstreambandwidth

Estimated maximum upstream bandwidth (kbps).


Used to estimate link utilization.

estimated-downstreambandwidth

Estimated maximum downstream bandwidth


(kbps). Used to estimate link utilization.

vrrp-virtual-mac

Enable/disable use of virtual MAC for VRRP.

disable

vrrp

VRRP configuration.

(Empty)

role

Interface role.

undefined

snmp-index

Permanent SNMP Index of the interface.

secondary-IP

Enable/disable secondary IP.

disable

secondaryip

Second IP address of interface.

(Empty)

auto-auth-extensiondevice

Enable/disable automatic authorization of


dedicated Fortinet extension device on this
interface.

disable

ap-discover

Enable/disable automatic registration of unknown


FortiAP devices.

enable

fortilink

Enable/disable FortiLink to dedicated interface for


managing FortiSwitch devices.

disable

fortilink-stacking

Enable/disable FortiLink switch-stacking on this


interface.

enable

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

557

fortilink-split-interface

Enable/disable FortiLink split interface to connect


member link to different FortiSwitch in stack for
uplink redundancy (maximum 2 interfaces in the
"members" command).

disable

internal

Implicitly created.

fortilink-backup-link

fortilink split interface backup link.

color

GUI icon color.

ipv6

IPv6 of interface.

Details below

Configuration
ip6-mode
ip6-dns-server-override
ip6-address
ip6-extra-addr
ip6-allowaccess
ip6-send-adv
ip6-manage-flag
ip6-other-flag
ip6-max-interval
ip6-min-interval
ip6-link-mtu
ip6-reachable-time
ip6-retrans-time
ip6-default-life
ip6-hop-limit
autoconf
ip6-upstream-interface
ip6-subnet
ip6-prefix-list
ip6-delegated-prefix-list
dhcp6-relay-service
dhcp6-relay-type
dhcp6-relay-ip
dhcp6-client-options
dhcp6-prefix-delegation
dhcp6-prefix-hint
dhcp6-prefix-hint-plt
dhcp6-prefix-hint-vlt

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

Default Value
static
enable
::/0
(Empty)
(Empty)
disable
disable
disable
600
198
0
0
0
1800
0
disable
(Empty)
::/0
(Empty)
(Empty)
disable
regular
(Empty)
dns
disable
::/0
604800
2592000

558
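The allowaccess, dedicated-to and trust-ip settings in the table above decide who can reach the management plane through an interface. As an added example (not Fortinet code, and not taken from any device), the following Python parses a constructed config fragment written in the CLI syntax this reference documents and reports interfaces that allow cleartext management protocols or that are dedicated to management while still trusting every host (the 0.0.0.0 0.0.0.0 and ::/0 defaults listed above). The sample configuration, the interface names and the choice of http and telnet as cleartext protocols are this example's assumptions.

```python
"""Audit the management-access settings of 'config system interface' entries.

Added example, not Fortinet code. It parses a constructed config fragment in
FortiOS CLI syntax and flags interfaces whose management exposure is wider
than the settings on this page let you make it: cleartext protocols in
allowaccess, or a dedicated management interface (dedicated-to management)
whose trust-ip entries still admit every host.
"""
import re
from typing import Dict, List

# Constructed sample configuration; it is not taken from any real device.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh http telnet
    next
    edit "mgmt"
        set ip 198.51.100.1 255.255.255.0
        set allowaccess ping https ssh
        set dedicated-to management
        set trust-ip-1 0.0.0.0 0.0.0.0
    next
    edit "port2"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set dedicated-to management
        set trust-ip-1 10.0.0.0 255.255.255.0
        set trust-ip6-1 2001:db8::/64
    next
end
"""

# allowaccess protocols that carry credentials or configuration in cleartext.
CLEARTEXT_ACCESS = {"http", "telnet"}
# trust-ip / trust-ip6 values this page documents as "all hosts".
ANY_HOST4 = ["0.0.0.0", "0.0.0.0"]
ANY_HOST6 = ["::/0"]


def parse_interfaces(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {interface name: {setting: value tokens}} for every 'edit' entry."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.match(r'edit\s+"?([^"]+)"?$', line)
        if match:
            current = entries.setdefault(match.group(1), {})
        elif line.startswith("set ") and current is not None:
            key, *values = line[4:].split()
            current[key] = values
        elif line in ("next", "end"):
            current = None
    return entries


def audit_interface(name: str, settings: Dict[str, List[str]]) -> List[str]:
    """Return human-readable findings for one interface (empty list = clean)."""
    findings = []
    cleartext = sorted(set(settings.get("allowaccess", [])) & CLEARTEXT_ACCESS)
    if cleartext:
        findings.append(f"{name}: cleartext management protocols in allowaccess: "
                        + ", ".join(cleartext))
    if settings.get("dedicated-to") == ["management"]:
        trusted = [v for k, v in settings.items() if k.startswith("trust-ip")]
        if not trusted:
            findings.append(f"{name}: dedicated management interface has no trust-ip "
                            "entries, so the default (all hosts) applies")
        elif any(v in (ANY_HOST4, ANY_HOST6) for v in trusted):
            findings.append(f"{name}: dedicated management interface trusts all hosts")
    return findings


def audit_config(text: str) -> Dict[str, List[str]]:
    """Map each interface that has at least one finding to its findings."""
    result = {}
    for name, settings in parse_interfaces(text).items():
        findings = audit_interface(name, settings)
        if findings:
            result[name] = findings
    return result


if __name__ == "__main__":
    for findings in audit_config(SAMPLE_CONFIG).values():
        print("\n".join(findings))
```

Running it against the sample reports port1 (http and telnet enabled) and mgmt (dedicated to management but trusting 0.0.0.0 0.0.0.0); port2, which restricts trust-ip-1 and trust-ip6-1 to specific networks, produces no finding. The same parser can be pointed at a full `show system interface` export.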

system/ipip-tunnel
CLI Syntax
config system ipip-tunnel
edit <name_str>
set name <string>
set interface <string>
set remote-gw <ipv4-address>
set local-gw <ipv4-address-any>
set auto-asic-offload {enable | disable}
end

Description

Configuration | Description | Default Value
name | IPIP Tunnel name. | (Empty)
interface | Interface name. | (Empty)
remote-gw | IP address of the remote gateway. | 0.0.0.0
local-gw | IP address of the local gateway. | 0.0.0.0
auto-asic-offload | Enable/disable tunnel ASIC offloading. | enable

system/ips-urlfilter-dns
CLI Syntax
config system ips-urlfilter-dns
edit <name_str>
set address <ipv4-address>
set status {enable | disable}
end

Description

Configuration | Description | Default Value
address | DNS server IP address. | 0.0.0.0
status | Enable/disable this server for queries. | enable

system/ipv6-neighbor-cache
CLI Syntax
config system ipv6-neighbor-cache
edit <name_str>
set id <integer>
set interface <string>
set ipv6 <ipv6-address>
set mac <mac-address>
end

Description

Configuration | Description | Default Value
id | Unique integer ID of the entry. |
interface | Interface name. | (Empty)
ipv6 | IPv6 address. | ::
mac | MAC address. | 00:00:00:00:00:00

system/ipv6-tunnel
CLI Syntax
config system ipv6-tunnel
edit <name_str>
set name <string>
set source <ipv6-address>
set destination <ipv6-address>
set interface <string>
set auto-asic-offload {enable | disable}
end

Description

Configuration | Description | Default Value
name | Tunnel name. | (Empty)
source | Local IPv6 address of tunnel. | ::
destination | Remote IPv6 address of tunnel. | ::
interface | Interface name. | (Empty)
auto-asic-offload | Enable/disable tunnel ASIC offloading. | enable

system/link-monitor
CLI Syntax
config system link-monitor
edit <name_str>
set name <string>
set srcintf <string>
config server
edit <name_str>
set address <string>
end
set protocol {ping | tcp-echo | udp-echo | http | twamp}
set port <integer>
set gateway-ip <ipv4-address-any>
set source-ip <ipv4-address-any>
set http-get <string>
set http-match <string>
set interval <integer>
set timeout <integer>
set failtime <integer>
set recoverytime <integer>
set security-mode {none | authentication}
set password <password>
set packet-size <integer>
set ha-priority <integer>
set update-cascade-interface {enable | disable}
set update-static-route {enable | disable}
set status {enable | disable}
end

Description

Configuration | Description | Default Value
name | Link monitor name. | (Empty)
srcintf | Interface where the monitor traffic is sent. | (Empty)
server | Server address(es). | (Empty)
protocol | Protocols used to detect the server. | ping
port | Port number to poll. | 80
gateway-ip | Gateway IP used to PING the server. | 0.0.0.0
source-ip | Source IP used in packet to the server. | 0.0.0.0
http-get | HTTP GET URL string. |
http-match | Response value from detected server in http-get. | (Empty)
interval | Detection interval. |
timeout | Detect request timeout. |
failtime | Number of retry attempts before bringing server down. |
recoverytime | Number of retry attempts before bringing server up. |
security-mode | TWAMP controller security mode. | none
password | TWAMP controller password in authentication mode. | (Empty)
packet-size | Packet size of a TWAMP test session. | 64
ha-priority | HA election priority (1 - 50). |
update-cascade-interface | Enable/disable update cascade interface. | enable
update-static-route | Enable/disable update static route. | enable
status | Enable/disable Link monitor administrative status. | enable
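The failtime and recoverytime settings above give the link monitor hysteresis: a server is only brought down after failtime consecutive failed probes and only brought back up after recoverytime consecutive successful ones, so a single lost probe does not withdraw the static route that update-static-route controls. The following simulation is an added example, not Fortinet code; the probe trace and the threshold values are constructed, and the assumption that a new monitor starts in the "up" state is this example's own.

```python
"""Model the failtime/recoverytime hysteresis of 'config system link-monitor'.

Added example, not Fortinet code. The page says failtime is the number of
failed probes before the server is brought down and recoverytime the number
of successful probes before it is brought up again; this simulation feeds a
constructed sequence of probe results through those two thresholds and
records the state transitions, which is what update-static-route acts on.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class LinkMonitor:
    failtime: int          # consecutive failed probes before "down"
    recoverytime: int      # consecutive successful probes before "up"
    is_up: bool = True     # assumption: a freshly configured monitor starts "up"
    _streak: int = field(default=0, init=False)  # run of results contradicting the state

    def observe(self, probe_ok: bool) -> Optional[str]:
        """Record one probe result; return "down" or "up" when the state flips."""
        if probe_ok == self.is_up:
            # Result agrees with the current state: any partial streak is reset,
            # so a lone lost probe does not accumulate across later successes.
            self._streak = 0
            return None
        self._streak += 1
        threshold = self.failtime if self.is_up else self.recoverytime
        if self._streak < threshold:
            return None
        self.is_up = probe_ok
        self._streak = 0
        return "up" if probe_ok else "down"


def simulate(results: List[bool], failtime: int, recoverytime: int) -> List[Tuple[int, str]]:
    """Return [(probe index, transition)] for a sequence of probe outcomes."""
    monitor = LinkMonitor(failtime, recoverytime)
    events = []
    for index, ok in enumerate(results):
        transition = monitor.observe(ok)
        if transition:
            events.append((index, transition))
    return events


# Constructed probe trace: True = reply received, False = probe timed out.
PROBES = [True, True, False, True, False, False, False, True, True, False, True, True, True]

if __name__ == "__main__":
    print(simulate(PROBES, failtime=3, recoverytime=3))   # [(6, 'down'), (12, 'up')]
    print(simulate(PROBES, failtime=1, recoverytime=1))   # six transitions: flaps on every change
```

With failtime and recoverytime at 3 the isolated losses at probes 2 and 9 are absorbed and the route changes state only twice; with both at 1 the same trace produces six transitions, which is the flapping the thresholds exist to prevent.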

system/mac-address-table
CLI Syntax
config system mac-address-table
edit <name_str>
set mac <mac-address>
set interface <string>
set reply-substitute <mac-address>
end

Description

Configuration | Description | Default Value
mac | MAC address. | 00:00:00:00:00:00
interface | Interface name. | (Empty)
reply-substitute | New MAC for reply traffic. | 00:00:00:00:00:00

system/management-tunnel
CLI Syntax
config system management-tunnel
edit <name_str>
set status {enable | disable}
set allow-config-restore {enable | disable}
set allow-push-configuration {enable | disable}
set allow-push-firmware {enable | disable}
set allow-collect-statistics {enable | disable}
set authorized-manager-only {enable | disable}
set serial-number <user>
end

Description

Configuration | Description | Default Value
status | Enable/disable FGFM tunnel. | enable
allow-config-restore | Enable/disable allowing config restore. | enable
allow-push-configuration | Enable/disable push configuration. | enable
allow-push-firmware | Enable/disable push firmware. | enable
allow-collect-statistics | Enable/disable collection of run time statistics. | enable
authorized-manager-only | Enable/disable restriction to the authorized manager only. | enable
serial-number | Serial number. | (Empty)

system/mobile-tunnel
CLI Syntax
config system mobile-tunnel
edit <name_str>
set name <string>
set status {disable | enable}
set roaming-interface <string>
set home-agent <ipv4-address>
set home-address <ipv4-address>
set renew-interval <integer>
set lifetime <integer>
set reg-interval <integer>
set reg-retry <integer>
set n-mhae-spi <integer>
set n-mhae-key-type {ascii | base64}
set n-mhae-key <user>
set hash-algorithm {hmac-md5}
set tunnel-mode {gre}
config network
edit <name_str>
set id <integer>
set interface <string>
set prefix <ipv4-classnet>
end
end

Description

Configuration | Description | Default Value
name | Tunnel name. | (Empty)
status | Enable/disable this mobile tunnel. | enable
roaming-interface | Roaming interface name. | (Empty)
home-agent | IP address of the NEMO HA. | 0.0.0.0
home-address | Home IP address. | 0.0.0.0
renew-interval | Time before lifetime expiration to send NEMO HA re-registration. | 60
lifetime | NEMO HA registration request lifetime. | 65535
reg-interval | NEMO HA registration interval. |
reg-retry | NEMO HA registration maximal retries. |
n-mhae-spi | NEMO authentication SPI. | 256
n-mhae-key-type | NEMO authentication key type. | ascii
n-mhae-key | NEMO authentication key. | 'ENC AQAAAMfMADGjaE1uXnMNcglZAOU1olJLaQTpy1cUY+iM/eyN61pZcd9q4u4lzUZ7Ar7ptVwgtfiB3PJBXT+jqecFU7Fl7T9EREz21rRkr3XeQA6OfVhpJuk3/ZQ='
hash-algorithm | Hash Algorithm. | hmac-md5
tunnel-mode | NEMO tunnel mode. | gre
network | NEMO network configuration. | (Empty)

system/nat64
CLI Syntax
config system nat64
edit <name_str>
set status {enable | disable}
set nat64-prefix <ipv6-prefix>
set always-synthesize-aaaa-record {enable | disable}
set generate-ipv6-fragment-header {enable | disable}
end

Description

Configuration | Description | Default Value
status | Enable/disable NAT64. | disable
nat64-prefix | NAT64 prefix (must be a /96). | 64:ff9b::/96
always-synthesize-aaaa-record | Enable/disable AAAA record synthesis. | enable
generate-ipv6-fragment-header | Enable/disable IPv6 fragment header generation. | disable
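The table above requires nat64-prefix to be a /96 and defaults it to 64:ff9b::/96, the RFC 6052 well-known prefix. With a /96 the IPv4 address sits in the low 32 bits of the synthesized IPv6 address, which is what AAAA record synthesis and the reverse translation of replies depend on. The following Python is an added example (not Fortinet code) that performs that embedding and extraction and rejects prefixes of any other length; the A records it synthesizes from are constructed, documentation-range addresses.

```python
"""Embed and extract IPv4 addresses under a /96 NAT64 prefix (RFC 6052).

Added example, not Fortinet code. The nat64-prefix setting on this page must
be a /96 (default 64:ff9b::/96, the RFC 6052 well-known prefix). With a /96
the IPv4 address occupies exactly the low 32 bits of the IPv6 address, which
is what AAAA synthesis (always-synthesize-aaaa-record) and the translation of
replies back to IPv4 rely on.
"""
import ipaddress
from typing import Dict, List


def check_prefix(prefix: str) -> ipaddress.IPv6Network:
    """Accept only a /96 prefix, mirroring the page's constraint on nat64-prefix."""
    network = ipaddress.IPv6Network(prefix, strict=True)
    if network.prefixlen != 96:
        raise ValueError(f"NAT64 prefix must be /96, got /{network.prefixlen}")
    return network


def embed_ipv4(prefix: str, ipv4: str) -> str:
    """Synthesize the IPv4-embedded IPv6 address for ipv4 under prefix."""
    network = check_prefix(prefix)
    embedded = int(network.network_address) | int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(embedded))


def extract_ipv4(prefix: str, ipv6: str) -> str:
    """Recover the IPv4 address from an address inside the NAT64 prefix."""
    network = check_prefix(prefix)
    address = ipaddress.IPv6Address(ipv6)
    if address not in network:
        raise ValueError(f"{ipv6} is not inside {prefix}")
    return str(ipaddress.IPv4Address(int(address) & 0xFFFFFFFF))


def synthesize_aaaa(prefix: str, a_records: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """DNS64-style synthesis: one AAAA under the prefix for every A record."""
    return {name: [embed_ipv4(prefix, a) for a in addrs] for name, addrs in a_records.items()}


# Constructed A records for illustration only (documentation-range addresses).
A_RECORDS = {
    "www.example.net": ["192.0.2.33"],
    "mail.example.net": ["198.51.100.7", "203.0.113.9"],
}

if __name__ == "__main__":
    for name, aaaa in synthesize_aaaa("64:ff9b::/96", A_RECORDS).items():
        print(name, aaaa)
```

The round trip embed_ipv4 followed by extract_ipv4 returns the original IPv4 address only because the prefix length is fixed at 96; a longer or shorter prefix would place the IPv4 bits elsewhere, which is why check_prefix rejects it up front rather than producing an address the translator would not recognise.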

system/netflow
CLI Syntax
config system netflow
edit <name_str>
set collector-ip <ipv4-address>
set collector-port <integer>
set source-ip <ipv4-address>
set active-flow-timeout <integer>
set inactive-flow-timeout <integer>
set template-tx-timeout <integer>
set template-tx-counter <integer>
end

Description

Configuration | Description | Default Value
collector-ip | Collector IP. | 0.0.0.0
collector-port | NetFlow collector port. | 2055
source-ip | Source IP for NetFlow agent. | 0.0.0.0
active-flow-timeout | Timeout to report active flows (min). | 30
inactive-flow-timeout | Timeout for periodic report of finished flows (sec). | 15
template-tx-timeout | Timeout for periodic template flowset transmission (min). | 30
template-tx-counter | Counter of flowset records before resending a template flowset record. | 20

system/network-visibility
CLI Syntax
config system network-visibility
edit <name_str>
set destination-visibility {disable | enable}
set source-location {disable | enable}
set destination-hostname-visibility {disable | enable}
set hostname-ttl <integer>
set hostname-limit <integer>
set destination-location {disable | enable}
end

Description

Configuration | Description | Default Value
destination-visibility | Enable/disable logging of destination visibility. | enable
source-location | Enable/disable logging of source geographical location visibility. | enable
destination-hostname-visibility | Enable/disable logging of destination hostname visibility. | enable
hostname-ttl | TTL of hostname table entries. | 86400
hostname-limit | Limit of hostname table entries. | 5000
destination-location | Enable/disable logging of destination geographical location visibility. | enable

system/ntp
CLI Syntax
config system ntp
edit <name_str>
set ntpsync {enable | disable}
set type {fortiguard | custom}
set syncinterval <integer>
config ntpserver
edit <name_str>
set id <integer>
set server <string>
set ntpv3 {enable | disable}
set authentication {enable | disable}
set key <password>
set key-id <integer>
end
set source-ip <ipv4-address>
set server-mode {enable | disable}
config interface
edit <name_str>
set interface-name <string>
end
end

Description

Configuration | Description | Default Value
ntpsync | Enable/disable synchronization with NTP Server. | disable
type | FortiGuard or custom NTP Server. | fortiguard
syncinterval | NTP synchronization interval. |
ntpserver | NTP Server. | (Empty)
source-ip | Source IP for communications to NTP server. | 0.0.0.0
server-mode | Enable/disable NTP Server Mode. | disable
interface | List of interfaces with NTP server mode enabled. | (Empty)

system/object-tag
CLI Syntax
config system object-tag
edit <name_str>
set name <string>
end

Description

Configuration | Description | Default Value
name | Tag name. | (Empty)

system/password-policy
CLI Syntax
config system password-policy
edit <name_str>
set status {enable | disable}
set apply-to {admin-password | ipsec-preshared-key}
set minimum-length <integer>
set min-lower-case-letter <integer>
set min-upper-case-letter <integer>
set min-non-alphanumeric <integer>
set min-number <integer>
set change-4-characters {enable | disable}
set expire-status {enable | disable}
set expire-day <integer>
set reuse-password {enable | disable}
end

Description

Configuration | Description | Default Value
status | Enable/disable password policy. | disable
apply-to | Apply password policy to. | admin-password
minimum-length | Minimum password length. |
min-lower-case-letter | Minimum number of lowercase characters in password. |
min-upper-case-letter | Minimum number of uppercase characters in password. |
min-non-alphanumeric | Minimum number of non-alphanumeric characters in password. |
min-number | Minimum number of numeric characters in password. |
change-4-characters | Enable/disable requiring at least 4 changed characters in a new password. | disable
expire-status | Enable/disable password expiration. | disable
expire-day | Number of days after which admin users' password will expire. | 90
reuse-password | Enable/disable reuse of password. | enable
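The settings above only take effect once status is enabled; with the page default (disable) no candidate password is rejected. The following Python is an added example (not Fortinet code) that applies a policy built from these settings to constructed sample passwords, contrasting the default policy with a hardened one. The page gives no defaults for the minimum counts, so the numbers in HARDENED_POLICY are constructed, and because the page does not say how FortiOS counts "changed characters", chars_changed() uses this example's own position-based interpretation.

```python
"""Apply a 'config system password-policy' to candidate passwords.

Added example, not Fortinet code. PasswordPolicy mirrors the settings in the
table above (status, minimum-length, min-lower-case-letter,
min-upper-case-letter, min-non-alphanumeric, min-number, change-4-characters,
reuse-password). The page gives no numeric defaults for the minimum counts,
so the values below are constructed, and chars_changed() is this example's
own interpretation of the change-4-characters rule.
"""
from dataclasses import dataclass
from typing import List, Sequence


@dataclass
class PasswordPolicy:
    status: bool = False            # page default: disable (policy not enforced)
    minimum_length: int = 8         # constructed value, not a page default
    min_lower_case_letter: int = 0
    min_upper_case_letter: int = 0
    min_non_alphanumeric: int = 0
    min_number: int = 0
    change_4_characters: bool = False
    reuse_password: bool = True     # page default: enable


# The page's default policy (status disable) and a constructed hardened one.
DEFAULT_POLICY = PasswordPolicy()
HARDENED_POLICY = PasswordPolicy(status=True, minimum_length=12, min_lower_case_letter=1,
                                 min_upper_case_letter=1, min_non_alphanumeric=1,
                                 min_number=1, change_4_characters=True, reuse_password=False)


def chars_changed(old: str, new: str) -> int:
    """Positions that differ plus the length difference (example's interpretation)."""
    same = sum(1 for a, b in zip(old, new) if a == b)
    return max(len(old), len(new)) - same


def check_password(policy: PasswordPolicy, new: str, old: str = "",
                   history: Sequence[str] = ()) -> List[str]:
    """Return the policy rules the new password violates (empty list = accepted)."""
    if not policy.status:
        return []                      # a disabled policy accepts anything
    problems = []
    if len(new) < policy.minimum_length:
        problems.append(f"minimum-length: {len(new)} < {policy.minimum_length}")
    counts = {
        "min-lower-case-letter": (sum(c.islower() for c in new), policy.min_lower_case_letter),
        "min-upper-case-letter": (sum(c.isupper() for c in new), policy.min_upper_case_letter),
        "min-non-alphanumeric": (sum(not c.isalnum() for c in new), policy.min_non_alphanumeric),
        "min-number": (sum(c.isdigit() for c in new), policy.min_number),
    }
    for rule, (have, need) in counts.items():
        if have < need:
            problems.append(f"{rule}: {have} < {need}")
    if policy.change_4_characters and old and chars_changed(old, new) < 4:
        problems.append("change-4-characters: fewer than 4 characters changed")
    if not policy.reuse_password and new in history:
        problems.append("reuse-password: password was used before")
    return problems


if __name__ == "__main__":
    print(check_password(DEFAULT_POLICY, "abc"))                    # [] - nothing enforced
    print(check_password(HARDENED_POLICY, "Passw0rd"))              # too short, no symbol
    print(check_password(HARDENED_POLICY, "Correct-Horse-8", old="Correct-Horse-7"))
```

The first call shows the page default accepting a three-character password; the second lists every rule "Passw0rd" fails rather than stopping at the first, which is the output an administrator needs to correct the password in one attempt.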

system/probe-response
CLI Syntax
config system probe-response
edit <name_str>
set port <integer>
set http-probe-value <string>
set ttl-mode {reinit | decrease | retain}
set mode {none | http-probe | twamp}
set security-mode {none | authentication}
set password <password>
set timeout <integer>
end

Description

Configuration | Description | Default Value
port | Port number to respond on. | 8008
http-probe-value | Value to respond to the monitoring server. | OK
ttl-mode | Mode for TWAMP packet TTL modification. | retain
mode | SLA response mode. | none
security-mode | TWAMP responder security mode. | none
password | TWAMP responder password in authentication mode. | (Empty)
timeout | Inactivity timer for a TWAMP test session. | 300

system/proxy-arp
CLI Syntax
config system proxy-arp
edit <name_str>
set id <integer>
set interface <string>
set ip <ipv4-address>
set end-ip <ipv4-address>
end

Description

Configuration | Description | Default Value
id | Unique integer ID of the entry. |
interface | Interface acting as proxy-ARP. | (Empty)
ip | IP address or start IP to be proxied. | 0.0.0.0
end-ip | End IP of IP range to be proxied. | 0.0.0.0

system/replacemsg-group
CLI Syntax
config system replacemsg-group
edit <name_str>
set name <string>
set comment <var-string>
set group-type {default | utm | auth | ec}
config mail
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config http
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config webproxy
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config ftp
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config nntp
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config fortiguard-wf
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config spam
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config alertmail
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config admin
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config auth
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config sslvpn
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config ec
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config device-detection-portal
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config nac-quar
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config traffic-quota
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config utm
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config custom-message
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
end

Description

Configuration | Description | Default Value
name | Group name. | (Empty)
comment | Comment. | (Empty)
group-type | Group type. | default
mail | Replacement message table entries. | (Empty)
http | Replacement message table entries. | (Empty)
webproxy | Replacement message table entries. | (Empty)
ftp | Replacement message table entries. | (Empty)
nntp | Replacement message table entries. | (Empty)
fortiguard-wf | Replacement message table entries. | (Empty)
spam | Replacement message table entries. | (Empty)
alertmail | Replacement message table entries. | (Empty)
admin | Replacement message table entries. | (Empty)
auth | Replacement message table entries. | (Empty)
sslvpn | Replacement message table entries. | (Empty)
ec | Replacement message table entries. | (Empty)
device-detection-portal | Replacement message table entries. | (Empty)
nac-quar | Replacement message table entries. | (Empty)
traffic-quota | Replacement message table entries. | (Empty)
utm | Replacement message table entries. | (Empty)
custom-message | Replacement message table entries. | (Empty)

system/replacemsg-image
CLI Syntax
config system replacemsg-image
edit <name_str>
set name <string>
set image-type {gif | jpg | tiff | png}
set image-base64 <var-string>
end

Description

Configuration | Description | Default Value
name | Image name. | (Empty)
image-type | Image type. | (Empty)
image-base64 | Image data. | (null)

system/resource-limits
CLI Syntax
config system resource-limits
edit <name_str>
set session <integer>
set ipsec-phase1 <integer>
set ipsec-phase2 <integer>
set dialup-tunnel <integer>
set firewall-policy <integer>
set firewall-address <integer>
set firewall-addrgrp <integer>
set custom-service <integer>
set service-group <integer>
set onetime-schedule <integer>
set recurring-schedule <integer>
set user <integer>
set user-group <integer>
set sslvpn <integer>
set proxy <integer>
set log-disk-quota <integer>
end

Description

Configuration | Description | Default Value
session | Maximum number of sessions. |
ipsec-phase1 | Maximum number of VPN IPsec phase1 tunnels. |
ipsec-phase2 | Maximum number of VPN IPsec phase2 tunnels. |
dialup-tunnel | Maximum number of dial-up tunnels. |
firewall-policy | Maximum number of firewall policies. |
firewall-address | Maximum number of firewall addresses. |
firewall-addrgrp | Maximum number of firewall address groups. |
custom-service | Maximum number of firewall custom services. |
service-group | Maximum number of firewall service groups. |
onetime-schedule | Maximum number of firewall one-time schedules. |
recurring-schedule | Maximum number of firewall recurring schedules. |
user | Maximum number of local users. |
user-group | Maximum number of user groups. |
sslvpn | Maximum number of SSL-VPN. |
proxy | Maximum number of concurrent explicit proxy users. |
log-disk-quota | Log disk quota in MB. |

system/session-helper
CLI Syntax
config system session-helper
edit <name_str>
set id <integer>
set name {ftp | tftp | ras | h323 | h245O | h245I | tns | mms | sip | pptp | rtsp | dns-udp | dns-tcp | pmap | rsh | dcerpc | mgcp | gtp-c | gtp-u | gtp-b}
set protocol <integer>
set port <integer>
end

Description

Configuration | Description | Default Value
id | Session helper ID. |
name | Helper name. | (Empty)
protocol | Protocol number. |
port | Protocol port. |

system/session-ttl
CLI Syntax
config system session-ttl
edit <name_str>
set default <user>
config port
edit <name_str>
set id <integer>
set protocol <integer>
set start-port <integer>
set end-port <integer>
set timeout <user>
end
end

Description

Configuration | Description | Default Value
default | Default timeout. | 3600
port | Session TTL port. | (Empty)

system/settings
CLI Syntax
config system settings
edit <name_str>
set comments <var-string>
set opmode {nat | transparent}
set inspection-mode {proxy | flow}
set http-external-dest {fortiweb | forticache}
set firewall-session-dirty {check-all | check-new | check-policy-option}
set manageip <user>
set gateway <ipv4-address>
set ip <ipv4-classnet-host>
set manageip6 <ipv6-prefix>
set gateway6 <ipv6-address>
set ip6 <ipv6-prefix>
set device <string>
set bfd {enable | disable}
set bfd-desired-min-tx <integer>
set bfd-required-min-rx <integer>
set bfd-detect-mult <integer>
set bfd-dont-enforce-src-port {enable | disable}
set utf8-spam-tagging {enable | disable}
set wccp-cache-engine {enable | disable}
set vpn-stats-log {ipsec | pptp | l2tp | ssl}
set vpn-stats-period <integer>
set v4-ecmp-mode {source-ip-based | weight-based | usage-based | source-dest-ip-based}
set mac-ttl <integer>
set fw-session-hairpin {enable | disable}
set snat-hairpin-traffic {enable | disable}
set dhcp-proxy {enable | disable}
set dhcp-server-ip <user>
set dhcp6-server-ip <user>
set central-nat {enable | disable}
config gui-default-policy-columns
edit <name_str>
set name <string>
end
set lldp-transmission {enable | disable | global}
set asymroute {enable | disable}
set asymroute-icmp {enable | disable}
set tcp-session-without-syn {enable | disable}
set ses-denied-traffic {enable | disable}
set strict-src-check {enable | disable}
set asymroute6 {enable | disable}
set asymroute6-icmp {enable | disable}
set sip-helper {enable | disable}
set sip-nat-trace {enable | disable}
set status {enable | disable}
set sip-tcp-port <integer>
set sip-udp-port <integer>
set sip-ssl-port <integer>
set sccp-port <integer>
set multicast-forward {enable | disable}
set multicast-ttl-notchange {enable | disable}
set multicast-skip-policy {enable | disable}
set allow-subnet-overlap {enable | disable}
set deny-tcp-with-icmp {enable | disable}
set ecmp-max-paths <integer>
set discovered-device-timeout <integer>
set email-portal-check-dns {disable | enable}
set default-voip-alg-mode {proxy-based | kernel-helper-based}
set gui-icap {enable | disable}
set gui-nat46-64 {enable | disable}
set gui-implicit-policy {enable | disable}
set gui-dns-database {enable | disable}
set gui-load-balance {enable | disable}
set gui-multicast-policy {enable | disable}
set gui-dos-policy {enable | disable}
set gui-object-colors {enable | disable}
set gui-replacement-message-groups {enable | disable}
set gui-voip-profile {enable | disable}
set gui-ap-profile {enable | disable}
set gui-dynamic-profile-display {enable | disable}
set gui-ipsec-manual-key {enable | disable}
set gui-local-in-policy {enable | disable}
set gui-local-reports {enable | disable}
set gui-wanopt-cache {enable | disable}
set gui-explicit-proxy {enable | disable}
set gui-dynamic-routing {enable | disable}
set gui-dlp {enable | disable}
set gui-sslvpn-personal-bookmarks {enable | disable}
set gui-sslvpn-realms {enable | disable}
set gui-policy-based-ipsec {enable | disable}
set gui-threat-weight {enable | disable}
set gui-multiple-utm-profiles {enable | disable}
set gui-spamfilter {enable | disable}
set gui-application-control {enable | disable}
set gui-casi {enable | disable}
set gui-ips {enable | disable}
set gui-endpoint-control {enable | disable}
set gui-endpoint-on-net {enable | disable}
set gui-dhcp-advanced {enable | disable}
set gui-vpn {enable | disable}
set gui-wireless-controller {enable | disable}
set gui-switch-controller {enable | disable}
set gui-fortiap-split-tunneling {enable | disable}
set gui-webfilter-advanced {enable | disable}
set gui-traffic-shaping {enable | disable}
set gui-wan-load-balancing {enable | disable}
set gui-antivirus {enable | disable}
set gui-webfilter {enable | disable}
set gui-dnsfilter {enable | disable}
set gui-waf-profile {enable | disable}
set gui-fortiextender-controller {enable | disable}
set gui-advanced-policy {enable | disable}
set gui-allow-unnamed-policy {enable | disable}
set gui-email-collection {enable | disable}
set gui-domain-ip-reputation {enable | disable}
set gui-multiple-interface-policy {enable | disable}
set gui-policy-learning {enable | disable}
set compliance-check {enable | disable}
set ike-session-resume {enable | disable}
set ike-quick-crash-detect {enable | disable}
end


Description

Configuration                 Description                                                        Default Value
comments                      VDOM comments.                                                     (Empty)
opmode                        Firewall operation mode.                                           nat
inspection-mode               Inspection mode.                                                   proxy
http-external-dest            HTTP service external inspection destination.                      fortiweb
firewall-session-dirty        Packet session management.                                         check-all
manageip                      IP address and netmask.                                            (Empty)
gateway                       Default gateway IP address.                                        0.0.0.0
ip                            IP address and netmask.                                            0.0.0.0 0.0.0.0
manageip6                     Management IPv6 address prefix for transparent mode.               ::/0
gateway6                      Default gateway IPv6 address.                                      ::
ip6                           IPv6 address prefix for NAT mode.                                  ::/0
device                        Interface.                                                         (Empty)
bfd                           Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces.   disable
bfd-desired-min-tx            BFD desired minimal transmit interval.                             250
bfd-required-min-rx           BFD required minimal receive interval.                             250
bfd-detect-mult               BFD detection multiplier.
bfd-dont-enforce-src-port     Enable/disable verification of the source port of BFD packets.     disable
utf8-spam-tagging             Convert spam tags to UTF-8 for better non-ASCII character support. enable
wccp-cache-engine             Enable/disable WCCP cache engine.                                  disable
vpn-stats-log                 Enable/disable periodic VPN log statistics.                        ipsec pptp l2tp ssl

vpn-stats-period              Period to send VPN log statistics (sec).                           600
v4-ecmp-mode                  IPv4 ECMP mode.                                                    source-ip-based
mac-ttl                       Bridge MAC address expiration time (sec).                          300
fw-session-hairpin            Check every cross.                                                 disable
snat-hairpin-traffic          Enable/disable SNAT hairpin traffic.                               enable
dhcp-proxy                    Enable/disable DHCP proxy.                                         disable
dhcp-server-ip                DHCP server IP address.                                            (Empty)
dhcp6-server-ip               DHCPv6 server IP address.                                          (Empty)
central-nat                   Enable/disable central NAT.                                        disable
gui-default-policy-columns    Default columns to display for the firewall policy list in the GUI.   (Empty)
lldp-transmission             Enable/disable Link Layer Discovery Protocol (LLDP) transmission.  global
asymroute                     Enable/disable asymmetric route.                                   disable
asymroute-icmp                Enable/disable asymmetric ICMP route.                              disable
tcp-session-without-syn       Enable/disable creation of TCP session without SYN flag.           disable
ses-denied-traffic            Enable/disable insertion of denied traffic into session table.     disable
strict-src-check              Enable/disable strict source verification.                         disable
asymroute6                    Enable/disable asymmetric IPv6 route.                              disable
asymroute6-icmp               Enable/disable asymmetric ICMPv6 route.                            disable
sip-helper                    Enable/disable helper to add dynamic SIP firewall allow rule.      enable
sip-nat-trace                 Enable/disable adding original IP if NATed.                        enable
status                        Enable/disable this VDOM.                                          enable

sip-tcp-port                  TCP port the SIP proxy will monitor for SIP traffic.               5060
sip-udp-port                  UDP port the SIP proxy will monitor for SIP traffic.               5060
sip-ssl-port                  TCP SSL port the SIP proxy will monitor for SIP traffic.           5061
sccp-port                     TCP port the SCCP proxy will monitor for SCCP traffic.             2000
multicast-forward             Enable/disable multicast forwarding.                               enable
multicast-ttl-notchange       Enable/disable modification of multicast TTL.                      disable
multicast-skip-policy         Enable/disable skipping the policy check and allowing multicast through.   disable
allow-subnet-overlap          Enable/disable allowing one interface's subnet to overlap with other interfaces.   disable
deny-tcp-with-icmp            Enable/disable deny TCP with ICMP.                                 disable
ecmp-max-paths                Maximum number of ECMP next-hops.                                  10
discovered-device-timeout     Discard discovered devices after N days of inactivity.             28
email-portal-check-dns        Enable/disable DNS to validate domain names used in the email address collection captive portal.   enable
default-voip-alg-mode         Default ALG mode for VoIP traffic (when no VoIP profile on firewall policy).   proxy-based
gui-icap                      Enable/disable ICAP settings in GUI.                               disable
gui-nat46-64                  Enable/disable NAT46 and NAT64 settings in GUI.                    disable
gui-implicit-policy           Enable/disable implicit firewall policies in GUI.                  enable
gui-dns-database              Enable/disable DNS database in GUI.                                disable
gui-load-balance              Enable/disable load balance in GUI.                                disable
gui-multicast-policy          Enable/disable multicast firewall policies in GUI.                 disable

gui-dos-policy                Enable/disable DoS policy display in GUI.                          enable
gui-object-colors             Enable/disable object colors in GUI.                               enable
gui-replacement-message-groups   Enable/disable replacement message groups in GUI.               disable
gui-voip-profile              Enable/disable VoIP profiles in GUI.                               disable
gui-ap-profile                Enable/disable AP profiles in GUI.                                 enable
gui-dynamic-profile-display   Enable/disable dynamic profiles in GUI.                            disable
gui-ipsec-manual-key          Enable/disable IPsec manual key configuration in GUI.              disable
gui-local-in-policy           Enable/disable Local-In policies in GUI.                           disable
gui-local-reports             Enable/disable local reports in the GUI.                           disable
gui-wanopt-cache              Enable/disable WAN Opt & Cache configuration in GUI.               disable
gui-explicit-proxy            Enable/disable explicit proxy configuration in GUI.                disable
gui-dynamic-routing           Enable/disable dynamic routing menus in GUI.                       enable
gui-dlp                       Enable/disable DLP settings in GUI.                                disable
gui-sslvpn-personal-bookmarks Enable/disable SSL-VPN personal bookmark management in GUI.        disable
gui-sslvpn-realms             Enable/disable SSL-VPN custom login pages in GUI.                  disable
gui-policy-based-ipsec        Enable/disable policy-based IPsec VPN.                             disable
gui-threat-weight             Enable/disable threat weight feature in GUI.                       enable
gui-multiple-utm-profiles     Enable/disable multiple UTM profiles in GUI.                       enable
gui-spamfilter                Enable/disable spamfilter profiles in GUI.                         disable
gui-application-control       Enable/disable application control profiles in GUI.                enable

gui-casi                      Enable/disable CASI profiles in GUI.                               enable
gui-ips                       Enable/disable IPS sensors in GUI.                                 enable
gui-endpoint-control          Enable/disable endpoint control in GUI.                            enable
gui-endpoint-on-net           Enable/disable endpoint on-net/off-net options in GUI.             disable
gui-dhcp-advanced             Enable/disable advanced DHCP configuration in GUI.                 enable
gui-vpn                       Enable/disable VPN tunnels in GUI.                                 enable
gui-wireless-controller       Enable/disable wireless controller in GUI.                         enable
gui-switch-controller         Enable/disable switch controller in GUI.                           enable
gui-fortiap-split-tunneling   Enable/disable FortiAP split tunneling in GUI.                     disable
gui-webfilter-advanced        Enable/disable advanced web filter configuration in GUI.           disable
gui-traffic-shaping           Enable/disable traffic shaping in GUI.                             enable
gui-wan-load-balancing        Enable/disable WAN link load balancing in GUI.                     enable
gui-antivirus                 Enable/disable AntiVirus profile display in GUI.                   enable
gui-webfilter                 Enable/disable WebFilter profile display in GUI.                   enable
gui-dnsfilter                 Enable/disable DNS Filter profile display in GUI.                  enable
gui-waf-profile               Enable/disable Web Application Firewall profile display in GUI.    disable
gui-fortiextender-controller  Enable/disable FortiExtender controller in GUI.                    disable
gui-advanced-policy           Enable/disable advanced policy configuration in GUI.               disable
gui-allow-unnamed-policy      Enable/disable relaxation of the requirement for a policy to have a name when created in GUI.   disable
gui-email-collection          Enable/disable email collection feature.                           disable

gui-domain-ip-reputation      Enable/disable Domain and IP Reputation feature.                   disable
gui-multiple-interface-policy Enable/disable the ability to configure multiple interfaces in a policy in the GUI.   disable
gui-policy-learning           Enable/disable learning mode for firewall policies in the GUI.     enable
compliance-check              Enable/disable PCI DSS compliance check.                           disable
ike-session-resume            Enable/disable IKEv2 session resumption (RFC 5723).                disable
ike-quick-crash-detect        Enable/disable IKE quick crash detection (RFC 6290).               disable


system/sflow
CLI Syntax
config system sflow
edit <name_str>
set collector-ip <ipv4-address>
set collector-port <integer>
set source-ip <ipv4-address>
end


Description

Configuration                 Description                                                        Default Value
collector-ip                  Collector IP.                                                      0.0.0.0
collector-port                sFlow collector port.                                              6343
source-ip                     Source IP for sFlow agent.                                         0.0.0.0


system/sit-tunnel
CLI Syntax
config system sit-tunnel
edit <name_str>
set name <string>
set source <ipv4-address>
set destination <ipv4-address>
set ip6 <ipv6-prefix>
set interface <string>
set auto-asic-offload {enable | disable}
end


Description

Configuration                 Description                                                        Default Value
name                          Tunnel name.                                                       (Empty)
source                        Source IP address of tunnel.                                       0.0.0.0
destination                   Destination IP address of tunnel.                                  0.0.0.0
ip6                           IPv6 address of tunnel.                                            ::/0
interface                     Interface name.                                                    (Empty)
auto-asic-offload             Enable/disable tunnel ASIC offloading.                             enable


system/sms-server
CLI Syntax
config system sms-server
edit <name_str>
set name <string>
set mail-server <string>
end


Description

Configuration                 Description                                                        Default Value
name                          Name of SMS server.                                                (Empty)
mail-server                   Email-to-SMS server domain name.                                   (Empty)


system/storage
CLI Syntax
config system storage
edit <name_str>
set name <string>
set partition <string>
set media-type <string>
set device <string>
set size <integer>
end


Description

Configuration                 Description                                                        Default Value
name                          Storage name.                                                      default_n
partition                     Label of underlying partition.                                     <unknown>
media-type                    Media of underlying disk.
device                        Partition device.
size                          Partition size.


system/switch-interface
CLI Syntax
config system switch-interface
edit <name_str>
set name <string>
set vdom <string>
set span-dest-port <string>
config span-source-port
edit <name_str>
set interface-name <string>
end
config member
edit <name_str>
set interface-name <string>
end
set type {switch | hub}
set intra-switch-policy {implicit | explicit}
set span {disable | enable}
set span-direction {rx | tx | both}
end


Description

Configuration                 Description                                                        Default Value
name                          Interface name.                                                    (Empty)
vdom                          VDOM.                                                              (Empty)
span-dest-port                SPAN destination port.                                             (Empty)
span-source-port              SPAN source ports.                                                 (Empty)
member                        Interfaces that compose the virtual switch.                        (Empty)
type                          Type.                                                              switch
intra-switch-policy           Enable/disable policies between the members of the switch interface.   implicit
span                          Enable/disable SPAN port.                                          disable
span-direction                SPAN direction.                                                    both


system/tos-based-priority
CLI Syntax
config system tos-based-priority
edit <name_str>
set id <integer>
set tos <integer>
set priority {low | medium | high}
end


Description

Configuration                 Description                                                        Default Value
id                            Item ID.
tos                           IP ToS value (0 - 15).
priority                      ToS based priority level.                                          high


system/vdom
CLI Syntax
config system vdom
edit <name_str>
set name <string>
set vcluster-id <integer>
set temporary <integer>
end


Description

Configuration                 Description                                                        Default Value
name                          VDOM name.                                                         (Empty)
vcluster-id                   Virtual cluster ID (0 - 4294967295).
temporary                     Temporary.


system/vdom-dns
CLI Syntax
config system vdom-dns
edit <name_str>
set vdom-dns {enable | disable}
set primary <ipv4-address>
set secondary <ipv4-address>
set ip6-primary <ipv6-address>
set ip6-secondary <ipv6-address>
set source-ip <ipv4-address>
end


Description

Configuration                 Description                                                        Default Value
vdom-dns                      Enable/disable DNS per VDOM.                                       disable
primary                       VDOM primary DNS IP.                                               0.0.0.0
secondary                     VDOM secondary DNS IP.                                             0.0.0.0
ip6-primary                   VDOM IPv6 primary DNS IP.                                          ::
ip6-secondary                 VDOM IPv6 secondary DNS IP.                                        ::
source-ip                     Source IP for communications to DNS server.                        0.0.0.0


system/vdom-link
CLI Syntax
config system vdom-link
edit <name_str>
set name <string>
set vcluster {vcluster1 | vcluster2}
set type {ppp | ethernet}
end


Description

Configuration                 Description                                                        Default Value
name                          VDOM link name.                                                    (Empty)
vcluster                      Virtual cluster.                                                   vcluster1
type                          Type.                                                              ppp


system/vdom-netflow
CLI Syntax
config system vdom-netflow
edit <name_str>
set vdom-netflow {enable | disable}
set collector-ip <ipv4-address>
set collector-port <integer>
set source-ip <ipv4-address>
end


Description

Configuration                 Description                                                        Default Value
vdom-netflow                  Enable/disable NetFlow per VDOM.                                   disable
collector-ip                  Collector IP.                                                      0.0.0.0
collector-port                NetFlow collector port.                                            2055
source-ip                     Source IP for NetFlow agent.                                       0.0.0.0


system/vdom-property
CLI Syntax
config system vdom-property
edit <name_str>
set name <string>
set description <string>
set snmp-index <integer>
set session <user>
set ipsec-phase1 <user>
set ipsec-phase2 <user>
set dialup-tunnel <user>
set firewall-policy <user>
set firewall-address <user>
set firewall-addrgrp <user>
set custom-service <user>
set service-group <user>
set onetime-schedule <user>
set recurring-schedule <user>
set user <user>
set user-group <user>
set sslvpn <user>
set proxy <user>
set log-disk-quota <user>
end


Description

Configuration                 Description                                                        Default Value
name                          VDOM name.                                                         (Empty)
description                   Description.                                                       (Empty)
snmp-index                    Permanent SNMP index of the virtual domain.
session                       Maximum number (guaranteed number) of sessions.                    0 0
ipsec-phase1                  Maximum number (guaranteed number) of VPN IPsec phase1 tunnels.    0 0
ipsec-phase2                  Maximum number (guaranteed number) of VPN IPsec phase2 tunnels.    0 0
dialup-tunnel                 Maximum number (guaranteed number) of dialup tunnels.              0 0
firewall-policy               Maximum number (guaranteed number) of firewall policies.           0 0
firewall-address              Maximum number (guaranteed number) of firewall addresses.          0 0
firewall-addrgrp              Maximum number (guaranteed number) of firewall address groups.     0 0
custom-service                Maximum number (guaranteed number) of firewall custom services.    0 0
service-group                 Maximum number (guaranteed number) of firewall service groups.     0 0
onetime-schedule              Maximum number (guaranteed number) of firewall one-time schedules. 0 0
recurring-schedule            Maximum number (guaranteed number) of firewall recurring schedules.   0 0
user                          Maximum number (guaranteed number) of local users.                 0 0
user-group                    Maximum number (guaranteed number) of user groups.                 0 0
sslvpn                        Maximum number (guaranteed number) of SSL-VPN.                     0 0
proxy                         Maximum number (guaranteed number) of concurrent proxy users.      0 0
log-disk-quota                Log disk quota in MB.                                              0 0


system/vdom-radius-server
CLI Syntax
config system vdom-radius-server
edit <name_str>
set name <string>
set status {enable | disable}
set radius-server-vdom <string>
end


Description

Configuration                 Description                                                        Default Value
name                          Name of virtual domain for server settings.                        (Empty)
status                        Enable or disable the entry.                                       disable
radius-server-vdom            Virtual domain of the dynamic profile RADIUS server to use for dynamic profile traffic in the current VDOM.   (Empty)


system/vdom-sflow
CLI Syntax
config system vdom-sflow
edit <name_str>
set vdom-sflow {enable | disable}
set collector-ip <ipv4-address>
set collector-port <integer>
set source-ip <ipv4-address>
end


Description

Configuration                 Description                                                        Default Value
vdom-sflow                    Enable/disable sFlow per VDOM.                                     disable
collector-ip                  Collector IP.                                                      0.0.0.0
collector-port                sFlow collector port.                                              6343
source-ip                     Source IP for sFlow agent.                                         0.0.0.0


system/virtual-wan-link
CLI Syntax
config system virtual-wan-link
edit <name_str>
set status {disable | enable}
set load-balance-mode {source-ip-based | weight-based | usage-based | source-dest-ip-based | measured-volume-based}
set fail-detect {enable | disable}
config fail-alert-interfaces
edit <name_str>
set name <string>
end
config members
edit <name_str>
set seq-num <integer>
set interface <string>
set gateway <ipv4-address>
set weight <integer>
set priority <integer>
set spillover-threshold <integer>
set ingress-spillover-threshold <integer>
set volume-ratio <integer>
set status {disable | enable}
end
config health-check
edit <name_str>
set name <string>
set server <string>
set protocol {ping | tcp-echo | udp-echo | http | twamp}
set port <integer>
set security-mode {none | authentication}
set password <password>
set packet-size <integer>
set http-get <string>
set http-match <string>
set interval <integer>
set timeout <integer>
set failtime <integer>
set recoverytime <integer>
set update-cascade-interface {enable | disable}
set update-static-route {enable | disable}
set threshold-warning-packetloss <integer>
set threshold-alert-packetloss <integer>
set threshold-warning-latency <integer>
set threshold-alert-latency <integer>
set threshold-warning-jitter <integer>
set threshold-alert-jitter <integer>
end
config service
edit <name_str>
set name <string>
set id <integer>
set mode {auto | manual | priority}
set quality-link <integer>
set member <integer>
set tos <user>
set tos-mask <user>
set protocol <integer>
set start-port <integer>
set end-port <integer>
config dst
edit <name_str>
set name <string>
end
config src
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config groups
edit <name_str>
set name <string>
end
set internet-service {enable | disable}
config internet-service-custom
edit <name_str>
set name <string>
end
config internet-service-id
edit <name_str>
set id <integer>
end
set health-check <string>
set link-cost-factor {latency | jitter | packet-loss}
set link-cost-threshold <integer>
config priority-members
edit <name_str>
set seq-num <integer>
end
set status {disable | enable}
end
end


Description

Configuration                 Description                                                        Default Value
status                        Enable/disable using the virtual-wan-link settings.                disable
load-balance-mode             Load balance mode among virtual WAN link members.                  source-ip-based
fail-detect                   Enable/disable fail detection.                                     disable
fail-alert-interfaces         Physical interfaces that will be alerted.                          (Empty)
members                       Members that belong to the virtual WAN link.                       (Empty)
health-check                  Health check.                                                      (Empty)
service                       Service to be distributed.                                         (Empty)


system/virtual-wire-pair
CLI Syntax
config system virtual-wire-pair
edit <name_str>
set name <string>
config member
edit <name_str>
set interface-name <string>
end
set wildcard-vlan {enable | disable}
end


Description

Configuration                 Description                                                        Default Value
name                          Virtual wire pair name.                                            (Empty)
member                        Interfaces that belong to the port pair.                           (Empty)
wildcard-vlan                 Enable/disable wildcard VLAN.                                      disable


system/wccp
CLI Syntax
config system wccp
edit <name_str>
set service-id <string>
set router-id <ipv4-address>
set cache-id <ipv4-address>
set group-address <ipv4-address-multicast>
set server-list <user>
set router-list <user>
set ports-defined {source | destination}
set ports <user>
set authentication {enable | disable}
set password <password>
set forward-method {GRE | L2 | any}
set cache-engine-method {GRE | L2}
set service-type {auto | standard | dynamic}
set primary-hash {src-ip | dst-ip | src-port | dst-port}
set priority <integer>
set protocol <integer>
set assignment-weight <integer>
set assignment-bucket-format {wccp-v2 | cisco-implementation}
set return-method {GRE | L2 | any}
set assignment-method {HASH | MASK | any}
end


Description

Configuration                 Description                                                        Default Value
service-id                    Service ID.                                                        (Empty)
router-id                     IP address which is known by all web cache servers.                0.0.0.0
cache-id                      IP address which is known by all routers.                          0.0.0.0
group-address                 IP multicast address.                                              0.0.0.0
server-list                   Addresses of potential cache servers.                              (Empty)
router-list                   Addresses of potential routers.                                    (Empty)
ports-defined                 Match method.                                                      (Empty)
ports                         Service ports.                                                     (Empty)
authentication                Enable/disable MD5 authentication.                                 disable
password                      Password for MD5 authentication.                                   (Empty)
forward-method                Method by which traffic is forwarded to cache servers.             GRE
cache-engine-method           Method by which traffic is forwarded to the router or returned to the cache engine.   GRE
service-type                  Service type: auto, standard, or dynamic.                          auto
primary-hash                  Hash method.                                                       dst-ip
priority                      Service priority.
protocol                      Service protocol.
assignment-weight             Cache server hash weight.
assignment-bucket-format      Hash table bucket format.                                          cisco-implementation
return-method                 Method by which traffic is returned to the firewall.               GRE
assignment-method             Assignment method preference.                                      HASH


system/zone
CLI Syntax
config system zone
edit <name_str>
set name <string>
set intrazone {allow | deny}
config interface
edit <name_str>
set interface-name <string>
end
end


Description

Configuration                 Description                                                        Default Value
name                          Zone name.                                                         (Empty)
intrazone                     Intra-zone traffic.                                                deny
interface                     Interfaces that belong to the zone.                                (Empty)

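The tables for system/session-ttl, system/settings, system/wccp and system/zone above list options and their documented defaults, but a real `show full-configuration` dump is the only place those values are visible on a running unit, and a dump lists only options that differ from their defaults. The following is an added example, not Fortinet code and not part of this reference: a small Python parser for FortiOS CLI text, an audit that applies the documented defaults to a parsed dump, and a lookup that resolves the effective session TTL for a protocol/port the way the `default` and `config port` fields of system/session-ttl describe it. The sample dump is constructed for the example; the "hardened" values, the precedence assumed in `effective_ttl`, and the finding texts are this example's own assumptions, and only the default values come from this page. The parser accepts both the per-VDOM form shown in these CLI Syntax blocks (`edit <name_str>`) and the flat `set` form seen in a dump taken inside a VDOM.

```python
import re


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts.

    'config <table>' and 'edit <key>' each open a nested dict; 'set <opt> <v>...'
    stores the values as a list of unquoted strings; 'next'/'end' close a level.
    A dump lists only non-default options, so an absent option means "documented default".
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = re.findall(r'"[^"]*"|\S+', raw.strip())
        if not tokens or tokens[0].startswith("#"):
            continue
        keyword, args = tokens[0], [t.strip('"') for t in tokens[1:]]
        if keyword in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "set" and args:
            stack[-1][args[0]] = args[1:]
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def first(table, option, default):
    """First value of 'set <option>', or the documented default when the option is absent."""
    return table.get(option, [default])[0]


# (option, documented default, hardened value, reason). Defaults come from the
# system/settings table; the hardened values are this example's own assumptions.
SETTINGS_BASELINE = [
    ("asymroute", "disable", "disable", "asymmetric routing lets return traffic skip stateful checks"),
    ("asymroute6", "disable", "disable", "same for IPv6"),
    ("tcp-session-without-syn", "disable", "disable", "creates sessions that no SYN ever opened"),
    ("strict-src-check", "disable", "enable", "verifies each packet's source against the routing table"),
    ("multicast-skip-policy", "disable", "disable", "multicast would be forwarded with no policy check"),
    ("allow-subnet-overlap", "disable", "disable", "overlapping subnets make interface-based policy ambiguous"),
]


def audit(cfg):
    """Findings for system settings, system zone (intrazone) and system wccp (authentication)."""
    findings = []
    settings = cfg.get("system settings", {})
    for option, default, hardened, why in SETTINGS_BASELINE:
        actual = first(settings, option, default)
        if actual != hardened:
            findings.append(f"system settings: {option}={actual} (want {hardened}): {why}")
    for name, zone in cfg.get("system zone", {}).items():
        if first(zone, "intrazone", "deny") == "allow":  # documented default is deny
            findings.append(f"system zone {name}: intrazone=allow, members reach each other with no policy")
    for sid, svc in cfg.get("system wccp", {}).items():
        if first(svc, "authentication", "disable") != "enable":  # documented default is disable
            findings.append(f"system wccp {sid}: MD5 authentication disabled, cache-engine registration is unauthenticated")
    return findings


def effective_ttl(cfg, protocol, port):
    """Session TTL in seconds for (IP protocol number, port) under system/session-ttl.

    Assumed precedence: a 'config port' entry whose protocol matches and whose
    start-port..end-port range contains the port wins; otherwise the table-level
    'default' applies (documented default 3600).
    """
    table = cfg.get("system session-ttl", {})
    default = int(first(table, "default", "3600"))
    for entry in table.get("port", {}).values():
        if first(entry, "protocol", "0") != str(protocol):
            continue
        if int(first(entry, "start-port", "0")) <= port <= int(first(entry, "end-port", "0")):
            return int(first(entry, "timeout", str(default)))
    return default


# Constructed sample dump for this example, not taken from a real device.
SAMPLE_CONFIG = """\
config system settings
    set asymroute enable
    set tcp-session-without-syn enable
end
config system session-ttl
    set default 1800
    config port
        edit 1
            set protocol 6
            set start-port 3389
            set end-port 3389
            set timeout 300
        next
    end
end
config system zone
    edit "dmz"
        set intrazone allow
        set interface "port3" "port4"
    next
end
config system wccp
    edit "1"
        set router-id 10.0.0.1
    next
end
"""

if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for finding in audit(cfg):
        print("FINDING:", finding)
    print("tcp/3389 TTL:", effective_ttl(cfg, 6, 3389), "s; tcp/443 TTL:", effective_ttl(cfg, 6, 443), "s")
```

Run it against the output of `show full-configuration` saved to a file instead of SAMPLE_CONFIG to audit a real unit; treating absent options as their documented defaults is what makes the strict-src-check and WCCP findings appear even though neither option is present in the dump.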

user/adgrp
CLI Syntax
config user adgrp
edit <name_str>
set name <string>
set server-name <string>
set polling-id <integer>
end


Description

Configuration                 Description                                                        Default Value
name                          Name.                                                              (Empty)
server-name                   FSSO agent name.                                                   (Empty)
polling-id                    FSSO polling ID.


user/device
CLI Syntax
config user device
edit <name_str>
set alias <string>
set mac <mac-address>
set user <string>
set master-device <string>
set comment <var-string>
set avatar <var-string>
set type {android-phone | android-tablet | blackberry-phone | blackberry-playbook | forticam | fortifone | fortinet-device | gaming-console | ip-phone | ipad | iphone | linux-pc | mac | media-streaming | printer | router-nat-device | windows-pc | windows-phone | windows-tablet | other-network-device}
end


Description

Configuration                 Description                                                        Default Value
alias                         Device alias.                                                      (Empty)
mac                           Device MAC address(es).                                            00:00:00:00:00:00
user                          User name.                                                         (Empty)
master-device                 Master device (optional).                                          (Empty)
comment                       Comment.                                                           (Empty)
avatar                        Image file for avatar (maximum 4K base64 encoded).                 (Empty)
type                          Device type.                                                       other-network-device


user/device-access-list
CLI Syntax
config user device-access-list
edit <name_str>
set name <string>
set default-action {accept | deny}
config device-list
edit <name_str>
set id <integer>
set device <string>
set action {accept | deny}
end
end


Description

Configuration                 Description                                                        Default Value
name                          Device access list name.                                           (Empty)
default-action                Allow or block unknown devices.                                    accept
device-list                   Device list.                                                       (Empty)


user/device-category
CLI Syntax
config user device-category
edit <name_str>
set name <string>
set desc <var-string>
set comment <var-string>
end


Description

Configuration                 Description                                                        Default Value
name                          Device category name.                                              (Empty)
desc                          Device category description.                                       (Empty)
comment                       Comment.                                                           (Empty)


user/device-group
CLI Syntax
config user device-group
edit <name_str>
set name <string>
config member
edit <name_str>
set name <string>
end
set comment <var-string>
end


Description

Configuration                 Description                                                        Default Value
name                          Device group name.                                                 (Empty)
member                        Device group member.                                               (Empty)
comment                       Comment.                                                           (Empty)


user/fortitoken
CLI Syntax
config user fortitoken
edit <name_str>
set serial-number <string>
set status {active | lock}
set seed <string>
set comments <var-string>
set license <string>
set activation-code <string>
set activation-expire <integer>
end


Description

Configuration                 Description                                                        Default Value
serial-number                 Serial number.                                                     (Empty)
status                        Status.                                                            active
seed                          Token seed.                                                        (Empty)
comments                      Comment.                                                           (Empty)
license                       Mobile token license.                                              (Empty)
activation-code               Mobile token user activation code.                                 (Empty)
activation-expire             Mobile token user activation code expiry time.


user/fsso
CLI Syntax
config user fsso
edit <name_str>
set name <string>
set server <string>
set port <integer>
set password <password>
set server2 <string>
set port2 <integer>
set password2 <password>
set server3 <string>
set port3 <integer>
set password3 <password>
set server4 <string>
set port4 <integer>
set password4 <password>
set server5 <string>
set port5 <integer>
set password5 <password>
set ldap-server <string>
set source-ip <ipv4-address>
end


Description

Configuration                 Description                                                        Default Value
name                          Name.                                                              (Empty)
server                        Address of the 1st FSSO agent.                                     (Empty)
port                          Port of the 1st FSSO agent.                                        8000
password                      Password of the 1st FSSO agent.                                    (Empty)
server2                       Address of the 2nd FSSO agent.                                     (Empty)
port2                         Port of the 2nd FSSO agent.                                        8000
password2                     Password of the 2nd FSSO agent.                                    (Empty)
server3                       Address of the 3rd FSSO agent.                                     (Empty)
port3                         Port of the 3rd FSSO agent.                                        8000
password3                     Password of the 3rd FSSO agent.                                    (Empty)
server4                       Address of the 4th FSSO agent.                                     (Empty)
port4                         Port of the 4th FSSO agent.                                        8000
password4                     Password of the 4th FSSO agent.                                    (Empty)
server5                       Address of the 5th FSSO agent.                                     (Empty)
port5                         Port of the 5th FSSO agent.                                        8000
password5                     Password of the 5th FSSO agent.                                    (Empty)
ldap-server                   LDAP server to get group information.                              (Empty)
source-ip                     Source IP for communications to FSSO agent.                        0.0.0.0


user/fsso-polling
CLI Syntax
config user fsso-polling
edit <name_str>
set id <integer>
set status {enable | disable}
set server <string>
set default-domain <string>
set port <integer>
set user <string>
set password <password>
set ldap-server <string>
set logon-history <integer>
set polling-frequency <integer>
config adgrp
edit <name_str>
set name <string>
end
end

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

662

Description

Configuration               Description                                         Default Value
id                          Active Directory server ID.
status                      Enable/disable poll Active Directory status.        enable
server                      Active Directory server name/IP address.            (Empty)
default-domain              Default domain in this server.                      (Empty)
port                        Port of the Active Directory server.
user                        Active Directory server user account.               (Empty)
password                    Password to connect to Active Directory server.     (Empty)
ldap-server                 LDAP Server NAME for group name and users.          (Empty)
logon-history               Hours to keep as an active logon (0 means keep forever).
polling-frequency           Polling frequency (1 - 30 s).                       10
adgrp                       LDAP Group Info.                                    (Empty)

user/group
CLI Syntax
config user group
edit <name_str>
set name <string>
set group-type {firewall | sslvpn | fsso-service | directory-service | active-directory | rsso | guest}
set authtimeout <integer>
set auth-concurrent-override {enable | disable}
set auth-concurrent-value <integer>
set http-digest-realm <string>
set sso-attribute-value <string>
config member
edit <name_str>
set name <string>
end
config match
edit <name_str>
set id <integer>
set server-name <string>
set group-name <string>
end
set user-id {email | auto-generate | specify}
set password {auto-generate | specify | disable}
set user-name {disable | enable}
set sponsor {optional | mandatory | disabled}
set company {optional | mandatory | disabled}
set email {disable | enable}
set mobile-phone {disable | enable}
set sms-server {fortiguard | custom}
set sms-custom-server <string>
set expire-type {immediately | first-successful-login}
set expire <integer>
set max-accounts <integer>
set multiple-guest-add {disable | enable}
config guest
edit <name_str>
set user-id <string>
set name <string>
set group <string>
set password <password>
set mobile-phone <string>
set sponsor <string>
set company <string>
set email <string>
set expiration <user>
set comment <var-string>
end
end

Description

Configuration               Description                                         Default Value
name                        Group name.                                         (Empty)
group-type                  Type of user group.                                 firewall
authtimeout                 Authentication timeout.
auth-concurrent-override    Enable/disable concurrent authentication override.  disable
auth-concurrent-value       Maximum number of concurrent authenticated connections per user (0 - 100).
http-digest-realm           Realm attribute for MD5-digest authentication.      (Empty)
sso-attribute-value         Single Sign On Attribute Value.                     (Empty)
member                      Group members.                                      (Empty)
match                       Group matches.                                      (Empty)
user-id                     User ID.                                            email
password                    Password.                                           auto-generate
user-name                   Enable/disable user name.                           disable
sponsor                     Sponsor.                                            optional
company                     Company.                                            optional
email                       Enable/disable email address.                       enable
mobile-phone                Enable/disable mobile phone.                        disable
sms-server                  Send SMS through FortiGuard or other external server.  fortiguard
sms-custom-server           SMS server.                                         (Empty)
expire-type                 Point at which expiration count down begins.        immediately
expire                      Expiration (1 - 31536000 sec).                      14400
max-accounts                Maximum number of guest accounts that can be created for this group (0 = unlimited).
multiple-guest-add          Enable/disable addition of multiple guests.         disable
guest                       Guest User.                                         (Empty)

user/ldap
CLI Syntax
config user ldap
edit <name_str>
set name <string>
set server <string>
set secondary-server <string>
set tertiary-server <string>
set source-ip <ipv4-address>
set cnid <string>
set dn <string>
set type {simple | anonymous | regular}
set username <string>
set password <password>
set group-member-check {user-attr | group-object | posix-group-object}
set group-object-filter <string>
set group-object-search-base <string>
set secure {disable | starttls | ldaps}
set ca-cert <string>
set port <integer>
set password-expiry-warning {enable | disable}
set password-renewal {enable | disable}
set member-attr <string>
set search-type {nested}
end

Description

Configuration               Description                                         Default Value
name                        LDAP server entry name.                             (Empty)
server                      LDAP server CN domain name or IP.                   (Empty)
secondary-server            Secondary LDAP server CN domain name or IP.         (Empty)
tertiary-server             Tertiary LDAP server CN domain name or IP.          (Empty)
source-ip                   Source IP for communications to LDAP server.        0.0.0.0
cnid                        Common Name Identifier (default = "cn").            cn
dn                          Distinguished Name.                                 (Empty)
type                        Type of LDAP binding.                               simple
username                    Username (full DN) for initial binding.             (Empty)
password                    Password for initial binding.                       (Empty)
group-member-check          Group member checking options.                      user-attr
group-object-filter         Filter used for group searching.                    (&(objectcategory=group)(member=*))
group-object-search-base    Search base used for group searching.               (Empty)
secure                      SSL connection.                                     disable
ca-cert                     CA certificate name.                                (Empty)
port                        Port number of the LDAP server (default = 389).     389
password-expiry-warning     Enable/disable password expiry warnings.            disable
password-renewal            Enable/disable online password renewal.             disable
member-attr                 Name of attribute from which to get group membership.  memberOf
search-type                 Search type.                                        (Empty)

user/local
CLI Syntax
config user local
edit <name_str>
set name <string>
set status {enable | disable}
set type {password | radius | tacacs+ | ldap}
set passwd <password>
set ldap-server <string>
set radius-server <string>
set tacacs+-server <string>
set two-factor {disable | fortitoken | email | sms}
set fortitoken <string>
set email-to <string>
set sms-server {fortiguard | custom}
set sms-custom-server <string>
set sms-phone <string>
set passwd-policy <string>
set passwd-time <user>
set authtimeout <integer>
set workstation <string>
set auth-concurrent-override {enable | disable}
set auth-concurrent-value <integer>
end

Description

Configuration               Description                                         Default Value
name                        User name.                                          (Empty)
status                      Enable/disable user.                                enable
type                        Authentication type.                                (Empty)
passwd                      User password.                                      (Empty)
ldap-server                 LDAP server name.                                   (Empty)
radius-server               RADIUS server name.                                 (Empty)
tacacs+-server              TACACS+ server name.                                (Empty)
two-factor                  Enable/disable two-factor authentication.           disable
fortitoken                  Two-factor recipient's FortiToken serial number.    (Empty)
email-to                    Two-factor recipient's email address.               (Empty)
sms-server                  Send SMS through FortiGuard or other external server.  fortiguard
sms-custom-server           Two-factor recipient's SMS server.                  (Empty)
sms-phone                   Two-factor recipient's mobile phone number.         (Empty)
passwd-policy               Password policy.                                    (Empty)
passwd-time                 Password last update time.                          0000-00-00 00:00:00
authtimeout                 Authentication timeout.
workstation                 Name of remote user workstation.                    (Empty)
auth-concurrent-override    Enable/disable concurrent authentication override.  disable
auth-concurrent-value       Maximum number of concurrent authenticated connections per user.

user/password-policy
CLI Syntax
config user password-policy
edit <name_str>
set name <string>
set expire-days <integer>
set warn-days <integer>
end

Description

Configuration               Description                                         Default Value
name                        Password policy name.                               (Empty)
expire-days                 Number of days until the password expires.          180
warn-days                   Number of days to warn before password expires.     15

user/peer
CLI Syntax
config user peer
edit <name_str>
set name <string>
set mandatory-ca-verify {enable | disable}
set ca <string>
set subject <string>
set cn <string>
set cn-type {string | email | FQDN | ipv4 | ipv6}
set ldap-server <string>
set ldap-username <string>
set ldap-password <password>
set ldap-mode {password | principal-name}
set ocsp-override-server <string>
set two-factor {enable | disable}
set passwd <password>
end

Description

Configuration               Description                                         Default Value
name                        Peer name.                                          (Empty)
mandatory-ca-verify         Enable/disable mandatory CA verify.                 enable
ca                          Peer certificate CA (CA name in local).             (Empty)
subject                     Peer certificate name constraints.                  (Empty)
cn                          Peer certificate common name.                       (Empty)
cn-type                     Peer certificate common name type.                  string
ldap-server                 LDAP server for access rights check.                (Empty)
ldap-username               Username for LDAP server bind.                      (Empty)
ldap-password               Password for LDAP server bind.                      (Empty)
ldap-mode                   Peer LDAP mode.                                     password
ocsp-override-server        OCSP server.                                        (Empty)
two-factor                  Enable/disable 2-factor authentication (certificate + password).  disable
passwd                      User password.                                      (Empty)

user/peergrp
CLI Syntax
config user peergrp
edit <name_str>
set name <string>
config member
edit <name_str>
set name <string>
end
end

Description

Configuration               Description                                         Default Value
name                        Peer group name.                                    (Empty)
member                      Peer group members.                                 (Empty)

user/pop3
CLI Syntax
config user pop3
edit <name_str>
set name <string>
set server <string>
set port <integer>
set secure {none | starttls | pop3s}
end

Description

Configuration               Description                                         Default Value
name                        POP3 server entry name.                             (Empty)
server                      {<name_str|ip_str>} server domain name or IP.       (Empty)
port                        POP3 service port number.
secure                      SSL connection.                                     starttls

user/radius
CLI Syntax
config user radius
edit <name_str>
set name <string>
set server <string>
set secret <password>
set secondary-server <string>
set secondary-secret <password>
set tertiary-server <string>
set tertiary-secret <password>
set timeout <integer>
set all-usergroup {disable | enable}
set use-management-vdom {enable | disable}
set nas-ip <ipv4-address>
set acct-interim-interval <integer>
set radius-coa {enable | disable}
set radius-port <integer>
set h3c-compatibility {enable | disable}
set auth-type {auto | ms_chap_v2 | ms_chap | chap | pap}
set source-ip <ipv4-address>
set username-case-sensitive {enable | disable}
config class
edit <name_str>
set name <string>
end
set password-renewal {enable | disable}
set rsso {enable | disable}
set rsso-radius-server-port <integer>
set rsso-radius-response {enable | disable}
set rsso-validate-request-secret {enable | disable}
set rsso-secret <password>
set rsso-endpoint-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
set rsso-endpoint-block-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
set sso-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
set sso-attribute-key <string>
set sso-attribute-value-override {enable | disable}
set rsso-context-timeout <integer>
set rsso-log-period <integer>
set rsso-log-flags {protocol-error | profile-missing | accounting-stop-missed | accounting-event | endpoint-block | radiusd-other | none}
set rsso-flush-ip-session {enable | disable}
config accounting-server
edit <name_str>
set id <integer>
set status {enable | disable}
set server <string>
set secret <password>
set port <integer>
set source-ip <ipv4-address>
end
end

Description

Configuration               Description                                         Default Value
name                        RADIUS server entry name.                           (Empty)
server                      {<name_str|ip_str>} primary server CN domain name or IP.  (Empty)
secret                      Secret key to access the primary server.            (Empty)
secondary-server            {<name_str|ip_str>} secondary RADIUS CN domain name or IP.  (Empty)
secondary-secret            Secret key to access the secondary server.          (Empty)
tertiary-server             {<name_str|ip_str>} tertiary RADIUS CN domain name or IP.  (Empty)
tertiary-secret             Secret key to access the tertiary server.           (Empty)
timeout                     Authentication time-out.
all-usergroup               Enable/disable automatically include this RADIUS server to all user groups.  disable
use-management-vdom         Enable/disable using management VDOM to send requests.  disable
nas-ip                      NAS IP address.                                     0.0.0.0
acct-interim-interval       Number of seconds between each accounting interim update message (600 - 86400 sec).
radius-coa                  Enable/disable RADIUS CoA.                          disable
radius-port                 RADIUS service port number.
h3c-compatibility           Enable/disable H3C compatibility.                   disable
auth-type                   Authentication Protocol.                            auto
source-ip                   Source IP for communications to RADIUS server.      0.0.0.0
username-case-sensitive     Enable/disable username case sensitive.             disable
class                       Class name(s).                                      (Empty)
password-renewal            Enable/disable password renewal.                    disable
rsso                        Enable/disable RADIUS based single sign on feature.  disable
rsso-radius-server-port     UDP port to listen on for RADIUS accounting packets.  1813
rsso-radius-response        Enable/disable sending RADIUS response packets.     disable
rsso-validate-request-secret  Enable/disable validating RADIUS request shared secret.  disable
rsso-secret                 RADIUS shared secret for responses / validating requests.  (Empty)
rsso-endpoint-attribute     RADIUS Attribute used to hold End Point name.       Calling-Station-Id
rsso-endpoint-block-attribute  RADIUS Attribute used to hold endpoint to block.    (Empty)
sso-attribute               RADIUS Attribute used to match the single sign on group value.  Class
sso-attribute-key           Key prefix for single-sign-on group value in the sso-attribute.  (Empty)
sso-attribute-value-override  Enable/disable override old attribute value with new value for the same endpoint.  enable
rsso-context-timeout        Timeout value for RADIUS server database entries (0 = infinite).  28800
rsso-log-period             Minimum time period to use for event logs.
rsso-log-flags              Events to log.                                      protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other
rsso-flush-ip-session       Enable/disable flush user IP sessions on RADIUS accounting stop.  disable
accounting-server           Additional accounting servers.                      (Empty)

user/security-exempt-list
CLI Syntax
config user security-exempt-list
edit <name_str>
set name <string>
set description <string>
config rule
edit <name_str>
set id <integer>
config srcaddr
edit <name_str>
set name <string>
end
config devices
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
end
end

Description

Configuration               Description                                         Default Value
name                        Name of the exempt list.                            (Empty)
description                 Description.                                        (Empty)
rule                        Exempt rules.                                       (Empty)

user/setting
CLI Syntax
config user setting
edit <name_str>
set auth-type {http | https | ftp | telnet}
set auth-cert <string>
set auth-ca-cert <string>
set auth-secure-http {enable | disable}
set auth-http-basic {enable | disable}
set auth-multi-group {enable | disable}
set auth-timeout <integer>
set auth-timeout-type {idle-timeout | hard-timeout | new-session}
set auth-portal-timeout <integer>
set radius-ses-timeout-act {hard-timeout | ignore-timeout}
set auth-blackout-time <integer>
set auth-invalid-max <integer>
set auth-lockout-threshold <integer>
set auth-lockout-duration <integer>
config auth-ports
edit <name_str>
set id <integer>
set type {http | https | ftp | telnet}
set port <integer>
end
end

Description

Configuration               Description                                         Default Value
auth-type                   Allowed firewall policy authentication methods.     http https ftp telnet
auth-cert                   HTTPS server certificate for policy authentication.  (Empty)
auth-ca-cert                HTTPS CA certificate for policy authentication.     (Empty)
auth-secure-http            Enable/disable use of HTTPS for HTTP authentication.  disable
auth-http-basic             Enable/disable use of HTTP BASIC for HTTP authentication.  disable
auth-multi-group            Enable/disable retrieval of groups to which a user belongs.  enable
auth-timeout                Firewall user authentication time-out.
auth-timeout-type           Authenticated policy expiration behavior.           idle-timeout
auth-portal-timeout         Firewall captive portal authentication time-out (1 - 30 min, default = 3).
radius-ses-timeout-act      RADIUS session timeout behavior.                    hard-timeout
auth-blackout-time          Authentication blackout time (0 - 3600 s).
auth-invalid-max            Number of invalid auth tries allowed before blackout.
auth-lockout-threshold      Maximum number of failed login attempts before lockout (1 - 10).
auth-lockout-duration       Lockout period in seconds after too many login failures.
auth-ports                  Authentication port table.                          (Empty)

user/tacacs+
CLI Syntax
config user tacacs+
edit <name_str>
set name <string>
set server <string>
set secondary-server <string>
set tertiary-server <string>
set port <integer>
set key <password>
set secondary-key <password>
set tertiary-key <password>
set authen-type {mschap | chap | pap | ascii | auto}
set authorization {enable | disable}
set source-ip <ipv4-address>
end

Description

Configuration               Description                                         Default Value
name                        TACACS+ server entry name.                          (Empty)
server                      {<name_str|ip_str>} server CN domain name or IP.    (Empty)
secondary-server            {<name_str|ip_str>} secondary server CN domain name or IP.  (Empty)
tertiary-server             {<name_str|ip_str>} tertiary server CN domain name or IP.  (Empty)
port                        Port number of the TACACS+ server.                  49
key                         Key to access the server.                           (Empty)
secondary-key               Key to access the secondary server.                 (Empty)
tertiary-key                Key to access the tertiary server.                  (Empty)
authen-type                 Authentication type to use.                         auto
authorization               Enable/disable TACACS+ authorization.               disable
source-ip                   Source IP for communications to TACACS+ server.     0.0.0.0

voip/profile
CLI Syntax
config voip profile
edit <name_str>
set name <string>
set comment <var-string>
config sip
edit <name_str>
set status {disable | enable}
set rtp {disable | enable}
set open-register-pinhole {disable | enable}
set open-contact-pinhole {disable | enable}
set strict-register {disable | enable}
set register-rate <integer>
set invite-rate <integer>
set max-dialogs <integer>
set max-line-length <integer>
set block-long-lines {disable | enable}
set block-unknown {disable | enable}
set call-keepalive <integer>
set block-ack {disable | enable}
set block-bye {disable | enable}
set block-cancel {disable | enable}
set block-info {disable | enable}
set block-invite {disable | enable}
set block-message {disable | enable}
set block-notify {disable | enable}
set block-options {disable | enable}
set block-prack {disable | enable}
set block-publish {disable | enable}
set block-refer {disable | enable}
set block-register {disable | enable}
set block-subscribe {disable | enable}
set block-update {disable | enable}
set register-contact-trace {disable | enable}
set open-via-pinhole {disable | enable}
set open-record-route-pinhole {disable | enable}
set rfc2543-branch {disable | enable}
set log-violations {disable | enable}
set log-call-summary {disable | enable}
set nat-trace {disable | enable}
set subscribe-rate <integer>
set message-rate <integer>
set notify-rate <integer>
set refer-rate <integer>
set update-rate <integer>
set options-rate <integer>
set ack-rate <integer>
set prack-rate <integer>
set info-rate <integer>
set publish-rate <integer>
set bye-rate <integer>
set cancel-rate <integer>
set preserve-override {disable | enable}
set no-sdp-fixup {disable | enable}
set contact-fixup {disable | enable}
set max-idle-dialogs <integer>
set block-geo-red-options {disable | enable}
set hosted-nat-traversal {disable | enable}
set hnt-restrict-source-ip {disable | enable}
set max-body-length <integer>
set unknown-header {discard | pass | respond}
set malformed-request-line {discard | pass | respond}
set malformed-header-via {discard | pass | respond}
set malformed-header-from {discard | pass | respond}
set malformed-header-to {discard | pass | respond}
set malformed-header-call-id {discard | pass | respond}
set malformed-header-cseq {discard | pass | respond}
set malformed-header-rack {discard | pass | respond}
set malformed-header-rseq {discard | pass | respond}
set malformed-header-contact {discard | pass | respond}
set malformed-header-record-route {discard | pass | respond}
set malformed-header-route {discard | pass | respond}
set malformed-header-expires {discard | pass | respond}
set malformed-header-content-type {discard | pass | respond}
set malformed-header-content-length {discard | pass | respond}
set malformed-header-max-forwards {discard | pass | respond}
set malformed-header-allow {discard | pass | respond}
set malformed-header-p-asserted-identity {discard | pass | respond}
set malformed-header-sdp-v {discard | pass | respond}
set malformed-header-sdp-o {discard | pass | respond}
set malformed-header-sdp-s {discard | pass | respond}
set malformed-header-sdp-i {discard | pass | respond}
set malformed-header-sdp-c {discard | pass | respond}
set malformed-header-sdp-b {discard | pass | respond}
set malformed-header-sdp-z {discard | pass | respond}
set malformed-header-sdp-k {discard | pass | respond}
set malformed-header-sdp-a {discard | pass | respond}
set malformed-header-sdp-t {discard | pass | respond}
set malformed-header-sdp-r {discard | pass | respond}
set malformed-header-sdp-m {discard | pass | respond}
set provisional-invite-expiry-time <integer>
set ips-rtp {disable | enable}
set ssl-mode {off | full}
set ssl-send-empty-frags {enable | disable}
set ssl-client-renegotiation {allow | deny | secure}
set ssl-algorithm {high | medium | low}
set ssl-pfs {require | deny | allow}
set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-client-certificate <string>
set ssl-server-certificate <string>
set ssl-auth-client <string>
set ssl-auth-server <string>
end
config sccp
edit <name_str>
set status {disable | enable}
set block-mcast {disable | enable}
set verify-header {disable | enable}
set log-call-summary {disable | enable}
set log-violations {disable | enable}
set max-calls <integer>
end
end

Description

Configuration               Description                                         Default Value
name                        Profile name.                                       (Empty)
comment                     Comment.                                            (Empty)
sip                         SIP.                                                Details below
sccp                        SCCP.                                               Details below

sip

Configuration                         Default Value
status                                enable
rtp                                   enable
open-register-pinhole                 enable
open-contact-pinhole                  enable
strict-register                       disable
register-rate                         0
invite-rate                           0
max-dialogs                           0
max-line-length                       998
block-long-lines                      enable
block-unknown                         enable
call-keepalive                        0
block-ack                             disable
block-bye                             disable
block-cancel                          disable
block-info                            disable
block-invite                          disable
block-message                         disable
block-notify                          disable
block-options                         disable
block-prack                           disable
block-publish                         disable
block-refer                           disable
block-register                        disable
block-subscribe                       disable
block-update                          disable
register-contact-trace                disable
open-via-pinhole                      disable
open-record-route-pinhole             enable
rfc2543-branch                        disable
log-violations                        disable
log-call-summary                      enable
nat-trace                             enable
subscribe-rate                        0
message-rate                          0
notify-rate                           0
refer-rate                            0
update-rate                           0
options-rate                          0
ack-rate                              0
prack-rate                            0
info-rate                             0
publish-rate                          0
bye-rate                              0
cancel-rate                           0
preserve-override                     disable
no-sdp-fixup                          disable
contact-fixup                         enable
max-idle-dialogs                      0
block-geo-red-options                 disable
hosted-nat-traversal                  disable
hnt-restrict-source-ip                disable
max-body-length                       0
unknown-header                        pass
malformed-request-line                pass
malformed-header-via                  pass
malformed-header-from                 pass
malformed-header-to                   pass
malformed-header-call-id              pass
malformed-header-cseq                 pass
malformed-header-rack                 pass
malformed-header-rseq                 pass
malformed-header-contact              pass
malformed-header-record-route         pass
malformed-header-route                pass
malformed-header-expires              pass
malformed-header-content-type         pass
malformed-header-content-length       pass
malformed-header-max-forwards         pass
malformed-header-allow                pass
malformed-header-p-asserted-identity  pass
malformed-header-sdp-v                pass
malformed-header-sdp-o                pass
malformed-header-sdp-s                pass
malformed-header-sdp-i                pass
malformed-header-sdp-c                pass
malformed-header-sdp-b                pass
malformed-header-sdp-z                pass
malformed-header-sdp-k                pass
malformed-header-sdp-a                pass
malformed-header-sdp-t                pass
malformed-header-sdp-r                pass
malformed-header-sdp-m                pass
provisional-invite-expiry-time        210
ips-rtp                               enable
ssl-mode                              off
ssl-send-empty-frags                  enable
ssl-client-renegotiation              allow
ssl-algorithm                         high
ssl-pfs                               allow
ssl-min-version                       tls-1.0
ssl-max-version                       tls-1.2
ssl-client-certificate                (Empty)
ssl-server-certificate                (Empty)
ssl-auth-client                       (Empty)
ssl-auth-server                       (Empty)

sccp

Configuration                         Default Value
status                                enable
block-mcast                           disable
verify-header                         disable
log-call-summary                      disable
log-violations                        disable
max-calls                             0

vpn.certificate/ca
CLI Syntax
config vpn.certificate ca
edit <name_str>
set name <string>
set ca <user>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
set trusted {enable | disable}
set scep-url <string>
set auto-update-days <integer>
set auto-update-days-warning <integer>
set source-ip <ipv4-address>
end

Description

Configuration               Description                                         Default Value
name                        Name.                                               (Empty)
ca                          CA certificate.                                     (Empty)
range                       CA certificate range.                               vdom
source                      CA certificate source.                              user
trusted                     Enable/disable trusted CA.                          enable
scep-url                    URL of SCEP server.                                 (Empty)
auto-update-days            Days to auto-update before expiry (0 = disabled).
auto-update-days-warning    Days to send warning before auto-update (0 = disabled).
source-ip                   Source IP for communications to SCEP server.        0.0.0.0

vpn.certificate/crl
CLI Syntax
config vpn.certificate crl
edit <name_str>
set name <string>
set crl <user>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
set update-vdom <string>
set ldap-server <string>
set ldap-username <string>
set ldap-password <password>
set http-url <string>
set scep-url <string>
set scep-cert <string>
set update-interval <integer>
set source-ip <ipv4-address>
end

Description

Configuration               Description                                         Default Value
name                        Name.                                               (Empty)
crl                         Certificate Revocation List.                        (Empty)
range                       CRL range.                                          vdom
source                      CRL source.                                         user
update-vdom                 Virtual domain for CRL update.                      root
ldap-server                 LDAP server.                                        (Empty)
ldap-username               Login name for LDAP server.                         (Empty)
ldap-password               Login password for LDAP server.                     (Empty)
http-url                    URL of HTTP server for CRL update.                  (Empty)
scep-url                    URL of CA server for CRL update via SCEP.           (Empty)
scep-cert                   Local certificate used for CRL update via SCEP.     Fortinet_CA_SSL
update-interval             Seconds between updates (0 = disabled).
source-ip                   Source IP for communications to CA (HTTP/SCEP) server.  0.0.0.0

vpn.certificate/local
CLI Syntax
config vpn.certificate local
edit <name_str>
set name <string>
set password <password>
set comments <string>
set private-key <user>
set certificate <user>
set csr <user>
set state <user>
set scep-url <string>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
set auto-regenerate-days <integer>
set auto-regenerate-days-warning <integer>
set scep-password <password>
set ca-identifier <string>
set name-encoding {printable | utf8}
set source-ip <ipv4-address>
set ike-localid <string>
set ike-localid-type {asn1dn | fqdn}
end

Description

Configuration               Description                                         Default Value
name                        Name.                                               (Empty)
password                    Password.                                           (Empty)
comments                    Comment.                                            (Empty)
private-key                 Private key.                                        (Empty)
certificate                 Certificate.                                        (Empty)
csr                         Certificate Signing Request.                        (Empty)
state                       Certificate Signing Request State.                  (Empty)
scep-url                    URL of SCEP server.                                 (Empty)
range                       Certificate range.                                  vdom
source                      Certificate source.                                 user
auto-regenerate-days        Days to auto-regenerate before expiry (0 = disabled).
auto-regenerate-days-warning  Days to send warning before auto-regeneration (0 = disabled).
scep-password               SCEP server challenge password for auto-regeneration.  (Empty)
ca-identifier               CA identifier of the CA server for signing via SCEP.  (Empty)
name-encoding               Name encoding for auto-regeneration.                printable
source-ip                   Source IP for communications to SCEP server.        0.0.0.0
ike-localid                 IKE local ID.                                       (Empty)
ike-localid-type            IKE local ID type.                                  asn1dn


vpn.certificate/ocsp-server
CLI Syntax
config vpn.certificate ocsp-server
edit <name_str>
set name <string>
set url <string>
set cert <string>
set secondary-url <string>
set secondary-cert <string>
set unavail-action {revoke | ignore}
set source-ip <ipv4-address>
end


Description

Configuration | Description | Default Value
name | OCSP server entry name. | (Empty)
url | URL to OCSP server. | (Empty)
cert | OCSP server certificate. | (Empty)
secondary-url | URL to secondary OCSP server. | (Empty)
secondary-cert | Secondary OCSP server certificate. | (Empty)
unavail-action | Action when server is unavailable. | revoke
source-ip | Source IP for communications to OCSP server. | 0.0.0.0


vpn.certificate/remote
CLI Syntax
config vpn.certificate remote
edit <name_str>
set name <string>
set remote <user>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
end


Description

Configuration | Description | Default Value
name | Name. | (Empty)
remote | Remote certificate. | (Empty)
range | Remote certificate range. | vdom
source | Remote certificate source. | user


vpn.certificate/setting
CLI Syntax
config vpn.certificate setting
edit <name_str>
set ocsp-status {enable | disable}
set ocsp-default-server <string>
set check-ca-cert {enable | disable}
set strict-crl-check {enable | disable}
set strict-ocsp-check {enable | disable}
end


Description

Configuration | Description | Default Value
ocsp-status | OCSP status. | disable
ocsp-default-server | Default OCSP server. | (Empty)
check-ca-cert | Enable/disable checking the CA certificate. | enable
strict-crl-check | Enable/disable CRL checking in strict mode. | disable
strict-ocsp-check | Enable/disable OCSP checking in strict mode. | disable


vpn.ipsec/concentrator
CLI Syntax
config vpn.ipsec concentrator
edit <name_str>
set name <string>
set src-check {disable | enable}
config member
edit <name_str>
set name <string>
end
end


Description

Configuration | Description | Default Value
name | Concentrator name. | (Empty)
src-check | Enable/disable use of source selector when choosing appropriate tunnel. | disable
member | Concentrator members. | (Empty)


vpn.ipsec/forticlient
CLI Syntax
config vpn.ipsec forticlient
edit <name_str>
set realm <string>
set usergroupname <string>
set phase2name <string>
set status {enable | disable}
end


Description

Configuration | Description | Default Value
realm | FortiClient realm name. | (Empty)
usergroupname | User group name. | (Empty)
phase2name | Tunnel (phase2) name. | (Empty)
status | Enable/disable realm status. | enable


vpn.ipsec/manualkey
CLI Syntax
config vpn.ipsec manualkey
edit <name_str>
set name <string>
set interface <string>
set remote-gw <ipv4-address>
set local-gw <ipv4-address-any>
set authentication {null | md5 | sha1 | sha256 | sha384 | sha512}
set encryption {null | des | 3des | aes128 | aes192 | aes256 | aria128 | aria192 | aria256 | seed}
set authkey <user>
set enckey <user>
set localspi <user>
set remotespi <user>
set npu-offload {enable | disable}
end


Description

Configuration | Description | Default Value
name | IPsec tunnel name. | (Empty)
interface | Interface name. | (Empty)
remote-gw | Peer gateway. | 0.0.0.0
local-gw | Local gateway. | 0.0.0.0
authentication | Authentication algorithm. | null
encryption | Encryption algorithm. | null
authkey | Authentication key. |
enckey | Encryption key. |
localspi | Local SPI. | 0x100
remotespi | Remote SPI. | 0x100
npu-offload | Enable/disable NPU offloading. | enable


vpn.ipsec/manualkey-interface
CLI Syntax
config vpn.ipsec manualkey-interface
edit <name_str>
set name <string>
set interface <string>
set ip-version {4 | 6}
set addr-type {4 | 6}
set remote-gw <ipv4-address>
set remote-gw6 <ipv6-address>
set local-gw <ipv4-address-any>
set local-gw6 <ipv6-address>
set auth-alg {null | md5 | sha1 | sha256 | sha384 | sha512}
set enc-alg {null | des | 3des | aes128 | aes192 | aes256 | aria128 | aria192 | aria256 | seed}
set auth-key <user>
set enc-key <user>
set local-spi <user>
set remote-spi <user>
set npu-offload {enable | disable}
end


Description

Configuration | Description | Default Value
name | IPsec tunnel name. | (Empty)
interface | Interface name. | (Empty)
ip-version | IP version to use for VPN interface. |
addr-type | IP version to use for IP packets. |
remote-gw | Remote IPv4 address of VPN gateway. | 0.0.0.0
remote-gw6 | Remote IPv6 address of VPN gateway. | ::
local-gw | Local IPv4 address of VPN gateway. | 0.0.0.0
local-gw6 | Local IPv6 address of VPN gateway. | ::
auth-alg | Authentication algorithm. | null
enc-alg | Encryption algorithm. | null
auth-key | Authentication key. |
enc-key | Encryption key. |
local-spi | Local SPI. | 0x100
remote-spi | Remote SPI. | 0x100
npu-offload | Enable/disable NPU offloading. | enable


vpn.ipsec/phase1
CLI Syntax
config vpn.ipsec phase1
edit <name_str>
set name <string>
set type {static | dynamic | ddns}
set interface <string>
set ike-version {1 | 2}
set remote-gw <ipv4-address>
set local-gw <ipv4-address>
set remotegw-ddns <string>
set keylife <integer>
config certificate
edit <name_str>
set name <string>
end
set authmethod {psk | rsa-signature | signature}
set mode {aggressive | main}
set peertype {any | one | dialup | peer | peergrp}
set peerid <string>
set usrgrp <string>
set peer <string>
set peergrp <string>
set autoconfig {disable | client | gateway}
set mode-cfg {disable | enable}
set assign-ip {disable | enable}
set assign-ip-from {range | usrgrp | dhcp}
set ipv4-start-ip <ipv4-address>
set ipv4-end-ip <ipv4-address>
set ipv4-netmask <ipv4-netmask>
set dns-mode {manual | auto}
set ipv4-dns-server1 <ipv4-address>
set ipv4-dns-server2 <ipv4-address>
set ipv4-dns-server3 <ipv4-address>
set ipv4-wins-server1 <ipv4-address>
set ipv4-wins-server2 <ipv4-address>
config ipv4-exclude-range
edit <name_str>
set id <integer>
set start-ip <ipv4-address>
set end-ip <ipv4-address>
end
set ipv4-split-include <string>
set split-include-service <string>
set ipv6-start-ip <ipv6-address>
set ipv6-end-ip <ipv6-address>
set ipv6-prefix <integer>
set ipv6-dns-server1 <ipv6-address>
set ipv6-dns-server2 <ipv6-address>
set ipv6-dns-server3 <ipv6-address>
config ipv6-exclude-range
edit <name_str>
set id <integer>
set start-ip <ipv6-address>
set end-ip <ipv6-address>
end
set ipv6-split-include <string>
set unity-support {disable | enable}
set domain <string>
set banner <var-string>
set include-local-lan {disable | enable}
set save-password {disable | enable}
set client-auto-negotiate {disable | enable}
set client-keep-alive {disable | enable}
config backup-gateway
edit <name_str>
set address <string>
end
set proposal {des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 | 3des-md5 | 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 | aes128-md5 | aes128-sha1 | aes128-sha256 | aes128-sha384 | aes128-sha512 | aes192-md5 | aes192-sha1 | aes192-sha256 | aes192-sha384 | aes192-sha512 | aes256-md5 | aes256-sha1 | aes256-sha256 | aes256-sha384 | aes256-sha512 | aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384 | aria128-sha512 | aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384 | aria192-sha512 | aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512 | seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
set add-route {disable | enable}
set exchange-interface-ip {enable | disable}
set add-gw-route {enable | disable}
set psksecret <password>
set keepalive <integer>
set distance <integer>
set priority <integer>
set localid <string>
set localid-type {auto | fqdn | user-fqdn | keyid | address | asn1dn}
set auto-negotiate {enable | disable}
set negotiate-timeout <integer>
set fragmentation {enable | disable}
set dpd {disable | on-idle | on-demand}
set dpd-retrycount <integer>
set dpd-retryinterval <user>
set forticlient-enforcement {enable | disable}
set comments <var-string>
set npu-offload {enable | disable}
set send-cert-chain {enable | disable}
set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
set suite-b {disable | suite-b-gcm-128 | suite-b-gcm-256}
set eap {enable | disable}
set eap-identity {use-id-payload | send-request}
set acct-verify {enable | disable}
set wizard-type {custom | dialup-forticlient | dialup-ios | dialup-android | dialup-windows | dialup-cisco | static-fortigate | dialup-fortigate | static-cisco | dialup-cisco-fw}
set xauthtype {disable | client | pap | chap | auto}
set reauth {disable | enable}
set authusr <string>
set authpasswd <password>
set authusrgrp <string>
set mesh-selector-type {disable | subnet | host}
set idle-timeout {enable | disable}
set idle-timeoutinterval <integer>
set ha-sync-esp-seqno {enable | disable}
set nattraversal {enable | disable | forced}
set esn {require | allow | disable}
end


Description

Configuration | Description | Default Value
name | IPsec remote gateway name. | (Empty)
type | Remote gateway type (static, dialup, or DDNS). | static
interface | Local outgoing interface. | (Empty)
ike-version | IKE protocol version (IKEv1 or IKEv2). |
remote-gw | Remote VPN gateway. | 0.0.0.0
local-gw | Local VPN gateway. | 0.0.0.0
remotegw-ddns | Domain name of remote gateway (e.g. name.DDNS.com). | (Empty)
keylife | Phase1 keylife. | 86400
certificate | Certificate name for signature. | (Empty)
authmethod | Authentication method. | psk
mode | Mode. | main
peertype | Peer type. | any
peerid | Peer ID. | (Empty)
usrgrp | User group. | (Empty)
peer | Accept this peer certificate. | (Empty)
peergrp | Accept this peer certificate group. | (Empty)
autoconfig | Auto-configuration type. |
mode-cfg | Enable/disable configuration method. | disable
assign-ip | Enable/disable assignment of IP to IPsec interface via configuration method. | enable
assign-ip-from | Method by which the IP address will be assigned. | range
ipv4-start-ip | Start of IPv4 range. | 0.0.0.0
ipv4-end-ip | End of IPv4 range. | 0.0.0.0
ipv4-netmask | IPv4 Netmask. | 255.255.255.255
dns-mode | DNS server mode. | manual
ipv4-dns-server1 | IPv4 DNS server 1. | 0.0.0.0
ipv4-dns-server2 | IPv4 DNS server 2. | 0.0.0.0
ipv4-dns-server3 | IPv4 DNS server 3. | 0.0.0.0
ipv4-wins-server1 | WINS server 1. | 0.0.0.0
ipv4-wins-server2 | WINS server 2. | 0.0.0.0
ipv4-exclude-range | Configuration Method IPv4 exclude ranges. | (Empty)
ipv4-split-include | IPv4 split-include subnets. | (Empty)
split-include-service | Split-include services. | (Empty)
ipv6-start-ip | Start of IPv6 range. | ::
ipv6-end-ip | End of IPv6 range. | ::
ipv6-prefix | IPv6 prefix. | 128
ipv6-dns-server1 | IPv6 DNS server 1. | ::
ipv6-dns-server2 | IPv6 DNS server 2. | ::
ipv6-dns-server3 | IPv6 DNS server 3. | ::
ipv6-exclude-range | Configuration method IPv6 exclude ranges. | (Empty)
ipv6-split-include | IPv6 split-include subnets. | (Empty)
unity-support | Enable/disable support for Cisco UNITY Configuration Method extensions. | enable
domain | Instruct unity clients about the default DNS domain. | (Empty)
banner | Message that unity client should display after connecting. | (Empty)
include-local-lan | Enable/disable allowing local LAN access on unity clients. | disable
save-password | Enable/disable saving XAuth username and password on VPN clients. | disable
client-auto-negotiate | Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. | disable
client-keep-alive | Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. | disable
backup-gateway | Instruct unity clients about the backup gateway address(es). | (Empty)
proposal | Phase1 proposal. | aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
add-route | Enable/disable control addition of a route to peer destination selector. | disable
exchange-interface-ip | Enable/disable exchange of IPsec interface IP address. | disable
add-gw-route | Enable/disable automatically adding a route to the remote gateway. | disable
psksecret | Pre-shared secret for PSK authentication. | (Empty)
keepalive | NAT-T keep alive interval. | 10
distance | Distance for routes added by IKE (1 - 255). | 15
priority | Priority for routes added by IKE (0 - 4294967295). |
localid | Local ID. | (Empty)
localid-type | Local ID type. | auto
auto-negotiate | Enable/disable automatic initiation of IKE SA negotiation. | enable
negotiate-timeout | IKE SA negotiation timeout in seconds (1 - 300). | 30
fragmentation | Enable/disable fragmenting IKE messages on retransmission. | enable
dpd | Dead Peer Detection mode. | on-demand
dpd-retrycount | Number of DPD retry attempts. |
dpd-retryinterval | DPD retry interval. | 20
forticlient-enforcement | Enable/disable FortiClient enforcement. | disable
comments | Comment. | (Empty)
npu-offload | Enable/disable NPU offloading. | enable
send-cert-chain | Enable/disable sending certificate chain. | enable
dhgrp | DH group. | 14 5
suite-b | Use Suite-B. | disable
eap | Enable/disable IKEv2 EAP authentication. | disable
eap-identity | IKEv2 EAP peer identity type. | use-id-payload
acct-verify | Enable/disable verification of RADIUS accounting record. | disable
wizard-type | GUI VPN Wizard Type. | custom
xauthtype | XAuth type. | disable
reauth | Enable/disable re-authentication upon IKE SA lifetime expiration. | disable
authusr | XAuth user name. | (Empty)
authpasswd | XAuth password (max 35 characters). | (Empty)
authusrgrp | Authentication user group. | (Empty)
mesh-selector-type | Add selectors containing subsets of the configuration depending on traffic. | disable
idle-timeout | Enable/disable IPsec tunnel idle timeout. | disable
idle-timeoutinterval | IPsec tunnel idle timeout in minutes (10 - 43200). | 15
ha-sync-esp-seqno | Enable/disable sequence number jump ahead for IPsec HA. | enable
nattraversal | Enable/disable NAT traversal. | enable
esn | Extended sequence number (ESN) negotiation. | disable


vpn.ipsec/phase1-interface
CLI Syntax
config vpn.ipsec phase1-interface
edit <name_str>
set name <string>
set type {static | dynamic | ddns}
set interface <string>
set ip-version {4 | 6}
set ike-version {1 | 2}
set local-gw <ipv4-address>
set local-gw6 <ipv6-address>
set remote-gw <ipv4-address>
set remote-gw6 <ipv6-address>
set remotegw-ddns <string>
set keylife <integer>
config certificate
edit <name_str>
set name <string>
end
set authmethod {psk | rsa-signature | signature}
set mode {aggressive | main}
set peertype {any | one | dialup | peer | peergrp}
set peerid <string>
set default-gw <ipv4-address>
set default-gw-priority <integer>
set usrgrp <string>
set peer <string>
set peergrp <string>
set monitor <string>
set monitor-hold-down-type {immediate | delay | time}
set monitor-hold-down-delay <integer>
set monitor-hold-down-weekday {everyday | sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set monitor-hold-down-time <user>
set mode-cfg {disable | enable}
set assign-ip {disable | enable}
set assign-ip-from {range | usrgrp | dhcp}
set ipv4-start-ip <ipv4-address>
set ipv4-end-ip <ipv4-address>
set ipv4-netmask <ipv4-netmask>
set dns-mode {manual | auto}
set ipv4-dns-server1 <ipv4-address>
set ipv4-dns-server2 <ipv4-address>
set ipv4-dns-server3 <ipv4-address>
set ipv4-wins-server1 <ipv4-address>
set ipv4-wins-server2 <ipv4-address>
config ipv4-exclude-range
edit <name_str>
set id <integer>
set start-ip <ipv4-address>
set end-ip <ipv4-address>
end
set ipv4-split-include <string>
set split-include-service <string>
set ipv6-start-ip <ipv6-address>
set ipv6-end-ip <ipv6-address>
set ipv6-prefix <integer>
set ipv6-dns-server1 <ipv6-address>
set ipv6-dns-server2 <ipv6-address>
set ipv6-dns-server3 <ipv6-address>
config ipv6-exclude-range
edit <name_str>
set id <integer>
set start-ip <ipv6-address>
set end-ip <ipv6-address>
end
set ipv6-split-include <string>
set unity-support {disable | enable}
set domain <string>
set banner <var-string>
set include-local-lan {disable | enable}
set save-password {disable | enable}
set client-auto-negotiate {disable | enable}
set client-keep-alive {disable | enable}
config backup-gateway
edit <name_str>
set address <string>
end
set proposal {des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 | 3des-md5 | 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 | aes128-md5 | aes128-sha1 | aes128-sha256 | aes128-sha384 | aes128-sha512 | aes192-md5 | aes192-sha1 | aes192-sha256 | aes192-sha384 | aes192-sha512 | aes256-md5 | aes256-sha1 | aes256-sha256 | aes256-sha384 | aes256-sha512 | aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384 | aria128-sha512 | aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384 | aria192-sha512 | aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512 | seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
set add-route {disable | enable}
set exchange-interface-ip {enable | disable}
set add-gw-route {enable | disable}
set psksecret <password>
set keepalive <integer>
set distance <integer>
set priority <integer>
set localid <string>
set localid-type {auto | fqdn | user-fqdn | keyid | address | asn1dn}
set auto-negotiate {enable | disable}
set negotiate-timeout <integer>
set fragmentation {enable | disable}
set dpd {disable | on-idle | on-demand}
set dpd-retrycount <integer>
set dpd-retryinterval <user>
set forticlient-enforcement {enable | disable}
CLI Reference for FortiOS 5.4
Fortinet Technologies Inc.

726

set forticlient-enforcement {enable | disable}


set comments <var-string>
set npu-offload {enable | disable}
set send-cert-chain {enable | disable}
set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
set suite-b {disable | suite-b-gcm-128 | suite-b-gcm-256}
set eap {enable | disable}
set eap-identity {use-id-payload | send-request}
set acct-verify {enable | disable}
set wizard-type {custom | dialup-forticlient | dialup-ios | dialup-android | dialup-windows | dialup-cisco | static-fortigate | dialup-fortigate | static-cisco | dialup-cisco-fw}
set xauthtype {disable | client | pap | chap | auto}
set reauth {disable | enable}
set authusr <string>
set authpasswd <password>
set authusrgrp <string>
set mesh-selector-type {disable | subnet | host}
set idle-timeout {enable | disable}
set idle-timeoutinterval <integer>
set ha-sync-esp-seqno {enable | disable}
set auto-discovery-sender {enable | disable}
set auto-discovery-receiver {enable | disable}
set auto-discovery-forwarder {enable | disable}
set auto-discovery-psk {enable | disable}
set encapsulation {none | gre | vxlan}
set encapsulation-address {ike | ipv4 | ipv6}
set encap-local-gw4 <ipv4-address>
set encap-local-gw6 <ipv6-address>
set encap-remote-gw4 <ipv4-address>
set encap-remote-gw6 <ipv6-address>
set nattraversal {enable | disable | forced}
set esn {require | allow | disable}
end


Description

Configuration | Description | Default Value
name | IPsec remote gateway name. | (Empty)
type | Remote gateway type (static, dialup, or DDNS). | static
interface | Local outgoing interface. | (Empty)
ip-version | IP version to use for VPN interface. |
ike-version | IKE protocol version (IKEv1 or IKEv2). |
local-gw | Local IPv4 address of VPN. | 0.0.0.0
local-gw6 | Local IPv6 address of VPN. | ::
remote-gw | Remote IPv4 address of VPN gateway. | 0.0.0.0
remote-gw6 | Remote IPv6 address of VPN. | ::
remotegw-ddns | Domain name of remote gateway (e.g. name.DDNS.com). | (Empty)
keylife | Phase1 keylife. | 86400
certificate | Certificate name for signature. | (Empty)
authmethod | Authentication method. | psk
mode | Mode. | main
peertype | Peer type. | any
peerid | Peer ID. | (Empty)
default-gw | IPv4 address of default route gateway to use for traffic exiting the interface. | 0.0.0.0
default-gw-priority | Priority for default gateway route. |
usrgrp | User group. | (Empty)
peer | Accept this peer certificate. | (Empty)
peergrp | Accept this peer certificate group. | (Empty)
monitor | IPsec interface to backup. | (Empty)
monitor-hold-down-type | Control recovery time when primary re-establishes. | immediate
monitor-hold-down-delay | Number of seconds to wait before recovery once primary re-establishes. |
monitor-hold-down-weekday | Day of the week to recover once primary re-establishes. | sunday
monitor-hold-down-time | Time of day to recover once primary re-establishes. | 00:00
mode-cfg | Enable/disable configuration method. | disable
assign-ip | Enable/disable assignment of IP to IPsec interface via configuration method. | enable
assign-ip-from | Method by which the IP address will be assigned. | range
ipv4-start-ip | Start of IPv4 range. | 0.0.0.0
ipv4-end-ip | End of IPv4 range. | 0.0.0.0
ipv4-netmask | IPv4 Netmask. | 255.255.255.255
dns-mode | DNS server mode. | manual
ipv4-dns-server1 | IPv4 DNS server 1. | 0.0.0.0
ipv4-dns-server2 | IPv4 DNS server 2. | 0.0.0.0
ipv4-dns-server3 | IPv4 DNS server 3. | 0.0.0.0
ipv4-wins-server1 | WINS server 1. | 0.0.0.0
ipv4-wins-server2 | WINS server 2. | 0.0.0.0
ipv4-exclude-range | Configuration Method IPv4 exclude ranges. | (Empty)
ipv4-split-include | IPv4 split-include subnets. | (Empty)
split-include-service | Split-include services. | (Empty)
ipv6-start-ip | Start of IPv6 range. | ::
ipv6-end-ip | End of IPv6 range. | ::
ipv6-prefix | IPv6 prefix. | 128
ipv6-dns-server1 | IPv6 DNS server 1. | ::
ipv6-dns-server2 | IPv6 DNS server 2. | ::
ipv6-dns-server3 | IPv6 DNS server 3. | ::
ipv6-exclude-range | Configuration method IPv6 exclude ranges. | (Empty)
ipv6-split-include | IPv6 split-include subnets. | (Empty)
unity-support | Enable/disable support for Cisco UNITY Configuration Method extensions. | enable
domain | Instruct unity clients about the default DNS domain. | (Empty)
banner | Message that unity client should display after connecting. | (Empty)
include-local-lan | Enable/disable allowing local LAN access on unity clients. | disable
save-password | Enable/disable saving XAuth username and password on VPN clients. | disable
client-auto-negotiate | Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. | disable
client-keep-alive | Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. | disable
backup-gateway | Instruct unity clients about the backup gateway address(es). | (Empty)
proposal | Phase1 proposal. | aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
add-route | Enable/disable control addition of a route to peer destination selector. | enable
exchange-interface-ip | Enable/disable exchange of IPsec interface IP address. | disable
add-gw-route | Enable/disable automatically adding a route to the remote gateway. | disable
psksecret | Pre-shared secret for PSK authentication. | (Empty)
keepalive | NAT-T keep alive interval. | 10
distance | Distance for routes added by IKE (1 - 255). | 15
priority | Priority for routes added by IKE (0 - 4294967295). |
localid | Local ID. | (Empty)
localid-type | Local ID type. | auto
auto-negotiate | Enable/disable automatic initiation of IKE SA negotiation. | enable
negotiate-timeout | IKE SA negotiation timeout in seconds (1 - 300). | 30
fragmentation | Enable/disable fragmenting IKE messages on retransmission. | enable
dpd | Dead Peer Detection mode. | on-demand
dpd-retrycount | Number of DPD retry attempts. |
dpd-retryinterval | DPD retry interval. | 20
forticlient-enforcement | Enable/disable FortiClient enforcement. | disable
comments | Comment. | (Empty)
npu-offload | Enable/disable NPU offloading. | enable
send-cert-chain | Enable/disable sending certificate chain. | enable
dhgrp | DH group. | 14 5
suite-b | Use Suite-B. | disable
eap | Enable/disable IKEv2 EAP authentication. | disable
eap-identity | IKEv2 EAP peer identity type. | use-id-payload
acct-verify | Enable/disable verification of RADIUS accounting record. | disable
wizard-type | GUI VPN Wizard Type. | custom
xauthtype | XAuth type. | disable
reauth | Enable/disable re-authentication upon IKE SA lifetime expiration. | disable
authusr | XAuth user name. | (Empty)
authpasswd | XAuth password (max 35 characters). | (Empty)
authusrgrp | Authentication user group. | (Empty)
mesh-selector-type | Add selectors containing subsets of the configuration depending on traffic. | disable
idle-timeout | Enable/disable IPsec tunnel idle timeout. | disable
idle-timeoutinterval | IPsec tunnel idle timeout in minutes (10 - 43200). | 15
ha-sync-esp-seqno | Enable/disable sequence number jump ahead for IPsec HA. | enable
auto-discovery-sender | Enable/disable sending auto-discovery short-cut messages. | disable
auto-discovery-receiver | Enable/disable accepting auto-discovery short-cut messages. | disable
auto-discovery-forwarder | Enable/disable forwarding auto-discovery short-cut messages. | disable
auto-discovery-psk | Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. | disable
encapsulation | Enable/disable GRE/VXLAN encapsulation. | none
encapsulation-address | Source for GRE/VXLAN tunnel address. | ike
encap-local-gw4 | Local IPv4 address of GRE/VXLAN tunnel. | 0.0.0.0
encap-local-gw6 | Local IPv6 address of GRE/VXLAN tunnel. | ::
encap-remote-gw4 | Remote IPv4 address of GRE/VXLAN tunnel. | 0.0.0.0
encap-remote-gw6 | Remote IPv6 address of GRE/VXLAN tunnel. | ::
nattraversal | Enable/disable NAT traversal. | enable
esn | Extended sequence number (ESN) negotiation. | disable


vpn.ipsec/phase2
CLI Syntax
config vpn.ipsec phase2
edit <name_str>
set name <string>
set phase1name <string>
set dhcp-ipsec {enable | disable}
set use-natip {enable | disable}
set selector-match {exact | subset | auto}
set proposal {null-md5 | null-sha1 | null-sha256 | null-sha384 | null-sha512 | des-null | des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 | 3des-null | 3des-md5 | 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 | aes128-null | aes128-md5 | aes128-sha1 | aes128-sha256 | aes128-sha384 | aes128-sha512 | aes128gcm | aes192-null | aes192-md5 | aes192-sha1 | aes192-sha256 | aes192-sha384 | aes192-sha512 | aes256-null | aes256-md5 | aes256-sha1 | aes256-sha256 | aes256-sha384 | aes256-sha512 | aes256gcm | aria128-null | aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384 | aria128-sha512 | aria192-null | aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384 | aria192-sha512 | aria256-null | aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512 | seed-null | seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
set pfs {enable | disable}
set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
set replay {enable | disable}
set keepalive {enable | disable}
set auto-negotiate {enable | disable}
set add-route {phase1 | enable | disable}
set keylifeseconds <integer>
set keylifekbs <integer>
set keylife-type {seconds | kbs | both}
set single-source {enable | disable}
set route-overlap {use-old | use-new | allow}
set encapsulation {tunnel-mode | transport-mode}
set l2tp {enable | disable}
set comments <var-string>
set protocol <integer>
set src-name <string>
set src-name6 <string>
set src-addr-type {subnet | range | ip | name}
set src-start-ip <ipv4-address-any>
set src-start-ip6 <ipv6-address>
set src-end-ip <ipv4-address-any>
set src-end-ip6 <ipv6-address>
set src-subnet <ipv4-classnet-any>
set src-subnet6 <ipv6-prefix>
set src-port <integer>
set dst-name <string>
set dst-name6 <string>
set dst-addr-type {subnet | range | ip | name}
set dst-start-ip <ipv4-address-any>
set dst-start-ip6 <ipv6-address>
set dst-end-ip <ipv4-address-any>
set dst-end-ip6 <ipv6-address>
set dst-subnet <ipv4-classnet-any>
set dst-subnet6 <ipv6-prefix>
set dst-port <integer>
end


Description

Configuration | Description | Default Value
name | IPsec tunnel name. | (Empty)
phase1name | IKE phase1 name. | (Empty)
dhcp-ipsec | Enable/disable DHCP-IPsec. | disable
use-natip | Enable/disable source NAT selector fix-up. | enable
selector-match | Match type to use when comparing selectors. | auto
proposal | Phase2 proposal. | aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
pfs | Enable/disable PFS feature. | enable
dhgrp | Phase2 DH group. | 14 5
replay | Enable/disable replay detection. | enable
keepalive | Enable/disable keep alive. | disable
auto-negotiate | Enable/disable IPsec SA auto-negotiation. | disable
add-route | Enable/disable automatic route addition. | phase1
keylifeseconds | Phase2 key life in time in seconds (120 - 172800). | 43200
keylifekbs | Phase2 key life in number of bytes of traffic (5120 - 4294967295). | 5120
keylife-type | Keylife type. | seconds
single-source | Enable/disable single source IP restriction. | disable
route-overlap | Action for overlapping routes. | use-new
encapsulation | ESP encapsulation mode. | tunnel-mode
l2tp | Enable/disable L2TP over IPsec. | disable
comments | Comment. | (Empty)
protocol | Quick mode protocol selector (1 - 255 or 0 for all). |
src-name | Local proxy ID name. | (Empty)
src-name6 | Local proxy ID IPv6 name. | (Empty)
src-addr-type | Local proxy ID type. | subnet
src-start-ip | Local proxy ID start. | 0.0.0.0
src-start-ip6 | Local proxy ID IPv6 start. | ::
src-end-ip | Local proxy ID end. | 0.0.0.0
src-end-ip6 | Local proxy ID IPv6 end. | ::
src-subnet | Local proxy ID subnet. | 0.0.0.0 0.0.0.0
src-subnet6 | Local proxy ID IPv6 subnet. | ::/0
src-port | Quick mode source port (1 - 65535 or 0 for all). |
dst-name | Remote proxy ID name. | (Empty)
dst-name6 | Remote proxy ID IPv6 name. | (Empty)
dst-addr-type | Remote proxy ID type. | subnet
dst-start-ip | Remote proxy ID IPv4 start. | 0.0.0.0
dst-start-ip6 | Remote proxy ID IPv6 start. | ::
dst-end-ip | Remote proxy ID IPv4 end. | 0.0.0.0
dst-end-ip6 | Remote proxy ID IPv6 end. | ::
dst-subnet | Remote proxy ID IPv4 subnet. | 0.0.0.0 0.0.0.0
dst-subnet6 | Remote proxy ID IPv6 subnet. | ::/0
dst-port | Quick mode destination port (1 - 65535 or 0 for all). |


vpn.ipsec/phase2-interface
CLI Syntax
config vpn.ipsec phase2-interface
edit <name_str>
set name <string>
set phase1name <string>
set dhcp-ipsec {enable | disable}
set proposal {null-md5 | null-sha1 | null-sha256 | null-sha384 | null-sha512 | des-null | des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 | 3des-null | 3des-md5 | 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 | aes128-null | aes128-md5 | aes128-sha1 | aes128-sha256 | aes128-sha384 | aes128-sha512 | aes128gcm | aes192-null | aes192-md5 | aes192-sha1 | aes192-sha256 | aes192-sha384 | aes192-sha512 | aes256-null | aes256-md5 | aes256-sha1 | aes256-sha256 | aes256-sha384 | aes256-sha512 | aes256gcm | aria128-null | aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384 | aria128-sha512 | aria192-null | aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384 | aria192-sha512 | aria256-null | aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512 | seed-null | seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
set pfs {enable | disable}
set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
set replay {enable | disable}
set keepalive {enable | disable}
set auto-negotiate {enable | disable}
set add-route {phase1 | enable | disable}
set auto-discovery-sender {phase1 | enable | disable}
set auto-discovery-forwarder {phase1 | enable | disable}
set keylifeseconds <integer>
set keylifekbs <integer>
set keylife-type {seconds | kbs | both}
set single-source {enable | disable}
set route-overlap {use-old | use-new | allow}
set encapsulation {tunnel-mode | transport-mode}
set l2tp {enable | disable}
set comments <var-string>
set protocol <integer>
set src-name <string>
set src-name6 <string>
set src-addr-type {subnet | range | ip | name | subnet6 | range6 | ip6 | name6}
set src-start-ip <ipv4-address-any>
set src-start-ip6 <ipv6-address>
set src-end-ip <ipv4-address-any>
set src-end-ip6 <ipv6-address>
set src-subnet <ipv4-classnet-any>
set src-subnet6 <ipv6-prefix>
set src-port <integer>
set dst-name <string>
set dst-name6 <string>
set dst-addr-type {subnet | range | ip | name | subnet6 | range6 | ip6 | name6}
set dst-start-ip <ipv4-address-any>
set dst-start-ip6 <ipv6-address>
set dst-end-ip <ipv4-address-any>
set dst-end-ip6 <ipv6-address>
set dst-subnet <ipv4-classnet-any>
set dst-subnet6 <ipv6-prefix>
set dst-port <integer>
end


Description
Configuration | Description | Default Value
name | IPsec tunnel name. | (Empty)
phase1name | IKE phase1 name. | (Empty)
dhcp-ipsec | Enable/disable DHCP-IPsec. | disable
proposal | Phase2 proposal. | aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
pfs | Enable/disable PFS feature. | enable
dhgrp | Phase2 DH group. | 14 5
replay | Enable/disable replay detection. | enable
keepalive | Enable/disable keep alive. | disable
auto-negotiate | Enable/disable IPsec SA auto-negotiation. | disable
add-route | Enable/disable automatic route addition. | phase1
auto-discovery-sender | Enable/disable sending short-cut messages. | phase1
auto-discovery-forwarder | Enable/disable forwarding short-cut messages. | phase1
keylifeseconds | Phase2 key life in time in seconds (120 - 172800). | 43200
keylifekbs | Phase2 key life in number of bytes of traffic (5120 - 4294967295). | 5120
keylife-type | Keylife type. | seconds
single-source | Enable/disable single source IP restriction. | disable
route-overlap | Action for overlapping routes. | use-new
encapsulation | ESP encapsulation mode. | tunnel-mode
l2tp | Enable/disable L2TP over IPsec. | disable
comments | Comment. | (Empty)
protocol | Quick mode protocol selector (1 - 255 or 0 for all). |
src-name | Local proxy ID name. | (Empty)
src-name6 | Local proxy ID name. | (Empty)
src-addr-type | Local proxy ID type. | subnet
src-start-ip | Local proxy ID start. | 0.0.0.0
src-start-ip6 | Local proxy ID IPv6 start. | ::
src-end-ip | Local proxy ID end. | 0.0.0.0
src-end-ip6 | Local proxy ID IPv6 end. | ::
src-subnet | Local proxy ID subnet. | 0.0.0.0 0.0.0.0
src-subnet6 | Local proxy ID IPv6 subnet. | ::/0
src-port | Quick mode source port (1 - 65535 or 0 for all). |
dst-name | Remote proxy ID name. | (Empty)
dst-name6 | Remote proxy ID name. | (Empty)
dst-addr-type | Remote proxy ID type. | subnet
dst-start-ip | Remote proxy ID IPv4 start. | 0.0.0.0
dst-start-ip6 | Remote proxy ID IPv6 start. | ::
dst-end-ip | Remote proxy ID IPv4 end. | 0.0.0.0
dst-end-ip6 | Remote proxy ID IPv6 end. | ::
dst-subnet | Remote proxy ID IPv4 subnet. | 0.0.0.0 0.0.0.0
dst-subnet6 | Remote proxy ID IPv6 subnet. | ::/0
dst-port | Quick mode destination port (1 - 65535 or 0 for all). |


vpn.ssl.web/host-check-software
CLI Syntax
config vpn.ssl.web host-check-software
edit <name_str>
set name <string>
set type {av | fw}
set version <string>
set guid <user>
config check-item-list
edit <name_str>
set id <integer>
set action {require | deny}
set type {file | registry | process}
set target <string>
set version <string>
config md5s
edit <name_str>
set id <string>
end
end
end


Description
Configuration | Description | Default Value
name | Name. | (Empty)
type | Type. | av
version | Version. | (Empty)
guid | Globally unique ID. | "00000000-0000-0000-0000-000000000000"
check-item-list | Check item list. | (Empty)


vpn.ssl.web/portal
CLI Syntax
config vpn.ssl.web portal
edit <name_str>
set name <string>
set tunnel-mode {enable | disable}
set ip-mode {range | user-group}
set auto-connect {enable | disable}
set keep-alive {enable | disable}
set save-password {enable | disable}
config ip-pools
edit <name_str>
set name <string>
end
set exclusive-routing {enable | disable}
set service-restriction {enable | disable}
set split-tunneling {enable | disable}
config split-tunneling-routing-address
edit <name_str>
set name <string>
end
set dns-server1 <ipv4-address>
set dns-server2 <ipv4-address>
set wins-server1 <ipv4-address>
set wins-server2 <ipv4-address>
set ipv6-tunnel-mode {enable | disable}
config ipv6-pools
edit <name_str>
set name <string>
end
set ipv6-exclusive-routing {enable | disable}
set ipv6-service-restriction {enable | disable}
set ipv6-split-tunneling {enable | disable}
config ipv6-split-tunneling-routing-address
edit <name_str>
set name <string>
end
set ipv6-dns-server1 <ipv6-address>
set ipv6-dns-server2 <ipv6-address>
set ipv6-wins-server1 <ipv6-address>
set ipv6-wins-server2 <ipv6-address>
set web-mode {enable | disable}
set display-bookmark {enable | disable}
set user-bookmark {enable | disable}
set user-group-bookmark {enable | disable}
config bookmark-group
edit <name_str>
set name <string>
config bookmarks
edit <name_str>
set name <string>
set apptype {citrix | ftp | portforward | rdp | rdpnative | smb | ssh | telnet | vnc | web}
set url <var-string>
set host <var-string>
set folder <var-string>
set additional-params <var-string>
set listening-port <integer>
set remote-port <integer>
set show-status-window {enable | disable}
set description <var-string>
set server-layout {en-us-qwerty | de-de-qwertz | fr-fr-azerty | it-it-qwerty | sv-se-qwerty | failsafe}
set security {rdp | nla | tls | any}
set port <integer>
set logon-user <var-string>
set logon-password <password>
set sso {disable | static | auto}
config form-data
edit <name_str>
set name <string>
set value <var-string>
end
set sso-credential {sslvpn-login | alternative}
set sso-username <var-string>
set sso-password <password>
end
end
set display-connection-tools {enable | disable}
set display-history {enable | disable}
set display-status {enable | disable}
set heading <string>
set redir-url <var-string>
set theme {blue | green | red | melongene | mariner}
set custom-lang <string>
set host-check {none | av | fw | av-fw | custom}
set host-check-interval <integer>
config host-check-policy
edit <name_str>
set name <string>
end
set limit-user-logins {enable | disable}
set mac-addr-check {enable | disable}
set mac-addr-action {allow | deny}
config mac-addr-check-rule
edit <name_str>
set name <string>
set mac-addr-mask <integer>
config mac-addr-list
edit <name_str>
set addr <mac-address>
end
end
end
set os-check {enable | disable}
config os-check-list
edit <name_str>
set name <string>
set action {deny | allow | check-up-to-date}
set tolerance <integer>
set latest-patch-level <user>
end
set virtual-desktop {enable | disable}
set virtual-desktop-app-list <string>
set virtual-desktop-clipboard-share {enable | disable}
set virtual-desktop-desktop-switch {enable | disable}
set virtual-desktop-logout-when-browser-close {enable | disable}
set virtual-desktop-network-share-access {enable | disable}
set virtual-desktop-printing {enable | disable}
set virtual-desktop-removable-media-access {enable | disable}
set skip-check-for-unsupported-os {enable | disable}
set skip-check-for-unsupported-browser {enable | disable}
end


Description
Configuration | Description | Default Value
name | Portal name. | (Empty)
tunnel-mode | Enable/disable SSL VPN tunnel mode. | disable
ip-mode | IP mode is range or by user group. | range
auto-connect | Enable/disable automatic connect by client when system is up. | disable
keep-alive | Enable/disable automatic re-connect by client. | disable
save-password | Enable/disable save of user password by client. | disable
ip-pools | Tunnel IP pools. | (Empty)
exclusive-routing | Enable/disable sending all traffic through the tunnel only. | disable
service-restriction | Enable/disable tunnel service restriction. | disable
split-tunneling | Enable/disable split tunneling. | enable
split-tunneling-routing-address | Split tunnelling address range for client routing. | (Empty)
dns-server1 | DNS server 1. | 0.0.0.0
dns-server2 | DNS server 2. | 0.0.0.0
wins-server1 | WINS server 1. | 0.0.0.0
wins-server2 | WINS server 2. | 0.0.0.0
ipv6-tunnel-mode | Enable/disable SSL VPN IPv6 tunnel mode. | disable
ipv6-pools | Tunnel IP pools. | (Empty)
ipv6-exclusive-routing | Enable/disable sending all IPv6 traffic through the tunnel only. | disable
ipv6-service-restriction | Enable/disable IPv6 tunnel service restriction. | disable
ipv6-split-tunneling | Enable/disable IPv6 split tunneling. | enable
ipv6-split-tunneling-routing-address | IPv6 split tunnelling address range for client routing. | (Empty)
ipv6-dns-server1 | IPv6 DNS server 1. | ::
ipv6-dns-server2 | IPv6 DNS server 2. | ::
ipv6-wins-server1 | IPv6 WINS server 1. | ::
ipv6-wins-server2 | IPv6 WINS server 2. | ::
web-mode | Enable/disable SSL VPN web mode. | disable
display-bookmark | Enable/disable displaying of bookmark widget. | enable
user-bookmark | Enable/disable user defined bookmark. | enable
user-group-bookmark | Enable/disable user group defined bookmark. | enable
bookmark-group | Portal bookmark group. | (Empty)
display-connection-tools | Enable/disable displaying of connection tools widget. | enable
display-history | Enable/disable displaying of user login history widget. | enable
display-status | Enable/disable display of status widget. | enable
heading | Portal heading message. | SSL-VPN Portal
redir-url | Client login redirect URL. | (Empty)
theme | Color scheme for the portal. | blue
custom-lang | Custom portal language. | (Empty)
host-check | Configure host check settings. | none
host-check-interval | Periodic host check interval. |
host-check-policy | Host check policy. | (Empty)
limit-user-logins | Enable/disable limiting users to one active SSL VPN connection at a time. | disable
mac-addr-check | Client MAC address check. | disable
mac-addr-action | Client MAC address action. | allow
mac-addr-check-rule | Client MAC address check rule. | (Empty)
os-check | Enable/disable SSL VPN OS check. | disable
os-check-list | SSL VPN OS checks. | (Empty)
virtual-desktop | Enable/disable SSL VPN virtual desktop. | disable
virtual-desktop-app-list | Virtual desktop application list. | (Empty)
virtual-desktop-clipboard-share | Enable/disable sharing of clipboard in virtual desktop. | disable
virtual-desktop-desktop-switch | Enable/disable switch to virtual desktop. | enable
virtual-desktop-logout-when-browser-close | Enable/disable logout when browser is closed in virtual desktop. | disable
virtual-desktop-network-share-access | Enable/disable network share access in virtual desktop. | disable
virtual-desktop-printing | Enable/disable printing in virtual desktop. | disable
virtual-desktop-removable-media-access | Enable/disable access to removable media in virtual desktop. | disable
skip-check-for-unsupported-os | Skip check for unsupported OS. | enable
skip-check-for-unsupported-browser | Skip check for unsupported browsers. | enable


vpn.ssl.web/realm
CLI Syntax
config vpn.ssl.web realm
edit <name_str>
set url-path <string>
set max-concurrent-user <integer>
set login-page <var-string>
set virtual-host <var-string>
end


Description
Configuration | Description | Default Value
url-path | URL path to access SSL-VPN login page. | (Empty)
max-concurrent-user | Maximum concurrent users (0 - 65535, 0 for unlimited). |
login-page | Replacement HTML for SSL-VPN login page. | (Empty)
virtual-host | Virtual host name for realm. | (Empty)


vpn.ssl.web/user-bookmark
CLI Syntax
config vpn.ssl.web user-bookmark
edit <name_str>
set name <string>
set custom-lang <string>
config bookmarks
edit <name_str>
set name <string>
set apptype {citrix | ftp | portforward | rdp | rdpnative | smb | ssh | telnet | vnc | web}
set url <var-string>
set host <var-string>
set folder <var-string>
set additional-params <var-string>
set listening-port <integer>
set remote-port <integer>
set show-status-window {enable | disable}
set description <var-string>
set server-layout {en-us-qwerty | de-de-qwertz | fr-fr-azerty | it-it-qwerty | sv-se-qwerty | failsafe}
set security {rdp | nla | tls | any}
set port <integer>
set logon-user <var-string>
set logon-password <password>
set sso {disable | static | auto}
config form-data
edit <name_str>
set name <string>
set value <var-string>
end
set sso-credential {sslvpn-login | alternative}
set sso-username <var-string>
set sso-password <password>
end
end


Description
Configuration | Description | Default Value
name | User and group name. | (Empty)
custom-lang | Personal language. | (Empty)
bookmarks | Bookmark table. | (Empty)


vpn.ssl.web/virtual-desktop-app-list
CLI Syntax
config vpn.ssl.web virtual-desktop-app-list
edit <name_str>
set name <string>
set action {allow | block}
config apps
edit <name_str>
set name <string>
config md5s
edit <name_str>
set id <string>
end
end
end


Description
Configuration | Description | Default Value
name | Application list name. | (Empty)
action | Action. | allow
apps | Applications. | (Empty)


vpn.ssl/settings
CLI Syntax
config vpn.ssl settings
edit <name_str>
set reqclientcert {enable | disable}
set sslv3 {enable | disable}
set tlsv1-0 {enable | disable}
set tlsv1-1 {enable | disable}
set tlsv1-2 {enable | disable}
set banned-cipher {RSA | DH | DHE | ECDH | ECDHE | DSS | ECDSA | AES | AESGCM | CAMELLIA | 3DES | SHA1 | SHA256 | SHA384}
set ssl-big-buffer {enable | disable}
set ssl-insert-empty-fragment {enable | disable}
set https-redirect {enable | disable}
set ssl-client-renegotiation {disable | enable}
set force-two-factor-auth {enable | disable}
set unsafe-legacy-renegotiation {enable | disable}
set servercert <string>
set algorithm {high | medium | default | low}
set idle-timeout <integer>
set auth-timeout <integer>
config tunnel-ip-pools
edit <name_str>
set name <string>
end
config tunnel-ipv6-pools
edit <name_str>
set name <string>
end
set dns-suffix <var-string>
set dns-server1 <ipv4-address>
set dns-server2 <ipv4-address>
set wins-server1 <ipv4-address>
set wins-server2 <ipv4-address>
set ipv6-dns-server1 <ipv6-address>
set ipv6-dns-server2 <ipv6-address>
set ipv6-wins-server1 <ipv6-address>
set ipv6-wins-server2 <ipv6-address>
set route-source-interface {enable | disable}
set url-obscuration {enable | disable}
set http-compression {enable | disable}
set http-only-cookie {enable | disable}
set deflate-compression-level <integer>
set deflate-min-data-size <integer>
set port <integer>
set port-precedence {enable | disable}
set auto-tunnel-static-route {enable | disable}
set header-x-forwarded-for {pass | add | remove}
config source-interface
edit <name_str>
set name <string>
end
config source-address
edit <name_str>
set name <string>
end
set source-address-negate {enable | disable}
config source-address6
edit <name_str>
set name <string>
end
set source-address6-negate {enable | disable}
set default-portal <string>
config authentication-rule
edit <name_str>
set id <integer>
config source-interface
edit <name_str>
set name <string>
end
config source-address
edit <name_str>
set name <string>
end
set source-address-negate {enable | disable}
config source-address6
edit <name_str>
set name <string>
end
set source-address6-negate {enable | disable}
config users
edit <name_str>
set name <string>
end
config groups
edit <name_str>
set name <string>
end
set portal <string>
set realm <string>
set client-cert {enable | disable}
set cipher {any | high | medium}
set auth {any | local | radius | tacacs+ | ldap}
end
set dtls-tunnel {enable | disable}
set check-referer {enable | disable}
end


Description
Configuration | Description | Default Value
reqclientcert | Enable/disable require client certificate. | disable
sslv3 | Enable/disable SSLv3. | disable
tlsv1-0 | Enable/disable TLSv1.0. | disable
tlsv1-1 | Enable/disable TLSv1.1. | enable
tlsv1-2 | Enable/disable TLSv1.2. | enable
banned-cipher | Banned ciphers for SSLVPN. | (Empty)
ssl-big-buffer | Enable/disable big SSLv3 buffer. | disable
ssl-insert-empty-fragment | Enable/disable insertion of empty fragment. | enable
https-redirect | Enable/disable redirect of port 80 to SSL-VPN port. | disable
ssl-client-renegotiation | Allow/block client renegotiation by server. | disable
force-two-factor-auth | Enable/disable force two-factor authentication. | disable
unsafe-legacy-renegotiation | Enable/disable unsafe legacy re-negotiation. | disable
servercert | Server certificate. | Fortinet_Factory
algorithm | Allow algorithms. | high
idle-timeout | SSL VPN disconnects if idle for specified time. | 300
auth-timeout | Forced re-authentication after timeout. | 28800
tunnel-ip-pools | Tunnel IP pools. | (Empty)
tunnel-ipv6-pools | Tunnel IPv6 pools. | (Empty)
dns-suffix | DNS suffix. | (Empty)
dns-server1 | DNS server 1. | 0.0.0.0
dns-server2 | DNS server 2. | 0.0.0.0
wins-server1 | WINS server 1. | 0.0.0.0
wins-server2 | WINS server 2. | 0.0.0.0
ipv6-dns-server1 | IPv6 DNS server 1. | ::
ipv6-dns-server2 | IPv6 DNS server 2. | ::
ipv6-wins-server1 | IPv6 WINS server 1. | ::
ipv6-wins-server2 | IPv6 WINS server 2. | ::
route-source-interface | Enable/disable bind client side outgoing interface. | disable
url-obscuration | Enable/disable URL obscuration. | disable
http-compression | Enable/disable support for HTTP compression. | disable
http-only-cookie | Enable/disable support for HTTP-only cookie. | enable
deflate-compression-level | Compression level (0 - 9). |
deflate-min-data-size | Minimum size to start compression (200 - 65535). | 300
port | SSL VPN access HTTPS port (1 - 65535). | 10443
port-precedence | Enable/disable SSLVPN port precedence over admin GUI HTTPS port. | enable
auto-tunnel-static-route | Enable/disable auto create static route for tunnel IP addresses. | enable
header-x-forwarded-for | Action for the HTTP x-forwarded-for header in forwarded requests. | add
source-interface | SSL VPN source interface of incoming traffic. | (Empty)
source-address | Source address of incoming traffic. | (Empty)
source-address-negate | Enable/disable negated source address match. | disable
source-address6 | IPv6 source address of incoming traffic. | (Empty)
source-address6-negate | Enable/disable negated source IPv6 address match. | disable
default-portal | Default SSL VPN portal. | (Empty)
authentication-rule | Authentication rule for SSL VPN. | (Empty)
dtls-tunnel | Enable/disable DTLS tunnel. | enable
check-referer | Enable/disable verification of referer field in HTTP request header. | disable
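The phase2-interface table and the vpn.ssl settings table above list the values a reviewer checks first: the phase2 proposal, PFS, DH group and replay detection, and the SSL VPN protocol versions, renegotiation flags, cookie and referer checks. As an added example that is not Fortinet's code, the Python below parses a config dump written in the config/edit/set/next/end syntax used throughout this guide and flags the weak values; the dump is constructed, and the thresholds (which proposal algorithms and DH groups count as weak, and that 3DES belongs in banned-cipher) are my assumptions.

```python
import shlex

# Constructed sample dump (not from a real device), written in the path
# notation this guide uses; the parser also accepts `config vpn ssl settings`.
SAMPLE_CONFIG = """\
config vpn.ssl settings
    set sslv3 enable
    set tlsv1-0 enable
    set ssl-client-renegotiation enable
    set unsafe-legacy-renegotiation enable
    set http-only-cookie disable
    set check-referer disable
    set banned-cipher RSA
end
config vpn.ipsec phase2-interface
    edit "branch-p2"
        set proposal 3des-sha1 aes128-sha1 aes256-sha256
        set pfs disable
        set dhgrp 5 14
        set replay disable
    next
    edit "hq-p2"
        set proposal aes256-sha256 aes256gcm
        set dhgrp 14 19
    next
end
"""

# Assumed thresholds: what this audit treats as weak.
WEAK_ENCRYPTION = {"null", "des", "3des"}  # encryption half of a phase2 proposal
WEAK_INTEGRITY = {"null", "md5"}           # integrity half of a phase2 proposal
WEAK_DH_GROUPS = {"1", "2", "5"}           # MODP groups of 768, 1024 and 1536 bits


def _node(kind):
    return {"kind": kind, "set": {}, "entries": {}, "tables": {}}


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into nested dicts; `end` also
    closes an open `edit`, matching this guide's listings, which omit `next`."""
    root = _node("root")
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":                   # table path, dots normalised to spaces
            child = _node("config")
            stack[-1]["tables"][" ".join(args).replace(".", " ")] = child
            stack.append(child)
        elif kw == "edit":                   # one entry of a table
            child = _node("edit")
            stack[-1]["entries"][args[0]] = child
            stack.append(child)
        elif kw == "set":
            stack[-1]["set"][args[0]] = args[1:]
        elif kw == "next":
            stack.pop()
        elif kw == "end":
            while len(stack) > 1 and stack.pop()["kind"] != "config":
                pass
    return root


def _leaves(table):
    """Yield (entry name, node) per `edit` entry, or the table itself if it has none."""
    if table:
        yield from table["entries"].items() or [("", table)]


def audit(text):
    """Return findings for the vpn ssl settings and phase2-interface tables."""
    tables = parse_fortios(text)["tables"]
    out = []
    for _, node in _leaves(tables.get("vpn ssl settings")):
        s = node["set"]
        for key in ("sslv3", "tlsv1-0", "ssl-client-renegotiation",
                    "unsafe-legacy-renegotiation"):
            if s.get(key) == ["enable"]:
                out.append(f"vpn ssl settings: {key} is enabled")
        for key in ("http-only-cookie", "check-referer"):
            if s.get(key) == ["disable"]:
                out.append(f"vpn ssl settings: {key} is disabled")
        if "3DES" not in s.get("banned-cipher", []):
            out.append("vpn ssl settings: 3DES is not in banned-cipher")
    for name, node in _leaves(tables.get("vpn ipsec phase2-interface")):
        s = node["set"]
        for prop in s.get("proposal", []):
            enc, _, integ = prop.partition("-")  # aes256gcm has no integrity half
            if enc in WEAK_ENCRYPTION or integ in WEAK_INTEGRITY:
                out.append(f"phase2 {name}: weak proposal {prop}")
        if s.get("pfs") == ["disable"]:
            out.append(f"phase2 {name}: PFS disabled")
        if s.get("replay") == ["disable"]:
            out.append(f"phase2 {name}: replay detection disabled")
        for grp in s.get("dhgrp", []):
            if grp in WEAK_DH_GROUPS:
                out.append(f"phase2 {name}: DH group {grp} is below 2048 bits")
    return out
```

Running `audit(SAMPLE_CONFIG)` yields eleven findings: seven for the ssl settings block and four for the branch-p2 entry, none for hq-p2.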


vpn/l2tp
CLI Syntax
config vpn l2tp
edit <name_str>
set eip <ipv4-address>
set sip <ipv4-address>
set status {enable | disable}
set usrgrp <string>
end


Description
Configuration | Description | Default Value
eip | End IP. | 0.0.0.0
sip | Start IP. | 0.0.0.0
status | Enable/disable FortiGate as a L2TP gateway. | disable
usrgrp | User group. | (Empty)


vpn/pptp
CLI Syntax
config vpn pptp
edit <name_str>
set status {enable | disable}
set ip-mode {range | usrgrp}
set eip <ipv4-address>
set sip <ipv4-address>
set local-ip <ipv4-address>
set usrgrp <string>
end


Description
Configuration | Description | Default Value
status | Enable/disable FortiGate as a PPTP gateway. | disable
ip-mode | IP assignment mode for PPTP client. | range
eip | End IP. | 0.0.0.0
sip | Start IP. | 0.0.0.0
local-ip | Local IP to be used for peer's remote IP. | 0.0.0.0
usrgrp | User group. | (Empty)


waf/main-class
CLI Syntax
config waf main-class
edit <name_str>
set name <string>
set id <integer>
end


Description
Configuration | Description | Default Value
name | Main signature class name. | (Empty)
id | Main signature class ID. |


waf/profile
CLI Syntax
config waf profile
edit <name_str>
set name <string>
set external {disable | enable}
config signature
edit <name_str>
config main-class
edit <name_str>
set id <integer>
set status {enable | disable}
set action {allow | block | erase}
set log {enable | disable}
set severity {high | medium | low}
end
config disabled-sub-class
edit <name_str>
set id <integer>
end
config disabled-signature
edit <name_str>
set id <integer>
end
set credit-card-detection-threshold <integer>
config custom-signature
edit <name_str>
set name <string>
set status {enable | disable}
set action {allow | block | erase}
set log {enable | disable}
set severity {high | medium | low}
set direction {request | response}
set case-sensitivity {disable | enable}
set pattern <string>
set target {arg | arg-name | req-body | req-cookie | req-cookie-name | req-filename | req-header | req-header-name | req-raw-uri | req-uri | resp-body | resp-hdr | resp-status}
end
end
config constraint
edit <name_str>
config header-length
edit <name_str>
set status {enable | disable}
set length <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config content-length
edit <name_str>
set status {enable | disable}
set length <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config param-length
edit <name_str>
set status {enable | disable}
set length <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config line-length
edit <name_str>
set status {enable | disable}
set length <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config url-param-length
edit <name_str>
set status {enable | disable}
set length <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config version
edit <name_str>
set status {enable | disable}
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config method
edit <name_str>
set status {enable | disable}
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config hostname
edit <name_str>
set status {enable | disable}
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config malformed
edit <name_str>
set status {enable | disable}
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config max-cookie
edit <name_str>
set status {enable | disable}
set max-cookie <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config max-header-line
edit <name_str>
set status {enable | disable}
set max-header-line <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config max-url-param
edit <name_str>
set status {enable | disable}
set max-url-param <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config max-range-segment
edit <name_str>
set status {enable | disable}
set max-range-segment <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config exception
edit <name_str>
set id <integer>
set pattern <string>
set regex {enable | disable}
set address <string>
set header-length {enable | disable}
set content-length {enable | disable}
set param-length {enable | disable}
set line-length {enable | disable}
set url-param-length {enable | disable}
set version {enable | disable}

set method {enable | disable}
set hostname {enable | disable}
set malformed {enable | disable}
set max-cookie {enable | disable}
set max-header-line {enable | disable}
set max-url-param {enable | disable}
set max-range-segment {enable | disable}
end

end
config method
edit <name_str>
set status {enable | disable}
set log {enable | disable}
set severity {high | medium | low}
set default-allowed-methods {get | post | put | head | connect | trace | options | delete | others}
config method-policy
edit <name_str>
set id <integer>
set pattern <string>
set regex {enable | disable}
set address <string>
set allowed-methods {get | post | put | head | connect | trace | options | delete | others}
end
end
config address-list
edit <name_str>
set status {enable | disable}
set blocked-log {enable | disable}
set severity {high | medium | low}
config trusted-address
edit <name_str>
set name <string>
end
config blocked-address
edit <name_str>
set name <string>
end
end
config url-access
edit <name_str>
set id <integer>
set address <string>
set action {bypass | permit | block}
set log {enable | disable}
set severity {high | medium | low}
config access-pattern
edit <name_str>
set id <integer>
set srcaddr <string>
set pattern <string>
set regex {enable | disable}
set negate {enable | disable}
end
end
set comment <var-string>
end


Description
Configuration | Description | Default Value
name | WAF Profile name. | (Empty)
external | Disable/Enable external HTTP Inspection. | disable
signature | WAF signatures. | Details below
  signature sub-table (Configuration | Default Value):
  main-class | (Empty)
  disabled-sub-class | (Empty)
  disabled-signature | (Empty)
  credit-card-detection-threshold | 3
  custom-signature | (Empty)
constraint | WAF HTTP protocol restrictions. | Details below
  constraint sub-table (Configuration | Default Value):
  header-length | {"status":"disable","length":8192,"action":"allow","log":"disable","severity":"medium"}
  content-length | {"status":"disable","length":67108864,"action":"allow","log":"disable","severity":"medium"}
  param-length | {"status":"disable","length":8192,"action":"allow","log":"disable","severity":"medium"}
  line-length | {"status":"disable","length":1024,"action":"allow","log":"disable","severity":"medium"}
  url-param-length | {"status":"disable","length":8192,"action":"allow","log":"disable","severity":"medium"}
  version | {"status":"disable","action":"allow","log":"disable","severity":"medium"}
  method | {"status":"disable","action":"allow","log":"disable","severity":"medium"}
  hostname | {"status":"disable","action":"allow","log":"disable","severity":"medium"}
  malformed | {"status":"disable","action":"allow","log":"disable","severity":"medium"}
  max-cookie | {"status":"disable","max-cookie":16,"action":"allow","log":"disable","severity":"medium"}
  max-header-line | {"status":"disable","max-header-line":32,"action":"allow","log":"disable","severity":"medium"}
  max-url-param | {"status":"disable","max-url-param":16,"action":"allow","log":"disable","severity":"medium"}
  max-range-segment | {"status":"disable","max-range-segment":5,"action":"allow","log":"disable","severity":"medium"}
  exception | (Empty)
method | Method restriction. | Details below
  method sub-table (Configuration | Default Value):
  status | disable
  log | disable
  severity | medium
  default-allowed-methods | (Empty)
  method-policy | (Empty)
address-list | Black address list and white address list. | Details below
  address-list sub-table (Configuration | Default Value):
  status | disable
  blocked-log | disable
  severity | medium
  trusted-address | (Empty)
  blocked-address | (Empty)
url-access | URL access list. | (Empty)
comment | Comment. | (Empty)
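Every entry in the constraint sub-table above ships with status disable, so the length and count limits do nothing until the matching sub-table is enabled. As an added example that is not Fortinet's code, the Python below measures a raw HTTP request against those default values; how each constraint is counted (bytes of the header block, number of Range segments, and so on) is my assumed interpretation, and the request is constructed.

```python
from urllib.parse import parse_qsl, urlsplit

# Default values from the `config constraint` sub-tables on this page. Every
# one ships with status "disable"; this example evaluates them as if enabled.
# What each limit is compared against is an assumed interpretation.
LIMITS = {
    "header-length": 8192,       # assumed: bytes in the whole request header block
    "content-length": 67108864,  # assumed: declared Content-Length (or body size)
    "param-length": 8192,        # assumed: longest single query parameter value
    "line-length": 1024,         # assumed: longest request or header line
    "url-param-length": 8192,    # assumed: length of the whole query string
    "max-cookie": 16,            # assumed: cookies in the Cookie header
    "max-header-line": 32,       # assumed: number of header lines
    "max-url-param": 16,         # assumed: number of query parameters
    "max-range-segment": 5,      # assumed: byte ranges in the Range header
}


def parse_request(raw):
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("latin-1").split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "head": head, "lines": lines, "headers": headers, "body": body}


def measure(raw):
    """Return the observed value for each constraint."""
    req = parse_request(raw)
    hdr = dict(req["headers"])          # last occurrence wins, enough here
    query = urlsplit(req["target"]).query
    params = parse_qsl(query, keep_blank_values=True)
    cookies = [c for c in hdr.get("cookie", "").split(";") if c.strip()]
    rng = hdr.get("range", "")
    ranges = [r for r in rng[6:].split(",") if r.strip()] if rng.startswith("bytes=") else []
    return {
        "header-length": len(req["head"]),
        "content-length": int(hdr.get("content-length", len(req["body"]))),
        "param-length": max((len(v) for _, v in params), default=0),
        "line-length": max(len(line) for line in req["lines"]),
        "url-param-length": len(query),
        "max-cookie": len(cookies),
        "max-header-line": len(req["headers"]),
        "max-url-param": len(params),
        "max-range-segment": len(ranges),
    }


def check_constraints(raw, limits=LIMITS):
    """Return (constraint, observed, limit) for every limit the request exceeds."""
    observed = measure(raw)
    return [(k, observed[k], limits[k]) for k in limits if observed[k] > limits[k]]


# Constructed sample: a 9000-byte query value plus a Range header with six
# segments, which exceeds five of the nine default limits.
SAMPLE_REQUEST = (
    b"GET /search?q=" + b"A" * 9000 + b"&page=2 HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Cookie: a=1; b=2\r\n"
    b"Range: bytes=0-9,10-19,20-29,30-39,40-49,50-59\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, seen, limit in check_constraints(SAMPLE_REQUEST):
        print(f"{name}: {seen} > {limit}")
```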


waf/signature
CLI Syntax
config waf signature
edit <name_str>
set desc <string>
set id <integer>
end


Description
Configuration | Description | Default Value
desc | Signature description. | (Empty)
id | Signature ID. |


waf/sub-class
CLI Syntax
config waf sub-class
edit <name_str>
set name <string>
set id <integer>
end


Description
Configuration | Description | Default Value
name | Signature subclass name. | (Empty)
id | Signature subclass ID. |


wanopt/auth-group
CLI Syntax
config wanopt auth-group
edit <name_str>
set name <string>
set auth-method {cert | psk}
set psk <password>
set cert <string>
set peer-accept {any | defined | one}
set peer <string>
end


Description
Configuration | Description | Default Value
name | Auth-group name. | (Empty)
auth-method | Group authentication method. | cert
psk | Pre-shared secret for PSK authentication. | (Empty)
cert | Name of certificate to identify this host. | (Empty)
peer-accept | Peer acceptance method. | any
peer | Peer host ID. | (Empty)


wanopt/peer
CLI Syntax
config wanopt peer
edit <name_str>
set peer-host-id <string>
set ip <ipv4-address-any>
end


Configuration          Description                                                   Default Value
peer-host-id           Peer host ID.                                                 (Empty)
ip                     Peer IP address.                                              0.0.0.0


wanopt/profile
CLI Syntax
config wanopt profile
edit <name_str>
set name <string>
set transparent {enable | disable}
set comments <var-string>
set auth-group <string>
config http
edit <name_str>
set status {enable | disable}
set secure-tunnel {enable | disable}
set byte-caching {enable | disable}
set prefer-chunking {dynamic | fix}
set tunnel-sharing {private | shared | express-shared}
set log-traffic {enable | disable}
set port <integer>
set ssl {enable | disable}
set ssl-port <integer>
set unknown-http-version {reject | tunnel | best-effort}
set tunnel-non-http {enable | disable}
end
config cifs
edit <name_str>
set status {enable | disable}
set secure-tunnel {enable | disable}
set byte-caching {enable | disable}
set prefer-chunking {dynamic | fix}
set tunnel-sharing {private | shared | express-shared}
set log-traffic {enable | disable}
set port <integer>
end
config mapi
edit <name_str>
set status {enable | disable}
set secure-tunnel {enable | disable}
set byte-caching {enable | disable}
set tunnel-sharing {private | shared | express-shared}
set log-traffic {enable | disable}
set port <integer>
end
config ftp
edit <name_str>
set status {enable | disable}
set secure-tunnel {enable | disable}
set byte-caching {enable | disable}
set prefer-chunking {dynamic | fix}
set tunnel-sharing {private | shared | express-shared}
set log-traffic {enable | disable}
set port <integer>
end
config tcp
edit <name_str>
set status {enable | disable}
set secure-tunnel {enable | disable}
set byte-caching {enable | disable}
set byte-caching-opt {mem-only | mem-disk}
set tunnel-sharing {private | shared | express-shared}
set log-traffic {enable | disable}
set port <user>
set ssl {enable | disable}
set ssl-port <integer>
end
end


Configuration          Description                                                   Default Value
name                   Profile name.                                                 (Empty)
transparent            Enable/disable transparent mode.                              enable
comments               Comment.                                                      (Empty)
auth-group             Peer authentication group.                                    (Empty)
http                   HTTP protocol settings. Details below.
cifs                   CIFS protocol settings. Details below.
mapi                   MAPI protocol settings. Details below.
ftp                    FTP protocol settings. Details below.
tcp                    TCP protocol settings. Details below.

http
  Configuration          Default Value
  status                 disable
  secure-tunnel          disable
  byte-caching           enable
  prefer-chunking        fix
  tunnel-sharing         private
  log-traffic            enable
  port                   80
  ssl                    disable
  ssl-port               443
  unknown-http-version   tunnel
  tunnel-non-http        disable

cifs
  Configuration          Default Value
  status                 disable
  secure-tunnel          disable
  byte-caching           enable
  prefer-chunking        fix
  tunnel-sharing         private
  log-traffic            enable
  port                   445

mapi
  Configuration          Default Value
  status                 disable
  secure-tunnel          disable
  byte-caching           enable
  tunnel-sharing         private
  log-traffic            enable
  port                   135

ftp
  Configuration          Default Value
  status                 disable
  secure-tunnel          disable
  byte-caching           enable
  prefer-chunking        fix
  tunnel-sharing         private
  log-traffic            enable
  port                   21

tcp
  Configuration          Default Value
  status                 disable
  secure-tunnel          disable
  byte-caching           disable
  byte-caching-opt       mem-only
  tunnel-sharing         private
  log-traffic            enable
  port                   1-65535
  ssl                    disable
  ssl-port               443 990 995 465 993

786

wanopt/settings
CLI Syntax
config wanopt settings
edit <name_str>
set host-id <string>
set tunnel-ssl-algorithm {high | medium | low}
set auto-detect-algorithm {simple | diff-req-resp}
end


Configuration          Description                                                                  Default Value
host-id                Host identity.                                                               default-id
tunnel-ssl-algorithm   Relative strength of encryption algorithms accepted in tunnel negotiation.   high
auto-detect-algorithm  Auto detection algorithms used in tunnel negotiation.                        simple
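Worked example, added here and not part of the FortiOS reference: a branch FortiGate that builds an encrypted, certificate-authenticated WAN optimization tunnel to a headquarters peer using the wanopt auth-group, peer, profile and settings commands above. The host IDs (branch-fgt, hq-fgt), the certificate name wanopt-peer-cert, the profile name and the address 203.0.113.10 are assumptions. A PSK group with peer-accept any is shown first as the weak pattern. Lines starting with # are explanatory and are not typed into the CLI; config wanopt settings and the per-protocol sub-tables inside a profile are single-entry tables entered without edit.

```text
# Added example, not from the reference. Names and addresses are assumptions.

# Weak pattern: any host that knows the shared secret is accepted as a peer,
# and secure-tunnel is left at its default (disable), so byte-cached data
# crosses the WAN in clear.
config wanopt auth-group
    edit "psk-any"
        set auth-method psk
        set psk "shared-secret"
        set peer-accept any
    next
end

# Hardened pattern: this unit identifies itself by host-id and certificate,
# accepts only peers that are explicitly defined, and encrypts the tunnel.
config wanopt settings
    set host-id "branch-fgt"
    set tunnel-ssl-algorithm high       # default; do not lower it to medium or low
end

config wanopt peer
    edit "hq-fgt"
        set peer-host-id "hq-fgt"
        set ip 203.0.113.10
    next
end

config wanopt auth-group
    edit "cert-defined"
        set auth-method cert
        set cert "wanopt-peer-cert"     # local certificate that identifies this host
        set peer-accept defined         # only peers listed in config wanopt peer
    next
end

config wanopt profile
    edit "branch-to-hq"
        set transparent enable          # default
        set auth-group "cert-defined"
        config http
            set status enable
            set secure-tunnel enable    # default disable
            set byte-caching enable     # default
            set log-traffic enable      # default
        end
        config cifs
            set status enable
            set secure-tunnel enable
        end
    next
end
```

To pin the group to a single peer instead of the whole peer list, use set peer-accept one together with set peer "hq-fgt" in the auth-group. Both ends need matching host IDs, and each end needs the other's certificate trusted.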


wanopt/storage
CLI Syntax
config wanopt storage
edit <name_str>
set name <string>
set size <integer>
set webcache-storage-percentage <integer>
set webcache-storage-size <user>
set wan-optimization-cache-storage-size <user>
end


Configuration                        Description                                                                              Default Value
name                                 Storage name.                                                                            (Empty)
size                                 Maximum total size of files within the storage (MB).                                     1024
webcache-storage-percentage          Percentage of storage available for Web cache. The rest is used for WAN optimization.    50
webcache-storage-size                Web cache storage size.                                                                  (Empty)
wan-optimization-cache-storage-size  WAN optimization cache storage size.                                                     (Empty)


wanopt/webcache
CLI Syntax
config wanopt webcache
edit <name_str>
set max-object-size <integer>
set neg-resp-time <integer>
set fresh-factor <integer>
set max-ttl <integer>
set min-ttl <integer>
set default-ttl <integer>
set ignore-ims {enable | disable}
set ignore-conditional {enable | disable}
set ignore-pnc {enable | disable}
set ignore-ie-reload {enable | disable}
set cache-expired {enable | disable}
set cache-cookie {enable | disable}
set reval-pnc {enable | disable}
set always-revalidate {enable | disable}
set cache-by-default {enable | disable}
set host-validate {enable | disable}
set external {enable | disable}
end


Configuration          Description                                                                                                      Default Value
max-object-size        Maximum cacheable object size in kB; the maximum is 2147483 (2 GB).                                              512000
neg-resp-time          Duration of the negative response cache.
fresh-factor           Fresh factor percentage (1 - 100 percent).                                                                       100
max-ttl                Maximum TTL in minutes (default = 7200 (5 days); maximum = 5256000 (100 years)).                                 7200
min-ttl                Minimum TTL in minutes (default = 5; maximum = 5256000 (100 years)).                                             5
default-ttl            Default TTL in minutes (default = 1440 (1 day); maximum = 5256000 (100 years)).                                  1440
ignore-ims             Enable/disable ignoring If-Modified-Since.                                                                       disable
ignore-conditional     Enable/disable ignoring HTTP 1.1 conditional requests.                                                           disable
ignore-pnc             Enable/disable ignoring Pragma: no-cache.                                                                        disable
ignore-ie-reload       Enable/disable ignoring IE reload.                                                                               enable
cache-expired          Enable/disable caching of expired objects.                                                                       disable
cache-cookie           Enable/disable caching of HTTP responses with a Set-Cookie header.                                               disable
reval-pnc              Enable/disable re-validation of Pragma: no-cache.                                                                disable
always-revalidate      Enable/disable re-validation of a requested cached object with the content server before serving it to the client.   disable
cache-by-default       Enable/disable caching of content lacking an explicit caching policy from the server.                            disable
host-validate          Enable/disable validating the "Host:" header against the original server IP.                                     disable
external               Enable/disable external cache.                                                                                   disable
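Worked example, added here and not part of the FortiOS reference: the wanopt webcache settings a practitioner tightens so that a shared cache cannot hand one client's personalised response, or an object planted under a spoofed Host header, to another client. The first block shows hit-rate-maximising settings that cause exactly that; the second shows the corrected ones. config wanopt webcache is a single-entry table entered without edit, and lines starting with # are explanatory.

```text
# Added example, not from the reference.

# Risky: maximises cache hits at the cost of serving stale, per-user or
# unvalidated content to every client behind the cache.
config wanopt webcache
    set cache-cookie enable          # responses carrying Set-Cookie are per-user
    set cache-by-default enable      # caches content the server never marked cacheable
    set cache-expired enable         # serves objects past their TTL
    set ignore-pnc enable            # ignores Pragma: no-cache from clients
    set host-validate disable
end

# Corrected: cache only what the origin says is cacheable, bound its
# lifetime, and check the Host header against the server the object came from.
config wanopt webcache
    set cache-cookie disable         # default
    set cache-by-default disable     # default
    set cache-expired disable        # default
    set ignore-pnc disable           # default
    set reval-pnc enable             # default disable; re-validate on no-cache instead of bypassing
    set host-validate enable         # default disable; rejects objects whose Host: does not match the origin IP
    set always-revalidate enable     # default disable; one round trip per hit, buys freshness
    set max-ttl 1440                 # default 7200 (5 days); a poisoned entry lives at most one day
    set max-object-size 102400       # default 512000 kB; a 100 MB cap limits cache-filling abuse
end
```

always-revalidate removes most of the bandwidth benefit of the cache; where that is unacceptable, keep it disabled but still lower max-ttl and keep host-validate enabled.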


web-proxy/debug-url
CLI Syntax
config web-proxy debug-url
edit <name_str>
set name <string>
set url-pattern <string>
set status {enable | disable}
set exact {enable | disable}
end


Configuration          Description                                                   Default Value
name                   Debug URL name.                                               (Empty)
url-pattern            URL exemption pattern.                                        (Empty)
status                 Enable/disable this URL exemption.                            enable
exact                  Enable/disable exact path matching.                           enable


web-proxy/explicit
CLI Syntax
config web-proxy explicit
edit <name_str>
set status {enable | disable}
set ftp-over-http {enable | disable}
set socks {enable | disable}
set http-incoming-port <integer>
set https-incoming-port <integer>
set ftp-incoming-port <integer>
set socks-incoming-port <integer>
set incoming-ip <ipv4-address-any>
set outgoing-ip <ipv4-address-any>
set ipv6-status {enable | disable}
set incoming-ip6 <ipv6-address>
set outgoing-ip6 <ipv6-address>
set strict-guest {enable | disable}
set pref-dns-result {ipv4 | ipv6}
set unknown-http-version {reject | best-effort}
set realm <string>
set sec-default-action {accept | deny}
set https-replacement-message {enable | disable}
set message-upon-server-error {enable | disable}
set pac-file-server-status {enable | disable}
set pac-file-server-port <integer>
set pac-file-name <string>
set pac-file-data <user>
set pac-file-url <user>
set ssl-algorithm {high | medium | low}
end


Configuration              Description                                                                                          Default Value
status                     Enable/disable explicit Web proxy.                                                                   disable
ftp-over-http              Enable/disable FTP-over-HTTP.                                                                        disable
socks                      Enable/disable SOCKS proxy.                                                                          disable
http-incoming-port         Accept incoming HTTP requests on ports other than port 80.                                           8080
https-incoming-port        Accept incoming HTTPS requests on this port.
ftp-incoming-port          Accept incoming FTP-over-HTTP requests on this port.
socks-incoming-port        Accept incoming SOCKS proxy requests on this port.
incoming-ip                Accept incoming HTTP requests on this IP address (an interface must have this IP address).           0.0.0.0
outgoing-ip                Outgoing HTTP requests leave from this IP address (an interface must have this IP address).          (Empty)
ipv6-status                Enable/disable IPv6 destination in policy.                                                           disable
incoming-ip6               Accept incoming HTTP requests on this IPv6 address (an interface must have this IP address).         ::
outgoing-ip6               Outgoing HTTP requests leave from this IPv6 address (an interface must have this IP address).        (Empty)
strict-guest               Enable/disable strict guest user check in explicit proxy.                                            disable
pref-dns-result            IPv4 or IPv6 DNS result preference.                                                                  ipv4
unknown-http-version       Unknown HTTP version handling.                                                                       reject
realm                      Authentication realm.                                                                                default
sec-default-action         Default action to allow or deny when no web-proxy firewall policy exists.                            deny
https-replacement-message  Enable/disable returning a replacement message for HTTPS requests.                                   enable
message-upon-server-error  Enable/disable returning a replacement message upon server error detection.                          enable
pac-file-server-status     Enable/disable PAC file server.                                                                      disable
pac-file-server-port       PAC file server listening port.
pac-file-name              PAC file name.                                                                                       proxy.pac
pac-file-data              PAC file contents.                                                                                   (Empty)
pac-file-url               PAC file access URL.                                                                                 (Empty)
ssl-algorithm              Relative strength of encryption algorithms accepted in HTTPS deep-scan.                              low


web-proxy/forward-server
CLI Syntax
config web-proxy forward-server
edit <name_str>
set name <string>
set ip <ipv4-address-any>
set fqdn <string>
set addr-type {ip | fqdn}
set port <integer>
set healthcheck {disable | enable}
set monitor <string>
set server-down-option {block | pass}
set comment <string>
end


Configuration          Description                                                   Default Value
name                   Server name.                                                  (Empty)
ip                     Forward server IP.                                            0.0.0.0
fqdn                   Forward server FQDN.                                          (Empty)
addr-type              Address type.                                                 ip
port                   Forward server port.                                          3128
healthcheck            Enable/disable forward server health checking.                disable
monitor                Forward server health check URL.                              http://www.google.com
server-down-option     Action when the forward server is down.                       block
comment                Comment.                                                      (Empty)


web-proxy/forward-server-group
CLI Syntax
config web-proxy forward-server-group
edit <name_str>
set name <string>
set affinity {enable | disable}
set ldb-method {weighted | least-session}
set group-down-option {block | pass}
config server-list
edit <name_str>
set name <string>
set weight <integer>
end
end


Configuration          Description                                                   Default Value
name                   Forward server group name.                                    (Empty)
affinity               Enable/disable affinity.                                      enable
ldb-method             Load balance method.                                          weighted
group-down-option      Action when the group is down.                                block
server-list            Forward server list.                                          (Empty)


web-proxy/global
CLI Syntax
config web-proxy global
edit <name_str>
set proxy-fqdn <string>
set max-request-length <integer>
set max-message-length <integer>
set strict-web-check {enable | disable}
set forward-proxy-auth {enable | disable}
set tunnel-non-http {enable | disable}
set unknown-http-version {reject | tunnel | best-effort}
set forward-server-affinity-timeout <integer>
set max-waf-body-cache-length <integer>
set webproxy-profile <string>
end


Configuration                    Description                                                                                             Default Value
proxy-fqdn                       Proxy FQDN.                                                                                             default.fqdn
max-request-length               Maximum length of the HTTP request line (1 kB units (1024 bytes)).
max-message-length               Maximum length of an HTTP message not including the body (1 kB units (1024 bytes)).                    32
strict-web-check                 Enable/disable strict web check.                                                                        disable
forward-proxy-auth               Enable/disable forward proxy authentication.                                                            disable
tunnel-non-http                  Enable/disable non-HTTP tunnel.                                                                         enable
unknown-http-version             Unknown HTTP version handling.                                                                          best-effort
forward-server-affinity-timeout  Timeout of the forward server affinity (6 - 60 min, default = 30 min).                                  30
max-waf-body-cache-length        Maximum length of an HTTP message (1 kB units (1024 bytes)) processed by the Web Application Firewall.  100
webproxy-profile                 Web proxy profile to use when no policy matches.                                                        (Empty)
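Worked example, added here and not part of the FortiOS reference: an explicit web proxy (config web-proxy explicit, above) bound to a single internal address and failing closed, together with the global limits from config web-proxy global. It brings out two defaults a practitioner should not leave alone: ssl-algorithm defaults to low, and tunnel-non-http defaults to enable. The address 10.0.0.1, the realm text and the proxy FQDN are assumptions; both tables are single-entry and are entered without edit, and lines starting with # are explanatory.

```text
# Added example, not from the reference. 10.0.0.1, the realm and the FQDN are assumptions.

# Explicit proxy listening on one internal address, failing closed, with the
# deep-scan cipher floor raised from its default of low.
config web-proxy explicit
    set status enable
    set http-incoming-port 8080         # default
    set incoming-ip 10.0.0.1            # default 0.0.0.0 accepts on any interface address
    set socks disable                   # default; SOCKS relays arbitrary TCP and is rarely needed
    set ftp-over-http disable           # default
    set sec-default-action deny         # default; deny when no explicit-proxy policy matches
    set unknown-http-version reject     # default; do not guess at malformed request lines
    set ssl-algorithm high              # default low permits weak cipher suites in HTTPS deep-scan
    set realm "Corporate proxy"
    set pac-file-server-status disable  # default; if enabled, restrict who can reach pac-file-server-port
end

# Global limits that apply to every proxy session.
config web-proxy global
    set proxy-fqdn "proxy.example.internal"  # FQDN the proxy uses for itself; default default.fqdn
    set max-request-length 4                 # 1 kB units; over-long request lines are a common probe
    set max-message-length 32                # default (1 kB units)
    set max-waf-body-cache-length 100        # default (1 kB units); the WAF sees at most this much body
    set strict-web-check enable              # default disable
    set tunnel-non-http disable              # default enable: non-HTTP on the proxy port would be passed through uninspected
    set unknown-http-version reject          # default best-effort
    set forward-server-affinity-timeout 30   # default (minutes)
end
```

Check the result with show web-proxy explicit and show web-proxy global; only values that differ from the defaults are printed, so ssl-algorithm high and tunnel-non-http disable should both appear.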


web-proxy/profile
CLI Syntax
config web-proxy profile
edit <name_str>
set name <string>
set header-client-ip {pass | add | remove}
set header-via-request {pass | add | remove}
set header-via-response {pass | add | remove}
set header-x-forwarded-for {pass | add | remove}
set header-front-end-https {pass | add | remove}
config headers
edit <name_str>
set id <integer>
set name <string>
set action {add-to-request | add-to-response | remove-from-request | remove-from-response}
set content <string>
end
end


Configuration           Description                                                                Default Value
name                    Profile name.                                                              (Empty)
header-client-ip        Action to take on the HTTP Client-IP header of forwarded requests.         pass
header-via-request      Action to take on the HTTP Via header of forwarded requests.               pass
header-via-response     Action to take on the HTTP Via header of forwarded responses.              pass
header-x-forwarded-for  Action to take on the HTTP X-Forwarded-For header of forwarded requests.   pass
header-front-end-https  Action to take on the HTTP Front-End-HTTPS header of forwarded requests.   pass
headers                 Configure headers of HTTP forwarded requests.                              (Empty)


web-proxy/url-match
CLI Syntax
config web-proxy url-match
edit <name_str>
set name <string>
set status {enable | disable}
set url-pattern <string>
set forward-server <string>
set cache-exemption {enable | disable}
set comment <var-string>
end


Configuration          Description                                                                  Default Value
name                   Configure URL name.                                                          (Empty)
status                 Enable/disable per URL pattern web proxy forwarding and cache exemptions.    enable
url-pattern            URL pattern.                                                                 (Empty)
forward-server         Forward server name.                                                         (Empty)
cache-exemption        Enable/disable cache exemption for this URL pattern.                         disable
comment                Comment.                                                                     (Empty)
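Worked example, added here and not part of the FortiOS reference: it ties together web-proxy forward-server, forward-server-group, profile and url-match from the sections above. The upstream servers are health-checked and fail closed, the proxy profile strips the headers that would reveal internal client addresses and the proxy chain to origin servers, and one URL pattern is routed to a named upstream with caching disabled. Server names, addresses, the health-check URL and the header name X-Proxy-Policy are assumptions; the group is bound to traffic by a proxy policy, which this page does not cover. Lines starting with # are explanatory.

```text
# Added example, not from the reference. Names, addresses and the monitor URL are assumptions.

config web-proxy forward-server
    edit "upstream-a"
        set addr-type ip
        set ip 192.0.2.10
        set port 3128                     # default
        set healthcheck enable            # default disable
        set monitor "http://health.example.internal/"   # default http://www.google.com is an external dependency
        set server-down-option block      # default; "pass" would silently bypass the upstream when it is down
    next
    edit "upstream-b"
        set addr-type fqdn
        set fqdn "proxy-b.example.internal"
        set healthcheck enable
        set monitor "http://health.example.internal/"
        set server-down-option block
    next
end

config web-proxy forward-server-group
    edit "upstream-pool"
        set ldb-method weighted           # default
        set affinity enable               # default; keep a client on the same upstream
        set group-down-option block       # default; fail closed when every member is down
        config server-list
            edit "upstream-a"
                set weight 10
            next
            edit "upstream-b"
                set weight 5
            next
        end
    next
end

config web-proxy profile
    edit "strip-internal"
        set header-x-forwarded-for remove # default pass would reveal the client's internal IP
        set header-client-ip remove       # same information, older header name
        set header-via-request remove     # default pass reveals the proxy chain
        set header-via-response remove
        config headers
            edit 1
                set name "X-Proxy-Policy"
                set action add-to-request
                set content "strip-internal"
            next
        end
    next
end

config web-proxy url-match
    edit "vendor-portal"
        set status enable                 # default
        set url-pattern "portal.vendor.example"
        set forward-server "upstream-a"
        set cache-exemption enable        # default disable; per-user portal pages must not be cached
    next
end
```

Stripping X-Forwarded-For also removes the information an origin server may rely on for its own logging or rate limiting; if that is needed, keep pass and accept the disclosure deliberately rather than by default.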


webfilter/content
CLI Syntax
config webfilter content
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set name <string>
set pattern-type {wildcard | regexp}
set status {enable | disable}
set lang {western | simch | trach | japanese | korean | french | thai | spanish | cyrillic}
set score <integer>
set action {block | exempt}
end
end


Configuration          Description                                                   Default Value
id                     ID.
name                   Name of table.                                                (Empty)
comment                Comment.                                                      (Empty)
entries                Configure web filter banned words.                            (Empty)


webfilter/content-header
CLI Syntax
config webfilter content-header
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set pattern <string>
set action {block | allow | exempt}
set category <user>
end
end


Configuration          Description                                                   Default Value
id                     ID.
name                   Name of table.                                                (Empty)
comment                Comment.                                                      (Empty)
entries                Configure content types used by web filter.                   (Empty)


webfilter/cookie-ovrd
CLI Syntax
config webfilter cookie-ovrd
edit <name_str>
set auth-epoch <integer>
set redir-host <string>
set redir-port <integer>
set cookie-name <string>
end


Configuration          Description                                                                                               Default Value
auth-epoch             Current authentication epoch. Changing this value invalidates all currently issued override cookies.
redir-host             Domain name or IP of the host that is used to validate override authentication cookies.                  (Empty)
redir-port             TCP port used on "redir-host" to validate override authentication cookies.                               20080
cookie-name            Name to use for override authentication cookies.                                                          wfovrdZnkHSb2CESh


webfilter/fortiguard
CLI Syntax
config webfilter fortiguard
edit <name_str>
set cache-mode {ttl | db-ver}
set cache-prefix-match {enable | disable}
set cache-mem-percent <integer>
set ovrd-auth-port-http <integer>
set ovrd-auth-port-https <integer>
set ovrd-auth-port-warning <integer>
set ovrd-auth-https {enable | disable}
set warn-auth-https {enable | disable}
set close-ports {enable | disable}
set request-packet-size-limit <integer>
set ovrd-auth-port <integer>
end


Configuration               Description                                                                            Default Value
cache-mode                  Cache entry expiration mode.                                                           ttl
cache-prefix-match          Enable/disable prefix matching in the cache.                                           enable
cache-mem-percent           Maximum percentage of available memory allocated to caching (1 - 15%).
ovrd-auth-port-http         Port to use for FortiGuard Web Filter HTTP override authentication.                    8008
ovrd-auth-port-https        Port to use for FortiGuard Web Filter HTTPS override authentication.                   8010
ovrd-auth-port-warning      Port to use for FortiGuard Web Filter Warning override authentication.                 8020
ovrd-auth-https             Enable/disable use of HTTPS for override authentication.                               enable
warn-auth-https             Enable/disable use of HTTPS for warning and authentication.                            enable
close-ports                 Close ports used for HTTP/HTTPS override authentication and disable user overrides.    disable
request-packet-size-limit   Limit size of URL request packets sent to the FortiGuard server (0 for default).
ovrd-auth-port              Port to use for FortiGuard Web Filter override authentication.                         8008


webfilter/ftgd-local-cat
CLI Syntax
config webfilter ftgd-local-cat
edit <name_str>
set id <integer>
set desc <string>
end


Configuration          Description                                                   Default Value
id                     Local category ID.
desc                   Local category description.                                   (Empty)


webfilter/ftgd-local-rating
CLI Syntax
config webfilter ftgd-local-rating
edit <name_str>
set url <string>
set status {enable | disable}
set rating <user>
end


Configuration          Description                                                   Default Value
url                    URL to rate locally.                                          (Empty)
status                 Enable/disable local rating.                                  enable
rating                 Local rating.


webfilter/ftgd-warning
CLI Syntax
config webfilter ftgd-warning
edit <name_str>
set id <integer>
set status {enable | disable}
set scope {user | user-group | ip | ip6}
set ip <ipv4-address>
set user <string>
set user-group <string>
set old-profile <string>
set expires <user>
set rating <integer>
end


Configuration          Description                                                      Default Value
id                     Specify the override rule ID.
status                 Enable/disable override rule.                                    disable
scope                  Specify the scope of the override rule.                          user
ip                     Specify the IP address for which the override applies.           0.0.0.0
user                   Specify the username for which the override applies.             (Empty)
user-group             Specify the user group for which the override applies.           (Empty)
old-profile            Specify the web-filter profile for which the override applies.   (Empty)
expires                Specify when the override expires.                               1969/12/31 17:00:00
rating                 Ratings associated with the overridden filter.


webfilter/ips-urlfilter-cache-setting
CLI Syntax
config webfilter ips-urlfilter-cache-setting
edit <name_str>
set dns-retry-interval <integer>
set extended-ttl <integer>
end


Configuration          Description                                                                                                        Default Value
dns-retry-interval     Retry interval. Refresh DNS faster than the TTL to capture multiple IPs for hosts. 0 means use the DNS server's TTL only.
extended-ttl           Extend the time to live beyond that reported by DNS. 0 means use the DNS server's TTL.


webfilter/ips-urlfilter-setting
CLI Syntax
config webfilter ips-urlfilter-setting
edit <name_str>
set device <string>
set distance <integer>
set gateway <ipv4-address>
end


Configuration          Description                                                   Default Value
device                 Outgoing interface for this route.                            (Empty)
distance               Administrative distance (1 - 255).
gateway                Gateway IP for this route.                                    0.0.0.0


webfilter/override
CLI Syntax
config webfilter override
edit <name_str>
set id <integer>
set status {enable | disable}
set scope {user | user-group | ip | ip6}
set ip <ipv4-address>
set user <string>
set user-group <string>
set old-profile <string>
set new-profile <string>
set ip6 <ipv6-address>
set expires <user>
set initiator <string>
end


Configuration          Description                                                      Default Value
id                     Specify the override rule ID.
status                 Enable/disable override rule.                                    disable
scope                  Specify the scope of the override rule.                          user
ip                     Specify the IP address for which the override applies.           0.0.0.0
user                   Specify the username for which the override applies.             (Empty)
user-group             Specify the user group for which the override applies.           (Empty)
old-profile            Specify the web-filter profile for which the override applies.   (Empty)
new-profile            Specify the new web-filter profile to apply for the override.    (Empty)
ip6                    Specify the IPv6 address for which the override applies.         ::
expires                Specify when the override expires.                               1969/12/31 17:00:00
initiator              Initiating user of the override (not settable).                  (Empty)
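Worked example, added here and not part of the FortiOS reference: the override machinery from webfilter fortiguard, webfilter cookie-ovrd and webfilter override above, configured so that override credentials only travel over HTTPS, a single user gets a time-boxed override, and the operator has two ways to revoke overrides (bumping auth-epoch invalidates every issued override cookie; close-ports stops user overrides entirely). The profile names, the user name alice, the redirect host and the expiry date are assumptions; fortiguard and cookie-ovrd are single-entry tables entered without edit, and lines starting with # are explanatory.

```text
# Added example, not from the reference. Names, host and date are assumptions.

config webfilter fortiguard
    set ovrd-auth-https enable          # default; override credentials never go over plain HTTP
    set warn-auth-https enable          # default
    set ovrd-auth-port-https 8010       # default
    set close-ports disable             # default; set enable to close the override ports and stop all user overrides
end

config webfilter cookie-ovrd
    set redir-host "wf-override.example.internal"   # host that validates override cookies
    set redir-port 20080                # default
    set auth-epoch 2                    # raise this value to invalidate every override cookie already issued
end

# Admin-created override: alice gets the relaxed profile until the expiry
# date, after which the rule stops matching on its own.
config webfilter override
    edit 1
        set status enable
        set scope user
        set user "alice"
        set old-profile "default"       # profile the override applies to
        set new-profile "research-relaxed"
        set expires "2016/06/30 17:00:00"   # YYYY/MM/DD HH:MM:SS, the format of the default value
    next
end
```

Overrides that users create for themselves through the override page land in config webfilter override-user with the same fields; during an incident, raising auth-epoch and enabling close-ports together revokes both kinds at once.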


webfilter/override-user
CLI Syntax
config webfilter override-user
edit <name_str>
set id <integer>
set status {enable | disable}
set scope {user | user-group | ip | ip6}
set ip <ipv4-address>
set user <string>
set user-group <string>
set old-profile <string>
set new-profile <string>
set ip6 <ipv6-address>
set expires <user>
set initiator <string>
end


Configuration          Description                                                      Default Value
id                     Specify the override rule ID.
status                 Enable/disable override rule.                                    disable
scope                  Specify the scope of the override rule.                          user
ip                     Specify the IP address for which the override applies.           0.0.0.0
user                   Specify the username for which the override applies.             (Empty)
user-group             Specify the user group for which the override applies.           (Empty)
old-profile            Specify the web-filter profile for which the override applies.   (Empty)
new-profile            Specify the new web-filter profile to apply for the override.    (Empty)
ip6                    Specify the IPv6 address for which the override applies.         ::
expires                Specify when the override expires.                               1969/12/31 17:00:00
initiator              Initiating user of the override (not settable).                  (Empty)


webfilter/profile
CLI Syntax
config webfilter profile
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
set inspection-mode {proxy | flow-based | dns}
set options {rangeblock | activexfilter | cookiefilter | javafilter | block-invalid-url | jscript | js | vbs | unknown | intrinsic | wf-referer | wf-cookie | https-urlscan | per-user-bwl}
set https-replacemsg {enable | disable}
set ovrd-perm {bannedword-override | urlfilter-override | fortiguard-wf-override | contenttype-check-override}
set post-action {normal | comfort | block}
config override
edit <name_str>
set ovrd-cookie {allow | deny}
set ovrd-scope {user | user-group | ip | browser | ask}
set profile-type {list | radius}
set ovrd-dur-mode {constant | ask}
set ovrd-dur <user>
set profile-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type |
    Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU |
    Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number |
    Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout |
    Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State |
    Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network |
    Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets |
    Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets |
    Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type |
    Port-Limit | Login-LAT-Port}
config ovrd-user-group
edit <name_str>
set name <string>
end
config profile
edit <name_str>
set name <string>
end
end
config web
edit <name_str>
set bword-threshold <integer>
set bword-table <integer>
set urlfilter-table <integer>
set content-header-list <integer>
set blacklist {enable | disable}
set whitelist {exempt-av | exempt-webcontent | exempt-activex-java-cookie | exempt-dlp | exempt-rangeblock | extended-log-others}
set safe-search {url | header}
set youtube-edu-filter-id <string>
set log-search {enable | disable}
config keyword-match
edit <name_str>
set pattern <string>
end
end
config ftgd-wf
edit <name_str>
set options {error-allow | http-err-detail | rate-image-urls | rate-server-ip | redir-block | connect-request-bypass | ftgd-disable}
set category-override <user>
set exempt-quota <user>
set ovrd <user>
config filters
edit <name_str>
set id <integer>
set category <integer>
set action {block | authenticate | monitor | warning}
set warn-duration <user>
config auth-usr-grp
edit <name_str>
set name <string>
end
set log {enable | disable}
set override-replacemsg <string>
set warning-prompt {per-domain | per-category}
set warning-duration-type {session | timeout}
end
config quota
edit <name_str>
set id <integer>
set category <user>
set type {time | traffic}
set unit {B | KB | MB | GB}
set value <integer>
set duration <user>
set override-replacemsg <string>
end
set max-quota-timeout <integer>
set rate-image-urls {disable | enable}
set rate-javascript-urls {disable | enable}
set rate-css-urls {disable | enable}
set rate-crl-urls {disable | enable}
end
set wisp {enable | disable}
config wisp-servers
edit <name_str>
set name <string>
end
end
set wisp-algorithm {primary-secondary | round-robin | auto-learning}
set log-all-url {enable | disable}
set web-content-log {enable | disable}
set web-filter-activex-log {enable | disable}
set web-filter-command-block-log {enable | disable}
set web-filter-cookie-log {enable | disable}
set web-filter-applet-log {enable | disable}
set web-filter-jscript-log {enable | disable}
set web-filter-js-log {enable | disable}
set web-filter-vbs-log {enable | disable}
set web-filter-unknown-log {enable | disable}
set web-filter-referer-log {enable | disable}
set web-filter-cookie-removal-log {enable | disable}
set web-url-log {enable | disable}
set web-invalid-domain-log {enable | disable}
set web-ftgd-err-log {enable | disable}
set web-ftgd-quota-usage {enable | disable}
end


Configuration                  Description                                                                Default Value
name                           Profile name.                                                              (Empty)
comment                        Comment.                                                                   (Empty)
replacemsg-group               Replacement message group.                                                 (Empty)
inspection-mode                Web filtering inspection mode.                                             proxy
options                        Options.                                                                   (Empty)
https-replacemsg               Enable replacement message display for non-deep SSL inspection.           enable
ovrd-perm                      Override permit option.                                                    (Empty)
post-action                    Action for HTTP POST requests.                                             normal
override                       Web Filter override settings. Details below.
web                            Web settings. Details below.
ftgd-wf                        FortiGuard Web Filter settings. Details below.
wisp                           Enable/disable web proxy WISP.                                             disable
wisp-servers                   WISP servers.                                                              (Empty)
wisp-algorithm                 WISP server selection algorithm.                                           auto-learning
log-all-url                    Enable/disable logging of all URLs visited.                                disable
web-content-log                Enable/disable logging for web filter content blocking.                    enable
web-filter-activex-log         Enable/disable logging for web script filtering on ActiveX.                enable
web-filter-command-block-log   Enable/disable logging for web filtering on command blocking.              enable
web-filter-cookie-log          Enable/disable logging for web script filtering on cookies.                enable
web-filter-applet-log          Enable/disable logging for web script filtering on Java applets.           enable
web-filter-jscript-log         Enable/disable logging for web script filtering on JScripts.               enable
web-filter-js-log              Enable/disable logging for web script filtering on Java scripts.           enable
web-filter-vbs-log             Enable/disable logging for web script filtering on VB scripts.             enable
web-filter-unknown-log         Enable/disable logging for web script filtering on unknown scripts.        enable
web-filter-referer-log         Enable/disable logging of web filter referrer blocks.                      enable
web-filter-cookie-removal-log  Enable/disable logging of web filter cookie blocks.                        enable
web-url-log                    Enable/disable logging for URL filtering.                                  enable
web-invalid-domain-log         Enable/disable logging for web filtering of invalid domain names.          enable
web-ftgd-err-log               Enable/disable logging for FortiGuard Web Filter rating errors.            enable
web-ftgd-quota-usage           Enable/disable logging for FortiGuard Web Filter quota usage each day.     enable

override
  Configuration          Default Value
  ovrd-cookie            deny
  ovrd-scope             user
  profile-type           list
  ovrd-dur-mode          constant
  ovrd-dur               15m
  profile-attribute      Login-LAT-Service
  ovrd-user-group        (Empty)
  profile                (Empty)

web
  Configuration          Default Value
  bword-threshold        10
  bword-table            0
  urlfilter-table        0
  content-header-list    0
  blacklist              disable
  whitelist              (Empty)
  safe-search            (Empty)
  youtube-edu-filter-id  (Empty)
  log-search             disable
  keyword-match          (Empty)

ftgd-wf
  Configuration          Default Value
  options                ftgd-disable
  category-override      17
  exempt-quota           (Empty)
  ovrd                   (Empty)
  filters
  quota
  max-quota-timeout      300
  rate-image-urls        enable
  rate-javascript-urls   enable
  rate-css-urls          enable
  rate-crl-urls          enable

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

835

webfilter/search-engine

CLI Syntax
    config webfilter search-engine
        edit <name_str>
            set name <string>
            set hostname <string>
            set url <string>
            set query <string>
            set safesearch {disable | url | header}
            set charset {utf-8 | gb2312}
            set safesearch-str <string>
        end

Description
Configuration                 Description                                               Default Value
name                          Search engine name.                                       (Empty)
hostname                      Hostname regular expression.                              (Empty)
url                           URL regular expression.                                   (Empty)
query                         Query string (must end with an equals character).         (Empty)
safesearch                    Safe search enforcement method (disable, url, or header). disable
charset                       Search engine charset.                                    utf-8
safesearch-str                Safe search parameter.                                    (Empty)

webfilter/urlfilter

CLI Syntax
    config webfilter urlfilter
        edit <name_str>
            set id <integer>
            set name <string>
            set comment <var-string>
            set one-arm-ips-urlfilter {enable | disable}
            set ip-addr-block {enable | disable}
            config entries
                edit <name_str>
                    set id <integer>
                    set url <string>
                    set type {simple | regex | wildcard}
                    set action {exempt | block | allow | monitor}
                    set status {enable | disable}
                    set exempt {av | filepattern | web-content | activex-java-cookie | dlp | fortiguard |
                        range-block | pass | all}
                    set web-proxy-profile <string>
                    set referrer-host <string>
                end
        end

Description
Configuration                 Description                                               Default Value
id                            ID.
name                          Name of table.                                            (Empty)
comment                       Comment.                                                  (Empty)
one-arm-ips-urlfilter         Enable/disable DNS resolver for one-arm IPS URL filter    disable
                              operation.
ip-addr-block                 Enable/disable blocking of URLs whose hostname is an IP   disable
                              address.
entries                       URL filter entries.                                       (Empty)

wireless-controller/ap-status

CLI Syntax
    config wireless-controller ap-status
        edit <name_str>
            set id <integer>
            set bssid <mac-address>
            set ssid <string>
            set status {rogue | accepted | suppressed}
        end

Description
Configuration                 Description                                               Default Value
id                            AP ID.
bssid                         AP's BSSID.                                               00:00:00:00:00:00
ssid                          AP's SSID.                                                (Empty)
status                        AP status.                                                rogue

wireless-controller/global

CLI Syntax
    config wireless-controller global
        edit <name_str>
            set name <string>
            set location <string>
            set max-retransmit <integer>
            set data-ethernet-II {enable | disable}
            set link-aggregation {enable | disable}
            set mesh-eth-type <integer>
            set fiapp-eth-type <integer>
            set discovery-mc-addr <ipv4-address-multicast>
            set max-clients <integer>
            set rogue-scan-mac-adjacency <integer>
            set ap-log-server {enable | disable}
            set ap-log-server-ip <ipv4-address>
            set ap-log-server-port <integer>
        end

Description
Configuration                 Description                                               Default Value
name                          Name.                                                     (Empty)
location                      Location.                                                 (Empty)
max-retransmit                Maximum number of retransmissions for tunnel packets.
data-ethernet-II              Enable/disable Ethernet II frame type for 802.3 data      disable
                              tunnel mode.
link-aggregation              Enable/disable CAPWAP transmit hash calculation for       disable
                              selecting link aggregation slaves.
mesh-eth-type                 Ethernet type for wireless backhaul tunnel packets.       8755
fiapp-eth-type                Ethernet type for Fortinet Inter-Access Point Protocol    5252
                              (IAPP) packets.
discovery-mc-addr             Discovery multicast address.                              224.0.1.140
max-clients                   Maximum number of stations supported by the AC.
rogue-scan-mac-adjacency      Range of numerical difference between an AP's Ethernet    7
                              MAC and its BSSID, given the identical OUI (default = 7).
ap-log-server                 Enable/disable AP log server.                             disable
ap-log-server-ip              AP log server IP address.                                 0.0.0.0
ap-log-server-port            AP log server port.

wireless-controller/setting

CLI Syntax
    config wireless-controller setting
        edit <name_str>
            set account-id <string>
            set country {NA | AL | DZ | AO | AR | AM | AT | AZ | BH | BD | BB | BY | BE | BZ | BO | BA | BR | BN |
                BG | KH | CL | CN | CO | CR | HR | CY | CZ | DK | DO | EC | EG | SV | EE | FI | FR | GE | DE | GR |
                GL | GD | GU | GT | HT | HN | HK | HU | IS | IN | ID | IR | IE | IL | IT | JM | JO | KZ | KE | KP |
                KR | KW | LV | LB | LI | LT | LU | MO | MK | MY | MT | MX | MC | MA | MZ | NP | NL | AN | AW | NZ |
                NO | OM | PK | PA | PG | PY | PE | PH | PL | PT | PR | QA | RO | RU | RW | SA | RS | ME | SG | SK |
                SI | ZA | ES | LK | SE | SD | CH | SY | TW | TH | TT | TN | TR | AE | UA | GB | US | PS | UY | UZ |
                VE | VN | YE | ZW | JP | AU | CA}
        end

Description
Configuration                 Description                                               Default Value
account-id                    FortiCloud customer account ID.                           (Empty)
country                       Country.                                                  US

wireless-controller/timers

CLI Syntax
    config wireless-controller timers
        edit <name_str>
            set echo-interval <integer>
            set discovery-interval <integer>
            set client-idle-timeout <integer>
            set rogue-ap-log <integer>
            set fake-ap-log <integer>
            set darrp-optimize <integer>
            set darrp-day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
            config darrp-time
                edit <name_str>
                    set time <string>
                end
            set sta-stats-interval <integer>
            set vap-stats-interval <integer>
            set radio-stats-interval <integer>
            set sta-capability-interval <integer>
            set sta-locate-timer <integer>
        end

Description
Configuration                 Description                                               Default Value
echo-interval                 Interval before the WTP sends an Echo Request after       30
                              joining the AC (1 - 255 sec, default = 30).
discovery-interval            Interval between Discovery Requests (2 - 180 sec,         5
                              default = 5).
client-idle-timeout           Wireless station idle timeout (0 = no idle check,         300
                              20 - 3600 sec, default = 300).
rogue-ap-log                  Rogue AP periodic log reporting interval (default =       0
                              0 min).
fake-ap-log                   Fake AP periodic log reporting interval (default =        1
                              1 min).
darrp-optimize                DARRP optimization interval (default = 1800 sec).         1800
darrp-day                     Weekday on which DARRP optimization is executed.          (Empty)
darrp-time                    Time at which DARRP optimization is executed (up to 8     (Empty)
                              time points).
sta-stats-interval            Interval at which the WTP sends station statistics        1
                              (1 - 255 sec, default = 1).
vap-stats-interval            Interval at which the WTP sends VAP statistics            15
                              (1 - 255 sec, default = 15).
radio-stats-interval          Interval at which the WTP sends radio statistics          15
                              (1 - 255 sec, default = 15).
sta-capability-interval       Interval at which the WTP sends station capability        30
                              information (1 - 255 sec, default = 30).
sta-locate-timer              Interval at which the WTP flushes station presence        1800
                              (default = 1800 sec).

wireless-controller/vap

CLI Syntax
    config wireless-controller vap
        edit <name_str>
            set name <string>
            set vdom <string>
            set fast-roaming {enable | disable}
            set external-fast-roaming {enable | disable}
            set mesh-backhaul {enable | disable}
            set max-clients <integer>
            set max-clients-ap <integer>
            set ssid <string>
            set broadcast-ssid {enable | disable}
            set security-obsolete-option {enable | disable}
            set security {open | captive-portal | wep64 | wep128 | wpa-personal | wpa-personal+captive-portal |
                wpa-enterprise | wpa-only-personal | wpa-only-personal+captive-portal | wpa-only-enterprise |
                wpa2-only-personal | wpa2-only-personal+captive-portal | wpa2-only-enterprise}
            set pmf {disable | enable | optional}
            set pmf-assoc-comeback-timeout <integer>
            set pmf-sa-query-retry-timeout <integer>
            set okc {disable | enable}
            set tkip-counter-measure {enable | disable}
            set external-web <string>
            set external-logout <string>
            set radius-mac-auth {enable | disable}
            set radius-mac-auth-server <string>
            set auth {psk | radius | usergroup}
            set encrypt {TKIP | AES | TKIP-AES}
            set keyindex <integer>
            set key <password>
            set passphrase <password>
            set radius-server <string>
            set acct-interim-interval <integer>
            config usergroup
                edit <name_str>
                    set name <string>
                end
            set portal-message-override-group <string>
            config portal-message-overrides
                edit <name_str>
                    set auth-disclaimer-page <string>
                    set auth-reject-page <string>
                    set auth-login-page <string>
                    set auth-login-failed-page <string>
                end
            set portal-type {auth | auth+disclaimer | disclaimer | email-collect}
            config selected-usergroups
                edit <name_str>
                    set name <string>
                end
            set security-exempt-list <string>
            set security-redirect-url <string>
            set intra-vap-privacy {enable | disable}
            set schedule <string>
            set local-standalone {enable | disable}
            set local-standalone-nat {enable | disable}
            set ip <ipv4-classnet-host>
            set local-bridging {enable | disable}
            set split-tunneling {enable | disable}
            set local-authentication {enable | disable}
            set vlanid <integer>
            set vlan-auto {enable | disable}
            set dynamic-vlan {enable | disable}
            set alias <string>
            set multicast-rate {0 | 6000 | 12000 | 24000}
            set multicast-enhance {enable | disable}
            set broadcast-suppression {dhcp-up | dhcp-down | dhcp-starvation | arp-known | arp-unknown |
                arp-reply | arp-poison | arp-proxy | netbios-ns | netbios-ds | ipv6 | all-other-mc | all-other-bc}
            set me-disable-thresh <integer>
            set probe-resp-suppression {enable | disable}
            set probe-resp-threshold <string>
            set vlan-pooling {wtp-group | round-robin | hash | disable}
            config vlan-pool
                edit <name_str>
                    set id <integer>
                    set wtp-group <string>
                end
            set ptk-rekey {enable | disable}
            set ptk-rekey-intv <integer>
            set gtk-rekey {enable | disable}
            set gtk-rekey-intv <integer>
            set eap-reauth {enable | disable}
            set eap-reauth-intv <integer>
            set rates-11a {1 | 1-basic | 2 | 2-basic | 5.5 | 5.5-basic | 11 | 11-basic | 6 | 6-basic | 9 |
                9-basic | 12 | 12-basic | 18 | 18-basic | 24 | 24-basic | 36 | 36-basic | 48 | 48-basic | 54 |
                54-basic}
            set rates-11bg {1 | 1-basic | 2 | 2-basic | 5.5 | 5.5-basic | 11 | 11-basic | 6 | 6-basic | 9 |
                9-basic | 12 | 12-basic | 18 | 18-basic | 24 | 24-basic | 36 | 36-basic | 48 | 48-basic | 54 |
                54-basic}
            set rates-11n-ss12 {mcs0/1 | mcs1/1 | mcs2/1 | mcs3/1 | mcs4/1 | mcs5/1 | mcs6/1 | mcs7/1 |
                mcs8/2 | mcs9/2 | mcs10/2 | mcs11/2 | mcs12/2 | mcs13/2 | mcs14/2 | mcs15/2}
            set rates-11n-ss34 {mcs16/3 | mcs17/3 | mcs18/3 | mcs19/3 | mcs20/3 | mcs21/3 | mcs22/3 |
                mcs23/3 | mcs24/4 | mcs25/4 | mcs26/4 | mcs27/4 | mcs28/4 | mcs29/4 | mcs30/4 | mcs31/4}
            set rates-11ac-ss12 {mcs0/1 | mcs1/1 | mcs2/1 | mcs3/1 | mcs4/1 | mcs5/1 | mcs6/1 | mcs7/1 |
                mcs8/1 | mcs9/1 | mcs0/2 | mcs1/2 | mcs2/2 | mcs3/2 | mcs4/2 | mcs5/2 | mcs6/2 | mcs7/2 |
                mcs8/2 | mcs9/2}
            set rates-11ac-ss34 {mcs0/3 | mcs1/3 | mcs2/3 | mcs3/3 | mcs4/3 | mcs5/3 | mcs6/3 | mcs7/3 |
                mcs8/3 | mcs9/3 | mcs0/4 | mcs1/4 | mcs2/4 | mcs3/4 | mcs4/4 | mcs5/4 | mcs6/4 | mcs7/4 |
                mcs8/4 | mcs9/4}
            set mac-filter {enable | disable}
            set mac-filter-policy-other {allow | deny}
            config mac-filter-list
                edit <name_str>
                    set id <integer>
                    set mac <mac-address>
                    set mac-filter-policy {allow | deny}
                end
        end

Description
Configuration                 Description                                               Default Value
name                          Virtual AP name.                                          (Empty)
vdom                          Owning VDOM.                                              (Empty)
fast-roaming                  Enable/disable fast roaming.                              enable
external-fast-roaming         Enable/disable fast roaming with external non-managed     disable
                              APs.
mesh-backhaul                 Enable/disable mesh backhaul.                             disable
max-clients                   Maximum number of STAs supported by the VAP.
max-clients-ap                Maximum number of STAs supported by the VAP (per AP
                              radio).
ssid                          IEEE 802.11 Service Set Identifier.                       fortinet
broadcast-ssid                Enable/disable SSID broadcast in the beacon.              enable
security-obsolete-option      Enable/disable obsolete security options.                 disable
security                      Wireless access security of the SSID.                     wpa2-only-personal
pmf                           Protected Management Frames (PMF) support.                disable
pmf-assoc-comeback-timeout    PMF association comeback maximum timeout (1 - 20 sec).
pmf-sa-query-retry-timeout    PMF SA query retry timeout interval (1 - 5, in 100s of
                              msec).
okc                           Enable/disable Opportunistic Key Caching (OKC).           enable
tkip-counter-measure          Enable/disable TKIP countermeasures.                      enable
external-web                  URL of external authentication web server.                (Empty)
external-logout               URL of external authentication logout server.             (Empty)
radius-mac-auth               Enable/disable RADIUS-based MAC authentication.           disable
radius-mac-auth-server        RADIUS-based MAC authentication server.                   (Empty)
auth                          Authentication protocol.                                  psk
encrypt                       Data encryption.                                          AES
keyindex                      WEP key index (1 - 4).
key                           WEP key.                                                  (Empty)
passphrase                    Pre-shared key for WPA.                                   (Empty)
radius-server                 WiFi RADIUS server.                                       (Empty)
acct-interim-interval         WiFi RADIUS accounting interim interval (60 - 86400 sec,  0
                              default = 0).
usergroup                     Selected user group.                                      (Empty)
portal-message-override-group Captive portal replacement message override group.        (Empty)
portal-message-overrides      Individual message overrides.                             Details below
    Configuration             Default Value
    auth-disclaimer-page      (Empty)
    auth-reject-page          (Empty)
    auth-login-page           (Empty)
    auth-login-failed-page    (Empty)
portal-type                   Captive portal type.                                      auth
selected-usergroups           Selected user groups.                                     (Empty)
security-exempt-list          Security exempt list name.                                (Empty)
security-redirect-url         URL redirection after disclaimer/authentication.          (Empty)
intra-vap-privacy             Enable/disable intra-SSID privacy.                        disable
schedule                      VAP schedule name.                                        (Empty)
local-standalone              Enable/disable AP local standalone.                       disable
local-standalone-nat          Enable/disable AP local standalone NAT mode.              disable
ip                            IP address and subnet mask for the local standalone NAT   0.0.0.0 0.0.0.0
                              subnet.
local-bridging                Enable/disable FortiAP local VAP-to-Ethernet bridge.      disable
split-tunneling               Enable/disable split tunneling.                           disable
local-authentication          Enable/disable AP local authentication.                   disable
vlanid                        Optional VLAN ID.
vlan-auto                     Enable/disable automatic management of the SSID VLAN      disable
                              interface.
dynamic-vlan                  Enable/disable dynamic VLAN assignment.                   disable
alias                         Alias.                                                    (Empty)
multicast-rate                Multicast rate (kbps).
multicast-enhance             Enable/disable multicast enhancement.                     disable
broadcast-suppression         Suppress broadcast frames from WiFi clients.              dhcp-up arp-known
me-disable-thresh             Number of multicast clients above which multicast         32
                              enhancement is disabled.
probe-resp-suppression        Enable/disable probe response suppression.                disable
probe-resp-threshold          Threshold at which FortiAP responds to probe requests     -80
                              (client signal level must be no lower than this value).
vlan-pooling                  VLAN pooling mode (wtp-group, round-robin, hash, or       disable
                              disable).
vlan-pool                     VLAN pool.                                                (Empty)
ptk-rekey                     Enable/disable PTK rekey for WPA-Enterprise security.     disable
ptk-rekey-intv                PTK rekey interval (1800 - 864000 sec, default = 86400).  86400
gtk-rekey                     Enable/disable GTK rekey for WPA security.                disable
gtk-rekey-intv                GTK rekey interval (1800 - 864000 sec, default = 86400).  86400
eap-reauth                    Enable/disable EAP re-authentication for WPA-Enterprise   disable
                              security.
eap-reauth-intv               EAP re-authentication interval (1800 - 864000 sec,        86400
                              default = 86400).
rates-11a                     Configure allowed data rates for 802.11a.                 (Empty)
rates-11bg                    Configure allowed data rates for 802.11b/g.               (Empty)
rates-11n-ss12                Configure allowed data rates for 802.11n with 1 or 2      (Empty)
                              spatial streams.
rates-11n-ss34                Configure allowed data rates for 802.11n with 3 or 4      (Empty)
                              spatial streams.
rates-11ac-ss12               Configure allowed data rates for 802.11ac with 1 or 2     (Empty)
                              spatial streams.
rates-11ac-ss34               Configure allowed data rates for 802.11ac with 3 or 4     (Empty)
                              spatial streams.
mac-filter                    Enable/disable MAC filtering.                             disable
mac-filter-policy-other       Deny or allow STAs whose MAC addresses are not in the     allow
                              filter list.
mac-filter-list               MAC filter list.                                          (Empty)

wireless-controller/vap-group

CLI Syntax
    config wireless-controller vap-group
        edit <name_str>
            set name <string>
            set comment <var-string>
            config vaps
                edit <name_str>
                    set name <string>
                end
        end

Description
Configuration                 Description                                               Default Value
name                          Group name.                                               (Empty)
comment                       Comment.                                                  (Empty)
vaps                          Selected list of SSIDs to be included in the group.       (Empty)

wireless-controller/wids-profile

CLI Syntax
    config wireless-controller wids-profile
        edit <name_str>
            set name <string>
            set comment <string>
            set ap-scan {disable | enable}
            set ap-bgscan-period <integer>
            set ap-bgscan-intv <integer>
            set ap-bgscan-duration <integer>
            set ap-bgscan-idle <integer>
            set ap-bgscan-report-intv <integer>
            set ap-bgscan-disable-day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
            set ap-bgscan-disable-start <user>
            set ap-bgscan-disable-end <user>
            set ap-fgscan-report-intv <integer>
            set ap-scan-passive {enable | disable}
            set rogue-scan {enable | disable}
            set ap-auto-suppress {enable | disable}
            set wireless-bridge {enable | disable}
            set deauth-broadcast {enable | disable}
            set null-ssid-probe-resp {enable | disable}
            set long-duration-attack {enable | disable}
            set long-duration-thresh <integer>
            set invalid-mac-oui {enable | disable}
            set weak-wep-iv {enable | disable}
            set auth-frame-flood {enable | disable}
            set auth-flood-time <integer>
            set auth-flood-thresh <integer>
            set assoc-frame-flood {enable | disable}
            set assoc-flood-time <integer>
            set assoc-flood-thresh <integer>
            set spoofed-deauth {enable | disable}
            set asleap-attack {enable | disable}
            set eapol-start-flood {enable | disable}
            set eapol-start-thresh <integer>
            set eapol-start-intv <integer>
            set eapol-logoff-flood {enable | disable}
            set eapol-logoff-thresh <integer>
            set eapol-logoff-intv <integer>
            set eapol-succ-flood {enable | disable}
            set eapol-succ-thresh <integer>
            set eapol-succ-intv <integer>
            set eapol-fail-flood {enable | disable}
            set eapol-fail-thresh <integer>
            set eapol-fail-intv <integer>
            set eapol-pre-succ-flood {enable | disable}
            set eapol-pre-succ-thresh <integer>
            set eapol-pre-succ-intv <integer>
            set eapol-pre-fail-flood {enable | disable}
            set eapol-pre-fail-thresh <integer>
            set eapol-pre-fail-intv <integer>
            set deauth-unknown-src-thresh <integer>
        end

Description
Configuration                 Description                                               Default Value
name                          WIDS profile name.                                        (Empty)
comment                       Comment.                                                  (Empty)
ap-scan                       Enable/disable AP scan.                                   disable
ap-bgscan-period              Interval between two rounds of scanning (60 - 3600 sec).  600
ap-bgscan-intv                Interval between two scanning channels (1 - 600 sec).
ap-bgscan-duration            Listening time on a scanning channel (10 - 1000 msec).    20
ap-bgscan-idle                Channel idle time before scanning a channel (0 - 1000
                              msec).
ap-bgscan-report-intv         Interval between two background scan reports (15 - 600    30
                              sec).
ap-bgscan-disable-day         Weekday on which background scan is disabled.             (Empty)
ap-bgscan-disable-start       Start time at which background scan is disabled.          00:00
ap-bgscan-disable-end         End time at which background scan is disabled.            00:00
ap-fgscan-report-intv         Interval between two foreground scan reports (15 - 600    15
                              sec).
ap-scan-passive               Enable/disable passive scan on all channels.              disable
rogue-scan                    Enable/disable rogue AP on-wire scan.                     disable
ap-auto-suppress              Enable/disable on-wire rogue AP auto-suppress.            disable
wireless-bridge               Enable/disable wireless bridge detection.                 disable
deauth-broadcast              Enable/disable broadcast de-authentication detection.     disable
null-ssid-probe-resp          Enable/disable null SSID probe response detection.        disable
long-duration-attack          Enable/disable long duration attack detection based on    disable
                              the user-configured threshold.
long-duration-thresh          Threshold value (usec) for long duration attack           8200
                              detection.
invalid-mac-oui               Enable/disable invalid MAC OUI detection.                 disable
weak-wep-iv                   Enable/disable weak WEP IV (Initialization Vector)        disable
                              detection.
auth-frame-flood              Enable/disable authentication frame flooding detection.   disable
auth-flood-time               Number of seconds after which an STA is considered not    10
                              connected.
auth-flood-thresh             Threshold value for authentication flooding.              30
assoc-frame-flood             Enable/disable association frame flooding detection.      disable
assoc-flood-time              Number of seconds after which an STA is considered not    10
                              connected.
assoc-flood-thresh            Threshold value for association flooding.                 30
spoofed-deauth                Enable/disable spoofed de-authentication attack           disable
                              detection.
asleap-attack                 Enable/disable asleap attack detection.                   disable
eapol-start-flood             Enable/disable EAPOL-Start flooding (to AP) detection.    disable
eapol-start-thresh            Threshold value for EAPOL-Start flooding in the           10
                              specified interval.
eapol-start-intv              Detection interval for EAPOL-Start flooding (sec).
eapol-logoff-flood            Enable/disable EAPOL-Logoff flooding (to AP) detection.   disable
eapol-logoff-thresh           Threshold value for EAPOL-Logoff flooding in the          10
                              specified interval.
eapol-logoff-intv             Detection interval for EAPOL-Logoff flooding (sec).
eapol-succ-flood              Enable/disable EAPOL-Success flooding (to AP)             disable
                              detection.
eapol-succ-thresh             Threshold value for EAPOL-Success flooding in the         10
                              specified interval.
eapol-succ-intv               Detection interval for EAPOL-Success flooding (sec).
eapol-fail-flood              Enable/disable EAPOL-Failure flooding (to AP)             disable
                              detection.
eapol-fail-thresh             Threshold value for EAPOL-Failure flooding in the         10
                              specified interval.
eapol-fail-intv               Detection interval for EAPOL-Failure flooding (sec).
eapol-pre-succ-flood          Enable/disable premature EAPOL-Success flooding (to STA)  disable
                              detection.
eapol-pre-succ-thresh         Threshold value for premature EAPOL-Success flooding in   10
                              the specified interval.
eapol-pre-succ-intv           Detection interval for premature EAPOL-Success flooding
                              (sec).
eapol-pre-fail-flood          Enable/disable premature EAPOL-Failure flooding (to STA)  disable
                              detection.
eapol-pre-fail-thresh         Threshold value for premature EAPOL-Failure flooding in   10
                              the specified interval.
eapol-pre-fail-intv           Detection interval for premature EAPOL-Failure flooding
                              (sec).
deauth-unknown-src-thresh     Threshold per second for de-authenticating unknown        10
                              sources, for DoS attack detection (0 = no limit).
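The eapol-*-thresh / eapol-*-intv pairs above describe a count-within-interval rule: more than the threshold number of frames of one EAPOL type from one source inside the detection interval is a flood. The following is an added example of that rule as detection logic over a frame trace; it is not FortiOS code and does not reproduce the controller's implementation. The thresholds are the defaults listed in the table (10); the 10-second intervals are an assumption, because the reference lists no default for the *-intv settings; FRAMES is a constructed trace rather than a capture; alerting once per (type, source) until the window empties is this example's own choice.

```python
"""Sliding-window EAPOL flood detection in the shape of the WIDS
eapol-*-thresh / eapol-*-intv settings (added example, not FortiOS code)."""
from collections import defaultdict, deque

# CLI reference defaults: eapol-start/logoff/succ/fail-thresh = 10 frames
THRESHOLDS = {"start": 10, "logoff": 10, "succ": 10, "fail": 10}
# Assumed detection intervals in seconds; the reference documents no default.
INTERVALS = {"start": 10.0, "logoff": 10.0, "succ": 10.0, "fail": 10.0}


class EapolFloodDetector:
    """One sliding window per (EAPOL type, source MAC): alert when more than
    thresh frames of that type arrive from that source within intv seconds."""

    def __init__(self, thresholds=THRESHOLDS, intervals=INTERVALS):
        self.thresholds = thresholds
        self.intervals = intervals
        self.windows = defaultdict(deque)   # (kind, src) -> timestamps in window
        self.alerted = set()                # keys already reported for this burst
        self.alerts = []                    # (ts, src, kind, frames_in_window)

    def observe(self, ts, src, kind):
        """Feed one frame (timestamps must be non-decreasing). Returns the
        alert tuple if this frame crossed the threshold, otherwise None."""
        if kind not in self.thresholds:
            return None
        key = (kind, src)
        win = self.windows[key]
        win.append(ts)
        while win and ts - win[0] > self.intervals[kind]:
            win.popleft()                   # drop frames older than the interval
        if len(win) <= 1:
            self.alerted.discard(key)       # burst is over: re-arm the alert
        if len(win) > self.thresholds[kind] and key not in self.alerted:
            self.alerted.add(key)
            alert = (ts, src, kind, len(win))
            self.alerts.append(alert)
            return alert
        return None


def constructed_frames():
    """Constructed trace of (timestamp_sec, source_mac, eapol_type); not a capture."""
    frames = [(0.0, "aa:bb:cc:00:00:01", "start"),
              (30.0, "aa:bb:cc:00:00:01", "start")]        # a normal re-association
    frames += [(40.0 + i * 0.1, "de:ad:be:ef:00:01", "start")
               for i in range(25)]                          # 25 EAPOL-Start in 2.4 s
    frames += [(50.0 + i * 0.1, "de:ad:be:ef:00:02", "logoff")
               for i in range(5)]                           # 5 EAPOL-Logoff: under threshold
    return sorted(frames)


def run(frames=None):
    """Run the detector over a trace and return the alerts it raised."""
    det = EapolFloodDetector()
    for ts, src, kind in frames or constructed_frames():
        det.observe(ts, src, kind)
    return det.alerts


if __name__ == "__main__":
    for ts, src, kind, n in run():
        print(f"t={ts:.1f}s {src} eapol-{kind}-flood: {n} frames within {INTERVALS[kind]:.0f}s")
```

On the constructed trace only the 25-frame EAPOL-Start burst trips the rule, at its 11th frame; the two legitimate EAPOL-Start frames are 30 s apart and never share a window, and five EAPOL-Logoff frames stay under the threshold of 10.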
wireless-controller/wtp

CLI Syntax
    config wireless-controller wtp
        edit <name_str>
            set wtp-id <string>
            set index <integer>
            set admin {discovered | disable | enable}
            set name <string>
            set location <string>
            set wtp-mode {normal | remote}
            set wtp-profile <string>
            set override-led-state {enable | disable}
            set led-state {enable | disable}
            set override-wan-port-mode {enable | disable}
            set wan-port-mode {wan-lan | wan-only}
            set override-ip-fragment {enable | disable}
            set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}
            set tun-mtu-uplink <integer>
            set tun-mtu-downlink <integer>
            set override-split-tunnel {enable | disable}
            set split-tunneling-acl-local-ap-subnet {enable | disable}
            config split-tunneling-acl
                edit <name_str>
                    set id <integer>
                    set dest-ip <ipv4-classnet>
                end
            set override-lan {enable | disable}
            config lan
                edit <name_str>
                    set port-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                    set port-ssid <string>
                    set port1-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                    set port1-ssid <string>
                    set port2-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                    set port2-ssid <string>
                    set port3-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                    set port3-ssid <string>
                    set port4-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                    set port4-ssid <string>
                    set port5-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                    set port5-ssid <string>
                    set port6-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                    set port6-ssid <string>
                    set port7-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                    set port7-ssid <string>
                    set port8-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                    set port8-ssid <string>
                end
            set override-allowaccess {enable | disable}
            set allowaccess {telnet | http | https | ssh}
            set override-login-passwd-change {enable | disable}
            set login-passwd-change {yes | default | no}
            set login-passwd <password>
            config radio-1
                edit <name_str>
                    set radio-id <integer>
                    set override-band {enable | disable}
                    set band {802.11a | 802.11b | 802.11g | 802.11n | 802.11n-5G | 802.11n,g-only |
                        802.11g-only | 802.11n-only | 802.11n-5G-only | 802.11ac | 802.11ac,n-only |
                        802.11ac-only}
                    set override-analysis {enable | disable}
                    set spectrum-analysis {enable | disable}
                    set override-txpower {enable | disable}
                    set auto-power-level {enable | disable}
                    set auto-power-high <integer>
                    set auto-power-low <integer>
                    set power-level <integer>
                    set override-vaps {enable | disable}
                    set vap-all {enable | disable}
                    config vaps
                        edit <name_str>
                            set name <string>
                        end
                    set override-channel {enable | disable}
                    config channel
                        edit <name_str>
                            set chan <string>
                        end
                end
            config radio-2
                edit <name_str>
                    set radio-id <integer>
                    set override-band {enable | disable}
                    set band {802.11a | 802.11b | 802.11g | 802.11n | 802.11n-5G | 802.11n,g-only |
                        802.11g-only | 802.11n-only | 802.11n-5G-only | 802.11ac | 802.11ac,n-only |
                        802.11ac-only}
                    set override-analysis {enable | disable}
                    set spectrum-analysis {enable | disable}
                    set override-txpower {enable | disable}
                    set auto-power-level {enable | disable}
                    set auto-power-high <integer>
                    set auto-power-low <integer>
                    set power-level <integer>
                    set override-vaps {enable | disable}
                    set vap-all {enable | disable}
                    config vaps
                        edit <name_str>
                            set name <string>
                        end
                    set override-channel {enable | disable}
                    config channel
                        edit <name_str>
                            set chan <string>
                        end
                end
            set image-download {enable | disable}
            set mesh-bridge-enable {default | enable | disable}
            set coordinate-enable {enable | disable}
            set coordinate-x <string>
            set coordinate-y <string>
        end

Description
Configuration                 Description                                               Default Value
wtp-id                        WTP ID.                                                   (Empty)
index                         Index (0 - 4294967295).
admin                         Admin status.                                             enable
name                          WTP name.                                                 (Empty)
location                      WTP location.                                             (Empty)
wtp-mode                      WTP mode.                                                 normal
wtp-profile                   WTP profile name.                                         (Empty)
override-led-state            Enable/disable override of LED state.                     disable
led-state                     Enable/disable use of LEDs on the WTP.                    enable
override-wan-port-mode        Enable/disable override of wan-port-mode.                 disable
wan-port-mode                 Enable/disable use of the WAN port as a LAN port.         wan-only
override-ip-fragment          Enable/disable override of IP fragment prevention.        disable
ip-fragment-preventing        Prevent IP fragmentation for CAPWAP tunnelled control     tcp-mss-adjust
                              and data packets.
tun-mtu-uplink                Uplink tunnel MTU.
tun-mtu-downlink              Downlink tunnel MTU.
override-split-tunnel         Enable/disable override of split tunneling.               disable
split-tunneling-acl-local-ap-subnet
                              Enable/disable split tunneling ACL local AP subnet.       disable
split-tunneling-acl           Split tunneling ACL filter list.                          (Empty)
override-lan                  Enable/disable override of the WTP LAN port.              disable
lan                           WTP LAN port mapping.                                     Details below
    Configuration             Default Value
    port-mode                 offline
    port-ssid                 (Empty)
    port1-mode                offline
    port1-ssid                (Empty)
    port2-mode                offline
    port2-ssid                (Empty)
    port3-mode                offline
    port3-ssid                (Empty)
    port4-mode                offline
    port4-ssid                (Empty)
    port5-mode                offline
    port5-ssid                (Empty)
    port6-mode                offline
    port6-ssid                (Empty)
    port7-mode                offline
    port7-ssid                (Empty)
    port8-mode                offline
    port8-ssid                (Empty)
override-allowaccess          Enable/disable override of management access to the       disable
                              managed AP.
allowaccess                   Allowed management access to the managed AP.              (Empty)
override-login-passwd-change  Enable/disable override of the login password of the      disable
                              managed AP.
login-passwd-change           Configuration options for the login password of the       no
                              managed AP.
login-passwd                  Login password of the managed AP.                         (Empty)
radio-1                       Radio 1.                                                  Details below
    Configuration             Default Value
    radio-id                  0
    override-band             disable
    band                      (Empty)
    override-analysis         disable
    spectrum-analysis         disable
    override-txpower          disable
    auto-power-level          disable
    auto-power-high           17
    auto-power-low            10
    power-level               100
    override-vaps             disable
    vap-all                   enable
    vaps                      (Empty)
    override-channel          disable
    channel                   (Empty)
radio-2                       Radio 2.                                                  Details below
    Configuration             Default Value
    radio-id                  1
    override-band             disable
    band                      (Empty)
    override-analysis         disable
    spectrum-analysis         disable
    override-txpower          disable
    auto-power-level          disable
    auto-power-high           17
    auto-power-low            10
    power-level               100
    override-vaps             disable
    vap-all                   enable
    vaps                      (Empty)
    override-channel          disable
    channel                   (Empty)
image-download                Enable/disable WTP image download.                        enable
mesh-bridge-enable            Enable/disable mesh Ethernet bridge when the WTP is       default
                              configured as a mesh branch/leaf AP.
coordinate-enable             Enable/disable WTP coordinates.                           disable
coordinate-x                  X axis coordinate.
coordinate-y                  Y axis coordinate.
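The wireless-controller/vap table above documents the settings that decide what a client's traffic looks like on the air (security, encrypt, pmf, security-obsolete-option, intra-vap-privacy), and the wireless-controller/wtp table documents how a managed AP itself can be reached (allowaccess, login-passwd-change). The following is an added example, not FortiOS code, that parses a configuration dump in the "config / edit / set / next / end" layout and judges those settings against the defaults the two tables list. SAMPLE_CONFIG is constructed (the entry names and the AP serial are made up), the parser handles only that plain layout, and the rules in audit() are this example's own reading of the tables, not a Fortinet recommendation.

```python
"""Audit wireless-controller vap / wtp settings from a FortiOS-style config dump
(added example; not FortiOS code, sample config and rules are the author's)."""

# Constructed sample in the layout of a `show` dump; all names are made up.
SAMPLE_CONFIG = """\
config wireless-controller vap
    edit "guest-wifi"
        set ssid "Guest"
        set security open
    next
    edit "corp-legacy"
        set ssid "Corp"
        set security wpa-personal
        set encrypt TKIP-AES
        set passphrase ENC xxxx
    next
    edit "corp-8021x"
        set ssid "Corp-1X"
        set security wpa2-only-enterprise
        set encrypt AES
        set pmf enable
        set auth radius
        set radius-server "corp-radius"
    next
end
config wireless-controller wtp
    edit "FP221C3X14000001"
        set admin enable
        set override-allowaccess enable
        set allowaccess telnet http ssh
        set override-login-passwd-change enable
        set login-passwd-change no
    next
end
"""

# security values from the CLI reference that put no (or only WEP) encryption on the air
NO_CRYPTO = {"open", "captive-portal", "wep64", "wep128"}


def parse_config(text):
    """Return {table: {entry: {setting: [values]}}} for a config dump.

    Nested "config ... end" blocks are tracked with a path stack; a "set"
    line with no enclosing "edit" is stored under the empty entry name.
    """
    tables, path, entries = {}, [], []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        key = " > ".join(path)
        if tok[0] == "config":
            path.append(" ".join(tok[1:]))
        elif tok[0] == "edit":
            entries.append(" ".join(tok[1:]).strip('"'))
            tables.setdefault(key, {}).setdefault(entries[-1], {})
        elif tok[0] == "set":
            entry = entries[-1] if entries else ""
            vals = [v.strip('"') for v in tok[2:]]
            tables.setdefault(key, {}).setdefault(entry, {})[tok[1]] = vals
        elif tok[0] == "next":
            entries.pop()
        elif tok[0] == "end":
            path.pop()
    return tables


def audit(tables):
    """Return (entry, message) findings. Absent settings are judged at the
    defaults the CLI reference lists: security wpa2-only-personal, encrypt AES,
    pmf disable, intra-vap-privacy disable, login-passwd-change no."""
    findings = []
    for name, s in tables.get("wireless-controller vap", {}).items():
        sec = s.get("security", ["wpa2-only-personal"])[0]
        enc = s.get("encrypt", ["AES"])[0]
        pmf = s.get("pmf", ["disable"])[0]
        if sec in NO_CRYPTO:
            findings.append((name, f"security={sec}: client traffic is unencrypted or WEP on the air"))
            if s.get("intra-vap-privacy", ["disable"])[0] == "disable":
                findings.append((name, "intra-vap-privacy=disable on an unencrypted SSID: clients can reach each other"))
        else:
            if sec.startswith("wpa-") or "TKIP" in enc:   # wpa-* modes and TKIP-AES still accept WPA/TKIP
                findings.append((name, f"security={sec} encrypt={enc}: WPA/TKIP still accepted; use wpa2-only-* with AES"))
            if pmf != "enable":
                findings.append((name, f"pmf={pmf}: management frames unprotected, spoofed deauth is accepted"))
        if s.get("security-obsolete-option", ["disable"])[0] == "enable":
            findings.append((name, "security-obsolete-option=enable: obsolete security options are selectable"))
    for name, s in tables.get("wireless-controller wtp", {}).items():
        access = set(s.get("allowaccess", []))
        if access & {"telnet", "http"}:
            findings.append((name, "allowaccess permits telnet/http: AP management in clear text"))
        if access and s.get("login-passwd-change", ["no"])[0] != "yes":
            findings.append((name, "management access is open but login-passwd-change is not 'yes'"))
    return findings


def run(text=SAMPLE_CONFIG):
    """Parse and audit a config dump; returns the list of findings."""
    return audit(parse_config(text))


if __name__ == "__main__":
    for entry, msg in run():
        print(f"{entry}: {msg}")
```

On the constructed sample the open guest SSID and the mixed-mode WPA SSID each produce two findings, the WPA2-only AES SSID with pmf enabled produces none, and the AP entry is flagged for clear-text management access and for an unchanged login password; the same functions can be pointed at a real `show wireless-controller vap` / `show wireless-controller wtp` dump.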

wireless-controller/wtp-profile
CLI Syntax
config wireless-controller wtp-profile
edit <name_str>
set name <string>
set comment <var-string>
config platform
edit <name_str>
set type {AP-11N | 220A | 220B | 223B | 210B | 222B | 112B | 320B | 11C | 14C
| 28C | 320C | 221C | 25D | 222C | 224D | 214B | 21D | 24D | 112D | 223C | 321C | S321
C | S322C | S323C | S311C | S313C | S321CR | S322CR | S323CR | S421E | S422E | S423E}
end
set wan-port-mode {wan-lan | wan-only}
config lan
edit <name_str>
set port-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port-ssid <string>
set port1-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port1-ssid <string>
set port2-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port2-ssid <string>
set port3-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port3-ssid <string>
set port4-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port4-ssid <string>
set port5-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port5-ssid <string>
set port6-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port6-ssid <string>
set port7-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port7-ssid <string>
set port8-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port8-ssid <string>
end
set led-state {enable | disable}
set dtls-policy {clear-text | dtls-enabled}
set dtls-in-kernel {enable | disable}
set max-clients <integer>
set handoff-rssi <integer>
set handoff-sta-thresh <integer>
set handoff-roaming {enable | disable}
config deny-mac-list
edit <name_str>
set id <integer>
set mac <mac-address>
end
set ap-country {NA | AL | DZ | AO | AR | AM | AT | AZ | BH | BD | BB | BY | BE | BZ | BO | BA | BR | BN | BG
| KH | CL | CN | CO | CR | HR | CY | CZ | DK | DO | EC | EG | SV | EE | FI | FR | GE | DE | GR | GL | GD | GU
| GT | HT | HN | HK | HU | IS | IN | ID | IR | IE | IL | IT | JM | JO | KZ | KE | KP | KR | KW | LV | LB | LI
| LT | LU | MO | MK | MY | MT | MX | MC | MA | MZ | NP | NL | AN | AW | NZ | NO | OM | PK | PA | PG | PY | PE
| PH | PL | PT | PR | QA | RO | RU | RW | SA | RS | ME | SG | SK | SI | ZA | ES | LK | SE | SD | CH | SY | TW
| TH | TT | TN | TR | AE | UA | GB | US | PS | UY | UZ | VE | VN | YE | ZW | JP | AU | CA}
set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}
set tun-mtu-uplink <integer>
set tun-mtu-downlink <integer>
set split-tunneling-acl-local-ap-subnet {enable | disable}
config split-tunneling-acl
edit <name_str>
set id <integer>
set dest-ip <ipv4-classnet>
end
set allowaccess {telnet | http | https | ssh}
set login-passwd-change {yes | default | no}
set login-passwd <password>
set lldp {enable | disable}
config radio-1
edit <name_str>
set radio-id <integer>
set mode {disabled | ap | monitor | sniffer}
set band {802.11a | 802.11b | 802.11g | 802.11n | 802.11n-5G | 802.11ac | 802.11n,g-only | 802.11g-only | 802.11n-only | 802.11n-5G-only | 802.11ac,n-only | 802.11ac-only}
set protection-mode {rtscts | ctsonly | disable}
set powersave-optimize {tim | ac-vo | no-obss-scan | no-11b-rate | client-rate-follow}
set transmit-optimize {disable | power-save | aggr-limit | retry-limit | sendbar}
set amsdu {enable | disable}
set coexistence {enable | disable}
set short-guard-interval {enable | disable}
set channel-bonding {80MHz | 40MHz | 20MHz}
set auto-power-level {enable | disable}
set auto-power-high <integer>
set auto-power-low <integer>
set power-level <integer>
set dtim <integer>
set beacon-interval <integer>
set rts-threshold <integer>
set frag-threshold <integer>
set ap-sniffer-bufsize <integer>
set ap-sniffer-chan <integer>
set ap-sniffer-addr <mac-address>
set ap-sniffer-mgmt-beacon {enable | disable}
set ap-sniffer-mgmt-probe {enable | disable}
set ap-sniffer-mgmt-other {enable | disable}
set ap-sniffer-ctl {enable | disable}
set ap-sniffer-data {enable | disable}
set spectrum-analysis {enable | disable}
set wids-profile <string>
set darrp {enable | disable}
set max-clients <integer>
set max-distance <integer>
set frequency-handoff {enable | disable}
set ap-handoff {enable | disable}
set vap-all {enable | disable}
config vaps
edit <name_str>
set name <string>
end
config channel
edit <name_str>
set chan <string>
end
end
config radio-2
edit <name_str>
set radio-id <integer>
set mode {disabled | ap | monitor | sniffer}
set band {802.11a | 802.11b | 802.11g | 802.11n | 802.11n-5G | 802.11ac | 802.11n,g-only | 802.11g-only | 802.11n-only | 802.11n-5G-only | 802.11ac,n-only | 802.11ac-only}
set protection-mode {rtscts | ctsonly | disable}
set powersave-optimize {tim | ac-vo | no-obss-scan | no-11b-rate | client-rate-follow}
set transmit-optimize {disable | power-save | aggr-limit | retry-limit | sendbar}
set amsdu {enable | disable}
set coexistence {enable | disable}
set short-guard-interval {enable | disable}
set channel-bonding {80MHz | 40MHz | 20MHz}
set auto-power-level {enable | disable}
set auto-power-high <integer>
set auto-power-low <integer>
set power-level <integer>
set dtim <integer>
set beacon-interval <integer>
set rts-threshold <integer>
set frag-threshold <integer>
set ap-sniffer-bufsize <integer>
set ap-sniffer-chan <integer>
set ap-sniffer-addr <mac-address>
set ap-sniffer-mgmt-beacon {enable | disable}
set ap-sniffer-mgmt-probe {enable | disable}
set ap-sniffer-mgmt-other {enable | disable}
set ap-sniffer-ctl {enable | disable}
set ap-sniffer-data {enable | disable}
set spectrum-analysis {enable | disable}
set wids-profile <string>
set darrp {enable | disable}
set max-clients <integer>
set max-distance <integer>
set frequency-handoff {enable | disable}
set ap-handoff {enable | disable}
set vap-all {enable | disable}
config vaps
edit <name_str>
set name <string>
end
config channel
edit <name_str>
set chan <string>
end
end
config lbs
edit <name_str>
set ekahau-blink-mode {enable | disable}
set ekahau-tag <mac-address>
set erc-server-ip <ipv4-address-any>
set erc-server-port <integer>
set aeroscout {enable | disable}
set aeroscout-server-ip <ipv4-address-any>
set aeroscout-server-port <integer>
set aeroscout-mu-factor <integer>
set aeroscout-mu-timeout <integer>
set fortipresence {enable | disable}
set fortipresence-server <ipv4-address-any>
set fortipresence-port <integer>
set fortipresence-secret <password>
set fortipresence-project <string>
set fortipresence-frequency <integer>
set fortipresence-rogue {enable | disable}
set fortipresence-unassoc {enable | disable}
set station-locate {enable | disable}
end
end

Description
Configuration                          Description                                                              Default Value
name                                   WTP profile name.                                                        (Empty)
comment                                Comment.                                                                 (Empty)
platform                               WTP platform.                                                            Details below
    Configuration                      Default Value
    type                               220B
wan-port-mode                          Enable/disable use of WAN port as LAN port.                              wan-only
lan                                    WTP LAN port mapping.                                                    Details below
    Configuration                      Default Value
    port-mode                          offline
    port-ssid                          (Empty)
    port1-mode                         offline
    port1-ssid                         (Empty)
    port2-mode                         offline
    port2-ssid                         (Empty)
    port3-mode                         offline
    port3-ssid                         (Empty)
    port4-mode                         offline
    port4-ssid                         (Empty)
    port5-mode                         offline
    port5-ssid                         (Empty)
    port6-mode                         offline
    port6-ssid                         (Empty)
    port7-mode                         offline
    port7-ssid                         (Empty)
    port8-mode                         offline
    port8-ssid                         (Empty)
led-state                              Enable/disable use of LEDs on WTP.                                       enable
dtls-policy                            WTP data channel DTLS policy.                                            clear-text
dtls-in-kernel                         Enable/disable data channel DTLS in kernel.                              disable
max-clients                            Maximum number of STAs supported by the WTP.
handoff-rssi                           Minimum RSSI value for handoff.                                          25
handoff-sta-thresh                     Threshold value for AP handoff.                                          30
handoff-roaming                        Enable/disable handoff when a client is roaming.                         enable
deny-mac-list                          Deny MAC filter list.                                                    (Empty)
ap-country                             AP country code.                                                         NA
ip-fragment-preventing                 Prevent IP fragmentation for CAPWAP tunneled control and data packets.   tcp-mss-adjust
tun-mtu-uplink                         Uplink tunnel MTU.
tun-mtu-downlink                       Downlink tunnel MTU.
split-tunneling-acl-local-ap-subnet    Enable/disable split tunneling ACL local AP subnet.                      disable
split-tunneling-acl                    Split tunneling ACL filter list.                                         (Empty)
allowaccess                            Allow management access to managed AP.                                   (Empty)
login-passwd-change                    Configuration options for login password of managed AP.                  no
login-passwd                           Login password of managed AP.                                            (Empty)
lldp                                   Enable/disable LLDP.                                                     disable
radio-1                                Radio 1.                                                                 Details below
    Configuration                      Default Value
    radio-id                           0
    mode                               ap
    band                               (Empty)
    protection-mode                    disable
    powersave-optimize                 (Empty)
    transmit-optimize                  power-save aggr-limit retry-limit send-bar
    amsdu                              enable
    coexistence                        enable
    short-guard-interval               disable
    channel-bonding                    20MHz
    auto-power-level                   disable
    auto-power-high                    17
    auto-power-low                     10
    power-level                        100
    dtim                               1
    beacon-interval                    100
    rts-threshold                      2346
    frag-threshold                     2346
    ap-sniffer-bufsize                 16
    ap-sniffer-chan                    36
    ap-sniffer-addr                    00:00:00:00:00:00
    ap-sniffer-mgmt-beacon             enable
    ap-sniffer-mgmt-probe              enable
    ap-sniffer-mgmt-other              enable
    ap-sniffer-ctl                     enable
    ap-sniffer-data                    enable
    spectrum-analysis                  disable
    wids-profile                       (Empty)
    darrp                              disable
    max-clients                        0
    max-distance                       0
    frequency-handoff                  disable
    ap-handoff                         disable
    vap-all                            enable
    vaps                               (Empty)
    channel                            (Empty)
radio-2                                Radio 2.                                                                 Details below
    Configuration                      Default Value
    radio-id                           1
    mode                               ap
    band                               (Empty)
    protection-mode                    disable
    powersave-optimize                 (Empty)
    transmit-optimize                  power-save aggr-limit retry-limit send-bar
    amsdu                              enable
    coexistence                        enable
    short-guard-interval               disable
    channel-bonding                    20MHz
    auto-power-level                   disable
    auto-power-high                    17
    auto-power-low                     10
    power-level                        100
    dtim                               1
    beacon-interval                    100
    rts-threshold                      2346
    frag-threshold                     2346
    ap-sniffer-bufsize                 16
    ap-sniffer-chan                    6
    ap-sniffer-addr                    00:00:00:00:00:00
    ap-sniffer-mgmt-beacon             enable
    ap-sniffer-mgmt-probe              enable
    ap-sniffer-mgmt-other              enable
    ap-sniffer-ctl                     enable
    ap-sniffer-data                    enable
    spectrum-analysis                  disable
    wids-profile                       (Empty)
    darrp                              disable
    max-clients                        0
    max-distance                       0
    frequency-handoff                  disable
    ap-handoff                         disable
    vap-all                            enable
    vaps                               (Empty)
    channel                            (Empty)
lbs                                    Location based service.                                                  Details below
    Configuration                      Default Value
    ekahau-blink-mode                  disable
    ekahau-tag                         01:18:8e:00:00:00
    erc-server-ip                      0.0.0.0
    erc-server-port                    8569
    aeroscout                          disable
    aeroscout-server-ip                0.0.0.0
    aeroscout-server-port              0
    aeroscout-mu-factor                20
    aeroscout-mu-timeout               5
    fortipresence                      disable
    fortipresence-server               0.0.0.0
    fortipresence-port                 3000
    fortipresence-secret               fortinet
    fortipresence-project              fortipresence
    fortipresence-frequency            30
    fortipresence-rogue                disable
    fortipresence-unassoc              disable
    station-locate                     disable
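As an added example (not code from the CLI Reference or from Fortinet), the following Python script parses the config / edit / set / next / end nesting of a FortiOS configuration file, the format written by execute backup config, and checks every wtp-profile against the defaults in the table above: a profile left at dtls-policy clear-text, with telnet or http in allowaccess, or with login-passwd-change still no is reported. The sample configuration, the function names and the finding texts are constructed for this example.

```python
"""Audit wtp-profile entries in a FortiOS configuration backup (added example).

Parses the config / edit / set / next / end nesting of a FortiOS configuration
file and checks each profile against the defaults documented in the wtp-profile
table. Sample data and function names are constructed, not taken from FortiOS.
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in FortiOS configuration syntax; not a real backup.
SAMPLE_CONFIG = """\
#config-version=constructed-sample
config wireless-controller wtp-profile
    edit "branch-aps"
        set comment "defaults apart from allowaccess"
        set allowaccess telnet http ssh
        config radio-1
            set band 802.11n
            set channel-bonding 20MHz
        end
    next
    edit "hq-aps"
        set dtls-policy dtls-enabled
        set allowaccess https ssh
        set login-passwd-change yes
        set login-passwd ENC placeholder-not-a-real-secret
        config deny-mac-list
            edit 1
                set mac 00:11:22:33:44:55
            next
        end
    next
end
"""


@dataclass
class Node:
    """One config table or edit entry: its set values and its nested blocks."""
    settings: Dict[str, List[str]] = field(default_factory=dict)
    children: Dict[str, "Node"] = field(default_factory=dict)


def parse_fortios_config(text: str) -> Node:
    """Build a Node tree from FortiOS config text; ValueError on unbalanced blocks."""
    root = Node()
    stack = [root]  # open blocks, innermost last
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or '#config-version=' header
        tokens = shlex.split(line)  # honours the quoting FortiOS uses for names
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("config", "edit"):  # open a table or an entry
            child = Node()
            stack[-1].children[" ".join(args)] = child
            stack.append(child)
        elif keyword in ("next", "end"):  # close the innermost open block
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: '{keyword}' with no open block")
            stack.pop()
        elif keyword == "set":
            stack[-1].settings[args[0]] = args[1:]
        elif keyword == "unset":
            stack[-1].settings.pop(args[0], None)
        else:
            raise ValueError(f"line {lineno}: unexpected keyword '{keyword}'")
    if len(stack) != 1:
        raise ValueError("configuration ends inside an open block")
    return root


# Management protocols in allowaccess that carry the AP login in clear text.
CLEAR_TEXT_ACCESS = {"telnet", "http"}


def audit_wtp_profile(profile: Node) -> List[str]:
    """Findings for one profile; an unset key is taken at its documented default."""
    findings = []
    dtls_policy = profile.settings.get("dtls-policy", ["clear-text"])[0]
    if dtls_policy != "dtls-enabled":
        findings.append(f"CAPWAP data channel without DTLS (dtls-policy {dtls_policy})")
    weak = sorted(set(profile.settings.get("allowaccess", [])) & CLEAR_TEXT_ACCESS)
    if weak:
        findings.append("clear-text management access to the AP: " + " ".join(weak))
    if profile.settings.get("login-passwd-change", ["no"])[0] != "yes":
        findings.append("AP login password left at default (login-passwd-change no)")
    return findings


def audit_config(text: str) -> Dict[str, List[str]]:
    """Map each wtp-profile name in the backup to its list of findings."""
    table = parse_fortios_config(text).children.get("wireless-controller wtp-profile")
    if table is None:
        return {}
    return {name: audit_wtp_profile(entry) for name, entry in table.children.items()}
```

Run audit_config over the text of a backup file to list the profiles that still rely on the reference defaults.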

execute
The execute commands perform immediate operations on the FortiGate unit, including:
- Maintenance operations, such as backing up and restoring the system configuration, resetting the configuration to
  factory settings, updating antivirus and attack definitions, viewing and deleting log messages, and setting the date
  and time.
- Network operations, such as viewing and clearing DHCP leases, clearing ARP table entries, and using ping or
  traceroute to diagnose network problems.
- Generating certificate requests and installing certificates for VPN authentication.

backup
Back up the FortiGate configuration files, logs, or IPS user-defined signatures file to a TFTP or FTP server, USB
disk, or a management station. Management stations can either be a FortiManager unit, or FortiGuard Analysis
and Management Service. For more information, see "fortiguard" and "central-management".
When virtual domain configuration is enabled (in global, vdom-admin is enabled), the content of the backup file
depends on the administrator account that created it.
A backup of the system configuration from the super admin account contains the global settings and the settings
for all of the VDOMs. Only the super admin can restore the configuration from this file.
When you back up the system configuration from a regular administrator account, the backup file contains the
global settings and the settings for the VDOM to which the administrator belongs. Only a regular administrator
account can restore the configuration from this file.

Syntax
execute backup config flash <comment>
execute backup config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute backup config management-station <comment_str>
execute backup config tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute backup config usb <filename_str> [<backup_password_str>]
execute backup config usb-mode [<backup_password_str>]
execute backup config-with-forticlient-info ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute backup config-with-forticlient-info tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute backup config-with-forticlient-info usb [<backup_password_str>]
execute backup config-with-forticlient-info usb-mode [<backup_password_str>]
execute backup full-config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute backup full-config tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute backup full-config usb <filename_str> [<backup_password_str>]
execute backup full-config usb-mode <filename_str> [<backup_password_str>]
execute backup ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]]
execute backup ipsuserdefsig tftp tftp <filename_str> <server_ipv4>
execute backup {disk|memory} alllogs ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute backup {disk|memory} alllogs tftp <server_ipv4>
execute backup {disk|memory} alllogs usb
execute backup {disk|memory} log ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> <username_str> <password_str> {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}
execute backup {disk|memory} log tftp <server_ipv4> {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}
execute backup {disk|memory} log usb {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}

Variable                                   Description

config flash <comment>
    Back up the system configuration to the flash disk. Optionally, include a comment.

config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
    Back up the system configuration to an FTP server. Optionally, you can specify a password to protect the
    saved data.

config management-station <comment_str>
    Back up the system configuration to a configured management station. If you are adding a comment, do not
    add spaces, underscore characters (_), quotation marks (") or any other punctuation marks. The comment you
    enter displays in both the portal website and the FortiGate web-based manager (System > Maintenance >
    Revision).

config tftp <filename_str> <server_ipv4> [<backup_password_str>]
    Back up the system configuration to a file on a TFTP server. Optionally, you can specify a password to
    protect the saved data.

config usb <filename_str> [<backup_password_str>]
    Back up the system configuration to a file on a USB disk. Optionally, you can specify a password to protect
    the saved data.

config usb-mode [<backup_password_str>]
    Back up the system configuration to a USB disk (Global admin only). Optionally, you can specify a password
    to protect the saved data.

config-with-forticlient-info ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
    Back up the system configuration to a file on an FTP server. Optionally, you can specify a password to
    protect the saved data.

config-with-forticlient-info tftp <filename_str> <server_ipv4> [<backup_password_str>]
    Back up the system configuration to a file on a TFTP server. Optionally, you can specify a password to
    protect the saved data.

config-with-forticlient-info usb [<backup_password_str>]
    Back up the system configuration to a file on a USB disk. Optionally, you can specify a password to protect
    the saved data.

config-with-forticlient-info usb-mode [<backup_password_str>]
    Back up the system configuration to a USB disk (Global admin only). Optionally, you can specify a password
    to protect the saved data.

full-config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
    Back up the full system configuration to a file on an FTP server. You can optionally specify a password to
    protect the saved data.

full-config tftp <filename_str> <server_ipv4> [<backup_password_str>]
    Back up the full system configuration to a file on a TFTP server. You can optionally specify a password to
    protect the saved data.

full-config usb <filename_str> [<backup_password_str>]
    Back up the full system configuration to a file on a USB disk. You can optionally specify a password to
    protect the saved data.

full-config usb-mode <filename_str> [<backup_password_str>]
    Back up the full system configuration to a file on a USB disk (Global admin only). You can optionally
    specify a password to protect the saved data.

ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]]
    Back up IPS user-defined signatures to a file on an FTP server.

ipsuserdefsig tftp tftp <filename_str> <server_ipv4>
    Back up IPS user-defined signatures to a file on a TFTP server.

{disk|memory} alllogs ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
    Back up either all memory or all hard disk log files for this VDOM to an FTP server. The disk option is
    available on FortiGate models that log to a hard disk.
    The file name has the form: <log_file_name>_<VDOM>_<date>_<time>

{disk|memory} alllogs tftp <server_ipv4>
    Back up either all memory or all hard disk log files for this VDOM to a TFTP server. The disk option is
    available on FortiGate models that log to a hard disk.
    The file name has the form: <log_file_name>_<VDOM>_<date>_<time>

{disk|memory} alllogs usb
    Back up either all memory or all hard disk log files for this VDOM to a USB disk. The disk option is
    available on FortiGate models that log to a hard disk.
    The file name has the form: <log_file_name>_<VDOM>_<date>_<time>

{disk|memory} log ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> <username_str> <password_str> {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}
    Back up the specified type of log file from either hard disk or memory to an FTP server. The disk option is
    available on FortiGate models that log to a hard disk.

{disk|memory} log tftp <server_ipv4> {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}
    Back up the specified type of log file from either hard disk or memory to a TFTP server. The disk option is
    available on FortiGate models that log to a hard disk.

{disk|memory} log usb {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}
    Back up the specified type of log file from either hard disk or memory to a USB disk. The disk option is
    available on FortiGate models that log to a hard disk.
Example
This example shows how to back up the FortiGate unit system configuration to a file named fgt.cfg on a
TFTP server at IP address 192.168.1.23.
execute backup config tftp fgt.cfg 192.168.1.23

batch
Execute a series of CLI commands. execute batch commands are controlled by the Maintenance (mntgrp)
access control group.

Syntax
execute batch [<cmd_cue>]

where <cmd_cue> is one of:

end        exit session and run the batch commands
lastlog    read the result of the last batch commands
start      start batch mode
status     batch mode status reporting if batch mode is running or stopped

Example
To start batch mode:
execute batch start
Enter batch mode...

To enter commands to run in batch mode:
config system global
set refresh 5
end

To execute the batch commands:
execute batch end
Exit and run batch commands...

bypass-mode
Use this command to manually switch a FortiGate-600C or FortiGate-1000C into bypass mode. This is available
in transparent mode only. If manually switched to bypass mode, the unit remains in bypass-mode until bypass
mode is disabled.

Syntax
execute bypass-mode {enable|disable}

carrier-license
Use this command to enter a FortiOS Carrier license key if you have installed a FortiOS Carrier build on a
FortiGate unit and need to enter a license key to enable FortiOS Carrier functionality.
Contact Fortinet Support for more information about this command.

Syntax
execute carrier-license <license_key>

Variable          Description
<license_key>     Enter the FortiOS Carrier license key supplied by Fortinet.

central-mgmt
Update Central Management Service account information. Also used to receive configuration file updates from an
attached FortiManager unit.

Syntax
execute central-mgmt set-mgmt-id <management_id>
execute central-mgmt register-device <fmg-serial-number> <fmg-register-password> <fgt-user-name> <fgt-password>
execute central-mgmt unregister-device <fmg-serial-number>

set-mgmt-id is used to change or initially set the management ID, or your account number for Central
Management Services. This account ID must be set for the service to be enabled.
register-device registers the FortiGate unit with a specific FortiManager unit specified by serial number.
You must also specify the administrator name and password that the FortiManager unit uses to log on to the
FortiGate unit.
unregister-device removes the FortiGate unit from the specified FortiManager unit's device list.
update is used to update your Central Management Service contract with your new management account ID.
This command is to be used if there are any changes to your management service account.

Example
If you are registering with the Central Management Service for the first time, and your account number is 123456,
you would enter the following:
execute central-mgmt set-mgmt-id 123456

cfg reload
Use this command to restore the saved configuration when the configuration change mode is manual or
revert. This command has no effect if the mode is automatic, the default. The set cfg-save command
in system global sets the configuration change mode.
When you reload the saved system configuration, your session ends and the FortiGate unit restarts.
In the default configuration change mode, automatic, CLI commands become part of the saved unit
configuration when you execute them by entering either next or end.
In manual mode, commands take effect but do not become part of the saved configuration unless you execute
the execute cfg save command. When the FortiGate unit restarts, the saved configuration is loaded.
Configuration changes that were not saved are lost.
The revert mode is similar to manual mode, except that configuration changes are saved automatically if the
administrative session is idle for more than a specified timeout period. This provides a way to recover from an
erroneous configuration change, such as changing the IP address of the interface you are using for
administration. You set the timeout in system global using the set cfg-revert-timeout command.

Syntax
execute cfg reload

Example
This is sample output from the command when successful:
# execute cfg reload
configs reloaded. system will reboot.

This is sample output from the command when not in runtime-only configuration mode:
# execute cfg reload
no config to be reloaded.

cfg save
Use this command to save configuration changes when the configuration change mode is manual or revert. If
the mode is automatic, the default, all changes are added to the saved configuration as you make them and
this command has no effect. The set cfg-save command in system global sets the configuration change
mode.
In manual mode, commands take effect but do not become part of the saved configuration unless you execute
the execute cfg save command. When the FortiGate unit restarts, the saved configuration is loaded.
Configuration changes that were not saved are lost.
The revert mode is similar to manual mode, except that configuration changes are reverted automatically if
the administrative session is idle for more than a specified timeout period. This provides a way to recover from an
erroneous configuration change, such as changing the IP address of the interface you are using for
administration. To change the timeout from the default of 600 seconds, go to system global and use the
set cfg-revert-timeout command.

Syntax
execute cfg save

Example
This is sample output from the command:
# execute cfg save
config saved.

This is sample output when not in runtime-only configuration mode. It also occurs when in runtime-only
configuration mode and no changes have been made:
# execute cfg save
no config to be saved.

clear system arp table
Clear all the entries in the ARP table.

Syntax
execute clear system arp table

cli check-template-status
Reports the status of the secure copy protocol (SCP) script template.

Syntax
execute cli check-template-status

cli status-msg-only
Enable or disable displaying standardized CLI error output messages. If executed, this command stops other
debug messages from displaying in the current CLI session. This command is used for compatibility with
FortiManager.

Syntax
execute cli status-msg-only [enable|disable]

Variable                              Description                                                       Default
status-msg-only [enable|disable]      Enable or disable standardized CLI error output messages.         enable
                                      Entering the command without enable or disable disables
                                      displaying standardized output.

client-reputation
Use these commands to retrieve or remove client reputation information.

Syntax
To erase all client reputation data:
execute client-reputation erase

To retrieve the client reputation host count:
execute client-reputation host-count <rows>

To retrieve client reputation host details:
execute client-reputation host detail <host>

To retrieve a client reputation host summary:
execute client-reputation host summary <host>

To purge old data:
execute client-reputation purge

To view the top n records:
execute client-reputation <n|all>

date
Get or set the system date.

Syntax
execute date [<date_str>]

<date_str> has the form yyyy-mm-dd, where:
yyyy is the year and can be 2001 to 2037
mm is the month and can be 01 to 12
dd is the day of the month and can be 01 to 31
If you do not specify a date, the command returns the current system date. Shortened values, such as 06
instead of 2006 for the year or 1 instead of 01 for month or day, are not valid.

Example
This example sets the date to 17 September 2004:
execute date 2004-09-17

disk
Use this command to list and format hard disks installed in FortiGate units or individual partitions on these hard
disks.

Syntax
execute disk format <partition1_ref_int> [...<partitionn_ref_int>]
execute disk list
execute disk scan <ref_int>

Variable      Description
format        Format the referenced disk partitions or disks. Separate reference numbers with spaces.
              If you enter a partition reference number the disk partition is formatted. If you enter a disk
              reference number the entire disk and all of its partitions are formatted.
list          List the disks and partitions and the reference number for each one.
scan          Scan a disk or partition and repair errors.
<ref_int>     Disk (device) or partition reference number.

The execute disk format command formats the specified partitions or disks and then reboots the system if
a reboot is required.
In most cases you need to format the entire disk only if there is a problem with the partition. Formatting the
partition removes all data from the partition. Formatting the disk removes all data from the entire disk and creates
a single partition on the disk.

Examples
Use the following command to list the disks and partitions.
execute disk list
Disk Internal(boot) ref: 14.9GB type: SSD [ATA SanDisk SSD U100] dev: /dev/sda
partition ref: 3 14.4GB, 14.4GB free mounted: Y label: 7464A257123E07BB dev: /dev/sda3

In this example, there is only one partition and its reference number is 3.
Enter the following command to format the partition.
execute disk format 3

After a confirmation message the FortiGate unit formats the partition and restarts. This can take a few minutes.

disk raid
Use this command to view information about and change the raid settings on FortiGate units that support RAID.

Syntax
execute disk raid disable
execute disk raid enable {Raid-0 | Raid-1 | Raid-5}
execute disk raid rebuild
execute disk raid status

Variable                              Description
disable                               Disable RAID for the FortiGate unit.
enable {Raid-0 | Raid-1 | Raid-5}     Change the RAID level on the FortiGate unit.
rebuild                               Rebuild RAID on the FortiGate unit at the same RAID level. You can only
                                      execute this command if a RAID error has been detected. Changing the
                                      RAID level takes a while and deletes all data on the disk array.
status                                Display information about the RAID disk array in the FortiGate unit.

Examples
Use the following command to display information about the RAID disk array in a FortiGate-82C.
execute disk raid status
RAID Level: Raid-1
RAID Status: OK
RAID Size: 1000GB
Disk 1: OK Used 1000GB
Disk 2: OK Used 1000GB
Disk 3: OK Used 1000GB
Disk 4: Unavailable Not-Used 0GB

disk scan
Use this command to run a disk check operation.

Syntax
execute disk scan <ref_int>

where <ref_int> is the partition "ref:" number for the disk, shown by execute disk list.
The operation requires the FortiGate unit to reboot. The command responds:

Example
# execute disk scan 3
scan requested for: 3/Internal (device=/dev/sda3)
This action requires the unit to reboot.
Do you want to continue? (y/n)

dhcp lease-clear
Clear all DHCP address leases.

Syntax
For IPv4:
execute dhcp lease-clear

For IPv6:
execute dhcp6 lease-clear

dhcp lease-list
Display DHCP leases on a given interface

Syntax
For IPv4:
execute dhcp lease-list [interface_name]

For IPv6:
execute dhcp6 lease-list [interface_name]

If you specify an interface, the command lists only the leases issued on that interface. Otherwise, the list includes
all leases issued by DHCP servers on the FortiGate unit.
If there are no DHCP leases in use on the FortiGate unit, an error will be returned.

disconnect-admin-session
Disconnect an administrator who is logged in.

Syntax
execute disconnect-admin-session <index_number>

To determine the index of the administrator that you want to disconnect, view the list of logged-in administrators
by using the following command:
execute disconnect-admin-session ?

The list of logged-in administrators looks like this:
Connected:
INDEX  USERNAME  TYPE  FROM                TIME
0      admin     WEB   172.20.120.51       Mon Aug 14 12:57:23 2006
1      admin2    CLI   ssh(172.20.120.54)  Mon Aug 14 12:57:23 2006

Example
This example shows how to disconnect the logged-in administrator admin2 from the above list.
execute disconnect-admin-session 1

enter
Use this command to go from global commands to a specific virtual domain (VDOM).
Only available when virtual domains are enabled and you are in config global.
After you enter the VDOM, the prompt will not change from (global). However, you will be in the VDOM with
all the commands that are normally available in VDOMs.

Syntax
execute enter <vdom>

Use ? to see a list of available VDOMs.

erase-disk
Use this command to reformat the boot device or an attached hard disk. Optionally, this command can restore
the image from a TFTP server after erasing.

Syntax
execute erase-disk <disk_name>

The <disk_name> for the boot device is boot.

factoryreset
Reset the FortiGate configuration to factory default settings.

Syntax
execute factoryreset [keepvmlicense]

If keepvmlicense is specified (VM models only), the VM license is retained after reset.
Apart from the keepvmlicense option, this procedure deletes all changes that you have made to the FortiGate
configuration and reverts the system to its original configuration, including resetting interface addresses.

factoryreset2
Reset the FortiGate configuration to factory default settings except VDOM and interface settings.

Syntax
execute factoryreset2 [keepvmlicense]
If keepvmlicense is specified (VM models only), the VM license is retained after reset.

formatlogdisk
Format the FortiGate hard disk to enhance performance for logging.

Syntax
execute formatlogdisk

In addition to deleting logs, this operation will erase all other data on the
disk, including system configuration, quarantine files, and databases for
antivirus and IPS.

forticarrier-license
Use this command to perform a FortiCarrier license upgrade.

Syntax
execute forticarrier-license <activation-code>

forticlient
Use these commands to manage FortiClient licensing.

Syntax
To view FortiClient license information
execute forticlient info

To show current FortiClient count


execute forticlient list <connection_type>

where <connection_type> is one of:


0 - IPsec
1 - SSLVPN
2 - NAC (Endpoint Security)
3 - WAN optimization
4 - Test

To upgrade FortiClient licenses


execute forticlient upgrade <license_key_str>

FortiClient-NAC
Use the following command to load a FortiClient license onto a FortiGate unit.

Syntax
execute FortiClient-NAC update-registration-license <code>

where <code> is the FortiClient registration license key/activation code.

fortiguard-log
Use these commands to manage FortiGuard Analysis and Management Service (FortiCloud) operation.

Syntax
To create a FortiCloud account
execute fortiguard-log create-account

To perform FortiCloud certification


execute fortiguard-log certification

To retrieve the FortiCloud agreement


execute fortiguard-log agreement

To test connection to a FortiCloud account


execute fortiguard-log try <account-id> <password>

To join FortiCloud
execute fortiguard-log join

To log in to a FortiCloud account


execute fortiguard-log login <account-id> <password>

To update the FortiGuard Analysis and Management Service contract


execute fortiguard-log update

fortitoken
Use these commands to activate and synchronize a FortiToken device. FortiToken devices are used in two-factor
authentication of administrator and user account logons. The device generates a random six-digit code that you
enter during the logon process along with user name and password.
Before they can be used to authenticate account logins, FortiToken devices must be activated with the
FortiGuard service. When successfully activated, the status of the FortiToken device will change from New to
Active.
Synchronization is sometimes needed due to the internal clock drift of the FortiToken device. It is not unusual for
new FortiToken units to require synchronization before being put into service. Synchronization is accomplished by
entering two sequential codes provided by the FortiToken.

Syntax
To activate one or more FortiToken devices
execute fortitoken activate <serial_number> [serial_number2 ... serial_numbern]

To import FortiToken OTP seeds


execute fortitoken import <seeds_file> <seeds_file_preshared_key>

To synchronize a FortiToken device


execute fortitoken sync <serial_number> <code> <next code>

To import a set of FortiToken serial numbers


execute fortitoken import-sn-file <ftk-sn>

FortiCare returns a set of 200 serial numbers that are in the same serial number range as the specified
FortiToken device.
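
The synchronization step described above, as an added illustration that is not FortiToken's own algorithm or FortiOS code: generic HOTP/TOTP (RFC 4226 and RFC 6238) with a resynchronization routine that recovers the token's clock drift from two consecutive codes. Requiring two consecutive codes is what makes the wide drift search safe: a single six-digit code would match somewhere in a window of a few hundred time steps far too often, while an accidental match of two consecutive codes is negligible. The 60-second time step, the size of the drift search window and the demo seed are assumptions made for this example.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo seed (the RFC 4226 test secret "12345678901234567890").
# A real token seed is only ever handled through the seed-file import above
# and is never exposed like this.
DEMO_SEED = b"12345678901234567890"
DIGITS = 6
STEP_SECONDS = 60   # assumed time step; the reference does not state the token's period


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, offset_steps: int = 0,
         step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP over the time-step counter, shifted by a known clock offset."""
    return hotp(seed, unix_time // step + offset_steps)


def resync(seed: bytes, code1: str, code2: str, server_time: int,
           step: int = STEP_SECONDS, max_drift_steps: int = 100) -> Optional[int]:
    """Recover the token's clock offset in steps (positive = token ahead of the server)
    from two consecutive codes. Returns None if no consecutive pair matches within
    max_drift_steps either way."""
    base = server_time // step
    for delta in range(-max_drift_steps, max_drift_steps + 1):
        if hotp(seed, base + delta) == code1 and hotp(seed, base + delta + 1) == code2:
            return delta
    return None


def verify_code(seed: bytes, code: str, server_time: int, offset_steps: int,
                step: int = STEP_SECONDS, window: int = 1) -> bool:
    """Normal logon check: only a small window around the drift-corrected time is accepted."""
    base = server_time // step + offset_steps
    return any(hmac.compare_digest(hotp(seed, base + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    server_now = 1_700_000_000
    token_now = server_now + 7 * STEP_SECONDS        # token clock drifted 7 steps ahead
    first = totp(DEMO_SEED, token_now)
    second = totp(DEMO_SEED, token_now + STEP_SECONDS)
    print("login before sync accepted:", verify_code(DEMO_SEED, first, server_now, 0))
    drift = resync(DEMO_SEED, first, second, server_now)
    print("recovered drift (steps):", drift)
    print("login after sync accepted:", verify_code(DEMO_SEED, first, server_now, drift))
```

Once resync has found the offset, it is stored per token and applied by verify_code; ordinary logons keep the narrow window, so a drifted token is rejected until it is synchronized again, which matches the behaviour the reference describes for new devices.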

fortitoken-mobile
Use these commands to activate and synchronize a FortiToken Mobile card. FortiToken Mobile cards are used in
two-factor authentication of administrator and user account logons. The FortiGate unit sends a random six-digit
code to the mobile device by email or SMS that the user enters during the logon process along with user name
and password.

Syntax
To import the FortiToken Mobile card serial number
execute fortitoken-mobile import <activation_code>

To poll a FortiToken Mobile token state


execute fortitoken-mobile poll

To provision a FortiToken Mobile token


execute fortitoken-mobile provision <token_serial_number>

fsso refresh
Use this command to manually refresh user group information from Directory Service servers connected to the
FortiGate unit using the Fortinet Single Sign On (FSSO) agent.

Syntax
execute fsso refresh

ha disconnect
Use this command to disconnect a FortiGate unit from a functioning cluster. You must specify the serial number
of the unit to be disconnected. You must also specify an interface name and assign an IP address and netmask to
this interface of the disconnected unit. You can disconnect any unit from the cluster, even the primary unit. After
the unit is disconnected, the cluster responds as if the disconnected unit has failed. The cluster may renegotiate
and may select a new primary unit.
To disconnect the unit from the cluster, the execute ha disconnect command sets the HA mode of the
disconnected unit to standalone. In addition, all interface IP addresses of the disconnected unit are set to 0.0.0.0.
The interface specified in the command is set to the IP address and netmask that you specify in the command. In
addition, all management access to this interface is enabled. Once the FortiGate unit is disconnected, you can use
SSH, telnet, HTTPS, or HTTP to connect to and manage the FortiGate unit.

Syntax
execute ha disconnect <cluster-member-serial_str> <interface_str> <address_ipv4>
<address_ipv4mask>

cluster-member-serial_str
    The serial number of the cluster unit to be disconnected.

interface_str
    The name of the interface to configure. The command configures the IP address and netmask for this
    interface and also enables all management access for this interface.

Example
This example shows how to disconnect a cluster unit with serial number FGT5002803033050. The internal
interface of the disconnected unit is set to IP address 1.1.1.1 and netmask 255.255.255.0.
execute ha disconnect FGT5002803033050 internal 1.1.1.1 255.255.255.0

ha ignore-hardware-revision
Use this command to set ignore-hardware-revision status.

Syntax
To view ignore-hardware-revision status
execute ha ignore-hardware-revision status

To set ignore-hardware-revision status


execute ha ignore-hardware-revision {enable|disable}

ha manage
Use this command from the CLI of a FortiGate unit in an HA cluster to log into the CLI of another unit in the
cluster. Usually you would use this command from the CLI of the primary unit to log into the CLI of a subordinate
unit. However, if you have logged into a subordinate unit CLI, you can use this command to log into the primary
unit CLI, or the CLI of another subordinate unit.
You can use CLI commands to manage the cluster unit that you have logged into. If you make changes to the
configuration of any cluster unit (primary or subordinate unit) these changes are synchronized to all cluster units.

Syntax
execute ha manage <cluster-index>

cluster-index
    The cluster index is assigned by the FortiGate Clustering Protocol according to cluster unit serial
    number. The cluster unit with the highest serial number has a cluster index of 0. The cluster unit with
    the second highest serial number has a cluster index of 1, and so on.
    Enter ? to list the cluster indexes of the cluster units that you can log into. The list does not show
    the unit that you are already logged into.

Example
This example shows how to log into a subordinate unit in a cluster of three FortiGate units. In this example you
have already logged into the primary unit. The primary unit has serial number FGT3082103000056. The
subordinate units have serial numbers FGT3012803021709 and FGT3082103021989.
execute ha manage ?
<id>please input slave cluster index.
<0>Subsidary unit FGT3012803021709
<1>Subsidary unit FGT3082103021989

Type 0 and press enter to connect to the subordinate unit with serial number FGT3012803021709. The CLI
prompt changes to the host name of this unit. To return to the primary unit, type exit.
From the subordinate unit you can also use the execute ha manage command to log into the primary unit or
into another subordinate unit. Enter the following command:
execute ha manage ?
<id>please input slave cluster index.
<1>Subsidary unit FGT3082103021989
<2>Subsidary unit FGT3082103000056

Type 2 and press enter to log into the primary unit or type 1 and press enter to log into the other subordinate unit.
The CLI prompt changes to the host name of this unit.

ha synchronize
Use this command from a subordinate unit in an HA cluster to manually synchronize its configuration with the
primary unit or to stop a synchronization process that is in progress.

Syntax
execute ha synchronize {start | stop}

start
    Start synchronizing the cluster configuration.

stop
    Stop a cluster configuration synchronization that is in progress.

interface dhcpclient-renew
Renew the DHCP client for the specified DHCP interface and close the CLI session. If there is no DHCP
connection on the specified port, there is no output.

Syntax
execute interface dhcpclient-renew <port>

Example
This is the output for renewing the DHCP client on port1 before the session closes:
# execute interface dhcpclient-renew port1
renewing dhcp lease on port1

interface pppoe-reconnect
Reconnect to the PPPoE service on the specified PPPoE interface and close the CLI session. If there is no PPPoE
connection on the specified port, there is no output.

Syntax
execute interface pppoe-reconnect <port>

log backup
Use this command to back up all logs, index files, and report databases. The files are compressed and combined
into a TAR archive.

Syntax
execute log backup <file name>

where <file name> is the name of the backup file to create.

log client-reputation-report
Use these commands to control client-reputation log actions.

Syntax
To accept a host so that it has its own baselines
execute log client-reputation-report accept <policy-id> <host>

To clear all auto-profile data


execute log client-reputation-report clear

To ignore a host, removing it from the abnormal list


execute log client-reputation-report ignore <policy-id> <host>

To refresh the data of one option result


execute log client-reputation-report refresh <policy-id> <option> <action>

<option> is one of bandwidth, session, failconn, geo, or app


<action> is one of data, baseline, or data_baseline (both data and baseline)

To get baseline/average information of one option


execute log client-reputation-report result baseline <policy-id> <option>

<option> is one of bandwidth, session, or failconn

To get hourly data of a host visiting a country or using an application


execute log client-reputation-report result details {hourly | total} <policy-id>
<option> <name> <host>

<option> is geo or app


<name> is the name of the country or application

To list abnormal hosts of one or all options


execute log client-reputation-report result list <policy-id> <option>

<option> is geo, app, or all

To list periodical data of one host of one option


execute log client-reputation-report result period <policy-id> <option> <host>
<periods>

<option> is one of bandwidth, session, failconn, geo, or app


<periods> is number of periods to list

To list the top 10 abnormal hosts of one option


execute log client-reputation-report result top10 <policy-id> <option>

<option> is one of bandwidth, session, failconn, geo, or app

To run reports immediately


execute log client-reputation-report run <policy-id>

log convert-oldlogs
Use this command to convert old compact logs to the new format. This command is available only if you have
upgraded from an earlier version of FortiOS and have old compact logs on your system.

Syntax
execute log convert-oldlogs

log delete-all
Use this command to clear all log entries for this VDOM in memory and current log files on hard disk. If your
FortiGate unit has no hard disk, only log entries in system memory will be cleared. You will be prompted to
confirm the command.

Syntax
execute log delete-all

log delete-oldlogs
Use this command to delete old compact logs. This command is available only if you have upgraded from an
earlier version of FortiOS and have old compact logs on your system.

Syntax
execute log delete-oldlogs

log detail
Display UTM-related log entries for traffic log entries in this VDOM.

Syntax
execute log detail <category> <utm-ref>

where <category> is one of:


2: utm-virus
3: utm-webfilter
4: utm-ips
5: utm-spam
9: utm-dlp
10: utm-app-ctrl

You can obtain <utm-ref> from the execute log display output.

log display
Use this command to display log messages for this VDOM that you have selected with the execute log
filter command.

Syntax
execute log display

The console displays the first 10 log messages. To view more messages, run the command again. You can do
this until you have seen all of the selected log messages. To restart viewing the list from the beginning, use the
commands
execute log filter start-line 1
execute log display

You can restore the log filters to their default values using the command
execute log filter reset

log downgrade-log
Use this command to downgrade existing logs to v5.0 format prior to a firmware downgrade to FortiOS v5.0.

Syntax
execute log downgrade-log

log filter
Use this command to select log messages in this VDOM for viewing or deletion. You can view one log category on
one device at a time. Optionally, you can filter the messages to select only specified date ranges or severities of
log messages. For traffic logs, you can filter log messages by source or destination IP address.
Commands are cumulative. If you omit a required variable, the command displays the current setting.
Use as many execute log filter commands as you need to define the log messages that you want to
view.

Syntax
execute log filter category <category_name>
execute log filter device {disk | memory}
execute log filter dump
execute log filter field <name> <value> [<value2>,...<valuen>] [not]
execute log filter ha-member <unitsn_str>
execute log filter reset [all | field]
execute log filter rolled_number <number>
execute log filter sortby <field> [max-sort-lines]
execute log filter start-line <line_number>
execute log filter view-lines <count>

category <category_name>
    Enter the type of log you want to select. To see a list of available categories, enter
    execute log filter category
    Default: event

device {disk | memory}
    Device where the logs are stored.
    Default: disk

dump
    Display current filter settings.
    No default.

field <name> <value> [<value2>,...<valuen>] [not]
    Enter execute log filter field to view the list of field names. Press Enter after <name> to view
    information about value parameters for that field.
    not inverts the field value condition.
    No default.

ha-member <unitsn_str>
    Select logs from the specified HA cluster member. Enter the serial number of the unit.

reset [all | field]
    Execute this command to reset all filter settings. You can use the field option to reset only
    filter field settings.
    No default.

rolled_number <number>
    Select logs from a rolled log file. 0 selects the current log file.

sortby <field> [max-sort-lines]
    Sort logs by the specified field.
    No default.

start-line <line_number>
    Select logs starting at the specified line number.

view-lines <count>
    Set lines per view. Range: 5 to 1000
    Default: 10

log fortianalyzer test-connectivity
Use this command to test the connection to the FortiAnalyzer unit. This command is available only when
FortiAnalyzer is configured.

Syntax
execute log fortianalyzer test-connectivity

Example
When FortiAnalyzer is connected, the output looks like this:
FortiAnalyzer Host Name: FortiAnalyzer-800B
FortiGate Device ID: FG50B3G06500085
Registration: registered
Connection: allow
Disk Space (Used/Allocated): 468/1003 MB
Total Free Space: 467088 MB
Log: Tx & Rx
Report: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx

When FortiAnalyzer is not connected, the output is: Connect Error
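
An added example, not code from this reference: a small health check that parses the test-connectivity output shown above and reports anything that would silently break log forwarding, which is the kind of check worth running from a monitoring job rather than reading by eye. The expected values (registered, allow, Tx & Rx on every channel) are taken from the sample output; the disk-quota warning threshold and the sample text are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample copied from the successful output shown above.
SAMPLE_OK = """\
FortiAnalyzer Host Name: FortiAnalyzer-800B
FortiGate Device ID: FG50B3G06500085
Registration: registered
Connection: allow
Disk Space (Used/Allocated): 468/1003 MB
Total Free Space: 467088 MB
Log: Tx & Rx
Report: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx
"""

# Constructed sample of the failure output.
SAMPLE_DOWN = "Connect Error\n"

CHANNELS = ("Log", "Report", "Content Archive", "Quarantine")


def parse_faz_status(text: str) -> Dict[str, str]:
    """Turn the 'key: value' lines into a dict; lines without a colon are ignored."""
    status = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        status[key.strip()] = value.strip()
    return status


def disk_usage_percent(status: Dict[str, str]) -> Optional[float]:
    """Percentage of the allocated FortiAnalyzer quota this device has used."""
    m = re.match(r"(\d+)/(\d+)\s*MB", status.get("Disk Space (Used/Allocated)", ""))
    if not m or int(m.group(2)) == 0:
        return None
    return 100.0 * int(m.group(1)) / int(m.group(2))


def check_faz(text: str, disk_warn_percent: float = 80.0) -> List[str]:
    """Return a list of findings; an empty list means the log path looks healthy."""
    if "Connect Error" in text:
        return ["FortiAnalyzer not reachable: Connect Error"]
    st = parse_faz_status(text)
    findings = []
    if st.get("Registration") != "registered":
        findings.append(f"not registered (Registration: {st.get('Registration')})")
    if st.get("Connection") != "allow":
        findings.append(f"connection not allowed (Connection: {st.get('Connection')})")
    for channel in CHANNELS:
        if st.get(channel) != "Tx & Rx":
            findings.append(f"{channel} not flowing both ways ({st.get(channel)})")
    pct = disk_usage_percent(st)
    if pct is not None and pct >= disk_warn_percent:   # assumed operational threshold
        findings.append(f"log disk quota {pct:.0f}% used")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_DOWN):
        print(check_faz(sample) or ["ok"])
```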

log list
You can view the list of current and rolled log files for this VDOM on the console. The list shows the file name,
size and timestamp.

Syntax
execute log list <category>

To see a list of available categories, enter


execute log list

Example
The output looks like this:
elog 8704 Fri March 6 14:24:35 2009
elog.1 1536 Thu March 5 18:02:51 2009
elog.2 35840 Wed March 4 22:22:47 2009

At the end of the list, the total number of files in the category is displayed. For example:
501 event log file(s) found.
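
An added example, not the reference's own code: a parser for this listing that maps each file name to the rolled_number value used by execute log filter (the assumption here is that elog is rolled number 0, the current file, elog.1 is 1, and so on, as the filter description suggests), checks the trailer count against the lines actually listed, and reports how many days of logs the on-disk files span. The sample listing and the retention threshold are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample modelled on the "execute log list" output shown above,
# including the count line the command prints after the list.
SAMPLE_LOG_LIST = """\
elog 8704 Fri March 6 14:24:35 2009
elog.1 1536 Thu March 5 18:02:51 2009
elog.2 35840 Wed March 4 22:22:47 2009
3 event log file(s) found.
"""


@dataclass
class LogFile:
    name: str
    rolled_number: int      # assumed: 0 is the current file, 1 the most recently rolled, ...
    size: int               # bytes, as printed
    timestamp: datetime


# "<name>[.<n>] <size> <Day> <Month> <d> <HH:MM:SS> <YYYY>"
_FILE_RE = re.compile(
    r"^(?P<name>\w+(?:\.(?P<roll>\d+))?)\s+(?P<size>\d+)\s+"
    r"(?P<ts>\w{3} \w+ \d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s*$"
)
# "<count> <category> log file(s) found."
_TRAILER_RE = re.compile(r"^(?P<count>\d+) \w+ log file\(s\) found\.$")


def parse_log_list(text: str) -> Tuple[List[LogFile], Optional[int]]:
    """Return the listed files and the count reported in the trailer line (None if absent)."""
    files, reported = [], None
    for line in text.splitlines():
        m = _FILE_RE.match(line)
        if m:
            files.append(LogFile(
                name=m.group("name"),
                rolled_number=int(m.group("roll") or 0),
                size=int(m.group("size")),
                timestamp=datetime.strptime(m.group("ts"), "%a %B %d %H:%M:%S %Y"),
            ))
            continue
        t = _TRAILER_RE.match(line)
        if t:
            reported = int(t.group("count"))
    return files, reported


def total_bytes(files: List[LogFile]) -> int:
    return sum(f.size for f in files)


def audit_log_list(text: str, min_retention_days: int = 1) -> List[str]:
    """Findings about the listing: count mismatch, empty listing, or too little history."""
    files, reported = parse_log_list(text)
    findings = []
    if reported is not None and reported != len(files):
        findings.append(f"listing shows {len(files)} files but trailer reports {reported}")
    if not files:
        findings.append("no log files listed")
        return findings
    newest = max(f.timestamp for f in files)
    oldest = min(f.timestamp for f in files)
    retained_days = (newest - oldest).days
    if retained_days < min_retention_days:   # assumed local retention requirement
        findings.append(f"only {retained_days} day(s) of logs on disk")
    return findings


if __name__ == "__main__":
    listed, count = parse_log_list(SAMPLE_LOG_LIST)
    print(f"{len(listed)} files, {total_bytes(listed)} bytes, trailer says {count}")
    print(audit_log_list(SAMPLE_LOG_LIST, min_retention_days=7) or ["ok"])
```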

log rebuild-sqldb
Use this command to rebuild the SQL database from log files.
If run in the VDOM context, only this VDOM's SQL database is rebuilt. If run in the global context, the SQL
database is rebuilt for all VDOMs.
If SQL logging is disabled, this command is unavailable.

Syntax
execute log rebuild-sqldb

log recreate-sqldb
Use this command to recreate SQL log database.

If SQL logging is disabled, this command is unavailable.

Syntax
execute log recreate-sqldb

log-report reset
Use this command to delete all logs, archives and user configured report templates.

Syntax
execute log-report reset

log restore
Use this command to restore all logs, index files, and report databases from a backup file created with the "log
backup" on page 27 command.
This command wipes out all existing logs and the report database for the VDOM. It is only available on debug
firmware builds.
It is recommended to stop reportd and miglogd before running this command:
kill -3 1
killall miglogd
killall reportd

Syntax
execute log restore <file name>

where <file name> is the name of the backup file to use.

log roll
Use this command to roll all log files.

Syntax
execute log roll

log shift-time
Use this command in conjunction with the "log backup" on page 27 and "log restore" on page 33 commands. You
can load a log set generated previously to do demos or testing without needing to regenerate data.

Syntax
execute log shift-time <number of hours>

log upload-progress
Use this command to display the progress of the latest log upload.

Syntax
execute log upload-progress

modem dial
Dial the modem.
The dial command dials the accounts configured in config system modem until it makes a connection or it
has made the maximum configured number of redial attempts.
This command can be used if the modem is in Standalone mode.

Syntax
execute modem dial

modem hangup
Hang up the modem.
This command can be used if the modem is in Standalone mode.

Syntax
execute modem hangup

modem trigger
This command sends a signal to the modem daemon, which causes the state machine to re-evaluate its current
state. If for some reason the modem should be connected but isn't, then it will trigger a redial. If the modem
should not be connected but is, this command will cause the modem to disconnect.

Syntax
execute modem trigger

mrouter clear
Clear multicast routes, RP-sets, IGMP membership records or routing statistics.

Syntax
Clear IGMP memberships:
execute mrouter clear igmp-group {{<group-address>} <interface-name>}
execute mrouter clear igmp-interface <interface-name>

Clear multicast routes:


execute mrouter clear <route-type> {<group-address> {<source-address>}}

Clear PIM-SM RP-sets learned from the bootstrap router (BSR):


execute mrouter clear sparse-mode-bsr

Clear statistics:
execute mrouter clear statistics {<group-address> {<source-address>}}

<interface-name>
    Enter the name of the interface on which you want to clear IGMP memberships.

<group-address>
    Optionally enter a group address to limit the command to a particular group.

<route-type>
    Enter one of:
    dense-routes - clear only PIM dense routes
    multicast-routes - clear all types of multicast routes
    sparse-routes - clear only sparse routes

<source-address>
    Optionally, enter a source address to limit the command to a particular source address. You must also
    specify group-address.

netscan
Use this command to start and stop the network vulnerability scanner and perform related functions.

Syntax
execute netscan import
execute netscan list
execute netscan start scan
execute netscan status
execute netscan stop

import
    Import hosts discovered on the last asset discovery scan.

list
    List the hosts discovered on the last asset discovery scan.

start scan
    Start the configured vulnerability scan.

status
    Display the status of the current network vulnerability scan.

stop
    Stop the current network vulnerability scan.

pbx
Use this command to view active channels and to delete, list or upload music files for when music is playing while
a caller is on hold.

Syntax
execute pbx active-call <list>
execute pbx extension <list>
execute pbx ftgd-voice-pkg {sip-trunk}
execute pbx music-on-hold {delete |list |upload}
execute pbx prompt upload ftp <file.tgz> <ftp_server_address>[:port] [<username>] [<password>]
execute pbx prompt upload tftp <file.tgz> <ftp_server_address>[:port] [<username>] [<password>]
execute pbx prompt upload usb <file.tgz> <ftp_server_address>[:port] [<username>] [<password>]
execute pbx restore-default-prompts
execute pbx sip-trunk list

active-call <list>
    Enter to display a list of the active calls being processed by the FortiGate Voice unit.

extension <list>
    Enter to display the status of all extensions with SIP phones that have connected to the FortiGate Voice
    unit.

ftgd-voice-pkg {sip-trunk}
    Enter to retrieve FortiGuard voice package SIP trunk information.

music-on-hold {delete | list | upload}
    Enter to either delete, list or upload music on hold files. You can upload music on hold files using FTP,
    TFTP, or from a USB drive plugged into the FortiGate Voice unit.

prompt upload ftp <file.tgz> <ftp_server_address>[:port] [<username>] [<password>]
    Upload new PBX voice prompt files using FTP. The voice prompt files should be added to a tar file and
    zipped. This file would usually have the extension tgz. You must include the filename, the FTP server
    address (domain name or IPv4 address) and, if required, the username and password for the server.

prompt upload tftp <file.tgz> <ftp_server_address>[:port] [<username>] [<password>]
    Upload new PBX voice prompt files using TFTP. The voice prompt files should be added to a tar file and
    zipped. This file would usually have the extension tgz. You must include the filename and the TFTP server
    IP address.

prompt upload usb <file.tgz> <ftp_server_address>[:port] [<username>] [<password>]
    Upload new PBX voice prompt files from a USB drive plugged into the FortiGate Voice unit. The voice prompt
    files should be added to a tar file and zipped. This file would usually have the extension tgz. You must
    include the filename.

restore-default-prompts
    Restore the default English voicemail and other PBX system prompts. Use this command if you have changed
    the default prompts and want to restore the default settings.

sip-trunk list
    Enter to display the status of all SIP trunks that have been added to the FortiGate Voice configuration.

Example command output
Enter the following command to view active calls:
execute pbx active-call
Call-From  Call-To  Duration
6016       6006     00:00:46

Enter the following command to display the status of all extensions:
execute pbx extension list
Extension   Host          Dialplan
6052        Unregister    company-default
6051        Unregister    company-default
6050        Unregister    company-default
6022        Unregister    company-default
6021/6021   172.30.63.34  company-default
6020        Unregister    company-default

Enter the following command to display the status of all SIP trunks:
execute pbx sip-trunk list
Name        Host          Username  Account-Type  State
Provider_1  192.169.20.1  +5555555  Static        N/A

ping
Send an ICMP echo request (ping) to test the network connection between the FortiGate unit and another
network device.

Syntax
execute ping {<address_ipv4> | <host-name_str>}

<host-name_str> should be an IP address, or a fully qualified domain name.

Example
This example shows how to ping a host with the IP address 172.20.120.16.
# execute ping 172.20.120.16
PING 172.20.120.16 (172.20.120.16): 56 data bytes
64 bytes from 172.20.120.16: icmp_seq=0 ttl=128 time=0.5 ms
64 bytes from 172.20.120.16: icmp_seq=1 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=2 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=3 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=4 ttl=128 time=0.2 ms

--- 172.20.120.16 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.5 ms

ping-options, ping6-options
Set ICMP echo request (ping) options to control the way ping tests the network connection between the FortiGate
unit and another network device.

Syntax
execute ping-options data-size <bytes>
execute ping-options df-bit {yes | no}
execute ping-options pattern <2-byte_hex>
execute ping-options repeat-count <repeats>
execute ping-options source {auto | <source-intf_ip>}
execute ping-options timeout <seconds>
execute ping-options tos <service_type>
execute ping-options ttl <hops>
execute ping-options validate-reply {yes | no}
execute ping-options view-settings

data-size <bytes>
    Specify the datagram size in bytes.
    Default: 56

df-bit {yes | no}
    Set df-bit to yes to prevent the ICMP packet from being fragmented. Set df-bit to no to allow the ICMP
    packet to be fragmented.
    Default: no

pattern <2-byte_hex>
    Used to fill in the optional data buffer at the end of the ICMP packet. The size of the buffer is
    specified using the data-size parameter. This allows you to send out packets of different sizes for
    testing the effect of packet size on the connection.
    No default.

repeat-count <repeats>
    Specify how many times to repeat ping.

source {auto | <source-intf_ip>}
    Specify the FortiGate interface from which to send the ping. If you specify auto, the FortiGate unit
    selects the source address and interface based on the route to the <host-name_str> or <host_ip>.
    Specifying the IP address of a FortiGate interface tests connections to different network segments from
    the specified interface.
    Default: auto

timeout <seconds>
    Specify, in seconds, how long to wait until ping times out.

tos <service_type>
    Set the ToS (Type of Service) field in the packet header to provide an indication of the quality of
    service wanted.
    lowdelay = minimize delay
    throughput = maximize throughput
    reliability = maximize reliability
    lowcost = minimize cost

ttl <hops>
    Specify the time to live. Time to live is the number of hops the ping packet should be allowed to make
    before being discarded or returned.
    Default: 64

validate-reply {yes | no}
    Select yes to validate reply data.
    Default: no

view-settings
    Display the current ping-option settings.
    No default.

Example
Use the following command to increase the number of pings sent.
execute ping-options repeat-count 10

Use the following command to send all pings from the FortiGate interface with IP address 192.168.10.23.

execute ping-options source 192.168.10.23

ping6
Send an ICMP echo request (ping) to test the network connection between the FortiGate unit and an IPv6
capable network device.

Syntax
execute ping6 {<address_ipv6> | <host-name_str>}

Example
This example shows how to ping a host with the IPv6 address 12AB:0:0:CD30:123:4567:89AB:CDEF.
execute ping6 12AB:0:0:CD30:123:4567:89AB:CDEF

policy-packet-capture delete-all
Use this command to delete captured packets.

Syntax
execute policy-packet-capture delete-all

You will be asked to confirm that you want to delete the packets.

reboot
Restart the FortiGate unit.
Abruptly powering off your FortiGate unit may corrupt its configuration. Using the reboot and shutdown
options here or in the web-based manager ensures that proper shutdown procedures are followed to prevent any
loss of configuration.

Syntax
execute reboot <comment comment_string>

<comment comment_string> allows you to optionally add a message that will appear in the hard disk log
indicating the reason for the reboot. If the message is more than one word it must be enclosed in quotes.

Example
This example shows the reboot command with a message included.
execute reboot comment "December monthly maintenance"

report
Use these commands to manage reports.

Syntax
To flash report caches:
execute report flash-cache

To recreate the report database:


execute report recreate-db

To generate a report:
execute report run [<layout_name>["start-time" "end-time"]]

The start and end times have the format yyyy-mm-dd hh:mm:ss

report-config reset
Use this command to reset report templates to the factory default. Logs are not deleted.
If SQL logging is disabled, this command is unavailable.

Syntax
execute report-config reset

restore
Use this command to:
- restore the configuration from a file
- change the FortiGate firmware
- change the FortiGate backup firmware
- restore an IPS custom signature file

When virtual domain configuration is enabled (in system global, vdom-admin is enabled), the content of
the backup file depends on the administrator account that created it.
A backup of the system configuration from the super admin account contains the global settings and the settings
for all of the VDOMs. Only the super admin account can restore the configuration from this file.
A backup file from a regular administrator account contains the global settings and the settings for the VDOM to
which the administrator belongs. Only a regular administrator account can restore the configuration from this file.

Syntax
execute restore av ftp <filename_str> <server_ipv4[:port_int] |server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore av tftp <filename_str> <server_ipv4[:port_int]>
execute restore config flash <revision>
execute restore config ftp <filename_str> <server_ipv4[:port_int] |server_fqdn[:port_int]> [<username_str> <password_str>] [<backup_password_str>]
execute restore config management-station {normal |template |script} <rev_int>
execute restore config tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute restore config usb <filename_str> [<backup_password_str>]
execute restore config usb-mode [<backup_password_str>]
execute restore forticlient tftp <filename_str> <server_ipv4>
execute restore image flash <revision>
execute restore image ftp <filename_str> <server_ipv4[:port_int] |server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore image management-station <version_int>
execute restore image tftp <filename_str> <server_ipv4>
execute restore image usb <filename_str>
execute restore ips ftp <filename_str> <server_ipv4[:port_int] |server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore ips tftp <filename_str> <server_ipv4>
execute restore ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] |server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore ipsuserdefsig tftp <filename_str> <server_ipv4>
execute restore secondary-image ftp <filename_str> <server_ipv4[:port_int] |server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore secondary-image tftp <filename_str> <server_ipv4>
execute restore secondary-image usb <filename_str>
execute restore src-vis <src-vis-pkgfile>
execute restore vcm {ftp | tftp} <filename_str> <server_ipv4>
execute restore vmlicense {ftp | tftp} <filename_str> <server_ipv4>

Variable            Description

av ftp <filename_str> <server_ipv4[:port_int] |server_fqdn[:port_int]> [<username_str> <password_str>]
    Download the antivirus database file from an FTP server to the FortiGate unit.

av tftp <filename_str> <server_ipv4[:port_int]>
    Download the antivirus database file from a TFTP server to the FortiGate unit.

config flash <revision>
    Restore the specified revision of the system configuration from the flash disk.

config ftp <filename_str> <server_ipv4[:port_int] |server_fqdn[:port_int]> [<username_str> <password_str>] [<backup_password_str>]
    Restore the system configuration from an FTP server. The new configuration replaces the existing configuration, including administrator accounts and passwords.
    If the backup file was created with a password, you must specify the password.

config management-station {normal |template |script} <rev_int>
    Restore the system configuration from the central management server. The new configuration replaces the existing configuration, including administrator accounts and passwords.
    rev_int is the revision number of the saved configuration to restore. Enter 0 for the most recent revision.

config tftp <filename_str> <server_ipv4> [<backup_password_str>]
    Restore the system configuration from a file on a TFTP server. The new configuration replaces the existing configuration, including administrator accounts and passwords.
    If the backup file was created with a password, you must specify the password.

config usb <filename_str> [<backup_password_str>]
    Restore the system configuration from a file on a USB disk. The new configuration replaces the existing configuration, including administrator accounts and passwords.
    If the backup file was created with a password, you must specify the password.

config usb-mode [<backup_password_str>]
    Restore the system configuration from a USB disk. The new configuration replaces the existing configuration, including administrator accounts and passwords. When the USB drive is removed, the FortiGate unit needs to reboot and revert to the unit's existing configuration.
    If the backup file was created with a password, you must specify the password.

forticlient tftp <filename_str> <server_ipv4>
    Download the FortiClient image from a TFTP server to the FortiGate unit. The filename must have the format FortiClientSetup_versionmajor.versionminor.build.exe. For example, FortiClientSetup.4.0.377.exe.

image flash <revision>
    Restore the specified firmware image from the flash disk.

image ftp <filename_str> <server_ipv4[:port_int] |server_fqdn[:port_int]> [<username_str> <password_str>]
    Download a firmware image from an FTP server to the FortiGate unit. The FortiGate unit reboots, loading the new firmware.
    This command is not available in multiple VDOM mode.

image management-station <version_int>
    Download a firmware image from the central management station. This is available if you have configured a FortiManager unit as a central management server. This is also available if your account with FortiGuard Analysis and Management Service allows you to upload firmware images.

image tftp <filename_str> <server_ipv4>
    Download a firmware image from a TFTP server to the FortiGate unit. The FortiGate unit reboots, loading the new firmware.

image usb <filename_str>
    Download a firmware image from a USB disk to the FortiGate unit. The FortiGate unit reboots, loading the new firmware.

ips ftp <filename_str> <server_ipv4[:port_int] |server_fqdn[:port_int]> [<username_str> <password_str>]
    Download the IPS database file from an FTP server to the FortiGate unit.

ips tftp <filename_str> <server_ipv4>
    Download the IPS database file from a TFTP server to the FortiGate unit.

ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] |server_fqdn[:port_int]> [<username_str> <password_str>]
    Restore an IPS custom signature file from an FTP server. The file will overwrite the existing IPS custom signature file.

ipsuserdefsig tftp <filename_str> <server_ipv4>
    Restore an IPS custom signature file from a TFTP server. The file will overwrite the existing IPS custom signature file.
    This command is not available in multiple VDOM mode.

secondary-image ftp <filename_str> <server_ipv4[:port_int] |server_fqdn[:port_int]> [<username_str> <password_str>]
    Download a firmware image from an FTP server as the backup firmware of the FortiGate unit. Available on models that support backup firmware images.

secondary-image tftp <filename_str> <server_ipv4>
    Download a firmware image from a TFTP server as the backup firmware of the FortiGate unit. Available on models that support backup firmware images.

secondary-image usb <filename_str>
    Download a firmware image from a USB disk as the backup firmware of the FortiGate unit. The unit restarts when the upload is complete. Available on models that support backup firmware images.

src-vis <src-vis-pkgfile>
    Download the source visibility signature package.

vcm {ftp | tftp} <filename_str> <server_ipv4>
    Restore the VCM engine/plugin from an FTP or TFTP server.

vmlicense {ftp | tftp} <filename_str> <server_ipv4>
    Restore the VM license (VM version of the product only).

Example
This example shows how to upload a configuration file from a TFTP server to the FortiGate unit and restart the
FortiGate unit with this configuration. The name of the configuration file on the TFTP server is backupconfig.
The IP address of the TFTP server is 192.168.1.23.
execute restore config tftp backupconfig 192.168.1.23

revision
Use these commands to manage configuration and firmware image files on the local disk.

Syntax
To delete a configuration file
execute revision delete config <revision>

To delete a firmware image file
execute revision delete image <revision>


To list the configuration files
execute revision list config

To list the firmware image files
execute revision list image

router clear bfd session
Use this command to clear a bidirectional forwarding detection (BFD) session.

Syntax
execute router clear bfd session <src_ip> <dst_ip> <interface>

Variable            Description

<src_ip>
    Select the source IP address of the session.

<dst_ip>
    Select the destination IP address of the session.

<interface>
    Select the interface for the session.

router clear bgp
Use this command to clear BGP peer connections.

Syntax
execute router clear bgp all [soft] [in | out]
execute router clear bgp as <as_number> [soft] [in | out]
execute router clear bgp dampening {ip_address | ip/netmask}
execute router clear bgp external {in prefix-filter} [soft] [in | out]
execute router clear bgp flap-statistics {ip_address | ip/netmask}
execute router clear bgp ip <ip_address> [soft] [in | out]

Variable            Description

all
    Clear all BGP peer connections.

as <as_number>
    Clear BGP peer connections by AS number.

dampening {ip_address | ip/netmask}
    Clear route flap dampening information for a peer or network.

external {in prefix-filter}
    Clear all external peers.

ip <ip_address>
    Clear BGP peer connections by IP address.

peer-group
    Clear all members of a BGP peer-group.

[in | out]
    Optionally limit the clear operation to inbound only or outbound only.

flap-statistics {ip_address | ip/netmask}
    Clear flap statistics for a peer or network.

soft
    Do a soft reset that changes the configuration but does not disturb existing sessions.

router clear ospf process


Use this command to clear and restart the OSPF router.

Syntax
IPv4:
execute router clear ospf process

IPv6:
execute router clear ospf6 process

router restart
Use this command to restart the routing software.

Syntax
execute router restart

send-fds-statistics
Use this command to send an FDS statistics report now, without waiting for the FDS statistics report interval to
expire.

Syntax
execute send-fds-statistics

set system session filter


Use these commands to define the session filter for get system session commands.

Syntax
To clear the filter settings
execute set system session filter clear {all|dport|dst|duration|expire|policy|proto|sport|src|vd}

To specify destination port
execute set system session filter dport <port_range>

To specify destination IP address
execute set system session filter dst <ip_range>

To specify duration
execute set system session filter duration <duration_range>

To specify expiry
execute set system session filter expire <expire_range>

To list the filter settings
execute set system session filter list

To invert a filter setting
execute set system session filter negate {dport|dst|duration|expire|policy|proto|sport|src|vd}

To specify firewall policy ID
execute set system session filter policy <policy_range>

To specify protocol
execute set system session filter proto <protocol_range>

To specify source port
execute set system session filter sport <port_range>

To specify source IP address
execute set system session filter src <ip_range>

To specify virtual domain
execute set system session filter vd <vdom_index>

Variable            Description

<duration_range>
    The start and end times, separated by a space.

<expire_range>
    The start and end times, separated by a space.

<ip_range>
    The start and end IP addresses, separated by a space.

<policy_range>
    The start and end policy numbers, separated by a space.

<port_range>
    The start and end port numbers, separated by a space.

<protocol_range>
    The start and end protocol numbers, separated by a space.

<vdom_index>
    The VDOM index number. -1 means all VDOMs.
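The following Python program is an added example for this reference, not FortiOS code: it models the session-filter semantics described above (one inclusive start/end range per key, negate inverting the sense of a key, vd -1 meaning all VDOMs) and applies them to constructed session records, then prints the equivalent execute set system session filter lines. The Session attribute names and the port/protocol sanity bounds are this example's own assumptions.

```python
"""Model of the FortiOS session-filter semantics: inclusive ranges, per-key
negation, vd = -1 selecting all VDOMs.  Added example, not FortiOS code; the
session records are constructed test data."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Keys that take "<start> <end>" ranges, as listed in the Syntax section.
RANGE_KEYS = ("dport", "dst", "duration", "expire", "policy", "proto", "sport", "src")
BOUNDS = {"dport": (0, 65535), "sport": (0, 65535), "proto": (0, 255)}  # assumed sanity limits


@dataclass
class Session:  # constructed, minimal view of one session-table entry
    vd: int
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    policy: int
    duration: int
    expire: int


class SessionFilter:
    def __init__(self) -> None:
        self.ranges: Dict[str, Tuple] = {}
        self.negated: Set[str] = set()
        self.vd = -1  # -1 selects all VDOMs, as the <vdom_index> row states

    def set_range(self, key: str, start, end) -> None:
        if key not in RANGE_KEYS:
            raise ValueError(f"unknown filter key {key!r}")
        if key in ("src", "dst"):
            lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        else:
            lo, hi = int(start), int(end)
            if key in BOUNDS and not (BOUNDS[key][0] <= lo and hi <= BOUNDS[key][1]):
                raise ValueError(f"{key} range outside {BOUNDS[key]}")
        if lo > hi:
            raise ValueError("start must not exceed end")
        self.ranges[key] = (lo, hi)

    def negate(self, key: str) -> None:
        # "negate <key>" inverts that key's range; issuing it again toggles back
        if key not in RANGE_KEYS:
            raise ValueError(f"unknown filter key {key!r}")
        self.negated ^= {key}

    def set_vd(self, index: int) -> None:
        self.vd = int(index)

    def clear(self, key: str = "all") -> None:
        if key == "all":
            self.ranges.clear()
            self.negated.clear()
            self.vd = -1
        elif key == "vd":
            self.vd = -1
        else:
            self.ranges.pop(key, None)
            self.negated.discard(key)

    def matches(self, s: Session) -> bool:
        if self.vd != -1 and s.vd != self.vd:
            return False
        for key, (lo, hi) in self.ranges.items():
            value = getattr(s, key)
            if key in ("src", "dst"):
                value = ipaddress.ip_address(value)
            hit = lo <= value <= hi
            if key in self.negated:
                hit = not hit
            if not hit:
                return False
        return True

    def to_cli(self) -> List[str]:
        """The equivalent 'execute set system session filter ...' lines."""
        lines = [f"execute set system session filter {k} {lo} {hi}" for k, (lo, hi) in self.ranges.items()]
        lines += [f"execute set system session filter negate {k}" for k in sorted(self.negated)]
        if self.vd != -1:
            lines.append(f"execute set system session filter vd {self.vd}")
        return lines


def filter_sessions(flt: SessionFilter, sessions: List[Session]) -> List[Session]:
    return [s for s in sessions if flt.matches(s)]


# Constructed sample session table (not real device output).
SAMPLE_SESSIONS = [
    Session(0, 6, "10.0.0.5", 51000, "203.0.113.10", 443, 1, 120, 3500),
    Session(0, 17, "10.0.0.6", 53000, "198.51.100.53", 53, 2, 5, 170),
    Session(1, 6, "192.168.1.10", 40000, "203.0.113.10", 443, 7, 900, 3000),
]

if __name__ == "__main__":
    f = SessionFilter()
    f.set_range("dport", 443, 443)
    f.negate("dport")  # everything except HTTPS sessions
    for cmd in f.to_cli():
        print(cmd)
    for s in filter_sessions(f, SAMPLE_SESSIONS):
        print(s)
```

Because negate is applied after the range test, listing the filter with execute set system session filter list is the only way to know which sense a key currently has; the to_cli method reproduces that state so it can be replayed on a second unit.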

set-next-reboot
Use this command to start the FortiGate unit with primary or secondary firmware after the next reboot. Available
on models that can store two firmware images. By default, the FortiGate unit loads the firmware from the primary
partition.
VDOM administrators do not have permission to run this command. It must be executed by a super administrator.

Syntax
execute set-next-reboot {primary | secondary}

sfp-mode-sgmii
Change the SFP mode for an NP2 card to SGMII. By default, when an AMC card is inserted the SFP mode is set to SERDES.
If a configured NP2 card is removed and re-inserted, the SFP mode goes back to the default.
In these situations, the sfpmode-sgmii command changes the SFP mode from SERDES to SGMII for the specified interface.

Syntax
execute sfpmode-sgmii <interface>

<interface> is the NP2 interface where you are changing the SFP mode.

shutdown
Shut down the FortiGate unit now. You will be prompted to confirm this command.


Abruptly powering off your FortiGate unit may corrupt its configuration.
Using the reboot and shutdown options here or in the web-based manager
ensure proper shutdown procedures are followed to prevent any loss of
configuration.

Syntax
execute shutdown [comment <comment_string>]

comment is optional but you can use it to add a message that will appear in the event log message that records the shutdown. The comment does not appear on the Alert Message console. If the message is more than one word it must be enclosed in quotes.

Example
This example shows the shutdown command with a message included.
execute shutdown comment "emergency facility shutdown"

An event log message similar to the following is recorded:


2009-09-08 11:12:31 critical admin 41986 ssh(172.20.120.11) shutdown User admin shutdown
the device from ssh(172.20.120.11). The reason is 'emergency facility shutdown'
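The event record above is what a log collector sees when an administrator reboots or shuts down the unit. The following Python program is an added example, not FortiOS code: it parses lines in that format and returns the shutdown and reboot events whose source address is outside an allowlisted management network, which is the check a SOC would run to catch a power-state change from an unexpected place. SAMPLE_LOGS[0] is the line shown above; the other two lines, the management network 172.20.120.0/24 and the message ids on the constructed lines are made up for the example.

```python
"""Parse FortiOS admin event log lines of the form
  <date> <time> <level> <user> <msg-id> <method>(<source>) <action> <message>
and flag shutdown/reboot events from outside the management network.
Added example, not FortiOS code; see SAMPLE_LOGS for what is constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

EVENT_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<level>\w+) (?P<user>\S+) (?P<msgid>\d+) "
    r"(?P<method>\w+)\((?P<src>[^)]+)\) (?P<action>\w+) (?P<message>.*)$"
)
REASON_RE = re.compile(r"The reason is '(?P<reason>[^']*)'")
POWER_ACTIONS = ("shutdown", "reboot")


@dataclass
class AdminEvent:
    timestamp: str
    level: str
    user: str
    method: str      # ssh, https, ... (the word before the parenthesised source)
    source: str      # the address inside the parentheses
    action: str
    reason: Optional[str]


def parse_event(line: str) -> Optional[AdminEvent]:
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    r = REASON_RE.search(m.group("message"))
    return AdminEvent(
        timestamp=f"{m.group('date')} {m.group('time')}",
        level=m.group("level"),
        user=m.group("user"),
        method=m.group("method"),
        source=m.group("src"),
        action=m.group("action"),
        reason=r.group("reason") if r else None,
    )


def unexpected_power_events(lines: Iterable[str], management_nets: Iterable[str]) -> List[AdminEvent]:
    """Return shutdown/reboot events whose source is not inside management_nets.
    A source that is not an IP address at all is also returned so that it is
    reviewed rather than silently accepted."""
    nets = [ipaddress.ip_network(n) for n in management_nets]
    flagged: List[AdminEvent] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.action not in POWER_ACTIONS:
            continue
        try:
            src = ipaddress.ip_address(ev.source)
        except ValueError:
            flagged.append(ev)
            continue
        if not any(src in net for net in nets):
            flagged.append(ev)
    return flagged


SAMPLE_LOGS = [
    # the line quoted in the reference, joined onto one line
    "2009-09-08 11:12:31 critical admin 41986 ssh(172.20.120.11) shutdown User admin shutdown "
    "the device from ssh(172.20.120.11). The reason is 'emergency facility shutdown'",
    # constructed: a reboot issued from outside the management network
    "2009-09-08 11:20:05 critical admin 41986 https(10.0.0.5) reboot User admin reboot "
    "the device from https(10.0.0.5). The reason is 'December monthly maintenance'",
    # constructed: a login event, not a power-state change (message id made up)
    "2009-09-08 11:25:00 information admin 32001 ssh(172.20.120.11) login User admin logged in from ssh(172.20.120.11)",
]

if __name__ == "__main__":
    for ev in unexpected_power_events(SAMPLE_LOGS, ["172.20.120.0/24"]):
        print(f"{ev.timestamp} {ev.action} by {ev.user} from {ev.method}({ev.source}): {ev.reason}")
```

The comment string is the only free-text field an administrator controls in this record, so the parser reads it with a dedicated pattern rather than splitting on spaces; a reason containing parentheses or extra words does not disturb the fixed fields in front of it.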

ssh
Use this command to establish an ssh session with another system.

Syntax
execute ssh <destination> [<port>]
<destination> - the destination in the form user@ip or user@host.

[<port>] - optional TCP port number

Example
execute ssh admin@172.20.120.122

To end an ssh session, type exit:


FGT-6028030112 # exit
Connection to 172.20.120.122 closed.
FGT-8002805000 #

sync-session
Use this command to force a session synchronization.

Syntax
execute sync-session

system custom-language import


Use this command to import a custom language file from a TFTP server.
The web-based manager provides a downloadable template file. Go to System > Config > Advanced.

Syntax
execute system custom-language import <lang_name> <file_name> <tftp_server_ip>

<lang_name> - the language name
<file_name> - the language file name
<tftp_server_ip> - the TFTP server IP address

system fortisandbox test-connectivity


Use this command to query FortiSandbox connection status.

Syntax
execute fortisandbox test-connectivity

tac report
Use this command to create a debug report to send to Fortinet Support. Normally you would only use this
command if requested to by Fortinet Support.

Syntax
execute tac report

telnet
Use telnet client. You can use this tool to test network connectivity.

Syntax
execute telnet <telnet_ipv4>

<telnet_ipv4> is the address to connect to.
Type exit to close the telnet session.

time
Get or set the system time.

Syntax
execute time [<time_str>]

time_str has the form hh:mm:ss, where
- hh is the hour and can be 00 to 23
- mm is the minutes and can be 00 to 59
- ss is the seconds and can be 00 to 59
If you do not specify a time, the command returns the current system time.
You are allowed to shorten numbers to only one digit when setting the time. For example, both 01:01:01 and 1:1:1 are allowed.

Example
This example sets the system time to 15:31:03:
execute time 15:31:03

traceroute
Test the connection between the FortiGate unit and another network device, and display information about the
network hops between the device and the FortiGate unit.

Syntax
execute traceroute {<ip_address> | <host-name>}

Example
This example shows how to test the connection with http://docs.forticare.com. In this example the traceroute
command times out after the first hop, indicating a possible problem.
# execute traceroute docs.forticare.com
traceroute to docs.forticare.com (65.39.139.196), 30 hops max, 38 byte packets
1 172.20.120.2 (172.20.120.2) 0.324 ms 0.427 ms 0.360 ms
2 * * *

If your FortiGate unit is not connected to a working DNS server, you will not be able to reach remote hosts by name with traceroute.
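The following Python program is an added example, not FortiOS code: it parses the hop lines that execute traceroute prints, records the round-trip times and timeouts per hop, and reports the first hop that stops answering and whether the target address was reached, which is the reasoning applied by hand in the example above. PAGE_TRACE is the output quoted above; CONSTRUCTED_TRACE is made up to show a run that completes with one lost probe along the way.

```python
"""Parser for 'execute traceroute' output.  Added example, not FortiOS code.
PAGE_TRACE is the run shown in the reference; CONSTRUCTED_TRACE is invented."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEADER_RE = re.compile(r"^traceroute to (?P<host>\S+) \((?P<ip>[^)]+)\)")
HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s*(?P<rest>.*)$")
# One probe result: "host (ip)", "<rtt> ms", or "*" for a probe that timed out
PROBE_RE = re.compile(r"(?P<host>\S+) \((?P<ip>[^)]+)\)|(?P<rtt>\d+(?:\.\d+)?) ms|(?P<star>\*)")


@dataclass
class Hop:
    number: int
    host: Optional[str] = None
    ip: Optional[str] = None
    rtts: List[float] = field(default_factory=list)
    timeouts: int = 0


def parse_traceroute(text: str) -> Dict:
    target_ip = None
    hops: List[Hop] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # blank line or the echoed command prompt
            continue
        h = HEADER_RE.match(line)
        if h:
            target_ip = h.group("ip")
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        hop = Hop(int(m.group("hop")))
        for p in PROBE_RE.finditer(m.group("rest")):
            if p.group("host"):
                hop.host, hop.ip = p.group("host"), p.group("ip")
            elif p.group("rtt"):
                hop.rtts.append(float(p.group("rtt")))
            else:
                hop.timeouts += 1
        hops.append(hop)
    # The first hop with no answered probe is where the path goes dark.
    silent = next((hp.number for hp in hops if not hp.rtts), None)
    return {
        "target_ip": target_ip,
        "hops": hops,
        "reached": any(hp.ip == target_ip for hp in hops) if target_ip else False,
        "first_silent_hop": silent,
    }


PAGE_TRACE = """\
# execute traceroute docs.forticare.com
traceroute to docs.forticare.com (65.39.139.196), 30 hops max, 38 byte packets
1 172.20.120.2 (172.20.120.2) 0.324 ms 0.427 ms 0.360 ms
2 * * *
"""

CONSTRUCTED_TRACE = """\
traceroute to example.invalid (203.0.113.20), 30 hops max, 38 byte packets
1 172.20.120.2 (172.20.120.2) 0.300 ms 0.310 ms 0.290 ms
2 203.0.113.1 (203.0.113.1) 1.100 ms * 1.200 ms
3 203.0.113.20 (203.0.113.20) 2.000 ms 2.100 ms 1.900 ms
"""

if __name__ == "__main__":
    for name, trace in (("page", PAGE_TRACE), ("constructed", CONSTRUCTED_TRACE)):
        r = parse_traceroute(trace)
        print(name, "reached:", r["reached"], "first silent hop:", r["first_silent_hop"])
```

A single lost probe on an intermediate hop (hop 2 of the constructed run) is normal rate limiting and is not reported as a failure; only a hop with no answered probe at all is.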

tracert6
Test the connection between the FortiGate unit and another network device using IPv6 protocol, and display
information about the network hops between the device and the FortiGate unit.

Syntax
tracert6 [-Fdn] [-f first_ttl] [-i interface] [-m max_ttl]
[-s src_addr] [-q nprobes] [-w waittime] [-z sendwait]
host [paddatalen]

Variable            Description

-F
    Set the Don't Fragment bit.

-d
    Enable debugging.

-n
    Do not resolve numeric addresses to domain names.

-f <first_ttl>
    Set the initial time-to-live used in the first outgoing probe packet.

-i <interface>
    Select the interface to use for tracert.

-m <max_ttl>
    Set the maximum time-to-live (maximum number of hops) used in outgoing probe packets.

-s <src_addr>
    Set the source IP address to use in outgoing probe packets.

-q <nprobes>
    Set the number of probes per hop.

-w <waittime>
    Set the time in seconds to wait for a response to a probe. Default is 5.

-z <sendwait>
    Set the time in milliseconds to pause between probes.

host
    Enter the IP address or FQDN to probe.

<paddatalen>
    Set the packet size to use when probing.

update-av
Use this command to manually initiate the virus definitions and engines update. To update both virus and attack
definitions, use the execute update-now command.

Syntax
execute update-av

update-geo-ip
Use this command to obtain an update to the IP geography database from FortiGuard.

Syntax
execute update-geo-ip

update-ips
Use this command to manually initiate the Intrusion Prevention System (IPS) attack definitions and engine
update. To update both virus and attack definitions, use the execute update-now command.

Syntax
execute update-ips

update-list
Use this command to download an updated FortiGuard server list.

Syntax
execute update-list

update-now
Use this command to manually initiate both virus and attack definitions and engine updates. To initiate only virus
or attack definitions, use the execute update-av or execute update-ips command respectively.

Syntax
execute update-now

update-src-vis
Use this command to trigger an FDS update of the source visibility signature package.

Syntax
execute update-src-vis

upd-vd-license
Use this command to enter a Virtual Domain (VDOM) license key.
If you have a FortiGate unit that supports VDOM licenses, you can purchase a license key from Fortinet to
increase the maximum number of VDOMs to 25, 50, 100 or 500. By default, FortiGate units support a maximum
of 10 VDOMs.
Available on FortiGate models that can be licensed for more than 10 VDOMs.

Syntax
execute upd-vd-license <license_key>

Variable            Description

<license_key>
    The license key is a 32-character string supplied by Fortinet. Fortinet requires your unit serial number to generate the license key.


upload
Use this command to upload system configurations and firmware images to the flash disk from FTP, TFTP, or
USB sources.

Syntax
To upload configuration files:
execute upload config ftp <filename_str> <comment> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute upload config tftp <filename_str> <comment> <server_ipv4>
execute upload config usb <filename_str> <comment>

To upload firmware image files:
execute upload image ftp <filename_str> <comment> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]]
execute upload image tftp <filename_str> <comment> <server_ipv4>
execute upload image usb <filename_str> <comment>

To upload report image files:
execute upload report-img ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]]
execute upload report-img tftp <filename_str> <server_ipv4>

Variable            Description

<comment>
    Comment string.

<filename_str>
    Filename to upload.

<server_fqdn[:port_int]>
    Server fully qualified domain name and optional port.

<server_ipv4[:port_int]>
    Server IP address and optional port number.

<username_str>
    Username required on the server.

<password_str>
    Password required on the server.

<backup_password_str>
    Password for the backup file.

usb-device
Use these commands to manage FortiExplorer iOS devices.


Syntax
List connected FortiExplorer iOS devices
execute usb-device list

Disconnect FortiExplorer iOS devices
execute usb-device disconnect

usb-disk
Use these commands to manage your USB disks.

Syntax
execute usb-disk delete <filename>
execute usb-disk format
execute usb-disk list
execute usb-disk rename <old_name> <new_name>

Variable            Description

delete <filename>
    Delete the named file from the USB disk.

format
    Format the USB disk.

list
    List the files on the USB disk.

rename <old_name> <new_name>
    Rename a file on the USB disk.

vpn certificate ca
Use this command to import a CA certificate from a TFTP or SCEP server to the FortiGate unit, or to export a CA
certificate from the FortiGate unit to a TFTP server.
Before using this command you must obtain a CA certificate issued by a CA.
Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy,
prior to an encrypted VPN tunnel being set up between the participants. The CA certificate is the certificate that
the FortiGate unit uses to authenticate itself to other devices.
VPN peers must use digital certificates that adhere to the X.509 standard.
Digital certificates are not required for configuring FortiGate VPNs. Digital
certificates are an advanced feature provided for the convenience of system
administrators. This manual assumes the user has prior knowledge of how
to configure digital certificates for their implementation.


Syntax
execute vpn certificate ca export tftp <certificate-name_str> <file-name_str> <tftp_ip>
execute vpn certificate ca import auto <ca_server_url> <ca_identifier_str>
execute vpn certificate ca import tftp <file-name_str> <tftp_ip>

Variable            Description

import
    Import the CA certificate from a TFTP server to the FortiGate unit.

export
    Export or copy the CA certificate from the FortiGate unit to a file on the TFTP server. Type ? for a list of certificates.

<certificate-name_str>
    Enter the name of the CA certificate.

<file-name_str>
    Enter the file name on the TFTP server.

<tftp_ip>
    Enter the TFTP server address.

auto
    Retrieve a CA certificate from a SCEP server.

tftp
    Import the CA certificate to the FortiGate unit from a file on a TFTP server (local administrator PC).

<ca_server_url>
    Enter the URL of the CA certificate server.

<ca_identifier_str>
    CA identifier on the CA certificate server (optional).

Examples
Use the following command to import the CA certificate file named trust_ca to the FortiGate unit from a TFTP
server with the address 192.168.21.54.
execute vpn certificate ca import tftp trust_ca 192.168.21.54

vpn certificate crl


Use this command to get a CRL via LDAP, HTTP, or SCEP protocol, depending on the auto-update configuration.
In order to use the command execute vpn certificate crl, the authentication servers must already be configured.
Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy,
prior to an encrypted VPN tunnel being set up between the participants. The CA certificate is the certificate that
the FortiGate unit uses to authenticate itself to other devices.
VPN peers must use digital certificates that adhere to the X.509 standard.
Digital certificates are not required for configuring FortiGate VPNs. Digital
certificates are an advanced feature provided for the convenience of system
administrators. This manual assumes the user has prior knowledge of how
to configure digital certificates for their implementation.


Syntax
execute vpn certificate crl import auto <crl-name>

Variable            Description

import
    Import the CRL from the configured LDAP, HTTP, or SCEP authentication server to the FortiGate unit.

<crl-name>
    Enter the name of the CRL.

auto
    Trigger an auto-update of the CRL from the configured LDAP, HTTP, or SCEP authentication server.

vpn certificate local export


Use this command to export a local certificate from the FortiGate unit to a TFTP server.
Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy,
prior to an encrypted VPN tunnel being set up between the participants. The local certificate is the certificate that
the FortiGate unit uses to authenticate itself to other devices.
VPN peers must use digital certificates that adhere to the X.509 standard.
Digital certificates are not required for configuring FortiGate VPNs. Digital
certificates are an advanced feature provided for the convenience of system
administrators. This manual assumes the user has prior knowledge of how
to configure digital certificates for their implementation.

Syntax
execute vpn certificate local export tftp <certificate-name_str> <file-name_str> <tftp_ip>

Variable            Description

export
    Export or copy the local certificate from the FortiGate unit to a file on the TFTP server. Type ? for a list of certificates.

<certificate-name_str>
    Enter the name of the local certificate. To view a list of the local certificates, you can enter:
    execute vpn certificate local export tftp ?

<file-name_str>
    Enter the file name on the TFTP server.

<tftp_ip>
    Enter the TFTP server address.

Example
Use the following command to export the local certificate request generated in the vpn certificate local generate example below from the FortiGate unit to a TFTP server. The example uses the file name testcert for the downloaded file and the TFTP server address 192.168.21.54.
execute vpn certificate local export tftp branch_cert testcert 192.168.21.54

vpn certificate local generate


Use this command to generate a local certificate.
Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy,
prior to an encrypted VPN tunnel being set up between the participants. The local certificate is the certificate that
the FortiGate unit uses to authenticate itself to other devices.
When you generate a certificate request, you create a private and public key pair for the local FortiGate unit. The
public key accompanies the certificate request. The private key remains confidential.
When you receive the signed certificate from the CA, use the vpn certificate local command to install it
on the FortiGate unit.
VPN peers must use digital certificates that adhere to the X.509 standard.
Digital certificates are not required for configuring FortiGate VPNs. Digital
certificates are an advanced feature provided for the convenience of system
administrators. This manual assumes the user has prior knowledge of how
to configure digital certificates for their implementation.

Syntax
To generate the default CA certificate used by SSL Inspection
execute vpn certificate local generate default-ssl-ca

To generate the default server key used by SSL Inspection
execute vpn certificate local generate default-ssl-serv-key

To generate an elliptic curve certificate request
execute vpn certificate local generate ec <certificate-name_str> <elliptic-curve-name> <subject_str> [<optional_information>]

To generate an RSA certificate request
execute vpn certificate local generate rsa <certificate-name_str> <key-length> <subject_str> [<optional_information>]

Variable            Description

<certificate-name_str>
    Enter a name for the certificate. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.

<elliptic-curve-name>
    Enter the elliptic curve name: secp256r1, secp384r1, or secp521r1.

<key-length>
    Enter 1024, 1536 or 2048 for the size in bits of the encryption key.

<subject_str>
    Enter the FortiGate unit host IP address, its fully qualified domain name, or an email address to identify the FortiGate unit being certified.
    An IP address or domain name is preferred. If this is impossible (such as with a dialup client), use an e-mail address.
    If you specify a host IP or domain name, use the IP address or domain name associated with the interface on which IKE negotiations will take place (usually the external interface of the local FortiGate unit). If the IP address in the certificate does not match the IP address of this interface (or if the domain name in the certificate does not match a DNS query of the FortiGate unit's IP), then some implementations of IKE may reject the connection. Enforcement of this rule varies for different IPSec products.

[<optional_information>]
    Enter optional_information as required to further identify the certificate. See the Optional information variables table below for the list of optional information variables. You must enter the optional variables in the order that they are listed in the table. To enter any optional variable you must enter all of the variables that come before it in the list. For example, to enter the organization_name_str, you must first enter the country_code_str, state_name_str, and city_name_str. While entering optional variables, you can type ? for help on the next required variable.

Optional information variables

Variable            Description

<country_code_str>
    Enter the two-character country code. Enter execute vpn certificates local generate <name_str> country followed by a ? for a list of country codes. The country code is case sensitive. Enter null if you do not want to specify a country.

<state_name_str>
    Enter the name of the state or province where the FortiGate unit is located.

<city_name_str>
    Enter the name of the city, or town, where the person or organization certifying the FortiGate unit resides.

<organization-name_str>
    Enter the name of the organization that is requesting the certificate for the FortiGate unit.

<organization-unit_name_str>
    Enter a name that identifies the department or unit within the organization that is requesting the certificate for the FortiGate unit.

<email_address_str>
    Enter a contact e-mail address for the FortiGate unit.

<ca_server_url>
    Enter the URL of the CA (SCEP) certificate server that allows auto-signing of the request.

<challenge_password>
    Enter the challenge password for the SCEP certificate server.

Example
Use the following command to generate a local RSA certificate request with the name branch_cert, the domain
name www.example.com and a key size of 1536.
execute vpn certificate local generate rsa branch_cert 1536 www.example.com
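The positional rules for this command are easy to get wrong when it is scripted: the name has a restricted character set, the key length and curve take fixed values, and an optional variable may only be given once every variable listed before it has been given. The following Python program is an added example, not FortiOS code: it builds the execute vpn certificate local generate line from named arguments and refuses combinations the reference does not allow. The warning it attaches to key lengths below 2048 bits is this example's own policy, not something the reference states, and the quoting of values that contain spaces is an assumption about the CLI.

```python
"""Build an 'execute vpn certificate local generate' command line under the rules
stated in the reference.  Added example, not FortiOS code."""
import re
from typing import Dict, List, Optional, Tuple

NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")          # 0-9, A-Z, a-z, - and _ only
RSA_KEY_LENGTHS = (1024, 1536, 2048)
EC_CURVES = ("secp256r1", "secp384r1", "secp521r1")
# Positional order of the optional information variables, from the table above.
OPTIONAL_ORDER = [
    "country_code_str", "state_name_str", "city_name_str",
    "organization-name_str", "organization-unit_name_str",
    "email_address_str", "ca_server_url", "challenge_password",
]


def optional_error(info: Dict[str, str]) -> Optional[str]:
    """Describe the first ordering violation in info, or return None if it is valid.
    To pass a later variable, every earlier one must be present ('null' counts
    as present for the country code, as the table allows)."""
    unknown = [k for k in info if k not in OPTIONAL_ORDER]
    if unknown:
        return f"unknown optional variable(s): {', '.join(unknown)}"
    for i, key in enumerate(OPTIONAL_ORDER):
        if key in info:
            missing = [k for k in OPTIONAL_ORDER[:i] if k not in info]
            if missing:
                return f"{key} requires {missing[0]} to be entered first"
    return None


def _token(value: str) -> str:
    # Assumption: values containing spaces are double-quoted on the CLI.
    return f'"{value}"' if " " in value else value


def build_generate_command(
    name: str,
    subject: str,
    *,
    key_length: Optional[int] = None,
    curve: Optional[str] = None,
    optional: Optional[Dict[str, str]] = None,
) -> Tuple[str, List[str]]:
    """Return (command line, warnings).  Exactly one of key_length (rsa) or curve (ec)."""
    warnings: List[str] = []
    if not NAME_RE.match(name):
        raise ValueError("certificate name may contain only 0-9, A-Z, a-z, - and _")
    if (key_length is None) == (curve is None):
        raise ValueError("give exactly one of key_length (rsa) or curve (ec)")
    prefix = ["execute", "vpn", "certificate", "local", "generate"]
    if key_length is not None:
        if key_length not in RSA_KEY_LENGTHS:
            raise ValueError(f"key length must be one of {RSA_KEY_LENGTHS}")
        if key_length < 2048:
            warnings.append(f"{key_length}-bit RSA is below current minimum recommendations; prefer 2048")
        parts = prefix + ["rsa", name, str(key_length), _token(subject)]
    else:
        if curve not in EC_CURVES:
            raise ValueError(f"curve must be one of {EC_CURVES}")
        parts = prefix + ["ec", name, curve, _token(subject)]
    info = optional or {}
    err = optional_error(info)
    if err:
        raise ValueError(err)
    parts += [_token(info[k]) for k in OPTIONAL_ORDER if k in info]
    return " ".join(parts), warnings


if __name__ == "__main__":
    cmd, warns = build_generate_command("branch_cert", "www.example.com", key_length=1536)
    print(cmd)
    for w in warns:
        print("warning:", w)
    cmd, _ = build_generate_command(
        "ec_cert", "vpn.example.com", curve="secp384r1",
        optional={"country_code_str": "CA", "state_name_str": "British Columbia", "city_name_str": "Burnaby"},
    )
    print(cmd)
```

Keeping the validation in front of the device means a malformed request fails in the script rather than leaving a half-entered command waiting at the ? prompt of an interactive session.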

vpn certificate local import


Use this command to import a local certificate to the FortiGate unit from a TFTP server.
Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy,
prior to an encrypted VPN tunnel being set up between the participants. The local certificate is the certificate that
the FortiGate unit uses to authenticate itself to other devices.
VPN peers must use digital certificates that adhere to the X.509 standard.
Digital certificates are not required for configuring FortiGate VPNs. Digital
certificates are an advanced feature provided for the convenience of system
administrators. This manual assumes the user has prior knowledge of how
to configure digital certificates for their implementation.

Syntax
execute vpn certificate local import tftp <file-name_str> <tftp_ip>

<certificate-name_str>
    Enter the name of the local certificate.

<file-name_str>
    Enter the file name on the TFTP server.

<tftp_ip>
    Enter the TFTP server address.

Example
Use the following command to import the signed local certificate named branch_cert to the FortiGate unit
from a TFTP server with the address 192.168.21.54.
execute vpn certificate local import branch_cert 192.168.21.54

vpn certificate remote


Use this command to import a remote certificate from a TFTP server, or export a remote certificate from the
FortiGate unit to a TFTP server. The remote certificates are public certificates without a private key. They are
used as OCSP (Online Certificate Status Protocol) server certificates.

Syntax
execute vpn certificate remote import tftp <file-name_str> <tftp_ip>
execute vpn certificate remote export tftp <certificate-name_str> <file-name_str> <tftp_ip>

import
    Import the remote certificate from the TFTP server to the FortiGate unit.

export
    Export or copy the remote certificate from the FortiGate unit to a file on the TFTP server. Type ? for a list
    of certificates.

<certificate-name_str>
    Enter the name of the public certificate.

<file-name_str>
    Enter the file name on the TFTP server.

<tftp_ip>
    Enter the TFTP server address.

tftp
    Import/export the remote certificate via a TFTP server.

vpn ipsec tunnel down


Use this command to shut down an IPsec VPN tunnel.

Syntax
execute vpn ipsec tunnel down <phase2> [<phase1> <phase2_serial>]

where:
<phase2> is the phase2 name
<phase1> is the phase1 name
<phase2_serial> is the phase2 serial number
<phase1> is required on a dial-up tunnel.

vpn ipsec tunnel up


Use this command to activate an IPsec VPN tunnel.

Syntax
execute vpn ipsec tunnel up <phase2> [<phase1> <phase2_serial>]

where:
<phase2> is the phase2 name
<phase1> is the phase1 name
<phase2_serial> is the phase2 serial number
This command cannot activate a dial-up tunnel.

vpn sslvpn del-all


Use this command to delete all SSL VPN connections in this VDOM.

Syntax
execute vpn sslvpn del-all

vpn sslvpn del-tunnel


Use this command to delete an SSL tunnel connection.

Syntax
execute vpn sslvpn del-tunnel <tunnel_index>

<tunnel_index> identifies which tunnel to delete if there is more than one active tunnel.

vpn sslvpn del-web


Use this command to delete an active SSL VPN web connection.

Syntax
execute vpn sslvpn del-web <web_index>


<web_index> identifies which web connection to delete if there is more than one active connection.

vpn sslvpn list


Use this command to list current SSL VPN tunnel connections.

Syntax
execute vpn sslvpn list {web | tunnel}

webfilter quota-reset
Use this command to reset user quota.

Syntax
execute webfilter quota-reset <wf-profile> <user_ip4addr>
execute webfilter quota-reset <wf-profile> <user_name>

wireless-controller delete-wtp-image
Use this command to delete all firmware images for WLAN Termination Points (WTPs), also known as physical
access points.

Syntax
execute wireless-controller delete-wtp-image

wireless-controller list-wtp-image
Use this command to list all firmware images for WLAN Termination Points (WTPs), also known as WiFi physical
access points.

Syntax
execute wireless-controller list-wtp-image

Example output
WTP Images on AC:
ImageName ImageSize(B) ImageInfo ImageMTime
FAP22A-IMG.wtp 3711132 FAP22A-v4.0-build212 Mon Jun 6 12:26:41 2011

wireless-controller reset-wtp
Use this command to reset a physical access point (WTP).
If the FortiGate unit has a more recent version of the FortiAP firmware, the FortiAP unit will download and install
it. Use the command execute wireless-controller upload-wtp-image to upload FortiAP firmware to the FortiGate
unit.

Syntax
execute wireless-controller reset-wtp {<serialNumber_str> | all}

where <serialNumber_str> is the FortiWiFi unit serial number. Use the all option to reset all APs.

wireless-controller restart-acd
Use this command to restart the wireless-controller daemon.

Syntax
execute wireless-controller restart-acd

wireless-controller restart-wtpd
Use this command to restart the wireless access point daemon.

Syntax
execute wireless-controller restart-wtpd

wireless-controller upload-wtp-image
Use this command to upload a FortiWiFi firmware image to the FortiGate unit. Wireless APs controlled by this
wireless controller can download the image as needed. Use the execute wireless-controller reset-wtp command
to trigger FortiAP units to update their firmware.

Syntax
FTP:
execute wireless-controller upload-wtp-image ftp <filename_str> <server_ipv4[:port_
int]> [<username_str> <password_str>]

TFTP:
execute wireless-controller upload-wtp-image tftp <filename_str> <server_ipv4>

get
The get commands retrieve information about the operation and performance of your FortiGate unit.

application internet-service status


Use this command to display Internet service information.

Syntax
get application internet-service status [<app-id>]

All application IDs are listed if <app-id> is not specified.

Example output
FG-5KD3914800284 # get application internet-service status 1245324
id: 1245324 app-name: "Fortinet-FortiGuard"

application internet-service-summary
Use this command to display information about the Internet service database.

Syntax
get application internet-service-summary

Example output
FG-5KD3914800284 # get application internet-service-summary
Version: 00002.00679
Timestamp: 201512161002
Number of Entries: 1267

certificate
Display detailed information about local and CA certificates installed on the FortiGate unit. This is a global level
command. At the VDOM level, use get vpn certificate.

Syntax
get certificate {local | ca} details [certificate_name]

extender modem-status
Use this command to display detailed FortiExtender modem status information.

Syntax
get extender modem-status <serno>

where <serno> is the FortiExtender serial number.

Example output
physical_port: Internal
manufacture: Sierra Wireless, Incorporated
product: AirCard 313U
model: AirCard 313U
revision: SWI9200X_03.05.10.02AP R4684 CARMD-EN-10527 2012/02/25 11:58:38
imsi: 310410707582825
pin_status: READY
service: N/A
signal_strength: 73
RSSI: -68 dBm
connection_status: connected
Profile 1: broadband
Profile 2: broadband
Profile 13: wap.cingular
Profile 15: broadband
NAI: w.tp
Profile: 0 Disabled
home_addr: 127.219.10.128
primary_ha: 127.218.246.40
secondary_ha: 119.75.69.176
aaa_spi: 0
ha_spi: 4
esn_imei: 012615000227604
activation_status: Activated
roaming_status: N/A
usim_status: N/A
oma_dm_version: N/A
plmn: N/A
band: B17
signal_rsrq: N/A
signal_rsrp: N/A
lte_sinr: N/A
lte_rssi: N/A
lte_rs_throughput: N/A
lte_ts_throughput: N/A
lte_physical_cellid: N/A
modem_type:
drc_cdma_evdo: N/A
current_snr: N/A
wireless_operator:
operating_mode: N/A
wireless_signal: 73
usb_wan_mac: 16:78:f7:db:01:07

extender sys-info
Use this command to display detailed FortiExtender system information.

Syntax
get extender sys-info

firewall dnstranslation
Use this command to display the firewall DNS translation table.

Syntax
get firewall dnstranslation

firewall iprope appctrl


Use this command to list all application control signatures added to an application control list and display a
summary of the application control configuration.

Syntax
get firewall iprope appctrl {list | status}

Example output
In this example, the FortiGate unit includes one application control list that blocks the FTP application.
get firewall iprope appctrl list
app-list=app_list_1/2000 other-action=Pass
app-id=15896 list-id=2000 action=Block

get firewall iprope appctrl status
appctrl table 3 list 1 app 1 shaper 0

firewall iprope list


Use this command to list all of the FortiGate unit iprope firewall policies. Optionally include a group number in
hexadecimal format to display a single policy. Policies are listed in FortiOS format.

Syntax
get firewall iprope list [<group_number_hex>]

Example output
get firewall iprope list 0010000c
policy flag (8000000): pol_stats
flag2 (20): ep_block shapers: / per_ip=
imflag: sockport: 1011 action: redirect index: 0
schedule() group=0010000c av=00000000 au=00000000 host=0 split=00000000
chk_client_info=0x0 app_list=0 misc=0 grp_info=0 seq=0 hash=0
npu_sensor_id=0
tunnel=
zone(1): 0 ->zone(1): 0
source(0):
dest(0):
source wildcard(0):
destination wildcard(0):
service(1):
[6:0x8:1011/(0,65535)->(80,80)]
nat(0):
mms: 0 0

firewall proute, proute6


Use these commands to list policy routes.

Syntax
For IPv4 policy routes:
get firewall proute

For IPv6 policy routes:
get firewall proute6

Example output
get firewall proute
list route policy info(vf=root):
iff=5 src=1.1.1.0/255.255.255.0 tos=0x00 tos_mask=0x00 dst=0.0.0.0/0.0.0.0 protocol=80
port=1:65535
oif=3 gwy=1.2.3.4

firewall service custom


Use this command to view the list of custom services. If you do not specify a <service_name> the command lists
all of the pre-defined services.

Syntax
get firewall service custom

This lists the services.

To view details about all services:
config firewall service custom
show full-configuration

To view details about a specific service:
This example lists the configuration for the ALL_TCP service:
config firewall service custom
edit ALL_TCP
show full-configuration

Example output
This is a partial output.
get firewall service custom
== [ALL ]
name: ALL
== [ALL_TCP ]
name: ALL_TCP
== [ALL_UDP ]
name: ALL_UDP
== [ALL_ICMP ]
name: ALL_ICMP
== [ALL_ICMP6 ]
name: ALL_ICMP6
== [GRE ]
name: GRE
== [AH ]
name: AH
== [ESP ]
name: ESP
== [AOL ]
name: AOL
== [BGP ]
name: BGP
== [DHCP ]
name: DHCP
== [DNS ]
name: DNS
== [FINGER ]
name: FINGER

firewall shaper
Use these commands to retrieve information about traffic shapers.

Syntax
To get information about per-ip traffic shapers:
get firewall shaper per-ip

To get information about shared traffic shapers:
get firewall shaper traffic-shaper

grep
In many cases the get and show (and diagnose) commands may produce a large amount of output. If you are
looking for specific information in a large get or show command output you can use the grep command to filter
the output to only display what you are looking for. The grep command is based on the standard UNIX grep,
used for searching text output based on regular expressions.
Information about how to use grep and regular expressions is available from the Internet. For example, see
http://www.opengroup.org/onlinepubs/009695399/utilities/grep.html.

Syntax
{get | show | diagnose} | grep <regular_expression>

Example output
Use the following command to display the MAC address of the FortiGate unit internal interface:
get hardware nic internal | grep Current_HWaddr
Current_HWaddr 00:09:0f:cb:c2:75

Use the following command to display all TCP sessions in the session list and include the session list line number
in the output:
get system session list | grep -n tcp
19:tcp 1110 10.31.101.10:1862 172.20.120.122:30670 69.111.193.57:1469
27:tcp 3599 10.31.101.10:2061 - 10.31.101.100:22
38:tcp 3594 10.31.101.10:4780 172.20.120.122:49700 172.20.120.100:445
43:tcp 3582 10.31.101.10:4398 172.20.120.122:49574 24.200.188.171:48726 -

Use the following command to display all lines in HTTP replacement message commands that contain URL
(upper or lower case):
show system replacemsg http | grep -i url
set buffer "<HTML><BODY>The page you requested has been blocked because it contains a
banned word. URL = %%PROTOCOL%%%%URL%%</BODY></HTML>"
config system replacemsg http "url-block"
set buffer "<HTML><BODY>The URL you requested has been blocked. URL =
%%URL%%</BODY></HTML>"
config system replacemsg http "urlfilter-err"
.
.
.

gui console status


Display information about the CLI console.

Syntax
get gui console status

Example
The output looks like this:
Preferences:
User: admin
Colour scheme (RGB): text=FFFFFF, background=000000
Font: style=monospace, size=10pt
History buffer=50 lines, external input=disabled

gui topology status


Display information about the topology viewer database. The topology viewer is available only if the Topology
widget has been added to a customized web-based manager menu layout.

Syntax
get gui topology status

Example output
Preferences:
Canvas dimensions (pixels): width=780, height=800
Colour scheme (RGB): canvas=12ff08, lines=bf0f00, exterior=ddeeee
Background image: type=none, placement: x=0, y=0
Line style: thickness=2
Custom background image file: none
Topology element database:
__FortiGate__: x=260, y=340
Office: x=22, y=105
ISPnet: x=222, y=129
__Text__: x=77, y=112: "Ottawa"
__Text__: x=276, y=139: "Internet"

hardware cpu
Use this command to display detailed information about all of the CPUs in your FortiGate unit.

Syntax
get hardware cpu

Example output
get hardware npu legacy list
No npu ports are found
620_ha_1 # get hardware cpu
processor : 0

vendor_id : GenuineIntel
cpu family : 6
model : 15
model name : Intel(R) Core(TM)2 Duo CPU E4300 @ 1.80GHz
stepping : 13
cpu MHz : 1795.545
cache size : 64 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush
dts acpi mmx fxsr sse sse2 ss ht tm pbe lm pni monitor ds_cpl tm2 est
bogomips : 3578.26
processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 15
model name : Intel(R) Core(TM)2 Duo CPU E4300 @ 1.80GHz
stepping : 13
cpu MHz : 1795.545
cache size : 64 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush
dts acpi mmx fxsr sse sse2 ss ht tm pbe lm pni monitor ds_cpl tm2 est
bogomips : 3578.26

hardware memory
Use this command to display information about FortiGate unit memory use including the total, used, and free
memory.

Syntax
get hardware memory

Example output
get hardware memory
total: used: free: shared: buffers: cached: shm:
Mem: 3703943168 348913664 3355029504 0 192512 139943936 137314304
Swap: 0 0 0
MemTotal: 3617132 kB

MemFree: 3276396 kB
MemShared: 0 kB
Buffers: 188 kB
Cached: 136664 kB
SwapCached: 0 kB
Active: 22172 kB
Inactive: 114740 kB
HighTotal: 1703936 kB
HighFree: 1443712 kB
LowTotal: 1913196 kB
LowFree: 1832684 kB
SwapTotal: 0 kB
SwapFree: 0 kB

hardware nic
Use this command to display hardware and status information about each FortiGate interface. The hardware
information includes details such as the driver name and version and chip revision. Status information includes
transmitted and received packets, and different types of errors.

Syntax
get hardware nic <interface_name>

Variable

Description

<interface_name>

A FortiGate interface name such as port1, wan1, internal, etc.

Example output
get hardware nic port9
Chip_Model FA2/ISCP1B-v3/256MB
FPGA_REV_TAG 06101916
Driver Name iscp1a/b-DE
Driver Version 0.1
Driver Copyright Fortinet Inc.
Link down
Speed N/A
Duplex N/A
State up
Rx_Packets 0
Tx_Packets 0
Rx_Bytes 0
Tx_Bytes 0
Current_HWaddr 00:09:0f:77:09:68
Permanent_HWaddr 00:09:0f:77:09:68
Frame_Received 0
Bad Frame Received 0
Tx Frame 0
Tx Frame Drop 0

Receive IP Error 0
FIFO Error 0
Small PktBuf Left 125
Normal PktBuf Left 1021
Jumbo PktBuf Left 253
NAT Anomaly 0
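Because the get hardware nic output is a flat list of "Key value" lines with multi-word keys, it helps to have a small parser when you want to compare interfaces over time or alert on counters. The following is an added example and not Fortinet code: it parses the port9 listing shown above (embedded as sample input), then flags a running MAC that no longer matches the burned-in one and any non-zero error or drop counter; the function names, the keyword list and the altered second sample are the author's assumptions, not anything from FortiOS.

```python
# Output of "get hardware nic port9" exactly as printed on the reference page,
# embedded as sample input (not a capture from a live unit).
PAGE_NIC_OUTPUT = """\
Chip_Model FA2/ISCP1B-v3/256MB
FPGA_REV_TAG 06101916
Driver Name iscp1a/b-DE
Driver Version 0.1
Driver Copyright Fortinet Inc.
Link down
Speed N/A
Duplex N/A
State up
Rx_Packets 0
Tx_Packets 0
Rx_Bytes 0
Tx_Bytes 0
Current_HWaddr 00:09:0f:77:09:68
Permanent_HWaddr 00:09:0f:77:09:68
Frame_Received 0
Bad Frame Received 0
Tx Frame 0
Tx Frame Drop 0
Receive IP Error 0
FIFO Error 0
Small PktBuf Left 125
Normal PktBuf Left 1021
Jumbo PktBuf Left 253
NAT Anomaly 0
"""

# Constructed variant: the running MAC no longer matches the burned-in one and the
# FIFO error counter is non-zero. Both values are made up for the test.
ALTERED_NIC_OUTPUT = (PAGE_NIC_OUTPUT
                      .replace("Current_HWaddr 00:09:0f:77:09:68",
                               "Current_HWaddr 00:09:0f:77:09:69")
                      .replace("FIFO Error 0", "FIFO Error 3"))


def parse_nic_output(text):
    """Turn the 'Key value' lines into a dict.

    Keys may contain spaces ('Bad Frame Received 0'), so the value is taken to be
    the last token, except for the 'Driver ...' lines, whose value is free text
    after a two-word key. Purely numeric values become int so they can be compared.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Driver "):
            parts = line.split(" ", 2)
            key = " ".join(parts[:2])
            value = parts[2] if len(parts) == 3 else ""
        else:
            key, _, value = line.rpartition(" ")
            if not key:  # single-token line: treat it as a key with an empty value
                key, value = value, ""
        fields[key] = int(value) if value.isdigit() else value
    return fields


# Counter names that should stay at zero on a healthy interface (assumed list).
ERROR_KEYWORDS = ("Error", "Drop", "Bad", "Anomaly")


def check_nic(fields):
    """Return findings worth a second look.

    A Current_HWaddr that differs from Permanent_HWaddr is legitimate when a MAC is
    configured on the interface (for example by HA), so confirm it against the
    configuration rather than treating it as an incident by itself.
    """
    findings = []
    cur, perm = fields.get("Current_HWaddr"), fields.get("Permanent_HWaddr")
    if cur and perm and str(cur).lower() != str(perm).lower():
        findings.append(f"MAC changed from burned-in {perm} to {cur}")
    for key, value in fields.items():
        if isinstance(value, int) and value > 0 and any(w in key for w in ERROR_KEYWORDS):
            findings.append(f"{key} = {value}")
    return findings


if __name__ == "__main__":
    for label, text in (("page sample", PAGE_NIC_OUTPUT), ("altered sample", ALTERED_NIC_OUTPUT)):
        print(label + ":", check_nic(parse_nic_output(text)) or "no findings")
```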

hardware npu
Use this command to display information about the network processor unit (NPU) hardware installed in a
FortiGate unit. The NPUs can be built-in or on an installed AMC module.

Syntax
get hardware npu legacy {list | session <device_name_str> | setting <device_name_str>}
get hardware npu np1 {list | status}
get hardware npu np2 {list | performance <device_id_int> | status <device_id_int>}
get hardware npu np4 {list | status <device_id_int>}
get hardware npu np6 {dce | ipsec-stats | port-list | session-stats <device_id_int> |
sse-stats <device_id_int> | synproxy-stats}
get hardware npu sp {list | status}

Example output
get hardware npu np1 list
ID Interface
0 port9 port10
get hardware npu np1 status
ISCP1A 10ee:0702
RX SW Done 0 MTP 0x00000000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Total Number of Interfaces: 2
Number of Interface In-Use: 2
Interface[0] Tx done: 0
desc_size = 0x00004000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
TX timeout = 0x00000000 BD_empty = 0x00000000
HRx Packets= 0x00000000 HTXBytes = 0x00000000 HRXBytes = 0x00000000
Interface[1] Tx done: 0
desc_size = 0x00004000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
TX timeout = 0x00000000 BD_empty = 0x00000000
HRx Packets= 0x00000000 HTXBytes = 0x00000000 HRXBytes = 0x00000000
NAT Information:
head = 0x00000001 tail = 00000001
ISCP1A Performance [Top]:
Nr_int : 0x00000000 INTwoInd : 0x00000000 RXwoDone : 0x00000000
PKTwoEnd : 0x00000000 PKTCSErr : 0x00000000
PKTidErr : 0x00000000 PHY0Int : 0x00000000 PHY1INT : 0x00000000
CSUMOFF : 0x00000000 BADCSUM : 0x00000000 MSGINT : 0x00000000
IPSEC : 0x00000000 IPSVLAN : 0x00000000 SESMISS : 0x00000000

TOTUP : 0x00000000 RSVD MEMU : 0x00000010
MSG Performance:
QLEN: 0x00001000(QW) HEAD: 0x00000000
Performance:
TOTMSG: 0x00000000 BADMSG: 0x00000000 TOUTMSG: 0x00000000 QUERY: 0x00000000
NULLTK: 0x00000000
NAT Performance: BYPASS (Enable) BLOCK (Disable)
IRQ : 00000001 QFTL : 00000000 DELF : 00000000 FFTL : 00000000
OVTH : 00000001 QRYF : 00000000 INSF : 00000000 INVC : 00000000
ALLO : 00000000 FREE : 00000000 ALLOF : 00000000 BPENTR: 00000000 BKENTR: 00000000
PBPENTR: 00000000 PBKENTR: 00000000 NOOP : 00000000 THROT : 00000000(0x002625a0)
SWITOT : 00000000 SWDTOT : 00000000 ITDB : 00000000 OTDB : 00000000
SPISES : 00000000 FLUSH : 00000000
APS (Disabled) information:
MODE: BOTH UDPTH 255 ICMPTH 255 APSFLAGS: 0x00000000
IPSEC Offload Status: 0x58077dcb

get hardware npu np2 list
ID PORTS
-- -----
0 amc-sw1/1
0 amc-sw1/2
0 amc-sw1/3
0 amc-sw1/4
ID PORTS
-- -----
1 amc-dw2/1
ID PORTS
-- -----
2 amc-dw2/2

get hardware npu np2 status 0
NP2 Status
ISCP2 f7750000 (Neighbor 00000000) 1a29:0703 256MB Base f8aad000 DBG 0x00000000
RX SW Done 0 MTP 0x0
desc_alloc = f7216000
desc_size = 0x2000 count = 0x100
nxt_to_u = 0x0 nxt_to_f = 0x0
Total Interfaces: 4 Total Ports: 4
Number of Interface In-Use: 4
Interface f7750100 netdev 81b1e000 0 Name amc-sw1-1
PHY: Attached
LB Mode 0 LB IDX 0/1 LB Ports: f7750694, 00000000, 00000000, 00000000
Port f7750694 Id 0 Status Down ictr 4
desc = 8128c000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Intf f7750100
Interface f7750264 netdev 81b2cc00 1 Name amc-sw1-2
PHY: Attached
LB Mode 0 LB IDX 0/1 LB Ports: f7750748, 00000000, 00000000, 00000000
Port f7750748 Id 1 Status Down ictr 0
desc = 81287000
desc_size = 0x00001000 count = 0x00000100

nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Intf f7750264
Interface f77503c8 netdev 81b2c800 2 Name amc-sw1-3
PHY: Attached
LB Mode 0 LB IDX 0/1 LB Ports: f77507fc, 00000000, 00000000, 00000000
Port f77507fc Id 2 Status Down ictr 0
desc = 81286000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Intf f77503c8
Interface f775052c netdev 81b2c400 3 Name amc-sw1-4
PHY: Attached
LB Mode 0 LB IDX 0/1 LB Ports: f77508b0, 00000000, 00000000, 00000000
Port f77508b0 Id 3 Status Down ictr 0
desc = 81281000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Intf f775052c
NAT Information:
cmdq_qw = 0x2000 cmdq = 82160000
head = 0x1 tail = 0x1
APS (Enabled) information:
Session Install when TMM TSE OOE: Disable
Session Install when TMM TAE OOE: Disable
IPS anomaly check policy: Follow config
MSG Base = 82150000 QL = 0x1000 H = 0x0

hardware status
Report information about the FortiGate unit hardware including FortiASIC version, CPU type, amount of memory,
flash drive size, hard disk size (if present), USB flash size (if present), network card chipset, and WiFi chipset
(FortiWifi models). This information can be useful for troubleshooting, providing information about your FortiGate
unit to Fortinet Support, or confirming the features that your FortiGate model supports.

Syntax
get hardware status

Example output
Model name: Fortigate-620B
ASIC version: CP6
ASIC SRAM: 64M
CPU: Intel(R) Core(TM)2 Duo CPU E4300 @ 1.80GHz
RAM: 2020 MB
Compact Flash: 493 MB /dev/sda
Hard disk: 76618 MB /dev/sdb
USB Flash: not available
Network Card chipset: Broadcom 570x Tigon3 Ethernet Adapter (rev.0x5784100)

ips decoder status


Displays all the port settings of all the IPS decoders.

Syntax
get ips decoder status

Example output
# get ips decoder status
decoder-name: "back_orifice"
decoder-name: "dns_decoder"
port_list: 53
decoder-name: "ftp_decoder"
port_list: 21
decoder-name: "http_decoder"
decoder-name: "im_decoder"
decoder-name: "imap_decoder"
port_list: 143

Ports are shown only for decoders with configurable port settings.

ips rule status


Displays current configuration information about IPS rules.

Syntax
get ips rule status

Example output
# get ips rule status
rule-name: "IP.Land"
rule-id: 12588
rev: 2.464
action: pass
status: disable
log: enable
log-packet: disable
severity: 3.high
service: All
location: server, client
os: All
application: All
rule-name: "IP.Loose.Src.Record.Route.Option"

rule-id: 12805
rev: 2.464
action: pass
status: disable
log: enable
log-packet: disable
severity: 2.medium
service: All
location: server, client
os: All
application: All
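The rule status listing above is one record per rule with no separator, so auditing it (for example, which severe rules are disabled or set to pass) is easier once it is split into records. The following is an added example and not Fortinet code: it parses the two-rule output shown above (embedded as sample input) and reports rules of a given severity that are disabled or pass-only in this listing; the function names and the severity threshold are the author's assumptions.

```python
# Output of "get ips rule status" as printed on the reference page (two rules),
# embedded here as sample input; not a capture from a live unit.
SAMPLE_RULE_STATUS = """\
rule-name: "IP.Land"
rule-id: 12588
rev: 2.464
action: pass
status: disable
log: enable
log-packet: disable
severity: 3.high
service: All
location: server, client
os: All
application: All
rule-name: "IP.Loose.Src.Record.Route.Option"
rule-id: 12805
rev: 2.464
action: pass
status: disable
log: enable
log-packet: disable
severity: 2.medium
service: All
location: server, client
os: All
application: All
"""


def parse_rule_status(text):
    """Split the flat 'key: value' stream into one dict per rule.

    A new record starts at every 'rule-name:' line; rule-id becomes an int,
    severity becomes a (level, label) pair such as (3, 'high'), and location
    becomes a list. Everything else is kept as the string FortiOS printed.
    """
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "rule-name":
            current = {"rule-name": value.strip('"')}
            rules.append(current)
            continue
        if current is None:
            raise ValueError(f"field {key!r} appears before any rule-name line")
        if key == "rule-id":
            value = int(value)
        elif key == "severity":
            level, _, label = value.partition(".")  # "3.high" -> (3, "high")
            value = (int(level), label)
        elif key == "location":
            value = [item.strip() for item in value.split(",")]
        current[key] = value
    return rules


def inactive_rules(rules, min_level=3):
    """Names of rules at or above min_level that are disabled or whose action is
    pass in this listing, i.e. rules that would not block anything as listed."""
    return [r["rule-name"] for r in rules
            if r["severity"][0] >= min_level
            and (r["status"] != "enable" or r["action"] == "pass")]


def summarize(rules):
    """Count rules per (status, action) pair, e.g. {('disable', 'pass'): 2}."""
    counts = {}
    for r in rules:
        pair = (r["status"], r["action"])
        counts[pair] = counts.get(pair, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_rule_status(SAMPLE_RULE_STATUS)
    print(summarize(parsed))
    print("high-severity rules not blocking:", inactive_rules(parsed))
```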

ips session
Displays current IPS session status.

Syntax
get ips session

Example output
get ips session
SYSTEM:
memory capacity 279969792
memory used 5861008
recent pps\bps 0\0K
session in-use 0
TCP: in-use\active\total 0\0\0
UDP: in-use\active\total 0\0\0
ICMP: in-use\active\total 0\0\0

ips view-map
Use this command to view the policies examined by IPS. This is mainly used for debugging. If there is no ips view
map, it means IPS is not used or enabled.

Syntax
get ips view-map <id>

Example output
id : 1
id-policy-id : 0
policy-id : 2
vdom-id : 0
which : firewall

id
    IPS policy ID

id-policy-id
    Identity-based policy ID (0 means none)

policy-id
    Policy ID

vdom-id
    VDOM, identified by ID number

which
    Type of policy id: firewall, firewall6, sniffer, sniffer6, interface, interface6

ipsec tunnel
List the current IPSec VPN tunnels and their status.

Syntax
To view details of all IPsec tunnels:
get ipsec tunnel details

To list IPsec tunnels by name:
get ipsec tunnel name

To view a summary of IPsec tunnel information:
get ipsec tunnel summary

mgmt-data status
Use this command to display information additional to that provided by get system status or
get hardware status.

Syntax
get mgmt-data status

Sample output
FG100D3G12801361 # get mgmt-data status
Model name: FortiGate-100D
CPU: 4
RAM: 1977 MB
is_ssd_available: 0
is_logdisk_mounted: 1

is_support_log_on_boot_device: 1
is_rev_support_wanopt: 1

pbx branch-office
Use this command to list the configured branch offices.

Syntax
get pbx branch-office

Example output
== [Branch 15 ]
name: Branch 15
== [Branch 12 ]
name: Branch 12

pbx dialplan
Use this command to list the configured dial plans.

Syntax
get pbx dialplan

Example output
== [company-default ]
name: company-default
== [inbound ]
name: inbound

pbx did
Use this command to list the configured direct inward dial (DID) numbers.

Syntax
get pbx did

Example output
== [Operator ]
name: Operator
== [Emergency ]
name: Emergency

pbx extension
Use this command to list the configured extensions.

Syntax
get pbx extension

Example output
== [6555 ]
extension: 6555
== [6777 ]
extension: 6777
== [6111 ]
extension: 6111

pbx ftgd-voice-pkg
Use this command to display the current FortiGate Voice service package status.

Syntax
get pbx ftgd-voice-pkg status

Example output
Status: Activated
Total 1 Packages:
Package Type: B, Credit Left: 50.00, Credit Used: 0.00,
Expiration Date: 2011-01-01 12:00:00
Total 1 Dids:
12345678901
Total 1 Efaxs:
12345678902
Total 0 Tollfrees:

pbx global
Use this command to display the current global pbx settings.

Syntax
get pbx global

Example output
block-blacklist : enable
country-area : USA
country-code : 1

efax-check-interval : 5
extension-pattern : 6XXX
fax-admin-email : faxad@example.com
ftgd-voice-server : service.fortivoice.com
local-area-code : 408
max-voicemail : 60
outgoing-prefix : 9
ring-timeout : 20
rtp-hold-timeout : 0
rtp-timeout : 60
voicemail-extension : *97

pbx ringgrp
Use this command to display the currently configured ring groups.

Syntax
get pbx ringgrp

Example output
== [6001 ]
name: 6001
== [6002 ]
name: 6002

pbx sip-trunk
Use this command to display the currently configured SIP trunks.

Syntax
get pbx sip-trunk

Example output
== [__FtgdVoice_1 ]
name: __FtgdVoice_1

pbx voice-menu
Use this command to display the current voice menu and recorder extension configuration.

Syntax
get pbx voice-menu

Example output
comment : general
password : *
press-0:
ring-group : 6001
type : ring-group
press-1:
type : voicemail
press-2:
type : directory
press-3:
type : none
press-4:
type : none
press-5:
type : none
press-6:
type : none
press-7:
type : none
press-8:
type : none
press-9:
type : none
recorder-exten : *30

router info bfd neighbor


Use this command to list state information about the neighbors in the Bidirectional Forwarding Detection (BFD) table.

Syntax
get router info bfd neighbour

router info bgp


Use this command to display information about the BGP configuration.

Syntax
get router info bgp <keyword>

cidr-only
    Show all BGP routes having non-natural network masks.

community
    Show all BGP routes having their COMMUNITY attribute set.

community-info
    Show general information about the configured BGP communities, including the routes in each community and
    their associated network addresses.

community-list
    Show all routes belonging to configured BGP community lists.

dampening {dampened-paths | flap-statistics | parameters}
    Display information about dampening:
    Type dampened-paths to show all paths that have been suppressed due to flapping.
    Type flap-statistics to show flap statistics related to BGP routes.
    Type parameters to show the current dampening settings.

filter-list
    Show all routes matching configured AS-path lists.

inconsistent-as
    Show all routes associated with inconsistent autonomous systems of origin.

memory
    Show the BGP memory table.

neighbors [<address_ipv4> | <address_ipv4> advertised-routes | <address_ipv4> received prefix-filter |
<address_ipv4> received-routes | <address_ipv4> routes]
    Show information about connections to TCP and BGP neighbors.

network [<address_ipv4mask>]
    Show general information about the configured BGP networks, including their network addresses and
    associated prefixes.

network-longer-prefixes <address_ipv4mask>
    Show general information about the BGP route that you specify (for example, 12.0.0.0/14) and any specific
    routes associated with the prefix.

paths
    Show general information about BGP AS paths, including their associated network addresses.

prefix-list <name>
    Show all routes matching configured prefix list <name>.

quote-regexp <regexp_str>
    Enter the regular expression to compare to the AS_PATH attribute of BGP routes (for example, ^730$) and
    enable the use of output modifiers (for example, include, exclude, and begin) to search the results.

regexp <regexp_str>
    Enter the regular expression to compare to the AS_PATH attribute of BGP routes (for example, ^730$).

route-map
    Show all routes matching configured route maps.

scan
    Show information about next-hop route scanning, including the scan interval setting.

summary
    Show information about BGP neighbor status.

Example output
get router info bgp memory
Memory type Alloc count Alloc bytes
=================================== ============= ===============
BGP structure : 2 1408
BGP VR structure : 2 104
BGP global structure : 1 56
BGP peer : 2 3440
BGP as list master : 1 24
Community list handler : 1 32
BGP Damp Reuse List Array : 2 4096
BGP table : 62 248
----------------------------------- ------------- ---------------
Temporary memory : 4223 96095
Hash : 7 140
Hash index : 7 28672
Hash bucket : 11 132
Thread master : 1 564
Thread : 4 144
Link list : 32 636
Link list node : 24 288
Show : 1 396
Show page : 1 4108
Show server : 1 36
Prefix IPv4 : 10 80
Route table : 4 32
Route node : 63 2772
Vector : 2180 26160
Vector index : 2180 18284
Host config : 1 2
Message of The Day : 1 100
IMI Client : 1 708
VTY master : 1 20
VTY if : 11 2640
VTY connected : 5 140
Message handler : 2 120
NSM Client Handler : 1 12428
NSM Client : 1 1268
Host : 1 64
Log information : 2 72
Context : 1 232
----------------------------------- ------------- ---------------
bgp proto specifc allocations : 9408 B
bgp generic allocations : 196333 B
bgp total allocations : 205741 B

router info isis


Use this command to display information about the FortiGate ISIS configuration.

Syntax
get router info isis interface
get router info isis neighbor
get router info isis is-neighbor
get router info isis database
get router info isis route
get router info isis topology
router info kernel


Use this command to display the FortiGate kernel routing table. The kernel routing table displays information
about all of the routes in the kernel.

Syntax
get router info kernel [<routing_type_int>]

router info multicast


Use this command to display information about a Protocol Independent Multicasting (PIM) configuration.
Multicast routing is supported in the root virtual domain only.

Syntax
get router info multicast <keywords>

<keywords>    Description

igmp
    Show Internet Group Management Protocol (IGMP) membership information according to one of these qualifiers:
    Type groups [{<interface-name> | <group-address>}] to show IGMP information for the multicast group(s) associated with the specified interface or multicast group address.
    Type groups-detail [{<interface-name> | <group-address>}] to show detailed IGMP information for the multicast group(s) associated with the specified interface or multicast group address.
    Type interface [<interface-name>] to show IGMP information for all multicast groups associated with the specified interface.

pim dense-mode
    Show information related to dense mode operation according to one of these qualifiers:
    Type interface to show information about PIM-enabled interfaces.
    Type interface-detail to show detailed information about PIM-enabled interfaces.
    Type neighbor to show the current status of PIM neighbors.
    Type neighbor-detail to show detailed information about PIM neighbors.
    Type next-hop to show information about next-hop PIM routers.
    Type table [<group-address>] [<source-address>] to show the multicast routing table entries associated with the specified multicast group address and/or multicast source address.

pim sparse-mode
    Show information related to sparse mode operation according to one of these qualifiers:
    Type bsr-info to show Boot Strap Router (BSR) information.
    Type interface to show information about PIM-enabled interfaces.
    Type interface-detail to show detailed information about PIM-enabled interfaces.
    Type neighbor to show the current status of PIM neighbors.
    Type neighbor-detail to show detailed information about PIM neighbors.
    Type next-hop to show information about next-hop PIM routers.
    Type rp-mapping to show Rendezvous Point (RP) information.
    Type table [<group-address>] [<source-address>] to show the multicast routing table entries associated with the specified multicast group address and/or multicast source address.

table [<group-address>] [<source-address>]
    Show the multicast routing table entries associated with the specified multicast group address and/or multicast source address.

table-count [<group-address>] [<source-address>]
    Show statistics related to the specified multicast group address and/or multicast source address.

router info ospf


Use this command to display information about the FortiGate OSPF configuration and/or the Link-State
Advertisements (LSAs) that the FortiGate unit obtains and generates. An LSA identifies the interfaces of all
OSPF-enabled routers in an area, and provides information that enables OSPF-enabled routers to select the
shortest path to a destination.

Syntax
get router info ospf <keyword>

<keyword>    Description

border-routers
    Show OSPF routing table entries that have an Area Border Router (ABR) or Autonomous System Boundary Router (ASBR) as a destination.

database <qualifier>
    Show information from the OSPF routing database according to one of these qualifiers. Some qualifiers require a target that can be one of the following values:
    Type adv-router <address_ipv4> to limit the information to LSAs originating from the router at the specified IP address.
    Type self-originate <address_ipv4> to limit the information to LSAs originating from the FortiGate unit.

    adv-router <address_ipv4>
        Type adv-router <address_ipv4> to show OSPF Advertising Router link states for the router at the given IP address.

    asbr-summary <target>
        Type asbr-summary to show information about ASBR summary LSAs.

    brief
        Type brief to show the number and type of LSAs associated with each OSPF area.

    external <target>
        Type external to show information about external LSAs.

    max-age
        Type max-age to show all LSAs in the MaxAge list.

    network <target>
        Type network to show information about network LSAs.

    nssa-external <target>
        Type nssa-external to show information about not-so-stubby external LSAs.

    opaque-area <address_ipv4>
        Type opaque-area <address_ipv4> to show information about opaque Type 10 (area-local) LSAs (see RFC 2370).

    opaque-as <address_ipv4>
        Type opaque-as <address_ipv4> to show information about opaque Type 11 LSAs (see RFC 2370), which are flooded throughout the AS.

    opaque-link <address_ipv4>
        Type opaque-link <address_ipv4> to show information about opaque Type 9 (link-local) LSAs (see RFC 2370).

    router <target>
        Type router to show information about router LSAs.

    self-originate
        Type self-originate to show self-originated LSAs.

    summary <target>
        Type summary to show information about summary LSAs.

interface [<interface_name>]
    Show the status of one or all FortiGate interfaces and whether OSPF is enabled on those interfaces.

neighbor [all | <neighbor_id> | detail | detail all | interface <address_ipv4>]
    Show general information about OSPF neighbors, excluding down-status neighbors:
    Type all to show information about all neighbors, including down-status neighbors.
    Type <neighbor_id> to show detailed information about the specified neighbor only.
    Type detail to show detailed information about all neighbors, excluding down-status neighbors.
    Type detail all to show detailed information about all neighbors, including down-status neighbors.
    Type interface <address_ipv4> to show neighbor information based on the FortiGate interface IP address that was used to establish the neighbor relationship.

route
    Show the OSPF routing table.

status
    Show general information about the OSPF routing processes.

virtual-links
    Show information about OSPF virtual links.

router info protocols


Use this command to show the current states of active routing protocols. Inactive protocols are not displayed.

Syntax
get router info protocols

Example output
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing:
Default version control: send version 2, receive version 2
Interface Send Recv Key-chain
Routing for Networks:
Routing Information Sources:
Gateway Distance Last Update Bad Packets Bad Routes
Distance: (default is 120)
Routing Protocol is "ospf 0"
Invalid after 0 seconds, hold down 0, flushed after 0
Outgoing update filter list for all interfaces is
Incoming update filter list for all interfaces is
Redistributing:
Routing for Networks:
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 110)
Address Mask Distance List
Routing Protocol is "bgp 5"
IGP synchronization is disabled
Automatic route summarization is disabled
Default local-preference applied to incoming route is 100
Redistributing:
Neighbor(s):
Address AddressFamily FiltIn FiltOut DistIn DistOut RouteMapIn RouteMapOut Weight
192.168.20.10 unicast

router info rip


Use this command to display information about the RIP configuration.

Syntax
get router info rip <keyword>

<keyword>    Description

database
    Show the entries in the RIP routing database.

interface [<interface_name>]
    Show the status of the specified FortiGate unit interface <interface_name> and whether RIP is enabled. If interface is used alone it lists all the FortiGate unit interfaces and whether RIP is enabled on each.

router info routing-table


Use this command to display the routes in the routing table.

Syntax
get router info routing-table <keyword>

<keyword>    Description

all
    Show all entries in the routing table.

bgp
    Show the BGP routes in the routing table.

connected
    Show the connected routes in the routing table.

database
    Show the routing information database.

details [<address_ipv4mask>]
    Show detailed information about a route in the routing table, including the next-hop routers, metrics, outgoing interfaces, and protocol-specific information.

ospf
    Show the OSPF routes in the routing table.

rip
    Show the RIP routes in the routing table.

static
    Show the static routes in the routing table.

router info vrrp


Use this command to display information about the VRRP configuration.

Syntax
get router info vrrp

Example output
Interface: port1, primary IP address: 9.1.1.2
VRID: 1
vrip: 9.1.1.254, priority: 100, state: BACKUP
adv_interval: 1, preempt: 1, start_time: 3
vrdst: 0.0.0.0

router info6 bgp


Use this command to display information about the BGP IPv6 configuration.

Syntax
get router info6 bgp <keyword>

<keyword>    Description

community
    Show all BGP routes having their COMMUNITY attribute set.

community-list
    Show all routes belonging to configured BGP community lists.

dampening {dampened-paths | flap-statistics | parameters}
    Display information about dampening:
    Type dampened-paths to show all paths that have been suppressed due to flapping.
    Type flap-statistics to show flap statistics related to BGP routes.
    Type parameters to show the current dampening settings.

filter-list
    Show all routes matching configured AS-path lists.

inconsistent-as
    Show all routes associated with inconsistent autonomous systems of origin.

neighbors [<address_ipv6mask>]
    Show information about connections to TCP and BGP neighbors.

network [<address_ipv6mask>]
    Show general information about the configured BGP networks, including their network addresses and associated prefixes.

network-longer-prefixes <address_ipv6mask>
    Show general information about the BGP route that you specify (for example, 12.0.0.0/14) and any specific routes associated with the prefix.

paths
    Show general information about BGP AS paths, including their associated network addresses.

prefix-list <name>
    Show all routes matching configured prefix list <name>.

quote-regexp <regexp_str>
    Enter the regular expression to compare to the AS_PATH attribute of BGP routes (for example, ^730$) and enable the use of output modifiers (for example, include, exclude, and begin) to search the results.

regexp <regexp_str>
    Enter the regular expression to compare to the AS_PATH attribute of BGP routes (for example, ^730$).

route-map
    Show all routes matching configured route maps.

summary
    Show information about BGP neighbor status.

router info6 interface


Use this command to display information about IPv6 interfaces.

Syntax
get router info6 interface <interface_name>

Example output
The command returns the status of the interface and the assigned IPv6 address.
dmz2 [administratively down/down]
2001:db8:85a3:8d3:1319:8a2e:370:7348
fe80::209:fff:fe04:4cfd

router info6 kernel


Use this command to display the FortiGate kernel routing table. The kernel routing table displays information
about all of the routes in the kernel.

Syntax
get router info6 kernel

router info6 ospf


Use this command to display information about the OSPF IPv6 configuration.

Syntax
get router info6 ospf

router info6 protocols


Use this command to display information about the configuration of all IPv6 dynamic routing protocols.

Syntax
get router info6 protocols

router info6 rip


Use this command to display information about the RIPng configuration.

Syntax
get router info6 rip

router info6 routing-table


Use this command to display the routes in the IPv6 routing table.

Syntax
get router info6 routing-table <item>

where <item> is one of the following:

Variable    Description

<ipv6_ip>
    Destination IPv6 address or prefix.

bgp
    Show BGP routing table entries.

connected
    Show connected routing table entries.

database
    Show routing information base.

ospf
    Show OSPF routing table entries.

rip
    Show RIP routing table entries.

static
    Show static routing table entries.

switch-controller poe
Retrieve information about PoE ports.

Syntax
get switch-controller poe <vdom-name> <fortiswitch-id>

system admin list


View a list of all the current administration sessions.

Syntax
get system admin list

Example output
# get system admin list
username  local  device                    remote                 started
admin     sshv2  port1:172.20.120.148:22   172.20.120.16:4167     2006-08-09 12:24:20
admin     https  port1:172.20.120.148:443  172.20.120.161:56365   2006-08-09 12:24:20
admin     https  port1:172.20.120.148:443  172.20.120.16:4214     2006-08-09 12:25:29

Variable    Description

username
    Name of the admin account for this session.

local
    The protocol this session used to connect to the FortiGate unit.

device
    The interface, IP address, and port used by this session to connect to the FortiGate unit.

remote
    The IP address and port used by the originating computer to connect to the FortiGate unit.

started
    The time the current session started.
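To review these sessions from a script (for example, from a scheduled audit that collects the command output), the following added example parses the rows and reports sessions that arrive from outside a management network, over an unexpected protocol, or on an unexpected interface. It is not code from this reference or from Fortinet; the column order, whitespace separation and IPv4 address forms are assumptions taken from the example output above, and the sample rows are constructed from it.

```python
"""Parse `get system admin list` output and review the sessions it lists.

Added example, not from the FortiOS reference or Fortinet. Assumptions not
stated in the reference: the columns appear in the order username, local,
device, remote, started; fields are whitespace-separated; the date and time
of "started" are separated by a space; device and remote carry IPv4
addresses in the forms shown in the example output.
"""
import ipaddress
from datetime import datetime

# Constructed from the example output above, with column spacing restored.
SAMPLE_OUTPUT = """\
# get system admin list
username local device remote started
admin sshv2 port1:172.20.120.148:22 172.20.120.16:4167 2006-08-09 12:24:20
admin https port1:172.20.120.148:443 172.20.120.161:56365 2006-08-09 12:24:20
admin https port1:172.20.120.148:443 172.20.120.16:4214 2006-08-09 12:25:29
"""


def parse_admin_list(text):
    """Return one dict per session row. The prompt, the header row and any
    line that does not have exactly six fields are skipped."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] == "username":
            continue
        user, proto, device, remote, date, time = parts
        # device is <interface>:<ip>:<port>; remote is <ip>:<port> (IPv4 assumed)
        iface, dev_ip, dev_port = device.rsplit(":", 2)
        rem_ip, rem_port = remote.rsplit(":", 1)
        sessions.append({
            "username": user,
            "local": proto,
            "interface": iface,
            "device_ip": dev_ip,
            "device_port": int(dev_port),
            "remote_ip": rem_ip,
            "remote_port": int(rem_port),
            "started": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        })
    return sessions


def review_sessions(sessions, mgmt_networks, allowed_protocols=("sshv2", "https"),
                    mgmt_interfaces=None):
    """Return (session, reason) pairs for sessions that deviate from the expected
    management profile: remote address outside mgmt_networks, protocol not in
    allowed_protocols, or (when mgmt_interfaces is given) an unexpected
    ingress interface. A session can produce more than one finding."""
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]
    findings = []
    for s in sessions:
        rip = ipaddress.ip_address(s["remote_ip"])
        if not any(rip in n for n in nets):
            findings.append((s, "remote address outside management networks"))
        if s["local"] not in allowed_protocols:
            findings.append((s, f"protocol {s['local']} not in allowed set"))
        if mgmt_interfaces is not None and s["interface"] not in mgmt_interfaces:
            findings.append((s, f"session arrived on interface {s['interface']}"))
    return findings


def remote_hosts_per_user(sessions):
    """Map each admin account to the set of remote IPs it is connected from;
    one account active from several hosts at once is worth a second look."""
    hosts = {}
    for s in sessions:
        hosts.setdefault(s["username"], set()).add(s["remote_ip"])
    return hosts


if __name__ == "__main__":
    found = parse_admin_list(SAMPLE_OUTPUT)
    # Treat only one workstation as the expected management host.
    for sess, why in review_sessions(found, ["172.20.120.16/32"]):
        print(f"{sess['username']} from {sess['remote_ip']} via {sess['local']}: {why}")
    print(remote_hosts_per_user(found))
```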

system admin status


View the status of the currently logged in admin and their session.

Syntax
get system admin status

Example
The output looks like this:
# get system admin status
username: admin
login local: sshv2
login device: port1:172.20.120.148:22
login remote: 172.20.120.16:4167
login vdom: root
login started: 2006-08-09 12:24:20
current time: 2006-08-09 12:32:12

Variable    Description

username
    Name of the admin account currently logged in.

login local
    The protocol used to start the current session.

login device
    The login information from the FortiGate unit including interface, IP address, and port number.

login remote
    The computer the user is logging in from including the IP address and port number.

login vdom
    The virtual domain the admin is currently logged into.

login started
    The time the current session started.

current time
    The current time of day on the FortiGate unit.

system arp
View the ARP table entries on the FortiGate unit.
This command is not available in multiple VDOM mode.

Syntax
get system arp

Example output
# get system arp
Address Age(min) Hardware Addr Interface
172.20.120.16 0 00:0d:87:5c:ab:65 internal
172.20.120.138 0 00:08:9b:09:bb:01 internal

system auto-update
Use this command to display information about the status of FortiGuard updates on the FortiGate unit.

Syntax
get system auto-update status
get system auto-update versions

Example output
get system auto-update status
FDN availability: available at Thu Apr 1 08:22:58 2010
Push update: disable
Scheduled update: enable
Update daily: 8:22
Virus definitions update: enable
IPS definitions update: enable
Server override: disable
Push address override: disable
Web proxy tunneling: disable

system central-management
View information about the Central Management System configuration.

Syntax
get system central-management

Example
The output looks like this:

FG600B3908600705 # get system central-management
status : enable
type : fortimanager
auto-backup : disable
schedule-config-restore: enable
schedule-script-restore: enable
allow-push-configuration: enable
allow-pushd-firmware: enable
allow-remote-firmware-upgrade: enable
allow-monitor : enable
fmg : 172.20.120.161
vdom : root
authorized-manager-only: enable
serial-number : "FMG-3K2404400063"

system checksum
View the checksums for global, root, and all configurations. These checksums are used by HA to compare the
configurations of each cluster unit.

Syntax
get system checksum status

Example output
# get system checksum status
global: 7a 87 3c 14 93 bc 98 92 b0 58 16 f2 eb bf a4 15
root: bb a4 80 07 42 33 c2 ff f1 b5 6e fe e4 bb 45 fb
all: 1c 28 f1 06 fa 2e bc 1f ed bd 6b 21 f9 4b 12 88
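Because HA compares these per-section checksums between cluster units, collecting the output from each unit and diffing the sections is a quick way to locate which scope (global or a VDOM) is out of sync. The following added example does that; it is not code from this reference or from Fortinet, and the second unit's output is constructed to show a mismatch.

```python
"""Compare `get system checksum status` output from two HA cluster units.

Added example, not from the FortiOS reference or Fortinet. UNIT_A is the
example output from the reference; UNIT_B is constructed so that the global
section matches while the root section (and therefore "all") differs.
"""
import re

UNIT_A = """\
# get system checksum status
global: 7a 87 3c 14 93 bc 98 92 b0 58 16 f2 eb bf a4 15
root: bb a4 80 07 42 33 c2 ff f1 b5 6e fe e4 bb 45 fb
all: 1c 28 f1 06 fa 2e bc 1f ed bd 6b 21 f9 4b 12 88
"""

# Constructed second unit: identical global section, different root section,
# so the aggregate "all" checksum differs as well.
UNIT_B = """\
# get system checksum status
global: 7a 87 3c 14 93 bc 98 92 b0 58 16 f2 eb bf a4 15
root: 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
all: 9f 8e 7d 6c 5b 4a 39 28 17 06 f5 e4 d3 c2 b1 a0
"""

# One "<section>: <hex bytes>" line; the prompt line does not match.
_LINE = re.compile(r"^([A-Za-z0-9_-]+):\s+((?:[0-9a-fA-F]{2}\s*)+)$")


def parse_checksums(text):
    """Map each section name (global, root, all, or another VDOM name) to its
    checksum as bytes. Lines that do not look like a checksum are ignored."""
    sections = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            sections[m.group(1)] = bytes.fromhex(m.group(2).replace(" ", ""))
    return sections


def diff_checksums(unit_a, unit_b):
    """Return the sorted names of sections whose checksum differs between the
    two units, or that exist on only one of them (a VDOM missing from one
    unit is itself a synchronisation problem)."""
    names = set(unit_a) | set(unit_b)
    return sorted(n for n in names if unit_a.get(n) != unit_b.get(n))


def ha_in_sync(text_a, text_b):
    """True when every section checksum matches between the two outputs."""
    return not diff_checksums(parse_checksums(text_a), parse_checksums(text_b))


if __name__ == "__main__":
    mismatched = diff_checksums(parse_checksums(UNIT_A), parse_checksums(UNIT_B))
    print("out-of-sync sections:", mismatched)  # ['all', 'root']
```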

system cmdb status


View information about cmdbsvr on the FortiGate unit. FortiManager uses some of this information.

Syntax
get system cmdb status

Example output
# get system cmdb status
version: 1
owner id: 18
update index: 6070
config checksum: 12879299049430971535
last request pid: 68
last request type: 29
last request: 78

Variable    Description

version
    Version of the cmdb software.

owner id
    Process ID of the cmdbsvr daemon.

update index
    The update index shows how many changes have been made in cmdb.

config checksum
    The config file version used by FortiManager.

last request pid
    The last process to access the cmdb.

last request type
    Type of the last attempted access of cmdb.

last request
    The number of the last attempted access of cmdb.

system fortianalyzer-connectivity
Display connection and remote disk usage information about a connected FortiAnalyzer unit.

Syntax
get system fortianalyzer-connectivity status

Example output
# get system fortianalyzer-connectivity status
Status: connected
Disk Usage: 0%

system fortiguard-log-service status


Command returns information about the status of the FortiGuard Log & Analysis Service including license and
disk information.

Syntax
get system fortiguard-log-service status

Example output
# get system fortiguard-log-service status
FortiGuard Log & Analysis Service
Expire on: 20071231
Total disk quota: 1111 MB
Max daily volume: 111 MB
Current disk quota usage: n/a

system fortiguard-service status


COMMAND REPLACED. Command returns information about the status of the FortiGuard service including the name, version, last update, method used for the last update and when the update expires. This information is shown for the AV Engine, virus definitions, attack definitions, and the IPS attack engine.

Syntax
get system fortiguard-service status

Example output
NAME                VERSION  LAST UPDATE          METHOD  EXPIRE
AV Engine           2.002    2006-01-26 19:45:00  manual  2006-06-12 08:00:00
Virus Definitions   6.513    2006-06-02 22:01:00  manual  2006-06-12 08:00:00
Attack Definitions  2.299    2006-06-09 19:19:00  manual  2006-06-12 08:00:00
IPS Attack Engine   1.015    2006-05-09 23:29:00  manual  2006-06-12 08:00:00

system ha-nonsync-csum
FortiManager uses this command to obtain a system checksum.

Syntax
get system ha-nonsync-csum

system ha status
Use this command to display information about an HA cluster. The command displays general HA configuration
settings. The command also displays information about how the cluster unit that you have logged into is
operating in the cluster.
Usually you would log into the primary unit CLI using SSH or telnet. In this case the get system ha status command displays information about the primary unit first, and also displays the HA state of the primary unit (the primary unit operates in the work state). However, if you log into the primary unit and then use the execute ha manage command to log into a subordinate unit (or if you use a console connection to log into a subordinate unit), the get system ha status command displays information about this subordinate unit first, and also displays the HA state of this subordinate unit. The state of a subordinate unit is work for an active-active cluster and standby for an active-passive cluster.
For a virtual cluster configuration, the get system ha status command displays information about how the
cluster unit that you have logged into is operating in virtual cluster 1 and virtual cluster 2. For example, if you
connect to the cluster unit that is the primary unit for virtual cluster 1 and the subordinate unit for virtual cluster 2,
the output of the get system ha status command shows virtual cluster 1 in the work state and virtual
cluster 2 in the standby state. The get system ha status command also displays additional information
about virtual cluster 1 and virtual cluster 2.

Syntax
get system ha status

The command display includes the following fields. For more information see the examples that follow.

Variable    Description

Model
    The FortiGate model number.

Mode
    The HA mode of the cluster: a-a or a-p.

Group
    The group ID of the cluster.

Debug
    The debug status of the cluster.

ses_pickup
    The status of session pickup: enable or disable.

load_balance
    The status of the load-balance-all field: enable or disable. Displayed for active-active clusters only.

schedule
    The active-active load balancing schedule. Displayed for active-active clusters only.

Master
Slave
    Master displays the device priority, host name, serial number, and actual cluster index of the primary (or master) unit.
    Slave displays the device priority, host name, serial number, and actual cluster index of the subordinate (or slave, or backup) unit or units.
    The list of cluster units changes depending on how you log into the CLI. Usually you would use SSH or telnet to log into the primary unit CLI. In this case the primary unit would be at the top of the list followed by the other cluster units.
    If you use execute ha manage or a console connection to log into a subordinate unit CLI, and then enter get system ha status, the subordinate unit that you have logged into appears at the top of the list of cluster units.

number of vcluster
    The number of virtual clusters. If virtual domains are not enabled, the cluster has one virtual cluster. If virtual domains are enabled the cluster has two virtual clusters.

vcluster 1
    The HA state (hello, work, or standby) and HA heartbeat IP address of the cluster unit that you have logged into in virtual cluster 1. If virtual domains are not enabled, vcluster1 displays information for the cluster. If virtual domains are enabled, vcluster1 displays information for virtual cluster 1. The HA heartbeat IP address is 10.0.0.1 if you are logged into the primary unit of virtual cluster 1 and 10.0.0.2 if you are logged into a subordinate unit of virtual cluster 1.
    vcluster1 also lists the primary unit (master) and subordinate units (slave) in virtual cluster 1. The list includes the operating cluster index and serial number of each cluster unit in virtual cluster 1. The cluster unit that you have logged into is at the top of the list.
    If virtual domains are not enabled and you connect to the primary unit CLI, the HA state of the cluster unit in virtual cluster 1 is work. The display lists the cluster units starting with the primary unit.
    If virtual domains are not enabled and you connect to a subordinate unit CLI, the HA state of the cluster unit in virtual cluster 1 is standby. The display lists the cluster units starting with the subordinate unit that you have logged into.
    If virtual domains are enabled and you connect to the virtual cluster 1 primary unit CLI, the HA state of the cluster unit in virtual cluster 1 is work. The display lists the cluster units starting with the virtual cluster 1 primary unit.
    If virtual domains are enabled and you connect to the virtual cluster 1 subordinate unit CLI, the HA state of the cluster unit in virtual cluster 1 is standby. The display lists the cluster units starting with the subordinate unit that you are logged into.
    In a cluster consisting of two cluster units operating without virtual domains enabled, all clustering actually takes place in virtual cluster 1. HA is designed to work this way to support virtual clustering. If this cluster was operating with virtual domains enabled, adding virtual cluster 2 is similar to adding a new copy of virtual cluster 1. Virtual cluster 2 is visible in the get system ha status command output when you add virtual domains to virtual cluster 2.

vcluster 2
    vcluster2 only appears if virtual domains are enabled. vcluster2 displays the HA state (hello, work, or standby) and HA heartbeat IP address of the cluster unit that you have logged into in virtual cluster 2. The HA heartbeat IP address is 10.0.0.2 if you are logged into the primary unit of virtual cluster 2 and 10.0.0.1 if you are logged into a subordinate unit of virtual cluster 2.
    vcluster2 also lists the primary unit (master) and subordinate units (slave) in virtual cluster 2. The list includes the cluster index and serial number of each cluster unit in virtual cluster 2. The cluster unit that you have logged into is at the top of the list.
    If you connect to the virtual cluster 2 primary unit CLI, the HA state of the cluster unit in virtual cluster 2 is work. The display lists the cluster units starting with the virtual cluster 2 primary unit.
    If you connect to the virtual cluster 2 subordinate unit CLI, the HA state of the cluster unit in virtual cluster 2 is standby. The display lists the cluster units starting with the subordinate unit that you are logged into.

system info admin status


Use this command to display administrators that are logged into the FortiGate unit.

Syntax
get system info admin status

Example
This shows sample output.
Index User name Login type From
0 admin CLI ssh(172.20.120.16)
1 admin WEB 172.20.120.16

Variable    Description

Index
    The order the administrators logged in.

User name
    The name of the user account logged in.

Login type
    Which interface was used to log in.

From
    The IP address this user logged in from.

Related topics
"system info admin ssh" on page 105

system info admin ssh


Use this command to display information about the SSH configuration on the FortiGate unit such as:
the SSH port number
the interfaces with SSH enabled
the hostkey DSA fingerprint
the hostkey RSA fingerprint

Syntax
get system info admin ssh

Example output
# get system info admin ssh
SSH v2 is enabled on port 22
SSH is enabled on the following 1 interfaces:
internal
SSH hostkey DSA fingerprint = cd:e1:87:70:bb:f0:9c:7d:e3:7b:73:f7:44:23:a5:99
SSH hostkey RSA fingerprint = c9:5b:49:1d:7c:ba:be:f3:9d:39:33:4d:48:9d:b8:49

system interface physical


Use this command to list information about the unit's physical network interfaces.

Syntax
get system interface physical

The output looks like this:


# get system interface physical
== [onboard]
==[dmz1]
mode: static
ip: 0.0.0.0 0.0.0.0
status: down
speed: n/a
==[dmz2]
mode: static
ip: 0.0.0.0 0.0.0.0
status: down
speed: n/a
==[internal]
mode: static
ip: 172.20.120.146 255.255.255.0
status: up
speed: 100
==[wan1]
mode: pppoe
ip: 0.0.0.0 0.0.0.0
status: down
speed: n/a
==[wan2]
mode: static
ip: 0.0.0.0 0.0.0.0
status: down
speed: n/a
==[modem]
mode: static
ip: 0.0.0.0 0.0.0.0
status: down
speed: n/a

system ip-conflict status


List interface names and IP addresses in conflict.

Syntax
get system ip-conflict status

system mgmt-csum
FortiManager uses this command to obtain checksum information from FortiGate units.

Syntax
get system mgmt-csum {global | vdom | all}

where:
global retrieves global object checksums
vdom retrieves VDOM object checksums
all retrieves all object checksums.

system performance firewall


Use this command to display packet distribution and traffic statistics information for the FortiGate firewall.

Syntax
get system performance firewall packet-distribution
get system performance firewall statistics

Variable    Description

packet-distribution
    Display a list of packet size ranges and the number of packets of each size accepted by the firewall since the system restarted. You can use this information to learn about the packet size distribution on your network.
    Note: these counts do not include packets offloaded to the NPU.

statistics
    Display a list of traffic types (browsing, email, DNS etc) and the number of packets and number of payload bytes accepted by the firewall for each type since the FortiGate unit was restarted.

Example output
get system performance firewall packet-distribution
getting packet distribution statistics...
0 bytes - 63 bytes: 655283 packets
64 bytes - 127 bytes: 1678278 packets
128 bytes - 255 bytes: 58823 packets
256 bytes - 383 bytes: 70432 packets
384 bytes - 511 bytes: 1610 packets
512 bytes - 767 bytes: 3238 packets
768 bytes - 1023 bytes: 7293 packets
1024 bytes - 1279 bytes: 18865 packets
1280 bytes - 1500 bytes: 58193 packets
> 1500 bytes: 0 packets
get system performance firewall statistics
getting traffic statistics...
Browsing: 623738 packets, 484357448 bytes
DNS: 5129187383836672 packets, 182703613804544 bytes
E-Mail: 23053606 packets, 2 bytes
FTP: 0 packets, 0 bytes
Gaming: 0 packets, 0 bytes
IM: 0 packets, 0 bytes
Newsgroups: 0 packets, 0 bytes
P2P: 0 packets, 0 bytes
Streaming: 0 packets, 0 bytes
TFTP: 654722117362778112 packets, 674223966126080 bytes
VoIP: 16834455 packets, 10 bytes
Generic TCP: 266287972352 packets, 8521215115264 bytes
Generic UDP: 0 packets, 0 bytes
Generic ICMP: 0 packets, 0 bytes
Generic IP: 0 packets, 0 bytes

system performance status


Use this command to display FortiGate CPU usage, memory usage, network usage, sessions, virus, IPS attacks,
and system up time.

Syntax
get system performance status

Variable    Description

CPU states
    The percentages of CPU cycles used by user, system, nice and idle categories of processes. These categories are:
    user - CPU usage of normal user-space processes
    system - CPU usage of kernel
    nice - CPU usage of user-space processes having other-than-normal running priority
    idle - Idle CPU cycles
    Adding user, system, and nice produces the total CPU usage as seen on the CPU widget on the web-based system status dashboard.

Memory states
    The percentage of memory used.

Average network usage
    The average amount of network traffic in kbps in the last 1, 10 and 30 minutes.

Average sessions
    The average number of sessions connected to the FortiGate unit over the last 1, 10 and 30 minutes.

Virus caught
    The number of viruses the FortiGate unit has caught in the last 1 minute.

IPS attacks blocked
    The number of IPS attacks that have been blocked in the last 1 minute.

Uptime
    How long since the FortiGate unit has been restarted.

Example output
# get system performance status
CPU states: 0% user 0% system 0% nice 100% idle
Memory states: 18% used
Average network usage: 0 kbps in 1 minute, 0 kbps in 10 minutes, 1 kbps in 30 minutes
Average sessions: 5 sessions in 1 minute, 6 sessions in 10 minutes, 5 sessions in 30
minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 9days, 22 hours, 0 minutes

system performance top


Use this command to display the list of processes running on the FortiGate unit (similar to the Linux top
command).

You can use the following commands when get system performance top is running:
Press Q or Ctrl+C to quit.
Press P to sort the processes by the amount of CPU that the processes are using.
Press M to sort the processes by the amount of memory that the processes are using.

Syntax
get system performance top [<delay_int> [<max_lines_int>]]

Variable                 Description

<delay_int>              The delay, in seconds, between updates of the process list. The default is
                         5 seconds.

<max_lines_int>          The maximum number of processes displayed in the output. The default is
                         20 lines.

system session list


This command returns a list of all the sessions active on the FortiGate unit, or on the current virtual domain if
virtual domain mode is enabled.

Syntax
get system session list

Example output
PROTO   EXPIRE  SOURCE                SOURCE-NAT  DESTINATION            DESTINATION-NAT
tcp     0       127.0.0.1:1083        -           127.0.0.1:514          -
tcp     0       127.0.0.1:1085        -           127.0.0.1:514          -
tcp     10      127.0.0.1:1087        -           127.0.0.1:514          -
tcp     20      127.0.0.1:1089        -           127.0.0.1:514          -
tcp     30      127.0.0.1:1091        -           127.0.0.1:514          -
tcp     40      127.0.0.1:1093        -           127.0.0.1:514          -
tcp     60      127.0.0.1:1097        -           127.0.0.1:514          -
tcp     70      127.0.0.1:1099        -           127.0.0.1:514          -
tcp     80      127.0.0.1:1101        -           127.0.0.1:514          -
tcp     90      127.0.0.1:1103        -           127.0.0.1:514          -
tcp     100     127.0.0.1:1105        -           127.0.0.1:514          -
tcp     110     127.0.0.1:1107        -           127.0.0.1:514          -
tcp     103     172.20.120.16:3548    -           172.20.120.133:22      -
tcp     3600    172.20.120.16:3550    -           172.20.120.133:22      -
udp     175     127.0.0.1:1026        -           127.0.0.1:53           -
tcp     5       127.0.0.1:1084        -           127.0.0.1:514          -
tcp     5       127.0.0.1:1086        -           127.0.0.1:514          -
tcp     15      127.0.0.1:1088        -           127.0.0.1:514          -
tcp     25      127.0.0.1:1090        -           127.0.0.1:514          -
tcp     45      127.0.0.1:1094        -           127.0.0.1:514          -
tcp     59      127.0.0.1:1098        -           127.0.0.1:514          -
tcp     69      127.0.0.1:1100        -           127.0.0.1:514          -
tcp     79      127.0.0.1:1102        -           127.0.0.1:514          -
tcp     99      127.0.0.1:1106        -           127.0.0.1:514          -
tcp     109     127.0.0.1:1108        -           127.0.0.1:514          -
tcp     119     127.0.0.1:1110        -           127.0.0.1:514          -

Variable                 Description

PROTO                    The transfer protocol of the session.

EXPIRE                   How long before this session will terminate.

SOURCE                   The source IP address and port number.

SOURCE-NAT               The source of the NAT. - indicates there is no NAT.

DESTINATION              The destination IP address and port number.

DESTINATION-NAT          The destination of the NAT. - indicates there is no NAT.
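The session table is the first thing to read when checking what a FortiGate is actually passing. The following is an added example, not part of the FortiOS reference or Fortinet's code: a Python parser for the column layout of get system session list shown above, with a few summaries a reviewer typically wants (sessions per destination port, sessions that are NATed, sessions with a long EXPIRE value). The session rows in SAMPLE_SESSION_LIST are constructed for illustration.

```python
from collections import Counter

# Constructed sample in the column layout of `get system session list`:
# loopback syslog sessions, a long-lived SSH session, a DNS lookup and one
# source-NATed HTTPS session.
SAMPLE_SESSION_LIST = """\
PROTO   EXPIRE  SOURCE                SOURCE-NAT            DESTINATION            DESTINATION-NAT
tcp     0       127.0.0.1:1083        -                     127.0.0.1:514          -
tcp     110     127.0.0.1:1107        -                     127.0.0.1:514          -
tcp     3600    172.20.120.16:3550    -                     172.20.120.133:22      -
udp     175     127.0.0.1:1026        -                     127.0.0.1:53           -
tcp     110     10.1.1.5:40212        203.0.113.8:40212     198.51.100.20:443      -
"""

COLUMNS = ("proto", "expire", "source", "source_nat", "destination", "destination_nat")


def split_endpoint(field):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '-' (the command's marker for no NAT) -> None."""
    if field == "-":
        return None
    host, _, port = field.rpartition(":")
    return host, int(port)


def parse_session_list(text):
    """Return one dict per session row; the header line and malformed lines are skipped."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(COLUMNS) or parts[0] == "PROTO":
            continue
        row = dict(zip(COLUMNS, parts))
        row["expire"] = int(row["expire"])
        for key in ("source", "source_nat", "destination", "destination_nat"):
            row[key] = split_endpoint(row[key])
        sessions.append(row)
    return sessions


def sessions_by_dest_port(sessions):
    """Count sessions per (protocol, destination port): a quick view of what is being served."""
    return Counter((s["proto"], s["destination"][1]) for s in sessions)


def natted_sessions(sessions):
    """Sessions where either NAT column is set rather than '-'."""
    return [s for s in sessions
            if s["source_nat"] is not None or s["destination_nat"] is not None]


def long_lived_sessions(sessions, min_expire):
    """Sessions whose EXPIRE value is at least min_expire; useful for spotting
    persistent connections that should not be there."""
    return [s for s in sessions if s["expire"] >= min_expire]


if __name__ == "__main__":
    sessions = parse_session_list(SAMPLE_SESSION_LIST)
    for (proto, port), count in sorted(sessions_by_dest_port(sessions).items()):
        print(f"{proto}/{port}: {count} session(s)")
    for s in natted_sessions(sessions):
        print("NATed:", s["source"], "->", s["source_nat"], "->", s["destination"])
    for s in long_lived_sessions(sessions, 3600):
        print("long-lived:", s["source"], "->", s["destination"], "expire", s["expire"])
```

Feed the parser the captured output of the command; rows that do not have exactly six columns (including the header) are ignored, so stray prompt lines do no harm.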

system session status


Use this command to display the number of active sessions on the FortiGate unit or, if virtual domain mode is
enabled, the number of active sessions on the current VDOM. In both cases the output names the current VDOM.

Syntax
get system session status

Example output
The total number of sessions for the current VDOM: 3100

system session-helper-info list


Use this command to list the FortiGate session helpers and the protocol and port number configured for each
one.

Syntax
get system session-helper-info list

Example output
list builtin help module:
mgcp
dcerpc
rsh
pmap
dns-tcp
dns-udp
rtsp
pptp

sip
mms
tns
h245
h323
ras
tftp
ftp
list session help:
help=pmap, protocol=17 port=111
help=rtsp, protocol=6 port=8554
help=rtsp, protocol=6 port=554
help=pptp, protocol=6 port=1723
help=rtsp, protocol=6 port=7070
help=sip, protocol=17 port=5060
help=pmap, protocol=6 port=111
help=rsh, protocol=6 port=512
help=dns-udp, protocol=17 port=53
help=tftp, protocol=17 port=69
help=tns, protocol=6 port=1521
help=mgcp, protocol=17 port=2727
help=dcerpc, protocol=17 port=135
help=rsh, protocol=6 port=514
help=ras, protocol=17 port=1719
help=ftp, protocol=6 port=21
help=mgcp, protocol=17 port=2427
help=dcerpc, protocol=6 port=135
help=mms, protocol=6 port=1863
help=h323, protocol=6 port=1720
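Session helpers open the secondary connections their protocols need, so a configuration review usually asks which helper is bound to which protocol and port. The following is an added example, not from the FortiOS reference or Fortinet's code: a Python parser for the "list session help:" lines of the output above that builds a lookup table from them. SAMPLE_HELPER_LIST is a constructed subset of that output.

```python
import re

# Constructed subset of `get system session-helper-info list` output, same layout.
SAMPLE_HELPER_LIST = """\
list builtin help module:
pmap
rtsp
ftp
sip
list session help:
help=pmap, protocol=17 port=111
help=rtsp, protocol=6 port=8554
help=rtsp, protocol=6 port=554
help=sip, protocol=17 port=5060
help=pmap, protocol=6 port=111
help=ftp, protocol=6 port=21
"""

# IANA protocol numbers as the command prints them.
PROTOCOL_NAMES = {6: "tcp", 17: "udp"}

BINDING_RE = re.compile(
    r"^help=(?P<name>[\w+\-]+),\s*protocol=(?P<proto>\d+)\s+port=(?P<port>\d+)$"
)


def parse_session_helpers(text):
    """Return [(helper, 'tcp'|'udp', port), ...] from the 'list session help:' block."""
    bindings = []
    in_bindings = False
    for line in text.splitlines():
        line = line.strip()
        if line == "list session help:":
            in_bindings = True
            continue
        if not in_bindings:
            continue  # the module list precedes the bindings; skip it
        m = BINDING_RE.match(line)
        if m:
            proto_num = int(m.group("proto"))
            proto = PROTOCOL_NAMES.get(proto_num, str(proto_num))
            bindings.append((m.group("name"), proto, int(m.group("port"))))
    return bindings


def helper_for(bindings, proto, port):
    """Name of the helper bound to proto/port, or None if no helper inspects that traffic."""
    for name, p, prt in bindings:
        if p == proto and prt == port:
            return name
    return None


def ports_by_helper(bindings):
    """{'rtsp': ['tcp/554', 'tcp/8554'], ...}, sorted so two devices can be diffed."""
    table = {}
    for name, proto, port in bindings:
        table.setdefault(name, []).append(f"{proto}/{port}")
    return {name: sorted(ports) for name, ports in table.items()}


if __name__ == "__main__":
    bindings = parse_session_helpers(SAMPLE_HELPER_LIST)
    for name, ports in sorted(ports_by_helper(bindings).items()):
        print(f"{name}: {', '.join(ports)}")
    print("helper for tcp/21:", helper_for(bindings, "tcp", 21))
```

Running ports_by_helper on the output of two units and comparing the dictionaries is a cheap way to confirm that helper bindings are consistent across a fleet.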

system session-info
Use this command to display session information.

Syntax
get system session-info expectation
get system session-info full-stat
get system session-info list
get system session-info statistics
get system session-info ttl

Variable                 Description

expectation              Display expectation sessions.

full-stat                Display detailed information about the FortiGate session table, including a
                         session table and expect session table summary, firewall error statistics, and
                         other information.

list                     Display detailed information about all current FortiGate sessions. For each
                         session the command displays the protocol number, traffic shaping information,
                         policy information, state information, statistics and other information.

statistics               Display the same information as the full-stat command except for the session
                         table and expect session table summary.

ttl                      Display the current setting of the config system session-ttl command, including
                         the overall session timeout as well as the timeouts for specific protocols.

Example output
get system session-info statistics
misc info: session_count=15 exp_count=0 clash=0 memory_tension_drop=0 ephemeral=1/32752
removeable=14
delete=0, flush=0, dev_down=0/0
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000
tt=00000000
cont=00000000
ids_recv=00000000
url_recv=00000000
av_recv=00000000
fqdn_count=00000001
tcp reset stat:
syncqf=0 acceptqf=0 no-listener=227 data=0 ses=0 ips=0
global: ses_limit=0 ses6_limit=0 rt_limit=0 rt6_limit=0

system source-ip
Use this command to list defined source-IPs.

Syntax
get system source-ip

Example output
# get sys source-ip status
The following services force their communication to use
a specific source IP address:
service=NTP source-ip=172.18.19.101
service=DNS source-ip=172.18.19.101
vdom=root service=RADIUS name=server-pc25 source-ip=10.1.100.101
vdom=root service=TACACS+ name=tac_plus_pc25 source-ip=10.1.100.101

vdom=root service=FSAE name=pc26 source-ip=172.18.19.101


vdom=V1 service=RADIUS name=pc25-Radius source-ip=172.16.200.101
vdom=V1 service=TACACS+ name=pc25-tacacs+ source-ip=172.16.200.101
vdom=V1 service=FSAE name=pc16 source-ip=172.16.200.101

system startup-error-log
Use this command to display information about system startup errors. This command only displays information if
an error occurs when the FortiGate unit starts up.

Syntax
get system startup-error-log

system stp list


Use this command to display Spanning Tree Protocol status.

Syntax
get system stp list

system status
Use this command to display system status information including:
FortiGate firmware version, build number and branch point
virus and attack definitions version
FortiGate unit serial number and BIOS version
log hard disk availability
host name
operation mode
virtual domains status: current VDOM, max number of VDOMs, number of NAT and TP mode VDOMs and VDOM status
current HA status
system time
the revision of the WiFi chip in a FortiWiFi unit

Syntax
get system status

Example output
Version: Fortigate-620B v4.0,build0271,100330 (MR2)
Virus-DB: 11.00643(2010-03-31 17:49)
Extended DB: 11.00643(2010-03-31 17:50)
Extreme DB: 0.00000(2003-01-01 00:00)
IPS-DB: 2.00778(2010-03-31 12:55)
FortiClient application signature package: 1.167(2010-04-01 10:11)
Serial-Number: FG600B3908600705
BIOS version: 04000006
Log hard disk: Available
Hostname: 620_ha_1
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: a-p, master
Distribution: International
Branch point: 271
Release Version Information: MR2
System time: Thu Apr 1 15:27:29 2010

test
Use this command to display information about FortiGate applications and perform operations on FortiGate
applications. You can specify an application name and a test level. Enter ? to display the list of applications. The
test level performs various functions depending on the application but can include displaying memory usage,
dropping connections and restarting the application.
The test levels are different for different applications. In some cases when you enter the command and include
an application name but no test level (or an invalid test level) the command output includes a list of valid test
levels.

Syntax
get test <application_name_str> <test_level_int>

Example output
get test http
Proxy Worker 0 - http
[0:H] HTTP Proxy Test Usage
[0:H]
[0:H] 2: Drop all connections
[0:H] 22: Drop max idle connections
[0:H] 222: Drop all idle connections
[0:H] 4: Display connection stat
[0:H] 44: Display info per connection
[0:H] 444: Display connections per state
[0:H] 4444: Display per-VDOM statistics
[0:H] 44444: Display information about idle connections
[0:H] 55: Display tcp info per connection

get test http 4


HTTP Common
Current Connections 0/8032
HTTP Stat
Bytes sent 0 (kb)
Bytes received 0 (kb)
Error Count (alloc) 0
Error Count (accept) 0
Error Count (bind) 0
Error Count (connect) 0
Error Count (socket) 0
Error Count (read) 0
Error Count (write) 0
Error Count (retry) 0
Error Count (poll) 0
Error Count (scan reset) 0
Error Count (urlfilter wait) 0
Last Error 0
Web responses clean 0
Web responses scan errors 0
Web responses detected 0
Web responses infected with worms 0
Web responses infected with viruses 0
Web responses infected with susp 0
Web responses file blocked 0
Web responses file exempt 0
Web responses bannedword detected 0
Web requests oversize pass 0
Web requests oversize block 0
URL requests exempt 0
URL requests blocked 0
URL requests passed 0
URL requests submit error 0
URL requests rating error 0
URL requests rating block 0
URL requests rating allow 0
URL requests infected with worms 0
Web requests detected 0
Web requests file blocked 0
Web requests file exempt 0
POST requests clean 0
POST requests scan errors 0
POST requests infected with viruses 0
POST requests infected with susp 0
POST requests file blocked 0
POST requests bannedword detected 0
POST requests oversize pass 0
POST requests oversize block 0
Web request backlog drop 0
Web response backlog drop 0
HTTP Accounting
setup_ok=0 setup_fail=0 conn_ok=0 conn_inp=0
urlfilter=0/0/0 uf_lookupf=0
scan=0 clt=0 srv=0

user adgrp
Use this command to list Directory Service user groups.

Syntax
get user adgrp [<dsgroupname>]

If you do not specify a group name, the command returns information for all Directory Service groups. For
example:

== [DOCTEST/Cert Publishers ]
name: DOCTEST/Cert Publishers server-name: DSserv1
== [DOCTEST/Developers ]
name: DOCTEST/Developers server-name: DSserv1
== [DOCTEST/Domain Admins ]
name: DOCTEST/Domain Admins server-name: DSserv1
== [DOCTEST/Domain Computers ]
name: DOCTEST/Domain Computers server-name: DSserv1
== [DOCTEST/Domain Controllers ]
name: DOCTEST/Domain Controllers server-name: DSserv1
== [DOCTEST/Domain Guests ]
name: DOCTEST/Domain Guests server-name: DSserv1
== [DOCTEST/Domain Users ]
name: DOCTEST/Domain Users server-name: DSserv1
== [DOCTEST/Enterprise Admins ]
name: DOCTEST/Enterprise Admins server-name: DSserv1
== [DOCTEST/Group Policy Creator Owners ]
name: DOCTEST/Group Policy Creator Owners server-name: DSserv1
== [DOCTEST/Schema Admins ]
name: DOCTEST/Schema Admins server-name: DSserv1
If you specify a Directory Service group name, the command returns information for only that group. For example:

name : DOCTEST/Developers
server-name : ADserv1
The server-name is the name you assigned to the Directory Service server when you configured it in the user
fsae command.

vpn certificate
Display detailed information about local and CA certificates installed on the FortiGate. This is a VDOM level
command. The global command is get certificate.

Syntax
get vpn certificate {local | ca} details [certificate_name]

vpn ike gateway


Use this command to display information about FortiGate IPsec VPN IKE gateways.

Syntax
get vpn ike gateway [<gateway_name_str>]

vpn ipsec tunnel details


Use this command to display detailed information about IPsec tunnels.

Syntax
get vpn ipsec tunnel details

vpn ipsec tunnel name


Use this command to display information about a specified IPsec VPN tunnel.

Syntax
get vpn ipsec tunnel name <tunnel_name_str>

vpn ipsec tunnel summary


Use this command to display summary information about IPsec tunnels.

Syntax
get vpn ipsec tunnel summary

vpn ipsec stats crypto


Use this command to display information about the FortiGate hardware and software crypto configuration.

Syntax
get vpn ipsec stats crypto

Example output
get vpn ipsec stats crypto
IPsec crypto devices in use:

CP6 (encrypted/decrypted):
null:00
des:00
3des:00
aes:00
CP6 (generated/validated):
null:00
md5:00
sha1:00
sha256:00
SOFTWARE (encrypted/decrypted):
null:00
des:00
3des:00
aes:00
SOFTWARE (generated/validated):
null:00
md5:00
sha1:00
sha256:00

vpn ipsec stats tunnel


Use this command to view information about IPsec tunnels.

Syntax
get vpn ipsec stats tunnel

Example output
#get vpn ipsec stats tunnel
tunnels
total: 0
static/ddns: 0
dynamic: 0
manual: 0
errors: 0
selectors
total: 0
up: 0

vpn ssl monitor


Use this command to display information about logged in SSL VPN users and current SSL VPN sessions.

Syntax
get vpn ssl monitor

Example output

vpn status l2tp


Use this command to display information about L2TP tunnels.

Syntax
get vpn status l2tp

vpn status pptp


Use this command to display information about PPTP tunnels.

Syntax
get vpn status pptp

vpn status ssl


Use this command to display SSL VPN tunnels and to also verify that the FortiGate unit includes the CP6 or
greater FortiASIC device that supports SSL acceleration.

Syntax
get vpn status ssl hw-acceleration-status
get vpn status ssl list

Variable                 Description

hw-acceleration-status   Display whether or not the FortiGate unit contains a FortiASIC device that
                         supports SSL acceleration.

list                     Display information about all configured SSL VPN tunnels.

webfilter categories
List the FortiGuard Web Filtering categories.

Syntax
get webfilter categories

Example output (partial)


FG-5KD3914800284 # get webfilter categories
g01 Potentially Liable:
1 Drug Abuse
3 Hacking
4 Illegal or Unethical
5 Discrimination
6 Explicit Violence
12 Extremist Groups
59 Proxy Avoidance
62 Plagiarism
83 Child Abuse
g02 Adult/Mature Content:
2 Alternative Beliefs
7 Abortion
8 Other Adult Materials
9 Advocacy Organizations
11 Gambling
13 Nudity and Risque
14 Pornography
15 Dating
16 Weapons (Sales)
57 Marijuana
63 Sex Education
64 Alcohol
65 Tobacco
66 Lingerie and Swimsuit
67 Sports Hunting and War Games
g04 Bandwidth Consuming:
19 Freeware and Software Downloads
24 File Sharing and Storage
25 Streaming Media and Download
72 Peer-to-peer File Sharing
75 Internet Radio and TV
76 Internet Telephony
g05 Security Risk:
26 Malicious Websites
61 Phishing
86 Spam URLs
88 Dynamic DNS
...

webfilter ftgd-statistics
Use this command to display FortiGuard Web Filtering rating cache and daemon statistics.

Syntax
get webfilter ftgd-statistics

Example output
get webfilter ftgd-statistics
Rating Statistics:
=====================
DNS failures : 0
DNS lookups : 0
Data send failures : 0
Data read failures : 0
Wrong package type : 0
Hash table miss : 0
Unknown server : 0
Incorrect CRC : 0
Proxy request failures : 0
Request timeout : 0
Total requests : 0
Requests to FortiGuard servers : 0
Server errored responses : 0
Relayed rating : 0
Invalid profile : 0
Allowed : 0
Blocked : 0
Logged : 0
Errors : 0
Cache Statistics:
=====================
Maximum memory : 0
Memory usage : 0
Nodes : 0
Leaves : 0
Prefix nodes : 0
Exact nodes : 0
Requests : 0
Misses : 0
Hits : 0
Prefix hits : 0
Exact hits : 0
No cache directives : 0
Add after prefix : 0
Invalid DB put : 0
DB updates : 0

Percent full : 0%
Branches : 0%
Leaves : 0%
Prefix nodes : 0%

Exact nodes : 0%
Miss rate : 0%
Hit rate : 0%
Prefix hits : 0%
Exact hits : 0%

webfilter status
Use this command to display FortiGate Web Filtering rating information.

Syntax
get webfilter status [<refresh-rate_int>]

wireless-controller client-info
Use this command to get information about WiFi clients.

Syntax
get wireless-controller client-info <vfid> <interface> <client_ip>

The output looks like this:


# get wireless-controller client-info 0 test-local 192.168.2.100
count=1
status: sta_mac=10:fe:ed:26:aa:e0 ap_sn=FP320C3X14006184, ap_name=FP320C3X14006184,
chan=6, radio_type=11N

wireless-controller rf-analysis
Use this command to show information about RF conditions at the access point.

Syntax
get wireless-controller rf-analysis [<wtp_id>]

Example output
# get wireless-controller rf-analysis
<wtp-id> wtp id
FWF60C3G11004319 (global) # get wireless-controller rf-analysis
WTP: FWF60C-WIFI0 0-127.0.0.1:15246
channel rssi-total rf-score overlap-ap interfere-ap
1 418 1 24 26
2 109 5 0 34
3 85 7 1 34
4 64 9 0 35

5 101 6 1 35
6 307 1 8 11
7 82 7 0 16
8 69 8 1 15
9 42 10 0 15
10 53 10 0 14
11 182 1 5 6
12 43 10 0 6
13 20 10 0 5
14 8 10 0 5
Controller: FWF60C3G11004319-0
channel rssi_total
1 418
2 109
3 85
4 64
5 101
6 307
7 82
8 69
9 42
10 53
11 182
12 43
13 20
14 8

wireless-controller scan
Use this command to view the list of access points detected by wireless scanning.

Syntax
get wireless-controller scan

Example output
CMW SSID      BSSID              CHAN  RATE  S:N   INT  CAPS  ACT  LIVE   AGE   WIRED
UNN           00:0e:8f:24:18:6d  64    54M   16:0  100  Es    N    62576  1668  ?
UNN ftiguest  00:15:55:23:d8:62  157   130M  6:0   100  EPs   N    98570  2554  ?
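Comparing the scan output against the BSSIDs of the access points the controller manages is a basic rogue-AP check. The following is an added example, not from the FortiOS reference or Fortinet's code: a Python parser for the scan table that anchors each row on the BSSID so that an empty SSID column (as in the first row above) or an SSID containing spaces does not shift the remaining columns, and a check that reports unmanaged BSSIDs, marking those that advertise one of your own SSIDs. The scan rows, the managed BSSID set and the SSID list are constructed for illustration.

```python
import re

# Constructed scan output in the column layout of `get wireless-controller scan`.
# Row 1 has an empty SSID column; row 3 is a constructed unmanaged AP that
# advertises one of our own SSIDs.
SAMPLE_SCAN = """\
CMW SSID      BSSID              CHAN  RATE  S:N   INT  CAPS  ACT  LIVE   AGE   WIRED
UNN           00:0e:8f:24:18:6d  64    54M   16:0  100  Es    N    62576  1668  ?
UNN ftiguest  00:15:55:23:d8:62  157   130M  6:0   100  EPs   N    98570  2554  ?
UNN ftiguest  02:11:22:33:44:55  6     54M   20:0  100  EPs   N    100    10    ?
"""

# Constructed: BSSIDs of the APs this controller manages, and the SSIDs we broadcast.
MANAGED_BSSIDS = {"00:15:55:23:d8:62"}
OWN_SSIDS = {"ftiguest"}

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)
# Columns that follow the BSSID, in order.
AFTER_BSSID = ("chan", "rate", "snr", "int", "caps", "act", "live", "age", "wired")


def parse_scan(text):
    """Parse scan rows. The SSID may be empty or contain spaces, so each row is
    anchored on the BSSID (the only MAC-shaped token) rather than on a column index."""
    aps = []
    for line in text.splitlines():
        tokens = line.split()
        mac_idx = next((i for i, t in enumerate(tokens) if MAC_RE.match(t)), None)
        if mac_idx is None or len(tokens) - mac_idx - 1 != len(AFTER_BSSID):
            continue  # header, blank or malformed line
        ap = {
            "cmw": tokens[0],
            "ssid": " ".join(tokens[1:mac_idx]),  # "" when the SSID column is empty
            "bssid": tokens[mac_idx].lower(),
        }
        ap.update(zip(AFTER_BSSID, tokens[mac_idx + 1:]))
        ap["chan"] = int(ap["chan"])
        aps.append(ap)
    return aps


def unmanaged_aps(aps, managed_bssids=MANAGED_BSSIDS, own_ssids=OWN_SSIDS):
    """Return (bssid, ssid, advertises_own_ssid) for every AP not in the managed set."""
    managed = {b.lower() for b in managed_bssids}
    return [
        (ap["bssid"], ap["ssid"], ap["ssid"] in own_ssids)
        for ap in aps
        if ap["bssid"] not in managed
    ]


if __name__ == "__main__":
    for bssid, ssid, spoof in unmanaged_aps(parse_scan(SAMPLE_SCAN)):
        print(f"unmanaged {bssid} ssid={ssid!r} advertises_our_ssid={spoof}")
```

The managed set can be built from the base-bssid lines of get wireless-controller wtp-status; an unmanaged BSSID advertising one of your SSIDs is the case worth alerting on first.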

wireless-controller spectral-info
Use this command to display wireless controller spectrum analysis.

Syntax
get wireless-controller spectral-info

wireless-controller status
Use this command to view the numbers of wtp sessions and clients.

Syntax
get wireless-controller status

Example output
# get wireless-controller status
Wireless Controller :
wtp-session-count: 1
client-count : 1/0

wireless-controller vap-status
Use this command to view information about your SSIDs.

Syntax
get wireless-controller vap-status

Example output
# get wireless-controller vap-status
WLAN: mesh.root
name : mesh.root
vdom : root
ssid : fortinet.mesh.root
status : up
mesh backhaul : yes
ip : 0.0.0.0
mac : 00:ff:0a:57:95:ca
station info : 0/0
WLAN: wifi
name : wifi
vdom : root
ssid : ft-mesh
status : up
mesh backhaul : yes
ip : 10.10.80.1
mac : 00:ff:45:e1:55:81
station info : 1/0

wireless-controller wlchanlistlic
Use this command to display a list of the channels allowed in your region, including:
the maximum permitted power for each channel
the channels permitted for each wireless type (802.11n, for example)
The list is in XML format.

Syntax
get wireless-controller wlchanlistlic

Sample output
country name: UNITED STATES2, country code:841, iso name:US
channels on 802.11A band without channel bonding:
channel= 36 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 40 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 44 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 48 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel=149 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=153 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=157 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=161 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=165 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channels on 802.11B band without channel bonding:
channel=  1 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  2 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  3 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  4 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  5 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  6 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  7 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  8 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  9 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 10 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 11 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channels on 802.11G band without channel bonding:
channel=  1 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  2 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  3 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  4 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  5 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  6 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  7 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  8 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  9 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 10 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 11 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channels on 802.11N 2.4GHz band without channel bonding:
channel=  1 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  2 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  3 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  4 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  5 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  6 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  7 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  8 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  9 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 10 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 11 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channels on 802.11N 2.4GHz band with channel bonding plus:
channel=  1 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  2 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  3 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  4 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  5 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  6 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  7 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channels on 802.11N 2.4GHz band with channel bonding minus:
channel=  5 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  6 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  7 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  8 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel=  9 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 10 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 11 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channels on 802.11N 5GHz band without channel bonding:
channel= 36 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 40 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 44 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 48 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel=149 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=153 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=157 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=161 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=165 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channels on 802.11N 5GHz band with channel bonding all:
channel= 36 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 40 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 44 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 48 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel=149 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=153 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=157 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=161 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
wireless-controller wtp-status
Syntax
get wireless-controller wtp-status

Example output
# get wireless-controller wtp-status

WTP: FAP22B3U11005354 0-192.168.3.110:5246


wtp-id : FAP22B3U11005354
region-code :
name :
mesh-uplink : mesh
mesh-downlink : disabled
mesh-hop-count : 1
parent-wtp-id :
software-version :
local-ipv4-addr : 0.0.0.0
board-mac : 00:00:00:00:00:00
join-time : Mon Apr 2 10:23:32 2012
connection-state : Disconnected
image-download-progress: 0
last-failure : 0 -- N/A
last-failure-param:
last-failure-time: N/A
Radio 1 : Monitor
Radio 2 : Ap
country-name : NA
country-code : N/A
client-count : 0
base-bssid : 00:00:00:00:00:00
max-vaps : 7
oper-chan : 0
Radio 3 : Not Exist
WTP: FWF60C-WIFI0 0-127.0.0.1:15246
wtp-id : FWF60C-WIFI0
region-code : ALL
name :
mesh-uplink : ethernet
mesh-downlink : enabled
mesh-hop-count : 0
parent-wtp-id :
software-version : FWF60C-v5.0-build041
local-ipv4-addr : 127.0.0.1
board-mac : 00:09:0f:fe:cc:56
join-time : Mon Apr 2 10:23:35 2012
connection-state : Connected
image-download-progress: 0
last-failure : 0 -- N/A
last-failure-param:
last-failure-time: N/A
Radio 1 : Ap
country-name : US
country-code : N/A
client-count : 1
base-bssid : 00:0e:8e:3b:63:99
max-vaps : 7
oper-chan : 1
Radio 2 : Not Exist
Radio 3 : Not Exist

tree
The tree command displays FortiOS config CLI commands in a tree structure called the configuration tree.
Each configuration command forms a branch of the tree.

Syntax
tree [branch] [sub-branch]

If you enter the tree command from the top of the configuration tree, the command displays the complete
configuration tree. Commands are displayed in the order in which they are processed when the FortiGate unit
starts up. For example, the following output shows the first 10 lines of tree command output:
tree
-- -- system -- [vdom] --*name (12)
+- vcluster-id (0,0)
|- <global> -- language
|- gui-ipv6
|- gui-voip-profile
|- gui-lines-per-page (20,1000)
|- admintimeout (0,0)
|- admin-concurrent
|- admin-lockout-threshold (0,0)
|- admin-lockout-duration (1,2147483647)
|- refresh (0,2147483647)
|- interval (0,0)
|- failtime (0,0)
|- daily-restart
|- restart-time
...

You can include a branch name with the tree command to view the commands in that branch:
tree user
-- user -- [radius] --*name (36)
|- server (64)
|- secret
|- secondary-server (64)
|- secondary-secret
...
|- [tacacs+] --*name (36)
|- server (64)
|- secondary-server (64)
|- tertiary-server (64)
...
|- [ldap] --*name (36)
|- server (64)
|- secondary-server (64)
|- tertiary-server (64)
|- port(1,65535)
...

You can include a branch and sub branch name with the tree command to view the commands in that sub branch:
tree user local
-- [local] --*name (36)
|- status
|- type
|- passwd
|- ldap-server (36)
|- radius-server (36)
+- tacacs+-server (36)
...

If you enter the tree command from inside the configuration tree the command displays the tree for the
current command:
config user ldap
tree
-- [ldap] --*name (36)
|- server (64)
|- cnid (21)
|- dn (512)
|- port (1,65535)
|- type
...

The tree command output includes information about field limits. These apply in both the CLI and the web-based
manager. For a numeric field, the two numbers in parentheses show the lower and upper limits. For example,
(0,32) indicates that values from 0 to 32 inclusive are accepted. For string values, the number in parentheses
is one more than the maximum number of characters permitted.
In the following example, the FQDN can contain up to 255 characters.
config firewall address
tree
-- [address] --*name (64)
|- subnet
|- type
|- start-ip
|- end-ip
|- fqdn (256)
|- country (3)
|- cache-ttl (0,86400)
|- wildcard
|- comment
|- visibility
|- associated-interface(36)
|- color(0,32)
+- [tags] --*name(64)
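The limit notation is easy to misread: a string limit of (64) permits 63 characters, while a numeric limit of (0,32) permits both endpoints. The following is an added example, not from the FortiOS reference or Fortinet's code: a Python parser that turns tree output lines into a per-field limit table and validates candidate values against it, for instance before generating configuration for a device. The tree text it parses is the firewall address example above; keying fields as table.field is an assumption of this example, made so that address.name and tags.name stay distinct.

```python
import re

# The firewall address tree from the reference, used here as sample input.
SAMPLE_TREE = """\
-- [address] --*name (64)
|- subnet
|- type
|- start-ip
|- end-ip
|- fqdn (256)
|- country (3)
|- cache-ttl (0,86400)
|- wildcard
|- comment
|- visibility
|- associated-interface(36)
|- color(0,32)
+- [tags] --*name(64)
"""

# One tree line: tree drawing characters, an optional "[table] --*" prefix,
# a field name and an optional "(limit)" suffix. "..." lines do not match.
TREE_LINE = re.compile(
    r"^[\s|+\-]*(?:\[(?P<table>[\w+\-]+)\]\s*--\*)?(?P<field>[\w+\-]+)\s*"
    r"(?:\((?P<limit>[^)]*)\))?\s*$"
)


def parse_limit(limit):
    """'lo,hi' -> ('int', lo, hi), both inclusive;
    'n' -> ('str', n - 1), because the tree prints one more than the permitted length;
    None (no parentheses) -> None, a field with no limit shown (e.g. an enum or boolean)."""
    if limit is None:
        return None
    if "," in limit:
        lo, hi = (int(x) for x in limit.split(","))
        return ("int", lo, hi)
    return ("str", int(limit) - 1)


def parse_tree(text):
    """Map 'table.field' -> limit tuple, tracking the table each line belongs to."""
    fields, table = {}, None
    for line in text.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue  # "..." continuation markers and blank lines
        if m.group("table"):
            table = m.group("table")
        fields[f"{table}.{m.group('field')}"] = parse_limit(m.group("limit"))
    return fields


def validate(fields, key, value):
    """True if value fits the limit the tree declares for key; fields without a
    declared limit accept anything here."""
    limit = fields.get(key)
    if limit is None:
        return True
    if limit[0] == "int":
        return isinstance(value, int) and limit[1] <= value <= limit[2]
    return isinstance(value, str) and len(value) <= limit[1]


if __name__ == "__main__":
    limits = parse_tree(SAMPLE_TREE)
    for key, limit in limits.items():
        print(f"{key}: {limit}")
    print("255-char fqdn ok:", validate(limits, "address.fqdn", "a" * 255))
    print("256-char fqdn ok:", validate(limits, "address.fqdn", "a" * 256))
```

Note that parse_tree only knows about limits the tree prints; enum and boolean fields show no limit and therefore pass validate unconditionally, so they still need their own value check.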

Copyright 2016 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.