FortiOS - CLI Reference
VERSION 5.4.0
December-16-15
01-540-99686-20151216
Change Log

| Date | Change Description |
| --- | --- |
| December 16, 2015 | New FortiOS 5.4.0 release. |
CLI Reference for FortiOS 5.4 3
Fortinet Technologies Inc.
Introduction
This document describes FortiOS 5.4 CLI commands used to configure and manage a FortiGate unit from the
command line interface (CLI).
How this guide is organized
This document contains the following sections:
Managing Firmware with the FortiGate BIOS describes how to change firmware at the console during FortiGate
unit boot-up.
config describes the commands for each configuration branch of the FortiOS CLI. The command branches and
commands are in alphabetical order. The information in this section has been extracted and formatted from
FortiOS source code. The extracted information includes the command syntax, command descriptions (extracted
from CLI help) and default values. This is the first version of this content produced in this way. You can send
comments about this content to techdoc@[Link].
execute describes execute commands.
get describes get commands.
tree describes the tree command.
Availability of commands and options
Some FortiOS™ CLI commands and options are not available on all FortiGate units. The CLI displays an error
message if you attempt to enter a command or option that is not available. You can use the question mark ‘?’ to
verify the commands and options that are available.
Commands and options may not be available for the following reasons:
FortiGate model
Not all commands are available on all FortiGate models. For example, low-end FortiGate models do not support
the aggregate interface type option of the config system interface command.
Hardware configuration
Some commands depend on the hardware that is installed. For example, some AMC module commands are only
available when an AMC module is installed.
FortiOS Carrier, FortiGate Voice, FortiWiFi, etc.
Commands for extended functionality are not available on all FortiGate models. The CLI Reference includes
commands that are only available on FortiWiFi units, FortiOS Carrier, and FortiGate Voice units.
Managing Firmware with the FortiGate BIOS
FortiGate units are shipped with firmware installed. Usually firmware upgrades are performed through the web-
based manager or by using the CLI execute restore command. From the console, you can also interrupt the
FortiGate unit’s boot-up process to load firmware using the BIOS firmware that is a permanent part of the unit.
Using the BIOS, you can:
- view system information
- format the boot device
- load firmware and reboot (see Loading firmware)
- reboot the FortiGate unit from the backup firmware, which then becomes the default firmware (see Booting the
  backup firmware)
Accessing the BIOS
The BIOS menu is available only through direct connection to the FortiGate unit’s Console port. During boot-up,
“Press any key” appears briefly. If you press any keyboard key at this time, boot-up is suspended and the BIOS
menu appears. If you are too late, the boot-up process continues as usual.
Navigating the menu
The main BIOS menu looks like this:
[C]: Configure TFTP parameters
[R]: Review TFTP paramters
[T]: Initiate TFTP firmware transfer
[F]: Format boot device
[Q]: Quit menu and continue to boot
[I]: System Information
[B]: Boot with backup firmare and set as default
[Q]: Quit menu and continue to boot
[H]: Display this list of options
Enter C,R,T,F,I,B,Q,or H:
Typing the bracketed letter selects the option. Input is case-sensitive. Most options present a submenu. An
option value in square brackets at the end of the “Enter” line is the default value which you can enter simply by
pressing Return. For example,
Enter image download port number [WAN1]:
In most menus, typing H re-lists the menu options and typing Q returns to the previous menu.
Loading firmware
The BIOS can download firmware from a TFTP server that is reachable from a FortiGate unit network interface.
You need to know the IP address of the server and the name of the firmware file to download.
The downloaded firmware can be saved as either the default or backup firmware. It is also possible to boot the
downloaded firmware without saving it.
Configuring TFTP parameters
Starting from the main BIOS menu
[C]: Configure TFTP parameters.
Selecting the VLAN (if VLANs are used)
[V]: Set local VLAN ID.
Choose port and whether to use DHCP
[P]: Set firmware download port.
The options listed depend on the FortiGate model. Choose the network interface through which the TFTP
server can be reached. For example:
[0]: Any of port 1 - 7
[1]: WAN1
[2]: WAN2
Enter image download port number [WAN1]:
[D]: Set DHCP mode.
Please select DHCP setting
[1]: Enable DHCP
[2]: Disable DHCP
If there is a DHCP server on the network, select [1]. This simplifies configuration. Otherwise, select [2].
Non-DHCP steps
[I]: Set local IP address.
Enter local IP address [[Link]]:
This is a temporary IP address for the FortiGate unit network interface. Use a unique address on the same
subnet to which the network interface connects.
[S]: Set local subnet mask.
Enter local subnet mask [[Link]]:
[G]: Set local gateway.
The local gateway IP address is needed if the TFTP server is on a different subnet than the one to which the
FortiGate unit is connected.
TFTP and filename
[T]: Set remote TFTP server IP address.
Enter remote TFTP server IP address [[Link]]:
[F]: Set firmware file name.
Enter firmware file name [[Link]]:
Enter [Q] to return to the main menu.
Initiating TFTP firmware transfer
Starting from the main BIOS menu
[T]: Initiate TFTP firmware transfer.
Please connect TFTP server to Ethernet port 'WAN1'.
MAC: [Link]
Connect to tftp server [Link] ...
##########################################################
Image Received.
Checking image... OK
Save as Default firmware/Backup firmware/Run image without
saving:[D/B/R]?
After you choose any option, the FortiGate unit reboots. If you choose [D] or [B], there is first a pause while the
firmware is copied:
Programming the boot device now.
................................................................
................................................................
Booting the backup firmware
You can reboot the FortiGate unit from the backup firmware, which then becomes the default firmware.
Starting from the main BIOS menu
[B]: Boot with backup firmware and set as default.
If the boot device contains backup firmware, the FortiGate unit reboots. Otherwise the unit responds:
Failed to mount filesystem. . .
Mount back up partition failed.
Back up image open failed.
Press ‘Y’ or ‘y’ to boot default image.
config
Use the config commands to change your FortiGate's configuration.
The command branches and commands are in alphabetical order. The information in this section has been
extracted and formatted from FortiOS source code. The extracted information includes the command syntax,
command descriptions (extracted from CLI help) and default values. This is the first version of this content
produced in this way. You can send comments about this content to techdoc@[Link].
alertemail/setting
CLI Syntax
config alertemail setting
    edit <name_str>
        set username <string>
        set mailto1 <string>
        set mailto2 <string>
        set mailto3 <string>
        set filter-mode {category | threshold}
        set email-interval <integer>
        set IPS-logs {enable | disable}
        set firewall-authentication-failure-logs {enable | disable}
        set HA-logs {enable | disable}
        set IPsec-errors-logs {enable | disable}
        set FDS-update-logs {enable | disable}
        set PPP-errors-logs {enable | disable}
        set sslvpn-authentication-errors-logs {enable | disable}
        set antivirus-logs {enable | disable}
        set webfilter-logs {enable | disable}
        set configuration-changes-logs {enable | disable}
        set violation-traffic-logs {enable | disable}
        set admin-login-logs {enable | disable}
        set FDS-license-expiring-warning {enable | disable}
        set log-disk-usage-warning {enable | disable}
        set fortiguard-log-quota-warning {enable | disable}
        set amc-interface-bypass-mode {enable | disable}
        set FIPS-CC-errors {enable | disable}
        set FDS-license-expiring-days <integer>
        set local-disk-usage <integer>
        set emergency-interval <integer>
        set alert-interval <integer>
        set critical-interval <integer>
        set error-interval <integer>
        set warning-interval <integer>
        set notification-interval <integer>
        set information-interval <integer>
        set debug-interval <integer>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
    end
Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| username | Email from address. | (Empty) |
| mailto1 | Destination email address 1. | (Empty) |
| mailto2 | Destination email address 2. | (Empty) |
| mailto3 | Destination email address 3. | (Empty) |
| filter-mode | Filter mode. | category |
| email-interval | Interval between each email. | 5 |
| IPS-logs | Enable/disable IPS logs. | disable |
| firewall-authentication-failure-logs | Enable/disable logging of firewall authentication failures. | disable |
| HA-logs | Enable/disable HA logs. | disable |
| IPsec-errors-logs | Enable/disable IPsec errors logs. | disable |
| FDS-update-logs | Enable/disable FortiGuard update logs. | disable |
| PPP-errors-logs | Enable/disable PPP errors logs. | disable |
| sslvpn-authentication-errors-logs | Enable/disable logging of SSL-VPN authentication errors. | disable |
| antivirus-logs | Enable/disable antivirus logs. | disable |
| webfilter-logs | Enable/disable web filter logging. | disable |
| configuration-changes-logs | Enable/disable logging of configuration changes. | disable |
| violation-traffic-logs | Enable/disable logging of violation traffic. | disable |
| admin-login-logs | Enable/disable logging of administrator logins/logouts. | disable |
| FDS-license-expiring-warning | Enable/disable FortiGuard license expiration warning. | disable |
| log-disk-usage-warning | Enable/disable logging of disk usage warning. | disable |
| fortiguard-log-quota-warning | Enable/disable warning of FortiCloud log quota. | disable |
| amc-interface-bypass-mode | Enable/disable Fortinet Advanced Mezzanine Card (AMC) interface bypass mode. | disable |
| FIPS-CC-errors | Enable/disable FIPS and Common Criteria errors. | disable |
| FDS-license-expiring-days | Number of days before FortiGuard license expiration at which to send the alert email (1 - 100 days). | 15 |
| local-disk-usage | Disk usage percentage at which to send the alert email, before usage exceeds this threshold (1 - 99 percent). | 75 |
| emergency-interval | Emergency-severity alert interval in minutes. | 1 |
| alert-interval | Alert-severity alert interval in minutes. | 2 |
| critical-interval | Critical-severity alert interval in minutes. | 3 |
| error-interval | Error-severity alert interval in minutes. | 5 |
| warning-interval | Warning-severity alert interval in minutes. | 10 |
| notification-interval | Notification-severity alert interval in minutes. | 20 |
| information-interval | Information-severity alert interval in minutes. | 30 |
| debug-interval | Debug-severity alert interval in minutes. | 60 |
| severity | Lowest severity level to log. | alert |
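Example (added to this reference, not Fortinet's own configuration). The first block uses category mode to mail the event classes that matter most for spotting administrative abuse and authentication attacks, and leaves the noisier operational categories off; the second block shows the alternative threshold mode, in which the per-category switches are not used and every log at or above the configured severity is mailed, throttled by the per-severity intervals. Addresses are placeholders, the outbound mail server is configured under a separate branch not covered on this page, and lines starting with # are annotations rather than CLI input. The alertemail setting branch is a single object, so no edit line is needed.

```fortios
# Category mode: each enabled category mails when a matching log event occurs,
# batched no more often than once per email-interval minutes.
config alertemail setting
    # From: address and recipients (placeholders)
    set username "fortigate-alerts@example.com"
    set mailto1 "soc@example.com"
    set mailto2 "oncall@example.com"
    set filter-mode category
    set email-interval 5
    # Administrative activity: who logged in and what they changed.
    set admin-login-logs enable
    set configuration-changes-logs enable
    # Authentication failures against the firewall and the SSL-VPN portal.
    set firewall-authentication-failure-logs enable
    set sslvpn-authentication-errors-logs enable
    # Security-engine verdicts.
    set IPS-logs enable
    set antivirus-logs enable
    set violation-traffic-logs enable
    # Platform health that affects the ability to inspect or to keep evidence.
    set HA-logs enable
    set IPsec-errors-logs enable
    set FIPS-CC-errors enable
    set log-disk-usage-warning enable
    set local-disk-usage 85
    set FDS-license-expiring-warning enable
    set FDS-license-expiring-days 30
end

# Threshold mode: mail everything at warning severity or above; the
# per-severity intervals cap how often each level can generate mail.
config alertemail setting
    set filter-mode threshold
    set severity warning
    set warning-interval 10
    set error-interval 5
    set critical-interval 3
    set alert-interval 2
    set emergency-interval 1
end
```

Only one filter-mode is active at a time; apply whichever block matches the intended behaviour rather than both.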
antivirus/heuristic
CLI Syntax
config antivirus heuristic
    edit <name_str>
        set mode {pass | block | disable}
    end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| mode | Mode to use for heuristics. | disable |
antivirus/profile
CLI Syntax
config antivirus profile
    edit <name_str>
        set name <string>
        set comment <var-string>
        set replacemsg-group <string>
        set inspection-mode {proxy | flow-based}
        set ftgd-analytics {disable | suspicious | everything}
        set analytics-max-upload <integer>
        set analytics-wl-filetype <integer>
        set analytics-bl-filetype <integer>
        set analytics-db {disable | enable}
        set mobile-malware-db {disable | enable}
        config http
            edit <name_str>
                set options {scan | avmonitor | avquery | quarantine}
                set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set emulator {enable | disable}
            end
        config ftp
            edit <name_str>
                set options {scan | avmonitor | avquery | quarantine}
                set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set emulator {enable | disable}
            end
        config imap
            edit <name_str>
                set options {scan | avmonitor | avquery | quarantine}
                set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set emulator {enable | disable}
                set executables {default | virus}
            end
        config pop3
            edit <name_str>
                set options {scan | avmonitor | avquery | quarantine}
                set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set emulator {enable | disable}
                set executables {default | virus}
            end
        config smtp
            edit <name_str>
                set options {scan | avmonitor | avquery | quarantine}
                set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set emulator {enable | disable}
                set executables {default | virus}
            end
        config mapi
            edit <name_str>
                set options {scan | avmonitor | avquery | quarantine}
                set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set emulator {enable | disable}
                set executables {default | virus}
            end
        config nntp
            edit <name_str>
                set options {scan | avmonitor | avquery | quarantine}
                set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set emulator {enable | disable}
            end
        config smb
            edit <name_str>
                set options {scan | avmonitor | avquery | quarantine}
                set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set emulator {enable | disable}
            end
        config nac-quar
            edit <name_str>
                set infected {none | quar-src-ip | quar-interface}
                set expiry <user>
                set log {enable | disable}
            end
        set av-virus-log {enable | disable}
        set av-block-log {enable | disable}
        set scan-mode {quick | full}
    end
Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Profile name. | (Empty) |
| comment | Comment. | (Empty) |
| replacemsg-group | Replacement message group. | (Empty) |
| inspection-mode | Inspection mode. | flow-based |
| ftgd-analytics | Submit suspicious or supposedly clean files to FortiSandbox. | disable |
| analytics-max-upload | Maximum upload size to FortiSandbox (in MB). | 10 |
| analytics-wl-filetype | Do not submit files matching this file-pattern table to the FortiSandbox. | 0 |
| analytics-bl-filetype | Only submit files matching this file-pattern table to the FortiSandbox. | 0 |
| analytics-db | Use signature database from FortiSandbox to supplement the AV signature databases. | disable |
| mobile-malware-db | Use mobile malware signature database. | enable |
| http | HTTP. | Details below |
| ftp | FTP. | Details below |
| imap | IMAP. | Details below |
| pop3 | POP3. | Details below |
| smtp | SMTP. | Details below |
| mapi | MAPI. | Details below |
| nntp | NNTP. | Details below |
| smb | SMB. | Details below |
| nac-quar | Quarantine settings. | Details below |
| av-virus-log | Enable/disable logging for antivirus scanning. | enable |
| av-block-log | Enable/disable logging for antivirus file blocking. | enable |
| scan-mode | Choose between full scan mode and quick scan mode. | full |

http, ftp, nntp, smb

| Configuration | Default Value |
| --- | --- |
| options | (Empty) |
| archive-block | (Empty) |
| archive-log | (Empty) |
| emulator | enable |

imap, pop3, smtp, mapi

| Configuration | Default Value |
| --- | --- |
| options | (Empty) |
| archive-block | (Empty) |
| archive-log | (Empty) |
| emulator | enable |
| executables | default |

nac-quar

| Configuration | Default Value |
| --- | --- |
| infected | none |
| expiry | 5m |
| log | disable |
antivirus/quarantine
CLI Syntax
config antivirus quarantine
    edit <name_str>
        set agelimit <integer>
        set maxfilesize <integer>
        set quarantine-quota <integer>
        set drop-infected {imap | smtp | pop3 | http | ftp | im | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
        set store-infected {imap | smtp | pop3 | http | ftp | im | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
        set drop-blocked {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | ftps | mapi | mm1 | mm3 | mm4 | mm7}
        set store-blocked {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | ftps | mapi | mm1 | mm3 | mm4 | mm7}
        set drop-heuristic {imap | smtp | pop3 | http | ftp | im | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
        set store-heuristic {imap | smtp | pop3 | http | ftp | im | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
        set lowspace {drop-new | ovrw-old}
        set destination {NULL | disk | FortiAnalyzer}
    end
Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| agelimit | Age limit for quarantined files. | 0 |
| maxfilesize | Maximum file size to quarantine. | 0 |
| quarantine-quota | Quarantine quota. | 0 |
| drop-infected | Ignore infected files from a protocol. | (Empty) |
| store-infected | Quarantine infected files from a protocol. | imap smtp pop3 http ftp nntp imaps smtps pop3s https ftps mapi |
| drop-blocked | Drop blocked files from a protocol. | (Empty) |
| store-blocked | Quarantine blocked files from a protocol. | imap smtp pop3 http ftp nntp imaps smtps pop3s ftps mapi |
| drop-heuristic | Ignore heuristically caught files from a protocol. | (Empty) |
| store-heuristic | Quarantine heuristically caught files from a protocol. | imap smtp pop3 http ftp nntp imaps smtps pop3s https ftps mapi |
| lowspace | Action when the disk is almost full. | ovrw-old |
| destination | Quarantine destination: disk/FortiAnalyzer. | disk |
antivirus/settings
CLI Syntax
config antivirus settings
    edit <name_str>
        set default-db {normal | extended | extreme}
        set grayware {enable | disable}
    end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| default-db | Select AV database to be used for AV scanning. | extended |
| grayware | Enable/disable detection of grayware. | disable |
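Example (added to this reference, not Fortinet's own configuration) covering both antivirus/quarantine and antivirus/settings. It picks the extended signature database with grayware detection, and sizes a disk quarantine so that samples are retained long enough for incident follow-up. Both branches are single objects, so no edit line is used. The units assumed here (hours for agelimit, MB for maxfilesize and quarantine-quota) are not stated on this page; disk quarantine also presumes a unit with local storage, otherwise FortiAnalyzer is the destination. Lines starting with # are annotations rather than CLI input.

```fortios
config antivirus settings
    # The extended database carries more signatures than normal at some cost
    # in scan time; grayware adds adware, toolbars and similar unwanted software.
    set default-db extended
    set grayware enable
end

config antivirus quarantine
    set destination disk
    # Retain samples for 7 days (agelimit assumed to be in hours), skip files
    # larger than 20 MB, and cap the store at 500 MB (sizes assumed to be MB).
    set agelimit 168
    set maxfilesize 20
    set quarantine-quota 500
    # When the quota is reached, refuse new samples instead of overwriting old
    # ones: an investigation usually needs the first sample that was seen.
    set lowspace drop-new
    # Verdicts to retain, per protocol; protocols not listed are not stored.
    set store-infected imap smtp pop3 http ftp imaps smtps pop3s https ftps mapi
    set store-heuristic imap smtp pop3 http ftp imaps smtps pop3s https ftps mapi
    set store-blocked smtp imap pop3 http ftp
end
```

With drop-new the quarantine will fill and then stop accepting samples, so the alert on local-disk-usage under alertemail/setting should be enabled alongside it; ovrw-old trades that risk for losing the oldest evidence.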
application/custom
CLI Syntax
config application custom
    edit <name_str>
        set tag <string>
        set name <string>
        set id <integer>
        set comment <string>
        set signature <string>
        set category <integer>
        set protocol <user>
        set technology <user>
        set behavior <user>
        set vendor <user>
    end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| tag | Signature tag. | (Empty) |
| name | Application name. | (Empty) |
| id | Application ID. | 0 |
| comment | Comment. | (Empty) |
| signature | Signature text. | (Empty) |
| category | Application category ID. | 0 |
| protocol | Application protocol. | (Empty) |
| technology | Application technology. | (Empty) |
| behavior | Application behavior. | (Empty) |
| vendor | Application vendor. | (Empty) |
application/list
CLI Syntax
config application list
    edit <name_str>
        set name <string>
        set comment <var-string>
        set replacemsg-group <string>
        set other-application-action {pass | block}
        set app-replacemsg {disable | enable}
        set other-application-log {disable | enable}
        set unknown-application-action {pass | block}
        set unknown-application-log {disable | enable}
        set p2p-black-list {skype | edonkey | bittorrent}
        set deep-app-inspection {disable | enable}
        set options {allow-dns | allow-icmp | allow-http | allow-ssl}
        config entries
            edit <name_str>
                set id <integer>
                config risk
                    edit <name_str>
                        set level <integer>
                    end
                config category
                    edit <name_str>
                        set id <integer>
                    end
                config sub-category
                    edit <name_str>
                        set id <integer>
                    end
                config application
                    edit <name_str>
                        set id <integer>
                    end
                set protocols <user>
                set vendor <user>
                set technology <user>
                set behavior <user>
                set popularity {1 | 2 | 3 | 4 | 5}
                config tags
                    edit <name_str>
                        set name <string>
                    end
                config parameters
                    edit <name_str>
                        set id <integer>
                        set value <string>
                    end
                set action {pass | block | reset}
                set log {disable | enable}
                set log-packet {disable | enable}
                set rate-count <integer>
                set rate-duration <integer>
                set rate-mode {periodical | continuous}
                set rate-track {none | src-ip | dest-ip | dhcp-client-mac | dns-domain}
                set session-ttl <integer>
                set shaper <string>
                set shaper-reverse <string>
                set per-ip-shaper <string>
                set quarantine {none | attacker | both | interface}
                set quarantine-expiry <user>
                set quarantine-log {disable | enable}
            end
    end
Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | List name. | (Empty) |
| comment | Comment. | (Empty) |
| replacemsg-group | Replacement message group. | (Empty) |
| other-application-action | Action for other applications. | pass |
| app-replacemsg | Enable/disable replacement messages for blocked applications. | enable |
| other-application-log | Enable/disable logging of other applications. | disable |
| unknown-application-action | Action for unknown applications. | pass |
| unknown-application-log | Enable/disable logging of unknown applications. | disable |
| p2p-black-list | Action for p2p black list. | (Empty) |
| deep-app-inspection | Enable/disable deep application inspection. | disable |
| options | Options. | allow-dns |
| entries | Application list entries. | (Empty) |
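Example (added to this reference, not Fortinet's own configuration). The list blocks P2P and proxy/evasion applications, blocks traffic the engine cannot identify at all, and passes but logs everything else so the policy can be tuned from the logs. The list name and comment are placeholders. Category IDs are assumptions (2 for P2P and 6 for Proxy, as used in the FortiGuard application database of this period) and should be confirmed against the unit's own application database; on the CLI the category selector is written as set category <id> inside an entry, which is what the config category sub-table in the syntax listing represents. Entries are closed with next and the table with end; lines starting with # are annotations rather than CLI input.

```fortios
config application list
    edit "appctrl-strict"
        set comment "Block P2P and proxies, block unknown, log the rest"
        set other-application-action pass
        set other-application-log enable
        set unknown-application-action block
        set unknown-application-log enable
        set app-replacemsg enable
        # P2P protocols black-listed independently of the entries below.
        set p2p-black-list skype edonkey bittorrent
        # Keep inspecting a session after the application has been identified
        # (catches evasive applications; costs CPU).
        set deep-app-inspection enable
        # Allow the basic plumbing explicitly rather than by fall-through.
        set options allow-dns allow-icmp
        config entries
            edit 1
                # Assumed category ID 2 = P2P
                set category 2
                set action block
                set log enable
            next
            edit 2
                # Assumed category ID 6 = Proxy: block, log the packet, and put
                # the offending source into quarantine for an hour.
                set category 6
                set action block
                set log enable
                set log-packet enable
                set quarantine attacker
                set quarantine-expiry 1h
                set quarantine-log enable
            next
            edit 3
                # Catch-all: pass and log so new applications become visible.
                set action pass
                set log enable
            next
        end
    next
end
```

Entries are evaluated in order, so the catch-all pass entry must come last; without it, applications outside the listed categories fall to other-application-action.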
application/name
CLI Syntax
config application name
    edit <name_str>
        set name <string>
        set id <integer>
        set category <integer>
        set sub-category <integer>
        set popularity <integer>
        set risk <integer>
        set protocol <user>
        set technology <user>
        set behavior <user>
        set vendor <user>
        set parameter <string>
        config metadata
            edit <name_str>
                set id <integer>
                set metaid <integer>
                set valueid <integer>
            end
    end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Application name. | (Empty) |
| id | Application ID. | 0 |
| category | Application category ID. | 0 |
| sub-category | Application sub-category ID. | 0 |
| popularity | Application popularity. | 0 |
| risk | Application risk. | 0 |
| protocol | Application protocol. | (Empty) |
| technology | Application technology. | (Empty) |
| behavior | Application behavior. | (Empty) |
| vendor | Application vendor. | (Empty) |
| parameter | Application parameter name. | (Empty) |
| metadata | Meta data. | (Empty) |

application/rule-settings
CLI Syntax
config application rule-settings
    edit <name_str>
        set id <integer>
        config tags
            edit <name_str>
                set name <string>
            end
    end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| id | Rule ID. | 0 |
| tags | Applied object tags. | (Empty) |
certificate/ca
CLI Syntax
config certificate ca
    edit <name_str>
        set name <string>
        set ca <user>
        set range {global | vdom}
        set source {factory | user | bundle | fortiguard}
        set trusted {enable | disable}
        set scep-url <string>
        set auto-update-days <integer>
        set auto-update-days-warning <integer>
        set source-ip <ipv4-address>
    end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Name. | (Empty) |
| ca | CA certificate. | (Empty) |
| range | CA certificate range. | global |
| source | CA certificate source. | user |
| trusted | Enable/disable trusted CA. | enable |
| scep-url | URL of SCEP server. | (Empty) |
| auto-update-days | Days to auto-update before expired, 0=disabled. | 0 |
| auto-update-days-warning | Days to send update before auto-update (0=disabled). | 0 |
| source-ip | Source IP for communications to SCEP server. | [Link] |
certificate/crl
CLI Syntax
config certificate crl
    edit <name_str>
        set name <string>
        set crl <user>
        set range {global | vdom}
        set source {factory | user | bundle | fortiguard}
        set update-vdom <string>
        set ldap-server <string>
        set ldap-username <string>
        set ldap-password <password>
        set http-url <string>
        set scep-url <string>
        set scep-cert <string>
        set update-interval <integer>
        set source-ip <ipv4-address>
    end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Name. | (Empty) |
| crl | Certificate Revocation List. | (Empty) |
| range | CRL range. | global |
| source | CRL source. | user |
| update-vdom | Virtual domain for CRL update. | root |
| ldap-server | LDAP server. | (Empty) |
| ldap-username | Login name for LDAP server. | (Empty) |
| ldap-password | Login password for LDAP server. | (Empty) |
| http-url | URL of HTTP server for CRL update. | (Empty) |
| scep-url | URL of CA server for CRL update via SCEP. | (Empty) |
| scep-cert | Local certificate used for CRL update via SCEP. | Fortinet_CA_SSL |
| update-interval | Seconds between updates, 0=disabled. | 0 |
| source-ip | Source IP for communications to CA (HTTP/SCEP) server. | [Link] |
certificate/local
CLI Syntax
config certificate local
    edit <name_str>
        set name <string>
        set password <password>
        set comments <string>
        set private-key <user>
        set certificate <user>
        set csr <user>
        set state <user>
        set scep-url <string>
        set range {global | vdom}
        set source {factory | user | bundle | fortiguard}
        set auto-regenerate-days <integer>
        set auto-regenerate-days-warning <integer>
        set scep-password <password>
        set ca-identifier <string>
        set name-encoding {printable | utf8}
        set source-ip <ipv4-address>
        set ike-localid <string>
        set ike-localid-type {asn1dn | fqdn}
    end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Name. | (Empty) |
| password | Password. | (Empty) |
| comments | Comment. | (Empty) |
| private-key | Private key. | (Empty) |
| certificate | Certificate. | (Empty) |
| csr | Certificate Signing Request. | (Empty) |
| state | Certificate Signing Request State. | (Empty) |
| scep-url | URL of SCEP server. | (Empty) |
| range | Certificate range. | global |
| source | Certificate source. | user |
| auto-regenerate-days | Days to auto-regenerate before expired, 0=disabled. | 0 |
| auto-regenerate-days-warning | Days to send warning before auto-regeneration, 0=disabled. | 0 |
| scep-password | SCEP server challenge password for auto-regeneration. | (Empty) |
| ca-identifier | CA identifier of the CA server for signing via SCEP. | (Empty) |
| name-encoding | Name encoding for auto-regeneration. | printable |
| source-ip | Source IP for communications to SCEP server. | [Link] |
| ike-localid | IKE local ID. | (Empty) |
| ike-localid-type | IKE local ID type. | asn1dn |
dlp/filepattern
CLI Syntax
config dlp filepattern
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set filter-type {pattern | type}
                set pattern <string>
                set file-type {7z | arj | cab | lzh | rar | tar | zip | bzip | gzip | bzip2 | xz | bat | msc | uue | mime | base64 | binhex | bin | elf | exe | hta | html | jad | class | cod | javascript | msoffice | msofficex | fsg | upx | petite | aspack | prc | sis | hlp | activemime | jpeg | gif | tiff | png | bmp | ignored | unknown | mpeg | mov | mp3 | wma | wav | pdf | avi | rm | torrent | hibun}
            end
    end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| id | ID. | 0 |
| name | Name of table. | (Empty) |
| comment | Comment. | (Empty) |
| entries | Configure file patterns used by DLP blocking. | (Empty) |
dlp/fp-doc-source
CLI Syntax
config dlp fp-doc-source
    edit <name_str>
        set name <string>
        set server-type {samba}
        set server <string>
        set period {none | daily | weekly | monthly}
        set vdom {mgmt | current}
        set scan-subdirectories {enable | disable}
        set scan-on-creation {enable | disable}
        set remove-deleted {enable | disable}
        set keep-modified {enable | disable}
        set username <string>
        set password <password>
        set file-path <string>
        set file-pattern <string>
        set sensitivity <string>
        set tod-hour <integer>
        set tod-min <integer>
        set weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        set date <integer>
    end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | DLP Server. | (Empty) |
| server-type | DLP Server. | samba |
| server | Server location (can be IP or IPv6 address). | (Empty) |
| period | Select periodic server checking. | none |
| vdom | Select source on management or current VDOM. | mgmt |
| scan-subdirectories | Enable/disable scanning of subdirectories. | enable |
| scan-on-creation | Enable/disable force scan of server to happen when document source is created or edited. | enable |
| remove-deleted | Enable/disable removing chunks of files deleted from the server. | enable |
| keep-modified | Enable/disable retaining old chunks of modified files. | enable |
| username | Login username. | (Empty) |
| password | Login password. | (Empty) |
| file-path | File path on server. | (Empty) |
| file-pattern | File patterns to fingerprint (wildcard). | * |
| sensitivity | DLP fingerprint sensitivity defined for these files. | (Empty) |
| tod-hour | Time of day to run scans (hour part, 24 hour clock). | 1 |
| tod-min | Time of day to run scans (min). | 0 |
| weekday | Day of week to run scans. | sunday |
| date | Date within a month to run scans. | 1 |
dlp/fp-sensitivity
CLI Syntax
config dlp fp-sensitivity
    edit <name_str>
        set name <string>
    end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | DLP Sensitivity Levels. | (Empty) |
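Example (added to this reference, not Fortinet's own configuration) covering dlp/fp-sensitivity and dlp/fp-doc-source together: two sensitivity labels are defined, and a document source points at a Samba share whose files are chunked and fingerprinted under the "Critical" label on a weekly schedule. The server address, share path, account name and password are placeholders; the only real requirement on the account is read access to the share. Entries are closed with next and the table with end; lines starting with # are annotations rather than CLI input.

```fortios
config dlp fp-sensitivity
    edit "Critical"
    next
    edit "Private"
    next
end

config dlp fp-doc-source
    edit "finance-share"
        set server-type samba
        # Placeholder file server address
        set server "192.0.2.10"
        # Fingerprint from the management VDOM so the share is reachable even
        # when traffic VDOMs have no route to the file server.
        set vdom mgmt
        # Dedicated read-only account: the FortiGate only ever reads the share.
        set username "svc-dlp-ro"
        set password "<read-only-account-password>"
        # Placeholder path and pattern; only matching files are fingerprinted.
        set file-path "/finance/contracts"
        set file-pattern "*.docx"
        set sensitivity "Critical"
        set scan-subdirectories enable
        # Scan immediately when this source is created or edited.
        set scan-on-creation enable
        # Forget files removed from the share, but keep chunks of earlier
        # versions of modified files so leaked drafts still match.
        set remove-deleted enable
        set keep-modified enable
        # Re-scan weekly, Sunday at 01:00.
        set period weekly
        set weekday sunday
        set tod-hour 1
        set tod-min 0
    next
end
```

A DLP sensor filter with filter-by fingerprint and the fp-sensitivity name "Critical" will then match outbound content that shares enough chunks with these documents; fingerprint storage is sized under dlp/settings.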
dlp/sensor
CLI Syntax
config dlp sensor
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
config filter
edit <name_str>
set id <integer>
set name <string>
set severity {info | low | medium | high | critical}
set type {file | message}
set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | aim | icq
| msn | yahoo | mapi | mm1 | mm3 | mm4 | mm7}
set filter-by {credit-card | ssn | regexp | file-type | file-size | fingerprin
t | watermark | encrypted}
set file-size <integer>
set company-identifier <string>
config fp-sensitivity
edit <name_str>
set name <string>
end
set match-percentage <integer>
set file-type <integer>
set regexp <string>
set archive {disable | enable}
set action {allow | log-only | block | ban | quarantine-ip | quarantine-port}
set expiry <user>
end
set dlp-log {enable | disable}
set nac-quar-log {enable | disable}
set flow-based {enable | disable}
set options {}
set full-archive-proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | aim | icq | msn | yahoo | mapi | mm1 | mm3 | mm4 | mm7}
set summary-proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | aim | icq | msn | yahoo | mapi | mm1 | mm3 | mm4 | mm7}
end
Description
Configuration Description Default Value
name Name. (Empty)
comment Comment. (Empty)
replacemsg-group Replacement message group. (Empty)
filter Configure DLP filters. (Empty)
dlp-log Enable/disable logging for data leak prevention. enable
nac-quar-log Enable/disable logging for NAC quarantine creation. disable
flow-based Enable/disable flow-based data leak prevention. disable
options options
full-archive-proto Protocols to always content archive. (Empty)
summary-proto Protocols to always log summary. (Empty)
dlp/settings
CLI Syntax
config dlp settings
edit <name_str>
set storage-device <string>
set size <integer>
set db-mode {stop-adding | remove-modified-then-oldest | remove-oldest}
set cache-mem-percent <integer>
set chunk-size <integer>
end
Description
Configuration Description Default Value
storage-device Storage name. (Empty)
size Maximum total size of files within the storage (MB). 16
db-mode Method of maintaining database size. stop-adding
cache-mem-percent Maximum percentage of available memory allocated to caching (1 - 15%). 2
chunk-size Maximum fingerprint chunk size. **Changing will flush the entire database**. 2800
dnsfilter/profile
CLI Syntax
config dnsfilter profile
edit <name_str>
set name <string>
set comment <var-string>
config urlfilter
edit <name_str>
set urlfilter-table <integer>
end
config ftgd-dns
edit <name_str>
set options {error-allow | ftgd-disable}
config filters
edit <name_str>
set id <integer>
set category <integer>
set action {block | monitor}
set log {enable | disable}
end
end
set log-all-url {enable | disable}
set block-action {block | redirect}
set redirect-portal <ipv4-address>
set block-botnet {disable | enable}
end
Description
Configuration Description Default Value
name Profile name. (Empty)
comment Comment. (Empty)
urlfilter URL filter settings. Details below
Configuration Default Value
urlfilter-table 0
ftgd-dns FortiGuard DNS Filter settings. Details below
Configuration Default Value
options (Empty)
filters (Empty)
log-all-url Enable/disable log all URLs visited. disable
block-action Action to take for blocked domains. redirect
redirect-portal IP address of the SDNS portal. [Link]
block-botnet Enable/disable block of botnet C&C. disable
dnsfilter/urlfilter
CLI Syntax
config dnsfilter urlfilter
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set id <integer>
set url <string>
set type {simple | regex | wildcard}
set action {block | allow | monitor}
set status {enable | disable}
end
end
Description
Configuration Description Default Value
id ID. 0
name Name of table. (Empty)
comment Comment. (Empty)
entries DNS URL filter. (Empty)
endpoint-control/client
CLI Syntax
config endpoint-control client
edit <name_str>
set id <integer>
set ftcl-uid <string>
set src-ip <ipv4-address-any>
set src-mac <mac-address>
set info <user>
set ad-groups <var-string>
end
Description
Configuration Description Default Value
id Endpoint client ID. 0
ftcl-uid Endpoint FortiClient UID. (Empty)
src-ip Endpoint client IP address. [Link]
src-mac Endpoint client MAC address. [Link]
info Endpoint client information. (Empty)
ad-groups Endpoint client AD logon groups. (Empty)
endpoint-control/forticlient-registration-sync
CLI Syntax
config endpoint-control forticlient-registration-sync
edit <name_str>
set peer-name <string>
set peer-ip <ipv4-address>
end
Description
Configuration Description Default Value
peer-name Peer name. (Empty)
peer-ip Peer connecting IP. [Link]
endpoint-control/profile
CLI Syntax
config endpoint-control profile
edit <name_str>
set profile-name <string>
config forticlient-winmac-settings
edit <name_str>
set view-profile-details {enable | disable}
set forticlient-av {enable | disable}
set av-realtime-protection {enable | disable}
set scan-download-file {enable | disable}
set sandbox-scan {enable | disable}
set sandbox-address <string>
set wait-sandbox-result {enable | disable}
set use-sandbox-signature {enable | disable}
set block-malicious-website {enable | disable}
set block-attack-channel {enable | disable}
set av-scheduled-scan {enable | disable}
set av-scan-type {quick | full | custom}
set av-scan-folder <string>
set av-scan-schedule {daily | weekly | monthly}
set av-scan-day-of-week {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set av-scan-day-of-month <integer>
set av-scan-time <user>
config av-scan-exclusions
edit <name_str>
set id <integer>
set type {file | folder}
set name <string>
end
set forticlient-application-firewall {enable | disable}
set forticlient-application-firewall-list <string>
set monitor-unknown-application {enable | disable}
set install-ca-certificate {enable | disable}
set forticlient-wf {enable | disable}
set forticlient-wf-profile <string>
set disable-wf-when-protected {enable | disable}
set forticlient-vuln-scan {enable | disable}
set forticlient-vuln-scan-schedule {daily | weekly | monthly}
set forticlient-vuln-scan-on-registration {enable | disable}
set forticlient-vpn-provisioning {enable | disable}
set forticlient-advanced-vpn {enable | disable}
set forticlient-advanced-vpn-buffer <var-string>
config forticlient-vpn-settings
edit <name_str>
set name <string>
set type {ipsec | ssl}
set remote-gw <string>
set sslvpn-access-port <integer>
set sslvpn-require-certificate {enable | disable}
set auth-method {psk | certificate}
set preshared-key <password>
end
set disable-unregister-option {enable | disable}
set forticlient-log-upload {enable | disable}
set forticlient-log-upload-server <string>
set forticlient-log-ssl-upload {enable | disable}
set forticlient-log-upload-schedule {hourly | daily}
set forticlient-update-from-fmg {enable | disable}
config forticlient-update-server
edit <name_str>
set name <string>
end
set forticlient-update-failover-to-fdn {enable | disable}
set forticlient-settings-lock {enable | disable}
set forticlient-settings-lock-passwd <password>
set auto-vpn-when-off-net {enable | disable}
set auto-vpn-name <user>
set client-log-when-on-net {enable | disable}
set forticlient-ad {enable | disable}
set fsso-ma {enable | disable}
set fsso-ma-server <string>
set fsso-ma-psk <password>
set allow-personal-vpn {enable | disable}
set disable-user-disconnect {enable | disable}
set vpn-before-logon {enable | disable}
set vpn-captive-portal {enable | disable}
set forticlient-ui-options {av | wf | af | vpn | vs}
set forticlient-advanced-cfg {enable | disable}
set forticlient-advanced-cfg-buffer <var-string>
config extra-buffer-entries
edit <name_str>
set id <integer>
set buffer <var-string>
end
end
config forticlient-android-settings
edit <name_str>
set forticlient-wf {enable | disable}
set forticlient-wf-profile <string>
set disable-wf-when-protected {enable | disable}
set forticlient-vpn-provisioning {enable | disable}
set forticlient-advanced-vpn {enable | disable}
set forticlient-advanced-vpn-buffer <var-string>
config forticlient-vpn-settings
edit <name_str>
set name <string>
set type {ipsec | ssl}
set remote-gw <string>
set sslvpn-access-port <integer>
set sslvpn-require-certificate {enable | disable}
set auth-method {psk | certificate}
set preshared-key <password>
end
end
config forticlient-ios-settings
edit <name_str>
set forticlient-wf {enable | disable}
set forticlient-wf-profile <string>
set disable-wf-when-protected {enable | disable}
set client-vpn-provisioning {enable | disable}
config client-vpn-settings
edit <name_str>
set name <string>
set type {ipsec | ssl}
set vpn-configuration-name <string>
set vpn-configuration-content <var-string>
set remote-gw <string>
set sslvpn-access-port <integer>
set sslvpn-require-certificate {enable | disable}
set auth-method {psk | certificate}
set preshared-key <password>
end
set distribute-configuration-profile {enable | disable}
set configuration-name <string>
set configuration-content <var-string>
end
set description <var-string>
config src-addr
edit <name_str>
set name <string>
end
config device-groups
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config user-groups
edit <name_str>
set name <string>
end
config on-net-addr
edit <name_str>
set name <string>
end
set replacemsg-override-group <string>
end
Description
Configuration Description Default Value
profile-name Profile name. (Empty)
forticlient-winmac-settings FortiClient settings for Windows/Mac platform. Details below
Configuration Default Value
view-profile-details enable
forticlient-av enable
av-realtime-protection enable
scan-download-file enable
sandbox-scan disable
sandbox-address (Empty)
wait-sandbox-result disable
use-sandbox-signature disable
block-malicious-website disable
block-attack-channel disable
av-scheduled-scan disable
av-scan-type quick
av-scan-folder (Empty)
av-scan-schedule daily
av-scan-day-of-week sunday
av-scan-day-of-month 0
av-scan-time 00:00
av-scan-exclusions (Empty)
forticlient-application-firewall disable
forticlient-application-firewall-list (Empty)
monitor-unknown-application disable
install-ca-certificate disable
forticlient-wf enable
forticlient-wf-profile default
disable-wf-when-protected enable
forticlient-vuln-scan disable
forticlient-vuln-scan-schedule monthly
forticlient-vuln-scan-on-registration enable
forticlient-vpn-provisioning disable
forticlient-advanced-vpn disable
forticlient-advanced-vpn-buffer (Empty)
forticlient-vpn-settings (Empty)
disable-unregister-option disable
forticlient-log-upload disable
forticlient-log-upload-server (Empty)
forticlient-log-ssl-upload enable
forticlient-log-upload-schedule daily
forticlient-update-from-fmg disable
forticlient-update-server (Empty)
forticlient-update-failover-to-fdn enable
forticlient-settings-lock disable
forticlient-settings-lock-passwd (Empty)
auto-vpn-when-off-net disable
auto-vpn-name (Empty)
client-log-when-on-net disable
forticlient-ad disable
fsso-ma disable
fsso-ma-server (Empty)
fsso-ma-psk (Empty)
allow-personal-vpn enable
disable-user-disconnect disable
vpn-before-logon disable
vpn-captive-portal disable
forticlient-ui-options av wf vpn
forticlient-advanced-cfg disable
forticlient-advanced-cfg-buffer (Empty)
extra-buffer-entries (Empty)
forticlient-android-settings FortiClient settings for Android platform. Details below
Configuration Default Value
forticlient-wf disable
forticlient-wf-profile (Empty)
disable-wf-when-protected enable
forticlient-vpn-provisioning disable
forticlient-advanced-vpn disable
forticlient-advanced-vpn-buffer (Empty)
forticlient-vpn-settings (Empty)
forticlient-ios-settings FortiClient settings for iOS platform. Details below
Configuration Default Value
forticlient-wf disable
forticlient-wf-profile (Empty)
disable-wf-when-protected enable
client-vpn-provisioning disable
client-vpn-settings (Empty)
distribute-configuration-profile disable
configuration-name (Empty)
configuration-content (Empty)
description Description. (Empty)
src-addr Source addresses. (Empty)
device-groups Device groups. (Empty)
users Users. (Empty)
user-groups User groups. (Empty)
on-net-addr Addresses for on-net detection. (Empty)
replacemsg-override-group Specify endpoint control replacement message override group. (Empty)
endpoint-control/registered-forticlient
CLI Syntax
config endpoint-control registered-forticlient
edit <name_str>
set uid <string>
set vdom <string>
set ip <ipv4-address-any>
set mac <mac-address>
set status <integer>
set flag <integer>
set reg-fortigate <string>
end
Description
Configuration Description Default Value
uid FortiClient UID. (Empty)
vdom Registering vdom. (Empty)
ip Endpoint IP address. [Link]
mac Endpoint MAC address. [Link]
status FortiClient registration status. 1
flag FortiClient registration flag. 0
reg-fortigate Registering FortiGate SN. (Empty)
endpoint-control/settings
CLI Syntax
config endpoint-control settings
edit <name_str>
set forticlient-reg-key-enforce {enable | disable}
set forticlient-reg-key <password>
set forticlient-reg-timeout <integer>
set download-custom-link <string>
set download-location {fortiguard | custom}
set forticlient-keepalive-interval <integer>
set forticlient-sys-update-interval <integer>
end
Description
Configuration Description Default Value
forticlient-reg-key-enforce Enable/disable enforcement of FortiClient registration key. disable
forticlient-reg-key FortiClient registration key. (Empty)
forticlient-reg-timeout FortiClient registration license timeout (days, min = 1, max = 180, 0 = unlimited). 7
download-custom-link Customized URL for downloading FortiClient. (Empty)
download-location FortiClient download location. fortiguard
forticlient-keepalive-interval Interval between two KeepAlive messages from FortiClient (in seconds). 60
forticlient-sys-update-interval Interval between two system update messages from FortiClient (in minutes). 720
extender-controller/extender
CLI Syntax
config extender-controller extender
edit <name_str>
set id <string>
set admin {disable | discovered | enable}
set ifname <string>
set vdom <integer>
set role {none | primary | secondary}
set mode {standalone | redundant}
set dial-mode {dial-on-demand | always-connect}
set redial {none | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10}
set redundant-intf <string>
set dial-status <integer>
set conn-status <integer>
set ext-name <string>
set description <string>
set quota-limit-mb <integer>
set billing-start-day <integer>
set at-dial-script <string>
set modem-passwd <password>
set initiated-update {enable | disable}
set modem-type {cdma | gsm/lte | wimax}
set ppp-username <string>
set ppp-password <password>
set ppp-auth-protocol {auto | pap | chap}
set ppp-echo-request {enable | disable}
set wimax-carrier <string>
set wimax-realm <string>
set wimax-auth-protocol {tls | ttls}
set sim-pin <password>
set access-point-name <string>
set multi-mode {auto | auto-3g | force-lte | force-3g | force-2g}
set roaming {enable | disable}
set cdma-nai <string>
set aaa-shared-secret <password>
set ha-shared-secret <password>
set primary-ha <string>
set secondary-ha <string>
set cdma-aaa-spi <string>
set cdma-ha-spi <string>
end
Description
Configuration Description Default Value
id FortiExtender serial number. (Empty)
admin FortiExtender Administration (enable or disable). disable
ifname FortiExtender interface name. (Empty)
vdom VDOM. 0
role FortiExtender work role (Primary, Secondary, None). none
mode FortiExtender mode. standalone
dial-mode Dial mode (dial-on-demand or always-connect). always-connect
redial Number of redials allowed based on failed attempts. none
redundant-intf Redundant interface. (Empty)
dial-status Dial status. 0
conn-status Connection status. 0
ext-name FortiExtender name. (Empty)
description Description. (Empty)
quota-limit-mb Monthly quota limit (MB). 0
billing-start-day Billing start day. 1
at-dial-script Initialization AT commands specific to the MODEM. (Empty)
modem-passwd MODEM password. (Empty)
initiated-update Allow/disallow network initiated updates to the MODEM. disable
modem-type MODEM type (CDMA, GSM/LTE or WIMAX). gsm/lte
ppp-username PPP username. (Empty)
ppp-password PPP password. (Empty)
ppp-auth-protocol PPP authentication protocol (PAP,CHAP or auto). auto
ppp-echo-request Enable/disable PPP echo request. disable
wimax-carrier WiMax carrier. (Empty)
wimax-realm WiMax realm. (Empty)
wimax-auth-protocol WiMax authentication protocol (TLS or TTLS). tls
sim-pin SIM PIN. (Empty)
access-point-name Access point name (APN). (Empty)
multi-mode MODEM mode of operation (3G, LTE, etc). auto
roaming Enable/disable MODEM roaming. disable
cdma-nai NAI for CDMA MODEMS. (Empty)
aaa-shared-secret AAA shared secret. (Empty)
ha-shared-secret HA shared secret. (Empty)
primary-ha Primary HA. (Empty)
secondary-ha Secondary HA. (Empty)
cdma-aaa-spi CDMA AAA SPI. (Empty)
cdma-ha-spi CDMA HA SPI. (Empty)
[Link]/setting
CLI Syntax
config [Link] setting
edit <name_str>
set bindthroughfw {enable | disable}
set bindtofw {enable | disable}
set undefinedhost {allow | block}
end
Description
Configuration Description Default Value
bindthroughfw Enable/disable going through firewall. disable
bindtofw Enable/disable going to firewall. disable
undefinedhost Allow/block traffic for undefined hosts. block
[Link]/table
CLI Syntax
config [Link] table
edit <name_str>
set seq-num <integer>
set ip <ipv4-address>
set mac <mac-address>
set name <string>
set status {enable | disable}
end
Description
Configuration Description Default Value
seq-num Entry number. 0
ip IP address. [Link]
mac MAC address. [Link]
name Name (optional, default = no name). noname
status Enable/disable IP-mac binding. disable
[Link]/group
CLI Syntax
config [Link] group
edit <name_str>
set name <string>
config member
edit <name_str>
set name <string>
end
set color <integer>
end
Description
Configuration Description Default Value
name Schedule group name. (Empty)
member Schedule group member. (Empty)
color GUI icon color. 0
[Link]/onetime
CLI Syntax
config [Link] onetime
edit <name_str>
set name <string>
set start <user>
set end <user>
set color <integer>
set expiration-days <integer>
end
Description
Configuration Description Default Value
name Onetime schedule name. (Empty)
start Start time and date. 00:00 2001/01/01
end End time and date. 00:00 2001/01/01
color GUI icon color. 0
expiration-days Generate event log before schedule expires (1-100 days, 0 = disable). 3
[Link]/recurring
CLI Syntax
config [Link] recurring
edit <name_str>
set name <string>
set start <user>
set end <user>
set day {sunday | monday | tuesday | wednesday | thursday | friday | saturday | none}
set color <integer>
end
Description
Configuration Description Default Value
name Recurring schedule name. (Empty)
start Start time. 00:00
end End time. 00:00
day weekday sunday
color GUI icon color. 0
[Link]/category
CLI Syntax
config [Link] category
edit <name_str>
set name <string>
set comment <var-string>
end
Description
Configuration Description Default Value
name Service category name. (Empty)
comment Comment. (Empty)
[Link]/custom
CLI Syntax
config [Link] custom
edit <name_str>
set name <string>
set explicit-proxy {enable | disable}
set category <string>
set protocol {TCP/UDP/SCTP | ICMP | ICMP6 | IP | HTTP | FTP | CONNECT | SOCKS | SOCKS-TCP | SOCKS-UDP | ALL}
set iprange <user>
set fqdn <string>
set protocol-number <integer>
set icmptype <integer>
set icmpcode <integer>
set tcp-portrange <user>
set udp-portrange <user>
set sctp-portrange <user>
set tcp-halfclose-timer <integer>
set tcp-halfopen-timer <integer>
set tcp-timewait-timer <integer>
set udp-idle-timer <integer>
set session-ttl <integer>
set check-reset-range {disable | strict | default}
set comment <var-string>
set color <integer>
set visibility {enable | disable}
end
Description
Configuration Description Default Value
name Custom service name. (Empty)
explicit-proxy Enable/disable explicit web proxy service. disable
category Service category. (Empty)
protocol Protocol type. TCP/UDP/SCTP
iprange Start IP-End IP. [Link]
fqdn Fully qualified domain name. (Empty)
protocol-number IP protocol number. 0
icmptype ICMP type. (Empty)
icmpcode ICMP code. (Empty)
tcp-portrange Multiple TCP port ranges. (Empty)
udp-portrange Multiple UDP port ranges. (Empty)
sctp-portrange Multiple SCTP port ranges. (Empty)
tcp-halfclose-timer TCP half close timeout (1 - 86400 sec, 0 = default). 0
tcp-halfopen-timer TCP half open timeout (1 - 86400 sec, 0 = default). 0
tcp-timewait-timer TCP time wait timeout (1 - 300 sec, 0 = default). 0
udp-idle-timer UDP idle timeout (0 - 86400 sec, 0 = default). 0
session-ttl Session TTL (300 - 604800, 0 = default). 0
check-reset-range Enable/disable RST check. default
comment Comment. (Empty)
color GUI icon color. 0
visibility Enable/disable service visibility. enable
[Link]/group
CLI Syntax
config [Link] group
edit <name_str>
set name <string>
config member
edit <name_str>
set name <string>
end
set explicit-proxy {enable | disable}
set comment <var-string>
set color <integer>
end
Description
Configuration Description Default Value
name Address group name. (Empty)
member Address group member. (Empty)
explicit-proxy Enable/disable explicit web proxy service group. disable
comment Comment. (Empty)
color GUI icon color. 0
[Link]/per-ip-shaper
CLI Syntax
config [Link] per-ip-shaper
edit <name_str>
set name <string>
set max-bandwidth <integer>
set bandwidth-unit {kbps | mbps | gbps}
set max-concurrent-session <integer>
set diffserv-forward {enable | disable}
set diffserv-reverse {enable | disable}
set diffservcode-forward <user>
set diffservcode-rev <user>
end
Description
Configuration Description Default Value
name Traffic shaper name. (Empty)
max-bandwidth Maximum bandwidth value (0 - 16776000). 0
bandwidth-unit Bandwidth unit (default = kbps). kbps
max-concurrent-session Maximum concurrent session (0 - 2097000). 0
diffserv-forward Forward (original) traffic DiffServ. disable
diffserv-reverse Reverse (reply) traffic DiffServ. disable
diffservcode-forward Forward (original) traffic DiffServ code point value. 000000
diffservcode-rev Reverse (reply) traffic DiffServ code point value. 000000
[Link]/traffic-shaper
CLI Syntax
config [Link] traffic-shaper
edit <name_str>
set name <string>
set guaranteed-bandwidth <integer>
set maximum-bandwidth <integer>
set bandwidth-unit {kbps | mbps | gbps}
set priority {low | medium | high}
set per-policy {disable | enable}
set diffserv {enable | disable}
set diffservcode <user>
end
Description
Configuration Description Default Value
name Traffic shaper name. (Empty)
guaranteed-bandwidth Guaranteed bandwidth value (0 - 16776000). 0
maximum-bandwidth Maximum bandwidth value (0 - 16776000). 0
bandwidth-unit Bandwidth unit (default = kbps). kbps
priority Traffic priority. high
per-policy Enable/disable use of a separate shaper for each policy. disable
diffserv Enable/disable traffic DiffServ. disable
diffservcode Traffic DiffServ code point value. 000000
[Link]/setting
CLI Syntax
config [Link] setting
edit <name_str>
set proxy-connect-timeout <integer>
set ssl-dh-bits {768 | 1024 | 1536 | 2048}
set ssl-send-empty-frags {enable | disable}
set no-matching-cipher-action {bypass | drop}
set cert-cache-capacity <integer>
set cert-cache-timeout <integer>
set session-cache-capacity <integer>
set session-cache-timeout <integer>
end
Description
Configuration Description Default Value
proxy-connect-timeout Time limit to make an internal connection to the appropriate proxy process (1 - 60 sec). 30
ssl-dh-bits Size of Diffie-Hellman prime used in DHE-RSA negotiation. 2048
ssl-send-empty-frags Send empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only). enable
no-matching-cipher-action Bypass or drop the connection when no matching cipher was found. bypass
cert-cache-capacity Maximum capacity of the host certificate cache (0 - 500). 200
cert-cache-timeout Minutes to keep certificate cache (1 - 120 min). 10
session-cache-capacity Obsolete. 500
session-cache-timeout Number of minutes to keep SSL session state. 20
firewall/address
CLI Syntax
config firewall address
edit <name_str>
set name <string>
set uuid <uuid>
set subnet <ipv4-classnet-any>
set type {ipmask | iprange | fqdn | geography | wildcard | wildcard-fqdn}
set start-ip <ipv4-address-any>
set end-ip <ipv4-address-any>
set fqdn <string>
set country <string>
set wildcard-fqdn <string>
set cache-ttl <integer>
set wildcard <ipv4-classnet-any>
set comment <var-string>
set visibility {enable | disable}
set associated-interface <string>
set color <integer>
config tags
edit <name_str>
set name <string>
end
set allow-routing {enable | disable}
end
Description
Configuration Description Default Value
name Address name. (Empty)
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
subnet IP address and netmask. [Link] [Link]
type Type. ipmask
start-ip Start IP. [Link]
end-ip End IP. [Link]
fqdn Fully qualified domain name. (Empty)
country Country name. (Empty)
wildcard-fqdn Wildcard FQDN. (Empty)
cache-ttl Minimal TTL of individual IP addresses in FQDN cache. 0
wildcard IP address and wildcard netmask. [Link] [Link]
comment Comment. (Empty)
visibility Enable/disable address visibility. enable
associated-interface Associated interface name. (Empty)
color GUI icon color. 0
tags Applied object tags. (Empty)
allow-routing Enable/disable use of this address in the static route configuration. disable
firewall/address6
CLI Syntax
config firewall address6
edit <name_str>
set name <string>
set uuid <uuid>
set type {ipprefix | iprange}
set ip6 <ipv6-network>
set start-ip <ipv6-address>
set end-ip <ipv6-address>
set visibility {enable | disable}
set color <integer>
config tags
edit <name_str>
set name <string>
end
set comment <var-string>
end
Description
Configuration Description Default Value
name Address name. (Empty)
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
type Type. ipprefix
ip6 IPv6 address prefix. ::/0
start-ip Start IP. ::
end-ip End IP. ::
visibility Enable/disable address visibility. enable
color GUI icon color. 0
tags Applied object tags. (Empty)
comment Comment. (Empty)
firewall/addrgrp
CLI Syntax
config firewall addrgrp
edit <name_str>
set name <string>
set uuid <uuid>
config member
edit <name_str>
set name <string>
end
set comment <var-string>
set visibility {enable | disable}
set color <integer>
config tags
edit <name_str>
set name <string>
end
set allow-routing {enable | disable}
end
Description
Configuration Description Default Value
name Address group name. (Empty)
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
member Address group member. (Empty)
comment Comment. (Empty)
visibility Enable/disable address group visibility. enable
color GUI icon color. 0
tags Applied object tags. (Empty)
allow-routing Enable/disable use of this group in the static route configuration. disable
firewall/addrgrp6
CLI Syntax
config firewall addrgrp6
edit <name_str>
set name <string>
set uuid <uuid>
set visibility {enable | disable}
set color <integer>
set comment <var-string>
config member
edit <name_str>
set name <string>
end
config tags
edit <name_str>
set name <string>
end
end
Description
Configuration Description Default Value
name IPv6 address group name. (Empty)
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
visibility Enable/disable address group6 visibility. enable
color GUI icon color. 0
comment Comment. (Empty)
member IPv6 address group member. (Empty)
tags Applied object tags. (Empty)
firewall/auth-portal
CLI Syntax
config firewall auth-portal
edit <name_str>
config groups
edit <name_str>
set name <string>
end
set portal-addr <string>
set portal-addr6 <string>
set identity-based-route <string>
end
Description
Configuration Description Default Value
groups Group name. (Empty)
portal-addr Address (or domain name) of authentication portal. (Empty)
portal-addr6 IPv6 address (or domain name) of authentication portal. (Empty)
identity-based-route Name of identity-based routing rule. (Empty)
firewall/central-snat-map
CLI Syntax
config firewall central-snat-map
edit <name_str>
set policyid <integer>
set status {enable | disable}
config orig-addr
edit <name_str>
set name <string>
end
config dst-addr
edit <name_str>
set name <string>
end
config nat-ippool
edit <name_str>
set name <string>
end
set protocol <integer>
set orig-port <integer>
set nat-port <user>
end
Description
Configuration Description Default Value
policyid Policy ID. 0
status Enable/disable policy status. enable
orig-addr Original address. (Empty)
dst-addr Destination address. (Empty)
nat-ippool IP pool names for translated address. (Empty)
protocol Protocol (0 - 255). 0
orig-port Original port. 0
nat-port Translated port or port range. 0
firewall/dnstranslation
CLI Syntax
config firewall dnstranslation
edit <name_str>
set id <integer>
set src <ipv4-address>
set dst <ipv4-address>
set netmask <ipv4-netmask>
end
Description
Configuration Description Default Value
id ID. 0
src Source IP. [Link]
dst Destination IP. [Link]
netmask Network mask. [Link]
firewall/DoS-policy
CLI Syntax
config firewall DoS-policy
edit <name_str>
set policyid <integer>
set status {enable | disable}
set interface <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
config anomaly
edit <name_str>
set name <string>
set status {disable | enable}
set log {enable | disable}
set action {pass | block | proxy}
set quarantine {none | attacker | both | interface}
set quarantine-expiry <user>
set quarantine-log {disable | enable}
set threshold <integer>
set threshold(default) <integer>
end
end
Description
Configuration Description Default Value
policyid Policy ID. 0
status Enable/disable policy status. enable
interface Interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
service Service name. (Empty)
anomaly Anomaly. (Empty)
firewall/DoS-policy6
CLI Syntax
config firewall DoS-policy6
edit <name_str>
set policyid <integer>
set status {enable | disable}
set interface <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
config anomaly
edit <name_str>
set name <string>
set status {disable | enable}
set log {enable | disable}
set action {pass | block | proxy}
set quarantine {none | attacker | both | interface}
set quarantine-expiry <user>
set quarantine-log {disable | enable}
set threshold <integer>
set threshold(default) <integer>
end
end
Description
Configuration Description Default Value
policyid Policy ID. 0
status Enable/disable policy status. enable
interface Interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
service Service name. (Empty)
anomaly Anomaly. (Empty)
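Worked example, added here and not part of the Fortinet reference: a DoS policy on the Internet-facing interface that blocks SYN floods, quarantines hosts that port-scan, and only logs per-source session counts while the thresholds are still being baselined. The interface name `wan1`, the threshold values and the `5m` quarantine-expiry format are assumptions to adjust for the unit; `tcp_syn_flood`, `tcp_port_scan` and `ip_src_session` are the standard FortiOS anomaly names. Member lists are written in the form the interactive CLI accepts (`set srcaddr "all"`) rather than the nested `config srcaddr` table of the extracted syntax above, and lines starting with `#` are comments. The same structure applies to `config firewall DoS-policy6` with IPv6 address objects.

```fortios
# Added example (not from the reference): DoS policy on the WAN interface.
# Assumes the external interface is "wan1"; thresholds are starting points.
config firewall DoS-policy
    edit 1
        set status enable
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            # SYN flood: drop once the rate exceeds the threshold (pps).
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
                set threshold 2000
            next
            # Port scan: block and quarantine the scanning source.
            # "5m" is the assumed ###d##h##m duration format for this release.
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action block
                set quarantine attacker
                set quarantine-expiry 5m
                set quarantine-log enable
                set threshold 1000
            next
            # Session count per source: log only until a baseline exists,
            # then raise the threshold above the observed peak and block.
            edit "ip_src_session"
                set status enable
                set log enable
                set action pass
                set threshold 5000
            next
        end
    next
end
```

Start every anomaly with `set action pass` and `set log enable`, watch the anomaly logs for a representative period, and only switch to `block` once the threshold sits above the observed peak; a threshold below normal load turns the protection into a self-inflicted outage. DoS policies match on the ingress interface and are evaluated before firewall policies, so they also see traffic that a firewall policy would later drop, and a quarantined attacker is blocked for the whole expiry period regardless of which policy it would have matched.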
firewall/explicit-proxy-address
CLI Syntax
config firewall explicit-proxy-address
edit <name_str>
set name <string>
set uuid <uuid>
set type {host-regex | url | category | method | ua | header | src-advanced | dst-advanced}
set host <string>
set host-regex <string>
set path <string>
config category
edit <name_str>
set id <integer>
end
set method {get | post | put | head | connect | trace | options | delete}
set ua {chrome | ms | firefox | safari | other}
set header-name <string>
set header <string>
set case-sensitivity {disable | enable}
config header-group
edit <name_str>
set id <integer>
set header-name <string>
set header <string>
set case-sensitivity {disable | enable}
end
set color <integer>
config tags
edit <name_str>
set name <string>
end
set comment <var-string>
set visibility {enable | disable}
end
Description
Configuration Description Default Value
name Address name. (Empty)
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
type Address type. url
host Host address (Empty)
host-regex Host regular expression. (Empty)
path URL path regular expression. (Empty)
category FortiGuard category ID. (Empty)
method HTTP methods. (Empty)
ua User agent. (Empty)
header-name HTTP header. (Empty)
header HTTP header regular expression. (Empty)
case-sensitivity Case sensitivity in pattern. disable
header-group HTTP header group. (Empty)
color GUI icon color. 0
tags Applied object tags. (Empty)
comment Comment. (Empty)
visibility Enable/disable address visibility. disable
firewall/explicit-proxy-addrgrp
CLI Syntax
config firewall explicit-proxy-addrgrp
edit <name_str>
set name <string>
set type {src | dst}
set uuid <uuid>
config member
edit <name_str>
set name <string>
end
set color <integer>
config tags
edit <name_str>
set name <string>
end
set comment <var-string>
set visibility {enable | disable}
end
Description
Configuration Description Default Value
name Address group name. (Empty)
type Address group type. src
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
member Address group members. (Empty)
color GUI icon color. 0
tags Applied object tags. (Empty)
comment Comment. (Empty)
visibility Enable/disable address visibility. disable
firewall/explicit-proxy-policy
CLI Syntax
config firewall explicit-proxy-policy
edit <name_str>
set uuid <uuid>
set policyid <integer>
set proxy {web | ftp | wanopt}
config dstintf
edit <name_str>
set name <string>
end
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
set srcaddr-negate {enable | disable}
set dstaddr-negate {enable | disable}
set service-negate {enable | disable}
set action {accept | deny}
set status {enable | disable}
set schedule <string>
set logtraffic {all | utm | disable}
config srcaddr6
edit <name_str>
set name <string>
end
config dstaddr6
edit <name_str>
set name <string>
end
set identity-based {enable | disable}
set ip-based {enable | disable}
set active-auth-method {ntlm | basic | digest | form | none}
set sso-auth-method {fsso | rsso | none}
set require-tfa {enable | disable}
set web-auth-cookie {enable | disable}
set transaction-based {enable | disable}
config identity-based-policy
edit <name_str>
set id <integer>
set schedule <string>
set logtraffic {all | utm | disable}
set logtraffic-start {enable | disable}
set scan-botnet-connections {disable | block | monitor}
set utm-status {enable | disable}
set profile-type {single | group}
set profile-group <string>
set av-profile <string>
set webfilter-profile <string>
set spamfilter-profile <string>
set dlp-sensor <string>
set ips-sensor <string>
set application-list <string>
set casi-profile <string>
set icap-profile <string>
set waf-profile <string>
set profile-protocol-options <string>
set ssl-ssh-profile <string>
config groups
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
set disclaimer {disable | domain | policy | user}
set replacemsg-override-group <string>
end
set webproxy-forward-server <string>
set webproxy-profile <string>
set transparent {enable | disable}
set webcache {enable | disable}
set webcache-https {disable | any | enable}
set disclaimer {disable | domain | policy | user}
set utm-status {enable | disable}
set profile-type {single | group}
set profile-group <string>
set av-profile <string>
set webfilter-profile <string>
set spamfilter-profile <string>
set dlp-sensor <string>
set ips-sensor <string>
set application-list <string>
set casi-profile <string>
set icap-profile <string>
set waf-profile <string>
set profile-protocol-options <string>
set ssl-ssh-profile <string>
set replacemsg-override-group <string>
set logtraffic-start {enable | disable}
config tags
edit <name_str>
set name <string>
end
set label <string>
set global-label <string>
set scan-botnet-connections {disable | block | monitor}
set comments <var-string>
end
Description
Configuration Description Default Value
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
policyid Policy ID. 0
proxy Explicit proxy type. (Empty)
dstintf Destination interface name. (Empty)
srcaddr Source address name. [srcaddr or srcaddr6 (web proxy only) must be set]. (Empty)
dstaddr Destination address name. [dstaddr or dstaddr6 (web proxy only) must be set]. (Empty)
service Service name. (Empty)
srcaddr-negate Enable/disable negated source address match. disable
dstaddr-negate Enable/disable negated destination address match. disable
service-negate Enable/disable negated service match. disable
action Policy action. deny
status Enable/disable policy status. enable
schedule Schedule name. (Empty)
logtraffic Enable/disable policy log traffic. utm
srcaddr6 IPv6 source address (web proxy only). [srcaddr6 or srcaddr must be set]. (Empty)
dstaddr6 IPv6 destination address (web proxy only). [dstaddr6 or dstaddr must be set]. (Empty)
identity-based Enable/disable identity-based policy. disable
ip-based Enable/disable IP-based authentication. disable
active-auth-method Active authentication method. basic
sso-auth-method SSO authentication method. none
require-tfa Enable/disable requirement of 2-factor authentication. disable
web-auth-cookie Enable/disable Web authentication cookie. disable
transaction-based Enable/disable transaction based authentication. disable
identity-based-policy Identity-based policy. (Empty)
webproxy-forward-server Web proxy forward server. (Empty)
webproxy-profile Web proxy profile. (Empty)
transparent Use IP address of client to connect to server. disable
webcache Enable/disable web cache. disable
webcache-https Enable/disable web cache for HTTPS. disable
disclaimer Web proxy disclaimer setting. disable
utm-status Enable AV/web/IPS protection profile. disable
profile-type Profile type. single
profile-group Profile group. (Empty)
av-profile Antivirus profile. (Empty)
webfilter-profile Web filter profile. (Empty)
spamfilter-profile Spam filter profile. (Empty)
dlp-sensor DLP sensor. (Empty)
ips-sensor IPS sensor. (Empty)
application-list Application list. (Empty)
casi-profile CASI profile. (Empty)
icap-profile ICAP profile. (Empty)
waf-profile Web application firewall profile. (Empty)
profile-protocol-options Profile protocol options. (Empty)
ssl-ssh-profile SSL SSH Profile. (Empty)
replacemsg-override-group Specify authentication replacement message override group. (Empty)
logtraffic-start Enable/disable policy log traffic start. disable
tags Applied object tags. (Empty)
label Label for section view. (Empty)
global-label Label for global view. (Empty)
scan-botnet-connections Enable/disable scanning of connections to Botnet servers. disable
comments Comment. (Empty)
firewall/identity-based-route
CLI Syntax
config firewall identity-based-route
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set gateway <ipv4-address>
set device <string>
config groups
edit <name_str>
set name <string>
end
end
end
Description
Configuration Description Default Value
name Name. (Empty)
comments Description/comments. (Empty)
rule Rule. (Empty)
firewall/interface-policy
CLI Syntax
config firewall interface-policy
edit <name_str>
set policyid <integer>
set status {enable | disable}
set logtraffic {all | utm | disable}
set address-type {ipv4 | ipv6}
set interface <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
set application-list-status {enable | disable}
set application-list <string>
set casi-profile-status {enable | disable}
set casi-profile <string>
set ips-sensor-status {enable | disable}
set ips-sensor <string>
set dsri {enable | disable}
set av-profile-status {enable | disable}
set av-profile <string>
set webfilter-profile-status {enable | disable}
set webfilter-profile <string>
set spamfilter-profile-status {enable | disable}
set spamfilter-profile <string>
set dlp-sensor-status {enable | disable}
set dlp-sensor <string>
set scan-botnet-connections {disable | block | monitor}
set label <string>
end
Description
Configuration Description Default Value
policyid Policy ID. 0
status Enable/disable policy status. enable
logtraffic Enable/disable interface log traffic. utm
address-type Policy address type. ipv4
interface Interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
service Service name. (Empty)
application-list-status Enable/disable application control. disable
application-list Application list name. (Empty)
casi-profile-status Enable/disable CASI. disable
casi-profile CASI profile name. (Empty)
ips-sensor-status Enable/disable IPS sensor. disable
ips-sensor IPS sensor name. (Empty)
dsri Enable/disable DSRI. disable
av-profile-status Enable/disable antivirus. disable
av-profile Antivirus profile. (Empty)
webfilter-profile-status Enable/disable web filter profile. disable
webfilter-profile Web filter profile. (Empty)
spamfilter-profile-status Enable/disable spam filter. disable
spamfilter-profile Spam filter profile. (Empty)
dlp-sensor-status Enable/disable DLP sensor. disable
dlp-sensor DLP sensor. (Empty)
scan-botnet-connections Enable/disable scanning of connections to Botnet servers. disable
label Label. (Empty)
firewall/interface-policy6
CLI Syntax
config firewall interface-policy6
edit <name_str>
set policyid <integer>
set status {enable | disable}
set logtraffic {all | utm | disable}
set address-type {ipv4 | ipv6}
set interface <string>
config srcaddr6
edit <name_str>
set name <string>
end
config dstaddr6
edit <name_str>
set name <string>
end
config service6
edit <name_str>
set name <string>
end
set application-list-status {enable | disable}
set application-list <string>
set casi-profile-status {enable | disable}
set casi-profile <string>
set ips-sensor-status {enable | disable}
set ips-sensor <string>
set dsri {enable | disable}
set av-profile-status {enable | disable}
set av-profile <string>
set webfilter-profile-status {enable | disable}
set webfilter-profile <string>
set spamfilter-profile-status {enable | disable}
set spamfilter-profile <string>
set dlp-sensor-status {enable | disable}
set dlp-sensor <string>
set scan-botnet-connections {disable | block | monitor}
set label <string>
end
Description
Configuration Description Default Value
policyid Policy ID. 0
status Enable/disable policy status. enable
logtraffic Enable/disable interface log traffic. utm
address-type Policy address type. ipv6
interface Interface name. (Empty)
srcaddr6 IPv6 source address name. (Empty)
dstaddr6 IPv6 destination address name. (Empty)
service6 Service name. (Empty)
application-list-status Enable/disable application control. disable
application-list Application list name. (Empty)
casi-profile-status Enable/disable CASI. disable
casi-profile CASI profile name. (Empty)
ips-sensor-status Enable/disable IPS sensor. disable
ips-sensor IPS sensor name. (Empty)
dsri Enable/disable DSRI. disable
av-profile-status Enable/disable antivirus. disable
av-profile Antivirus profile. (Empty)
webfilter-profile-status Enable/disable web filter profile. disable
webfilter-profile Web filter profile. (Empty)
spamfilter-profile-status Enable/disable spam filter. disable
spamfilter-profile Spam filter profile. (Empty)
dlp-sensor-status Enable/disable DLP sensor. disable
dlp-sensor DLP sensor. (Empty)
scan-botnet-connections Enable/disable scanning of connections to Botnet servers. disable
label Label. (Empty)
firewall/ip-translation
CLI Syntax
config firewall ip-translation
edit <name_str>
set transid <integer>
set type {SCTP}
set startip <ipv4-address-any>
set endip <ipv4-address-any>
set map-startip <ipv4-address-any>
end
Description
Configuration Description Default Value
transid IP translation ID. 0
type IP translation type. SCTP
startip Start IP. [Link]
endip End IP. [Link]
map-startip Mapped start IP. [Link]
firewall/ippool
CLI Syntax
config firewall ippool
edit <name_str>
set name <string>
set type {overload | one-to-one | fixed-port-range | port-block-allocation}
set startip <ipv4-address-any>
set endip <ipv4-address-any>
set source-startip <ipv4-address-any>
set source-endip <ipv4-address-any>
set block-size <integer>
set num-blocks-per-user <integer>
set permit-any-host {disable | enable}
set arp-reply {disable | enable}
set arp-intf <string>
set comments <var-string>
end
Description
Configuration Description Default Value
name IP pool name. (Empty)
type IP pool type. overload
startip Start IP. [Link]
endip End IP. [Link]
source-startip Source start IP. [Link]
source-endip Source end IP. [Link]
block-size Block size. 128
num-blocks-per-user Number of blocks per user (1 - 128). 8
permit-any-host Enable/disable full cone NAT (any external host may use an established mapping). disable
arp-reply Enable/disable ARP reply. enable
arp-intf ARP reply interface. Any if unset. (Empty)
comments Comment. (Empty)
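Worked example, added here and not part of the Fortinet reference, covering both `firewall ippool` and the `firewall central-snat-map` section above: three pool types with the trade-offs that matter for attribution and exposure, followed by a central SNAT rule that uses one of them. The addresses, the `wan1` interface name and the object names are assumptions. Member lists are written in the `set orig-addr "lan-net"` form the interactive CLI accepts rather than the nested tables of the extracted syntax, and lines starting with `#` are comments.

```fortios
# Added example (not from the reference): IP pools and a central SNAT rule.
# Assumes 10.0.0.0/24 is the inside network, 203.0.113.0/24 the outside
# range and "wan1" the external interface.
config firewall address
    edit "lan-net"
        set subnet 10.0.0.0 255.255.255.0
    next
end
config firewall ippool
    # overload: many inside hosts share one translated address and source
    # ports are rewritten, so attribution needs per-session NAT logs.
    edit "pool-overload"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
    # one-to-one: no port translation; the pool must hold at least as many
    # addresses as there are inside hosts using it at the same time.
    edit "pool-1to1"
        set type one-to-one
        set startip 203.0.113.20
        set endip 203.0.113.29
    next
    # fixed-port-range: each inside address in source-startip..source-endip
    # gets a fixed slice of the port space on the outside range, so a
    # translated address:port alone identifies the inside host.
    edit "pool-fixed"
        set type fixed-port-range
        set startip 203.0.113.30
        set endip 203.0.113.31
        set source-startip 10.0.0.0
        set source-endip 10.0.0.255
        # Keep full-cone NAT off unless an application needs it: with
        # permit-any-host enabled, any outside host can reach a mapping
        # once an inside host has opened it.
        set permit-any-host disable
        # The unit answers ARP for the pool addresses (arp-reply enable is
        # the default); pin those replies to the outside interface.
        set arp-intf "wan1"
    next
end
# The central SNAT table is only consulted once central NAT is enabled for
# the VDOM; from then on the nat/ippool/poolname options of
# "config firewall policy" are no longer applied.
config system settings
    set central-nat enable
end
config firewall central-snat-map
    edit 1
        set status enable
        set orig-addr "lan-net"
        set dst-addr "all"
        set nat-ippool "pool-fixed"
        # protocol 0 matches any protocol; orig-port and nat-port can narrow
        # the rule to a single service.
        set protocol 0
    next
end
```

Pool addresses that are not on the outside interface's subnet are reachable only if the upstream router routes them to the unit; otherwise leave `arp-reply` enabled so the unit answers for them. Before enabling `central-nat`, check every firewall policy that currently relies on `set nat enable`, since the central table becomes the only source of SNAT decisions and a policy without a matching central SNAT entry forwards traffic with its original source address.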
firewall/ippool6
CLI Syntax
config firewall ippool6
edit <name_str>
set name <string>
set startip <ipv6-address>
set endip <ipv6-address>
set comments <var-string>
end
Description
Configuration Description Default Value
name IPv6 pool name. (Empty)
startip Start IP. ::
endip End IP. ::
comments Comment. (Empty)
firewall/ipv6-eh-filter
CLI Syntax
config firewall ipv6-eh-filter
edit <name_str>
set hop-opt {enable | disable}
set dest-opt {enable | disable}
set hdopt-type <integer>
set routing {enable | disable}
set routing-type <integer>
set fragment {enable | disable}
set auth {enable | disable}
set no-next {enable | disable}
end
Description
Configuration Description Default Value
hop-opt Block packets with Hop-by-Hop Options header. disable
dest-opt Block packets with Destination Options header. disable
hdopt-type Block specific Hop-by-Hop and/or Destination Option types (maximum 7 types, each between 0 and 255). (Empty)
routing Block packets with Routing header. enable
routing-type Block specific Routing header types (maximum 7 types, each between 0 and 255). 0
fragment Block packets with Fragment header. disable
auth Block packets with Authentication header. disable
no-next Block packets with No Next header. disable
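Worked example, added here and not part of the Fortinet reference. With the shipped defaults (`routing enable`, `routing-type 0`) the unit drops IPv6 packets that carry a type 0 Routing header, the RH0 header deprecated by RFC 5095 because it lets an attacker bounce traffic between two hosts for amplification. The example keeps that block explicit and shows how to confirm it, since `show` prints only non-default values and an untouched default is invisible there. It assumes that on a 5.4 unit this table is a single global object entered without `edit`, as it is in the interactive CLI; lines starting with `#` are comments.

```fortios
# Added example (not from the reference): IPv6 extension header filtering.
config firewall ipv6-eh-filter
    # Drop packets with a type 0 Routing header (RH0) but leave other
    # routing header types, such as type 2 used by Mobile IPv6, alone.
    set routing enable
    set routing-type 0
    # Leave Hop-by-Hop filtering off: a blanket block also drops packets
    # that carry the Router Alert option, which MLD depends on.
    set hop-opt disable
    # Fragment, Authentication and No Next headers are legitimate in normal
    # traffic; block them only with evidence of abuse on this segment.
    set fragment disable
    set auth disable
    set no-next disable
end
# "show" omits values equal to the default, so use the full form to verify
# that the RH0 block is in effect.
show full-configuration firewall ipv6-eh-filter
```

If a specific Hop-by-Hop or Destination option type is being abused, `set hdopt-type` lets you drop just that type (up to seven) instead of the whole header class, which is the narrower change.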
firewall/ldb-monitor
CLI Syntax
config firewall ldb-monitor
edit <name_str>
set name <string>
set type {ping | tcp | http | passive-sip}
set interval <integer>
set timeout <integer>
set retry <integer>
set port <integer>
set http-get <string>
set http-match <string>
set http-max-redirects <integer>
end
Description
Configuration Description Default Value
name Monitor name. (Empty)
type Monitor type. (Empty)
interval Detect interval. 10
timeout Detect request timeout. 2
retry Number of failed detection attempts before the server is marked down. 3
port Service port. 0
http-get HTTP get URL string. (Empty)
http-match String for matching HTTP-get response. (Empty)
http-max-redirects The maximum number of HTTP redirects to be allowed. 0
firewall/local-in-policy
CLI Syntax
config firewall local-in-policy
edit <name_str>
set policyid <integer>
set ha-mgmt-intf-only {enable | disable}
set intf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny}
config service
edit <name_str>
set name <string>
end
set schedule <string>
set auto-asic-offload {enable | disable}
set status {enable | disable}
end
Description
Configuration Description Default Value
policyid User defined local in policy ID. 0
ha-mgmt-intf-only Enable/disable dedication of HA management interface only for local-in policy. disable
intf Source interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
action Local-In policy action. deny
service Service name. (Empty)
schedule Schedule name. (Empty)
auto-asic-offload Enable/disable policy traffic ASIC offloading. enable
status Enable/disable policy status. enable
firewall/local-in-policy6
CLI Syntax
config firewall local-in-policy6
edit <name_str>
set policyid <integer>
set intf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny}
config service
edit <name_str>
set name <string>
end
set schedule <string>
set status {enable | disable}
end
Description
Configuration Description Default Value
policyid User defined local in policy ID. 0
intf Source interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
action Local-In policy action. deny
service Service name. (Empty)
schedule Schedule name. (Empty)
status Enable/disable policy status. enable
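Worked example, added here and not part of the Fortinet reference, covering both `firewall local-in-policy` and `firewall local-in-policy6`: management-plane access to the unit itself is limited to HTTPS and SSH from one administrative subnet, with a logged catch-all deny behind it. The interface name `port1`, the subnets and the object names are assumptions. Member lists use the `set srcaddr "mgmt-net"` form the interactive CLI accepts rather than the nested tables of the extracted syntax; `all`, `HTTPS`, `SSH`, `ALL` and `always` are the built-in objects. Lines starting with `#` are comments.

```fortios
# Added example (not from the reference): restrict who can talk to the
# FortiGate itself. Assumes "port1" carries management traffic, the admin
# subnet is 10.10.0.0/24 and its IPv6 counterpart is 2001:db8:10::/64.
config firewall address
    edit "mgmt-net"
        set subnet 10.10.0.0 255.255.255.0
    next
end
config firewall address6
    edit "mgmt-net6"
        set ip6 2001:db8:10::/64
    next
end
config firewall local-in-policy
    # Explicit allow: only the admin subnet, only the two admin protocols.
    edit 1
        set intf "port1"
        set srcaddr "mgmt-net"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "SSH"
        set schedule "always"
        set status enable
    next
    # Catch-all: local-in policies are evaluated top to bottom, so this
    # must stay last. It drops every other connection that terminates on
    # the unit through port1.
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
        set status enable
    next
end
config firewall local-in-policy6
    edit 1
        set intf "port1"
        set srcaddr "mgmt-net6"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "SSH"
        set schedule "always"
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end
```

Apply this from the console or from an interface the policy does not cover, because the catch-all takes effect immediately and a typo in the allow rule locks out remote administrators. The deny also drops every other service that terminates on the unit through that interface, including IKE, dynamic routing protocols and DHCP relay, so either exclude them with further allow rules ahead of the deny or keep those functions on a different interface. Local-in policies complement rather than replace `set allowaccess` on the interface: `allowaccess` decides which management services listen at all, the local-in policy decides who may reach the ones that do.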
firewall/multicast-address
CLI Syntax
config firewall multicast-address
edit <name_str>
set name <string>
set type {multicastrange | broadcastmask}
set subnet <ipv4-classnet-any>
set start-ip <ipv4-address-any>
set end-ip <ipv4-address-any>
set comment <var-string>
set visibility {enable | disable}
set associated-interface <string>
set color <integer>
config tags
edit <name_str>
set name <string>
end
end
Description
Configuration Description Default Value
name Multicast address name. (Empty)
type Multicast address type. multicastrange
subnet Broadcast address and subnet. [Link] [Link]
start-ip Start IP. [Link]
end-ip End IP. [Link]
comment Comment. (Empty)
visibility Enable/disable multicast address visibility. enable
associated-interface Associated interface name. (Empty)
color GUI icon color. 0
tags Applied object tags. (Empty)
firewall/multicast-address6
CLI Syntax
config firewall multicast-address6
edit <name_str>
set name <string>
set ip6 <ipv6-network>
set comment <var-string>
set visibility {enable | disable}
set color <integer>
config tags
edit <name_str>
set name <string>
end
end
Description
Configuration Description Default Value
name IPv6 multicast address name. (Empty)
ip6 IPv6 address prefix. ::/0
comment Comment. (Empty)
visibility Enable/disable multicast address visibility. enable
color GUI icon color. 0
tags Applied object tags. (Empty)
firewall/multicast-policy
CLI Syntax
config firewall multicast-policy
edit <name_str>
set id <integer>
set status {enable | disable}
set logtraffic {enable | disable}
set srcintf <string>
set dstintf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set snat {enable | disable}
set snat-ip <ipv4-address>
set dnat <ipv4-address-any>
set action {accept | deny}
set protocol <integer>
set start-port <integer>
set end-port <integer>
set auto-asic-offload {enable | disable}
end
Description
Configuration Description Default Value
id Policy ID. 0
status Enable/disable policy status. enable
logtraffic Enable/disable policy log traffic. disable
srcintf Source interface name. (Empty)
dstintf Destination interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
snat Enable/disable NAT source address. disable
snat-ip NAT source address. [Link]
dnat NAT destination address. [Link]
action Policy action. accept
protocol Protocol number. 0
start-port Start port number. 1
end-port End port number. 65535
auto-asic-offload Enable/disable policy traffic ASIC offloading. enable
firewall/multicast-policy6
CLI Syntax
config firewall multicast-policy6
edit <name_str>
set id <integer>
set status {enable | disable}
set logtraffic {enable | disable}
set srcintf <string>
set dstintf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny}
set protocol <integer>
set start-port <integer>
set end-port <integer>
set auto-asic-offload {enable | disable}
end
Description
Configuration Description Default Value
id Policy ID. 0
status Enable/disable multicast IPv6 policy status. enable
logtraffic Enable/disable multicast IPv6 policy log traffic. disable
srcintf IPv6 source interface name. (Empty)
dstintf IPv6 destination interface name. (Empty)
srcaddr IPv6 source address name. (Empty)
dstaddr IPv6 destination address name. (Empty)
action Policy action. accept
protocol Protocol number. 0
start-port Start port number. 1
end-port End port number. 65535
auto-asic-offload Enable/disable policy traffic ASIC offloading. enable
firewall/policy
CLI Syntax
config firewall policy
edit <name_str>
set policyid <integer>
set name <string>
set uuid <uuid>
config srcintf
edit <name_str>
set name <string>
end
config dstintf
edit <name_str>
set name <string>
end
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set rtp-nat {disable | enable}
config rtp-addr
edit <name_str>
set name <string>
end
set action {accept | deny | ipsec | ssl-vpn}
set send-deny-packet {disable | enable}
set firewall-session-dirty {check-all | check-new}
set status {enable | disable}
set schedule <string>
set schedule-timeout {enable | disable}
config service
edit <name_str>
set name <string>
end
set utm-status {enable | disable}
set profile-type {single | group}
set profile-group <string>
set av-profile <string>
set webfilter-profile <string>
set dnsfilter-profile <string>
set spamfilter-profile <string>
set dlp-sensor <string>
set ips-sensor <string>
set application-list <string>
set casi-profile <string>
set voip-profile <string>
set icap-profile <string>
set waf-profile <string>
set profile-protocol-options <string>
set ssl-ssh-profile <string>
set logtraffic {all | utm | disable}
set logtraffic-start {enable | disable}
set capture-packet {enable | disable}
set auto-asic-offload {enable | disable}
set wanopt {enable | disable}
set wanopt-detection {active | passive | off}
set wanopt-passive-opt {default | transparent | non-transparent}
set wanopt-profile <string>
set wanopt-peer <string>
set webcache {enable | disable}
set webcache-https {disable | ssl-server | any | enable}
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
set nat {enable | disable}
set permit-any-host {enable | disable}
set permit-stun-host {enable | disable}
set fixedport {enable | disable}
set ippool {enable | disable}
config poolname
edit <name_str>
set name <string>
end
set session-ttl <integer>
set vlan-cos-fwd <integer>
set vlan-cos-rev <integer>
set inbound {enable | disable}
set outbound {enable | disable}
set natinbound {enable | disable}
set natoutbound {enable | disable}
set wccp {enable | disable}
set ntlm {enable | disable}
set ntlm-guest {enable | disable}
config ntlm-enabled-browsers
edit <name_str>
set user-agent-string <string>
end
set fsso {enable | disable}
set wsso {enable | disable}
set rsso {enable | disable}
set fsso-agent-for-ntlm <string>
config groups
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config devices
edit <name_str>
set name <string>
end
set auth-path {enable | disable}
set disclaimer {enable | disable}
set vpntunnel <string>
set natip <ipv4-classnet>
set match-vip {enable | disable}
set diffserv-forward {enable | disable}
set diffserv-reverse {enable | disable}
set diffservcode-forward <user>
set diffservcode-rev <user>
set tcp-mss-sender <integer>
set tcp-mss-receiver <integer>
set comments <var-string>
set label <string>
set global-label <string>
set auth-cert <string>
set auth-redirect-addr <string>
set redirect-url <string>
set identity-based-route <string>
set block-notification {enable | disable}
config custom-log-fields
edit <name_str>
set field_id <string>
end
config tags
edit <name_str>
set name <string>
end
set replacemsg-override-group <string>
set srcaddr-negate {enable | disable}
set dstaddr-negate {enable | disable}
set service-negate {enable | disable}
set timeout-send-rst {enable | disable}
set captive-portal-exempt {enable | disable}
set ssl-mirror {enable | disable}
config ssl-mirror-intf
edit <name_str>
set name <string>
end
set scan-botnet-connections {disable | block | monitor}
set dsri {enable | disable}
end
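Worked example, added here and not part of the Fortinet reference: a pair of policies for LAN clients reaching the Internet, with the options that matter for security set explicitly instead of inherited. The interface names `port2` and `wan1`, the address object and the choice of profiles are assumptions; `default` and `certificate-inspection` are profile names a 5.4 unit ships with, and `HTTP`, `HTTPS`, `DNS`, `ALL`, `all` and `always` are built-in objects. Member lists use the `set srcaddr "lan-net"` form the interactive CLI accepts rather than the nested tables of the extracted syntax; lines starting with `#` are comments.

```fortios
# Added example (not from the reference): explicit outbound web policy plus
# a logged deny for everything else from the same source. Assumes "port2"
# is the LAN side, "wan1" the Internet side and 10.0.0.0/24 the LAN.
config firewall address
    edit "lan-net"
        set subnet 10.0.0.0 255.255.255.0
    next
end
config firewall policy
    edit 10
        set name "lan-to-internet-web"
        # Name interfaces and sources explicitly; "any" interfaces and "all"
        # sources on an accept policy are the usual way lateral paths appear.
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "lan-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        # Inspection: antivirus, web filter and IPS, with the protocol
        # options and an SSL/SSH profile that the UTM profiles require.
        set utm-status enable
        set profile-type single
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        # Log every session, not only the ones a UTM profile flags, and log
        # session start so long-lived flows are visible before they close.
        set logtraffic all
        set logtraffic-start enable
        # Policy change handling: check-all re-evaluates existing sessions
        # against the new policy set; check-new would leave them running.
        set firewall-session-dirty check-all
        set nat enable
    next
    # Logged deny for the same source: the implicit deny at the end of the
    # table does not log by default, so blocked traffic would go unseen.
    edit 11
        set name "lan-to-internet-deny-log"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "lan-net"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Two options in this table deserve care. `srcaddr-negate`, `dstaddr-negate` and `service-negate` invert the match, so an accept policy with a narrow address object and negate enabled matches everything except that object; reserve negation for deny policies or verify the resulting match set with a packet trace. `firewall-session-dirty check-new` makes a newly added block invisible to sessions that already exist, which is the wrong default while responding to an incident.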
Description
Configuration Description Default Value
policyid Policy ID. 0
name Policy name. (Empty)
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
srcintf Source interface name. (Empty)
dstintf Destination interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
rtp-nat Enable/disable use of this policy for RTP NAT. disable
rtp-addr RTP NAT address name. (Empty)
action Policy action. deny
send-deny-packet Enable/disable return of deny-packet. disable
firewall-session-dirty Packet session management. check-all
status Enable/disable policy status. enable
schedule Schedule name. (Empty)
schedule-timeout Enable/disable schedule timeout. disable
service Service name. (Empty)
utm-status Enable AV/web/IPS protection profile. disable
profile-type Profile type. single
profile-group Profile group. (Empty)
av-profile Antivirus profile. (Empty)
webfilter-profile Web filter profile. (Empty)
dnsfilter-profile DNS filter profile. (Empty)
spamfilter-profile Spam filter profile. (Empty)
dlp-sensor DLP sensor. (Empty)
ips-sensor IPS sensor. (Empty)
application-list Application list. (Empty)
casi-profile CASI profile. (Empty)
voip-profile VoIP profile. (Empty)
icap-profile ICAP profile. (Empty)
waf-profile Web application firewall profile. (Empty)
profile-protocol-options Profile protocol options. (Empty)
ssl-ssh-profile SSL SSH Profile. (Empty)
logtraffic Enable/disable policy log traffic. utm
logtraffic-start Enable/disable policy log traffic start. disable
capture-packet Enable/disable capture packets. disable
auto-asic-offload Enable/disable policy traffic ASIC offloading. enable
wanopt Enable/disable WAN optimization. disable
wanopt-detection WAN optimization auto-detection mode. active
wanopt-passive-opt WAN optimization passive mode options. This option decides which IP address is used to connect to the server. default
wanopt-profile WAN optimization profile. (Empty)
wanopt-peer WAN optimization peer. (Empty)
webcache Enable/disable web cache. disable
webcache-https Enable/disable web cache for HTTPS. disable
traffic-shaper Traffic shaper. (Empty)
traffic-shaper-reverse Traffic shaper. (Empty)
per-ip-shaper Per-IP shaper. (Empty)
nat Enable/disable policy NAT. disable
permit-any-host Enable/disable full cone NAT (permit any host in). disable
permit-stun-host Enable/disable permit STUN host in. disable
fixedport Enable/disable policy fixed port. disable
ippool Enable/disable policy IP pool. disable
poolname Policy IP pool names. (Empty)
session-ttl Session TTL. 0
vlan-cos-fwd VLAN forward direction user priority. 255
vlan-cos-rev VLAN reverse direction user priority. 255
inbound Enable/disable policy inbound. disable
outbound Enable/disable policy outbound. disable
natinbound Enable/disable policy NAT inbound. disable
natoutbound Enable/disable policy NAT outbound. disable
wccp Enable/disable Web Cache Coordination Protocol (WCCP). disable
ntlm Enable/disable NTLM authentication. disable
ntlm-guest Enable/disable guest user for NTLM authentication. disable
ntlm-enabled-browsers User agent strings for NTLM enabled browsers. (Empty)
fsso Enable/disable Fortinet Single Sign-On. disable
wsso Enable/disable WiFi Single Sign-On. enable
rsso Enable/disable RADIUS Single Sign-On. disable
fsso-agent-for-ntlm Specify FSSO agent for NTLM authentication. (Empty)
groups User authentication groups. (Empty)
users User name. (Empty)
devices Devices or device groups. (Empty)
auth-path Enable/disable authentication-based routing. disable
disclaimer Enable/disable user authentication disclaimer. disable
vpntunnel Policy VPN tunnel. (Empty)
natip NAT address. [Link] [Link]
match-vip Enable/disable match DNATed packet. disable
diffserv-forward Enable/disable forward (original) traffic DiffServ. disable
diffserv-reverse Enable/disable reverse (reply) traffic DiffServ. disable
diffservcode-forward Forward (original) traffic DiffServ code point value. 000000
diffservcode-rev Reverse (reply) traffic DiffServ code point value. 000000
tcp-mss-sender TCP MSS value of sender. 0
tcp-mss-receiver TCP MSS value of receiver. 0
comments Comment. (Empty)
label Label for section view. (Empty)
global-label Label for global view. (Empty)
auth-cert HTTPS server certificate for policy authentication. (Empty)
auth-redirect-addr HTTP-to-HTTPS redirect address for firewall authentication. (Empty)
redirect-url URL redirection after disclaimer/authentication. (Empty)
identity-based-route Name of identity-based routing rule. (Empty)
block-notification Enable/disable block notification. disable
custom-log-fields Log custom fields. (Empty)
tags Applied object tags. (Empty)
replacemsg-override-group Specify authentication replacement message override group. (Empty)
srcaddr-negate Enable/disable negated source address match. disable
dstaddr-negate Enable/disable negated destination address match. disable
service-negate Enable/disable negated service match. disable
timeout-send-rst Enable/disable sending of RST packet upon TCP session expiration. disable
captive-portal-exempt Enable/disable exemption of captive portal. disable
ssl-mirror Enable/disable SSL mirror. disable
ssl-mirror-intf Mirror interface name. (Empty)
scan-botnet-connections Enable/disable scanning of connections to Botnet servers. disable
dsri Enable/disable DSRI. disable
firewall/policy46
CLI Syntax
config firewall policy46
edit <name_str>
set permit-any-host {enable | disable}
set policyid <integer>
set uuid <uuid>
set srcintf <string>
set dstintf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny}
set status {enable | disable}
set schedule <string>
config service
edit <name_str>
set name <string>
end
set logtraffic {enable | disable}
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
set fixedport {enable | disable}
set tcp-mss-sender <integer>
set tcp-mss-receiver <integer>
set comments <var-string>
config tags
edit <name_str>
set name <string>
end
end
Description
Configuration Description Default Value
permit-any-host Enable/disable permit any host in. disable
policyid Policy ID. 0
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
srcintf Source interface name. (Empty)
dstintf Destination interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
action Policy action. deny
status Policy status. enable
schedule Schedule name. (Empty)
service Service name. (Empty)
logtraffic Enable/disable traffic log. disable
traffic-shaper Traffic shaper. (Empty)
traffic-shaper-reverse Reverse traffic shaper. (Empty)
per-ip-shaper Per IP traffic shaper. (Empty)
fixedport Enable/disable policy fixed port. disable
tcp-mss-sender TCP MSS value of sender. 0
tcp-mss-receiver TCP MSS value of receiver. 0
comments Comment. (Empty)
tags Applied object tags. (Empty)
firewall/policy6
CLI Syntax
config firewall policy6
edit <name_str>
set policyid <integer>
set name <string>
set uuid <uuid>
config srcintf
edit <name_str>
set name <string>
end
config dstintf
edit <name_str>
set name <string>
end
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny | ipsec | ssl-vpn}
set firewall-session-dirty {check-all | check-new}
set status {enable | disable}
set vlan-cos-fwd <integer>
set vlan-cos-rev <integer>
set schedule <string>
config service
edit <name_str>
set name <string>
end
set utm-status {enable | disable}
set profile-type {single | group}
set profile-group <string>
set av-profile <string>
set webfilter-profile <string>
set spamfilter-profile <string>
set dlp-sensor <string>
set ips-sensor <string>
set application-list <string>
set casi-profile <string>
set voip-profile <string>
set icap-profile <string>
set profile-protocol-options <string>
set ssl-ssh-profile <string>
set logtraffic {all | utm | disable}
set logtraffic-start {enable | disable}
set auto-asic-offload {enable | disable}
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
set nat {enable | disable}
set fixedport {enable | disable}
set ippool {enable | disable}
config poolname
edit <name_str>
set name <string>
end
set inbound {enable | disable}
set outbound {enable | disable}
set natinbound {enable | disable}
set natoutbound {enable | disable}
set send-deny-packet {enable | disable}
set vpntunnel <string>
set diffserv-forward {enable | disable}
set diffserv-reverse {enable | disable}
set diffservcode-forward <user>
set diffservcode-rev <user>
set tcp-mss-sender <integer>
set tcp-mss-receiver <integer>
set comments <var-string>
set label <string>
set global-label <string>
set rsso {enable | disable}
config tags
edit <name_str>
set name <string>
end
set replacemsg-override-group <string>
set srcaddr-negate {enable | disable}
set dstaddr-negate {enable | disable}
set service-negate {enable | disable}
config groups
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config devices
edit <name_str>
set name <string>
end
set timeout-send-rst {enable | disable}
set ssl-mirror {enable | disable}
config ssl-mirror-intf
edit <name_str>
set name <string>
end
end
set dsri {enable | disable}
end
Description
Configuration Description Default Value
policyid Policy ID. 0
name Policy name. (Empty)
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
srcintf Source interface name. (Empty)
dstintf Destination interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
action Policy action. deny
firewall-session-dirty Packet session management. check-all
status Enable/disable policy status. enable
vlan-cos-fwd VLAN forward direction user priority. 255
vlan-cos-rev VLAN reverse direction user priority. 255
schedule Schedule name. (Empty)
service Service name. (Empty)
utm-status Enable AV/web/IPS protection profile. disable
profile-type Profile type. single
profile-group Profile group. (Empty)
av-profile Antivirus profile. (Empty)
webfilter-profile Web filter profile. (Empty)
spamfilter-profile Spam filter profile. (Empty)
dlp-sensor DLP sensor. (Empty)
ips-sensor IPS sensor. (Empty)
application-list Application list. (Empty)
casi-profile CASI profile. (Empty)
voip-profile VoIP profile. (Empty)
icap-profile ICAP profile. (Empty)
profile-protocol-options Profile protocol options. (Empty)
ssl-ssh-profile SSL SSH Profile. (Empty)
logtraffic Enable/disable policy log traffic. utm
logtraffic-start Enable/disable policy log traffic start. disable
auto-asic-offload Enable/disable policy traffic ASIC offloading. enable
traffic-shaper Traffic shaper. (Empty)
traffic-shaper-reverse Reverse traffic shaper. (Empty)
per-ip-shaper Per-IP shaper. (Empty)
nat Enable/disable policy NAT. disable
fixedport Enable/disable policy fixed port. disable
ippool Enable/disable policy IP pool. disable
poolname Policy IP pool names. (Empty)
inbound Enable/disable policy inbound. disable
outbound Enable/disable policy outbound. disable
natinbound Enable/disable policy NAT inbound. disable
natoutbound Enable/disable policy NAT outbound. disable
send-deny-packet Enable/disable return of deny-packet. disable
vpntunnel Policy VPN tunnel. (Empty)
diffserv-forward Enable/disable forward (original) traffic DiffServ. disable
diffserv-reverse Enable/disable reverse (reply) traffic DiffServ. disable
diffservcode-forward Forward (original) traffic DiffServ code point value. 000000
diffservcode-rev Reverse (reply) Traffic DiffServ code point value. 000000
tcp-mss-sender TCP MSS value of sender. 0
tcp-mss-receiver TCP MSS value of receiver. 0
comments Comment. (Empty)
label Label for section view. (Empty)
global-label Label for global view. (Empty)
rsso Enable/disable RADIUS Single Sign-On. disable
tags Applied object tags. (Empty)
replacemsg-override-group Specify authentication replacement message override group. (Empty)
srcaddr-negate Enable/disable negated source address match. disable
dstaddr-negate Enable/disable negated destination address match. disable
service-negate Enable/disable negated service match. disable
groups User authentication groups. (Empty)
users User name. (Empty)
devices Devices or device groups. (Empty)
timeout-send-rst Enable/disable sending of RST packet upon TCP session expiration. disable
ssl-mirror Enable/disable SSL mirror. disable
ssl-mirror-intf Mirror interface name. (Empty)
dsri Enable/disable DSRI. disable
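Worked example (added to this reference; it is not Fortinet's own sample configuration): an IPv6 policy pair built from the settings in the table above. Interface names, address objects and profile names are assumptions chosen for the example. Two defaults matter for visibility: action defaults to deny, and logtraffic defaults to utm, which records security-profile events only, so a deny policy left at the default writes no record of the sessions it drops. The explicit deny policy below therefore sets logtraffic to all. The syntax table lists srcintf, srcaddr and service as sub-tables; the FortiOS CLI also accepts them as space-separated values on a single set line, which is the form shown here.

```fortios
# Assumed names: interfaces "internal"/"wan1", built-in address "all",
# built-in services HTTP/HTTPS/DNS/ALL, profiles "default" and "certificate-inspection".
config firewall policy6
    edit 10
        set name "lan6-to-wan6-inspected"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        # Security profiles only take effect once utm-status is enabled.
        set utm-status enable
        set profile-type single
        set av-profile "default"
        set ips-sensor "default"
        set ssl-ssh-profile "certificate-inspection"
        set profile-protocol-options "default"
        # all: log every session, not only UTM events (the utm default).
        set logtraffic all
        set logtraffic-start enable
    next
    edit 11
        set name "lan6-to-wan6-deny-rest"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        # Without this the denied sessions leave no log entry.
        set logtraffic all
        # Keep the default: drop silently rather than answer with a deny packet.
        set send-deny-packet disable
    next
end
```

Policy order is the match order, so the explicit deny is placed after the accept policy that it closes off; the logtraffic setting on each policy decides what the traffic log will show for that policy's sessions.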
firewall/policy64
CLI Syntax
config firewall policy64
edit <name_str>
set policyid <integer>
set uuid <uuid>
set srcintf <string>
set dstintf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny}
set status {enable | disable}
set schedule <string>
config service
edit <name_str>
set name <string>
end
set logtraffic {enable | disable}
set permit-any-host {enable | disable}
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
set fixedport {enable | disable}
set ippool {enable | disable}
config poolname
edit <name_str>
set name <string>
end
set tcp-mss-sender <integer>
set tcp-mss-receiver <integer>
set comments <var-string>
config tags
edit <name_str>
set name <string>
end
end
Description
Configuration Description Default Value
policyid Policy ID. 0
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
srcintf Source interface name. (Empty)
dstintf Destination interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
action Policy action. deny
status Enable/disable policy status. enable
schedule Schedule name. (Empty)
service Service name. (Empty)
logtraffic Enable/disable policy log traffic. disable
permit-any-host Enable/disable permit any host in. disable
traffic-shaper Traffic shaper. (Empty)
traffic-shaper-reverse Reverse traffic shaper. (Empty)
per-ip-shaper Per-IP traffic shaper. (Empty)
fixedport Enable/disable policy fixed port. disable
ippool Enable/disable policy64 IP pool. disable
poolname Policy IP pool names. (Empty)
tcp-mss-sender TCP MSS value of sender. 0
tcp-mss-receiver TCP MSS value of receiver. 0
comments Comment. (Empty)
tags Applied object tags. (Empty)
firewall/profile-group
CLI Syntax
config firewall profile-group
edit <name_str>
set name <string>
set av-profile <string>
set webfilter-profile <string>
set dnsfilter-profile <string>
set spamfilter-profile <string>
set dlp-sensor <string>
set ips-sensor <string>
set application-list <string>
set casi-profile <string>
set voip-profile <string>
set icap-profile <string>
set waf-profile <string>
set profile-protocol-options <string>
set ssl-ssh-profile <string>
end
Description
Configuration Description Default Value
name Profile group name. (Empty)
av-profile Antivirus profile. (Empty)
webfilter-profile Web filter profile. (Empty)
dnsfilter-profile DNS filter profile. (Empty)
spamfilter-profile Spam filter profile. (Empty)
dlp-sensor DLP sensor. (Empty)
ips-sensor IPS sensor. (Empty)
application-list Application list. (Empty)
casi-profile CASI profile. (Empty)
voip-profile VoIP profile. (Empty)
icap-profile ICAP profile. (Empty)
waf-profile Web application firewall profile. (Empty)
profile-protocol-options Profile protocol options. (Empty)
ssl-ssh-profile SSL SSH Profile. (Empty)
firewall/profile-protocol-options
CLI Syntax
config firewall profile-protocol-options
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
set oversize-log {disable | enable}
set switching-protocols-log {disable | enable}
config http
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {clientcomfort | servercomfort | oversize | no-content-summary | chunkedbypass}
set comfort-interval <integer>
set comfort-amount <integer>
set range-block {disable | enable}
set post-lang {jisx0201 | jisx0208 | jisx0212 | gb2312 | ksc5601-ex | euc-jp | sjis | iso2022-jp | iso2022-jp-1 | iso2022-jp-2 | euc-cn | ces-gbk | hz | ces-big5 | euc-kr | iso2022-jp-3 | iso8859-1 | tis620 | cp874 | cp1252 | cp1251}
set fortinet-bar {enable | disable}
set fortinet-bar-port <integer>
set streaming-content-bypass {enable | disable}
set switching-protocols {bypass | block}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
set block-page-status-code <integer>
set retry-count <integer>
end
config ftp
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {clientcomfort | oversize | no-content-summary | splice | bypass-rest-command | bypass-mode-command}
set comfort-interval <integer>
set comfort-amount <integer>
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
config imap
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {fragmail | oversize | no-content-summary}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
config mapi
edit <name_str>
set ports <integer>
set status {enable | disable}
set options {fragmail | oversize | no-content-summary}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
config pop3
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {fragmail | oversize | no-content-summary}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
config smtp
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {fragmail | oversize | no-content-summary | splice}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
set server-busy {enable | disable}
end
config nntp
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {oversize | no-content-summary | splice}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
end
config dns
edit <name_str>
set ports <integer>
set status {enable | disable}
end
config mail-signature
edit <name_str>
set status {disable | enable}
set signature <string>
end
set rpc-over-http {enable | disable}
end
Description
Configuration Description Default Value
name Name. (Empty)
comment Comment. (Empty)
replacemsg-group Replacement message group. (Empty)
oversize-log Enable/disable log antivirus oversize file blocking. disable
switching-protocols-log Enable/disable log HTTP/HTTPS switching protocols. disable
http HTTP. Details below
Configuration Default Value
ports (Empty)
status enable
inspect-all disable
options (Empty)
comfort-interval 10
comfort-amount 1
range-block disable
post-lang (Empty)
fortinet-bar disable
fortinet-bar-port 8011
streaming-content-bypass enable
switching-protocols bypass
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable
block-page-status-code 200
retry-count 0
ftp FTP. Details below
Configuration Default Value
ports (Empty)
status enable
inspect-all disable
options (Empty)
comfort-interval 10
comfort-amount 1
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable
imap IMAP. Details below
Configuration Default Value
ports (Empty)
status enable
inspect-all disable
options (Empty)
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable
mapi MAPI. Details below
Configuration Default Value
ports (Empty)
status enable
options (Empty)
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable
pop3 POP3. Details below
Configuration Default Value
ports (Empty)
status enable
inspect-all disable
options (Empty)
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable
smtp SMTP. Details below
Configuration Default Value
ports (Empty)
status enable
inspect-all disable
options (Empty)
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable
server-busy disable
nntp NNTP. Details below
Configuration Default Value
ports (Empty)
status enable
inspect-all disable
options (Empty)
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable
dns DNS. Details below
Configuration Default Value
ports (Empty)
status enable
mail-signature Mail signature. Details below
Configuration Default Value
status disable
signature (Empty)
rpc-over-http Enable/disable inspection of RPC over HTTP. enable
firewall/shaping-policy
CLI Syntax
config firewall shaping-policy
edit <name_str>
set id <integer>
set status {enable | disable}
set ip-version {4 | 6}
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config srcaddr6
edit <name_str>
set name <string>
end
config dstaddr6
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config groups
edit <name_str>
set name <string>
end
config application
edit <name_str>
set id <integer>
end
config app-category
edit <name_str>
set id <integer>
end
config url-category
edit <name_str>
set id <integer>
end
config dstintf
edit <name_str>
set name <string>
end
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
end
Description
Configuration Description Default Value
id Shaping policy ID. 0
status Enable/disable traffic shaping policy. enable
ip-version IP version. 4
srcaddr Source address. (Empty)
dstaddr Destination address. (Empty)
srcaddr6 IPv6 source address. (Empty)
dstaddr6 IPv6 destination address. (Empty)
service Service name. (Empty)
users User name. (Empty)
groups User authentication groups. (Empty)
application Application ID list. (Empty)
app-category Application category ID list. (Empty)
url-category URL category ID list. (Empty)
dstintf Destination interface list. (Empty)
traffic-shaper Forward traffic shaper. (Empty)
traffic-shaper-reverse Reverse traffic shaper. (Empty)
per-ip-shaper Per IP shaper. (Empty)
firewall/sniffer
CLI Syntax
config firewall sniffer
edit <name_str>
set id <integer>
set status {enable | disable}
set logtraffic {all | utm | disable}
set ipv6 {enable | disable}
set non-ip {enable | disable}
set interface <string>
set host <string>
set port <string>
set protocol <string>
set vlan <string>
set application-list-status {enable | disable}
set application-list <string>
set casi-profile-status {enable | disable}
set casi-profile <string>
set ips-sensor-status {enable | disable}
set ips-sensor <string>
set dsri {enable | disable}
set av-profile-status {enable | disable}
set av-profile <string>
set webfilter-profile-status {enable | disable}
set webfilter-profile <string>
set spamfilter-profile-status {enable | disable}
set spamfilter-profile <string>
set dlp-sensor-status {enable | disable}
set dlp-sensor <string>
set ips-dos-status {enable | disable}
config anomaly
edit <name_str>
set name <string>
set status {disable | enable}
set log {enable | disable}
set action {pass | block | proxy}
set quarantine {none | attacker | both | interface}
set quarantine-expiry <user>
set quarantine-log {disable | enable}
set threshold <integer>
set threshold(default) <integer>
end
set scan-botnet-connections {disable | block | monitor}
set max-packet-count <integer>
end
Description
Configuration Description Default Value
id Sniffer ID. 0
status Enable/disable sniffer status. enable
logtraffic Enable/disable sniffer log traffic. utm
ipv6 Enable/disable sniffer for IPv6 packets. disable
non-ip Enable/disable sniffer for non-IP packets. disable
interface Interface name. (Empty)
host Host list (IP or IP/mask or IP range). (Empty)
port Port list. (Empty)
protocol IP protocol list. (Empty)
vlan VLAN list. (Empty)
application-list-status Enable/disable application control. disable
application-list Application list name. (Empty)
casi-profile-status Enable/disable CASI. disable
casi-profile CASI profile name. (Empty)
ips-sensor-status Enable/disable IPS sensor. disable
ips-sensor IPS sensor name. (Empty)
dsri Enable/disable DSRI. disable
av-profile-status Enable/disable antivirus. disable
av-profile Antivirus profile. (Empty)
webfilter-profile-status Enable/disable web filter. disable
webfilter-profile Web filter profile. (Empty)
spamfilter-profile-status Enable/disable spam filter. disable
spamfilter-profile Spam filter profile. (Empty)
dlp-sensor-status Enable/disable DLP sensor. disable
dlp-sensor DLP sensor. (Empty)
ips-dos-status Enable/disable IPS DoS anomaly detection. disable
anomaly Configure anomaly. (Empty)
scan-botnet-connections Enable/disable scanning of connections to Botnet servers. disable
max-packet-count Maximum packet count. 4000
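Worked example (added to this reference; it is not Fortinet's own sample configuration): a one-arm sniffer policy used purely for detection, with IPS, antivirus, application control and DoS anomaly logging enabled on a mirror port. The interface, host range and profile names are assumptions. The sniffer interface must first be put into sniffer mode with ips-sniffer-mode under config system interface (a setting outside this section). Because a sniffer only observes a copy of the traffic, its profiles can log but cannot drop anything; the anomaly action is therefore left at pass and logging is turned on everywhere.

```fortios
# Assumed: "port3" receives a SPAN/mirror feed; profiles "default" exist.
config system interface
    edit "port3"
        set ips-sniffer-mode enable
    next
end

config firewall sniffer
    edit 1
        set status enable
        set interface "port3"
        # all: log every observed session, not just UTM hits (default utm).
        set logtraffic all
        set ipv6 enable
        set non-ip disable
        # Constructed monitored range; the host field takes IP, IP/mask or a range.
        set host "10.0.0.0/8"
        set ips-sensor-status enable
        set ips-sensor "default"
        set av-profile-status enable
        set av-profile "default"
        set application-list-status enable
        set application-list "default"
        set ips-dos-status enable
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                # A sniffer is passive: pass plus log is the only meaningful choice.
                set action pass
                set threshold 2000
            next
        end
        # monitor: report botnet C&C connections without attempting to block.
        set scan-botnet-connections monitor
        set max-packet-count 4000
    next
end
```

max-packet-count is kept at its default of 4000; dsri stays disabled so that both directions of each session are inspected.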
firewall/ssl-server
CLI Syntax
config firewall ssl-server
edit <name_str>
set name <string>
set ip <ipv4-address-any>
set port <integer>
set ssl-mode {half | full}
set add-header-x-forwarded-proto {enable | disable}
set mapped-port <integer>
set ssl-cert <string>
set ssl-dh-bits {768 | 1024 | 1536 | 2048}
set ssl-algorithm {high | medium | low}
set ssl-client-renegotiation {allow | deny | secure}
set ssl-min-version {ssl-3.0 | tls-1.0}
set ssl-max-version {ssl-3.0 | tls-1.0}
set ssl-send-empty-frags {enable | disable}
set url-rewrite {enable | disable}
end
Description
Configuration Description Default Value
name Server name. (Empty)
ip Server IP address. [Link]
port Server service port. 0
ssl-mode SSL/TLS mode for encryption & decryption of traffic. full
add-header-x-forwarded-proto Enable/disable add X-Forwarded-Proto header to forwarded requests. enable
mapped-port Mapped server service port. 0
ssl-cert Name of certificate for SSL connections to this server. (Empty)
ssl-dh-bits Size of Diffie-Hellman prime used in DHE-RSA negotiation. 2048
ssl-algorithm Relative strength of encryption algorithms accepted in negotiation. high
ssl-client-renegotiation Allow/block client renegotiation by server. allow
ssl-min-version Lowest SSL/TLS version to negotiate. ssl-3.0
ssl-max-version Highest SSL/TLS version to negotiate. tls-1.0
ssl-send-empty-frags Enable/disable send empty fragments to avoid attack on CBC IV. enable
url-rewrite Enable/disable rewrite URL. disable
firewall/ssl-ssh-profile
CLI Syntax
config firewall ssl-ssh-profile
edit <name_str>
set name <string>
set comment <var-string>
config ssl
edit <name_str>
set inspect-all {disable | certificate-inspection | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config https
edit <name_str>
set ports <integer>
set status {disable | certificate-inspection | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config ftps
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config imaps
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config pop3s
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config smtps
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config ssh
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set inspect-all {disable | deep-inspection | enable}
set block {x11-filter | ssh-shell | exec | port-forward}
set log {x11-filter | ssh-shell | exec | port-forward}
end
set whitelist {enable | disable}
config ssl-exempt
edit <name_str>
set id <integer>
set type {fortiguard-category | address | address6}
set fortiguard-category <integer>
set address <string>
set address6 <string>
end
set server-cert-mode {re-sign | replace}
set use-ssl-server {disable | enable}
set caname <string>
set untrusted-caname <string>
set certname <string>
set server-cert <string>
config ssl-server
edit <name_str>
set id <integer>
set ip <ipv4-address-any>
set https-client-cert-request {bypass | inspect | block}
set smtps-client-cert-request {bypass | inspect | block}
set pop3s-client-cert-request {bypass | inspect | block}
set imaps-client-cert-request {bypass | inspect | block}
set ftps-client-cert-request {bypass | inspect | block}
set ssl-other-client-cert-request {bypass | inspect | block}
end
set ssl-invalid-server-cert-log {disable | enable}
set rpc-over-https {enable | disable}
end
Description
Configuration Description Default Value
name Name. (Empty)
comment Comment. (Empty)
ssl SSL. Details below
Configuration Default Value
inspect-all disable
client-cert-request bypass
unsupported-ssl bypass
allow-invalid-server-cert disable
untrusted-cert allow
https HTTPS. Details below
Configuration Default Value
ports (Empty)
status deep-inspection
client-cert-request bypass
unsupported-ssl bypass
allow-invalid-server-cert disable
untrusted-cert allow
ftps FTPS. Details below
Configuration Default Value
ports (Empty)
status deep-inspection
client-cert-request bypass
unsupported-ssl bypass
allow-invalid-server-cert disable
untrusted-cert allow
imaps IMAPS. Details below
Configuration Default Value
ports (Empty)
status deep-inspection
client-cert-request inspect
unsupported-ssl bypass
allow-invalid-server-cert disable
untrusted-cert allow
pop3s POP3S. Details below
Configuration Default Value
ports (Empty)
status deep-inspection
client-cert-request inspect
unsupported-ssl bypass
allow-invalid-server-cert disable
untrusted-cert allow
smtps SMTPS. Details below
Configuration Default Value
ports (Empty)
status deep-inspection
client-cert-request inspect
unsupported-ssl bypass
allow-invalid-server-cert disable
untrusted-cert allow
ssh SSH. Details below
Configuration Default Value
ports (Empty)
status deep-inspection
inspect-all disable
block (Empty)
log (Empty)
whitelist Enable/disable exempt servers by FortiGuard whitelist. disable
ssl-exempt Servers to exempt from SSL inspection. (Empty)
server-cert-mode Re-sign or replace the server's certificate. re-sign
use-ssl-server Enable/disable to use SSL server table for SSL offloading. disable
caname CA certificate used by SSL Inspection. Fortinet_CA_SSL
untrusted-caname Untrusted CA certificate used by SSL Inspection. Fortinet_CA_Untrusted
certname Certificate containing the key to use when re-signing server certificates for SSL inspection. Fortinet_SSL
server-cert Certificate used by SSL Inspection to replace server certificate. Fortinet_SSL
ssl-server SSL servers. (Empty)
ssl-invalid-server-cert-log Enable/disable SSL server certificate validation logging. disable
rpc-over-https Enable/disable inspection of RPC over HTTPS. enable
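Worked example (added to this reference; it is not Fortinet's own sample configuration) covering both the firewall ssl-server section above and this ssl-ssh-profile section. The ssl-server defaults worth changing are ssl-min-version ssl-3.0 and ssl-client-renegotiation allow; tls-1.0 is the highest value the ssl-max-version syntax on this page offers, so min and max are both pinned to tls-1.0, which rules SSL 3.0 out entirely. The value secure permits renegotiation only from clients that use the RFC 5746 secure-renegotiation extension. In the profile, untrusted-cert and unsupported-ssl are moved from their permissive defaults (allow, bypass) to block, and certificate-validation logging is switched on. Server IP, certificate and address-object names are assumptions. The https and ssh sub-tables are fixed sub-objects entered as config ... end without the edit line that the extracted syntax shows.

```fortios
# Assumed: an internal server at 10.0.0.10 whose own certificate is loaded
# on the FortiGate as "example-web-cert"; address object "update-servers-exempt".
config firewall ssl-server
    edit "web-10.0.0.10"
        set ip 10.0.0.10
        set port 443
        set ssl-mode full
        set ssl-cert "example-web-cert"
        set ssl-dh-bits 2048
        set ssl-algorithm high
        # secure: only RFC 5746 secure renegotiation is accepted (default allow).
        set ssl-client-renegotiation secure
        # Defaults are ssl-3.0 .. tls-1.0; pin both ends to tls-1.0.
        set ssl-min-version tls-1.0
        set ssl-max-version tls-1.0
        # Default, kept explicit: empty fragments counter the CBC IV attack noted above.
        set ssl-send-empty-frags enable
        set add-header-x-forwarded-proto enable
    next
end

config firewall ssl-ssh-profile
    edit "deep-inspect-strict"
        set comment "Fail closed on untrusted or undecodable TLS; log validation failures"
        config https
            set ports 443
            set status deep-inspection
            set client-cert-request inspect
            # Defaults bypass/allow would let unscannable or untrusted sessions through.
            set unsupported-ssl block
            set allow-invalid-server-cert disable
            set untrusted-cert block
        end
        config ssh
            set ports 22
            set status deep-inspection
            set block port-forward x11-filter
            set log ssh-shell exec port-forward x11-filter
        end
        # FortiGuard whitelist plus an explicit exemption list for pinned clients.
        set whitelist enable
        config ssl-exempt
            edit 1
                set type address
                set address "update-servers-exempt"
            next
        end
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        set untrusted-caname "Fortinet_CA_Untrusted"
        # Use the ssl-server table so the real server certificate is presented
        # for 10.0.0.10 instead of a re-signed one.
        set use-ssl-server enable
        config ssl-server
            edit 1
                set ip 10.0.0.10
                set https-client-cert-request inspect
            next
        end
        # Default disable: turn on so rejected server certificates show up in the logs.
        set ssl-invalid-server-cert-log enable
        set rpc-over-https enable
    next
end
```

A profile set up this way will break clients that pin certificates or that only speak SSL 3.0, which is the intended effect; the ssl-exempt list and the whitelist are the documented places to carve out the exceptions rather than weakening the profile as a whole.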
firewall/ttl-policy
CLI Syntax
config firewall ttl-policy
edit <name_str>
set id <integer>
set status {enable | disable}
set action {accept | deny}
set srcintf <string>
config srcaddr
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
set schedule <string>
set ttl <user>
end
Description
Configuration Description Default Value
id ID. 0
status Enable/disable status. enable
action Action. deny
srcintf Source interface name. (Empty)
srcaddr Source address name. (Empty)
service Service name. (Empty)
schedule Schedule name. (Empty)
ttl TTL range. (Empty)
firewall/vip
CLI Syntax
config firewall vip
edit <name_str>
set name <string>
set id <integer>
set uuid <uuid>
set comment <var-string>
set type {static-nat | load-balance | server-load-balance | dns-translation | fqdn}
set dns-mapping-ttl <integer>
set ldb-method {static | round-robin | weighted | least-session | least-rtt | first-alive | http-host}
config src-filter
edit <name_str>
set range <string>
end
set extip <user>
config mappedip
edit <name_str>
set range <string>
end
set mapped-addr <string>
set extintf <string>
set arp-reply {disable | enable}
set server-type {http | https | imaps | pop3s | smtps | ssl | tcp | udp | ip}
set persistence {none | http-cookie | ssl-session-id}
set nat-source-vip {disable | enable}
set portforward {disable | enable}
set protocol {tcp | udp | sctp | icmp}
set extport <user>
set mappedport <user>
set gratuitous-arp-interval <integer>
config srcintf-filter
edit <name_str>
set interface-name <string>
end
set portmapping-type {1-to-1 | m-to-n}
config realservers
edit <name_str>
set id <integer>
set ip <ipv4-address-any>
set port <integer>
set status {active | standby | disable}
set weight <integer>
set holddown-interval <integer>
set healthcheck {disable | enable | vip}
set http-host <string>
set max-connections <integer>
set monitor <string>
set client-ip <user>
end
set http-cookie-domain-from-host {disable | enable}
set http-cookie-domain <string>
set http-cookie-path <string>
set http-cookie-generation <integer>
set http-cookie-age <integer>
set http-cookie-share {disable | same-ip}
set https-cookie-secure {disable | enable}
set http-multiplex {enable | disable}
set http-ip-header {enable | disable}
set http-ip-header-name <string>
set outlook-web-access {disable | enable}
set weblogic-server {disable | enable}
set websphere-server {disable | enable}
set ssl-mode {half | full}
set ssl-certificate <string>
set ssl-dh-bits {768 | 1024 | 1536 | 2048}
set ssl-algorithm {high | medium | low | custom}
config ssl-cipher-suites
edit <name_str>
set priority <integer>
set cipher {TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 | TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 | TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 |
    TLS-DHE-RSA-WITH-AES-128-CBC-SHA | TLS-DHE-RSA-WITH-AES-256-CBC-SHA | TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 |
    TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 | TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 | TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 |
    TLS-DHE-DSS-WITH-AES-128-CBC-SHA | TLS-DHE-DSS-WITH-AES-256-CBC-SHA | TLS-DHE-DSS-WITH-AES-128-CBC-SHA256 |
    TLS-DHE-DSS-WITH-AES-128-GCM-SHA256 | TLS-DHE-DSS-WITH-AES-256-CBC-SHA256 | TLS-DHE-DSS-WITH-AES-256-GCM-SHA384 |
    TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA | TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256 | TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 |
    TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA | TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384 | TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 |
    TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA | TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 | TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 |
    TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 | TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 | TLS-RSA-WITH-AES-128-CBC-SHA |
    TLS-RSA-WITH-AES-256-CBC-SHA | TLS-RSA-WITH-AES-128-CBC-SHA256 | TLS-RSA-WITH-AES-128-GCM-SHA256 |
    TLS-RSA-WITH-AES-256-CBC-SHA256 | TLS-RSA-WITH-AES-256-GCM-SHA384 | TLS-RSA-WITH-CAMELLIA-128-CBC-SHA |
    TLS-RSA-WITH-CAMELLIA-256-CBC-SHA | TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256 | TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256 |
    TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA | TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA | TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA |
    TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA | TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA | TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 |
    TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256 | TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256 | TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256 |
    TLS-DHE-RSA-WITH-SEED-CBC-SHA | TLS-DHE-DSS-WITH-SEED-CBC-SHA | TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256 |
    TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384 | TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256 | TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384 |
    TLS-RSA-WITH-SEED-CBC-SHA | TLS-RSA-WITH-ARIA-128-CBC-SHA256 | TLS-RSA-WITH-ARIA-256-CBC-SHA384 |
    TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256 | TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384 | TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256 |
    TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384 | TLS-ECDHE-RSA-WITH-RC4-128-SHA | TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA |
    TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA | TLS-RSA-WITH-3DES-EDE-CBC-SHA | TLS-RSA-WITH-RC4-128-MD5 |
    TLS-RSA-WITH-RC4-128-SHA | TLS-DHE-RSA-WITH-DES-CBC-SHA | TLS-DHE-DSS-WITH-DES-CBC-SHA |
    TLS-RSA-WITH-DES-CBC-SHA}
set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
end
set ssl-pfs {require | deny | allow}
set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-send-empty-frags {enable | disable}
set ssl-client-renegotiation {allow | deny | secure}
set ssl-client-session-state-type {disable | time | count | both}
set ssl-client-session-state-timeout <integer>
set ssl-client-session-state-max <integer>
set ssl-server-session-state-type {disable | time | count | both}
set ssl-server-session-state-timeout <integer>
set ssl-server-session-state-max <integer>
set ssl-http-location-conversion {enable | disable}
set ssl-http-match-host {enable | disable}
set monitor <string>
set max-embryonic-connections <integer>
set color <integer>
end
Description
Configuration Description Default Value
name Virtual IP name. (Empty)
id Custom defined ID. 0
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
comment Comment. (Empty)
type VIP type: static NAT, load balance, server load balance. static-nat
dns-mapping-ttl DNS mapping TTL (set to zero to use the TTL in the DNS response, default = 0). 0
ldb-method Load balance method. static
src-filter Source IP filter (x.x.x.x/x x.x.x.x-y.y.y.y). (Empty)
extip Start external IP - end external IP. 0.0.0.0
mappedip Mapped IP (x.x.x.x/x x.x.x.x-y.y.y.y). (Empty)
mapped-addr Mapped address. (Empty)
extintf External interface. (Empty)
arp-reply Enable/disable ARP reply. enable
server-type Server type. (Empty)
persistence Persistence. none
nat-source-vip Enable/disable force NAT as VIP when server goes out. disable
portforward Enable/disable port forward. disable
protocol Mapped port protocol. tcp
extport External service port. 0
mappedport Mapped service port. 0
gratuitous-arp-interval Interval between sending gratuitous ARPs (seconds, 0 to disable). 0
srcintf-filter Source interface filter. (Empty)
portmapping-type Port mapping type. 1-to-1
realservers Real servers. (Empty)
http-cookie-domain-from-host Enable/disable use of HTTP cookie domain from host field in HTTP. disable
http-cookie-domain HTTP cookie domain. (Empty)
http-cookie-path HTTP cookie path. (Empty)
http-cookie-generation Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. 0
http-cookie-age Number of minutes the web browser should keep cookie (0 = forever). 60
http-cookie-share Share HTTP cookies across different virtual servers. same-ip
https-cookie-secure Enable/disable verification that cookie inserted into HTTPS is marked as secure. disable
http-multiplex Enable/disable multiplexing HTTP requests/responses over a single TCP connection. disable
http-ip-header Add additional HTTP header containing client's original IP address. disable
http-ip-header-name Name of HTTP header containing client's IP address (X-Forwarded-For is used if empty). (Empty)
outlook-web-access Enable/disable adding HTTP header indicating SSL offload for Outlook Web Access server. disable
weblogic-server Enable/disable adding HTTP header indicating SSL offload for WebLogic server. disable
websphere-server Enable/disable adding HTTP header indicating SSL offload for WebSphere server. disable
ssl-mode SSL/TLS mode for encryption & decryption of traffic. half
ssl-certificate Name of certificate to offer in every SSL connection. (Empty)
ssl-dh-bits Size of Diffie-Hellman prime used in DHE-RSA negotiation. 2048
ssl-algorithm Relative strength of encryption algorithms accepted in negotiation. high
ssl-cipher-suites SSL/TLS cipher suites ordered by priority. (Empty)
ssl-pfs SSL Perfect Forward Secrecy. allow
ssl-min-version Lowest SSL/TLS version to negotiate. tls-1.0
ssl-max-version Highest SSL/TLS version to negotiate. tls-1.2
ssl-send-empty-frags Send empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only). enable
ssl-client-renegotiation Allow/block client renegotiation by server. allow
ssl-client-session-state-type Control client to FortiGate SSL session state preservation. both
ssl-client-session-state-timeout Number of minutes to keep client to FortiGate SSL session state. 30
ssl-client-session-state-max Maximum number of client to FortiGate SSL session states to keep. 1000
ssl-server-session-state-type Control FortiGate to server SSL session state preservation. both
ssl-server-session-state-timeout Number of minutes to keep FortiGate to server SSL session state. 60
ssl-server-session-state-max Maximum number of FortiGate to server SSL session states to keep. 100
ssl-http-location-conversion Enable/disable location conversion on HTTP response header. disable
ssl-http-match-host Enable/disable HTTP host matching for location conversion. disable
monitor Health monitors. (Empty)
max-embryonic-connections Maximum number of incomplete connections. 1000
color GUI icon color. 0
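The firewall/vip table above documents the SSL offload settings of a virtual server (ssl-min-version, ssl-pfs, ssl-client-renegotiation, ssl-dh-bits, ssl-cipher-suites and their versions) together with their defaults. The following Python script is an added example, not Fortinet code and not part of this reference: it parses FortiOS show-style configuration text using the config / edit / set / next / end grammar and reports VIP entries that keep the permissive defaults or offer RC4, DES/3DES or MD5 suites from the cipher list above. The sample configuration, VIP names and IP addresses are constructed for the example.

```python
"""Audit 'config firewall vip' entries for weak SSL offload settings.
Added example, not Fortinet code: parses FortiOS show-style config text
(config / edit / set / next / end) and checks the ssl-* settings from the
firewall/vip table against a hardened baseline. The sample is constructed."""
import shlex

# Defaults from the firewall/vip table. 'show' omits settings that are at
# their default, so an absent key is judged against the default, not skipped.
VIP_DEFAULTS = {"ssl-min-version": "tls-1.0", "ssl-pfs": "allow",
                "ssl-client-renegotiation": "allow", "ssl-dh-bits": "2048"}
VERSION_ORDER = ["ssl-3.0", "tls-1.0", "tls-1.1", "tls-1.2"]
TLS_SERVER_TYPES = {"https", "ssl", "imaps", "pop3s", "smtps"}  # ssl-* applies only here
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5")  # "DES" also catches the 3DES-EDE suites

def parse_fortios(text):
    """Nested dicts from FortiOS CLI text: 'config'/'edit' open a level,
    'set' stores a value list, 'next' closes an entry, 'end' closes a table."""
    root = {}
    stack = [("config", root)]
    for line in text.splitlines():
        tokens = shlex.split(line)  # strips the quotes around names
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            node = stack[-1][1].setdefault(" ".join(args), {})
            stack.append((kw, node))
        elif kw == "set":
            stack[-1][1][args[0]] = args[1:]
        elif kw == "next" and stack[-1][0] == "edit":
            stack.pop()
        elif kw == "end":  # also closes an entry left open without 'next'
            while len(stack) > 1 and stack.pop()[0] != "config":
                pass
    return root

def audit_vip(name, vip):
    """Return finding strings for one firewall vip entry (empty if none)."""
    def setting(key):
        return vip.get(key, [VIP_DEFAULTS.get(key, "")])[0]
    findings = []
    if setting("server-type") not in TLS_SERVER_TYPES:
        return findings  # no TLS termination on this VIP
    if VERSION_ORDER.index(setting("ssl-min-version")) < VERSION_ORDER.index("tls-1.2"):
        findings.append(f"{name}: ssl-min-version {setting('ssl-min-version')} accepts pre-TLS 1.2 clients")
    if setting("ssl-pfs") != "require":
        findings.append(f"{name}: ssl-pfs {setting('ssl-pfs')} permits non-forward-secret key exchange")
    if setting("ssl-client-renegotiation") == "allow":
        findings.append(f"{name}: ssl-client-renegotiation allow (prefer secure or deny)")
    if int(setting("ssl-dh-bits")) < 2048:
        findings.append(f"{name}: ssl-dh-bits {setting('ssl-dh-bits')} is below 2048")
    for prio, suite in vip.get("ssl-cipher-suites", {}).items():
        cipher = suite.get("cipher", [""])[0]
        if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"{name}: cipher suite {prio} offers weak cipher {cipher}")
        if "ssl-3.0" in suite.get("versions", []):
            findings.append(f"{name}: cipher suite {prio} is enabled for ssl-3.0")
    return findings

def audit_config(text):
    """Audit every firewall vip entry in a config dump."""
    findings = []
    for name, vip in parse_fortios(text).get("firewall vip", {}).items():
        findings.extend(audit_vip(name, vip))
    return findings

# Constructed sample: a weak offload VIP, a hardened one and a plain DNAT VIP.
SAMPLE_CONFIG = """\
config firewall vip
    edit "web-offload"
        set extip 203.0.113.10
        set server-type https
        set ssl-dh-bits 1024
        set ssl-algorithm custom
        config ssl-cipher-suites
            edit 1
                set cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
                set versions tls-1.2
            next
            edit 2
                set cipher TLS-RSA-WITH-RC4-128-SHA
                set versions ssl-3.0 tls-1.0 tls-1.1
            next
        end
    next
    edit "web-hardened"
        set extip 203.0.113.11
        set server-type https
        set ssl-min-version tls-1.2
        set ssl-pfs require
        set ssl-client-renegotiation secure
    next
    edit "plain-dnat"
        set extip 203.0.113.12
        set mappedip "10.0.0.12"
    next
end
"""
```

Because `show` prints only values that differ from their defaults, the checker evaluates absent keys against the defaults listed in the table instead of skipping them; that is how it reports the default `tls-1.0`, `ssl-pfs allow` and `ssl-client-renegotiation allow` on "web-offload" without those lines being present. A VIP whose server-type is not one of the SSL types is skipped, since its ssl-* settings are inert. Running `audit_config(SAMPLE_CONFIG)` yields six findings, all for "web-offload".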
firewall/vip46
CLI Syntax
config firewall vip46
edit <name_str>
set name <string>
set id <integer>
set uuid <uuid>
set comment <var-string>
config src-filter
edit <name_str>
set range <string>
end
set extip <user>
set mappedip <user>
set arp-reply {disable | enable}
set portforward {disable | enable}
set protocol {tcp | udp}
set extport <user>
set mappedport <user>
set color <integer>
end
Description
Configuration Description Default Value
name VIP46 name. (Empty)
id Custom defined id. 0
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
comment Comment. (Empty)
src-filter Source IP filter (x.x.x.x/x). (Empty)
extip Start-external-IP [-end-external-IP]. 0.0.0.0
mappedip Start-mapped-IP [-end mapped-IP]. ::
arp-reply Enable ARP reply. enable
portforward Enable port forward. disable
protocol Mapped port protocol. tcp
extport External service port. 0
mappedport Mapped service port. 0
color GUI icon color. 0
firewall/vip6
CLI Syntax
config firewall vip6
edit <name_str>
set name <string>
set id <integer>
set uuid <uuid>
set comment <var-string>
set type {static-nat}
config src-filter
edit <name_str>
set range <string>
end
set extip <user>
set mappedip <user>
set arp-reply {disable | enable}
set portforward {disable | enable}
set protocol {tcp | udp | sctp}
set extport <user>
set mappedport <user>
set color <integer>
end
Description
Configuration Description Default Value
name Virtual ip6 name. (Empty)
id Custom defined ID. 0
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
comment Comment. (Empty)
type VIP type: static NAT. static-nat
src-filter Source IP6 filter (x:x:x:x:x:x:x:x/x). (Empty)
extip Start external IP - end external IP. ::
mappedip Start mapped IP -end mapped IP. ::
arp-reply Enable/disable ARP reply. enable
portforward Enable/disable port forward. disable
protocol Mapped port protocol. tcp
extport External service port. 0
mappedport Mapped service port. 0
color GUI icon color. 0
firewall/vip64
CLI Syntax
config firewall vip64
edit <name_str>
set name <string>
set id <integer>
set uuid <uuid>
set comment <var-string>
config src-filter
edit <name_str>
set range <string>
end
set extip <user>
set mappedip <user>
set arp-reply {disable | enable}
set portforward {disable | enable}
set protocol {tcp | udp}
set extport <user>
set mappedport <user>
set color <integer>
end
Description
Configuration Description Default Value
name VIP64 name. (Empty)
id Custom defined id. 0
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
comment Comment. (Empty)
src-filter Source IP6 filter (x:x:x:x:x:x:x:x/x). (Empty)
extip Start-external-IP [-End-external-IP]. ::
mappedip Start-mapped-IP [-End-mapped-IP]. 0.0.0.0
arp-reply Enable ARP reply. enable
portforward Enable port forward. disable
protocol Mapped port protocol. tcp
extport External service port. 0
mappedport Mapped service port. 0
color GUI icon color. 0
firewall/vipgrp
CLI Syntax
config firewall vipgrp
edit <name_str>
set name <string>
set uuid <uuid>
set interface <string>
set color <integer>
set comments <var-string>
config member
edit <name_str>
set name <string>
end
end
Description
Configuration Description Default Value
name VIP group name. (Empty)
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
interface Interface. (Empty)
color GUI icon color. 0
comments Comment. (Empty)
member VIP group member. (Empty)
firewall/vipgrp46
CLI Syntax
config firewall vipgrp46
edit <name_str>
set name <string>
set uuid <uuid>
set color <integer>
set comments <var-string>
config member
edit <name_str>
set name <string>
end
end
Description
Configuration Description Default Value
name VIP46 group name. (Empty)
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
color GUI icon color. 0
comments Comment. (Empty)
member VIP46 group member. (Empty)
firewall/vipgrp6
CLI Syntax
config firewall vipgrp6
edit <name_str>
set name <string>
set uuid <uuid>
set color <integer>
set comments <var-string>
config member
edit <name_str>
set name <string>
end
end
Description
Configuration Description Default Value
name IPv6 VIP group name. (Empty)
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
color GUI icon color. 0
comments Comment. (Empty)
member VIP group6 member. (Empty)
firewall/vipgrp64
CLI Syntax
config firewall vipgrp64
edit <name_str>
set name <string>
set uuid <uuid>
set color <integer>
set comments <var-string>
config member
edit <name_str>
set name <string>
end
end
Description
Configuration Description Default Value
name VIP64 group name. (Empty)
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
color GUI icon color. 0
comments Comment. (Empty)
member VIP64 group member. (Empty)
ftp-proxy/explicit
CLI Syntax
config ftp-proxy explicit
edit <name_str>
set status {enable | disable}
set incoming-port <integer>
set incoming-ip <ipv4-address-any>
set outgoing-ip <ipv4-address-any>
set sec-default-action {accept | deny}
end
Description
Configuration Description Default Value
status Enable/disable explicit ftp proxy. disable
incoming-port Accept incoming FTP requests on ports other than port 21. 21
incoming-ip Accept incoming FTP requests from this IP. An interface must have this IP address. 0.0.0.0
outgoing-ip Outgoing FTP requests will leave from this IP. An interface must have this IP address. (Empty)
sec-default-action Default action to allow or deny when no ftp-proxy firewall policy exists. deny
gui/console
CLI Syntax
config gui console
edit <name_str>
set preferences <user>
end
Description
Configuration Description Default Value
preferences Preferences. "c2lkY2FyZQlGRkZGRkYJMDAwMDAwCW1vbm9zcGFjZQkxMHB0CTk5OTkJMAphZG1pbglGRkZGRkYJMDAwMDAwCW1vbm9zcGFjZQkxMHB0CTUwMAkwCg=="
icap/profile
CLI Syntax
config icap profile
edit <name_str>
set replacemsg-group <string>
set name <string>
set request {disable | enable}
set response {disable | enable}
set streaming-content-bypass {disable | enable}
set request-server <string>
set response-server <string>
set request-failure {error | bypass}
set response-failure {error | bypass}
set request-path <string>
set response-path <string>
set methods {delete | get | head | options | post | put | trace | other}
end
Description
Configuration Description Default Value
replacemsg-group Replacement message group. (Empty)
name ICAP profile name. (Empty)
request Enable/disable control of an HTTP request passing tolerance to ICAP server. disable
response Enable/disable control of an HTTP response passing to ICAP server. disable
streaming-content-bypass Enable/disable control over streaming content being sent to ICAP server or bypassed. disable
request-server ICAP server to use for an HTTP request. (Empty)
response-server ICAP server to use for an HTTP response. (Empty)
request-failure Action to take if the ICAP server cannot be contacted when processing an HTTP request. error
response-failure Action to take if the ICAP server cannot be contacted when processing an HTTP response. error
request-path Path component of the ICAP URI that identifies the HTTP request processing service. (Empty)
response-path Path component of the ICAP URI that identifies the HTTP response processing service. (Empty)
methods The allowed HTTP methods that will be sent to ICAP server for further processing. delete get head options post put trace other
icap/server
CLI Syntax
config icap server
edit <name_str>
set name <string>
set ip-version {4 | 6}
set ip-address <ipv4-address-any>
set ip6-address <ipv6-address>
set port <integer>
set max-connections <integer>
end
Description
Configuration Description Default Value
name Server name. (Empty)
ip-version IP version. 4
ip-address IPv4 address of the ICAP server. 0.0.0.0
ip6-address IPv6 address of the ICAP server. ::
port ICAP server port. 1344
max-connections Maximum number of concurrent connections to ICAP server. 100
ips/custom
CLI Syntax
config ips custom
edit <name_str>
set tag <string>
set signature <string>
set sig-name <string>
set rule-id <integer>
set severity <user>
set location <user>
set os <user>
set application <user>
set protocol <user>
set status {disable | enable}
set log {disable | enable}
set log-packet {disable | enable}
set action {pass | block}
set comment <string>
end
Description
Configuration Description Default Value
tag Signature tag. (Empty)
signature Signature text. (Empty)
sig-name Signature name. (Empty)
rule-id Signature ID. 0
severity Severity. (Empty)
location Vulnerable location. (Empty)
os Vulnerable operating systems. (Empty)
application Vulnerable applications. (Empty)
protocol Vulnerable service. (Empty)
status Enable/disable status. enable
log Enable/disable logging. enable
log-packet Enable/disable packet logging. disable
action Action. pass
comment Comment. (Empty)
ips/dbinfo
CLI Syntax
config ips dbinfo
edit <name_str>
set version <integer>
end
Description
Configuration Description Default Value
version Internal category version. 0
ips/decoder
CLI Syntax
config ips decoder
edit <name_str>
set name <string>
config parameter
edit <name_str>
set name <string>
set value <string>
end
end
Description
Configuration Description Default Value
name Decoder name. (Empty)
parameter IPS group parameters. (Empty)
ips/global
CLI Syntax
config ips global
edit <name_str>
set fail-open {enable | disable}
set database {regular | extended}
set traffic-submit {enable | disable}
set anomaly-mode {periodical | continuous}
set session-limit-mode {accurate | heuristic}
set intelligent-mode {enable | disable}
set socket-size <integer>
set engine-count <integer>
set algorithm {engine-pick | low | high | super}
set sync-session-ttl {enable | disable}
set np-accel-mode {none | basic}
set ips-reserve-cpu {disable | enable}
set cp-accel-mode {none | basic | advanced}
set skype-client-public-ipaddr <var-string>
set default-app-cat-mask <user>
set deep-app-insp-timeout <integer>
set deep-app-insp-db-limit <integer>
set exclude-signatures {none | industrial}
end
Description
Configuration Description Default Value
fail-open Enable/disable IPS fail open option. enable
database IPS database selection. extended
traffic-submit Enable/disable submit attack characteristics to FortiGuard Service. disable
anomaly-mode Blocking mode for rate-based anomaly. continuous
session-limit-mode Counter mode for session-limit anomaly. heuristic
intelligent-mode Enable/disable intelligent scan mode. enable
socket-size IPS socket buffer size. 128
engine-count Number of engines (0: use recommended setting). 0
algorithm Signature matching algorithm. engine-pick
sync-session-ttl Enable/disable use of kernel session TTL for IPS sessions. disable
np-accel-mode Network Processor acceleration mode. basic
ips-reserve-cpu Enable/disable IPS daemon's use of CPUs other than CPU 0. disable
cp-accel-mode Content Processor acceleration mode. advanced
skype-client-public-ipaddr Comma-separated client external IP address for decrypting Skype protocol. (Empty)
default-app-cat-mask Default enabled application category mask. 18446744073709551615
deep-app-insp-timeout Timeout for deep application inspection (1 - 2147483647 sec., 0 = use recommended setting). 0
deep-app-insp-db-limit Limit on number of entries in deep application inspection database (1 - 2147483647, 0 = use recommended setting). 0
exclude-signatures Excluded signatures. industrial
ips/rule
CLI Syntax
config ips rule
edit <name_str>
set name <string>
set status {disable | enable}
set log {disable | enable}
set log-packet {disable | enable}
set action {pass | block}
set group <string>
set severity {}
set location {}
set os <user>
set application <user>
set service <user>
set rule-id <integer>
set rev <integer>
set date <integer>
config metadata
edit <name_str>
set id <integer>
set metaid <integer>
set valueid <integer>
end
end
Description
Configuration Description Default Value
name Rule name. (Empty)
status Enable/disable status. enable
log Enable/disable logging. enable
log-packet Enable/disable packet logging. disable
action Action. pass
group Group. (Empty)
severity Severity. (Empty)
location Vulnerable location. (Empty)
os Vulnerable operating systems. (Empty)
application Vulnerable applications. (Empty)
service Vulnerable service. (Empty)
rule-id Rule ID. 0
rev Revision. 0
date Date. 0
metadata Meta data. (Empty)
ips/rule-settings
CLI Syntax
config ips rule-settings
edit <name_str>
set id <integer>
config tags
edit <name_str>
set name <string>
end
end
Description
Configuration Description Default Value
id Rule ID. 0
tags Applied object tags. (Empty)
ips/sensor
CLI Syntax
config ips sensor
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
set block-malicious-url {disable | enable}
config entries
edit <name_str>
set id <integer>
config rule
edit <name_str>
set id <integer>
end
set location <user>
set severity <user>
set protocol <user>
set os <user>
set application <user>
config tags
edit <name_str>
set name <string>
end
set status {disable | enable | default}
set log {disable | enable}
set log-packet {disable | enable}
set log-attack-context {disable | enable}
set action {pass | block | reset | default}
set rate-count <integer>
set rate-duration <integer>
set rate-mode {periodical | continuous}
set rate-track {none | src-ip | dest-ip | dhcp-client-mac | dns-domain}
config exempt-ip
edit <name_str>
set id <integer>
set src-ip <ipv4-classnet>
set dst-ip <ipv4-classnet>
end
set quarantine {none | attacker | both | interface}
set quarantine-expiry <user>
set quarantine-log {disable | enable}
end
config filter
edit <name_str>
set name <string>
set location <user>
set severity <user>
set protocol <user>
set os <user>
set application <user>
set status {disable | enable | default}
set log {disable | enable}
set log-packet {disable | enable}
set action {pass | block | reset | default}
set quarantine {none | attacker | both | interface}
set quarantine-expiry <integer>
set quarantine-log {disable | enable}
end
config override
edit <name_str>
set rule-id <integer>
set status {disable | enable}
set log {disable | enable}
set log-packet {disable | enable}
set action {pass | block | reset}
set quarantine {none | attacker | both | interface}
set quarantine-expiry <integer>
set quarantine-log {disable | enable}
config exempt-ip
edit <name_str>
set id <integer>
set src-ip <ipv4-classnet>
set dst-ip <ipv4-classnet>
end
end
end
Description
Configuration Description Default Value
name Sensor name. (Empty)
comment Comment. (Empty)
replacemsg-group Replacement message group. (Empty)
block-malicious-url Enable/disable malicious URL blocking. disable
entries IPS sensor filter. (Empty)
filter IPS sensor filter. (Empty)
override IPS override rule. (Empty)
ips/settings
CLI Syntax
config ips settings
edit <name_str>
set packet-log-history <integer>
set packet-log-post-attack <integer>
set packet-log-memory <integer>
set ips-packet-quota <integer>
end
Description
Configuration Description Default Value
packet-log-history Number of packets to be recorded before alert (1 - 255). 1
packet-log-post-attack Number of packets to be recorded after attack (0 - 255). 0
packet-log-memory Maximum memory that can be used by packet log (64 - 8192 kB). 256
ips-packet-quota IPS packet quota. 0
log.disk/filter
CLI Syntax
config log.disk filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set dlp-archive {enable | disable}
set gtp {enable | disable}
set event {enable | disable}
set system {enable | disable}
set radius {enable | disable}
set ipsec {enable | disable}
set dhcp {enable | disable}
set ppp {enable | disable}
set admin {enable | disable}
set ha {enable | disable}
set auth {enable | disable}
set pattern {enable | disable}
set sslvpn-log-auth {enable | disable}
set sslvpn-log-adm {enable | disable}
set sslvpn-log-session {enable | disable}
set vip-ssl {enable | disable}
set ldb-monitor {enable | disable}
set wan-opt {enable | disable}
set wireless-activity {enable | disable}
set cpu-memory-usage {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
dlp-archive Enable/disable log DLP archive. enable
gtp Enable/disable log GTP messages. enable
event Enable/disable log event messages. enable
system Enable/disable log system activity messages. enable
radius Enable/disable log RADIUS messages. enable
ipsec Enable/disable log IPsec negotiation messages. enable
dhcp Enable/disable log DHCP service messages. enable
ppp Enable/disable log L2TP/PPTP/PPPoE messages. enable
admin Enable/disable log admin login/logout messages. enable
ha Enable/disable log HA activity messages. enable
auth Enable/disable log firewall authentication messages. enable
pattern Enable/disable log pattern update messages. enable
sslvpn-log-auth Enable/disable log SSL user authentication. enable
sslvpn-log-adm Enable/disable log SSL administration. enable
sslvpn-log-session Enable/disable log SSL session. enable
vip-ssl Enable/disable log VIP SSL messages. enable
ldb-monitor Enable/disable log VIP real server health monitoring messages. enable
wan-opt Enable/disable log WAN optimization messages. enable
wireless-activity Enable/disable log wireless activity. enable
cpu-memory-usage Enable/disable log CPU & memory usage every 5 minutes. disable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include
log.disk/setting
CLI Syntax
config log.disk setting
edit <name_str>
set status {enable | disable}
set ips-archive {enable | disable}
set max-log-file-size <integer>
set max-policy-packet-capture-size <integer>
set roll-schedule {daily | weekly}
set roll-day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set roll-time <user>
set diskfull {overwrite | nolog}
set log-quota <integer>
set dlp-archive-quota <integer>
set report-quota <integer>
set maximum-log-age <integer>
set upload {enable | disable}
set upload-destination {ftp-server}
set uploadip <ipv4-address>
set uploadport <integer>
set source-ip <ipv4-address>
set uploaduser <string>
set uploadpass <password>
set uploaddir <string>
set uploadtype {traffic | event | virus | webfilter | IPS | spamfilter | dlp-archive | anomaly | voip | dlp | app-ctrl | waf | netscan | gtp}
set uploadzip {disable | enable}
set uploadsched {disable | enable}
set uploadtime <integer>
set upload-delete-files {enable | disable}
set upload-ssl-conn {default | high | low | disable}
set full-first-warning-threshold <integer>
set full-second-warning-threshold <integer>
set full-final-warning-threshold <integer>
end
Description
Configuration Description Default Value
status Enable/disable local disk log. disable
ips-archive Enable/disable IPS packet archive. enable
max-log-file-size Maximum log file size in MB before rolling. 20
max-policy-packet-capture-size Maximum size of policy sniffer in MB (0 = unlimited). 10
roll-schedule Frequency to check log file for rolling. daily
roll-day Days of week to roll logs. sunday
roll-time Time to roll logs (hh:mm). 00:00
diskfull Policy to apply when disk is full. overwrite
log-quota Disk log quota (MB). 0
dlp-archive-quota DLP archive quota (MB). 0
report-quota Report quota (MB). 0
maximum-log-age Delete log files older than (days). 7
upload Enable/disable upload of log files upon rolling. disable
upload-destination Server type. ftp-server
uploadip IP address of log uploading server. [Link]
uploadport Port of the log uploading server. 21
source-ip Source IP address of the disk log uploading. [Link]
uploaduser User account in the uploading server. (Empty)
uploadpass Password of the user account in the uploading server. (Empty)
uploaddir Log file uploading remote directory. (Empty)
uploadtype Types of log files that need to be uploaded. traffic event virus webfilter IPS spamfilter dlp-archive anomaly voip dlp app-ctrl waf netscan gtp
uploadzip Enable/disable compression of uploaded logs. disable
uploadsched Scheduled upload (disable = upload when rolling). disable
uploadtime Time of scheduled upload. 0
upload-delete-files Delete log files after uploading (default=enable). enable
upload-ssl-conn Enable/disable SSL communication when uploading. default
full-first-warning-threshold Log full first warning threshold (1 - 98, default = 75). 75
full-second-warning-threshold Log full second warning threshold (2 - 99, default = 90). 90
full-final-warning-threshold Log full final warning threshold (3 - 100, default = 95). 95
[Link]/filter
CLI Syntax
config [Link] filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set dlp-archive {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
dlp-archive Enable/disable log DLP archive. enable
gtp Enable/disable log GTP messages. enable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include
[Link]/override-filter
CLI Syntax
config [Link] override-filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set dlp-archive {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
dlp-archive Enable/disable log DLP archive. enable
gtp Enable/disable log GTP messages. enable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include
[Link]/override-setting
CLI Syntax
config [Link] override-setting
edit <name_str>
set override {enable | disable}
set use-management-vdom {enable | disable}
set status {enable | disable}
set ips-archive {enable | disable}
set server <string>
set hmac-algorithm {sha256 | sha1}
set enc-algorithm {default | high | low | disable}
set conn-timeout <integer>
set monitor-keepalive-period <integer>
set monitor-failure-retry-period <integer>
set mgmt-name <string>
set faz-type <integer>
set source-ip <string>
set __change_ip <integer>
set upload-option {store-and-upload | realtime}
set upload-interval {daily | weekly | monthly}
set upload-day <user>
set upload-time <user>
set reliable {enable | disable}
end
Description
Configuration Description Default Value
override Enable/disable override FortiAnalyzer settings or use the global settings. disable
use-management-vdom Enable/disable use of management VDOM IP address as source IP for logs sent to FortiAnalyzer. disable
status Enable/disable FortiAnalyzer. disable
ips-archive Enable/disable IPS packet archive. enable
server IPv4 or IPv6 address of the remote FortiAnalyzer. (Empty)
hmac-algorithm FortiAnalyzer IPsec tunnel HMAC algorithm. sha256
enc-algorithm Enable/disable sending of FortiAnalyzer log data with SSL encryption. high
conn-timeout FortiAnalyzer connection time-out in seconds (for status and log buffer). 10
monitor-keepalive-period Time between OFTP keepalives in seconds (for status and log buffer). 5
monitor-failure-retry-period Time between FortiAnalyzer connection retries in seconds (for status and log buffer). 5
mgmt-name Hidden management name of FortiAnalyzer. (Empty)
faz-type Hidden setting index of FortiAnalyzer. 4
source-ip Source IPv4 or IPv6 address used to communicate with FortiAnalyzer. (Empty)
__change_ip Hidden attribute. 0
upload-option Enable/disable logging to hard disk and then upload to FortiAnalyzer. realtime
upload-interval Frequency to check log file for upload. daily
upload-day Days of week (month) to upload logs. (Empty)
upload-time Time to upload logs (hh:mm). 00:59
reliable Enable/disable reliable logging to FortiAnalyzer. disable
[Link]/setting
CLI Syntax
config [Link] setting
edit <name_str>
set status {enable | disable}
set ips-archive {enable | disable}
set server <string>
set hmac-algorithm {sha256 | sha1}
set enc-algorithm {default | high | low | disable}
set conn-timeout <integer>
set monitor-keepalive-period <integer>
set monitor-failure-retry-period <integer>
set mgmt-name <string>
set faz-type <integer>
set source-ip <string>
set __change_ip <integer>
set upload-option {store-and-upload | realtime}
set upload-interval {daily | weekly | monthly}
set upload-day <user>
set upload-time <user>
set reliable {enable | disable}
end
Description
Configuration Description Default Value
status Enable/disable FortiAnalyzer. disable
ips-archive Enable/disable IPS packet archive. enable
server IPv4 or IPv6 address of the remote FortiAnalyzer. (Empty)
hmac-algorithm FortiAnalyzer IPsec tunnel HMAC algorithm. sha256
enc-algorithm Enable/disable sending of FortiAnalyzer log data with SSL encryption. high
conn-timeout FortiAnalyzer connection time-out in seconds (for status and log buffer). 10
monitor-keepalive-period Time between OFTP keepalives in seconds (for status and log buffer). 5
monitor-failure-retry-period Time between FortiAnalyzer connection retries in seconds (for status and log buffer). 5
mgmt-name Hidden management name of FortiAnalyzer. FGh_Log1
faz-type Hidden setting index of FortiAnalyzer. 1
source-ip Source IPv4 or IPv6 address used to communicate with FortiAnalyzer. (Empty)
__change_ip Hidden attribute. 0
upload-option Enable/disable logging to hard disk and then upload to FortiAnalyzer. realtime
upload-interval Frequency to check log file for upload. daily
upload-day Days of week (month) to upload logs. (Empty)
upload-time Time to upload logs (hh:mm). 00:59
reliable Enable/disable reliable logging to FortiAnalyzer. disable
log.fortianalyzer2/filter
CLI Syntax
config log.fortianalyzer2 filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set dlp-archive {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
dlp-archive Enable/disable log DLP archive. enable
gtp Enable/disable log GTP messages. enable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include
log.fortianalyzer2/setting
CLI Syntax
config log.fortianalyzer2 setting
edit <name_str>
set status {enable | disable}
set ips-archive {enable | disable}
set server <string>
set hmac-algorithm {sha256 | sha1}
set enc-algorithm {default | high | low | disable}
set conn-timeout <integer>
set monitor-keepalive-period <integer>
set monitor-failure-retry-period <integer>
set mgmt-name <string>
set faz-type <integer>
set source-ip <string>
set __change_ip <integer>
set upload-option {store-and-upload | realtime}
set upload-interval {daily | weekly | monthly}
set upload-day <user>
set upload-time <user>
set reliable {enable | disable}
end
Description
Configuration Description Default Value
status Enable/disable FortiAnalyzer. disable
ips-archive Enable/disable IPS packet archive. enable
server IPv4 or IPv6 address of the remote FortiAnalyzer. (Empty)
hmac-algorithm FortiAnalyzer IPsec tunnel HMAC algorithm. sha256
enc-algorithm Enable/disable sending of FortiAnalyzer log data with SSL encryption. high
conn-timeout FortiAnalyzer connection time-out in seconds (for status and log buffer). 10
monitor-keepalive-period Time between OFTP keepalives in seconds (for status and log buffer). 5
monitor-failure-retry-period Time between FortiAnalyzer connection retries in seconds (for status and log buffer). 5
mgmt-name Hidden management name of FortiAnalyzer. FGh_Log2
faz-type Hidden setting index of FortiAnalyzer. 2
source-ip Source IPv4 or IPv6 address used to communicate with FortiAnalyzer. (Empty)
__change_ip Hidden attribute. 0
upload-option Enable/disable logging to hard disk and then upload to FortiAnalyzer. realtime
upload-interval Frequency to check log file for upload. daily
upload-day Days of week (month) to upload logs. (Empty)
upload-time Time to upload logs (hh:mm). 00:59
reliable Enable/disable reliable logging to FortiAnalyzer. disable
log.fortianalyzer3/filter
CLI Syntax
config log.fortianalyzer3 filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
gtp Enable/disable log GTP messages. enable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include
log.fortianalyzer3/setting
CLI Syntax
config log.fortianalyzer3 setting
edit <name_str>
set status {enable | disable}
set ips-archive {enable | disable}
set server <string>
set hmac-algorithm {sha256 | sha1}
set enc-algorithm {default | high | low | disable}
set conn-timeout <integer>
set monitor-keepalive-period <integer>
set monitor-failure-retry-period <integer>
set mgmt-name <string>
set faz-type <integer>
set source-ip <string>
set __change_ip <integer>
set upload-option {store-and-upload | realtime}
set upload-interval {daily | weekly | monthly}
set upload-day <user>
set upload-time <user>
set reliable {enable | disable}
end
Description
Configuration Description Default Value
status Enable/disable FortiAnalyzer. disable
ips-archive Enable/disable IPS packet archive. enable
server IPv4 or IPv6 address of the remote FortiAnalyzer. (Empty)
hmac-algorithm FortiAnalyzer IPsec tunnel HMAC algorithm. sha256
enc-algorithm Enable/disable sending of FortiAnalyzer log data with SSL encryption. high
conn-timeout FortiAnalyzer connection time-out in seconds (for status and log buffer). 10
monitor-keepalive-period Time between OFTP keepalives in seconds (for status and log buffer). 5
monitor-failure-retry-period Time between FortiAnalyzer connection retries in seconds (for status and log buffer). 5
mgmt-name Hidden management name of FortiAnalyzer. FGh_Log3
faz-type Hidden setting index of FortiAnalyzer. 3
source-ip Source IPv4 or IPv6 address used to communicate with FortiAnalyzer. (Empty)
__change_ip Hidden attribute. 0
upload-option Enable/disable logging to hard disk and then upload to FortiAnalyzer. realtime
upload-interval Frequency to check log file for upload. daily
upload-day Days of week (month) to upload logs. (Empty)
upload-time Time to upload logs (hh:mm). 00:59
reliable Enable/disable reliable logging to FortiAnalyzer. disable
[Link]/filter
CLI Syntax
config [Link] filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set dlp-archive {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
dlp-archive Enable/disable log DLP archive. enable
gtp Enable/disable log GTP messages. enable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include
[Link]/override-filter
CLI Syntax
config [Link] override-filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set dlp-archive {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
dlp-archive Enable/disable log DLP archive. enable
gtp Enable/disable log GTP messages. enable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include
[Link]/override-setting
CLI Syntax
config [Link] override-setting
edit <name_str>
set override {enable | disable}
set status {enable | disable}
set upload-option {store-and-upload | realtime}
set upload-interval {daily | weekly | monthly}
set upload-day <user>
set upload-time <user>
end
Description
Configuration Description Default Value
override Enable/disable override FortiGuard settings or use the global settings. disable
status Enable FortiCloud. disable
upload-option Enable/disable logging to hard disk and then upload to FortiCloud. realtime
upload-interval Frequency to check log file for upload. daily
upload-day Days of week to roll logs. (Empty)
upload-time Time to roll logs (hh:mm). 00:00
[Link]/setting
CLI Syntax
config [Link] setting
edit <name_str>
set status {enable | disable}
set upload-option {store-and-upload | realtime}
set upload-interval {daily | weekly | monthly}
set upload-day <user>
set upload-time <user>
set enc-algorithm {default | high | low | disable}
set source-ip <ipv4-address>
end
Description
Configuration Description Default Value
status Enable FortiCloud. disable
upload-option Enable/disable logging to hard disk and then upload to FortiCloud. realtime
upload-interval Frequency to check log file for upload. daily
upload-day Days of week to roll logs. (Empty)
upload-time Time to roll logs (hh:mm). 00:00
enc-algorithm Enable/disable sending of FortiCloud log data with SSL encryption. high
source-ip Source IP address used to connect FortiCloud. [Link]
[Link]/filter
CLI Syntax
config [Link] filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set event {enable | disable}
set system {enable | disable}
set radius {enable | disable}
set ipsec {enable | disable}
set dhcp {enable | disable}
set ppp {enable | disable}
set admin {enable | disable}
set ha {enable | disable}
set auth {enable | disable}
set pattern {enable | disable}
set sslvpn-log-auth {enable | disable}
set sslvpn-log-adm {enable | disable}
set sslvpn-log-session {enable | disable}
set vip-ssl {enable | disable}
set ldb-monitor {enable | disable}
set wan-opt {enable | disable}
set wireless-activity {enable | disable}
set cpu-memory-usage {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
gtp Enable/disable log GTP messages. enable
event Enable/disable log event messages. enable
system Enable/disable log system activity messages. enable
radius Enable/disable log RADIUS messages. enable
ipsec Enable/disable log IPsec negotiation messages. enable
dhcp Enable/disable log DHCP service messages. enable
ppp Enable/disable log L2TP/PPTP/PPPoE messages. enable
admin Enable/disable log admin login/logout messages. enable
ha Enable/disable log HA activity messages. enable
auth Enable/disable log firewall authentication messages. enable
pattern Enable/disable log pattern update messages. enable
sslvpn-log-auth Enable/disable log SSL user authentication. enable
sslvpn-log-adm Enable/disable log SSL administration. enable
sslvpn-log-session Enable/disable log SSL session. enable
vip-ssl Enable/disable log VIP SSL messages. enable
ldb-monitor Enable/disable log VIP real server health monitoring messages. enable
wan-opt Enable/disable log WAN optimization messages. enable
wireless-activity Enable/disable log wireless activity. enable
cpu-memory-usage Enable/disable log CPU & memory usage every 5 minutes. disable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include
[Link]/global-setting
CLI Syntax
config [Link] global-setting
edit <name_str>
set max-size <integer>
set full-first-warning-threshold <integer>
set full-second-warning-threshold <integer>
set full-final-warning-threshold <integer>
end
Description
Configuration Description Default Value
max-size Maximum memory buffer size for log (byte). 163840
full-first-warning-threshold Log full first warning threshold (1 - 98, default = 75). 75
full-second-warning-threshold Log full second warning threshold (2 - 99, default = 90). 90
full-final-warning-threshold Log full final warning threshold (3 - 100, default = 95). 95
[Link]/setting
CLI Syntax
config [Link] setting
edit <name_str>
set status {enable | disable}
set diskfull {overwrite}
end
Description
Configuration Description Default Value
status Enable/disable memory buffer log. enable
diskfull Action when memory is full. overwrite
[Link]/filter
CLI Syntax
config [Link] filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
gtp Enable/disable log GTP messages. enable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include
[Link]/override-filter
CLI Syntax
config [Link] override-filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
gtp Enable/disable log GTP messages. enable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include
[Link]/override-setting
CLI Syntax
config [Link] override-setting
edit <name_str>
set override {enable | disable}
set status {enable | disable}
set server <string>
set reliable {enable | disable}
set port <integer>
set csv {enable | disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
set source-ip <string>
end
Description
Configuration Description Default Value
override Enable/disable override syslog settings. disable
status Enable/disable remote syslog logging. disable
server Address of remote syslog server. (Empty)
reliable Enable/disable reliable logging (RFC3195). disable
port Server listen port. 514
csv Enable/disable CSV formatting of logs. disable
facility Remote syslog facility. local7
source-ip Source IP address of syslog. (Empty)
[Link]/setting
CLI Syntax
config [Link] setting
edit <name_str>
set status {enable | disable}
set server <string>
set reliable {enable | disable}
set port <integer>
set csv {enable | disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
set source-ip <string>
end
Description
Configuration Description Default Value
status Enable/disable remote syslog logging. disable
server Address of remote syslog server. (Empty)
reliable Enable/disable reliable logging (RFC3195). disable
port Server listen port. 514
csv Enable/disable CSV formatting of logs. disable
facility Remote syslog facility. local7
source-ip Source IP address of syslog. (Empty)
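The disk, FortiAnalyzer, memory and syslog setting tables above each carry a default that decides whether logs survive a reboot and whether they leave the unit encrypted and with delivery confirmed. The following audit script is an added example, not Fortinet code: it flattens a FortiOS config dump into per-block settings and flags the weak combinations documented on this page (upload-ssl-conn disable, reliable disable, enc-algorithm disable, hmac-algorithm sha1, out-of-range full-warning thresholds, memory-only logging). It assumes the unredacted block names log.disk, log.memory, log.syslogd and log.fortianalyzer; every address in the sample config is a constructed placeholder.

```python
"""Audit FortiOS 5.4 `config log.<target> setting` blocks for weak defaults.

Added example, not Fortinet code. Block names assume the unredacted FortiOS
names (log.disk, log.memory, log.syslogd, log.fortianalyzer, log.fortiguard).
"""
from typing import Dict, List

Blocks = Dict[str, Dict[str, str]]

# Destinations whose `status` decides whether anything persists beyond the memory buffer.
PERSISTENT_TARGETS = (
    "log.disk setting",
    "log.fortianalyzer setting", "log.fortianalyzer2 setting", "log.fortianalyzer3 setting",
    "log.syslogd setting", "log.syslogd2 setting", "log.syslogd3 setting",
    "log.fortiguard setting",
)

# Allowed ranges for the disk-full warning thresholds, as given on this page.
THRESHOLDS = {
    "full-first-warning-threshold": (1, 98),
    "full-second-warning-threshold": (2, 99),
    "full-final-warning-threshold": (3, 100),
}


def parse_config(text: str) -> Blocks:
    """Flatten a config dump into {"log.syslogd setting": {key: value}, ...}.

    `edit`/`next` lines are ignored because these log settings are not table
    entries; a value keeps everything after the key (multi-word uploadtype).
    """
    blocks: Blocks = {}
    stack: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
            blocks.setdefault(stack[-1], {})
        elif line.startswith("set ") and stack:
            key, _, value = line[len("set "):].partition(" ")
            blocks[stack[-1]][key] = value.strip().strip('"')
        elif line == "end" and stack:
            stack.pop()
    return blocks


def audit(blocks: Blocks) -> List[str]:
    """Return one finding string per weak setting; an empty list means clean."""
    findings: List[str] = []
    persistent = [t for t in PERSISTENT_TARGETS if blocks.get(t, {}).get("status") == "enable"]
    memory = blocks.get("log.memory setting", {})
    if not persistent and memory.get("status", "enable") == "enable":
        findings.append("log.memory setting: memory buffer is the only enabled log "
                        "destination; logs are lost on reboot or when the buffer wraps")

    disk = blocks.get("log.disk setting", {})
    if disk.get("upload") == "enable" and disk.get("upload-ssl-conn", "default") == "disable":
        findings.append("log.disk setting: upload-ssl-conn disable; rolled log files and the "
                        "uploaduser credentials reach the FTP server without SSL")
    for key, (low, high) in THRESHOLDS.items():
        if key in disk and not low <= int(disk[key]) <= high:
            findings.append(f"log.disk setting: {key}={disk[key]} outside {low}-{high}")

    for name in PERSISTENT_TARGETS:
        cfg = blocks.get(name, {})
        if cfg.get("status") != "enable":
            continue
        if name.startswith("log.syslogd") and cfg.get("reliable", "disable") != "enable":
            findings.append(f"{name}: reliable disable; delivery is best-effort and "
                            "dropped messages go unnoticed")
        if name.startswith("log.fortianalyzer"):
            if cfg.get("enc-algorithm", "high") == "disable":
                findings.append(f"{name}: enc-algorithm disable; log data is sent without SSL")
            if cfg.get("hmac-algorithm", "sha256") == "sha1":
                findings.append(f"{name}: hmac-algorithm sha1; the default is sha256")
    return findings


def audit_text(text: str) -> List[str]:
    return audit(parse_config(text))


# Constructed sample: every address is a documentation placeholder, not a real host.
SAMPLE_CONFIG = """
config log.memory setting
    set status enable
end
config log.disk setting
    set status enable
    set upload enable
    set uploadip 192.0.2.10
    set uploaduser "logbot"
    set upload-ssl-conn disable
    set full-first-warning-threshold 99
end
config log.syslogd setting
    set status enable
    set server "192.0.2.20"
    set reliable disable
    set port 514
end
config log.fortianalyzer setting
    set status enable
    set server "192.0.2.30"
    set enc-algorithm disable
    set hmac-algorithm sha1
end
"""

if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONFIG):
        print(finding)
```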
log.syslogd2/filter
CLI Syntax
config log.syslogd2 filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
gtp Enable/disable log GTP messages. enable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include
log.syslogd2/setting
CLI Syntax
config log.syslogd2 setting
edit <name_str>
set status {enable | disable}
set server <string>
set reliable {enable | disable}
set port <integer>
set csv {enable | disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
set source-ip <string>
end
Description
Configuration Description Default Value
status Enable/disable remote syslog logging. disable
server Address of remote syslog server. (Empty)
reliable Enable/disable reliable logging (RFC 3195, delivered over TCP instead of UDP). disable
port Server listen port. 514
csv Enable/disable CSV formatting of logs. disable
facility Remote syslog facility. local7
source-ip Source IP address of syslog. (Empty)
log.syslogd3/filter
CLI Syntax
config log.syslogd3 filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
gtp Enable/disable log GTP messages. enable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include
log.syslogd3/setting
CLI Syntax
config log.syslogd3 setting
edit <name_str>
set status {enable | disable}
set server <string>
set reliable {enable | disable}
set port <integer>
set csv {enable | disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
set source-ip <string>
end
Description
Configuration Description Default Value
status Enable/disable remote syslog logging. disable
server Address of remote syslog server. (Empty)
reliable Enable/disable reliable logging (RFC 3195, delivered over TCP instead of UDP). disable
port Server listen port. 514
csv Enable/disable CSV formatting of logs. disable
facility Remote syslog facility. local7
source-ip Source IP address of syslog. (Empty)
log.syslogd4/filter
CLI Syntax
config log.syslogd4 filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
gtp Enable/disable log GTP messages. enable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include
log.syslogd4/setting
CLI Syntax
config log.syslogd4 setting
edit <name_str>
set status {enable | disable}
set server <string>
set reliable {enable | disable}
set port <integer>
set csv {enable | disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
set source-ip <string>
end
Description
Configuration Description Default Value
status Enable/disable remote syslog logging. disable
server Address of remote syslog server. (Empty)
reliable Enable/disable reliable logging (RFC 3195, delivered over TCP instead of UDP). disable
port Server listen port. 514
csv Enable/disable CSV formatting of logs. disable
facility Remote syslog facility. local7
source-ip Source IP address of syslog. (Empty)
log.webtrends/filter
CLI Syntax
config log.webtrends filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
gtp Enable/disable log GTP messages. enable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include
log.webtrends/setting
CLI Syntax
config log.webtrends setting
edit <name_str>
set status {enable | disable}
set server <string>
end
Description
Configuration Description Default Value
status Enable/disable WebTrends logging. disable
server Address of the remote WebTrends. (Empty)
log/custom-field
CLI Syntax
config log custom-field
edit <name_str>
set id <string>
set name <string>
set value <string>
end
Description
Configuration Description Default Value
id ID. (Empty)
name Field name. (Empty)
value Field value. (Empty)
log/eventfilter
CLI Syntax
config log eventfilter
edit <name_str>
set event {enable | disable}
set system {enable | disable}
set vpn {enable | disable}
set user {enable | disable}
set router {enable | disable}
set wireless-activity {enable | disable}
set wan-opt {enable | disable}
set endpoint {enable | disable}
set ha {enable | disable}
set compliance-check {enable | disable}
end
Description
Configuration Description Default Value
event Enable/disable log event messages. enable
system Enable/disable log system activity messages. enable
vpn Enable/disable log VPN messages. enable
user Enable/disable log user activity messages. enable
router Enable/disable log router activity. enable
wireless-activity Enable/disable log wireless activity. enable
wan-opt Enable/disable log WAN optimization messages. enable
endpoint Enable/disable log for endpoint events. enable
ha Enable/disable log for ha events. enable
compliance-check Enable/disable log for PCI DSS compliance check. enable
log/gui-display
CLI Syntax
config log gui-display
edit <name_str>
set resolve-hosts {enable | disable}
set resolve-apps {enable | disable}
set fortiview-unscanned-apps {enable | disable}
set fortiview-local-traffic {enable | disable}
set location {memory | disk | fortianalyzer | fortiguard}
end
Description
Configuration Description Default Value
resolve-hosts Resolve IP addresses to hostnames on the GUI using reverse DNS lookup. enable
resolve-apps Resolve unknown applications on the GUI using remote application database. enable
fortiview-unscanned-apps Enable/disable inclusion of unscanned traffic in FortiView application charts. disable
fortiview-local-traffic Enable/disable inclusion of local-in traffic in FortiView realtime charts. disable
location GUI log location display. memory
log/setting
CLI Syntax
config log setting
edit <name_str>
set resolve-ip {enable | disable}
set resolve-port {enable | disable}
set log-user-in-upper {enable | disable}
set fwpolicy-implicit-log {enable | disable}
set fwpolicy6-implicit-log {enable | disable}
set log-invalid-packet {enable | disable}
set local-in-allow {enable | disable}
set local-in-deny-unicast {enable | disable}
set local-in-deny-broadcast {enable | disable}
set local-out {enable | disable}
set daemon-log {enable | disable}
set neighbor-event {enable | disable}
set brief-traffic-format {enable | disable}
set user-anonymize {enable | disable}
set fortiview-weekly-data {enable | disable}
end
Description
Configuration Description Default Value
resolve-ip Add resolved domain name into traffic log if possible. disable
resolve-port Add resolved service name into traffic log if possible. enable
log-user-in-upper Enable/disable writing user names to logs in upper case. disable
fwpolicy-implicit-log Enable/disable logging of IPv4 traffic dropped by the implicit deny policy. disable
fwpolicy6-implicit-log Enable/disable logging of IPv6 traffic dropped by the implicit deny policy. disable
log-invalid-packet Enable/disable traffic logging of invalid packets. disable
local-in-allow Enable/disable logging of allowed local-in traffic (traffic addressed to the unit itself). disable
local-in-deny-unicast Enable/disable logging of denied local-in unicast traffic. disable
local-in-deny-broadcast Enable/disable logging of denied local-in broadcast traffic. disable
local-out Enable/disable logging of local-out traffic (traffic originated by the unit). disable
daemon-log Enable/disable collect daemon log. disable
neighbor-event Enable/disable collect neighbor event log. disable
brief-traffic-format Enable/disable use of brief format for traffic log. disable
user-anonymize Enable/disable anonymize log user name. disable
fortiview-weekly-data Enable/disable FortiView weekly data. disable
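An added example (the editor's Python, not code from the FortiOS reference): a parser for the config / edit / set / next / end grammar every entry in this section uses, followed by an audit pass over the log syslogd setting, log syslogd filter, log setting and log eventfilter blocks documented above. Assumptions, stated here and in the code: blocks are matched by the names typed on a device (config log syslogd setting; the page's log.syslogd is the extraction tool's spelling of the same block, and the global setting blocks take set lines directly, with no edit), traffic logs are written at notice level, a missing set means the default shown in the tables, and the sample configuration text is constructed. Each finding is a (severity, block, key, message) tuple.

```python
"""Parse FortiOS CLI config text and audit its logging blocks (added example)."""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Node:
    """One block: its set values, its edit entries and its nested config tables."""
    settings: Dict[str, List[str]] = field(default_factory=dict)
    entries: Dict[str, "Node"] = field(default_factory=dict)
    tables: Dict[str, "Node"] = field(default_factory=dict)


def parse_fortios(text: str) -> Node:
    """Build a Node tree from config / edit / set / next / end lines."""
    root = Node()
    stack = [("config", root)]               # (block kind, node)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, *args = shlex.split(line)        # honours the CLI's "quoted values"
        kind, node = stack[-1]
        if kw in ("config", "edit"):
            child = Node()
            (node.tables if kw == "config" else node.entries)[" ".join(args)] = child
            stack.append((kw, child))
        elif kw == "set":
            node.settings[args[0]] = args[1:]
        elif kw == "next" and kind == "edit":
            stack.pop()
        elif kw == "end" and len(stack) > 1:
            if kind == "edit":               # the CLI lets 'end' close an open edit
                stack.pop()
            stack.pop()
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root


Finding = Tuple[str, str, str, str]          # (severity, block, key, message)


def _value(node: Node, key: str, default: str) -> str:
    """A missing 'set' means the default listed in the reference tables."""
    return node.settings[key][0] if node.settings.get(key) else default


# FortiOS writes traffic logs at notice level (assumption stated in the lead-in),
# so a filter severity above notice silently drops all of them.
ABOVE_NOTICE = {"emergency", "alert", "critical", "error", "warning"}


def audit_logging(root: Node) -> List[Finding]:
    """Flag settings that leave gaps an incident responder finds too late."""
    out: List[Finding] = []
    enabled = 0
    for name in ("syslogd", "syslogd2", "syslogd3", "syslogd4"):
        block = f"log {name} setting"
        node = root.tables.get(block, Node())
        if _value(node, "status", "disable") != "enable":
            continue
        enabled += 1
        if _value(node, "reliable", "disable") != "enable":
            out.append(("medium", block, "reliable", "UDP delivery: lost messages go unnoticed"))
        if not _value(node, "source-ip", ""):
            out.append(("low", block, "source-ip", "source follows routing; pin it for collector ACLs"))
        sev = _value(root.tables.get(f"log {name} filter", Node()), "severity", "information")
        if sev in ABOVE_NOTICE:
            out.append(("high", f"log {name} filter", "severity", f"{sev} drops notice-level traffic logs"))
    if not enabled:
        out.append(("high", "log syslogd setting", "status", "no remote destination; logs exist only on the unit"))
    setting = root.tables.get("log setting", Node())
    for key in ("fwpolicy-implicit-log", "local-in-allow", "local-in-deny-unicast"):
        if _value(setting, key, "disable") != "enable":
            out.append(("medium", "log setting", key, "implicit-deny or management-plane traffic unlogged"))
    events = root.tables.get("log eventfilter", Node())
    for key in ("event", "system", "user", "vpn"):
        if _value(events, key, "enable") != "enable":
            out.append(("high", "log eventfilter", key, "admin, auth or VPN events are lost"))
    return out


# Constructed sample: UDP transport, a filter that is too tight, no local-in logs.
WEAK_CONFIG = """
config log syslogd setting
    set status enable
    set server "10.0.0.5"
end
config log syslogd filter
    set severity warning
end
"""

if __name__ == "__main__":
    for sev, block, key, msg in audit_logging(parse_fortios(WEAK_CONFIG)):
        print(f"[{sev}] {block} / {key}: {msg}")
```

With the constructed WEAK_CONFIG the audit returns six findings: UDP transport and no source-ip on the syslog destination, a warning-level filter that discards every traffic log, and the three implicit-deny and local-in switches left at their disable defaults. Adding reliable enable, a source-ip, severity information and the three enables to the same text empties the list; the eventfilter defaults on this page are already enable, so that table only produces findings when someone has switched a category off.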
log/threat-weight
CLI Syntax
config log threat-weight
edit <name_str>
set status {enable | disable}
config level
edit <name_str>
set low <integer>
set medium <integer>
set high <integer>
set critical <integer>
end
set blocked-connection {disable | low | medium | high | critical}
set failed-connection {disable | low | medium | high | critical}
set malware-detected {disable | low | medium | high | critical}
set url-block-detected {disable | low | medium | high | critical}
set botnet-connection-detected {disable | low | medium | high | critical}
config ips
edit <name_str>
set info-severity {disable | low | medium | high | critical}
set low-severity {disable | low | medium | high | critical}
set medium-severity {disable | low | medium | high | critical}
set high-severity {disable | low | medium | high | critical}
set critical-severity {disable | low | medium | high | critical}
end
config web
edit <name_str>
set id <integer>
set category <integer>
set level {disable | low | medium | high | critical}
end
config geolocation
edit <name_str>
set id <integer>
set country <string>
set level {disable | low | medium | high | critical}
end
config application
edit <name_str>
set id <integer>
set category <integer>
set level {disable | low | medium | high | critical}
end
end
Description
Configuration Description Default Value
status Enable/disable threat weight status. enable
level Level to score mapping. Details below
Configuration Default Value
low 5
medium 10
high 30
critical 50
blocked-connection Score level for blocked connections for threat weight. high
failed-connection Score level for failed connections for threat weight. low
malware-detected Score level for detected malware for threat weight. critical
url-block-detected Score level for URL blocking for threat weight. high
botnet-connection-detected Score level for detected botnet connection for threat weight. critical
ips IPS reputation settings. Details below
Configuration Default Value
info-severity disable
low-severity low
medium-severity medium
high-severity high
critical-severity critical
web Web-based threat weight settings. (Empty)
geolocation Geolocation-based threat weight settings. (Empty)
application Application-control based threat weight settings. (Empty)
netscan/assets
CLI Syntax
config netscan assets
edit <name_str>
set asset-id <integer>
set name <string>
set scheduled {disable | enable}
set addr-type {ip | range}
set start-ip <ipv4-address-any>
set end-ip <ipv4-address-any>
set auth-windows {disable | enable}
set auth-unix {disable | enable}
set win-username <string>
set win-password <password>
set unix-username <string>
set unix-password <password>
end
Description
Configuration Description Default Value
asset-id Asset ID. 0
name Name of this asset. (Empty)
scheduled Enable/disable include asset in scheduled vulnerability scan. disable
addr-type IP address or range. ip
start-ip IP address of asset or start of asset range. 0.0.0.0
end-ip End of asset range. 0.0.0.0
auth-windows Enable/disable authenticate on Windows hosts. disable
auth-unix Enable/disable authenticate on UNIX hosts. disable
win-username User name for Windows hosts. (Empty)
win-password Password for Windows hosts. (Empty)
unix-username User name for UNIX hosts. (Empty)
unix-password Password for UNIX hosts. (Empty)
These scan credentials are stored in the unit's configuration; use dedicated accounts that hold only the rights the scan needs rather than an administrator's own.
netscan/settings
CLI Syntax
config netscan settings
edit <name_str>
set scan-mode {quick | standard | full}
set scheduled-pause {disable | enable}
set time <user>
set pause-from <user>
set pause-to <user>
set recurrence {daily | weekly | monthly}
set day-of-week {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set day-of-month <integer>
set tcp-ports <user>
set udp-ports <user>
set tcp-scan {auto | enable | disable}
set udp-scan {auto | enable | disable}
set service-detection {auto | enable | disable}
set os-detection {auto | enable | disable}
end
Description
Configuration Description Default Value
scan-mode Level of vulnerability scanning to perform on ports. quick
scheduled-pause Enable/disable set time during which scanning should pause. disable
time Time of day to start the scan. 00:00
pause-from Time of day to pause scanning. 00:00
pause-to Time of day to resume scanning. 00:00
recurrence Frequency at which the scans should recur. weekly
day-of-week Day of the week on which to run the scan. sunday
day-of-month Day of the month on which to run the scan. 1
tcp-ports TCP ports scanned. (Empty)
udp-ports UDP ports scanned. (Empty)
tcp-scan Enable/disable TCP port scan. auto
udp-scan Enable/disable UDP port scan. auto
service-detection Enable/disable service detection. auto
os-detection Enable/disable OS detection. auto
report/chart
CLI Syntax
config report chart
edit <name_str>
set name <string>
set policy <integer>
set type {graph | table}
set period {last24h | last7d}
config drill-down-charts
edit <name_str>
set id <integer>
set chart-name <string>
set status {enable | disable}
end
set comments <string>
set dataset <string>
set category {misc | traffic | event | virus | webfilter | attack | spam | dlp | app-ctrl | vulnerability}
set favorite {no | yes}
set graph-type {none | bar | pie | line | flow}
set style {auto | manual}
set dimension {2D | 3D}
config x-series
edit <name_str>
set databind <string>
set caption <string>
set caption-font-size <integer>
set font-size <integer>
set label-angle {45-degree | vertical | horizontal}
set is-category {yes | no}
set scale-unit {minute | hour | day | month | year}
set scale-step <integer>
set scale-direction {decrease | increase}
set scale-format {YYYY-MM-DD-HH-MM | YYYY-MM-DD HH | YYYY-MM-DD | YYYY-MM | YYYY | HH-MM | MM-DD}
set unit <string>
end
config y-series
edit <name_str>
set databind <string>
set caption <string>
set caption-font-size <integer>
set font-size <integer>
set label-angle {45-degree | vertical | horizontal}
set group <string>
set unit <string>
set extra-y {enable | disable}
set extra-databind <string>
set y-legend <string>
set extra-y-legend <string>
end
config category-series
edit <name_str>
set databind <string>
set font-size <integer>
end
config value-series
edit <name_str>
set databind <string>
end
set title <string>
set title-font-size <integer>
set background <string>
set color-palette <string>
set legend {enable | disable}
set legend-font-size <integer>
config column
edit <name_str>
set id <integer>
set header-value <string>
set detail-value <string>
set footer-value <string>
set detail-unit <string>
set footer-unit <string>
config mapping
edit <name_str>
set id <integer>
set op {none | greater | greater-equal | less | less-equal | equal | between}
set value-type {integer | string}
set value1 <string>
set value2 <string>
set displayname <string>
end
end
end
Description
Configuration Description Default Value
name Chart Widget Name (Empty)
policy Used by monitor policy. 0
type Chart type. graph
period Time period. last24h
drill-down-charts Drill down charts. (Empty)
comments Comment. (Empty)
dataset Bind dataset to chart. (Empty)
category Category. misc
favorite Favorite. no
graph-type Graph type. none
style Style. auto
dimension Dimension. 3D
x-series X-series of chart. Details below
Configuration Default Value
databind (Empty)
caption (Empty)
caption-font-size 0
font-size 0
label-angle 45-degree
is-category yes
scale-unit day
scale-step 1
scale-direction decrease
scale-format YYYY-MM-DD-HH-MM
unit (Empty)
y-series Y-series of chart. Details below
Configuration Default Value
databind (Empty)
caption (Empty)
caption-font-size 0
font-size 0
label-angle horizontal
group (Empty)
unit (Empty)
extra-y disable
extra-databind (Empty)
y-legend (Empty)
extra-y-legend (Empty)
category-series Category series of pie chart. Details below
Configuration Default Value
databind (Empty)
font-size 0
value-series Value series of pie chart. Details below
Configuration Default Value
databind (Empty)
title Chart title. (Empty)
title-font-size Font size of chart title. 0
background Chart background. (Empty)
color-palette Color palette (system will pick color automatically by default). (Empty)
legend Enable/Disable Legend area. enable
legend-font-size Font size of legend area. 0
column Table column definition. (Empty)
report/dataset
CLI Syntax
config report dataset
edit <name_str>
set name <string>
set policy <integer>
set query <string>
config field
edit <name_str>
set id <integer>
set type {text | integer | double}
set name <string>
set displayname <string>
end
config parameters
edit <name_str>
set id <integer>
set display-name <string>
set field <string>
set data-type {text | integer | double | long-integer | date-time}
end
end
Description
Configuration Description Default Value
name Name. (Empty)
policy Used by monitor policy. 0
query SQL query statement. (Empty)
field Fields. (Empty)
parameters Parameters. (Empty)
report/layout
CLI Syntax
config report layout
edit <name_str>
set name <string>
set title <string>
set subtitle <string>
set description <string>
set style-theme <string>
set options {include-table-of-content | auto-numbering-heading | view-chart-as-heading | show-html-navbar-before-heading | dummy-option}
set format {html | pdf}
set schedule-type {demand | daily | weekly}
set day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set time <user>
set cutoff-option {run-time | custom}
set cutoff-time <user>
set email-send {enable | disable}
set email-recipients <string>
set max-pdf-report <integer>
config page
edit <name_str>
set paper {a4 | letter}
set column-break-before {heading1 | heading2 | heading3}
set page-break-before {heading1 | heading2 | heading3}
set options {header-on-first-page | footer-on-first-page}
config header
edit <name_str>
set style <string>
config header-item
edit <name_str>
set id <integer>
set description <string>
set type {text | image}
set style <string>
set content <string>
set img-src <string>
end
end
config footer
edit <name_str>
set style <string>
config footer-item
edit <name_str>
set id <integer>
set description <string>
set type {text | image}
set style <string>
set content <string>
set img-src <string>
end
end
end
config body-item
edit <name_str>
set id <integer>
set description <string>
set type {text | image | chart | misc}
set style <string>
set top-n <integer>
set hide {enable | disable}
config parameters
edit <name_str>
set id <integer>
set name <string>
set value <string>
end
set text-component {text | heading1 | heading2 | heading3}
set content <string>
set img-src <string>
set list-component {bullet | numbered}
config list
edit <name_str>
set id <integer>
set content <string>
end
set chart <string>
set chart-options {include-no-data | hide-title | show-caption}
set drill-down-items <string>
set drill-down-types <string>
set table-column-widths <string>
set table-caption-style <string>
set table-head-style <string>
set table-odd-row-style <string>
set table-even-row-style <string>
set misc-component {hline | page-break | column-break | section-start}
set column <integer>
set title <string>
end
end
Description
Configuration Description Default Value
name Report layout name. (Empty)
title Report title. (Empty)
subtitle Report subtitle. (Empty)
description Description. (Empty)
style-theme Report style theme. (Empty)
options Report layout options. include-table-of-content auto-numbering-heading view-chart-as-heading
format Report format. html
schedule-type Report schedule type. daily
day Schedule days of week to generate report. sunday
time Schedule time to generate report [hh:mm]. 00:00
cutoff-option Cutoff-option is either run-time or custom. run-time
cutoff-time Custom cutoff time to generate report [hh:mm]. 00:00
email-send Enable/disable sending emails after reports are disable
generated.
email-recipients Email recipients for generated reports. (Empty)
max-pdf-report Maximum number of PDF reports to keep at one time (oldest report is overwritten). 31
page Configure report page. Details below
Configuration Default Value
paper a4
column-break-before (Empty)
page-break-before (Empty)
options (Empty)
header {"style":"","header-item":[]}
footer {"style":"","footer-item":[]}
body-item Configure report body item. (Empty)
report/setting
CLI Syntax
config report setting
edit <name_str>
set pdf-report {enable | disable}
set fortiview {enable | disable}
set report-source {forward-traffic | sniffer-traffic}
set web-browsing-threshold <integer>
end
Description
Configuration Description Default Value
pdf-report Enable/disable PDF report. enable
fortiview Enable/disable historical FortiView. enable
report-source Report log source. forward-traffic
web-browsing-threshold Web browsing time calculation threshold (3 - 15 min). 3
report/style
CLI Syntax
config report style
edit <name_str>
set name <string>
set options {font | text | color | align | size | margin | border | padding | column}
set font-family {Verdana | Arial | Helvetica | Courier | Times}
set font-style {normal | italic}
set font-weight {normal | bold}
set font-size <string>
set line-height <string>
set fg-color <string>
set bg-color <string>
set align {left | center | right | justify}
set width <string>
set height <string>
set margin-top <string>
set margin-right <string>
set margin-bottom <string>
set margin-left <string>
set border-top <user>
set border-right <user>
set border-bottom <user>
set border-left <user>
set padding-top <string>
set padding-right <string>
set padding-bottom <string>
set padding-left <string>
set column-span {none | all}
set column-gap <string>
end
Description
Configuration Description Default Value
name Report style name. (Empty)
options Report style options. (Empty)
font-family Font family. (Empty)
font-style Font style. normal
font-weight Font weight. normal
font-size Font size. (Empty)
line-height Text line height. (Empty)
fg-color Foreground color. (Empty)
bg-color Background color. (Empty)
align Alignment. (Empty)
width Width. (Empty)
height Height. (Empty)
margin-top Margin top. (Empty)
margin-right Margin right. (Empty)
margin-bottom Margin bottom. (Empty)
margin-left Margin left. (Empty)
border-top Border top. " none "
border-right Border right. " none "
border-bottom Border bottom. " none "
border-left Border left. " none "
padding-top Padding top. (Empty)
padding-right Padding right. (Empty)
padding-bottom Padding bottom. (Empty)
padding-left Padding left. (Empty)
column-span Column span. none
column-gap Column gap. (Empty)
report/theme
CLI Syntax
config report theme
edit <name_str>
set name <string>
set page-orient {portrait | landscape}
set column-count {1 | 2 | 3}
set default-html-style <string>
set default-pdf-style <string>
set page-style <string>
set page-header-style <string>
set page-footer-style <string>
set report-title-style <string>
set report-subtitle-style <string>
set toc-title-style <string>
set toc-heading1-style <string>
set toc-heading2-style <string>
set toc-heading3-style <string>
set toc-heading4-style <string>
set heading1-style <string>
set heading2-style <string>
set heading3-style <string>
set heading4-style <string>
set normal-text-style <string>
set bullet-list-style <string>
set numbered-list-style <string>
set image-style <string>
set hline-style <string>
set graph-chart-style <string>
set table-chart-style <string>
set table-chart-caption-style <string>
set table-chart-head-style <string>
set table-chart-odd-row-style <string>
set table-chart-even-row-style <string>
end
Description
Configuration Description Default Value
name Report theme name. (Empty)
page-orient Report page orientation. portrait
column-count Report page column count. 1
default-html-style Default HTML report style. (Empty)
default-pdf-style Default PDF report style. (Empty)
page-style Report page style. (Empty)
page-header-style Report page header style. (Empty)
page-footer-style Report page footer style. (Empty)
report-title-style Report title style. (Empty)
report-subtitle-style Report subtitle style. (Empty)
toc-title-style Table of contents title style. (Empty)
toc-heading1-style Table of contents heading style. (Empty)
toc-heading2-style Table of contents heading style. (Empty)
toc-heading3-style Table of contents heading style. (Empty)
toc-heading4-style Table of contents heading style. (Empty)
heading1-style Report heading style. (Empty)
heading2-style Report heading style. (Empty)
heading3-style Report heading style. (Empty)
heading4-style Report heading style. (Empty)
normal-text-style Normal text style. (Empty)
bullet-list-style Bullet list style. (Empty)
numbered-list-style Numbered list style. (Empty)
image-style Image style. (Empty)
hline-style Horizontal line style. (Empty)
graph-chart-style Graph chart style. (Empty)
table-chart-style Table chart style. (Empty)
table-chart-caption-style Table chart caption style. (Empty)
table-chart-head-style Table chart head row style. (Empty)
table-chart-odd-row-style Table chart odd row style. (Empty)
table-chart-even-row-style Table chart even row style. (Empty)
router/access-list
CLI Syntax
config router access-list
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set action {permit | deny}
set prefix <user>
set wildcard <user>
set exact-match {enable | disable}
set flags <integer>
end
end
Description
Configuration Description Default Value
name Name. (Empty)
comments Comment. (Empty)
rule Rule. (Empty)
router/access-list6
CLI Syntax
config router access-list6
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set action {permit | deny}
set prefix6 <user>
set exact-match {enable | disable}
set flags <integer>
end
end
Description
Configuration Description Default Value
name Name. (Empty)
comments Comment. (Empty)
rule Rule. (Empty)
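An added example, not from the reference: Python that models the rule table shown for access-list and access-list6 (id, action, prefix or prefix6, wildcard, exact-match) and evaluates candidate routes against it. The matching semantics are the editor's reading of how FortiOS applies these lists, stated here as assumptions: rules are tried in ascending id order and the first match decides; a route matching no rule is denied; with exact-match a rule matches only a route of identical prefix and length, without it the rule matches that prefix and every longer prefix inside it; wildcard is treated as an inverted mask whose zero bits must agree. Prefixes are written here as address and mask, IPv6 prefixes in slash form, and the sample rule set is constructed from documentation address blocks.

```python
"""Evaluate FortiOS router access-list rules against candidate routes (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Rule:
    """One 'config rule' entry: id, action, and a prefix or a wildcard to match."""
    id: int
    action: str                      # "permit" or "deny"
    prefix: Optional[str] = None     # "10.0.0.0 255.0.0.0", "2001:db8::/32" or "any"
    wildcard: Optional[str] = None   # "172.16.0.0 0.15.255.255" (assumed inverted mask)
    exact_match: bool = False        # assumed: match only a route of the same length

    def matches(self, route: Net) -> bool:
        if self.wildcard:
            addr, mask = self.wildcard.split()
            base, wild = ipaddress.ip_address(addr), ipaddress.ip_address(mask)
            if base.version != route.version:
                return False
            keep = ~int(wild) & (2 ** route.max_prefixlen - 1)   # zero bits must agree
            return (int(route.network_address) & keep) == (int(base) & keep)
        if self.prefix in (None, "any"):
            return True
        rule_net = ipaddress.ip_network(self.prefix.replace(" ", "/"), strict=False)
        if rule_net.version != route.version:
            return False
        if self.exact_match:
            return route == rule_net
        return route.subnet_of(rule_net)     # the prefix itself or anything inside it


def evaluate(rules: List[Rule], route: str) -> str:
    """Rules are tried in id order; the first match decides, no match means deny."""
    net = ipaddress.ip_network(route, strict=False)
    for rule in sorted(rules, key=lambda r: r.id):
        if rule.matches(net):
            return rule.action
    return "deny"                            # implicit deny at the end of every list


# Constructed sample: an inbound eBGP filter. Rule 1 is what the CLI on this page
# spells as: config rule / edit 1 / set action deny / set prefix 0.0.0.0 0.0.0.0 /
# set exact-match enable.
EBGP_IN = [
    Rule(1, "deny", prefix="0.0.0.0 0.0.0.0", exact_match=True),  # no default route from a peer
    Rule(2, "deny", prefix="10.0.0.0 255.0.0.0"),                  # RFC 1918, any length inside it
    Rule(3, "deny", wildcard="172.16.0.0 0.15.255.255"),
    Rule(4, "deny", prefix="192.168.0.0 255.255.0.0"),
    Rule(5, "deny", prefix="203.0.113.0 255.255.255.0"),           # our own block coming back in
    Rule(6, "permit", prefix="any"),
]

# Constructed sample for access-list6: only the documentation block and its subnets.
EBGP_IN6 = [
    Rule(1, "deny", prefix="::/0", exact_match=True),
    Rule(2, "permit", prefix="2001:db8::/32"),
]

if __name__ == "__main__":
    for route in ("0.0.0.0/0", "0.0.0.0/1", "10.1.2.0/24", "172.20.5.0/24", "198.51.100.0/24"):
        print(f"{route:18} {evaluate(EBGP_IN, route)}")
```

Running it shows the exact-match caveat worth knowing before relying on rule 1: 0.0.0.0/0 is denied, but 0.0.0.0/1, which is not the default route yet covers half the address space, passes rule 1 and is permitted by rule 6. A list built from prefix matches alone cannot say "nothing shorter than /8"; that needs a prefix-list with its ge and le length bounds, or a maximum-prefix limit on the neighbor.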
router/aspath-list
CLI Syntax
config router aspath-list
edit <name_str>
set name <string>
config rule
edit <name_str>
set id <integer>
set action {deny | permit}
set regexp <string>
end
end
Description
Configuration Description Default Value
name AS path list name. (Empty)
rule AS path list rule. (Empty)
router/auth-path
CLI Syntax
config router auth-path
edit <name_str>
set name <string>
set device <string>
set gateway <ipv4-address>
end
Description
Configuration Description Default Value
name Name of the entry. (Empty)
device Output interface. (Empty)
gateway Gateway IP address. [Link]
router/bfd
CLI Syntax
config router bfd
edit <name_str>
config neighbor
edit <name_str>
set ip <ipv4-address>
set interface <string>
end
end
Description
Configuration Description Default Value
neighbor Neighbor. (Empty)
router/bgp
CLI Syntax
config router bgp
edit <name_str>
set as <integer>
set router-id <ipv4-address-any>
set keepalive-timer <integer>
set holdtime-timer <integer>
set always-compare-med {enable | disable}
set bestpath-as-path-ignore {enable | disable}
set bestpath-cmp-confed-aspath {enable | disable}
set bestpath-cmp-routerid {enable | disable}
set bestpath-med-confed {enable | disable}
set bestpath-med-missing-as-worst {enable | disable}
set client-to-client-reflection {enable | disable}
set dampening {enable | disable}
set deterministic-med {enable | disable}
set ebgp-multipath {enable | disable}
set ibgp-multipath {enable | disable}
set enforce-first-as {enable | disable}
set fast-external-failover {enable | disable}
set log-neighbour-changes {enable | disable}
set network-import-check {enable | disable}
set ignore-optional-capability {enable | disable}
set cluster-id <ipv4-address-any>
set confederation-identifier <integer>
config confederation-peers
edit <name_str>
set peer <string>
end
set dampening-route-map <string>
set dampening-reachability-half-life <integer>
set dampening-reuse <integer>
set dampening-suppress <integer>
set dampening-max-suppress-time <integer>
set dampening-unreachability-half-life <integer>
set default-local-preference <integer>
set scan-time <integer>
set distance-external <integer>
set distance-internal <integer>
set distance-local <integer>
set synchronization {enable | disable}
set graceful-restart {enable | disable}
set graceful-restart-time <integer>
set graceful-stalepath-time <integer>
set graceful-update-delay <integer>
config aggregate-address
edit <name_str>
set id <integer>
set prefix <ipv4-classnet-any>
set as-set {enable | disable}
set summary-only {enable | disable}
end
config aggregate-address6
edit <name_str>
set id <integer>
set prefix6 <ipv6-prefix>
set as-set {enable | disable}
set summary-only {enable | disable}
end
config neighbor
edit <name_str>
set ip <string>
set advertisement-interval <integer>
set allowas-in-enable {enable | disable}
set allowas-in-enable6 {enable | disable}
set allowas-in <integer>
set allowas-in6 <integer>
set attribute-unchanged {as-path | med | next-hop}
set attribute-unchanged6 {as-path | med | next-hop}
set activate {enable | disable}
set activate6 {enable | disable}
set bfd {enable | disable}
set capability-dynamic {enable | disable}
set capability-orf {none | receive | send | both}
set capability-orf6 {none | receive | send | both}
set capability-graceful-restart {enable | disable}
set capability-graceful-restart6 {enable | disable}
set capability-route-refresh {enable | disable}
set capability-default-originate {enable | disable}
set capability-default-originate6 {enable | disable}
set dont-capability-negotiate {enable | disable}
set ebgp-enforce-multihop {enable | disable}
set next-hop-self {enable | disable}
set next-hop-self6 {enable | disable}
set override-capability {enable | disable}
set passive {enable | disable}
set remove-private-as {enable | disable}
set remove-private-as6 {enable | disable}
set route-reflector-client {enable | disable}
set route-reflector-client6 {enable | disable}
set route-server-client {enable | disable}
set route-server-client6 {enable | disable}
set shutdown {enable | disable}
set soft-reconfiguration {enable | disable}
set soft-reconfiguration6 {enable | disable}
set as-override {enable | disable}
set as-override6 {enable | disable}
set strict-capability-match {enable | disable}
set default-originate-routemap <string>
set default-originate-routemap6 <string>
set description <string>
set distribute-list-in <string>
set distribute-list-in6 <string>
set distribute-list-out <string>
set distribute-list-out6 <string>
set ebgp-multihop-ttl <integer>
set filter-list-in <string>
set filter-list-in6 <string>
set filter-list-out <string>
set filter-list-out6 <string>
set interface <string>
set maximum-prefix <integer>
set maximum-prefix6 <integer>
set maximum-prefix-threshold <integer>
set maximum-prefix-threshold6 <integer>
set maximum-prefix-warning-only {enable | disable}
set maximum-prefix-warning-only6 {enable | disable}
set prefix-list-in <string>
set prefix-list-in6 <string>
set prefix-list-out <string>
set prefix-list-out6 <string>
set remote-as <integer>
set retain-stale-time <integer>
set route-map-in <string>
set route-map-in6 <string>
set route-map-out <string>
set route-map-out6 <string>
set send-community {standard | extended | both | disable}
set send-community6 {standard | extended | both | disable}
set keep-alive-timer <integer>
set holdtime-timer <integer>
set connect-timer <integer>
set unsuppress-map <string>
set unsuppress-map6 <string>
set update-source <string>
set weight <integer>
set restart-time <integer>
set password <password>
config conditional-advertise
edit <name_str>
set advertise-routemap <string>
set condition-routemap <string>
set condition-type {exist | non-exist}
end
end
config neighbor-group
edit <name_str>
set name <string>
set advertisement-interval <integer>
set allowas-in-enable {enable | disable}
set allowas-in-enable6 {enable | disable}
set allowas-in <integer>
set allowas-in6 <integer>
set attribute-unchanged {as-path | med | next-hop}
set attribute-unchanged6 {as-path | med | next-hop}
set activate {enable | disable}
set activate6 {enable | disable}
set bfd {enable | disable}
set capability-dynamic {enable | disable}
set capability-orf {none | receive | send | both}
set capability-orf6 {none | receive | send | both}
set capability-graceful-restart {enable | disable}
set capability-graceful-restart6 {enable | disable}
set capability-route-refresh {enable | disable}
set capability-default-originate {enable | disable}
set capability-default-originate6 {enable | disable}
set dont-capability-negotiate {enable | disable}
set ebgp-enforce-multihop {enable | disable}
set next-hop-self {enable | disable}
set next-hop-self6 {enable | disable}
set override-capability {enable | disable}
set passive {enable | disable}
set remove-private-as {enable | disable}
set remove-private-as6 {enable | disable}
set route-reflector-client {enable | disable}
set route-reflector-client6 {enable | disable}
set route-server-client {enable | disable}
set route-server-client6 {enable | disable}
set shutdown {enable | disable}
set soft-reconfiguration {enable | disable}
set soft-reconfiguration6 {enable | disable}
set as-override {enable | disable}
set as-override6 {enable | disable}
set strict-capability-match {enable | disable}
set default-originate-routemap <string>
set default-originate-routemap6 <string>
set description <string>
set distribute-list-in <string>
set distribute-list-in6 <string>
set distribute-list-out <string>
set distribute-list-out6 <string>
set ebgp-multihop-ttl <integer>
set filter-list-in <string>
set filter-list-in6 <string>
set filter-list-out <string>
set filter-list-out6 <string>
set interface <string>
set maximum-prefix <integer>
set maximum-prefix6 <integer>
set maximum-prefix-threshold <integer>
set maximum-prefix-threshold6 <integer>
set maximum-prefix-warning-only {enable | disable}
set maximum-prefix-warning-only6 {enable | disable}
set prefix-list-in <string>
set prefix-list-in6 <string>
set prefix-list-out <string>
set prefix-list-out6 <string>
set remote-as <integer>
set retain-stale-time <integer>
set route-map-in <string>
set route-map-in6 <string>
set route-map-out <string>
set route-map-out6 <string>
set send-community {standard | extended | both | disable}
set send-community6 {standard | extended | both | disable}
set keep-alive-timer <integer>
set holdtime-timer <integer>
set connect-timer <integer>
set unsuppress-map <string>
set unsuppress-map6 <string>
set update-source <string>
set weight <integer>
set restart-time <integer>
end
config neighbor-range
edit <name_str>
set id <integer>
set prefix <ipv4-classnet>
set max-neighbor-num <integer>
set neighbor-group <string>
end
config network
edit <name_str>
set id <integer>
set prefix <ipv4-classnet>
set backdoor {enable | disable}
set route-map <string>
end
config network6
edit <name_str>
set id <integer>
set prefix6 <ipv6-network>
set backdoor {enable | disable}
set route-map <string>
end
config redistribute
edit <name_str>
set name <string>
set status {enable | disable}
set route-map <string>
end
config redistribute6
edit <name_str>
set name <string>
set status {enable | disable}
set route-map <string>
end
config admin-distance
edit <name_str>
set id <integer>
set neighbour-prefix <ipv4-classnet>
set route-list <string>
set distance <integer>
end
end
Description
Configuration Description Default Value
as Router AS number. 0
router-id Router ID. [Link]
keepalive-timer Frequency to send keep alive requests. 60
holdtime-timer Number of seconds to mark peer as dead. 180
always-compare-med Enable/disable always compare MED. disable
bestpath-as-path-ignore Enable/disable ignore AS path. disable
bestpath-cmp-confed-aspath Enable/disable compare confederation AS path length. disable
bestpath-cmp-routerid Enable/disable compare router ID for identical EBGP paths. disable
bestpath-med-confed Enable/disable compare MED among confederation paths. disable
bestpath-med-missing-as-worst Enable/disable treat missing MED as least preferred. disable
client-to-client-reflection Enable/disable client-to-client route reflection. enable
dampening Enable/disable route-flap dampening. disable
deterministic-med Enable/disable enforce deterministic comparison of MED. disable
ebgp-multipath Enable/disable EBGP multi-path. disable
ibgp-multipath Enable/disable IBGP multi-path. disable
enforce-first-as Enable/disable enforce first AS for EBGP routes. enable
fast-external-failover Enable/disable reset peer BGP session if link goes down. enable
log-neighbour-changes Enable logging of BGP neighbour changes. enable
network-import-check Enable/disable ensure BGP network route exists in IGP. enable
ignore-optional-capability Don't send unknown optional capability notification message. enable
cluster-id Route reflector cluster ID. [Link]
confederation-identifier Confederation identifier. 0
confederation-peers Confederation peers. (Empty)
dampening-route-map Criteria for dampening. (Empty)
dampening-reachability-half-life Reachability half-life time for penalty (min). 15
dampening-reuse Threshold to reuse routes. 750
dampening-suppress Threshold to suppress routes. 2000
dampening-max-suppress-time Maximum minutes a route can be suppressed. 60
dampening-unreachability-half-life Unreachability half-life time for penalty (min). 15
default-local-preference Default local preference. 100
scan-time Background scanner interval (sec). 60
distance-external Distance for routes external to the AS. 20
distance-internal Distance for routes internal to the AS. 200
distance-local Distance for routes local to the AS. 200
synchronization Enable/disable only advertise routes from iBGP if routes present in an IGP. disable
graceful-restart Enable/disable BGP graceful restart capabilities. disable
graceful-restart-time Time needed for neighbors to restart (sec). 120
graceful-stalepath-time Time to hold stale paths of restarting neighbor (sec). 360
graceful-update-delay Route advertisement/selection delay after restart (sec). 120
aggregate-address BGP aggregate address table. (Empty)
aggregate-address6 BGP IPv6 aggregate address table. (Empty)
neighbor BGP neighbor table. (Empty)
neighbor-group BGP neighbor group table. (Empty)
neighbor-range BGP neighbor range table. (Empty)
network BGP network table. (Empty)
network6 BGP IPv6 network table. (Empty)
redistribute BGP IPv4 redistribute table. (Empty)
redistribute6 BGP IPv6 redistribute table. (Empty)
admin-distance Administrative distance modifications. (Empty)
router/community-list
CLI Syntax
config router community-list
edit <name_str>
set name <string>
set type {standard | expanded}
config rule
edit <name_str>
set id <integer>
set action {deny | permit}
set regexp <string>
set match <string>
end
end
Description
Configuration Description Default Value
name Community list name. (Empty)
type Community list type. standard
rule Community list rule. (Empty)
router/isis
CLI Syntax
config router isis
edit <name_str>
set is-type {level-1-2 | level-1 | level-2-only}
set auth-mode-l1 {password | md5}
set auth-mode-l2 {password | md5}
set auth-password-l1 <password>
set auth-password-l2 <password>
set auth-keychain-l1 <string>
set auth-keychain-l2 <string>
set auth-sendonly-l1 {enable | disable}
set auth-sendonly-l2 {enable | disable}
set ignore-lsp-errors {enable | disable}
set lsp-gen-interval-l1 <integer>
set lsp-gen-interval-l2 <integer>
set lsp-refresh-interval <integer>
set max-lsp-lifetime <integer>
set spf-interval-exp-l1 <user>
set spf-interval-exp-l2 <user>
set dynamic-hostname {enable | disable}
set adjacency-check {enable | disable}
set overload-bit {enable | disable}
set overload-bit-suppress {external | interlevel}
set overload-bit-on-startup <integer>
set default-originate {enable | disable}
set metric-style {narrow | narrow-transition | narrow-transition-l1 | narrow-transition-l2 | wide | wide-l1 | wide-l2 | wide-transition | wide-transition-l1 | wide-transition-l2 | transition | transition-l1 | transition-l2}
set redistribute-l1 {enable | disable}
set redistribute-l1-list <string>
set redistribute-l2 {enable | disable}
set redistribute-l2-list <string>
config isis-net
edit <name_str>
set id <integer>
set net <user>
end
config isis-interface
edit <name_str>
set name <string>
set status {enable | disable}
set network-type {broadcast | point-to-point}
set circuit-type {level-1-2 | level-1 | level-2}
set csnp-interval-l1 <integer>
set csnp-interval-l2 <integer>
set hello-interval-l1 <integer>
set hello-interval-l2 <integer>
set hello-multiplier-l1 <integer>
set hello-multiplier-l2 <integer>
set hello-padding {enable | disable}
set lsp-interval <integer>
set lsp-retransmit-interval <integer>
set metric-l1 <integer>
set metric-l2 <integer>
set wide-metric-l1 <integer>
set wide-metric-l2 <integer>
set auth-password-l1 <password>
set auth-password-l2 <password>
set auth-keychain-l1 <string>
set auth-keychain-l2 <string>
set auth-send-only-l1 {enable | disable}
set auth-send-only-l2 {enable | disable}
set auth-mode-l1 {md5 | password}
set auth-mode-l2 {md5 | password}
set priority-l1 <integer>
set priority-l2 <integer>
set mesh-group {enable | disable}
set mesh-group-id <integer>
end
config summary-address
edit <name_str>
set id <integer>
set prefix <ipv4-classnet-any>
set level {level-1-2 | level-1 | level-2}
end
config redistribute
edit <name_str>
set protocol <string>
set status {enable | disable}
set metric <integer>
set metric-type {external | internal}
set level {level-1-2 | level-1 | level-2}
set routemap <string>
end
end
Description
Configuration Description Default Value
is-type IS type. level-1-2
auth-mode-l1 Level 1 authentication mode. password
auth-mode-l2 Level 2 authentication mode. password
auth-password-l1 Authentication password for level 1 PDUs. (Empty)
auth-password-l2 Authentication password for level 2 PDUs. (Empty)
auth-keychain-l1 Authentication key-chain for level 1 PDUs. (Empty)
auth-keychain-l2 Authentication key-chain for level 2 PDUs. (Empty)
auth-sendonly-l1 Enable/disable level 1 authentication send-only. disable
auth-sendonly-l2 Enable/disable level 2 authentication send-only. disable
ignore-lsp-errors Enable/disable ignoring of LSP errors with bad checksums. disable
lsp-gen-interval-l1 Minimum interval for level 1 LSP regenerating. 30
lsp-gen-interval-l2 Minimum interval for level 2 LSP regenerating. 30
lsp-refresh-interval LSP refresh time in seconds. 900
max-lsp-lifetime Maximum LSP lifetime in seconds. 1200
spf-interval-exp-l1 Level 1 SPF calculation delay. 500 50000
spf-interval-exp-l2 Level 2 SPF calculation delay. 500 50000
dynamic-hostname Enable/disable dynamic hostname. disable
adjacency-check Enable/disable adjacency check. disable
overload-bit Enable/disable signal other routers not to use us in SPF. disable
overload-bit-suppress Suppress overload-bit for the specific prefixes. (Empty)
overload-bit-on-startup Overload-bit only temporarily after reboot. 0
default-originate Enable/disable control distribution of default information. disable
metric-style Use old-style (ISO 10589) or new-style packet formats. narrow
redistribute-l1 Enable/disable redistribute level 1 routes into level 2. disable
redistribute-l1-list Access-list for redistribute l1 to l2. (Empty)
redistribute-l2 Enable/disable redistribute level 2 routes into level 1. disable
redistribute-l2-list Access-list for redistribute l2 to l1. (Empty)
isis-net IS-IS net configuration. (Empty)
isis-interface IS-IS interface configuration. (Empty)
summary-address IS-IS summary addresses. (Empty)
redistribute IS-IS redistribute protocols. (Empty)
router/key-chain
CLI Syntax
config router key-chain
edit <name_str>
set name <string>
config key
edit <name_str>
set id <integer>
set accept-lifetime <user>
set send-lifetime <user>
set key-string <string>
end
end
Description
Configuration Description Default Value
name Key-chain name. (Empty)
key Key. (Empty)
router/multicast
CLI Syntax
config router multicast
edit <name_str>
set route-threshold <integer>
set route-limit <integer>
set igmp-state-limit <integer>
set multicast-routing {enable | disable}
config pim-sm-global
edit <name_str>
set message-interval <integer>
set join-prune-holdtime <integer>
set accept-register-list <string>
set bsr-candidate {enable | disable}
set bsr-interface <string>
set bsr-priority <integer>
set bsr-hash <integer>
set bsr-allow-quick-refresh {enable | disable}
set cisco-register-checksum {enable | disable}
set cisco-register-checksum-group <string>
set cisco-crp-prefix {enable | disable}
set cisco-ignore-rp-set-priority {enable | disable}
set register-rp-reachability {enable | disable}
set register-source {disable | interface | ip-address}
set register-source-interface <string>
set register-source-ip <ipv4-address>
set register-supression <integer>
set null-register-retries <integer>
set rp-register-keepalive <integer>
set spt-threshold {enable | disable}
set spt-threshold-group <string>
set ssm {enable | disable}
set ssm-range <string>
set register-rate-limit <integer>
config rp-address
edit <name_str>
set id <integer>
set ip-address <ipv4-address>
set group <string>
end
end
config interface
edit <name_str>
set name <string>
set ttl-threshold <integer>
set pim-mode {sparse-mode | dense-mode}
set passive {enable | disable}
set bfd {enable | disable}
set neighbour-filter <string>
set hello-interval <integer>
set hello-holdtime <integer>
set cisco-exclude-genid {enable | disable}
set dr-priority <integer>
set propagation-delay <integer>
set state-refresh-interval <integer>
set rp-candidate {enable | disable}
set rp-candidate-group <string>
set rp-candidate-priority <integer>
set rp-candidate-interval <integer>
set multicast-flow <string>
set static-group <string>
config join-group
edit <name_str>
set address <ipv4-address-any>
end
config igmp
edit <name_str>
set access-group <string>
set version {3 | 2 | 1}
set immediate-leave-group <string>
set last-member-query-interval <integer>
set last-member-query-count <integer>
set query-max-response-time <integer>
set query-interval <integer>
set query-timeout <integer>
set router-alert-check {enable | disable}
end
end
end
Description
Configuration Description Default Value
route-threshold Generate warnings when number of multicast routes exceeds this number. 2147483647
route-limit Maximum number of multicast routes. 2147483647
igmp-state-limit Maximum IGMP memberships (system wide). 3200
multicast-routing Enable/disable multicast routing. disable
pim-sm-global PIM sparse-mode global settings. Details below
Configuration Default Value
message-interval 60
join-prune-holdtime 210
accept-register-list (Empty)
bsr-candidate disable
bsr-interface (Empty)
bsr-priority 0
bsr-hash 10
bsr-allow-quick-refresh disable
cisco-register-checksum disable
cisco-register-checksum-group (Empty)
cisco-crp-prefix disable
cisco-ignore-rp-set-priority disable
register-rp-reachability enable
register-source disable
register-source-interface (Empty)
register-source-ip [Link]
register-supression 60
null-register-retries 1
rp-register-keepalive 185
spt-threshold enable
spt-threshold-group (Empty)
ssm disable
ssm-range (Empty)
register-rate-limit 0
rp-address (Empty)
interface PIM interfaces. (Empty)
router/multicast-flow
CLI Syntax
config router multicast-flow
edit <name_str>
set name <string>
set comments <string>
config flows
edit <name_str>
set id <integer>
set group-addr <ipv4-address-any>
set source-addr <ipv4-address-any>
end
end
Description
Configuration Description Default Value
name Name. (Empty)
comments Comment. (Empty)
flows Multicast-flow entries. (Empty)
router/multicast6
CLI Syntax
config router multicast6
edit <name_str>
set multicast-routing {enable | disable}
config interface
edit <name_str>
set name <string>
set hello-interval <integer>
set hello-holdtime <integer>
end
config pim-sm-global
edit <name_str>
set register-rate-limit <integer>
config rp-address
edit <name_str>
set id <integer>
set ip6-address <ipv6-address>
end
end
end
Description
Configuration Description Default Value
multicast-routing Enable/disable multicast routing. disable
interface PIM interfaces. (Empty)
pim-sm-global PIM sparse-mode global settings. Details below
Configuration Default Value
register-rate-limit 0
rp-address (Empty)
router/ospf
CLI Syntax
config router ospf
edit <name_str>
set abr-type {cisco | ibm | shortcut | standard}
set auto-cost-ref-bandwidth <integer>
set distance-external <integer>
set distance-inter-area <integer>
set distance-intra-area <integer>
set database-overflow {enable | disable}
set database-overflow-max-lsas <integer>
set database-overflow-time-to-recover <integer>
set default-information-originate {enable | always | disable}
set default-information-metric <integer>
set default-information-metric-type {1 | 2}
set default-information-route-map <string>
set default-metric <integer>
set distance <integer>
set rfc1583-compatible {enable | disable}
set router-id <ipv4-address-any>
set spf-timers <user>
set bfd {enable | disable}
set log-neighbour-changes {enable | disable}
set distribute-list-in <string>
set distribute-route-map-in <string>
set restart-mode {none | lls | graceful-restart}
set restart-period <integer>
config area
edit <name_str>
set id <ipv4-address-any>
set shortcut {disable | enable | default}
set authentication {none | text | md5}
set default-cost <integer>
set nssa-translator-role {candidate | never | always}
set stub-type {no-summary | summary}
set type {regular | nssa | stub}
set nssa-default-information-originate {enable | always | disable}
set nssa-default-information-originate-metric <integer>
set nssa-default-information-originate-metric-type {1 | 2}
set nssa-redistribution {enable | disable}
config range
edit <name_str>
set id <integer>
set prefix <ipv4-classnet-any>
set advertise {disable | enable}
set substitute <ipv4-classnet-any>
set substitute-status {enable | disable}
end
config virtual-link
edit <name_str>
set name <string>
set authentication {none | text | md5}
set authentication-key <password>
set md5-key <user>
set dead-interval <integer>
set hello-interval <integer>
set retransmit-interval <integer>
set transmit-delay <integer>
set peer <ipv4-address-any>
end
config filter-list
edit <name_str>
set id <integer>
set list <string>
set direction {in | out}
end
end
config ospf-interface
edit <name_str>
set name <string>
set interface <string>
set ip <ipv4-address>
set authentication {none | text | md5}
set authentication-key <password>
set md5-key <user>
set prefix-length <integer>
set retransmit-interval <integer>
set transmit-delay <integer>
set cost <integer>
set priority <integer>
set dead-interval <integer>
set hello-interval <integer>
set hello-multiplier <integer>
set database-filter-out {enable | disable}
set mtu <integer>
set mtu-ignore {enable | disable}
set network-type {broadcast | non-broadcast | point-to-point | point-to-multipoint | point-to-multipoint-non-broadcast}
set bfd {global | enable | disable}
set status {disable | enable}
set resync-timeout <integer>
end
config network
edit <name_str>
set id <integer>
set prefix <ipv4-classnet>
set area <ipv4-address-any>
end
config neighbor
edit <name_str>
set id <integer>
set ip <ipv4-address>
set poll-interval <integer>
set cost <integer>
set priority <integer>
end
config passive-interface
edit <name_str>
set name <string>
end
config summary-address
edit <name_str>
set id <integer>
set prefix <ipv4-classnet>
set tag <integer>
set advertise {disable | enable}
end
config distribute-list
edit <name_str>
set id <integer>
set access-list <string>
set protocol {connected | static | rip}
end
config redistribute
edit <name_str>
set name <string>
set status {enable | disable}
set metric <integer>
set routemap <string>
set metric-type {1 | 2}
set tag <integer>
end
end
Description
Configuration Description Default Value
abr-type Area border router type. standard
auto-cost-ref-bandwidth Reference bandwidth in terms of megabits per second. 1000
distance-external Administrative external distance. 110
distance-inter-area Administrative inter-area distance. 110
distance-intra-area Administrative intra-area distance. 110
database-overflow Enable/disable database overflow. disable
database-overflow-max-lsas Database overflow maximum LSAs. 10000
database-overflow-time-to-recover Database overflow time to recover (sec). 300
default-information-originate Enable/disable generation of default route. disable
default-information-metric Default information metric. 10
default-information-metric-type Default information metric type. 2
default-information-route-map Default information route map. (Empty)
default-metric Default metric of redistribute routes. 10
distance Distance of the route. 110
rfc1583-compatible Enable/disable RFC1583 compatibility. disable
router-id Router ID. [Link]
spf-timers SPF calculation frequency. 5 10
bfd Bidirectional Forwarding Detection (BFD). disable
log-neighbour-changes Enable logging of OSPF neighbour changes. enable
distribute-list-in Filter incoming routes. (Empty)
distribute-route-map-in Filter incoming external routes by route-map. (Empty)
restart-mode OSPF restart mode (graceful or LLS). none
restart-period Graceful restart period. 120
area OSPF area configuration. (Empty)
ospf-interface OSPF interface configuration. (Empty)
network OSPF network configuration. (Empty)
neighbor OSPF neighbor configuration, used when OSPF runs on non-broadcast media. (Empty)
passive-interface Passive interface configuration. (Empty)
summary-address IP address summary configuration. (Empty)
distribute-list Distribute list configuration. (Empty)
redistribute Redistribute configuration. (Empty)
router/ospf6
CLI Syntax
config router ospf6
edit <name_str>
set abr-type {cisco | ibm | standard}
set auto-cost-ref-bandwidth <integer>
set default-information-originate {enable | always | disable}
set log-neighbour-changes {enable | disable}
set default-information-metric <integer>
set default-information-metric-type {1 | 2}
set default-information-route-map <string>
set default-metric <integer>
set router-id <ipv4-address-any>
set spf-timers <user>
config area
edit <name_str>
set id <ipv4-address-any>
set default-cost <integer>
set nssa-translator-role {candidate | never | always}
set stub-type {no-summary | summary}
set type {regular | nssa | stub}
set nssa-default-information-originate {enable | disable}
set nssa-default-information-originate-metric <integer>
set nssa-default-information-originate-metric-type {1 | 2}
set nssa-redistribution {enable | disable}
config range
edit <name_str>
set id <integer>
set prefix6 <ipv6-network>
set advertise {disable | enable}
end
config virtual-link
edit <name_str>
set name <string>
set dead-interval <integer>
set hello-interval <integer>
set retransmit-interval <integer>
set transmit-delay <integer>
set peer <ipv4-address-any>
end
end
config ospf6-interface
edit <name_str>
set name <string>
set area-id <ipv4-address-any>
set interface <string>
set retransmit-interval <integer>
set transmit-delay <integer>
set cost <integer>
set priority <integer>
set dead-interval <integer>
set hello-interval <integer>
set status {disable | enable}
set network-type {broadcast | non-broadcast | point-to-point | point-to-multipoint | point-to-multipoint-non-broadcast}
config neighbor
edit <name_str>
set ip6 <ipv6-address>
set poll-interval <integer>
set cost <integer>
set priority <integer>
end
end
config passive-interface
edit <name_str>
set name <string>
end
config redistribute
edit <name_str>
set name <string>
set status {enable | disable}
set metric <integer>
set routemap <string>
set metric-type {1 | 2}
end
config summary-address
edit <name_str>
set id <integer>
set prefix6 <ipv6-network>
set advertise {disable | enable}
set tag <integer>
end
end
Description
Configuration Description Default Value
abr-type Area border router type. standard
auto-cost-ref-bandwidth Reference bandwidth in terms of megabits per second. 1000
default-information-originate Enable/disable generation of default route. disable
log-neighbour-changes Enable/disable logging of OSPFv3 neighbour changes. enable
default-information-metric Default information metric. 10
default-information-metric-type Default information metric type. 2
default-information-route-map Default information route map. (Empty)
default-metric Default metric of redistribute routes. 20
router-id A.B.C.D, in IPv4 address format. [Link]
spf-timers SPF calculation frequency. 5 10
area OSPF6 area configuration. (Empty)
ospf6-interface OSPF6 interface configuration. (Empty)
passive-interface Passive interface configuration. (Empty)
redistribute Redistribute configuration. (Empty)
summary-address IPv6 address summary configuration. (Empty)
router/policy
CLI Syntax
config router policy
edit <name_str>
set seq-num <integer>
config input-device
edit <name_str>
set name <string>
end
config src
edit <name_str>
set subnet <string>
end
config srcaddr
edit <name_str>
set name <string>
end
set src-negate {enable | disable}
config dst
edit <name_str>
set subnet <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set dst-negate {enable | disable}
set action {deny | permit}
set protocol <integer>
set start-port <integer>
set end-port <integer>
set start-source-port <integer>
set end-source-port <integer>
set gateway <ipv4-address>
set output-device <string>
set tos <user>
set tos-mask <user>
set comments <var-string>
end
Description
Configuration Description Default Value
seq-num Sequence number. 0
input-device Incoming interface name. (Empty)
src Source IP and mask (x.x.x.x/x). (Empty)
srcaddr Source address name. (Empty)
src-negate Enable/disable negated source address match. disable
dst Destination IP and mask (x.x.x.x/x). (Empty)
dstaddr Destination address name. (Empty)
dst-negate Enable/disable negated destination address match. disable
action Action of the policy route. permit
protocol Protocol number. 0
start-port Start destination port number. 1
end-port End destination port number. 65535
start-source-port Start source port number. 1
end-source-port End source port number. 65535
gateway IP address of gateway. [Link]
output-device Outgoing interface name. (Empty)
tos Type of service bit pattern. 0x00
tos-mask Type of service evaluated bits. 0x00
comments Comment. (Empty)
router/policy6
CLI Syntax
config router policy6
edit <name_str>
set seq-num <integer>
set input-device <string>
set src <ipv6-network>
set dst <ipv6-network>
set protocol <integer>
set start-port <integer>
set end-port <integer>
set gateway <ipv6-address>
set output-device <string>
set tos <user>
set tos-mask <user>
set comments <var-string>
end
Description
Configuration Description Default Value
seq-num Sequence number. 0
input-device Incoming interface name. (Empty)
src Source IPv6 prefix. ::/0
dst Destination IPv6 prefix. ::/0
protocol Protocol number. 0
start-port Start port number. 1
end-port End port number. 65535
gateway IPv6 address of gateway. ::
output-device Outgoing interface name. (Empty)
tos Type of service bit pattern. 0x00
tos-mask Type of service evaluated bits. 0x00
comments Comment. (Empty)
router/prefix-list
CLI Syntax
config router prefix-list
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set action {permit | deny}
set prefix <user>
set ge <integer>
set le <integer>
set flags <integer>
end
end
Description
Configuration Description Default Value
name Name. (Empty)
comments Comment. (Empty)
rule Rule. (Empty)
router/prefix-list6
CLI Syntax
config router prefix-list6
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set action {permit | deny}
set prefix6 <user>
set ge <integer>
set le <integer>
set flags <integer>
end
end
Description
Configuration Description Default Value
name Name. (Empty)
comments Comment. (Empty)
rule Rule. (Empty)
router/rip
CLI Syntax
config router rip
edit <name_str>
set default-information-originate {enable | disable}
set default-metric <integer>
set max-out-metric <integer>
set recv-buffer-size <integer>
config distance
edit <name_str>
set id <integer>
set prefix <ipv4-classnet-any>
set distance <integer>
set access-list <string>
end
config distribute-list
edit <name_str>
set id <integer>
set status {enable | disable}
set direction {in | out}
set listname <string>
set interface <string>
end
config neighbor
edit <name_str>
set id <integer>
set ip <ipv4-address>
end
config network
edit <name_str>
set id <integer>
set prefix <ipv4-classnet>
end
config offset-list
edit <name_str>
set id <integer>
set status {enable | disable}
set direction {in | out}
set access-list <string>
set offset <integer>
set interface <string>
end
config passive-interface
edit <name_str>
set name <string>
end
config redistribute
edit <name_str>
set name <string>
set status {enable | disable}
set metric <integer>
set routemap <string>
set flags <integer>
end
set update-timer <integer>
set timeout-timer <integer>
set garbage-timer <integer>
set version {1 | 2}
config interface
edit <name_str>
set name <string>
set auth-keychain <string>
set auth-mode {none | text | md5}
set auth-string <password>
set receive-version {1 | 2}
set send-version {1 | 2}
set send-version2-broadcast {disable | enable}
set split-horizon-status {enable | disable}
set split-horizon {poisoned | regular}
set flags <integer>
end
end
Description
Configuration Description Default Value
default-information-originate Enable/disable generation of default route. disable
default-metric Default metric. 1
max-out-metric Maximum metric allowed to output (0 means 'not set'). 0
recv-buffer-size Receiving buffer size. 655360
distance Distance. (Empty)
distribute-list Distribute list. (Empty)
neighbor Neighbor. (Empty)
network Network. (Empty)
offset-list Offset list. (Empty)
passive-interface Passive interface configuration. (Empty)
redistribute Redistribute configuration. (Empty)
update-timer Update timer. 30
timeout-timer Timeout timer. 180
garbage-timer Garbage timer. 120
version RIP version. 2
interface RIP interface configuration. (Empty)
router/ripng
CLI Syntax
config router ripng
edit <name_str>
set default-information-originate {enable | disable}
set default-metric <integer>
set max-out-metric <integer>
config distance
edit <name_str>
set id <integer>
set distance <integer>
set prefix6 <ipv6-prefix>
set access-list6 <string>
end
config distribute-list
edit <name_str>
set id <integer>
set status {enable | disable}
set direction {in | out}
set listname <string>
set interface <string>
end
config neighbor
edit <name_str>
set id <integer>
set ip6 <ipv6-address>
set interface <string>
end
config network
edit <name_str>
set id <integer>
set prefix <ipv6-prefix>
end
config aggregate-address
edit <name_str>
set id <integer>
set prefix6 <ipv6-prefix>
end
config offset-list
edit <name_str>
set id <integer>
set status {enable | disable}
set direction {in | out}
set access-list6 <string>
set offset <integer>
set interface <string>
end
config passive-interface
edit <name_str>
set name <string>
end
config redistribute
edit <name_str>
set name <string>
set status {enable | disable}
set metric <integer>
set routemap <string>
set flags <integer>
end
set update-timer <integer>
set timeout-timer <integer>
set garbage-timer <integer>
config interface
edit <name_str>
set name <string>
set split-horizon-status {enable | disable}
set split-horizon {poisoned | regular}
set flags <integer>
end
end
Description
Configuration Description Default Value
default-information-originate Enable/disable generation of default route. disable
default-metric Default metric. 1
max-out-metric Maximum metric allowed to output (0 means 'not set'). 0
distance Distance. (Empty)
distribute-list Distribute list. (Empty)
neighbor Neighbor. (Empty)
network Network. (Empty)
aggregate-address Aggregate address. (Empty)
offset-list Offset list. (Empty)
passive-interface Passive interface configuration. (Empty)
redistribute Redistribute configuration. (Empty)
update-timer Update timer. 30
timeout-timer Timeout timer. 180
garbage-timer Garbage timer. 120
interface RIPng interface configuration. (Empty)
router/route-map
CLI Syntax
config router route-map
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set action {permit | deny}
set match-as-path <string>
set match-community <string>
set match-community-exact {enable | disable}
set match-origin {none | egp | igp | incomplete}
set match-interface <string>
set match-ip-address <string>
set match-ip6-address <string>
set match-ip-nexthop <string>
set match-ip6-nexthop <string>
set match-metric <integer>
set match-route-type {1 | 2}
set match-tag <integer>
set set-aggregator-as <integer>
set set-aggregator-ip <ipv4-address-any>
set set-aspath-action {prepend | replace}
config set-aspath
edit <name_str>
set as <string>
end
set set-atomic-aggregate {enable | disable}
set set-community-delete <string>
config set-community
edit <name_str>
set community <string>
end
set set-community-additive {enable | disable}
set set-dampening-reachability-half-life <integer>
set set-dampening-reuse <integer>
set set-dampening-suppress <integer>
set set-dampening-max-suppress <integer>
set set-dampening-unreachability-half-life <integer>
config set-extcommunity-rt
edit <name_str>
set community <string>
end
config set-extcommunity-soo
edit <name_str>
set community <string>
end
set set-ip-nexthop <ipv4-address>
set set-ip6-nexthop <ipv6-address>
set set-ip6-nexthop-local <ipv6-address>
set set-local-preference <integer>
set set-metric <integer>
set set-metric-type {1 | 2}
set set-originator-id <ipv4-address-any>
set set-origin {none | egp | igp | incomplete}
set set-tag <integer>
set set-weight <integer>
set set-flags <integer>
set match-flags <integer>
end
end
Description
Configuration Description Default Value
name Name. (Empty)
comments Comment. (Empty)
rule Rule. (Empty)
router/setting
CLI Syntax
config router setting
edit <name_str>
set show-filter <string>
set hostname <string>
end
Description
Configuration Description Default Value
show-filter Prefix-list as filter for showing routes. (Empty)
hostname Hostname for this virtual domain router. (Empty)
router/static
CLI Syntax
config router static
edit <name_str>
set seq-num <integer>
set dst <ipv4-classnet>
set gateway <ipv4-address>
set distance <integer>
set weight <integer>
set priority <integer>
set device <string>
set comment <var-string>
set blackhole {enable | disable}
set dynamic-gateway {enable | disable}
set virtual-wan-link {enable | disable}
set dstaddr <string>
set internet-service <integer>
set internet-service-custom <string>
end
Description
Configuration Description Default Value
seq-num Entry number. 0
dst Destination IP and mask for this route. [Link] [Link]
gateway Gateway IP for this route. [Link]
distance Administrative distance (1 - 255). 10
weight Administrative weight (0 - 255). 0
priority Administrative priority (0 - 4294967295). 0
device Enable/disable gateway out interface. (Empty)
comment Comment. (Empty)
blackhole Enable/disable black hole. disable
dynamic-gateway Enable use of dynamic gateway retrieved from a DHCP or PPP server. disable
virtual-wan-link Enable/disable egress through the virtual-wan-link. disable
dstaddr Name of firewall address or address group. (Empty)
internet-service Application ID in the Internet service database. 0
internet-service-custom Application name in the Internet service custom database. (Empty)
router/static6
CLI Syntax
config router static6
edit <name_str>
set seq-num <integer>
set dst <ipv6-network>
set gateway <ipv6-address>
set device <string>
set devindex <integer>
set distance <integer>
set priority <integer>
set comment <var-string>
set blackhole {enable | disable}
end
Description
Configuration Description Default Value
seq-num Sequence number. 0
dst Destination IPv6 prefix for this route. ::/0
gateway Gateway IPv6 address for this route. ::
device Gateway out interface or tunnel. (Empty)
devindex Device index (0 - 4294967295). 0
distance Administrative distance (1 - 255). 10
priority Administrative priority (0 - 4294967295). 0
comment Comment. (Empty)
blackhole Enable/disable black hole. disable
spamfilter/bwl
CLI Syntax
config spamfilter bwl
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set status {enable | disable}
set id <integer>
set type {ip | email}
set action {reject | spam | clear}
set addr-type {ipv4 | ipv6}
set ip4-subnet <ipv4-classnet>
set ip6-subnet <ipv6-network>
set pattern-type {wildcard | regexp}
set email-pattern <string>
end
end
Description
Configuration Description Default Value
id ID. 0
name Name of table. (Empty)
comment Comment. (Empty)
entries Anti-spam black/white list entries. (Empty)
spamfilter/bword
CLI Syntax
config spamfilter bword
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set status {enable | disable}
set id <integer>
set pattern <string>
set pattern-type {wildcard | regexp}
set action {spam | clear}
set where {subject | body | all}
set language {western | simch | trach | japanese | korean | french | thai | spanish}
set score <integer>
end
end
Description
Configuration Description Default Value
id ID. 0
name Name of table. (Empty)
comment Comment. (Empty)
entries Spam filter banned word. (Empty)
spamfilter/dnsbl
CLI Syntax
config spamfilter dnsbl
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set status {enable | disable}
set id <integer>
set server <string>
set action {reject | spam}
end
end
Description
Configuration Description Default Value
id ID. 0
name Name of table. (Empty)
comment Comment. (Empty)
entries Spam filter DNSBL and ORBL server. (Empty)
spamfilter/fortishield
CLI Syntax
config spamfilter fortishield
edit <name_str>
set spam-submit-srv <string>
set spam-submit-force {enable | disable}
set spam-submit-txt2htm {enable | disable}
end
Description
Configuration Description Default Value
spam-submit-srv Hostname of the spam submission server. [Link]
spam-submit-force Enable/disable force insertion of a new MIME entity for the submission text. enable
spam-submit-txt2htm Enable/disable conversion of text email to HTML email. enable
spamfilter/iptrust
CLI Syntax
config spamfilter iptrust
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set status {enable | disable}
set id <integer>
set addr-type {ipv4 | ipv6}
set ip4-subnet <ipv4-classnet>
set ip6-subnet <ipv6-network>
end
end
Description
Configuration Description Default Value
id ID. 0
name Name of table. (Empty)
comment Comment. (Empty)
entries Spam filter trusted IP addresses. (Empty)
spamfilter/mheader
CLI Syntax
config spamfilter mheader
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set status {enable | disable}
set id <integer>
set fieldname <string>
set fieldbody <string>
set pattern-type {wildcard | regexp}
set action {spam | clear}
end
end
Description
Configuration Description Default Value
id ID. 0
name Name of table. (Empty)
comment Comment. (Empty)
entries Spam filter MIME header content. (Empty)
spamfilter/options
CLI Syntax
config spamfilter options
edit <name_str>
set dns-timeout <integer>
end
Description
Configuration Description Default Value
dns-timeout DNS query timeout (1 - 30 sec). 7
spamfilter/profile
CLI Syntax
config spamfilter profile
edit <name_str>
set name <string>
set comment <var-string>
set flow-based {enable | disable}
set replacemsg-group <string>
set spam-log {enable | disable}
set spam-filtering {enable | disable}
set external {enable | disable}
set options {bannedword | spambwl | spamfsip | spamfssubmit | spamfschksum | spamfsurl | spamhelodns | spamraddrdns | spamrbl | spamhdrcheck | spamfsphish}
config imap
edit <name_str>
set log {enable | disable}
set action {pass | tag}
set tag-type {subject | header | spaminfo}
set tag-msg <string>
end
config pop3
edit <name_str>
set log {enable | disable}
set action {pass | tag}
set tag-type {subject | header | spaminfo}
set tag-msg <string>
end
config smtp
edit <name_str>
set log {enable | disable}
set action {pass | tag | discard}
set tag-type {subject | header | spaminfo}
set tag-msg <string>
set hdrip {enable | disable}
set local-override {enable | disable}
end
config mapi
edit <name_str>
set log {enable | disable}
set action {pass | discard}
end
config msn-hotmail
edit <name_str>
set log {enable | disable}
end
config yahoo-mail
edit <name_str>
set log {enable | disable}
end
config gmail
edit <name_str>
set log {enable | disable}
end
set spam-bword-threshold <integer>
set spam-bword-table <integer>
set spam-bwl-table <integer>
set spam-mheader-table <integer>
set spam-rbl-table <integer>
set spam-iptrust-table <integer>
end
Description
Configuration Description Default Value
name Profile name. (Empty)
comment Comment. (Empty)
flow-based Enable/disable flow-based spam filtering. disable
replacemsg-group Replacement message group. (Empty)
spam-log Enable/disable spam logging for email filtering. enable
spam-filtering Enable/disable spam filtering. disable
external Enable/disable external Email inspection. disable
options Options. (Empty)
imap IMAP. Details below
Configuration Default Value
log disable
action tag
tag-type subject spaminfo
tag-msg Spam
pop3 POP3. Details below
Configuration Default Value
log disable
action tag
tag-type subject spaminfo
tag-msg Spam
smtp SMTP. Details below
Configuration Default Value
log disable
action discard
tag-type subject spaminfo
tag-msg Spam
hdrip disable
local-override disable
mapi MAPI. Details below
Configuration Default Value
log disable
action discard
msn-hotmail MSN Hotmail. Details below
Configuration Default Value
log disable
yahoo-mail Yahoo! Mail. Details below
Configuration Default Value
log disable
gmail Gmail. Details below
Configuration Default Value
log disable
spam-bword-threshold Spam banned word threshold. 10
spam-bword-table Anti-spam banned word table ID. 0
spam-bwl-table Anti-spam black/white list table ID. 0
spam-mheader-table Anti-spam MIME header table ID. 0
spam-rbl-table Anti-spam DNSBL table ID. 0
spam-iptrust-table Anti-spam IP trust table ID. 0
[Link]/push-update
CLI Syntax
config [Link] push-update
edit <name_str>
set status {enable | disable}
set override {enable | disable}
set address <ipv4-address-any>
set port <integer>
end
Description
Configuration Description Default Value
status Enable/disable push updates. disable
override Enable/disable push update override server. disable
address Push update override server. [Link]
port Push update override port. 9443
[Link]/schedule
CLI Syntax
config [Link] schedule
edit <name_str>
set status {enable | disable}
set frequency {every | daily | weekly}
set time <user>
set day {Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday}
end
Description
Configuration Description Default Value
status Enable/disable scheduled updates. enable
frequency Update frequency. every
time Update time. 02:60
day Update day. Monday
[Link]/tunneling
CLI Syntax
config [Link] tunneling
edit <name_str>
set status {enable | disable}
set address <string>
set port <integer>
set username <string>
set password <password>
end
Description
Configuration Description Default Value
status Enable/disable web proxy tunnelling. disable
address Web proxy IP address or FQDN. (Empty)
port Web proxy port. 0
username Web proxy username. (Empty)
password Web proxy password. (Empty)
[Link]/server
CLI Syntax
config [Link] server
edit <name_str>
set id <integer>
set status {disable | enable}
set lease-time <integer>
set mac-acl-default-action {assign | block}
set forticlient-on-net-status {disable | enable}
set dns-service {local | default | specify}
set dns-server1 <ipv4-address>
set dns-server2 <ipv4-address>
set dns-server3 <ipv4-address>
set wifi-ac1 <ipv4-address>
set wifi-ac2 <ipv4-address>
set wifi-ac3 <ipv4-address>
set ntp-service {local | default | specify}
set ntp-server1 <ipv4-address>
set ntp-server2 <ipv4-address>
set ntp-server3 <ipv4-address>
set domain <string>
set wins-server1 <ipv4-address>
set wins-server2 <ipv4-address>
set default-gateway <ipv4-address>
set next-server <ipv4-address>
set netmask <ipv4-netmask>
set interface <string>
config ip-range
edit <name_str>
set id <integer>
set start-ip <ipv4-address>
set end-ip <ipv4-address>
end
set timezone-option {disable | default | specify}
set timezone {01 | 02 | 03 | 04 | 05 | 81 | 06 | 07 | 08 | 09 | 10 | 11 | 12 | 13 | 74 | 14 | 77 | 15 | 16 | 17 | 18 | 19 | 20 | 75 | 21 | 22 | 23 | 24 | 80 | 79 | 25 | 26 | 27 | 28 | 78 | 29 | 30 | 31 | 85 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 83 | 84 | 40 | 41 | 42 | 43 | 39 | 44 | 46 | 47 | 51 | 48 | 45 | 49 | 50 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 62 | 63 | 61 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 00 | 82 | 73 | 86 | 76}
set tftp-server <string>
set filename <string>
set option1 <user>
set option2 <user>
set option3 <user>
set option4 <user>
set option5 <user>
set option6 <user>
set server-type {regular | ipsec}
set ip-mode {range | usrgrp}
set conflicted-ip-timeout <integer>
set ipsec-lease-hold <integer>
set auto-configuration {disable | enable}
set ddns-update {disable | enable}
set ddns-server-ip <ipv4-address>
set ddns-zone <string>
set ddns-auth {disable | tsig}
set ddns-keyname <string>
set ddns-key <user>
set ddns-ttl <integer>
set vci-match {disable | enable}
config vci-string
edit <name_str>
set vci-string <string>
end
config exclude-range
edit <name_str>
set id <integer>
set start-ip <ipv4-address>
set end-ip <ipv4-address>
end
config reserved-address
edit <name_str>
set id <integer>
set ip <ipv4-address>
set mac <mac-address>
set action {assign | block | reserved}
set description <var-string>
end
end
Description
Configuration Description Default Value
id ID. 0
status Enable/disable this DHCP configuration. enable
lease-time Lease time in seconds. 604800
mac-acl-default-action MAC access control default action. assign
forticlient-on-net-status Enable/disable sending the FortiGate serial number as a DHCP option. enable
dns-service DNS service option. specify
dns-server1 DNS server 1. [Link]
dns-server2 DNS server 2. [Link]
dns-server3 DNS server 3. [Link]
wifi-ac1 WiFi AC 1. [Link]
wifi-ac2 WiFi AC 2. [Link]
wifi-ac3 WiFi AC 3. [Link]
ntp-service NTP service option. specify
ntp-server1 NTP server 1. [Link]
ntp-server2 NTP server 2. [Link]
ntp-server3 NTP server 3. [Link]
domain Domain name. (Empty)
wins-server1 WINS server 1. [Link]
wins-server2 WINS server 2. [Link]
default-gateway Enable/disable default gateway. [Link]
next-server Next bootstrap server. [Link]
netmask Netmask. [Link]
interface Interface name. (Empty)
ip-range DHCP IP range configuration. (Empty)
timezone-option Time zone settings. disable
timezone Time zone. 00
tftp-server Hostname or IP address of the TFTP server. (Empty)
filename Boot file name. (Empty)
option1 Option 1. 0
option2 Option 2. 0
option3 Option 3. 0
option4 Option 4. 0
option5 Option 5. 0
option6 Option 6. 0
server-type Type of DHCP service to provide. regular
ip-mode Method used to assign client IP. range
conflicted-ip-timeout Time after which a conflicted IP is removed from the range (seconds). 1800
ipsec-lease-hold DHCP over IPsec leases expire this many seconds after tunnel down (0 to disable forced expiry). 60
auto-configuration Enable/disable auto configuration. enable
ddns-update Enable/disable DDNS update for DHCP. disable
ddns-server-ip DDNS server IP. [Link]
ddns-zone Zone of your domain name (ex. [Link]). (Empty)
ddns-auth DDNS authentication mode. disable
ddns-keyname DDNS update key name. (Empty)
ddns-key DDNS update key (base 64 encoding). 'ENC AuAHaUUdY1NOrENeFjxC6TXsIjntkrMvREwMTLVsKksjKKAeHgnmgOYHVJsx1EMp4FsdxXlBMGI9fs0Gob4fjHviV670NU8ypyB+szhnVal5VB5J/EQgo1R2WKM='
ddns-ttl TTL. 300
vci-match Enable/disable VCI matching. disable
vci-string VCI strings. (Empty)
exclude-range DHCP exclude range configuration. (Empty)
reserved-address DHCP reserved IP address. (Empty)
system.dhcp6/server
CLI Syntax
config system.dhcp6 server
edit <name_str>
set id <integer>
set status {disable | enable}
set rapid-commit {disable | enable}
set lease-time <integer>
set dns-service {delegated | default | specify}
set dns-server1 <ipv6-address>
set dns-server2 <ipv6-address>
set dns-server3 <ipv6-address>
set domain <string>
set subnet <ipv6-prefix>
set interface <string>
set option1 <user>
set option2 <user>
set option3 <user>
set upstream-interface <string>
set ip-mode {range | delegated}
config ip-range
edit <name_str>
set id <integer>
set start-ip <ipv6-address>
set end-ip <ipv6-address>
end
end
Description
Configuration Description Default Value
id ID. 0
status Enable/disable this DHCP configuration. enable
rapid-commit Enable/disable rapid commit. disable
lease-time Lease time in seconds. 604800
dns-service DNS service option. specify
dns-server1 DNS server 1. ::
dns-server2 DNS server 2. ::
dns-server3 DNS server 3. ::
domain Domain name. (Empty)
subnet Subnet or subnet-id if the IP mode is delegated. ::/0
interface Interface name. (Empty)
option1 Option 1. 0
option2 Option 2. 0
option3 Option 3. 0
upstream-interface Interface name from where delegated information is provided. (Empty)
ip-mode Method used to assign client IP. range
ip-range DHCP IP range configuration. (Empty)
[Link]/admin
CLI Syntax
config [Link] admin
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
Description
Configuration Description Default Value
msg-type Message type. (Empty)
buffer Message string. (Empty)
header Header flag. none
format Format flag. none
[Link]/alertmail
CLI Syntax
config [Link] alertmail
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
Description
Configuration Description Default Value
msg-type Message type. (Empty)
buffer Message string. (Empty)
header Header flag. none
format Format flag. none
[Link]/auth
CLI Syntax
config [Link] auth
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
Description
Configuration Description Default Value
msg-type Message type. (Empty)
buffer Message string. (Empty)
header Header flag. none
format Format flag. none
[Link]/device-detection-portal
CLI Syntax
config [Link] device-detection-portal
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
Description
Configuration Description Default Value
msg-type Message type. (Empty)
buffer Message string. (Empty)
header Header flag. none
format Format flag. none
[Link]/ec
CLI Syntax
config [Link] ec
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
Description
Configuration Description Default Value
msg-type Message type. (Empty)
buffer Message string. (Empty)
header Header flag. none
format Format flag. none
[Link]/fortiguard-wf
CLI Syntax
config [Link] fortiguard-wf
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
Description
Configuration Description Default Value
msg-type Message type. (Empty)
buffer Message string. (Empty)
header Header flag. none
format Format flag. none
[Link]/ftp
CLI Syntax
config [Link] ftp
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
Description
Configuration Description Default Value
msg-type Message type. (Empty)
buffer Message string. (Empty)
header Header flag. none
format Format flag. none
[Link]/http
CLI Syntax
config [Link] http
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
Description
Configuration Description Default Value
msg-type Message type. (Empty)
buffer Message string. (Empty)
header Header flag. none
format Format flag. none
[Link]/mail
CLI Syntax
config [Link] mail
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
Description
Configuration Description Default Value
msg-type Message type. (Empty)
buffer Message string. (Empty)
header Header flag. none
format Format flag. none
[Link]/nac-quar
CLI Syntax
config [Link] nac-quar
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
Description
Configuration Description Default Value
msg-type Message type. (Empty)
buffer Message string. (Empty)
header Header flag. none
format Format flag. none
[Link]/nntp
CLI Syntax
config [Link] nntp
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
Description
Configuration Description Default Value
msg-type Message type. (Empty)
buffer Message string. (Empty)
header Header flag. none
format Format flag. none
[Link]/spam
CLI Syntax
config [Link] spam
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
Description
Configuration Description Default Value
msg-type Message type. (Empty)
buffer Message string. (Empty)
header Header flag. none
format Format flag. none
[Link]/sslvpn
CLI Syntax
config [Link] sslvpn
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
Description
Configuration Description Default Value
msg-type Message type. (Empty)
buffer Message string. (Empty)
header Header flag. none
format Format flag. none
[Link]/traffic-quota
CLI Syntax
config [Link] traffic-quota
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
Description
Configuration Description Default Value
msg-type Message type. (Empty)
buffer Message string. (Empty)
header Header flag. none
format Format flag. none
[Link]/utm
CLI Syntax
config [Link] utm
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
Description
Configuration Description Default Value
msg-type Message type. (Empty)
buffer Message string. (Empty)
header Header flag. none
format Format flag. none
[Link]/webproxy
CLI Syntax
config [Link] webproxy
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
Description
Configuration Description Default Value
msg-type Message type. (Empty)
buffer Message string. (Empty)
header Header flag. none
format Format flag. none
[Link]/community
CLI Syntax
config [Link] community
edit <name_str>
set id <integer>
set name <string>
set status {enable | disable}
config hosts
edit <name_str>
set id <integer>
set source-ip <ipv4-address>
set ip <user>
set interface <string>
set ha-direct {enable | disable}
set host-type {any | query | trap}
end
config hosts6
edit <name_str>
set id <integer>
set source-ipv6 <ipv6-address>
set ipv6 <ipv6-prefix>
set ha-direct {enable | disable}
set interface <string>
set host-type {any | query | trap}
end
set query-v1-status {enable | disable}
set query-v1-port <integer>
set query-v2c-status {enable | disable}
set query-v2c-port <integer>
set trap-v1-status {enable | disable}
set trap-v1-lport <integer>
set trap-v1-rport <integer>
set trap-v2c-status {enable | disable}
set trap-v2c-lport <integer>
set trap-v2c-rport <integer>
set events {cpu-high | mem-low | log-full | intf-ip | vpn-tun-up | vpn-tun-down |
ha-switch | ha-hb-failure | ips-signature | ips-anomaly | av-virus | av-oversize |
av-pattern | av-fragmented | fm-if-change | fm-conf-change | bgp-established |
bgp-backward-transition | ha-member-up | ha-member-down | ent-conf-change |
av-conserve | av-bypass | av-oversize-passed | av-oversize-blocked | ips-pkg-update |
ips-fail-open | temperature-high | voltage-alert | power-supply-failure |
faz-disconnect | fan-failure | wc-ap-up | wc-ap-down | fswctl-session-up |
fswctl-session-down | load-balance-real-server-down | device-new}
end
Description
Configuration Description Default Value
id Community ID. 0
name Community name. (Empty)
status Enable/disable this community. enable
hosts Allow hosts configuration. (Empty)
hosts6 Allow hosts configuration for IPv6. (Empty)
query-v1-status Enable/disable SNMP v1 query. enable
query-v1-port SNMP v1 query port. 161
query-v2c-status Enable/disable SNMP v2c query. enable
query-v2c-port SNMP v2c query port. 161
trap-v1-status Enable/disable SNMP v1 trap. enable
trap-v1-lport SNMP v1 trap local port. 162
trap-v1-rport SNMP v1 trap remote port. 162
trap-v2c-status Enable/disable SNMP v2c trap. enable
trap-v2c-lport SNMP v2c trap local port. 162
trap-v2c-rport SNMP v2c trap remote port. 162
events SNMP trap events. cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open temperature-high voltage-alert power-supply-failure faz-disconnect fan-failure wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down load-balance-real-server-down
[Link]/sysinfo
CLI Syntax
config [Link] sysinfo
edit <name_str>
set status {enable | disable}
set engine-id <string>
set description <string>
set contact-info <string>
set location <string>
set trap-high-cpu-threshold <integer>
set trap-low-memory-threshold <integer>
set trap-log-full-threshold <integer>
end
Description
Configuration Description Default Value
status Enable/disable SNMP. disable
engine-id Local SNMP engineID string (maximum 24 characters). (Empty)
description System description. (Empty)
contact-info Contact information. (Empty)
location System location. (Empty)
trap-high-cpu-threshold CPU usage when trap is sent. 80
trap-low-memory-threshold Memory usage when trap is sent. 80
trap-log-full-threshold Log disk usage when trap is sent. 90
[Link]/user
CLI Syntax
config [Link] user
edit <name_str>
set name <string>
set status {enable | disable}
set trap-status {enable | disable}
set trap-lport <integer>
set trap-rport <integer>
set queries {enable | disable}
set query-port <integer>
set notify-hosts <ipv4-address>
set notify-hosts6 <ipv6-address>
set source-ip <ipv4-address>
set source-ipv6 <ipv6-address>
set ha-direct {enable | disable}
set events {cpu-high | mem-low | log-full | intf-ip | vpn-tun-up | vpn-tun-down |
ha-switch | ha-hb-failure | ips-signature | ips-anomaly | av-virus | av-oversize |
av-pattern | av-fragmented | fm-if-change | fm-conf-change | bgp-established |
bgp-backward-transition | ha-member-up | ha-member-down | ent-conf-change |
av-conserve | av-bypass | av-oversize-passed | av-oversize-blocked | ips-pkg-update |
ips-fail-open | temperature-high | voltage-alert | power-supply-failure |
faz-disconnect | fan-failure | wc-ap-up | wc-ap-down | fswctl-session-up |
fswctl-session-down | load-balance-real-server-down | device-new}
set security-level {no-auth-no-priv | auth-no-priv | auth-priv}
set auth-proto {md5 | sha}
set auth-pwd <password>
set priv-proto {aes | des | aes256 | aes256cisco}
set priv-pwd <password>
end
Description
Configuration Description Default Value
name SNMP user name. (Empty)
status Enable/disable this user. enable
trap-status Enable/disable traps for this user. enable
trap-lport SNMPv3 trap local port. 162
trap-rport SNMPv3 trap remote port. 162
queries Enable/disable queries for this user. enable
query-port SNMPv3 query port. 161
notify-hosts Hosts to send notifications (traps) to. (Empty)
notify-hosts6 IPv6 hosts to send notifications (traps) to. (Empty)
source-ip Source IP for SNMP trap. [Link]
source-ipv6 Source IPv6 for SNMP trap. ::
ha-direct Enable/disable direct management of HA cluster disable
members.
events SNMP notifications (traps) to send. cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open temperature-high voltage-alert power-supply-failure faz-disconnect fan-failure wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down load-balance-real-server-down
security-level Security level for message authentication and no-auth-no-priv
encryption.
auth-proto Authentication protocol. sha
auth-pwd Password for authentication protocol. (Empty)
priv-proto Privacy (encryption) protocol. aes
priv-pwd Password for privacy (encryption) protocol. (Empty)
system/accprofile
CLI Syntax
config system accprofile
edit <name_str>
set name <string>
set scope {vdom | global}
set comments <var-string>
set mntgrp {none | read | read-write}
set admingrp {none | read | read-write}
set updategrp {none | read | read-write}
set authgrp {none | read | read-write}
set sysgrp {none | read | read-write}
set netgrp {none | read | read-write}
set loggrp {none | read | read-write | custom | w | r | rw}
set routegrp {none | read | read-write}
set fwgrp {none | read | read-write | custom | w | r | rw}
set vpngrp {none | read | read-write}
set utmgrp {none | read | read-write | custom | w | r | rw}
set wanoptgrp {none | read | read-write}
set endpoint-control-grp {none | read | read-write}
set wifi {none | read | read-write}
config fwgrp-permission
edit <name_str>
set policy {none | read | read-write}
set address {none | read | read-write}
set service {none | read | read-write}
set schedule {none | read | read-write}
set packet-capture {none | read | read-write}
set others {none | read | read-write}
end
config loggrp-permission
edit <name_str>
set config {none | read | read-write}
set data-access {none | read | read-write}
set report-access {none | read | read-write}
set threat-weight {none | read | read-write}
end
config utmgrp-permission
edit <name_str>
set antivirus {none | read | read-write}
set ips {none | read | read-write}
set webfilter {none | read | read-write}
set spamfilter {none | read | read-write}
set data-loss-prevention {none | read | read-write}
set application-control {none | read | read-write}
set icap {none | read | read-write}
set casi {none | read | read-write}
set voip {none | read | read-write}
set waf {none | read | read-write}
set dnsfilter {none | read | read-write}
end
end
Description
Configuration Description Default Value
name Profile name. (Empty)
scope Global or single VDOM access restriction. vdom
comments Comment. (Empty)
mntgrp Maintenance. none
admingrp Administrator Users. none
updategrp FortiGuard Update. none
authgrp User & Device. none
sysgrp System Configuration. none
netgrp Network Configuration. none
loggrp Log & Report. none
routegrp Router Configuration. none
fwgrp Firewall Configuration. none
vpngrp VPN Configuration. none
utmgrp Security Profile Configuration. none
wanoptgrp WAN Opt & Cache. none
endpoint-control-grp Endpoint Security. none
wifi Wireless controller. none
fwgrp-permission Custom firewall permission. Details below
Configuration Default Value
policy none
address none
service none
schedule none
packet-capture none
others none
loggrp-permission Custom Log & Report permission. Details below
Configuration Default Value
config none
data-access none
report-access none
threat-weight none
utmgrp-permission Custom UTM permission. Details below
Configuration Default Value
antivirus none
ips none
webfilter none
spamfilter none
data-loss-prevention none
application-control none
icap none
casi none
voip none
waf none
dnsfilter none
system/admin
CLI Syntax
config system admin
edit <name_str>
set name <string>
set wildcard {enable | disable}
set remote-auth {enable | disable}
set remote-group <string>
set password <password-2>
set peer-auth {enable | disable}
set peer-group <string>
set trusthost1 <ipv4-classnet>
set trusthost2 <ipv4-classnet>
set trusthost3 <ipv4-classnet>
set trusthost4 <ipv4-classnet>
set trusthost5 <ipv4-classnet>
set trusthost6 <ipv4-classnet>
set trusthost7 <ipv4-classnet>
set trusthost8 <ipv4-classnet>
set trusthost9 <ipv4-classnet>
set trusthost10 <ipv4-classnet>
set ip6-trusthost1 <ipv6-prefix>
set ip6-trusthost2 <ipv6-prefix>
set ip6-trusthost3 <ipv6-prefix>
set ip6-trusthost4 <ipv6-prefix>
set ip6-trusthost5 <ipv6-prefix>
set ip6-trusthost6 <ipv6-prefix>
set ip6-trusthost7 <ipv6-prefix>
set ip6-trusthost8 <ipv6-prefix>
set ip6-trusthost9 <ipv6-prefix>
set ip6-trusthost10 <ipv6-prefix>
set accprofile <string>
set allow-remove-admin-session {enable | disable}
set comments <var-string>
set hidden <integer>
config vdom
edit <name_str>
set name <string>
end
set is-admin <integer>
set ssh-public-key1 <user>
set ssh-public-key2 <user>
set ssh-public-key3 <user>
set ssh-certificate <string>
set schedule <string>
set accprofile-override {enable | disable}
set radius-vdom-override {enable | disable}
set password-expire <user>
set force-password-change {enable | disable}
config dashboard
edit <name_str>
set id <integer>
set widget-type {sysinfo | licinfo | sysop | sysres | alert | jsconsole | raid | tr-history | analytics | usb-modem}
set name <string>
set column <integer>
set refresh-interval <integer>
set time-period <integer>
set chart-color <integer>
set top-n <integer>
set sort-by {bytes | msg-counts | packets | bandwidth | sessions}
set report-by {source | destination | application | dlp-rule | dlp-sensor | policy | protocol | web-category | web-domain | all | profile}
set ip-version {ipboth | ipv4 | ipv6}
set resolve-host {enable | disable}
set resolve-service {enable | disable}
set aggregate-hosts {enable | disable}
set resolve-apps {enable | disable}
set display-format {chart | table | line}
set view-type {real-time | historical}
set cpu-display-type {average | each}
set interface <string>
set dst-interface <string>
set tr-history-period1 <integer>
set tr-history-period2 <integer>
set tr-history-period3 <integer>
set vdom <string>
set refresh {enable | disable}
set status {close | open}
set protocols <integer>
set show-system-restart {enable | disable}
set show-conserve-mode {enable | disable}
set show-firmware-change {enable | disable}
set show-fds-update {enable | disable}
set show-device-update {enable | disable}
set show-fds-quota {enable | disable}
set show-disk-failure {enable | disable}
set show-power-supply {enable | disable}
set show-admin-auth {enable | disable}
set show-fgd-alert {enable | disable}
set show-fcc-license {enable | disable}
set show-policy-overflow {enable | disable}
end
set two-factor {disable | fortitoken | email | sms}
set fortitoken <string>
set email-to <string>
set sms-server {fortiguard | custom}
set sms-custom-server <string>
set sms-phone <string>
set guest-auth {disable | enable}
config guest-usergroups
edit <name_str>
set name <string>
end
set guest-lang <string>
set history0 <password-2>
set history1 <password-2>
config login-time
edit <name_str>
set usr-name <string>
set last-login <datetime>
set last-failed-login <datetime>
end
end
Description
Configuration Description Default Value
name User name. (Empty)
wildcard Enable/disable wildcard RADIUS authentication. disable
remote-auth Enable/disable remote authentication. disable
remote-group User group name used for remote auth. (Empty)
password Admin user password. ENC XXUp2ozpdysrQ
peer-auth Enable/disable peer authentication. disable
peer-group Peer group name. (Empty)
trusthost1 Admin user trust host IP, default [Link] [Link] for all. [Link] [Link]
trusthost2 Admin user trust host IP, default [Link] [Link] for all. [Link] [Link]
trusthost3 Admin user trust host IP, default [Link] [Link] for all. [Link] [Link]
trusthost4 Admin user trust host IP, default [Link] [Link] for all. [Link] [Link]
trusthost5 Admin user trust host IP, default [Link] [Link] for all. [Link] [Link]
trusthost6 Admin user trust host IP, default [Link] [Link] for all. [Link] [Link]
trusthost7 Admin user trust host IP, default [Link] [Link] for all. [Link] [Link]
trusthost8 Admin user trust host IP, default [Link] [Link] for all. [Link] [Link]
trusthost9 Admin user trust host IP, default [Link] [Link] for all. [Link] [Link]
trusthost10 Admin user trust host IP, default [Link] [Link] for all. [Link] [Link]
ip6-trusthost1 Admin user IPv6 trust host IP, default ::/0 for all. ::/0
ip6-trusthost2 Admin user IPv6 trust host IP, default ::/0 for all. ::/0
ip6-trusthost3 Admin user IPv6 trust host IP, default ::/0 for all. ::/0
ip6-trusthost4 Admin user IPv6 trust host IP, default ::/0 for all. ::/0
ip6-trusthost5 Admin user IPv6 trust host IP, default ::/0 for all. ::/0
ip6-trusthost6 Admin user IPv6 trust host IP, default ::/0 for all. ::/0
ip6-trusthost7 Admin user IPv6 trust host IP, default ::/0 for all. ::/0
ip6-trusthost8 Admin user IPv6 trust host IP, default ::/0 for all. ::/0
ip6-trusthost9 Admin user IPv6 trust host IP, default ::/0 for all. ::/0
ip6-trusthost10 Admin user IPv6 trust host IP, default ::/0 for all. ::/0
accprofile Admin user access profile. (Empty)
allow-remove-admin-session Enable/disable allow admin session to be removed by privileged admin users. enable
comments Comment. (Empty)
hidden Admin user hidden attribute. 0
vdom Virtual domains. (Empty)
is-admin Is user admin. 0
ssh-public-key1 SSH public key1. (Empty)
ssh-public-key2 SSH public key2. (Empty)
ssh-public-key3 SSH public key3. (Empty)
ssh-certificate SSH certificate. (Empty)
schedule Schedule name. (Empty)
accprofile-override Enable/disable allow access profile to be overridden from remote auth server. disable
radius-vdom-override Enable/disable allow VDOM to be overridden from RADIUS. disable
password-expire Password expire time. 0000-00-00 [Link]
force-password-change Enable/disable force password change on next disable
login.
dashboard GUI custom dashboard. (Empty)
two-factor Enable/disable two-factor authentication. disable
fortitoken Two-factor recipient's FortiToken serial number. (Empty)
email-to Two-factor recipient's email address. (Empty)
sms-server Send SMS through FortiGuard or other external server. fortiguard
sms-custom-server Two-factor recipient's SMS server. (Empty)
sms-phone Two-factor recipient's mobile phone number. (Empty)
guest-auth Enable/disable guest authentication. disable
guest-usergroups Select guest user groups. (Empty)
guest-lang Guest management portal language. (Empty)
history0 Password history entry 0. ENC
history1 Password history entry 1. ENC
login-time Record user login time. (Empty)
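The tables above state the value the unit applies when a setting is absent from the configuration: SNMPv1 and SNMPv2c queries enabled on every community, no-auth-no-priv for an SNMPv3 user, the "for all" trusthost for every administrator, and two-factor disabled. Those defaults are exactly what an audit of a configuration backup has to fill in, because `show` and the backup file omit settings that are still at their default. The script below is an added example, not code from this reference or from Fortinet: it parses the config / edit / set / next / end block structure shown in every CLI Syntax section and reports weak settings in the system snmp community, system snmp user and system admin tables against the defaults listed here. Its sample configuration is constructed for the example (addresses are documentation ranges, and the SNMPv3 users omit the auth-pwd and priv-pwd lines a real export carries); treating the community names public and private as weak is convention, not something the reference states; and the rule that a trusthost left at the "for all" default does not restrict the account, so that only a specific network counts as a restriction, is an assumption about how FortiOS evaluates the list.

```python
"""Audit a FortiOS 5.4 config export for weak management-plane settings.
Added example, not code from the FortiOS CLI Reference or from Fortinet. It
parses the config / edit / set / next / end structure this reference documents
and checks system snmp community, system snmp user and system admin against
the listed defaults. SAMPLE_CONFIG is constructed; its names and addresses are made up."""
import ipaddress
import re
import shlex

SAMPLE_CONFIG = """\
config system snmp community
    edit 1
        set name "public"
        config hosts
            edit 1
                set ip 192.0.2.10 255.255.255.255
            next
        end
    next
end
config system snmp user
    edit "nms-v3"
        set security-level auth-priv
    next
    edit "legacy-v3"
        set security-level auth-no-priv
    next
end
config system admin
    edit "admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
    edit "noc-ro"
        set trusthost1 192.0.2.0 255.255.255.0
        set two-factor fortitoken
    next
end
"""

def _node() -> dict:
    return {"set": {}, "config": {}}

def parse_fortios(text: str) -> dict:
    """node["config"][table][entry] -> node; node["set"][key] -> value tokens."""
    root = _node()
    nodes, tables = [root], []  # open entries and open tables, innermost last
    for tok in filter(None, map(shlex.split, text.splitlines())):  # skips blank lines
        kw, args = tok[0], tok[1:]
        if kw == "config":
            table = nodes[-1]["config"].setdefault(" ".join(args), {})
            tables.append(table)
            nodes.append(table.setdefault("", _node()))  # entry "" for tables used without edit
        elif kw == "edit":
            nodes.append(tables[-1].setdefault(args[0], _node()))
        elif kw == "set":
            nodes[-1]["set"][args[0]] = args[1:]
        elif kw == "next":
            nodes.pop()
        elif kw == "end":
            anon, table = nodes.pop(), tables.pop()
            if not anon["set"] and not anon["config"]:
                del table[""]  # the table held only edit entries
    return root

def _get(node: dict, key: str, default: str) -> str:
    return node["set"].get(key, [default])[0]  # default = value the reference lists

def _is_any(tokens: list) -> bool:
    """True for the 'all hosts' forms 0.0.0.0 0.0.0.0, 0.0.0.0/0 and ::/0."""
    spec = "/".join(tokens) if len(tokens) == 2 else tokens[0]
    return ipaddress.ip_network(spec, strict=False).prefixlen == 0

def audit_snmp(root: dict) -> list:
    out, cfg = [], root["config"]
    for cid, c in cfg.get("system snmp community", {}).items():
        tag = f"snmp community {cid} ({_get(c, 'name', '')!r})"
        for ver in ("v1", "v2c"):  # both query flags default to enable
            if _get(c, f"query-{ver}-status", "enable") == "enable":
                out.append(f"{tag}: SNMP{ver} queries on; community string travels in clear")
        if _get(c, "name", "").lower() in ("public", "private"):
            out.append(f"{tag}: well-known community name")
        if not (c["config"].get("hosts") or c["config"].get("hosts6")):
            out.append(f"{tag}: no hosts/hosts6 entries, any source may query")
    for uid, u in cfg.get("system snmp user", {}).items():
        level = _get(u, "security-level", "no-auth-no-priv")
        if level != "auth-priv":
            out.append(f"snmp user {uid}: security-level {level}; use auth-priv")
    return out

def audit_admins(root: dict) -> list:
    out = []
    for name, a in root["config"].get("system admin", {}).items():
        # Assumption: trusthosts left at the 'all' default do not restrict; the
        # account is limited only once at least one specific network is set.
        hosts = [v for k, v in a["set"].items() if re.fullmatch(r"(ip6-)?trusthost\d+", k)]
        if not any(not _is_any(v) for v in hosts):
            out.append(f"admin {name!r}: no trusthost restriction, reachable from any source")
        if _get(a, "two-factor", "disable") == "disable":
            out.append(f"admin {name!r}: two-factor disabled")
    return out
```

Feed `parse_fortios` the text of `show full-configuration` or of a configuration backup and pass the result to `audit_snmp` and `audit_admins`. On the sample, the public community produces three findings (v1 and v2c queries on, well-known name; its hosts entry suppresses the fourth), legacy-v3 one, the admin account two, and noc-ro none. Tables that are used without an edit entry, such as system snmp sysinfo, keep their settings under the entry id "".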
system/alarm
CLI Syntax
config system alarm
edit <name_str>
set status {enable | disable}
set audible {enable | disable}
set sequence <integer>
config groups
edit <name_str>
set id <integer>
set period <integer>
set admin-auth-failure-threshold <integer>
set admin-auth-lockout-threshold <integer>
set user-auth-failure-threshold <integer>
set user-auth-lockout-threshold <integer>
set replay-attempt-threshold <integer>
set self-test-failure-threshold <integer>
set log-full-warning-threshold <integer>
set encryption-failure-threshold <integer>
set decryption-failure-threshold <integer>
config fw-policy-violations
edit <name_str>
set id <integer>
set threshold <integer>
set src-ip <ipv4-address>
set dst-ip <ipv4-address>
set src-port <integer>
set dst-port <integer>
end
set fw-policy-id <integer>
set fw-policy-id-threshold <integer>
end
end
Description
Configuration Description Default Value
status Enable/disable alarm. disable
audible Enable/disable audible alarm. disable
sequence Sequence ID of alarms. 0
groups Alarm groups. (Empty)
system/arp-table
CLI Syntax
config system arp-table
edit <name_str>
set id <integer>
set interface <string>
set ip <ipv4-address>
set mac <mac-address>
end
Description
Configuration Description Default Value
id Unique integer ID of the entry. 0
interface Interface name. (Empty)
ip IP address. [Link]
mac MAC address. [Link]
system/auto-install
CLI Syntax
config system auto-install
edit <name_str>
set auto-install-config {enable | disable}
set auto-install-image {enable | disable}
set default-config-file <string>
set default-image-file <string>
end
Description
Configuration Description Default Value
auto-install-config Enable/disable automatic installation of the configuration file from a USB disk. disable
auto-install-image Enable/disable automatic installation of the firmware image from a USB disk. disable
default-config-file Default configuration file name on the USB disk. fgt_system.conf
default-image-file Default image file name on the USB disk. [Link]
system/auto-script
CLI Syntax
config system auto-script
edit <name_str>
set name <string>
set interval <integer>
set repeat <integer>
set start {manual | auto}
set script <var-string>
end
Description
Configuration Description Default Value
name Auto script name. (Empty)
interval Repeat interval in seconds. 0
repeat Number of times to repeat this script (0 = infinite). 1
start Script starting mode. manual
script List of FortiOS CLI commands to repeat. (Empty)
system/central-management
CLI Syntax
config system central-management
edit <name_str>
set mode {normal | backup}
set type {fortimanager | fortiguard | none}
set schedule-config-restore {enable | disable}
set schedule-script-restore {enable | disable}
set allow-push-configuration {enable | disable}
set allow-pushd-firmware {enable | disable}
set allow-remote-firmware-upgrade {enable | disable}
set allow-monitor {enable | disable}
set serial-number <user>
set fmg <string>
set fmg-source-ip <ipv4-address>
set fmg-source-ip6 <ipv6-address>
set vdom <string>
config server-list
edit <name_str>
set id <integer>
set server-type {update | rating}
set addr-type {ipv4 | ipv6}
set server-address <ipv4-address>
set server-address6 <ipv6-address>
end
set include-default-servers {enable | disable}
set enc-algorithm {default | high | low}
end
Description
Configuration Description Default Value
mode Normal/backup management mode. normal
type Type of management server. none
schedule-config-restore Enable/disable scheduled configuration restore. enable
schedule-script-restore Enable/disable scheduled script restore. enable
allow-push-configuration Enable/disable push configuration. enable
allow-pushd-firmware Enable/disable push firmware. enable
allow-remote-firmware-upgrade Enable/disable remote firmware upgrade. enable
allow-monitor Enable/disable remote monitoring of device. enable
serial-number Serial number. (Empty)
fmg Address of FortiManager (IP or FQDN name). (Empty)
fmg-source-ip Source IPv4 address to use when connecting to FortiManager. [Link]
fmg-source-ip6 Source IPv6 address to use when connecting to FortiManager. ::
vdom Virtual domain name. root
server-list FortiGuard override server list. (Empty)
include-default-servers Enable/disable inclusion of public FortiGuard servers in the override server list. enable
enc-algorithm SSL encryption strength for the management connection. high
system/cluster-sync
CLI Syntax
config system cluster-sync
edit <name_str>
set sync-id <integer>
set peervd <string>
set peerip <ipv4-address>
config syncvd
edit <name_str>
set name <string>
end
config session-sync-filter
edit <name_str>
set srcintf <string>
set dstintf <string>
set srcaddr <ipv4-classnet-any>
set dstaddr <ipv4-classnet-any>
set srcaddr6 <ipv6-network>
set dstaddr6 <ipv6-network>
config custom-service
edit <name_str>
set id <integer>
set src-port-range <user>
set dst-port-range <user>
end
end
end
Description
Configuration Description Default Value
sync-id Sync ID. 0
peervd Peer connecting VDOM. root
peerip Peer connecting IP. [Link]
syncvd VDOM of which sessions need to be synced. (Empty)
session-sync-filter Session sync filter. Details below
Configuration Default Value
srcintf (Empty)
dstintf (Empty)
srcaddr [Link] [Link]
dstaddr [Link] [Link]
srcaddr6 ::/0
dstaddr6 ::/0
custom-service (Empty)
system/console
CLI Syntax
config system console
edit <name_str>
set mode {batch | line}
set baudrate {9600 | 19200 | 38400 | 57600 | 115200}
set output {standard | more}
set login {enable | disable}
set fortiexplorer {enable | disable}
end
Description
Configuration Description Default Value
mode Console mode. line
baudrate Console baud rate. 9600
output Console output mode. more
login Enable/disable serial console and FortiExplorer. enable
fortiexplorer Enable/disable access for FortiExplorer. enable
system/custom-language
CLI Syntax
config system custom-language
edit <name_str>
set name <string>
set filename <string>
set comments <var-string>
end
Description
Configuration Description Default Value
name Name. (Empty)
filename Custom language file path. (Empty)
comments Comment. (Empty)
system/ddns
CLI Syntax
config system ddns
edit <name_str>
set ddnsid <integer>
set ddns-server {[Link] | [Link] | [Link] | [Link] | [Link] | [Link]t | [Link] | [Link] | [Link] | genericDDNS | FortiGuardDDNS}
set ddns-server-ip <ipv4-address>
set ddns-zone <string>
set ddns-ttl <integer>
set ddns-auth {disable | tsig}
set ddns-keyname <string>
set ddns-key <user>
set ddns-domain <string>
set ddns-username <string>
set ddns-sn <string>
set ddns-password <password>
set use-public-ip {disable | enable}
set bound-ip <ipv4-address>
config monitor-interface
edit <name_str>
set interface-name <string>
end
end
Description
Configuration Description Default Value
ddnsid DDNS ID. 0
ddns-server DDNS server. (Empty)
ddns-server-ip Generic DDNS server IP. [Link]
ddns-zone Zone of your domain name (ex. [Link]). (Empty)
ddns-ttl TTL. 300
ddns-auth DDNS authentication mode. disable
ddns-keyname DDNS update key name. (Empty)
ddns-key DDNS update key (base 64 encoding). 'ENC L97VaR0bKQoAAeh+O+39Q85hAnL3Fl7t4UL1eLfgKdgTSHZUCAnVYM1U9oVgGyVRfy6HlPmrFFsS9nlLExpJmd1pwYrf7jCCjr0lx5+1WNFyP50Fgz7fsLe43Lc='
ddns-domain Your domain name (ex. [Link]). (Empty)
ddns-username DDNS user name. (Empty)
ddns-sn DDNS Serial Number. (Empty)
ddns-password DDNS password. (Empty)
use-public-ip Enable/disable use of public IP address. disable
bound-ip Bound IP address. [Link]
monitor-interface Monitored interface. (Empty)
system/dedicated-mgmt
CLI Syntax
config system dedicated-mgmt
edit <name_str>
set status {enable | disable}
set interface <string>
set default-gateway <ipv4-address>
set dhcp-server {enable | disable}
set dhcp-netmask <ipv4-netmask>
set dhcp-start-ip <ipv4-address>
set dhcp-end-ip <ipv4-address>
end
Description
Configuration Description Default Value
status Enable/disable dedicated management. disable
interface Dedicated management interface. (Empty)
default-gateway Default gateway for dedicated management interface. [Link]
dhcp-server Enable/disable DHCP server on management interface. disable
dhcp-netmask DHCP netmask. [Link]
dhcp-start-ip DHCP start IP for dedicated management. [Link]
dhcp-end-ip DHCP end IP for dedicated management. [Link]
system/dns
CLI Syntax
config system dns
edit <name_str>
set primary <ipv4-address>
set secondary <ipv4-address>
set domain <string>
set ip6-primary <ipv6-address>
set ip6-secondary <ipv6-address>
set dns-cache-limit <integer>
set dns-cache-ttl <integer>
set cache-notfound-responses {disable | enable}
set source-ip <ipv4-address>
end
Description
Configuration Description Default Value
primary Primary DNS IP. [Link]
secondary Secondary DNS IP. [Link]
domain Local domain name. (Empty)
ip6-primary IPv6 primary DNS IP. ::
ip6-secondary IPv6 secondary DNS IP. ::
dns-cache-limit Maximum number of entries in DNS cache. 5000
dns-cache-ttl TTL in DNS cache. 1800
cache-notfound-responses Enable/disable cache NOTFOUND responses from DNS server. disable
source-ip Source IP for communications to DNS server. [Link]
system/dns-database
CLI Syntax
config system dns-database
edit <name_str>
set name <string>
set status {enable | disable}
set domain <string>
set allow-transfer <user>
set type {master | slave}
set view {shadow | public}
set ip-master <ipv4-address-any>
set primary-name <string>
set contact <string>
set ttl <integer>
set authoritative {enable | disable}
set forwarder <user>
set source-ip <ipv4-address>
config dns-entry
edit <name_str>
set id <integer>
set status {enable | disable}
set type {A | NS | CNAME | MX | AAAA | PTR | PTR_V6}
set ttl <integer>
set preference <integer>
set ip <ipv4-address-any>
set ipv6 <ipv6-address>
set hostname <string>
set canonical-name <string>
end
end
Description
Configuration Description Default Value
name Zone name. (Empty)
status Enable/disable DNS zone status. enable
domain Domain name. (Empty)
allow-transfer DNS zone transfer IP address list. (Empty)
type Zone type ('master' to manage entries directly, 'slave' to import entries from outside). master
view Zone view ('public' to serve public clients, 'shadow' to serve internal clients). shadow
ip-master IP address of the master DNS server from which to import entries of this zone. [Link]
primary-name Domain name of the default DNS server for this zone. dns
contact Email address of the administrator for this zone. You can specify only the username (e.g. admin) or a full email address (e.g. [Link]@[Link]). When using a simple username, the domain of the email will be this zone. hostmaster
ttl Default time-to-live value in seconds for the entries of this zone (0 - 2147483647). 86400
authoritative Enable/disable authoritative zone. enable
forwarder DNS zone forwarder IP address list. (Empty)
source-ip Source IP for forwarding to DNS server. [Link]
dns-entry DNS entry. (Empty)
system/dns-server
CLI Syntax
config system dns-server
edit <name_str>
set name <string>
set mode {recursive | non-recursive | forward-only}
set dnsfilter-profile <string>
end
Description
Configuration Description Default Value
name DNS server name. (Empty)
mode DNS server mode. recursive
dnsfilter-profile DNS filter profile. (Empty)
system/dscp-based-priority
CLI Syntax
config system dscp-based-priority
edit <name_str>
set id <integer>
set ds <integer>
set priority {low | medium | high}
end
Description
Configuration Description Default Value
id Item ID. 0
ds DSCP(DiffServ) DS value (0 - 63). 0
priority DSCP based priority level. high
system/email-server
CLI Syntax
config system email-server
edit <name_str>
set type {custom}
set reply-to <string>
set server <string>
set port <integer>
set source-ip <ipv4-address>
set source-ip6 <ipv6-address>
set authenticate {enable | disable}
set validate-server {enable | disable}
set username <string>
set password <password>
set security {none | starttls | smtps}
end
Description
Configuration Description Default Value
type Use FortiGuard Message service or custom server. custom
reply-to Reply-To email address. (Empty)
server SMTP server IP address or hostname. (Empty)
port SMTP server port. 25
source-ip SMTP server source IP. [Link]
source-ip6 SMTP server source IPv6. ::
authenticate Enable/disable authentication. disable
validate-server Enable/disable validation of server certificate. disable
username SMTP server user name for authentication. (Empty)
password SMTP server user password for authentication. (Empty)
security Connection security. none
system/fips-cc
CLI Syntax
config system fips-cc
edit <name_str>
set status {enable | disable}
set entropy-token {enable | disable | dynamic}
set error-flag {error-mode | exit-ready}
set error-cause {none | memory | disk | syslog}
set self-test-period <integer>
set key-generation-self-test {enable | disable}
end
Description
Configuration Description Default Value
status Enable/disable FIPS-CC mode. disable
entropy-token Entropy token mode (enable, disable or dynamic). dynamic
error-flag Hidden CC error flag. (Empty)
error-cause Hidden CC error cause. none
self-test-period Self test period. 1440
key-generation-self-test Enable/disable self tests after key generation. disable
system/fm
CLI Syntax
config system fm
edit <name_str>
set status {enable | disable}
set id <string>
set ip <ipv4-address>
set vdom <string>
set auto-backup {enable | disable}
set scheduled-config-restore {enable | disable}
set ipsec {enable | disable}
end
Description
Configuration Description Default Value
status Enable/disable FM. disable
id ID. (Empty)
ip IP address. [Link]
vdom VDOM. root
auto-backup Enable/disable automatic backup. disable
scheduled-config-restore Enable/disable scheduled configuration restore. disable
ipsec Enable/disable IPsec. disable
system/fortiguard
CLI Syntax
config system fortiguard
edit <name_str>
set port {53 | 8888 | 80}
set service-account-id <string>
set load-balance-servers <integer>
set antispam-force-off {enable | disable}
set antispam-cache {enable | disable}
set antispam-cache-ttl <integer>
set antispam-cache-mpercent <integer>
set antispam-license <integer>
set antispam-expiration <integer>
set antispam-timeout <integer>
set avquery-force-off {}
set avquery-cache {}
set avquery-cache-ttl <integer>
set avquery-cache-mpercent <integer>
set avquery-license <integer>
set avquery-timeout <integer>
set webfilter-force-off {enable | disable}
set webfilter-cache {enable | disable}
set webfilter-cache-ttl <integer>
set webfilter-license <integer>
set webfilter-expiration <integer>
set webfilter-timeout <integer>
set sdns-server-ip <user>
set sdns-server-port <integer>
set source-ip <ipv4-address>
set source-ip6 <ipv6-address>
set ddns-server-ip <ipv4-address>
set ddns-server-port <integer>
end
Description
Configuration Description Default Value
port Port used to communicate with the FortiGuard servers. 53
service-account-id Service account ID. (Empty)
load-balance-servers Number of servers to alternate between as first FortiGuard option. 1
antispam-force-off Enable/disable forcibly disabling the service. disable
antispam-cache Enable/disable FortiGuard antispam cache. enable
antispam-cache-ttl Time-to-live for cache entries in seconds (300 - 86400). 1800
antispam-cache-mpercent Maximum percent of memory the cache is allowed to use (1 - 15%). 2
antispam-license License type. 4294967295
antispam-expiration License expiration. 0
antispam-timeout Query time out (1 - 30 seconds). 7
avquery-force-off avquery-force-off
avquery-cache avquery-cache
avquery-cache-ttl avquery-cache-ttl
avquery-cache- avquery-cache-mpercent
mpercent
avquery-license avquery-license
avquery-timeout avquery-timeout
webfilter-force-off Enable/disable forcibly disabling the service. disable
webfilter-cache Enable/disable FortiGuard webfilter cache. enable
webfilter-cache-ttl Time-to-live for cache entries in seconds (300 - 86400). 3600
webfilter-license License type. 4294967295
webfilter-expiration License expiration. 0
webfilter-timeout Query time out (1 - 30 seconds). 15
sdns-server-ip IP address of the FortiDNS server. (Empty)
sdns-server-port Port used to communicate with the FortiDNS servers. 53
source-ip Source IPv4 address used to communicate with the FortiGuard service. [Link]
source-ip6 Source IPv6 address used to communicate with the FortiGuard service. ::
ddns-server-ip IP address of the FortiDDNS server. [Link]
ddns-server-port Port used to communicate with the FortiDDNS servers. 443
system/fortimanager
CLI Syntax
config system fortimanager
edit <name_str>
set ip <ipv4-address-any>
set vdom <string>
set ipsec {enable | disable}
set central-management {enable | disable}
set central-mgmt-auto-backup {enable | disable}
set central-mgmt-schedule-config-restore {enable | disable}
set central-mgmt-schedule-script-restore {enable | disable}
end
Description
Configuration Description Default Value
ip IP address. [Link]
vdom Virtual domain name. root
ipsec Enable/disable FortiManager IPsec tunnel. disable
central-management Enable/disable FortiManager central management. disable
central-mgmt-auto-backup Enable/disable central management auto backup. disable
central-mgmt-schedule-config-restore Enable/disable central management scheduled config restore. disable
central-mgmt-schedule-script-restore Enable/disable central management scheduled script restore. disable
system/fortisandbox
CLI Syntax
config system fortisandbox
edit <name_str>
set status {enable | disable}
set server <ipv4-address-any>
set source-ip <ipv4-address>
set enc-algorithm {default | high | low | disable}
set email <string>
end
Description
Configuration Description Default Value
status Enable/disable FortiSandbox. disable
server Server IP. [Link]
source-ip Source IP for communications to FortiSandbox. [Link]
enc-algorithm SSL encryption level for data sent to FortiSandbox (default, high or low), or disable to send it without SSL. default
email Notifier email address. (Empty)
system/fsso-polling
CLI Syntax
config system fsso-polling
edit <name_str>
set status {enable | disable}
set listening-port <integer>
set authentication {enable | disable}
set auth-password <password>
end
Description
Configuration Description Default Value
status Enable/disable FSSO Polling Mode status. enable
listening-port Listening port to accept clients. 8000
authentication Enable/disable FSSO Agent authentication. disable
auth-password Password to connect to FSSO Agent. (Empty)
system/geoip-override
CLI Syntax
config system geoip-override
edit <name_str>
set name <string>
set description <string>
set country-id <string>
config ip-range
edit <name_str>
set id <integer>
set start-ip <ipv4-address>
set end-ip <ipv4-address>
end
end
Description
Configuration Description Default Value
name Location name. (Empty)
description Description. (Empty)
country-id Country ID. (Empty)
ip-range IP range. (Empty)
system/global
CLI Syntax
config system global
edit <name_str>
set language {english | french | spanish | portuguese | japanese | trach | simch | korean}
set gui-ipv6 {enable | disable}
set gui-certificates {enable | disable}
set gui-custom-language {enable | disable}
set gui-wireless-opensecurity {enable | disable}
set gui-display-hostname {enable | disable}
set gui-lines-per-page <integer>
set admin-https-ssl-versions {tlsv1-0 | tlsv1-1 | tlsv1-2 | sslv3}
set admin-https-banned-cipher {rc4 | low}
set admintimeout <integer>
set admin-console-timeout <integer>
set admin-concurrent {enable | disable}
set admin-lockout-threshold <integer>
set admin-lockout-duration <integer>
set refresh <integer>
set interval <integer>
set failtime <integer>
set daily-restart {enable | disable}
set restart-time <user>
set radius-port <integer>
set admin-login-max <integer>
set remoteauthtimeout <integer>
set ldapconntimeout <integer>
set batch-cmdb {enable | disable}
set max-dlpstat-memory <integer>
set dst {enable | disable}
set timezone {01 | 02 | 03 | 04 | 05 | 81 | 06 | 07 | 08 | 09 | 10 | 11 | 12 | 13 | 74 | 14 | 77 | 15 | 16 | 17 | 18 | 19 | 20 | 75 | 21 | 22 | 23 | 24 | 80 | 79 | 25 | 26 | 27 | 28 | 78 | 29 | 30 | 31 | 85 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 83 | 84 | 40 | 41 | 42 | 43 | 39 | 44 | 46 | 47 | 51 | 48 | 45 | 49 | 50 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 62 | 63 | 61 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 00 | 82 | 73 | 86 | 76}
set ntpserver <string>
set ntpsync {enable | disable}
set syncinterval <integer>
set traffic-priority {tos | dscp}
set traffic-priority-level {low | medium | high}
set anti-replay {disable | loose | strict}
set send-pmtu-icmp {enable | disable}
set honor-df {enable | disable}
set split-port <user>
set revision-image-auto-backup {enable | disable}
set revision-backup-on-logout {enable | disable}
set management-vdom <string>
set hostname <string>
set strong-crypto {enable | disable}
set ssh-cbc-cipher {enable | disable}
set ssh-hmac-md5 {enable | disable}
set snat-route-change {enable | disable}
set cli-audit-log {enable | disable}
set dh-params {1024 | 1536 | 2048 | 3072 | 4096 | 6144 | 8192}
set fds-statistics {enable | disable}
set fds-statistics-period <integer>
set multicast-forward {enable | disable}
set mc-ttl-notchange {enable | disable}
set asymroute {enable | disable}
set tcp-option {enable | disable}
set phase1-rekey {enable | disable}
set lldp-transmission {enable | disable}
set explicit-proxy-auth-timeout <integer>
set sys-perf-log-interval <integer>
set check-protocol-header {loose | strict}
set vip-arp-range {unlimited | restricted}
set optimize {antivirus | session-setup | throughput}
set reset-sessionless-tcp {enable | disable}
set allow-traffic-redirect {enable | disable}
set strict-dirty-session-check {enable | disable}
set tcp-halfclose-timer <integer>
set tcp-halfopen-timer <integer>
set tcp-timewait-timer <integer>
set udp-idle-timer <integer>
set block-session-timer <integer>
set ip-src-port-range <user>
set pre-login-banner {enable | disable}
set post-login-banner {disable | enable}
set tftp {enable | disable}
set av-failopen {pass | idledrop | off | one-shot}
set av-failopen-session {enable | disable}
set check-reset-range {strict | disable}
set vdom-admin {enable | disable}
set admin-port <integer>
set admin-sport <integer>
set admin-https-redirect {enable | disable}
set admin-ssh-password {enable | disable}
set admin-ssh-port <integer>
set admin-ssh-grace-time <integer>
set admin-ssh-v1 {enable | disable}
set admin-telnet-port <integer>
set admin-maintainer {enable | disable}
set admin-server-cert <string>
set user-server-cert <string>
set admin-https-pki-required {enable | disable}
set wifi-certificate <string>
set wifi-ca-certificate <string>
set auth-http-port <integer>
set auth-https-port <integer>
set auth-keepalive {enable | disable}
set policy-auth-concurrent <integer>
set auth-cert <string>
set clt-cert-req {enable | disable}
set endpoint-control-portal-port <integer>
set endpoint-control-fds-access {enable | disable}
set tp-mc-skip-policy {enable | disable}
set cfg-save {automatic | manual | revert}
set cfg-revert-timeout <integer>
set reboot-upon-config-restore {enable | disable}
set admin-scp {enable | disable}
set registration-notification {enable | disable}
set service-expire-notification {enable | disable}
set wireless-controller {enable | disable}
set wireless-controller-port <integer>
set fortiextender-data-port <integer>
set fortiextender {enable | disable}
set switch-controller {disable | enable}
set switch-controller-reserved-network <ipv4-classnet>
set proxy-worker-count <integer>
set scanunit-count <integer>
set ssl-worker-count <integer>
set proxy-kxp-hardware-acceleration {disable | enable}
set proxy-cipher-hardware-acceleration {disable | enable}
set fgd-alert-subscription {advisory | latest-threat | latest-virus | latest-attack | new-antivirus-db | new-attack-db}
set ipsec-hmac-offload {enable | disable}
set ipv6-accept-dad <integer>
set csr-ca-attribute {enable | disable}
set wimax-4g-usb {enable | disable}
set cert-chain-max <integer>
set sslvpn-max-worker-count <integer>
set sslvpn-kxp-hardware-acceleration {enable | disable}
set sslvpn-cipher-hardware-acceleration {enable | disable}
set sslvpn-plugin-version-check {enable | disable}
set two-factor-email-expiry <integer>
set two-factor-sms-expiry <integer>
set two-factor-ftm-expiry <integer>
set per-user-bwl {enable | disable}
set virtual-server-count <integer>
set virtual-server-hardware-acceleration {disable | enable}
set wad-worker-count <integer>
set login-timestamp {enable | disable}
set miglogd-children <integer>
set special-file-23-support {disable | enable}
set log-uuid {disable | policy-only | extended}
set arp-max-entry <integer>
set ips-affinity <string>
set av-affinity <string>
set miglog-affinity <string>
set ndp-max-entry <integer>
set br-fdb-max-entry <integer>
set ipsec-asic-offload {enable | disable}
set device-idle-timeout <integer>
set compliance-check {enable | disable}
set compliance-check-time <time>
set gui-device-latitude <string>
set gui-device-longitude <string>
set private-data-encryption {disable | enable}
set auto-auth-extension-device {enable | disable}
set gui-theme {green | red | blue | melongene}
end
Description
Configuration Description Default Value
language GUI display language. english
gui-ipv6 Enable/disable IPv6 settings in GUI. disable
gui-certificates Enable/disable certificates configuration in GUI. enable
gui-custom-language Enable/disable custom languages in GUI. disable
gui-wireless-opensecurity Enable/disable wireless open security option in GUI. disable
gui-display-hostname Enable/disable display of hostname on GUI login page. disable
gui-lines-per-page Number of lines to display per page for web administration. 50
admin-https-ssl-versions Allowed SSL/TLS versions for web administration. tlsv1-1 tlsv1-2
admin-https-banned-cipher Banned ciphers for web administration. rc4 low
admintimeout Idle time-out (minutes) for firewall administration. 5
admin-console-timeout Idle time-out for console. 0
admin-concurrent Enable/disable admin concurrent login. enable
admin-lockout-threshold Lockout threshold (failed login attempts) for firewall administration. 3
admin-lockout-duration Lockout duration (sec) for firewall administration. 60
refresh Statistics refresh interval in GUI. 0
interval Dead gateway detection interval. 5
failtime Fail-time for server lost. 5
daily-restart Enable/disable firewall daily reboot. disable
restart-time Daily restart time (hh:mm). 00:00
radius-port RADIUS service port number. 1812
admin-login-max Maximum number of admin users logged in at one time (1 - 100). 100
remoteauthtimeout Remote authentication (RADIUS/LDAP) time-out (sec). 5
ldapconntimeout LDAP connection time-out (0 - 4294967295 milliseconds). 500
batch-cmdb Enable/disable batch mode to execute in CMDB server. enable
max-dlpstat-memory Maximum DLP stat memory (0 - 4294967295).
dst Enable/disable daylight saving time. enable
timezone Time zone. 00
ntpserver IP address/hostname of NTP Server. (Empty)
ntpsync Enable/disable synchronization with NTP Server. disable
syncinterval NTP synchronization interval. 0
traffic-priority Traffic priority type. tos
traffic-priority-level Default TOS/DSCP priority level. medium
anti-replay Anti-replay control. strict
send-pmtu-icmp Enable/disable sending of PMTU ICMP destination unreachable packet. enable
honor-df Enable/disable honoring Don't-Fragment flag. enable
split-port Split port(s) to multiple 10Gbps ports. none
revision-image-auto-backup Enable/disable automatic revision image backup when upgrading image. disable
revision-backup-on-logout Enable/disable automatic revision config backup on logout. disable
management-vdom Management virtual domain name. root
hostname Firewall hostname. (Empty)
strong-crypto Enable/disable strong crypto for HTTPS/SSH access. enable
ssh-cbc-cipher Enable/disable CBC cipher for SSH access. enable
ssh-hmac-md5 Enable/disable HMAC-MD5 for SSH access. enable
snat-route-change Enable/disable SNAT route change. disable
cli-audit-log Enable/disable CLI audit log. disable
dh-params Minimum size (bits) of Diffie-Hellman prime for HTTPS/SSH. 2048
fds-statistics Enable/disable FortiGuard statistics. enable
fds-statistics-period FortiGuard statistics update period (1 - 1440 min, default = 60 min). 60
multicast-forward Enable/disable multicast forwarding. enable
mc-ttl-notchange Enable/disable leaving the multicast TTL unmodified. disable
asymroute Enable/disable asymmetric route. disable
tcp-option Enable/disable TCP option. enable
phase1-rekey Enable/disable phase1 rekey. enable
lldp-transmission Enable/disable Link Layer Discovery Protocol (LLDP) transmission. disable
explicit-proxy-auth-timeout Authentication timeout (sec) for idle sessions in explicit web proxy. 300
sys-perf-log-interval The interval of performance statistics logging. 5
check-protocol-header Level of checking protocol header. loose
vip-arp-range Control ARP behavior for VIP ranges. restricted
optimize Firmware optimization option. antivirus
reset-sessionless-tcp Enable/disable reset session-less TCP. disable
allow-traffic-redirect Enable/disable allowing traffic redirect. enable
strict-dirty-session-check Enable/disable strict dirty-session check. enable
tcp-halfclose-timer TCP half close timeout (1 - 86400 sec, default = 120). 120
tcp-halfopen-timer TCP half open timeout (1 - 86400 sec, default = 10). 10
tcp-timewait-timer TCP time wait timeout (0 - 300 sec, default = 1). 1
udp-idle-timer UDP idle timeout (1 - 86400 sec, default = 180). 180
block-session-timer Block-session timeout (1 - 300 sec, default = 30 sec). 30
ip-src-port-range IP source port range for firewall originated traffic. 1024-25000
pre-login-banner Enable/disable pre-login-banner. disable
post-login-banner Enable/disable post-login-banner. disable
tftp Enable/disable TFTP. enable
av-failopen AV fail open option. pass
av-failopen-session Enable/disable AV fail open session option. disable
check-reset-range Drop RST packets if out-of-window (strict) or accept them (disable). disable
vdom-admin Enable/disable multiple VDOMs mode. disable
admin-port Admin access HTTP port (1 - 65535). 80
admin-sport Admin access HTTPS port (1 - 65535). 443
admin-https-redirect Enable/disable redirection of HTTP admin traffic to HTTPS. enable
admin-ssh-password Enable/disable password authentication for SSH admin access. enable
admin-ssh-port Admin access SSH port (1 - 65535). 22
admin-ssh-grace-time Admin access login grace time (10 - 3600 sec). 120
admin-ssh-v1 Enable/disable SSH v1 compatibility. disable
admin-telnet-port Admin access TELNET port (1 - 65535). 23
admin-maintainer Enable/disable login of maintainer user. enable
admin-server-cert Admin HTTPS server certificate. Fortinet_Factory
user-server-cert User HTTPS server certificate. Fortinet_Factory
admin-https-pki-required Enable/disable requiring the HTTPS login page when PKI is enabled. disable
wifi-certificate WiFi certificate for WPA. Fortinet_Wifi
wifi-ca-certificate WiFi CA certificate for WPA. PositiveSSL_CA
auth-http-port Authentication HTTP port (1 - 65535). 1000
auth-https-port Authentication HTTPS port (1 - 65535). 1003
auth-keepalive Enable/disable use of keep alive to extend authentication. disable
policy-auth-concurrent Maximum concurrent logins per user for firewall authentication (0 = unlimited). 0
auth-cert HTTPS server certificate for policy authentication. Fortinet_Factory
clt-cert-req Enable/disable requiring a client certificate for GUI login. disable
endpoint-control-portal-port Endpoint control portal port (1 - 65535). 8009
endpoint-control-fds-access Enable/disable access to FortiGuard servers for non-compliant endpoints. enable
tp-mc-skip-policy Enable/disable skipping the policy check and allowing multicast through. disable
cfg-save Configuration file save mode for changes made using the CLI. automatic
cfg-revert-timeout Time-out for reverting to the last saved configuration. 600
reboot-upon-config-restore Enable/disable reboot of system upon restoring configuration. enable
admin-scp Enable/disable system configuration download by SCP. disable
registration-notification Enable/disable license registration notification. enable
service-expire-notification Enable/disable service expiration notification. enable
wireless-controller Enable/disable wireless controller. enable
wireless-controller-port Local wireless controller port (1024 - 49150). 5246
fortiextender-data-port FortiExtender controller data port (1024 - 49150). 25246
fortiextender Enable/disable FortiExtender controller. disable
switch-controller Enable/disable switch controller feature. disable
switch-controller-reserved-network Reserved network for switch-controller. [Link] [Link]
proxy-worker-count Proxy worker count. 16
scanunit-count Scanunit count. 39
ssl-worker-count SSL worker count (0 - 4294967295).
proxy-kxp-hardware-acceleration Enable/disable use of the content processor for SSL key exchange (KXP) in proxied traffic. enable
proxy-cipher-hardware-acceleration Enable/disable use of the content processor to encrypt or decrypt proxied traffic. enable
fgd-alert-subscription FortiGuard alert subscription. (Empty)
ipsec-hmac-offload Enable/disable offloading IPsec VPN HMAC to hardware. enable
ipv6-accept-dad Acceptance of IPv6 DAD (Duplicate Address Detection). 0: Disable DAD; 1: Enable DAD (default); 2: Enable DAD, and disable IPv6 operation if a MAC-based duplicate link-local address has been found. 1
csr-ca-attribute Enable/disable CSR CA attribute. enable
wimax-4g-usb Enable/disable WiMAX USB device. disable
cert-chain-max Maximum depth for certificate chain. 8
sslvpn-max-worker-count Maximum number of worker processes for SSL-VPN. 39
sslvpn-kxp-hardware-acceleration Enable/disable KXP SSL-VPN hardware acceleration. disable
sslvpn-cipher-hardware-acceleration Enable/disable SSL-VPN cipher hardware acceleration. disable
sslvpn-plugin-version-check Enable/disable SSL-VPN automatic checking of browser plug-in version. enable
two-factor-email-expiry Expiration time for email token (30 - 300 sec, default = 60 sec). 60
two-factor-sms-expiry Expiration time for SMS token (30 - 300 sec, default = 60 sec). 60
two-factor-ftm-expiry Expiration time for FortiToken mobile provision (1 - 168 hr, default = 72 hr). 72
per-user-bwl Enable/disable per-user black/white list filter. disable
virtual-server-count Number of concurrent virtual server workers. 20
virtual-server-hardware-acceleration Enable/disable use of content processor to encrypt or decrypt traffic. enable
wad-worker-count Number of concurrent WAD workers. 20
login-timestamp Enable/disable login time recording. disable
miglogd-children Number of miglog children. 0
special-file-23-support Enable/disable support for special file 23. disable
log-uuid Universally Unique Identifier (UUID) log option. policy-only
arp-max-entry Maximum number of ARP table entries (set to 131,072 or higher). 131072
ips-affinity Affinity setting for IPS (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons). 0
av-affinity Affinity setting for AV scanning (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx). 0
miglog-affinity Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx). 0
ndp-max-entry Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries). 0
br-fdb-max-entry Maximum number of bridge forwarding database entries (set to 8192 or higher). 8192
ipsec-asic-offload Enable/disable ASIC offload for IPsec VPN. enable
device-idle-timeout Device idle timeout (30 - 31536000 sec, default = 300 sec). 300
compliance-check Enable/disable global PCI DSS compliance check. enable
compliance-check-time PCI DSS compliance check time. [Link]
gui-device-latitude Physical device latitude coordinate. (Empty)
gui-device-longitude Physical device longitude coordinate. (Empty)
private-data-encryption Enable/disable private data encryption using an AES 128-bit key. disable
auto-auth-extension-device Enable/disable automatic authorization of dedicated Fortinet extension device globally. enable
gui-theme Color scheme to use for the administration GUI. green
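Several of the defaults tabulated in the system/global, system/email-server and system/ha sections above are the weak option: ssh-cbc-cipher and ssh-hmac-md5 are enabled, cli-audit-log is disabled, email-server ships with security none and validate-server disable, and an HA cluster runs with encryption and authentication disabled. A `show` export records only settings that differ from the default, so a grep for weak values over a backup silently passes a unit that never touched them. The following is an added example, not code from the Fortinet document: a small Python auditor that parses the configuration export format, substitutes the documented 5.4 default for every absent setting, and reports the weak ones, run against a constructed weak export and a hardened one. The 15-minute ceiling on admintimeout is an assumed local policy, and the sample exports and the hostname in them are constructed rather than captured from a unit.

```python
"""Audit a FortiOS 5.4 config export against the system/global, system/email-server
and system/ha defaults tabulated above. Added example, not Fortinet code."""
import shlex

def parse_fortios_config(text):
    """Nest config/edit/set/next/end blocks into dicts; `set` values stay token
    lists, so `set hbdev "port5" 50` -> ["port5", "50"]."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, *args = shlex.split(line)
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return stack[0]

clustered = lambda s: s.get("mode", ["standalone"]) != ["standalone"]
mail_configured = lambda s: bool(s.get("server"))

# (section, setting, documented 5.4 default, ok(value, section), finding).  The
# default travels with the rule because `show` omits unchanged settings, and
# several 5.4 defaults (CBC, HMAC-MD5, HA in the clear) are the weak choice.
RULES = [
    ("system global", "admin-https-ssl-versions", ["tlsv1-1", "tlsv1-2"],
     lambda v, s: not ({"sslv3", "tlsv1-0"} & set(v)), "SSLv3/TLS 1.0 accepted for admin HTTPS"),
    ("system global", "strong-crypto", ["enable"],
     lambda v, s: v == ["enable"], "strong-crypto disabled for HTTPS/SSH"),
    ("system global", "ssh-cbc-cipher", ["enable"],
     lambda v, s: v == ["disable"], "CBC ciphers allowed on admin SSH (5.4 default)"),
    ("system global", "ssh-hmac-md5", ["enable"],
     lambda v, s: v == ["disable"], "HMAC-MD5 allowed on admin SSH (5.4 default)"),
    ("system global", "cli-audit-log", ["disable"],
     lambda v, s: v == ["enable"], "CLI audit log disabled (5.4 default)"),
    ("system global", "admintimeout", ["5"],  # 15-minute ceiling is an assumed local policy
     lambda v, s: int(v[0]) <= 15, "admin idle timeout above 15 minutes"),
    ("system email-server", "security", ["none"],
     lambda v, s: not mail_configured(s) or v[0] in ("starttls", "smtps"), "SMTP without TLS"),
    ("system email-server", "validate-server", ["disable"],
     lambda v, s: not mail_configured(s) or v == ["enable"], "SMTP server cert not validated"),
    ("system ha", "encryption", ["disable"],
     lambda v, s: not clustered(s) or v == ["enable"], "HA heartbeat unencrypted"),
    ("system ha", "authentication", ["disable"],
     lambda v, s: not clustered(s) or v == ["enable"], "HA heartbeat unauthenticated"),
]

def audit(text):
    """Return (section, setting, effective value, finding) for every failed rule."""
    cfg = parse_fortios_config(text)
    findings = []
    for section_name, key, default, ok, finding in RULES:
        section = cfg.get(section_name, {})
        value = section.get(key, default)  # absent => documented default in force
        if not ok(value, section):
            findings.append((section_name, key, " ".join(value), finding))
    return findings

# Constructed `show` export (only non-default values appear), not a capture.
WEAK_CONFIG = """
config system global
    set admintimeout 60
    set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2
    set strong-crypto disable
end
config system email-server
    set server "smtp.example.test"
end
config system ha
    set mode a-p
    set hbdev "port5" 50
end
"""

# Constructed: the same unit with weak settings and weak defaults overridden.
HARDENED_CONFIG = """
config system global
    set admintimeout 10
    set admin-https-ssl-versions tlsv1-2
    set ssh-cbc-cipher disable
    set ssh-hmac-md5 disable
    set cli-audit-log enable
end
config system email-server
    set server "smtp.example.test"
    set security starttls
    set validate-server enable
end
config system ha
    set mode a-p
    set hbdev "port5" 50
    set encryption enable
    set authentication enable
end
"""
```

Calling audit(WEAK_CONFIG) returns ten findings, seven of them for settings the export never mentions; audit(HARDENED_CONFIG) returns none. Each rule carries the default from the tables above rather than reading it from the unit, so a `show full-configuration` export works equally well, and new rules are added by copying a row of the reference into RULES.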
system/gre-tunnel
CLI Syntax
config system gre-tunnel
edit <name_str>
set name <string>
set interface <string>
set remote-gw <ipv4-address>
set local-gw <ipv4-address-any>
set sequence-number-transmission {disable | enable}
set sequence-number-reception {disable | enable}
set checksum-transmission {disable | enable}
set checksum-reception {disable | enable}
set key-outbound <integer>
set key-inbound <integer>
set auto-asic-offload {enable | disable}
set keepalive-interval <integer>
set keepalive-failtimes <integer>
end
Description
Configuration Description Default Value
name Tunnel name. (Empty)
interface Interface name. (Empty)
remote-gw IP address of the remote gateway. [Link]
local-gw IP address of the local gateway. [Link]
sequence-number-transmission Enable/disable inclusion of sequence number in transmitted GRE packets. disable
sequence-number-reception Enable/disable validation of sequence number in received GRE packets. disable
checksum-transmission Enable/disable inclusion of checksum in transmitted GRE packets. disable
checksum-reception Enable/disable validation of checksum in received GRE packets. disable
key-outbound Include this key in transmitted GRE packets (0 - 4294967295). 0
key-inbound Require received GRE packets to contain this key (0 - 4294967295). 0
auto-asic-offload Enable/disable tunnel ASIC offloading. enable
keepalive-interval Keepalive message interval (0 - 32767, 0 = disabled). 0
keepalive-failtimes Number of consecutive unreturned keepalive messages before the GRE connection is considered down (1 - 255). 10
system/ha
CLI Syntax
config system ha
edit <name_str>
set group-id <integer>
set group-name <string>
set mode {standalone | a-a | a-p}
set password <password>
set key <password>
set hbdev <user>
set session-sync-dev <user>
set route-ttl <integer>
set route-wait <integer>
set route-hold <integer>
set load-balance-all {enable | disable}
set sync-config {enable | disable}
set encryption {enable | disable}
set authentication {enable | disable}
set hb-interval <integer>
set hb-lost-threshold <integer>
set helo-holddown <integer>
set gratuitous-arps {enable | disable}
set arps <integer>
set arps-interval <integer>
set session-pickup {enable | disable}
set session-pickup-connectionless {enable | disable}
set session-pickup-expectation {enable | disable}
set session-pickup-nat {enable | disable}
set session-pickup-delay {enable | disable}
set session-sync-daemon-number <integer>
set link-failed-signal {enable | disable}
set uninterruptible-upgrade {enable | disable}
set standalone-mgmt-vdom {enable | disable}
set ha-mgmt-status {enable | disable}
set ha-mgmt-interface <string>
set ha-mgmt-interface-gateway <ipv4-address>
set ha-mgmt-interface-gateway6 <ipv6-address>
set ha-eth-type <string>
set hc-eth-type <string>
set l2ep-eth-type <string>
set ha-uptime-diff-margin <integer>
set standalone-config-sync {enable | disable}
set vcluster2 {enable | disable}
set vcluster-id <integer>
set override {enable | disable}
set priority <integer>
set override-wait-time <integer>
set schedule {none | hub | leastconnection | round-robin | weight-round-robin | random | ip | ipport}
set weight <user>
set cpu-threshold <user>
set memory-threshold <user>
set http-proxy-threshold <user>
set ftp-proxy-threshold <user>
set imap-proxy-threshold <user>
set nntp-proxy-threshold <user>
set pop3-proxy-threshold <user>
set smtp-proxy-threshold <user>
set monitor <user>
set pingserver-monitor-interface <user>
set pingserver-failover-threshold <integer>
set pingserver-slave-force-reset {enable | disable}
set pingserver-flip-timeout <integer>
set vdom <user>
config secondary-vcluster
edit <name_str>
set vcluster-id <integer>
set override {enable | disable}
set priority <integer>
set override-wait-time <integer>
set monitor <user>
set pingserver-monitor-interface <user>
set pingserver-failover-threshold <integer>
set pingserver-slave-force-reset {enable | disable}
set vdom <user>
end
set ha-direct {enable | disable}
end
Description
Configuration Description Default Value
group-id Group ID (0 - 255). 0
group-name Group name. (Empty)
mode Mode. standalone
password password (Empty)
key key (Empty)
hbdev Heartbeat interfaces. "mgmt1" 50
session-sync-dev Session sync interfaces. (Empty)
route-ttl HA route TTL on master (5 - 3600 sec). 10
route-wait Route update wait time (0 - 3600 sec). 0
route-hold Wait time between route updates (0 - 3600 sec). 10
load-balance-all Enable/disable load balance. disable
sync-config Enable/disable configuration synchronization. enable
encryption Enable/disable HA message encryption. disable
authentication Enable/disable HA message authentication. disable
hb-interval Configure heartbeat interval (1 - 20 (100*ms)). 2
hb-lost-threshold Lost heartbeat threshold (1 - 60). 6
helo-holddown Configure hello state hold-down time (5 - 300 sec). 20
gratuitous-arps Enable/disable gratuitous ARPs. enable
arps Configure number of gratuitous ARPs (1 - 60). 5
arps-interval Configure gratuitous ARPs interval (1 - 20 sec). 8
session-pickup Enable/disable session pickup. disable
session-pickup-connectionless Enable/disable pickup non-TCP sessions. disable
session-pickup-expectation Enable/disable pickup expectation sessions. disable
session-pickup-nat Enable/disable pickup of NATed sessions. disable
session-pickup-delay Enable/disable delay session sync by 30 seconds. disable
session-sync-daemon-number Session sync daemon process number. 1
link-failed-signal Enable/disable link failed signal. disable
uninterruptible-upgrade Enable/disable uninterruptible HA upgrade. enable
standalone-mgmt-vdom Enable/disable standalone management VDOM. disable
ha-mgmt-status Enable/disable HA management interface reservation. disable
ha-mgmt-interface Reserved interface of HA management. (Empty)
ha-mgmt-interface-gateway Gateway for reserved interface of HA management. [Link]
ha-mgmt-interface-gateway6 IPv6 gateway for reserved interface of HA management. ::
ha-eth-type HA Ethernet type (4-digit hex). 8890
hc-eth-type HC Ethernet type (4-digit hex). 8891
l2ep-eth-type L2EP Ethernet type (4-digit hex). 8893
ha-uptime-diff-margin HA uptime difference margin (sec). 300
standalone-config-sync Enable/disable standalone config sync. disable
vcluster2 Enable/disable secondary virtual cluster. disable
vcluster-id Cluster ID. 0
override Enable/disable master HA unit overriding. disable
priority Priority value (0 - 255). 128
override-wait-time Override wait time (0 - 3600 sec). 0
schedule Schedule. round-robin
weight Weight for weight-round-robin schedule. 40
cpu-threshold CPU threshold weight. 500
memory-threshold Memory threshold weight. 500
http-proxy-threshold HTTP proxy threshold. 500
ftp-proxy-threshold FTP proxy threshold. 500
imap-proxy-threshold IMAP proxy threshold. 500
nntp-proxy-threshold NNTP proxy threshold. 500
pop3-proxy-threshold POP3 proxy threshold. 500
smtp-proxy-threshold SMTP proxy threshold. 500
monitor Interfaces to monitor. (Empty)
pingserver-monitor-interface Monitor interfaces that have PING server enabled. (Empty)
pingserver-failover-threshold Threshold at which HA failover occurs upon PING server failure (0 - 50). 0
pingserver-slave-force-reset Enable/disable force reset of slave after PING server failure. enable
pingserver-flip-timeout Minutes to wait before HA failover flip-flop. 60
vdom VDOM members. (Empty)
secondary-vcluster Secondary virtual cluster. Details below
Configuration Default Value
vcluster-id 1
override enable
priority 128
override-wait-time 0
monitor (Empty)
pingserver-monitor-interface (Empty)
pingserver-failover-threshold 0
pingserver-slave-force-reset enable
vdom (Empty)
ha-direct Enable/disable sending of messages (logs, SNMP, RADIUS) directly from ha-mgmt interface. disable
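The table above leaves encryption and authentication of HA messages disabled by default, so heartbeat and configuration synchronization traffic on the hbdev links is neither confidential nor integrity-protected unless both are turned on. The fragment below, an added example and not text from the reference, enables both, reserves a management interface per cluster unit and sends logs and SNMP traps through it with ha-direct. The interface names (port1 to port4, mgmt1), the group name and the gateway address are constructed; the password is a placeholder to replace. system ha is a single-instance table, so it is entered without an edit line.

```text
config system ha
    # constructed example: active-passive cluster with protected heartbeat traffic
    set group-id 10
    set group-name "fw-cluster"
    set mode a-p
    # placeholder: replace with the cluster password shared by both units
    set password CHANGE-ME-PASSWORD
    # heartbeat interfaces and their priorities (constructed port names)
    set hbdev "port3" 50 "port4" 100
    # both default to disable; enable them so heartbeat messages are encrypted and authenticated
    set encryption enable
    set authentication enable
    set sync-config enable
    set session-pickup enable
    set override disable
    set priority 200
    # fail over when either monitored traffic port loses link
    set monitor "port1" "port2"
    # reserve mgmt1 for per-unit management instead of sharing the cluster address
    set ha-mgmt-status enable
    set ha-mgmt-interface "mgmt1"
    set ha-mgmt-interface-gateway 192.0.2.1
    # logs, SNMP and RADIUS traffic leave through the reserved interface
    set ha-direct enable
end
```

Management access on the reserved interface (allowaccess, trust-ip) is set on that interface under config system interface, not here; the HA table only selects which interface is reserved.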
system/ha-monitor
CLI Syntax
config system ha-monitor
edit <name_str>
set monitor-vlan {enable | disable}
set vlan-hb-interval <integer>
set vlan-hb-lost-threshold <integer>
end
Description
Configuration Description Default Value
monitor-vlan Enable/disable monitor VLAN interfaces. disable
vlan-hb-interval Configure heartbeat interval (seconds). 5
vlan-hb-lost-threshold VLAN lost heartbeat threshold (1 - 60). 3
system/interface
CLI Syntax
config system interface
edit <name_str>
set name <string>
set vdom <string>
set cli-conn-status <integer>
set mode {static | dhcp | pppoe}
set distance <integer>
set priority <integer>
set dhcp-relay-service {disable | enable}
set dhcp-relay-ip <user>
set dhcp-relay-type {regular | ipsec}
set ip <ipv4-classnet-host>
set allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | auto-ipsec | radius-acct | probe-response | capwap}
set gwdetect {enable | disable}
set ping-serv-status <integer>
set detectserver <user>
set detectprotocol {ping | tcp-echo | udp-echo}
set ha-priority <integer>
set fail-detect {enable | disable}
set fail-detect-option {detectserver | link-down}
set fail-alert-method {link-failed-signal | link-down}
set fail-action-on-extender {soft-restart | hard-restart | reboot}
config fail-alert-interfaces
edit <name_str>
set name <string>
end
set dhcp-client-identifier <string>
set ipunnumbered <ipv4-address>
set username <string>
set pppoe-unnumbered-negotiate {enable | disable}
set password <password>
set idle-timeout <integer>
set detected-peer-mtu <integer>
set disc-retry-timeout <integer>
set padt-retry-timeout <integer>
set service-name <string>
set ac-name <string>
set lcp-echo-interval <integer>
set lcp-max-echo-fails <integer>
set defaultgw {enable | disable}
set dns-server-override {enable | disable}
set auth-type {auto | pap | chap | mschapv1 | mschapv2}
set pptp-client {enable | disable}
set pptp-user <string>
set pptp-password <password>
set pptp-server-ip <ipv4-address>
set pptp-auth-type {auto | pap | chap | mschapv1 | mschapv2}
set pptp-timeout <integer>
set arpforward {enable | disable}
set ndiscforward {enable | disable}
set broadcast-forward {enable | disable}
set bfd {global | enable | disable}
set bfd-desired-min-tx <integer>
set bfd-detect-mult <integer>
set bfd-required-min-rx <integer>
set l2forward {enable | disable}
set icmp-redirect {enable | disable}
set vlanforward {enable | disable}
set stpforward {enable | disable}
set stpforward-mode {rpl-all-ext-id | rpl-bridge-ext-id | rpl-nothing}
set ips-sniffer-mode {enable | disable}
set ident-accept {enable | disable}
set ipmac {enable | disable}
set subst {enable | disable}
set macaddr <mac-address>
set substitute-dst-mac <mac-address>
set speed {auto | 10full | 10half | 100full | 100half | 1000full | 1000half | 1000auto | 10000full | 10000auto | 40000full}
set status {up | down}
set netbios-forward {disable | enable}
set wins-ip <ipv4-address>
set type {physical | vlan | aggregate | redundant | fortilink | tunnel | vdom-link | loopback | switch | hard-switch | vap-switch | wl-mesh | fext-wan | hdlc | switch-vlan}
set dedicated-to {none | management}
set trust-ip-1 <ipv4-classnet-any>
set trust-ip-2 <ipv4-classnet-any>
set trust-ip-3 <ipv4-classnet-any>
set trust-ip6-1 <ipv6-prefix>
set trust-ip6-2 <ipv6-prefix>
set trust-ip6-3 <ipv6-prefix>
set mtu-override {enable | disable}
set mtu <integer>
set wccp {enable | disable}
set nst {enable | disable}
set netflow-sampler {disable | tx | rx | both}
set sflow-sampler {enable | disable}
set drop-overlapped-fragment {enable | disable}
set drop-fragment {enable | disable}
set scan-botnet-connections {disable | block | monitor}
set sample-rate <integer>
set polling-interval <integer>
set sample-direction {tx | rx | both}
set explicit-web-proxy {enable | disable}
set explicit-ftp-proxy {enable | disable}
set tcp-mss <integer>
set mediatype {serdes-sfp | sgmii-sfp | serdes-copper-sfp}
set fp-anomaly {pass_winnuke | pass_tcpland | pass_udpland | pass_icmpland | pass_ipland | pass_iprr | pass_ipssrr | pass_iplsrr | pass_ipstream | pass_ipsecurity | pass_iptimestamp | pass_ipunknown_option | pass_ipunknown_prot | pass_icmp_frag | pass_tcp_no_flag | pass_tcp_fin_noack | drop_winnuke | drop_tcpland | drop_udpland | drop_icmpland | drop_ipland | drop_iprr | drop_ipssrr | drop_iplsrr | drop_ipstream | drop_ipsecurity | drop_iptimestamp | drop_ipunknown_option | drop_ipunknown_prot | drop_icmp_frag | drop_tcp_no_flag | drop_tcp_fin_noack}
set inbandwidth <integer>
set outbandwidth <integer>
set spillover-threshold <integer>
set ingress-spillover-threshold <integer>
set weight <integer>
set interface <string>
set external {enable | disable}
set vlanid <integer>
set forward-domain <integer>
set remote-ip <ipv4-address-any>
config member
edit <name_str>
set interface-name <string>
end
set lacp-mode {static | passive | active}
set lacp-ha-slave {enable | disable}
set lacp-speed {slow | fast}
set min-links <integer>
set min-links-down {operational | administrative}
set algorithm {L2 | L3 | L4}
set link-up-delay <integer>
set priority-override {enable | disable}
set aggregate <string>
set redundant-interface <string>
set fortilink <string>
set managed-device <string>
set devindex <integer>
set vindex <integer>
set switch <string>
set description <var-string>
set alias <string>
set security-mode {none | captive-portal | 802.1X}
set security-mac-auth-bypass {enable | disable}
set security-external-web <string>
set replacemsg-override-group <string>
set security-redirect-url <string>
set security-exempt-list <string>
config security-groups
edit <name_str>
set name <string>
end
set device-identification {enable | disable}
set device-user-identification {enable | disable}
set device-identification-active-scan {enable | disable}
set device-access-list <string>
set device-netscan {disable | enable}
set lldp-transmission {enable | disable | vdom}
set listen-forticlient-connection {enable | disable}
set broadcast-forticlient-discovery {enable | disable}
set endpoint-compliance {enable | disable}
set estimated-upstream-bandwidth <integer>
set estimated-downstream-bandwidth <integer>
set vrrp-virtual-mac {enable | disable}
config vrrp
edit <name_str>
set vrid <integer>
set vrgrp <integer>
set vrip <ipv4-address-any>
set priority <integer>
set adv-interval <integer>
set start-time <integer>
set preempt {enable | disable}
set vrdst <ipv4-address-any>
set status {enable | disable}
end
set role {lan | wan | dmz | undefined}
set snmp-index <integer>
set secondary-IP {enable | disable}
config secondaryip
edit <name_str>
set id <integer>
set ip <ipv4-classnet-host>
set allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | auto-ipsec | radius-acct | probe-response | capwap}
set gwdetect {enable | disable}
set ping-serv-status <integer>
set detectserver <user>
set detectprotocol {ping | tcp-echo | udp-echo}
set ha-priority <integer>
end
set auto-auth-extension-device {enable | disable}
set ap-discover {enable | disable}
config ipv6
edit <name_str>
set ip6-mode {static | dhcp | pppoe | delegated}
set ip6-dns-server-override {enable | disable}
set ip6-address <ipv6-prefix>
config ip6-extra-addr
edit <name_str>
set prefix <ipv6-prefix>
end
set ip6-allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | capwap}
set ip6-send-adv {enable | disable}
set ip6-manage-flag {enable | disable}
set ip6-other-flag {enable | disable}
set ip6-max-interval <integer>
set ip6-min-interval <integer>
set ip6-link-mtu <integer>
set ip6-reachable-time <integer>
set ip6-retrans-time <integer>
set ip6-default-life <integer>
set ip6-hop-limit <integer>
set autoconf {enable | disable}
set ip6-upstream-interface <string>
set ip6-subnet <ipv6-prefix>
config ip6-prefix-list
edit <name_str>
set prefix <ipv6-network>
set autonomous-flag {enable | disable}
set onlink-flag {enable | disable}
set valid-life-time <integer>
set preferred-life-time <integer>
end
config ip6-delegated-prefix-list
edit <name_str>
set prefix-id <integer>
set upstream-interface <string>
set autonomous-flag {enable | disable}
set onlink-flag {enable | disable}
set subnet <ipv6-network>
end
set dhcp6-relay-service {disable | enable}
set dhcp6-relay-type {regular}
set dhcp6-relay-ip <user>
set dhcp6-client-options {rapid | iapd | iana | dns | dnsname}
set dhcp6-prefix-delegation {enable | disable}
end
end
Description
Configuration Description Default Value
name Name. (Empty)
vdom Virtual domain name. (Empty)
cli-conn-status CLI connection status. 0
mode Addressing mode (static, DHCP, PPPoE). static
distance Distance of learned routes. 5
priority Priority of learned routes. 0
dhcp-relay-service Enable/disable use DHCP relay service. disable
dhcp-relay-ip DHCP relay IP address. (Empty)
dhcp-relay-type DHCP relay type. regular
ip IP address of interface. [Link] [Link]
allowaccess Allow management access to the interface. (Empty)
gwdetect Enable/disable detect gateway alive for first. disable
ping-serv-status PING server status. 0
detectserver Gateway's ping server for this IP. (Empty)
detectprotocol Protocols used to detect the server. ping
ha-priority HA election priority for the PING server. 1
fail-detect Enable/disable interface failed option status. disable
fail-detect-option Interface fail detect option. link-down
fail-alert-method Interface fail alert. link-down
fail-action-on-extender Action on extender when interface fails. soft-restart
fail-alert-interfaces Physical interfaces that will be alerted. (Empty)
dhcp-client-identifier DHCP client identifier. (Empty)
ipunnumbered PPPoE unnumbered IP. [Link]
username User name. (Empty)
pppoe-unnumbered-negotiate Enable/disable PPPoE unnumbered negotiation. enable
password Password. (Empty)
idle-timeout PPPoE auto disconnect after idle timeout seconds. 0
detected-peer-mtu MTU of detected peer (0 - 4294967295). 0
disc-retry-timeout PPPoE discovery init timeout value in sec. 1
padt-retry-timeout PPPoE terminate timeout value in sec. 1
service-name PPPoE service name. (Empty)
ac-name PPPoE AC name. (Empty)
lcp-echo-interval PPPoE LCP echo interval (sec). 5
lcp-max-echo-fails Maximum missed LCP echo messages before disconnect. 3
defaultgw Enable/disable default gateway. enable
dns-server-override Enable/disable use DNS acquired by DHCP or PPPoE. enable
auth-type PPP authentication type to use. auto
pptp-client Enable/disable PPTP client. disable
pptp-user PPTP user name. (Empty)
pptp-password PPTP password. (Empty)
pptp-server-ip PPTP server IP address. [Link]
pptp-auth-type PPTP authentication type. auto
pptp-timeout Idle timer in minutes (0 for disabled). 0
arpforward Enable/disable ARP forwarding. enable
ndiscforward Enable/disable NDISC forwarding. enable
broadcast-forward Enable/disable broadcast forwarding. disable
bfd Bidirectional Forwarding Detection (BFD). global
bfd-desired-min-tx BFD desired minimal transmit interval. 250
bfd-detect-mult BFD detection multiplier. 3
bfd-required-min-rx BFD required minimal receive interval. 250
l2forward Enable/disable l2 forwarding. disable
icmp-redirect Enable/disable ICMP redirect. enable
vlanforward Enable/disable VLAN forwarding. disable
stpforward Enable/disable STP forwarding. disable
stpforward-mode Configure STP forwarding mode. rpl-all-ext-id
ips-sniffer-mode Enable/disable IPS sniffer mode. disable
ident-accept Enable/disable accept ident protocol. disable
ipmac Enable/disable IP/MAC binding status. disable
subst Enable/disable substitute MAC. disable
macaddr MAC address. [Link]
substitute-dst-mac Substitute destination MAC address. [Link]
speed Speed auto
status Interface status. up
netbios-forward Enable/disable NETBIOS forwarding. disable
wins-ip WINS server IP. [Link]
type Interface type. vlan
dedicated-to Configure interface for single purpose. none
trust-ip-1 Trusted host for dedicated management traffic ([Link]/24 for all hosts). [Link] [Link]
trust-ip-2 Trusted host for dedicated management traffic ([Link]/24 for all hosts). [Link] [Link]
trust-ip-3 Trusted host for dedicated management traffic ([Link]/24 for all hosts). [Link] [Link]
trust-ip6-1 Trusted IPv6 host for dedicated management traffic (::/0 for all hosts). ::/0
trust-ip6-2 Trusted IPv6 host for dedicated management traffic (::/0 for all hosts). ::/0
trust-ip6-3 Trusted IPv6 host for dedicated management traffic (::/0 for all hosts). ::/0
mtu-override Enable/disable use custom MTU. disable
mtu Maximum transportation unit. 1500
wccp Enable/disable WCCP protocol on this interface. disable
nst Enable/disable NST protocol on this interface. disable
netflow-sampler NetFlow measurement status. disable
sflow-sampler Enable/disable sFlow protocol. disable
drop-overlapped-fragment Enable/disable drop overlapped fragment packets. disable
drop-fragment Enable/disable drop fragment packets. disable
scan-botnet-connections Enable/disable scanning of connections to Botnet servers. disable
sample-rate sFlow sampler sample rate. 2000
polling-interval sFlow sampler counter polling interval. 20
sample-direction sFlow sample direction. both
explicit-web-proxy Enable/disable explicit Web proxy. disable
explicit-ftp-proxy Enable/disable explicit FTP proxy. disable
tcp-mss Maximum sending TCP packet size. 0
mediatype Select SFP media interface type serdes-sfp
fp-anomaly Pass or drop different types of anomalies using Fastpath. (Empty)
inbandwidth Bandwidth limit for incoming traffic (0 - 16776000 kbps). 0
outbandwidth Bandwidth limit for outgoing traffic (0 - 16776000 kbps). 0
spillover-threshold Egress Spillover threshold (0 - 16776000 kbps). 0
ingress-spillover-threshold Ingress Spillover threshold (0 - 16776000 kbps). 0
weight Default weight for static routes (if route has no weight configured). 0
interface Interface name. (Empty)
external Enable/disable identifying interface as connected to external side. disable
vlanid VLAN ID. 0
forward-domain TP mode forward domain. 0
remote-ip Remote IP address of tunnel. [Link]
member Physical interfaces that belong to the aggregate/redundant interface. (Empty)
lacp-mode LACP mode. active
lacp-ha-slave LACP HA slave. enable
lacp-speed LACP speed. slow
min-links Minimum number of aggregated ports that must be up. 1
min-links-down Action to take when there are less than min-links active members. operational
algorithm Frame distribution algorithm. L4
link-up-delay Number of milliseconds to wait before considering a link is up. 50
priority-override Enable/disable fail back to higher priority port once recovered. enable
aggregate Aggregate interface. (Empty)
redundant-interface Redundant interface. (Empty)
fortilink FortiLink interface. (Empty)
managed-device FortiLink interface managed device. (Empty)
devindex Device Index. 0
vindex Switch control interface VLAN ID. 0
switch Contained in switch. (Empty)
description Description. (Empty)
alias Alias. (Empty)
security-mode Security mode. none
security-mac-auth-bypass Enable/disable MAC authentication bypass. disable
security-external-web URL of external authentication web server. (Empty)
replacemsg-override-group Specify replacement message override group. (Empty)
security-redirect-url URL redirection after disclaimer/authentication. (Empty)
security-exempt-list Name of security-exempt-list. (Empty)
security-groups Group name. (Empty)
device-identification Enable/disable passive gathering of identity information about source hosts on this interface. disable
device-user-identification Enable/disable passive gathering of user identity information about source hosts on this interface. enable
device-identification-active-scan Enable/disable active gathering of identity information about source hosts on this interface. enable
device-access-list Device access list. (Empty)
device-netscan Enable/disable inclusion of devices detected on this interface in network vulnerability scans. disable
lldp-transmission Enable/disable Link Layer Discovery Protocol (LLDP) transmission. vdom
listen-forticlient-connection Enable/disable listen for FortiClient connections. disable
broadcast-forticlient-discovery Enable/disable broadcast FortiClient discovery messages. disable
endpoint-compliance Enable/disable endpoint compliance enforcement. disable
estimated-upstream-bandwidth Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization. 0
estimated-downstream-bandwidth Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization. 0
vrrp-virtual-mac Enable/disable use of virtual MAC for VRRP. disable
vrrp VRRP configuration. (Empty)
role Interface role. undefined
snmp-index Permanent SNMP Index of the interface. 0
secondary-IP Enable/disable secondary IP. disable
secondaryip Second IP address of interface. (Empty)
auto-auth-extension-device Enable/disable automatic authorization of dedicated Fortinet extension device on this interface. disable
ap-discover Enable/disable automatic registration of unknown FortiAP devices. enable
ipv6 IPv6 of interface. Details below
Configuration Default Value
ip6-mode static
ip6-dns-server-override enable
ip6-address ::/0
ip6-extra-addr (Empty)
ip6-allowaccess (Empty)
ip6-send-adv disable
ip6-manage-flag disable
ip6-other-flag disable
ip6-max-interval 600
ip6-min-interval 198
ip6-link-mtu 0
ip6-reachable-time 0
ip6-retrans-time 0
ip6-default-life 1800
ip6-hop-limit 0
autoconf disable
ip6-upstream-interface (Empty)
ip6-subnet ::/0
ip6-prefix-list (Empty)
ip6-delegated-prefix-list (Empty)
dhcp6-relay-service disable
dhcp6-relay-type regular
dhcp6-relay-ip (Empty)
dhcp6-client-options dns
dhcp6-prefix-delegation disable
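The management-plane options in the interface table (allowaccess, dedicated-to, trust-ip-N, ap-discover, lldp-transmission) are most useful together. The fragment below is an added example, not text from the reference: a dedicated management port that answers HTTPS and SSH only from one administrative subnet, and a WAN port that exposes no management services. Interface names and addresses are constructed; as the introduction notes, options such as dedicated-to are not offered on every model.

```text
config system interface
    # constructed example: out-of-band management port limited to one admin subnet
    edit "mgmt1"
        set ip 192.0.2.10 255.255.255.0
        set dedicated-to management
        # default allowaccess is empty; leave out http and telnet, which are cleartext
        set allowaccess ping https ssh
        # trust-ip defaults to all hosts; restrict dedicated management traffic to the admin subnet
        set trust-ip-1 192.0.2.0 255.255.255.0
        set role lan
        set description "OOB management (constructed example)"
    next
    # WAN-facing port: no management services, no FortiAP auto-registration, no LLDP
    edit "port1"
        set ip 198.51.100.2 255.255.255.252
        set allowaccess ping
        set role wan
        set external enable
        set ap-discover disable
        set lldp-transmission disable
    next
end
```

With trust-ip left at its default of all hosts, allowaccess alone decides which services are reachable and from where; pairing the two is what actually limits who can reach the management plane.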
system/ipip-tunnel
CLI Syntax
config system ipip-tunnel
edit <name_str>
set name <string>
set interface <string>
set remote-gw <ipv4-address>
set local-gw <ipv4-address-any>
set auto-asic-offload {enable | disable}
end
Description
Configuration Description Default Value
name IPIP Tunnel name. (Empty)
interface Interface name. (Empty)
remote-gw IP address of the remote gateway. [Link]
local-gw IP address of the local gateway. [Link]
auto-asic-offload Enable/disable tunnel ASIC offloading. enable
system/ips-urlfilter-dns
CLI Syntax
config system ips-urlfilter-dns
edit <name_str>
set address <ipv4-address>
set status {enable | disable}
end
Description
Configuration Description Default Value
address DNS server IP address. [Link]
status Enable/disable this server for queries. enable
system/ipv6-neighbor-cache
CLI Syntax
config system ipv6-neighbor-cache
edit <name_str>
set id <integer>
set interface <string>
set ipv6 <ipv6-address>
set mac <mac-address>
end
Description
Configuration Description Default Value
id Unique integer ID of the entry. 0
interface Interface name. (Empty)
ipv6 IPv6 address. ::
mac MAC address. [Link]
system/ipv6-tunnel
CLI Syntax
config system ipv6-tunnel
edit <name_str>
set name <string>
set source <ipv6-address>
set destination <ipv6-address>
set interface <string>
set auto-asic-offload {enable | disable}
end
Description
Configuration Description Default Value
name Tunnel name. (Empty)
source Local IPv6 address of tunnel. ::
destination Remote IPv6 address of tunnel. ::
interface Interface name. (Empty)
auto-asic-offload Enable/disable tunnel ASIC offloading. enable
system/link-monitor
CLI Syntax
config system link-monitor
edit <name_str>
set name <string>
set srcintf <string>
config server
edit <name_str>
set address <string>
end
set protocol {ping | tcp-echo | udp-echo | http | twamp}
set port <integer>
set gateway-ip <ipv4-address-any>
set source-ip <ipv4-address-any>
set http-get <string>
set http-match <string>
set interval <integer>
set timeout <integer>
set failtime <integer>
set recoverytime <integer>
set security-mode {none | authentication}
set password <password>
set packet-size <integer>
set ha-priority <integer>
set update-cascade-interface {enable | disable}
set update-static-route {enable | disable}
set status {enable | disable}
end
Description
Configuration Description Default Value
name Link monitor name. (Empty)
srcintf Interface where the monitor traffic is sent. (Empty)
server Server address(es). (Empty)
protocol Protocols used to detect the server. ping
port Port number to poll. 80
gateway-ip Gateway IP used to PING the server. [Link]
source-ip Source IP used in packet to the server. [Link]
http-get HTTP GET URL string. /
http-match Response value from detected server in http-get. (Empty)
interval Detection interval. 5
timeout Detect request timeout. 1
failtime Number of retry attempts before bringing server down. 5
recoverytime Number of retry attempts before bringing server up. 5
security-mode TWAMP controller security mode. none
password TWAMP controller password in authentication mode. (Empty)
packet-size Packet size of a TWAMP test session. 64
ha-priority HA election priority (1 - 50). 1
update-cascade-interface Enable/disable update cascade interface. enable
update-static-route Enable/disable update static route. enable
status Enable/disable Link monitor administrative status. enable
system/mac-address-table
CLI Syntax
config system mac-address-table
edit <name_str>
set mac <mac-address>
set interface <string>
set reply-substitute <mac-address>
end
Description
Configuration Description Default Value
mac MAC address. [Link]
interface Interface name. (Empty)
reply-substitute New MAC for reply traffic. [Link]
system/management-tunnel
CLI Syntax
config system management-tunnel
edit <name_str>
set status {enable | disable}
set allow-config-restore {enable | disable}
set allow-push-configuration {enable | disable}
set allow-push-firmware {enable | disable}
set allow-collect-statistics {enable | disable}
set authorized-manager-only {enable | disable}
set serial-number <user>
end
Description
Configuration Description Default Value
status Enable/disable FGFM tunnel. enable
allow-config-restore Enable/disable allow config restore. enable
allow-push-configuration Enable/disable push configuration. enable
allow-push-firmware Enable/disable push firmware. enable
allow-collect-statistics Enable/disable collection of run time statistics. enable
authorized-manager-only Enable/disable restriction of authorized manager only. enable
serial-number Serial number. (Empty)
system/mobile-tunnel
CLI Syntax
config system mobile-tunnel
edit <name_str>
set name <string>
set status {disable | enable}
set roaming-interface <string>
set home-agent <ipv4-address>
set home-address <ipv4-address>
set renew-interval <integer>
set lifetime <integer>
set reg-interval <integer>
set reg-retry <integer>
set n-mhae-spi <integer>
set n-mhae-key-type {ascii | base64}
set n-mhae-key <user>
set hash-algorithm {hmac-md5}
set tunnel-mode {gre}
config network
edit <name_str>
set id <integer>
set interface <string>
set prefix <ipv4-classnet>
end
end
Description
Configuration Description Default Value
name Tunnel name. (Empty)
status Enable/disable this mobile tunnel. enable
roaming-interface Roaming interface name. (Empty)
home-agent IP address of the NEMO HA. [Link]
home-address Home IP address. [Link]
renew-interval Time before lifetime expiration to send NEMO HA re-registration. 60
lifetime NEMO HA registration request lifetime. 65535
reg-interval NEMO HA registration interval. 5
reg-retry NEMO HA registration maximal retries. 3
n-mhae-spi NEMO authentication spi. 256
n-mhae-key-type NEMO authentication key type. ascii
n-mhae-key NEMO authentication key. 'ENC AQAAAMfMADGjaE1uXnMNcglZAOU1olJLaQTpy1cUY+iM/eyN61pZcd9q4u4lzUZ7Ar7ptVwgtfiB3PJBXT+jqecFU7Fl7T9EREz21rRkr3XeQA6OfVhpJuk3/ZQ='
hash-algorithm Hash Algorithm. hmac-md5
tunnel-mode NEMO tunnel mode. gre
network NEMO network configuration. (Empty)
system/nat64
CLI Syntax
config system nat64
edit <name_str>
set status {enable | disable}
set nat64-prefix <ipv6-prefix>
set always-synthesize-aaaa-record {enable | disable}
set generate-ipv6-fragment-header {enable | disable}
end
Description
Configuration Description Default Value
status Enable/disable NAT64. disable
nat64-prefix NAT64 prefix must be ::/96. [Link]/96
always-synthesize-aaaa-record Enable/disable AAAA record synthesis. enable
generate-ipv6-fragment-header Enable/disable IPv6 fragment header generation. disable
system/netflow
CLI Syntax
config system netflow
edit <name_str>
set collector-ip <ipv4-address>
set collector-port <integer>
set source-ip <ipv4-address>
set active-flow-timeout <integer>
set inactive-flow-timeout <integer>
set template-tx-timeout <integer>
set template-tx-counter <integer>
end
Description
Configuration Description Default Value
collector-ip Collector IP. [Link]
collector-port NetFlow collector port. 2055
source-ip Source IP for NetFlow agent. [Link]
active-flow-timeout Timeout to report active flows (min). 30
inactive-flow-timeout Timeout for periodic report of finished flows (sec). 15
template-tx-timeout Timeout for periodic template flowset transmission (min). 30
template-tx-counter Counter of flowset records before resending a template flowset record. 20
system/network-visibility
CLI Syntax
config system network-visibility
edit <name_str>
set destination-visibility {disable | enable}
set source-location {disable | enable}
set destination-hostname-visibility {disable | enable}
set hostname-ttl <integer>
set hostname-limit <integer>
set destination-location {disable | enable}
end
Description
Configuration Description Default Value
destination-visibility Enable/disable logging of destination visibility. enable
source-location Enable/disable logging of source geographical location visibility. enable
destination-hostname-visibility Enable/disable logging of destination hostname visibility. enable
hostname-ttl TTL of hostname table entries. 86400
hostname-limit Limit of hostname table entries. 5000
destination-location Enable/disable logging of destination geographical location visibility. enable
system/ntp
CLI Syntax
config system ntp
edit <name_str>
set ntpsync {enable | disable}
set type {fortiguard | custom}
set syncinterval <integer>
config ntpserver
edit <name_str>
set id <integer>
set server <string>
set ntpv3 {enable | disable}
set authentication {enable | disable}
set key <password>
set key-id <integer>
end
set source-ip <ipv4-address>
set server-mode {enable | disable}
config interface
edit <name_str>
set interface-name <string>
end
end
Description
Configuration Description Default Value
ntpsync Enable/disable synchronization with NTP Server. disable
type FortiGuard or custom NTP Server. fortiguard
syncinterval NTP synchronization interval. 1
ntpserver NTP Server. (Empty)
source-ip Source IP for communications to NTP server. [Link]
server-mode Enable/disable NTP Server Mode. disable
interface List of interfaces with NTP server mode enabled. (Empty)
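A hardened NTP configuration, added here as a worked example; it is not part of the original reference. It synchronizes from two internal time servers with symmetric-key authentication, pins the source address to the management interface, and serves time only on the LAN interface. `config system ntp` is a global setting rather than a table, so the `edit <name_str>` line in the auto-extracted syntax above does not apply, and `ntpserver` entries are keyed by their `id`. The server addresses, interface name and key value are placeholders.

```fortios
config system ntp
    set ntpsync enable
    set type custom
    set syncinterval 60
    set source-ip 10.0.0.1
    config ntpserver
        edit 1
            set server "10.0.0.5"
            set authentication enable
            set key-id 1
            set key "replace-with-shared-secret"
        next
        edit 2
            set server "10.0.0.6"
            set authentication enable
            set key-id 1
            set key "replace-with-shared-secret"
        next
    end
    set server-mode enable
    config interface
        edit "port2"
        next
    end
end
```

The `key-id` and `key` must match the entry in the time server's keys file. NTP symmetric-key authentication provides source authentication and integrity for the time packets, not confidentiality; without it any host that can spoof UDP/123 replies can skew the clock, and with it the timestamps in every log and the validity checks on every certificate the unit evaluates. Keep `server-mode` off unless the unit must act as a time source, and never list an internet-facing interface under `config interface`. Confirm the result with `execute time` and `diagnose sys ntp status`.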
system/object-tag
CLI Syntax
config system object-tag
edit <name_str>
set name <string>
end
Description
Configuration Description Default Value
name Tag name. (Empty)
system/password-policy
CLI Syntax
config system password-policy
edit <name_str>
set status {enable | disable}
set apply-to {admin-password | ipsec-preshared-key}
set minimum-length <integer>
set min-lower-case-letter <integer>
set min-upper-case-letter <integer>
set min-non-alphanumeric <integer>
set min-number <integer>
set change-4-characters {enable | disable}
set expire-status {enable | disable}
set expire-day <integer>
set reuse-password {enable | disable}
end
Description
Configuration Description Default Value
status Enable/disable password policy. disable
apply-to Apply password policy to. admin-password
minimum-length Minimum password length. 8
min-lower-case-letter Minimum number of lowercase characters in password. 0
min-upper-case-letter Minimum number of uppercase characters in password. 0
min-non-alphanumeric Minimum number of non-alphanumeric characters in password. 0
min-number Minimum number of numeric characters in password. 0
change-4-characters Enable/disable changing at least 4 characters for new password. disable
expire-status Enable/disable password expiration. disable
expire-day Number of days after which admin users' password will expire. 90
reuse-password Enable/disable reuse of password. enable
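As shipped, the policy is disabled, eight characters with no character-class requirement is the only rule, and password reuse is allowed. The following is an added example of a hardened policy, not text from the original reference; `config system password-policy` is a global setting, so the `edit <name_str>` line in the extracted syntax above is not typed. The length and expiry values are a reasonable baseline, not a Fortinet recommendation.

```fortios
config system password-policy
    set status enable
    set apply-to admin-password ipsec-preshared-key
    set minimum-length 14
    set min-lower-case-letter 1
    set min-upper-case-letter 1
    set min-number 1
    set min-non-alphanumeric 1
    set change-4-characters enable
    set expire-status enable
    set expire-day 90
    set reuse-password disable
end
```

Two points a practitioner should check. First, the policy is evaluated when a password or pre-shared key is entered, so enabling it does not retroactively fix credentials that already exist; rotate existing administrator passwords after turning it on. Second, including `ipsec-preshared-key` matters because an IKE pre-shared key captured in aggressive mode can be brute-forced offline, so a short PSK is a remote-access weakness rather than a local one. The policy covers only local administrator accounts; administrators authenticated through RADIUS, LDAP or TACACS+ are governed by that server's policy.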
system/probe-response
CLI Syntax
config system probe-response
edit <name_str>
set port <integer>
set http-probe-value <string>
set ttl-mode {reinit | decrease | retain}
set mode {none | http-probe | twamp}
set security-mode {none | authentication}
set password <password>
set timeout <integer>
end
Description
Configuration Description Default Value
port Port number to respond on. 8008
http-probe-value Value to respond to the monitoring server. OK
ttl-mode Mode for TWAMP packet TTL modification. retain
mode SLA response mode. none
security-mode TWAMP responder security mode. none
password TWAMP responder password in authentication mode. (Empty)
timeout Inactivity timer for a TWAMP test session. 300
system/proxy-arp
CLI Syntax
config system proxy-arp
edit <name_str>
set id <integer>
set interface <string>
set ip <ipv4-address>
set end-ip <ipv4-address>
end
Description
Configuration Description Default Value
id Unique integer ID of the entry. 0
interface Interface acting as proxy-ARP. (Empty)
ip IP address or start IP to be proxied. [Link]
end-ip End IP of IP range to be proxied. [Link]
system/replacemsg-group
CLI Syntax
config system replacemsg-group
edit <name_str>
set name <string>
set comment <var-string>
set group-type {default | utm | auth | ec}
config mail
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config http
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config webproxy
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config ftp
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config nntp
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config fortiguard-wf
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config spam
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config alertmail
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config admin
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config auth
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config sslvpn
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config ec
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config device-detection-portal
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config nac-quar
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config traffic-quota
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config utm
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config custom-message
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
end
Description
Configuration Description Default Value
name Group name. (Empty)
comment Comment. (Empty)
group-type Group type. default
mail Replacement message table entries. (Empty)
http Replacement message table entries. (Empty)
webproxy Replacement message table entries. (Empty)
ftp Replacement message table entries. (Empty)
nntp Replacement message table entries. (Empty)
fortiguard-wf Replacement message table entries. (Empty)
spam Replacement message table entries. (Empty)
alertmail Replacement message table entries. (Empty)
admin Replacement message table entries. (Empty)
auth Replacement message table entries. (Empty)
sslvpn Replacement message table entries. (Empty)
ec Replacement message table entries. (Empty)
device-detection-portal Replacement message table entries. (Empty)
nac-quar Replacement message table entries. (Empty)
traffic-quota Replacement message table entries. (Empty)
utm Replacement message table entries. (Empty)
custom-message Replacement message table entries. (Empty)
system/replacemsg-image
CLI Syntax
config system replacemsg-image
edit <name_str>
set name <string>
set image-type {gif | jpg | tiff | png}
set image-base64 <var-string>
end
Description
Configuration Description Default Value
name Image name. (Empty)
image-type Image type. (Empty)
image-base64 Image data. (null)
system/resource-limits
CLI Syntax
config system resource-limits
edit <name_str>
set session <integer>
set ipsec-phase1 <integer>
set ipsec-phase2 <integer>
set dialup-tunnel <integer>
set firewall-policy <integer>
set firewall-address <integer>
set firewall-addrgrp <integer>
set custom-service <integer>
set service-group <integer>
set onetime-schedule <integer>
set recurring-schedule <integer>
set user <integer>
set user-group <integer>
set sslvpn <integer>
set proxy <integer>
set log-disk-quota <integer>
end
Description
Configuration Description Default Value
session Maximum number of sessions. 0
ipsec-phase1 Maximum number of VPN IPsec phase1 tunnels. 0
ipsec-phase2 Maximum number of VPN IPsec phase2 tunnels. 0
dialup-tunnel Maximum number of dial-up tunnels. 0
firewall-policy Maximum number of firewall policies. 0
firewall-address Maximum number of firewall addresses. 0
firewall-addrgrp Maximum number of firewall address groups. 0
custom-service Maximum number of firewall custom services. 0
service-group Maximum number of firewall service groups. 0
onetime-schedule Maximum number of firewall one-time schedules. 0
recurring-schedule Maximum number of firewall recurring schedules. 0
user Maximum number of local users. 0
user-group Maximum number of user groups. 0
sslvpn Maximum number of SSL-VPN. 0
proxy Maximum number of concurrent explicit proxy users. 0
log-disk-quota Log disk quota in MB. 0
system/session-helper
CLI Syntax
config system session-helper
edit <name_str>
set id <integer>
set name {ftp | tftp | ras | h323 | h245O | h245I | tns | mms | sip | pptp | rtsp | dns-udp | dns-tcp | pmap | rsh | dcerpc | mgcp | gtp-c | gtp-u | gtp-b}
set protocol <integer>
set port <integer>
end
Description
Configuration Description Default Value
id Session helper ID. 0
name Helper name. (Empty)
protocol Protocol number. 0
port Protocol port. 0
system/session-ttl
CLI Syntax
config system session-ttl
edit <name_str>
set default <user>
config port
edit <name_str>
set id <integer>
set protocol <integer>
set start-port <integer>
set end-port <integer>
set timeout <user>
end
end
Description
Configuration Description Default Value
default Default timeout. 3600
port Session TTL port. (Empty)
system/settings
CLI Syntax
config system settings
edit <name_str>
set comments <var-string>
set opmode {nat | transparent}
set inspection-mode {proxy | flow}
set http-external-dest {fortiweb | forticache}
set firewall-session-dirty {check-all | check-new | check-policy-option}
set manageip <user>
set gateway <ipv4-address>
set ip <ipv4-classnet-host>
set manageip6 <ipv6-prefix>
set gateway6 <ipv6-address>
set ip6 <ipv6-prefix>
set device <string>
set bfd {enable | disable}
set bfd-desired-min-tx <integer>
set bfd-required-min-rx <integer>
set bfd-detect-mult <integer>
set bfd-dont-enforce-src-port {enable | disable}
set utf8-spam-tagging {enable | disable}
set wccp-cache-engine {enable | disable}
set vpn-stats-log {ipsec | pptp | l2tp | ssl}
set vpn-stats-period <integer>
set v4-ecmp-mode {source-ip-based | weight-based | usage-based | source-dest-ip-based}
set mac-ttl <integer>
set fw-session-hairpin {enable | disable}
set snat-hairpin-traffic {enable | disable}
set dhcp-proxy {enable | disable}
set dhcp-server-ip <user>
set dhcp6-server-ip <user>
set central-nat {enable | disable}
config gui-default-policy-columns
edit <name_str>
set name <string>
end
set lldp-transmission {enable | disable | global}
set asymroute {enable | disable}
set asymroute-icmp {enable | disable}
set tcp-session-without-syn {enable | disable}
set ses-denied-traffic {enable | disable}
set strict-src-check {enable | disable}
set asymroute6 {enable | disable}
set asymroute6-icmp {enable | disable}
set sip-helper {enable | disable}
set sip-nat-trace {enable | disable}
set status {enable | disable}
set sip-tcp-port <integer>
set sip-udp-port <integer>
set sip-ssl-port <integer>
set sccp-port <integer>
set multicast-forward {enable | disable}
set multicast-ttl-notchange {enable | disable}
set multicast-skip-policy {enable | disable}
set allow-subnet-overlap {enable | disable}
set deny-tcp-with-icmp {enable | disable}
set ecmp-max-paths <integer>
set discovered-device-timeout <integer>
set email-portal-check-dns {disable | enable}
set default-voip-alg-mode {proxy-based | kernel-helper-based}
set gui-icap {enable | disable}
set gui-nat46-64 {enable | disable}
set gui-implicit-policy {enable | disable}
set gui-dns-database {enable | disable}
set gui-load-balance {enable | disable}
set gui-multicast-policy {enable | disable}
set gui-dos-policy {enable | disable}
set gui-object-colors {enable | disable}
set gui-replacement-message-groups {enable | disable}
set gui-voip-profile {enable | disable}
set gui-ap-profile {enable | disable}
set gui-dynamic-profile-display {enable | disable}
set gui-ipsec-manual-key {enable | disable}
set gui-local-in-policy {enable | disable}
set gui-local-reports {enable | disable}
set gui-wanopt-cache {enable | disable}
set gui-explicit-proxy {enable | disable}
set gui-dynamic-routing {enable | disable}
set gui-dlp {enable | disable}
set gui-sslvpn-personal-bookmarks {enable | disable}
set gui-sslvpn-realms {enable | disable}
set gui-policy-based-ipsec {enable | disable}
set gui-threat-weight {enable | disable}
set gui-multiple-utm-profiles {enable | disable}
set gui-spamfilter {enable | disable}
set gui-application-control {enable | disable}
set gui-casi {enable | disable}
set gui-ips {enable | disable}
set gui-endpoint-control {enable | disable}
set gui-dhcp-advanced {enable | disable}
set gui-vpn {enable | disable}
set gui-wireless-controller {enable | disable}
set gui-switch-controller {enable | disable}
set gui-fortiap-split-tunneling {enable | disable}
set gui-webfilter-advanced {enable | disable}
set gui-traffic-shaping {enable | disable}
set gui-wan-load-balancing {enable | disable}
set gui-antivirus {enable | disable}
set gui-webfilter {enable | disable}
set gui-dnsfilter {enable | disable}
set gui-waf-profile {enable | disable}
set gui-fortiextender-controller {enable | disable}
set gui-advanced-policy {enable | disable}
set gui-allow-unnamed-policy {enable | disable}
set gui-email-collection {enable | disable}
set gui-domain-ip-reputation {enable | disable}
set compliance-check {enable | disable}
set ike-session-resume {enable | disable}
set ike-quick-crash-detect {enable | disable}
end
Description
Configuration Description Default Value
comments VDOM comments. (Empty)
opmode Firewall operation mode. nat
inspection-mode Inspection mode. proxy
http-external-dest HTTP service external inspection destination. fortiweb
firewall-session-dirty Packet session management. check-all
manageip IP address and netmask. (Empty)
gateway Default gateway IP address. [Link]
ip IP address and netmask. [Link] [Link]
manageip6 Management IPv6 address prefix for transparent mode. ::/0
gateway6 Default gateway IPv6 address. ::
ip6 IPv6 address prefix for NAT mode. ::/0
device Interface. (Empty)
bfd Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces. disable
bfd-desired-min-tx BFD desired minimal transmit interval. 250
bfd-required-min-rx BFD required minimal receive interval. 250
bfd-detect-mult BFD detection multiplier. 3
bfd-dont-enforce-src-port Enable/disable verification of the source port of BFD packets. disable
utf8-spam-tagging Convert spam tags to UTF-8 for better non-ASCII character support. enable
wccp-cache-engine Enable/disable WCCP cache engine. disable
vpn-stats-log Enable/disable periodic VPN log statistics. ipsec pptp l2tp ssl
vpn-stats-period Period to send VPN log statistics (sec). 600
v4-ecmp-mode IPv4 ECMP mode. source-ip-based
mac-ttl Bridge MAC address expiration time (sec). 300
fw-session-hairpin Enable/disable firewall session hairpin checking. disable
snat-hairpin-traffic Enable/disable SNAT hairpin traffic. enable
dhcp-proxy Enable/disable DHCP Proxy. disable
dhcp-server-ip DHCP Server IP address. (Empty)
dhcp6-server-ip DHCPv6 server IP address. (Empty)
central-nat Enable/disable central NAT. disable
gui-default-policy-columns Default columns to display for firewall policy list on GUI. (Empty)
lldp-transmission Enable/disable Link Layer Discovery Protocol (LLDP) transmission. global
asymroute Enable/disable asymmetric route. disable
asymroute-icmp Enable/disable asymmetric ICMP route. disable
tcp-session-without-syn Enable/disable creation of TCP session without SYN flag. disable
ses-denied-traffic Enable/disable insertion of denied traffic into session table. disable
strict-src-check Enable/disable strict source verification. disable
asymroute6 Enable/disable asymmetric IPv6 route. disable
asymroute6-icmp Enable/disable asymmetric ICMPv6 route. disable
sip-helper Enable/disable helper to add dynamic SIP firewall allow rule. enable
sip-nat-trace Enable/disable adding original IP if NATed. enable
status Enable/disable this VDOM. enable
sip-tcp-port TCP port the SIP proxy will monitor for SIP traffic. 5060
sip-udp-port UDP port the SIP proxy will monitor for SIP traffic. 5060
sip-ssl-port TCP SSL port the SIP proxy will monitor for SIP traffic. 5061
sccp-port TCP port the SCCP proxy will monitor for SCCP traffic. 2000
multicast-forward Enable/disable multicast forwarding. enable
multicast-ttl-notchange Enable/disable modification of multicast TTL. disable
multicast-skip-policy Enable/disable skip policy check and allow multicast through. disable
allow-subnet-overlap Enable/disable allow one interface subnet overlap with other interfaces. disable
deny-tcp-with-icmp Enable/disable deny TCP with ICMP. disable
ecmp-max-paths Maximum number of ECMP next-hops. 10
discovered-device-timeout Discard discovered devices after N days of inactivity. 28
email-portal-check-dns Enable/disable DNS to validate domain names used in the email address collection captive portal. enable
default-voip-alg-mode Default ALG mode for VoIP traffic (when no VoIP profile on firewall policy). proxy-based
gui-icap Enable/disable ICAP settings in GUI. disable
gui-nat46-64 Enable/disable NAT46 and NAT64 settings in GUI. disable
gui-implicit-policy Enable/disable implicit firewall policies in GUI. enable
gui-dns-database Enable/disable DNS database in GUI. disable
gui-load-balance Enable/disable load balance in GUI. disable
gui-multicast-policy Enable/disable multicast firewall policies in GUI. disable
gui-dos-policy Enable/disable DoS policy display in GUI. enable
gui-object-colors Enable/disable object colors in GUI. enable
gui-replacement-message-groups Enable/disable replacement message groups in GUI. disable
gui-voip-profile Enable/disable VoIP profiles in GUI. disable
gui-ap-profile Enable/disable AP profiles in GUI. enable
gui-dynamic-profile-display Enable/disable dynamic profiles in GUI. disable
gui-ipsec-manual-key Enable/disable IPsec manual key configuration in GUI. disable
gui-local-in-policy Enable/disable Local-In policies in GUI. disable
gui-local-reports Enable/disable local reports in the GUI. disable
gui-wanopt-cache Enable/disable WAN Opt & Cache configuration in GUI. disable
gui-explicit-proxy Enable/disable explicit proxy configuration in GUI. disable
gui-dynamic-routing Enable/disable dynamic routing menus in GUI. enable
gui-dlp Enable/disable DLP settings in GUI. disable
gui-sslvpn-personal-bookmarks Enable/disable SSL-VPN personal bookmark management in GUI. disable
gui-sslvpn-realms Enable/disable SSL-VPN custom login pages in GUI. disable
gui-policy-based-ipsec Enable/disable policy-based IPsec VPN. disable
gui-threat-weight Enable/disable threat weight feature in GUI. enable
gui-multiple-utm-profiles Enable/disable multiple UTM profiles in GUI. enable
gui-spamfilter Enable/disable spamfilter profiles in GUI. disable
gui-application-control Enable/disable application control profiles in GUI. enable
gui-casi Enable/disable CASI profiles in GUI. enable
gui-ips Enable/disable IPS sensors in GUI. enable
gui-endpoint-control Enable/disable endpoint control in GUI. enable
gui-dhcp-advanced Enable/disable advanced DHCP configuration in GUI. enable
gui-vpn Enable/disable VPN tunnels in GUI. enable
gui-wireless-controller Enable/disable wireless controller in GUI. enable
gui-switch-controller Enable/disable switch controller in GUI. enable
gui-fortiap-split-tunneling Enable/disable FortiAP split tunneling in GUI. disable
gui-webfilter-advanced Enable/disable advanced web filter configuration in GUI. disable
gui-traffic-shaping Enable/disable traffic shaping in GUI. enable
gui-wan-load-balancing Enable/disable WAN link load balancing in GUI. enable
gui-antivirus Enable/disable AntiVirus profile display in GUI. enable
gui-webfilter Enable/disable WebFilter profile display in GUI. enable
gui-dnsfilter Enable/disable DNS Filter profile display in GUI. enable
gui-waf-profile Enable/disable Web Application Firewall profile display in GUI. disable
gui-fortiextender-controller Enable/disable FortiExtender controller in GUI. disable
gui-advanced-policy Enable/disable advanced policy configuration in GUI. disable
gui-allow-unnamed-policy Enable/disable relaxation of requirement for policy to have a name when created in GUI. disable
gui-email-collection Enable/disable email collection feature. disable
gui-domain-ip-reputation Enable/disable Domain and IP Reputation feature. disable
compliance-check Enable/disable PCI DSS compliance check. disable
ike-session-resume Enable/disable IKEv2 session resumption (RFC 5723). disable
ike-quick-crash-detect Enable/disable IKEv2 quick crash detection (RFC 6290). disable
system/sflow
CLI Syntax
config system sflow
edit <name_str>
set collector-ip <ipv4-address>
set collector-port <integer>
set source-ip <ipv4-address>
end
Description
Configuration Description Default Value
collector-ip Collector IP. [Link]
collector-port sFlow collector port. 6343
source-ip Source IP for sFlow agent. [Link]
system/sit-tunnel
CLI Syntax
config system sit-tunnel
edit <name_str>
set name <string>
set source <ipv4-address>
set destination <ipv4-address>
set ip6 <ipv6-prefix>
set interface <string>
set auto-asic-offload {enable | disable}
end
Description
Configuration Description Default Value
name Tunnel name. (Empty)
source Source IP address of tunnel. [Link]
destination Destination IP address of tunnel. [Link]
ip6 IPv6 address of tunnel. ::/0
interface Interface name. (Empty)
auto-asic-offload Enable/disable tunnel ASIC offloading. enable
system/sms-server
CLI Syntax
config system sms-server
edit <name_str>
set name <string>
set mail-server <string>
end
Description
Configuration Description Default Value
name Name of SMS server. (Empty)
mail-server Email-to-SMS server domain name. (Empty)
system/storage
CLI Syntax
config system storage
edit <name_str>
set name <string>
set partition <string>
set media-type <string>
set device <string>
set size <integer>
end
Description
Configuration Description Default Value
name Storage name. default_n
partition Label of underlying partition. <unknown>
media-type Media of underlying disk. ?
device Partition device. ?
size Partition size. 0
system/switch-interface
CLI Syntax
config system switch-interface
edit <name_str>
set name <string>
set vdom <string>
set span-dest-port <string>
config span-source-port
edit <name_str>
set interface-name <string>
end
config member
edit <name_str>
set interface-name <string>
end
set type {switch | hub}
set intra-switch-policy {implicit | explicit}
set span {disable | enable}
set span-direction {rx | tx | both}
end
Description
Configuration Description Default Value
name Interface name. (Empty)
vdom VDOM. (Empty)
span-dest-port Span destination port. (Empty)
span-source-port Span source ports. (Empty)
member Interfaces compose the virtual switch. (Empty)
type Type. switch
intra-switch-policy Whether traffic between members of the switch interface is allowed implicitly or requires explicit firewall policies. implicit
span Enable/disable span port. disable
span-direction SPAN direction. both
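A software switch that both segments its members and mirrors their traffic to a monitoring sensor, added here as a worked example; it is not from the original reference. In the interactive CLI the `member` and `span-source-port` sub-tables shown above are entered as space-separated interface lists. The interface names, the VDOM and the assumption that port5 is cabled to an IDS sensor are placeholders.

```fortios
config system switch-interface
    edit "lan-sw"
        set vdom "root"
        set type switch
        set intra-switch-policy explicit
        set member port3 port4 port5
        set span enable
        set span-source-port port3 port4
        set span-dest-port port5
        set span-direction both
    next
end
```

With `intra-switch-policy explicit`, frames between port3 and port4 are no longer bridged unconditionally; they must match a firewall policy with the switch interface as both source and destination, so the segments get the same inspection as traffic crossing a routed interface. With the default `implicit`, members talk to each other freely and nothing in the policy table records it. The SPAN destination receives copies of all ingress and egress frames on the source ports, payloads included, so the sensor port must not be reachable from other hosts and the sensor itself belongs in the monitoring network's threat model. Member interfaces cannot carry their own addresses or be referenced by other configuration when they are added to the switch.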
system/tos-based-priority
CLI Syntax
config system tos-based-priority
edit <name_str>
set id <integer>
set tos <integer>
set priority {low | medium | high}
end
Description
Configuration Description Default Value
id Item ID. 0
tos IP ToS value (0 - 15). 0
priority ToS based priority level. high
system/vdom
CLI Syntax
config system vdom
edit <name_str>
set name <string>
set vcluster-id <integer>
set temporary <integer>
end
Description
Configuration Description Default Value
name VDOM name. (Empty)
vcluster-id Virtual cluster ID (0 - 4294967295). 0
temporary Temporary. 0
system/vdom-dns
CLI Syntax
config system vdom-dns
edit <name_str>
set vdom-dns {enable | disable}
set primary <ipv4-address>
set secondary <ipv4-address>
set ip6-primary <ipv6-address>
set ip6-secondary <ipv6-address>
set source-ip <ipv4-address>
end
Description
Configuration Description Default Value
vdom-dns Enable/disable DNS per VDOM. disable
primary VDOM primary DNS IP. [Link]
secondary VDOM secondary DNS IP. [Link]
ip6-primary VDOM IPv6 primary DNS IP. ::
ip6-secondary VDOM IPv6 Secondary DNS IP. ::
source-ip Source IP for communications to DNS server. [Link]
system/vdom-link
CLI Syntax
config system vdom-link
edit <name_str>
set name <string>
set vcluster {vcluster1 | vcluster2}
set type {ppp | ethernet}
end
Description
Configuration Description Default Value
name VDOM link name. (Empty)
vcluster Virtual cluster. vcluster1
type Type. ppp
system/vdom-netflow
CLI Syntax
config system vdom-netflow
edit <name_str>
set vdom-netflow {enable | disable}
set collector-ip <ipv4-address>
set collector-port <integer>
set source-ip <ipv4-address>
end
Description
Configuration Description Default Value
vdom-netflow Enable/disable NetFlow per VDOM. disable
collector-ip Collector IP. [Link]
collector-port NetFlow collector port. 2055
source-ip Source IP for NetFlow agent. [Link]
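A complete flow-export setup covering both `system netflow` and `system vdom-netflow`, added here as a worked example and not taken from the original reference. The global block defines the default collector; the per-interface `netflow-sampler` option (configured under `config system interface`, which is not part of this section) selects which interfaces export; and the `vdom-netflow` block overrides the collector for one VDOM. With VDOMs enabled the first two blocks are entered under `config global` and the third under `config vdom`. All addresses, the interface name and the VDOM name are placeholders.

```fortios
config system netflow
    set collector-ip 10.20.0.50
    set collector-port 2055
    set source-ip 10.0.0.1
    set active-flow-timeout 30
    set inactive-flow-timeout 15
    set template-tx-timeout 30
    set template-tx-counter 20
end
config system interface
    edit "port1"
        set netflow-sampler both
    next
end
config vdom
    edit "dmz"
        config system vdom-netflow
            set vdom-netflow enable
            set collector-ip 10.20.0.51
            set collector-port 2055
            set source-ip 10.0.5.1
        end
    next
end
```

Flow export is NetFlow v9 over plain UDP: no authentication, no encryption, and records that enumerate every internal conversation. Set `source-ip` to a management address so the collector can restrict accepted exporters by source, send the export over the management network rather than a user-facing segment, and remember that a collector which accepts any source can be fed forged records. The `inactive-flow-timeout` of 15 seconds, not the 30-minute active timeout, is what determines how quickly a short-lived connection shows up at the collector, which matters when the flows feed detection rather than capacity planning.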
system/vdom-property
CLI Syntax
config system vdom-property
edit <name_str>
set name <string>
set description <string>
set snmp-index <integer>
set session <user>
set ipsec-phase1 <user>
set ipsec-phase2 <user>
set dialup-tunnel <user>
set firewall-policy <user>
set firewall-address <user>
set firewall-addrgrp <user>
set custom-service <user>
set service-group <user>
set onetime-schedule <user>
set recurring-schedule <user>
set user <user>
set user-group <user>
set sslvpn <user>
set proxy <user>
set log-disk-quota <user>
end
Description
Configuration Description Default Value
name VDOM name. (Empty)
description Description. (Empty)
snmp-index Permanent SNMP Index of the virtual domain. 0
session Maximum and guaranteed number of sessions, entered as two values: <maximum> <guaranteed>; 0 means no limit. 0 0
ipsec-phase1 Maximum number (guaranteed number) of VPN IPsec phase1 tunnels. 0 0
ipsec-phase2 Maximum number (guaranteed number) of VPN IPsec phase2 tunnels. 0 0
dialup-tunnel Maximum number (guaranteed number) of dial-up tunnels. 0 0
firewall-policy Maximum number (guaranteed number) of firewall policies. 0 0
firewall-address Maximum number (guaranteed number) of firewall addresses. 0 0
firewall-addrgrp Maximum number (guaranteed number) of firewall address groups. 0 0
custom-service Maximum number (guaranteed number) of firewall custom services. 0 0
service-group Maximum number (guaranteed number) of firewall service groups. 0 0
onetime-schedule Maximum number (guaranteed number) of firewall one-time schedules. 0 0
recurring-schedule Maximum number (guaranteed number) of firewall recurring schedules. 0 0
user Maximum number (guaranteed number) of local users. 0 0
user-group Maximum number (guaranteed number) of user groups. 0 0
sslvpn Maximum number (guaranteed number) of SSL-VPN. 0 0
proxy Maximum number (guaranteed number) of concurrent proxy users. 0 0
log-disk-quota Log disk quota in MB (maximum, guaranteed). 0 0
system/vdom-radius-server
CLI Syntax
config system vdom-radius-server
edit <name_str>
set name <string>
set status {enable | disable}
set radius-server-vdom <string>
end
Description

| Configuration | Description | Default Value |
|---|---|---|
| name | Name of the virtual domain for the server settings. | (Empty) |
| status | Enable/disable the entry. | disable |
| radius-server-vdom | Virtual domain of the dynamic profile RADIUS server to use for dynamic profile traffic in the current VDOM. | (Empty) |
system/vdom-sflow
CLI Syntax
config system vdom-sflow
edit <name_str>
set vdom-sflow {enable | disable}
set collector-ip <ipv4-address>
set collector-port <integer>
set source-ip <ipv4-address>
end
Description

| Configuration | Description | Default Value |
|---|---|---|
| vdom-sflow | Enable/disable sFlow per VDOM. | disable |
| collector-ip | Collector IP address. | 0.0.0.0 |
| collector-port | sFlow collector port. | 6343 |
| source-ip | Source IP address for the sFlow agent. | 0.0.0.0 |
system/virtual-wan-link
CLI Syntax
config system virtual-wan-link
edit <name_str>
set status {disable | enable}
set load-balance-mode {source-ip-based | weight-based | usage-based | source-dest-ip-based | measured-volume-based}
set fail-detect {enable | disable}
config fail-alert-interfaces
edit <name_str>
set name <string>
end
config members
edit <name_str>
set seq-num <integer>
set interface <string>
set gateway <ipv4-address>
set weight <integer>
set priority <integer>
set spillover-threshold <integer>
set ingress-spillover-threshold <integer>
set volume-ratio <integer>
set status {disable | enable}
end
config health-check
edit <name_str>
set name <string>
set server <string>
set protocol {ping | tcp-echo | udp-echo | http | twamp}
set port <integer>
set security-mode {none | authentication}
set password <password>
set packet-size <integer>
set http-get <string>
set http-match <string>
set interval <integer>
set timeout <integer>
set failtime <integer>
set recoverytime <integer>
set update-cascade-interface {enable | disable}
set update-static-route {enable | disable}
set threshold-warning-packetloss <integer>
set threshold-alert-packetloss <integer>
set threshold-warning-latency <integer>
set threshold-alert-latency <integer>
set threshold-warning-jitter <integer>
set threshold-alert-jitter <integer>
end
config service
edit <name_str>
set name <string>
set mode {auto | manual | priority}
set quality-link <integer>
set member <integer>
set tos <user>
set tos-mask <user>
set protocol <integer>
set start-port <integer>
set end-port <integer>
config dst
edit <name_str>
set name <string>
end
config src
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config groups
edit <name_str>
set name <string>
end
set internet-service {enable | disable}
config internet-service-custom
edit <name_str>
set name <string>
end
config internet-service-id
edit <name_str>
set id <integer>
end
set health-check <string>
set link-cost-factor {latency | jitter | packet-loss}
config priority-members
edit <name_str>
set seq-num <integer>
end
end
end
Description

| Configuration | Description | Default Value |
|---|---|---|
| status | Enable/disable using the virtual-wan-link settings. | disable |
| load-balance-mode | Load balance mode among virtual WAN link members. | source-ip-based |
| fail-detect | Enable/disable fail detection. | disable |
| fail-alert-interfaces | Physical interfaces that will be alerted. | (Empty) |
| members | Members belonging to the virtual-wan-link. | (Empty) |
| health-check | Health check. | (Empty) |
| service | Service to be distributed. | (Empty) |
system/virtual-wire-pair
CLI Syntax
config system virtual-wire-pair
edit <name_str>
set name <string>
config member
edit <name_str>
set interface-name <string>
end
set wildcard-vlan {enable | disable}
end
Description

| Configuration | Description | Default Value |
|---|---|---|
| name | virtual-wire-pair name. | (Empty) |
| member | Interfaces belonging to the port pair. | (Empty) |
| wildcard-vlan | Enable/disable wildcard VLAN. | disable |
system/wccp
CLI Syntax
config system wccp
edit <name_str>
set service-id <string>
set router-id <ipv4-address>
set cache-id <ipv4-address>
set group-address <ipv4-address-multicast>
set server-list <user>
set router-list <user>
set ports-defined {source | destination}
set ports <user>
set authentication {enable | disable}
set password <password>
set forward-method {GRE | L2 | any}
set cache-engine-method {GRE | L2}
set service-type {auto | standard | dynamic}
set primary-hash {src-ip | dst-ip | src-port | dst-port}
set priority <integer>
set protocol <integer>
set assignment-weight <integer>
set assignment-bucket-format {wccp-v2 | cisco-implementation}
set return-method {GRE | L2 | any}
set assignment-method {HASH | MASK | any}
end
Description

| Configuration | Description | Default Value |
|---|---|---|
| service-id | Service ID. | (Empty) |
| router-id | IP address which is known by all web cache servers. | 0.0.0.0 |
| cache-id | IP address which is known by all routers. | 0.0.0.0 |
| group-address | IP multicast address. | 0.0.0.0 |
| server-list | Addresses of potential cache servers. | (Empty) |
| router-list | Addresses of potential routers. | (Empty) |
| ports-defined | Match method. | (Empty) |
| ports | Service ports. | (Empty) |
| authentication | Enable/disable MD5 authentication. | disable |
| password | Password for MD5 authentication. | (Empty) |
| forward-method | Method by which traffic is forwarded to cache servers. | GRE |
| cache-engine-method | Method by which traffic is forwarded to the router or returned to the cache engine. | GRE |
| service-type | Service type: auto, standard or dynamic. | auto |
| primary-hash | Hash method. | dst-ip |
| priority | Service priority. | 0 |
| protocol | Service protocol. | 0 |
| assignment-weight | Cache server hash weight. | 0 |
| assignment-bucket-format | Hash table bucket format. | cisco-implementation |
| return-method | Method by which traffic is returned to the firewall. | GRE |
| assignment-method | Assignment method preference. | HASH |
system/zone
CLI Syntax
config system zone
edit <name_str>
set name <string>
set intrazone {allow | deny}
config interface
edit <name_str>
set interface-name <string>
end
end
Description

| Configuration | Description | Default Value |
|---|---|---|
| name | Zone name. | (Empty) |
| intrazone | Intra-zone traffic. | deny |
| interface | Interfaces belonging to the zone. | (Empty) |
user/adgrp
CLI Syntax
config user adgrp
edit <name_str>
set name <string>
set server-name <string>
set polling-id <integer>
end
Description

| Configuration | Description | Default Value |
|---|---|---|
| name | Name. | (Empty) |
| server-name | FSSO agent name. | (Empty) |
| polling-id | FSSO polling ID. | 0 |
user/device
CLI Syntax
config user device
edit <name_str>
set alias <string>
set mac <mac-address>
set user <string>
set master-device <string>
set comment <var-string>
set avatar <var-string>
set type {ipad | iphone | gaming-console | blackberry-phone | blackberry-playbook | linux-pc | mac | windows-pc | android-phone | android-tablet | media-streaming | windows-phone | windows-tablet | fortinet-device | ip-phone | router-nat-device | printer | other-network-device}
end
Description

| Configuration | Description | Default Value |
|---|---|---|
| alias | Device alias. | (Empty) |
| mac | Device MAC address(es). | 00:00:00:00:00:00 |
| user | User name. | (Empty) |
| master-device | Master device (optional). | (Empty) |
| comment | Comment. | (Empty) |
| avatar | Image file for avatar (maximum 4K base64 encoded). | (Empty) |
| type | Device type. | other-network-device |
user/device-access-list
CLI Syntax
config user device-access-list
edit <name_str>
set name <string>
set default-action {accept | deny}
config device-list
edit <name_str>
set id <integer>
set device <string>
set action {accept | deny}
end
end
Description

| Configuration | Description | Default Value |
|---|---|---|
| name | Device access list name. | (Empty) |
| default-action | Allow or block unknown devices. | accept |
| device-list | Device list. | (Empty) |
user/device-category
CLI Syntax
config user device-category
edit <name_str>
set name <string>
set desc <var-string>
set comment <var-string>
end
Description

| Configuration | Description | Default Value |
|---|---|---|
| name | Device category name. | (Empty) |
| desc | Device category description. | (Empty) |
| comment | Comment. | (Empty) |
user/device-group
CLI Syntax
config user device-group
edit <name_str>
set name <string>
config member
edit <name_str>
set name <string>
end
set comment <var-string>
end
Description

| Configuration | Description | Default Value |
|---|---|---|
| name | Device group name. | (Empty) |
| member | Device group member. | (Empty) |
| comment | Comment. | (Empty) |
user/fortitoken
CLI Syntax
config user fortitoken
edit <name_str>
set serial-number <string>
set status {active | lock}
set seed <string>
set comments <var-string>
set license <string>
set activation-code <string>
set activation-expire <integer>
end
Description

| Configuration | Description | Default Value |
|---|---|---|
| serial-number | Serial number. | (Empty) |
| status | Status. | active |
| seed | Token seed. | (Empty) |
| comments | Comment. | (Empty) |
| license | Mobile token license. | (Empty) |
| activation-code | Mobile token user activation code. | (Empty) |
| activation-expire | Mobile token user activation code expiry time. | 0 |
user/fsso
CLI Syntax
config user fsso
edit <name_str>
set name <string>
set server <string>
set port <integer>
set password <password>
set server2 <string>
set port2 <integer>
set password2 <password>
set server3 <string>
set port3 <integer>
set password3 <password>
set server4 <string>
set port4 <integer>
set password4 <password>
set server5 <string>
set port5 <integer>
set password5 <password>
set ldap-server <string>
set source-ip <ipv4-address>
end
Description

| Configuration | Description | Default Value |
|---|---|---|
| name | Name. | (Empty) |
| server | Address of the 1st FSSO agent. | (Empty) |
| port | Port of the 1st FSSO agent. | 8000 |
| password | Password of the 1st FSSO agent. | (Empty) |
| server2 | Address of the 2nd FSSO agent. | (Empty) |
| port2 | Port of the 2nd FSSO agent. | 8000 |
| password2 | Password of the 2nd FSSO agent. | (Empty) |
| server3 | Address of the 3rd FSSO agent. | (Empty) |
| port3 | Port of the 3rd FSSO agent. | 8000 |
| password3 | Password of the 3rd FSSO agent. | (Empty) |
| server4 | Address of the 4th FSSO agent. | (Empty) |
| port4 | Port of the 4th FSSO agent. | 8000 |
| password4 | Password of the 4th FSSO agent. | (Empty) |
| server5 | Address of the 5th FSSO agent. | (Empty) |
| port5 | Port of the 5th FSSO agent. | 8000 |
| password5 | Password of the 5th FSSO agent. | (Empty) |
| ldap-server | LDAP server used to get group information. | (Empty) |
| source-ip | Source IP for communications to the FSSO agent. | 0.0.0.0 |
user/fsso-polling
CLI Syntax
config user fsso-polling
edit <name_str>
set id <integer>
set status {enable | disable}
set server <string>
set default-domain <string>
set port <integer>
set user <string>
set password <password>
set ldap-server <string>
set logon-history <integer>
set polling-frequency <integer>
config adgrp
edit <name_str>
set name <string>
end
end
Description

| Configuration | Description | Default Value |
|---|---|---|
| id | Active Directory server ID. | 0 |
| status | Enable/disable polling of the Active Directory server. | enable |
| server | Active Directory server name/IP address. | (Empty) |
| default-domain | Default domain in this server. | (Empty) |
| port | Port of the Active Directory server. | 0 |
| user | Active Directory server user account. | (Empty) |
| password | Password to connect to the Active Directory server. | (Empty) |
| ldap-server | LDAP server name for group names and users. | (Empty) |
| logon-history | Hours to keep a logon as active (0 = keep forever). | 8 |
| polling-frequency | Polling frequency (1 - 30 s). | 10 |
| adgrp | LDAP group information. | (Empty) |
user/group
CLI Syntax
config user group
edit <name_str>
set name <string>
set group-type {firewall | sslvpn | fsso-service | directory-service | active-directory | rsso | guest}
set authtimeout <integer>
set auth-concurrent-override {enable | disable}
set auth-concurrent-value <integer>
set http-digest-realm <string>
set sso-attribute-value <string>
config member
edit <name_str>
set name <string>
end
config match
edit <name_str>
set id <integer>
set server-name <string>
set group-name <string>
end
set user-id {email | auto-generate | specify}
set password {auto-generate | specify | disable}
set user-name {disable | enable}
set sponsor {optional | mandatory | disabled}
set company {optional | mandatory | disabled}
set email {disable | enable}
set mobile-phone {disable | enable}
set sms-server {fortiguard | custom}
set sms-custom-server <string>
set expire-type {immediately | first-successful-login}
set expire <integer>
set max-accounts <integer>
set multiple-guest-add {disable | enable}
config guest
edit <name_str>
set user-id <string>
set name <string>
set group <string>
set password <password>
set mobile-phone <string>
set sponsor <string>
set company <string>
set email <string>
set expiration <user>
set comment <var-string>
end
end
Description

| Configuration | Description | Default Value |
|---|---|---|
| name | Group name. | (Empty) |
| group-type | Type of user group. | firewall |
| authtimeout | Authentication timeout. | 0 |
| auth-concurrent-override | Enable/disable concurrent authentication override. | disable |
| auth-concurrent-value | Maximum number of concurrent authenticated connections per user (0 - 100). | 0 |
| http-digest-realm | Realm attribute for MD5-digest authentication. | (Empty) |
| sso-attribute-value | Single sign-on attribute value. | (Empty) |
| member | Group members. | (Empty) |
| match | Group matches. | (Empty) |
| user-id | User ID. | email |
| password | Password. | auto-generate |
| user-name | Enable/disable user name. | disable |
| sponsor | Sponsor. | optional |
| company | Company. | optional |
| email | Enable/disable email address. | enable |
| mobile-phone | Enable/disable mobile phone. | disable |
| sms-server | Send SMS through FortiGuard or another external server. | fortiguard |
| sms-custom-server | SMS server. | (Empty) |
| expire-type | Point at which the expiration countdown begins. | immediately |
| expire | Expiration (1 - 31536000 sec). | 14400 |
| max-accounts | Maximum number of guest accounts that can be created for this group (0 = unlimited). | 0 |
| multiple-guest-add | Enable/disable addition of multiple guests. | disable |
| guest | Guest user. | (Empty) |
user/ldap
CLI Syntax
config user ldap
edit <name_str>
set name <string>
set server <string>
set secondary-server <string>
set tertiary-server <string>
set source-ip <ipv4-address>
set cnid <string>
set dn <string>
set type {simple | anonymous | regular}
set username <string>
set password <password>
set group-member-check {user-attr | group-object}
set group-object-filter <string>
set secure {disable | starttls | ldaps}
set ca-cert <string>
set port <integer>
set password-expiry-warning {enable | disable}
set password-renewal {enable | disable}
set member-attr <string>
set search-type {nested}
end
Description

| Configuration | Description | Default Value |
|---|---|---|
| name | LDAP server entry name. | (Empty) |
| server | {<name_str \| ip_str>} LDAP server CN domain name or IP. | (Empty) |
| secondary-server | {<name_str \| ip_str>} Secondary LDAP server CN domain name or IP. | (Empty) |
| tertiary-server | {<name_str \| ip_str>} Tertiary LDAP server CN domain name or IP. | (Empty) |
| source-ip | Source IP for communications to the LDAP server. | 0.0.0.0 |
| cnid | Common Name Identifier (default = "cn"). | cn |
| dn | Distinguished Name. | (Empty) |
| type | Type of LDAP binding. | simple |
| username | Username (full DN) for initial binding. | (Empty) |
| password | Password for initial binding. | (Empty) |
| group-member-check | Group-member checking options. | user-attr |
| group-object-filter | Filter used for group searching. | (&(objectcategory=group)(member=*)) |
| secure | SSL connection. | disable |
| ca-cert | CA certificate name. | (Empty) |
| port | Port number of the LDAP server (default = 389). | 389 |
| password-expiry-warning | Enable/disable password expiry warnings. | disable |
| password-renewal | Enable/disable online password renewal. | disable |
| member-attr | Name of the attribute from which to get group membership. | memberOf |
| search-type | Search type. | (Empty) |
user/local
CLI Syntax
config user local
edit <name_str>
set name <string>
set status {enable | disable}
set type {password | radius | tacacs+ | ldap}
set passwd <password>
set ldap-server <string>
set radius-server <string>
set tacacs+-server <string>
set two-factor {disable | fortitoken | email | sms}
set fortitoken <string>
set email-to <string>
set sms-server {fortiguard | custom}
set sms-custom-server <string>
set sms-phone <string>
set passwd-policy <string>
set passwd-time <user>
set authtimeout <integer>
set workstation <string>
set auth-concurrent-override {enable | disable}
set auth-concurrent-value <integer>
end
Description

| Configuration | Description | Default Value |
|---|---|---|
| name | User name. | (Empty) |
| status | Enable/disable user. | enable |
| type | Authentication type. | (Empty) |
| passwd | User password. | (Empty) |
| ldap-server | LDAP server name. | (Empty) |
| radius-server | RADIUS server name. | (Empty) |
| tacacs+-server | TACACS+ server name. | (Empty) |
| two-factor | Enable/disable two-factor authentication. | disable |
| fortitoken | Two-factor recipient's FortiToken serial number. | (Empty) |
| email-to | Two-factor recipient's email address. | (Empty) |
| sms-server | Send SMS through FortiGuard or another external server. | fortiguard |
| sms-custom-server | Two-factor recipient's SMS server. | (Empty) |
| sms-phone | Two-factor recipient's mobile phone number. | (Empty) |
| passwd-policy | Password policy. | (Empty) |
| passwd-time | Password last update time. | 0000-00-00 00:00:00 |
| authtimeout | Authentication timeout. | 0 |
| workstation | Name of remote user workstation. | (Empty) |
| auth-concurrent-override | Enable/disable concurrent authentication override. | disable |
| auth-concurrent-value | Maximum number of concurrent authenticated connections per user. | 0 |
user/password-policy
CLI Syntax
config user password-policy
edit <name_str>
set name <string>
set expire-days <integer>
set warn-days <integer>
end
Description

| Configuration | Description | Default Value |
|---|---|---|
| name | Password policy name. | (Empty) |
| expire-days | Number of days after which the password expires. | 180 |
| warn-days | Number of days to warn before the password expires. | 15 |
user/peer
CLI Syntax
config user peer
edit <name_str>
set name <string>
set mandatory-ca-verify {enable | disable}
set ca <string>
set subject <string>
set cn <string>
set cn-type {string | email | FQDN | ipv4 | ipv6}
set ldap-server <string>
set ldap-username <string>
set ldap-password <password>
set ldap-mode {password | principal-name}
set ocsp-override-server <string>
set two-factor {enable | disable}
set passwd <password>
end
Description

| Configuration | Description | Default Value |
|---|---|---|
| name | Peer name. | (Empty) |
| mandatory-ca-verify | Enable/disable mandatory CA verification. | disable |
| ca | Peer certificate CA (CA name in local). | (Empty) |
| subject | Peer certificate name constraints. | (Empty) |
| cn | Peer certificate common name. | (Empty) |
| cn-type | Peer certificate common name type. | string |
| ldap-server | LDAP server for access rights check. | (Empty) |
| ldap-username | Username for LDAP server bind. | (Empty) |
| ldap-password | Password for LDAP server bind. | (Empty) |
| ldap-mode | Peer LDAP mode. | password |
| ocsp-override-server | OCSP server. | (Empty) |
| two-factor | Enable/disable two-factor authentication (certificate + password). | disable |
| passwd | User password. | (Empty) |
user/peergrp
CLI Syntax
config user peergrp
edit <name_str>
set name <string>
config member
edit <name_str>
set name <string>
end
end
Description

| Configuration | Description | Default Value |
|---|---|---|
| name | Peer group name. | (Empty) |
| member | Peer group members. | (Empty) |
user/pop3
CLI Syntax
config user pop3
edit <name_str>
set name <string>
set server <string>
set port <integer>
set secure {none | starttls | pop3s}
end
Description

| Configuration | Description | Default Value |
|---|---|---|
| name | POP3 server entry name. | (Empty) |
| server | {<name_str \| ip_str>} Server domain name or IP. | (Empty) |
| port | POP3 service port number. | 0 |
| secure | SSL connection. | starttls |
user/radius
CLI Syntax
config user radius
edit <name_str>
set name <string>
set server <string>
set secret <password>
set secondary-server <string>
set secondary-secret <password>
set tertiary-server <string>
set tertiary-secret <password>
set timeout <integer>
set all-usergroup {disable | enable}
set use-management-vdom {enable | disable}
set nas-ip <ipv4-address>
set acct-interim-interval <integer>
set radius-coa {enable | disable}
set radius-port <integer>
set h3c-compatibility {enable | disable}
set auth-type {auto | ms_chap_v2 | ms_chap | chap | pap}
set source-ip <ipv4-address>
set username-case-sensitive {enable | disable}
set password-renewal {enable | disable}
set rsso {enable | disable}
set rsso-radius-server-port <integer>
set rsso-radius-response {enable | disable}
set rsso-validate-request-secret {enable | disable}
set rsso-secret <password>
set rsso-endpoint-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
set rsso-endpoint-block-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
set sso-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
set sso-attribute-key <string>
set sso-attribute-value-override {enable | disable}
set rsso-context-timeout <integer>
set rsso-log-period <integer>
set rsso-log-flags {protocol-error | profile-missing | accounting-stop-missed | accounting-event | endpoint-block | radiusd-other | none}
set rsso-flush-ip-session {enable | disable}
config accounting-server
edit <name_str>
set id <integer>
set status {enable | disable}
set server <string>
set secret <password>
set port <integer>
set source-ip <ipv4-address>
end
end
Description

| Configuration | Description | Default Value |
|---|---|---|
| name | RADIUS server entry name. | (Empty) |
| server | {<name_str \| ip_str>} Primary server CN domain name or IP. | (Empty) |
| secret | Secret key to access the primary server. | (Empty) |
| secondary-server | {<name_str \| ip_str>} Secondary RADIUS server CN domain name or IP. | (Empty) |
| secondary-secret | Secret key to access the secondary server. | (Empty) |
| tertiary-server | {<name_str \| ip_str>} Tertiary RADIUS server CN domain name or IP. | (Empty) |
| tertiary-secret | Secret key to access the tertiary server. | (Empty) |
| timeout | Authentication time-out. | 5 |
| all-usergroup | Enable/disable automatically including this RADIUS server in all user groups. | disable |
| use-management-vdom | Enable/disable using the management VDOM to send requests. | disable |
| nas-ip | NAS IP address and called station ID. | 0.0.0.0 |
| acct-interim-interval | Number of seconds between each accounting interim update message (600 - 86400 sec). | 0 |
| radius-coa | Enable/disable RADIUS CoA. | disable |
| radius-port | RADIUS service port number. | 0 |
| h3c-compatibility | Enable/disable H3C compatibility. | disable |
| auth-type | Authentication protocol. | auto |
| source-ip | Source IP for communications to the RADIUS server. | 0.0.0.0 |
| username-case-sensitive | Enable/disable case-sensitive username matching. | disable |
| password-renewal | Enable/disable password renewal. | disable |
| rsso | Enable/disable the RADIUS-based single sign-on feature. | disable |
| rsso-radius-server-port | UDP port to listen on for RADIUS accounting packets. | 1813 |
| rsso-radius-response | Enable/disable sending RADIUS response packets. | disable |
| rsso-validate-request-secret | Enable/disable validating the RADIUS request shared secret. | disable |
| rsso-secret | RADIUS shared secret for responses / validating requests. | (Empty) |
| rsso-endpoint-attribute | RADIUS attribute used to hold the endpoint name. | Calling-Station-Id |
| rsso-endpoint-block-attribute | RADIUS attribute used to hold the endpoint to block. | (Empty) |
| sso-attribute | RADIUS attribute used to match the single sign-on group value. | Class |
| sso-attribute-key | Key prefix for the single sign-on group value in the sso-attribute. | (Empty) |
| sso-attribute-value-override | Enable/disable overriding the old attribute value with the new value for the same endpoint. | enable |
| rsso-context-timeout | Timeout value for RADIUS server database entries (0 = infinite). | 28800 |
| rsso-log-period | Minimum time period to use for event logs. | 0 |
| rsso-log-flags | Events to log. | protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other |
| rsso-flush-ip-session | Enable/disable flushing user IP sessions on RADIUS accounting stop. | disable |
| accounting-server | Additional accounting servers. | (Empty) |
user/security-exempt-list
CLI Syntax
config user security-exempt-list
edit <name_str>
set name <string>
set description <string>
config rule
edit <name_str>
set id <integer>
config srcaddr
edit <name_str>
set name <string>
end
config devices
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
end
end
Description

| Configuration | Description | Default Value |
|---|---|---|
| name | Name of the exempt list. | (Empty) |
| description | Description. | (Empty) |
| rule | Exempt rules. | (Empty) |
user/setting
CLI Syntax
config user setting
edit <name_str>
set auth-type {http | https | ftp | telnet}
set auth-cert <string>
set auth-ca-cert <string>
set auth-secure-http {enable | disable}
set auth-http-basic {enable | disable}
set auth-multi-group {enable | disable}
set auth-timeout <integer>
set auth-timeout-type {idle-timeout | hard-timeout | new-session}
set auth-portal-timeout <integer>
set radius-ses-timeout-act {hard-timeout | ignore-timeout}
set auth-blackout-time <integer>
set auth-invalid-max <integer>
set auth-lockout-threshold <integer>
set auth-lockout-duration <integer>
config auth-ports
edit <name_str>
set id <integer>
set type {http | https | ftp | telnet}
set port <integer>
end
end
Description

| Configuration | Description | Default Value |
|---|---|---|
| auth-type | Allowed firewall policy authentication methods. | http https ftp telnet |
| auth-cert | HTTPS server certificate for policy authentication. | (Empty) |
| auth-ca-cert | HTTPS CA certificate for policy authentication. | (Empty) |
| auth-secure-http | Enable/disable use of HTTPS for HTTP authentication. | disable |
| auth-http-basic | Enable/disable use of HTTP BASIC for HTTP authentication. | disable |
| auth-multi-group | Enable/disable retrieval of the groups to which a user belongs. | enable |
| auth-timeout | Firewall user authentication time-out. | 5 |
| auth-timeout-type | Authenticated policy expiration behavior. | idle-timeout |
| auth-portal-timeout | Firewall captive portal authentication time-out (1 - 30 min, default = 3). | 3 |
| radius-ses-timeout-act | RADIUS session timeout behavior. | hard-timeout |
| auth-blackout-time | Authentication blackout time (0 - 3600 s). | 0 |
| auth-invalid-max | Number of invalid auth tries allowed before blackout. | 5 |
| auth-lockout-threshold | Maximum number of failed login attempts before lockout (1 - 10). | 3 |
| auth-lockout-duration | Lockout period in seconds after too many login failures. | 0 |
| auth-ports | Authentication port table. | (Empty) |
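The user/ldap, user/radius and user/setting defaults listed above (secure=disable, rsso-validate-request-secret=disable, auth-secure-http=disable) are the ones a reviewer checks first in a FortiGate configuration backup. The script below is an added example, not Fortinet's code or part of this reference: it parses the nested config/edit/set/next/end text the reference documents and reports those weak settings. It assumes a standard config dump in which `next` closes each `edit`, and its sample entries, names and addresses are constructed placeholders.

```python
"""Audit a FortiOS 5.4 config dump for weak user/ldap, user/radius and user/setting values."""
import shlex

# Constructed sample, not from the reference; names and addresses are placeholders.
SAMPLE_CONFIG = """\
config user ldap
    edit "corp-ldap"
        set server "ldap.example.internal"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=internal"
        set type regular
        set username "cn=svc-fgt,ou=svc,dc=example,dc=internal"
        set secure disable
    next
    edit "corp-ldaps"
        set server "ldap.example.internal"
        set secure ldaps
        set ca-cert "Corp-Root-CA"
        set port 636
    next
end
config user radius
    edit "nac-radius"
        set server "192.0.2.10"
        set rsso enable
        set rsso-validate-request-secret disable
        config accounting-server
            edit 1
                set server "192.0.2.11"
            next
        end
    next
end
config user setting
    set auth-type http https
    set auth-secure-http disable
    set auth-lockout-threshold 3
end
"""


def parse_fortios(text):
    """Parse nested config/edit/set/next/end text into dicts: table -> entry -> setting.

    Top-level `config user ldap` becomes the key "user ldap"; each `edit` under it is an
    entry; `set` values are stored as a space-joined string. A table with no `edit` lines
    (as `config user setting` is on a FortiGate) keeps its settings directly. `next` and
    `end` both close the innermost block.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def audit(cfg):
    """Return (table, entry, finding) tuples; fallback values are the reference defaults."""
    findings = []
    for name, ldap in cfg.get("user ldap", {}).items():
        secure = ldap.get("secure", "disable")
        if secure == "disable":
            findings.append(("user ldap", name,
                             "secure=disable: bind credentials and queries are sent in cleartext"))
        elif not ldap.get("ca-cert"):
            findings.append(("user ldap", name,
                             f"secure={secure} without ca-cert: the server certificate "
                             "cannot be validated against a trusted CA"))
    for name, radius in cfg.get("user radius", {}).items():
        if (radius.get("rsso") == "enable"
                and radius.get("rsso-validate-request-secret", "disable") != "enable"):
            findings.append(("user radius", name,
                             "rsso enabled with rsso-validate-request-secret=disable: "
                             "accounting packets are accepted without shared-secret validation"))
    setting = cfg.get("user setting", {})
    auth_types = setting.get("auth-type", "http https ftp telnet").split()
    if "http" in auth_types and setting.get("auth-secure-http", "disable") != "enable":
        findings.append(("user setting", "-",
                         "auth-type includes http with auth-secure-http=disable: "
                         "policy authentication logins can be submitted over plain HTTP"))
    if setting.get("auth-http-basic", "disable") == "enable":
        findings.append(("user setting", "-",
                         "auth-http-basic=enable: credentials are resent with every request"))
    return findings


def run_audit(text=SAMPLE_CONFIG):
    """Parse and audit one config dump; returns the finding list."""
    return audit(parse_fortios(text))


if __name__ == "__main__":
    for table, entry, message in run_audit():
        print(f"[{table}] {entry}: {message}")
```

Run it against the output of `show full-configuration` saved to a file; the sample above yields three findings (corp-ldap, nac-radius and the user setting table) and none for corp-ldaps.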
user/tacacs+
CLI Syntax
config user tacacs+
edit <name_str>
set name <string>
set server <string>
set secondary-server <string>
set tertiary-server <string>
set port <integer>
set key <password>
set secondary-key <password>
set tertiary-key <password>
set authen-type {mschap | chap | pap | ascii | auto}
set authorization {enable | disable}
set source-ip <ipv4-address>
end
CLI Reference for FortiOS 5.4 689
Fortinet Technologies Inc.
Description
Configuration Description Default Value
name TACACS+ server entry name. (Empty)
server {<name_str|ip_str>} server CN domain name or IP. (Empty)
secondary-server {<name_str|ip_str>} secondary server CN domain name or IP. (Empty)
tertiary-server {<name_str|ip_str>} tertiary server CN domain name or IP. (Empty)
port Port number of the TACACS+ server. 49
key Key to access the server. (Empty)
secondary-key Key to access the secondary server. (Empty)
tertiary-key Key to access the tertiary server. (Empty)
authen-type Authentication type to use. auto
authorization Enable/disable TACACS+ authorization. disable
source-ip Source IP for communications to TACACS+ server. [Link]
voip/profile
CLI Syntax
config voip profile
edit <name_str>
set name <string>
set comment <var-string>
config sip
edit <name_str>
set status {disable | enable}
set rtp {disable | enable}
set open-register-pinhole {disable | enable}
set open-contact-pinhole {disable | enable}
set strict-register {disable | enable}
set register-rate <integer>
set invite-rate <integer>
set max-dialogs <integer>
set max-line-length <integer>
set block-long-lines {disable | enable}
set block-unknown {disable | enable}
set call-keepalive <integer>
set block-ack {disable | enable}
set block-bye {disable | enable}
set block-cancel {disable | enable}
set block-info {disable | enable}
set block-invite {disable | enable}
set block-message {disable | enable}
set block-notify {disable | enable}
set block-options {disable | enable}
set block-prack {disable | enable}
set block-publish {disable | enable}
set block-refer {disable | enable}
set block-register {disable | enable}
set block-subscribe {disable | enable}
set block-update {disable | enable}
set register-contact-trace {disable | enable}
set open-via-pinhole {disable | enable}
set open-record-route-pinhole {disable | enable}
set rfc2543-branch {disable | enable}
set log-violations {disable | enable}
set log-call-summary {disable | enable}
set nat-trace {disable | enable}
set subscribe-rate <integer>
set message-rate <integer>
set notify-rate <integer>
set refer-rate <integer>
set update-rate <integer>
set options-rate <integer>
set ack-rate <integer>
set prack-rate <integer>
set info-rate <integer>
set publish-rate <integer>
set bye-rate <integer>
set cancel-rate <integer>
set preserve-override {disable | enable}
set no-sdp-fixup {disable | enable}
set contact-fixup {disable | enable}
set max-idle-dialogs <integer>
set block-geo-red-options {disable | enable}
set hosted-nat-traversal {disable | enable}
set hnt-restrict-source-ip {disable | enable}
set max-body-length <integer>
set unknown-header {discard | pass | respond}
set malformed-request-line {discard | pass | respond}
set malformed-header-via {discard | pass | respond}
set malformed-header-from {discard | pass | respond}
set malformed-header-to {discard | pass | respond}
set malformed-header-call-id {discard | pass | respond}
set malformed-header-cseq {discard | pass | respond}
set malformed-header-rack {discard | pass | respond}
set malformed-header-rseq {discard | pass | respond}
set malformed-header-contact {discard | pass | respond}
set malformed-header-record-route {discard | pass | respond}
set malformed-header-route {discard | pass | respond}
set malformed-header-expires {discard | pass | respond}
set malformed-header-content-type {discard | pass | respond}
set malformed-header-content-length {discard | pass | respond}
set malformed-header-max-forwards {discard | pass | respond}
set malformed-header-allow {discard | pass | respond}
set malformed-header-p-asserted-identity {discard | pass | respond}
set malformed-header-sdp-v {discard | pass | respond}
set malformed-header-sdp-o {discard | pass | respond}
set malformed-header-sdp-s {discard | pass | respond}
set malformed-header-sdp-i {discard | pass | respond}
set malformed-header-sdp-c {discard | pass | respond}
set malformed-header-sdp-b {discard | pass | respond}
set malformed-header-sdp-z {discard | pass | respond}
set malformed-header-sdp-k {discard | pass | respond}
set malformed-header-sdp-a {discard | pass | respond}
set malformed-header-sdp-t {discard | pass | respond}
set malformed-header-sdp-r {discard | pass | respond}
set malformed-header-sdp-m {discard | pass | respond}
set provisional-invite-expiry-time <integer>
set ips-rtp {disable | enable}
set ssl-mode {off | full}
set ssl-send-empty-frags {enable | disable}
set ssl-client-renegotiation {allow | deny | secure}
set ssl-algorithm {high | medium | low}
set ssl-pfs {require | deny | allow}
set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-client-certificate <string>
set ssl-server-certificate <string>
set ssl-auth-client <string>
set ssl-auth-server <string>
end
config sccp
edit <name_str>
set status {disable | enable}
set block-mcast {disable | enable}
set verify-header {disable | enable}
set log-call-summary {disable | enable}
set log-violations {disable | enable}
set max-calls <integer>
end
end
Description
Configuration Description Default Value
name Profile name. (Empty)
comment Comment. (Empty)
sip SIP. Details below
Configuration Default Value
status enable
rtp enable
open-register-pinhole enable
open-contact-pinhole enable
strict-register disable
register-rate 0
invite-rate 0
max-dialogs 0
max-line-length 998
block-long-lines enable
block-unknown enable
call-keepalive 0
block-ack disable
block-bye disable
block-cancel disable
block-info disable
block-invite disable
block-message disable
block-notify disable
block-options disable
block-prack disable
block-publish disable
block-refer disable
block-register disable
block-subscribe disable
block-update disable
register-contact-trace disable
open-via-pinhole disable
open-record-route-pinhole enable
rfc2543-branch disable
log-violations disable
log-call-summary enable
nat-trace enable
subscribe-rate 0
message-rate 0
notify-rate 0
refer-rate 0
update-rate 0
options-rate 0
ack-rate 0
prack-rate 0
info-rate 0
publish-rate 0
bye-rate 0
cancel-rate 0
preserve-override disable
no-sdp-fixup disable
contact-fixup enable
max-idle-dialogs 0
block-geo-red-options disable
hosted-nat-traversal disable
hnt-restrict-source-ip disable
max-body-length 0
unknown-header pass
malformed-request-line pass
malformed-header-via pass
malformed-header-from pass
malformed-header-to pass
malformed-header-call-id pass
malformed-header-cseq pass
malformed-header-rack pass
malformed-header-rseq pass
malformed-header-contact pass
malformed-header-record-route pass
malformed-header-route pass
malformed-header-expires pass
malformed-header-content-type pass
malformed-header-content-length pass
malformed-header-max-forwards pass
malformed-header-allow pass
malformed-header-p-asserted-identity pass
malformed-header-sdp-v pass
malformed-header-sdp-o pass
malformed-header-sdp-s pass
malformed-header-sdp-i pass
malformed-header-sdp-c pass
malformed-header-sdp-b pass
malformed-header-sdp-z pass
malformed-header-sdp-k pass
malformed-header-sdp-a pass
malformed-header-sdp-t pass
malformed-header-sdp-r pass
malformed-header-sdp-m pass
provisional-invite-expiry-time 210
ips-rtp enable
ssl-mode off
ssl-send-empty-frags enable
ssl-client-renegotiation allow
ssl-algorithm high
ssl-pfs allow
ssl-min-version tls-1.0
ssl-max-version tls-1.2
ssl-client-certificate (Empty)
ssl-server-certificate (Empty)
ssl-auth-client (Empty)
ssl-auth-server (Empty)
sccp SCCP. Details below
Configuration Default Value
status enable
block-mcast disable
verify-header disable
log-call-summary disable
log-violations disable
max-calls 0
[Link]/ca
CLI Syntax
config [Link] ca
edit <name_str>
set name <string>
set ca <user>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
set trusted {enable | disable}
set scep-url <string>
set auto-update-days <integer>
set auto-update-days-warning <integer>
set source-ip <ipv4-address>
end
Description
Configuration Description Default Value
name Name. (Empty)
ca CA certificate. (Empty)
range CA certificate range. vdom
source CA certificate source. user
trusted Enable/disable trusted CA. enable
scep-url URL of SCEP server. (Empty)
auto-update-days Days to auto-update before expired, 0=disabled. 0
auto-update-days-warning Days to send update before auto-update (0=disabled). 0
source-ip Source IP for communications to SCEP server. [Link]
[Link]/crl
CLI Syntax
config [Link] crl
edit <name_str>
set name <string>
set crl <user>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
set update-vdom <string>
set ldap-server <string>
set ldap-username <string>
set ldap-password <password>
set http-url <string>
set scep-url <string>
set scep-cert <string>
set update-interval <integer>
set source-ip <ipv4-address>
end
Description
Configuration Description Default Value
name Name. (Empty)
crl Certificate Revocation List. (Empty)
range CRL range. vdom
source CRL source. user
update-vdom Virtual domain for CRL update. root
ldap-server LDAP server. (Empty)
ldap-username Login name for LDAP server. (Empty)
ldap-password Login password for LDAP server. (Empty)
http-url URL of HTTP server for CRL update. (Empty)
scep-url URL of CA server for CRL update via SCEP. (Empty)
scep-cert Local certificate used for CRL update via SCEP. Fortinet_CA_SSL
update-interval Seconds between updates, 0=disabled. 0
source-ip Source IP for communications to CA (HTTP/SCEP) server. [Link]
[Link]/local
CLI Syntax
config [Link] local
edit <name_str>
set name <string>
set password <password>
set comments <string>
set private-key <user>
set certificate <user>
set csr <user>
set state <user>
set scep-url <string>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
set auto-regenerate-days <integer>
set auto-regenerate-days-warning <integer>
set scep-password <password>
set ca-identifier <string>
set name-encoding {printable | utf8}
set source-ip <ipv4-address>
set ike-localid <string>
set ike-localid-type {asn1dn | fqdn}
end
Description
Configuration Description Default Value
name Name. (Empty)
password Password. (Empty)
comments Comment. (Empty)
private-key Private key. (Empty)
certificate Certificate. (Empty)
csr Certificate Signing Request. (Empty)
state Certificate Signing Request State. (Empty)
scep-url URL of SCEP server. (Empty)
range Certificate range. vdom
source Certificate source. user
auto-regenerate-days Days to auto-regenerate before expired, 0=disabled. 0
auto-regenerate-days-warning Days to send warning before auto-regeneration, 0=disabled. 0
scep-password SCEP server challenge password for auto-regeneration. (Empty)
ca-identifier CA identifier of the CA server for signing via SCEP. (Empty)
name-encoding Name encoding for auto-regeneration. printable
source-ip Source IP for communications to SCEP server. [Link]
ike-localid IKE local ID. (Empty)
ike-localid-type IKE local ID type. asn1dn
[Link]/ocsp-server
CLI Syntax
config [Link] ocsp-server
edit <name_str>
set name <string>
set url <string>
set cert <string>
set secondary-url <string>
set secondary-cert <string>
set unavail-action {revoke | ignore}
set source-ip <ipv4-address>
end
Description
Configuration Description Default Value
name OCSP server entry name. (Empty)
url URL to OCSP server. (Empty)
cert OCSP server certificate. (Empty)
secondary-url URL to secondary OCSP server. (Empty)
secondary-cert Secondary OCSP server certificate. (Empty)
unavail-action Action when server is unavailable. revoke
source-ip Source IP for communications to OCSP server. [Link]
[Link]/remote
CLI Syntax
config [Link] remote
edit <name_str>
set name <string>
set remote <user>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
end
Description
Configuration Description Default Value
name Name. (Empty)
remote Remote certificate. (Empty)
range Remote certificate range. vdom
source Remote certificate source. user
[Link]/setting
CLI Syntax
config [Link] setting
edit <name_str>
set ocsp-status {enable | disable}
set ocsp-default-server <string>
set check-ca-cert {enable | disable}
set strict-crl-check {enable | disable}
set strict-ocsp-check {enable | disable}
end
Description
Configuration Description Default Value
ocsp-status OCSP status. disable
ocsp-default-server Default OCSP server. (Empty)
check-ca-cert Enable/disable CA certificate checking. enable
strict-crl-check Enable/disable strict-mode CRL checking. disable
strict-ocsp-check Enable/disable strict-mode OCSP checking. disable
[Link]/concentrator
CLI Syntax
config [Link] concentrator
edit <name_str>
set name <string>
set src-check {disable | enable}
config member
edit <name_str>
set name <string>
end
end
Description
Configuration Description Default Value
name Concentrator name. (Empty)
src-check Enable/disable use of source selector when choosing appropriate tunnel. disable
member Concentrator members. (Empty)
[Link]/forticlient
CLI Syntax
config [Link] forticlient
edit <name_str>
set realm <string>
set usergroupname <string>
set phase2name <string>
set status {enable | disable}
end
Description
Configuration Description Default Value
realm FortiClient realm name. (Empty)
usergroupname User group name. (Empty)
phase2name Tunnel (phase2) name. (Empty)
status Enable/disable realm status. enable
[Link]/manualkey
CLI Syntax
config [Link] manualkey
edit <name_str>
set name <string>
set interface <string>
set remote-gw <ipv4-address>
set local-gw <ipv4-address-any>
set authentication {null | md5 | sha1 | sha256 | sha384 | sha512}
set encryption {null | des | 3des | aes128 | aes192 | aes256 | aria128 | aria192 | aria256 | seed}
set authkey <user>
set enckey <user>
set localspi <user>
set remotespi <user>
set npu-offload {enable | disable}
end
Description
Configuration Description Default Value
name IPsec tunnel name. (Empty)
interface Interface name. (Empty)
remote-gw Peer gateway. [Link]
local-gw Local gateway. [Link]
authentication Authentication algorithm. null
encryption Encryption algorithm. null
authkey Authentication key. -
enckey Encryption key. -
localspi Local SPI. 0x100
remotespi Remote SPI. 0x100
npu-offload Enable/disable NPU offloading. enable
[Link]/manualkey-interface
CLI Syntax
config [Link] manualkey-interface
edit <name_str>
set name <string>
set interface <string>
set ip-version {4 | 6}
set addr-type {4 | 6}
set remote-gw <ipv4-address>
set remote-gw6 <ipv6-address>
set local-gw <ipv4-address-any>
set local-gw6 <ipv6-address>
set auth-alg {null | md5 | sha1 | sha256 | sha384 | sha512}
set enc-alg {null | des | 3des | aes128 | aes192 | aes256 | aria128 | aria192 | aria256 | seed}
set auth-key <user>
set enc-key <user>
set local-spi <user>
set remote-spi <user>
set npu-offload {enable | disable}
end
Description
Configuration Description Default Value
name IPsec tunnel name. (Empty)
interface Interface name. (Empty)
ip-version IP version to use for VPN interface. 4
addr-type IP version to use for IP packets. 4
remote-gw Remote IPv4 address of VPN gateway. [Link]
remote-gw6 Remote IPv6 address of VPN gateway. ::
local-gw Local IPv4 address of VPN gateway. [Link]
local-gw6 Local IPv6 address of VPN gateway. ::
auth-alg Authentication algorithm. null
enc-alg Encryption algorithm. null
auth-key Authentication key. -
enc-key Encryption key. -
local-spi Local SPI. 0x100
remote-spi Remote SPI. 0x100
npu-offload Enable/disable NPU offloading. enable
[Link]/phase1
CLI Syntax
config [Link] phase1
edit <name_str>
set name <string>
set type {static | dynamic | ddns}
set interface <string>
set ike-version {1 | 2}
set remote-gw <ipv4-address>
set local-gw <ipv4-address>
set remotegw-ddns <string>
set keylife <integer>
config certificate
edit <name_str>
set name <string>
end
set authmethod {psk | rsa-signature | signature}
set mode {aggressive | main}
set peertype {any | one | dialup | peer | peergrp}
set peerid <string>
set usrgrp <string>
set peer <string>
set peergrp <string>
set autoconfig {disable | client | gateway}
set mode-cfg {disable | enable}
set assign-ip {disable | enable}
set mode-cfg-ip-version {4 | 6}
set assign-ip-from {range | usrgrp | dhcp}
set ipv4-start-ip <ipv4-address>
set ipv4-end-ip <ipv4-address>
set ipv4-netmask <ipv4-netmask>
set dns-mode {manual | auto}
set ipv4-dns-server1 <ipv4-address>
set ipv4-dns-server2 <ipv4-address>
set ipv4-dns-server3 <ipv4-address>
set ipv4-wins-server1 <ipv4-address>
set ipv4-wins-server2 <ipv4-address>
config ipv4-exclude-range
edit <name_str>
set id <integer>
set start-ip <ipv4-address>
set end-ip <ipv4-address>
end
set ipv4-split-include <string>
set split-include-service <string>
set ipv6-start-ip <ipv6-address>
set ipv6-end-ip <ipv6-address>
set ipv6-prefix <integer>
set ipv6-dns-server1 <ipv6-address>
set ipv6-dns-server2 <ipv6-address>
set ipv6-dns-server3 <ipv6-address>
config ipv6-exclude-range
edit <name_str>
set id <integer>
set start-ip <ipv6-address>
set end-ip <ipv6-address>
end
set ipv6-split-include <string>
set unity-support {disable | enable}
set domain <string>
set banner <var-string>
set include-local-lan {disable | enable}
set save-password {disable | enable}
set client-auto-negotiate {disable | enable}
set client-keep-alive {disable | enable}
config backup-gateway
edit <name_str>
set address <string>
end
set proposal {des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 | 3des-md5 | 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 | aes128-md5 | aes128-sha1 | aes128-sha256 | aes128-sha384 | aes128-sha512 | aes192-md5 | aes192-sha1 | aes192-sha256 | aes192-sha384 | aes192-sha512 | aes256-md5 | aes256-sha1 | aes256-sha256 | aes256-sha384 | aes256-sha512 | aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384 | aria128-sha512 | aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384 | aria192-sha512 | aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512 | seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
set add-route {disable | enable}
set exchange-interface-ip {enable | disable}
set add-gw-route {enable | disable}
set psksecret <password>
set keepalive <integer>
set distance <integer>
set priority <integer>
set localid <string>
set localid-type {auto | fqdn | user-fqdn | keyid | address | asn1dn}
set auto-negotiate {enable | disable}
set negotiate-timeout <integer>
set fragmentation {enable | disable}
set dpd {disable | on-idle | on-demand}
set dpd-retrycount <integer>
set dpd-retryinterval <user>
set forticlient-enforcement {enable | disable}
set comments <var-string>
set npu-offload {enable | disable}
set send-cert-chain {enable | disable}
set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
set suite-b {disable | suite-b-gcm-128 | suite-b-gcm-256}
set eap {enable | disable}
set eap-identity {use-id-payload | send-request}
set acct-verify {enable | disable}
set wizard-type {custom | dialup-forticlient | dialup-ios | dialup-android | dialup-windows | dialup-cisco | static-fortigate | dialup-fortigate | static-cisco | dialup-cisco-fw}
set xauthtype {disable | client | pap | chap | auto}
set reauth {disable | enable}
set authusr <string>
set authpasswd <password>
set authusrgrp <string>
set mesh-selector-type {disable | subnet | host}
set idle-timeout {enable | disable}
set idle-timeoutinterval <integer>
set ha-sync-esp-seqno {enable | disable}
set nattraversal {enable | disable | forced}
set esn {require | allow | disable}
end
Description
Configuration Description Default Value
name IPsec remote gateway name. (Empty)
type Remote gateway type (static, dialup, or DDNS). static
interface Local outgoing interface. (Empty)
ike-version IKE protocol version (IKEv1 or IKEv2). 1
remote-gw Remote VPN gateway. [Link]
local-gw Local VPN gateway. [Link]
remotegw-ddns Domain name of remote gateway (eg. [Link]). (Empty)
keylife Phase1 keylife. 86400
certificate Certificate name for signature. (Empty)
authmethod Authentication method. psk
mode Mode. main
peertype Peer type. any
peerid Peer ID. (Empty)
usrgrp User group. (Empty)
peer Accept this peer certificate. (Empty)
peergrp Accept this peer certificate group. (Empty)
autoconfig Auto-configuration type.
mode-cfg Enable/disable configuration method. disable
assign-ip Enable/disable assignment of IP to IPsec interface via configuration method. enable
mode-cfg-ip-version IP addressing to use for configuration method. 4
assign-ip-from Method by which the IP address will be assigned. range
ipv4-start-ip Start of IPv4 range. [Link]
ipv4-end-ip End of IPv4 range. [Link]
ipv4-netmask IPv4 Netmask. [Link]
dns-mode DNS server mode. manual
ipv4-dns-server1 IPv4 DNS server 1. [Link]
ipv4-dns-server2 IPv4 DNS server 2. [Link]
ipv4-dns-server3 IPv4 DNS server 3. [Link]
ipv4-wins-server1 WINS server 1. [Link]
ipv4-wins-server2 WINS server 2. [Link]
ipv4-exclude-range Configuration Method IPv4 exclude ranges. (Empty)
ipv4-split-include IPv4 split-include subnets. (Empty)
split-include-service Split-include services. (Empty)
ipv6-start-ip Start of IPv6 range. ::
ipv6-end-ip End of IPv6 range. ::
ipv6-prefix IPv6 prefix. 128
ipv6-dns-server1 IPv6 DNS server 1. ::
ipv6-dns-server2 IPv6 DNS server 2. ::
ipv6-dns-server3 IPv6 DNS server 3. ::
ipv6-exclude-range Configuration method IPv6 exclude ranges. (Empty)
ipv6-split-include IPv6 split-include subnets. (Empty)
unity-support Enable/disable support for Cisco UNITY Configuration Method extensions. enable
domain Instruct unity clients about the default DNS domain. (Empty)
banner Message that unity client should display after connecting. (Empty)
include-local-lan Enable/disable allow local LAN access on unity clients. disable
save-password Enable/disable saving XAuth username and password on VPN clients. disable
client-auto-negotiate Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. disable
client-keep-alive Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. disable
backup-gateway Instruct unity clients about the backup gateway address(es). (Empty)
proposal Phase1 proposal. aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
add-route Enable/disable control addition of a route to peer destination selector. disable
exchange-interface-ip Enable/disable exchange of IPsec interface IP address. disable
add-gw-route Enable/disable automatically add a route to the remote gateway. disable
psksecret Pre-shared secret for PSK authentication. (Empty)
keepalive NAT-T keep alive interval. 10
distance Distance for routes added by IKE (1 - 255). 15
priority Priority for routes added by IKE (0 - 4294967295). 0
localid Local ID. (Empty)
localid-type Local ID type. auto
auto-negotiate Enable/disable automatic initiation of IKE SA negotiation. enable
negotiate-timeout IKE SA negotiation timeout in seconds. 30
fragmentation Enable/disable fragment IKE message on retransmission. enable
dpd Dead Peer Detection mode. on-demand
dpd-retrycount Number of DPD retry attempts. 3
dpd-retryinterval DPD retry interval. 20
forticlient-enforcement Enable/disable FortiClient enforcement. disable
comments Comment. (Empty)
npu-offload Enable/disable NPU offloading. enable
send-cert-chain Enable/disable sending certificate chain. enable
dhgrp DH group. 14 5
suite-b Use Suite-B. disable
eap Enable/disable IKEv2 EAP authentication. disable
eap-identity IKEv2 EAP peer identity type. use-id-payload
acct-verify Enable/disable verification of RADIUS accounting record. disable
wizard-type GUI VPN Wizard Type. custom
xauthtype XAuth type. disable
reauth Enable/disable re-authentication upon IKE SA lifetime expiration. disable
authusr XAuth user name. (Empty)
authpasswd XAuth password (max 35 characters). (Empty)
authusrgrp Authentication user group. (Empty)
mesh-selector-type Add selectors containing subsets of the configuration depending on traffic. disable
idle-timeout Enable/disable IPsec tunnel idle timeout. disable
idle-timeoutinterval IPsec tunnel idle timeout in minutes (10 - 43200). 15
ha-sync-esp-seqno Enable/disable sequence number jump ahead for IPsec HA. enable
nattraversal Enable/disable NAT traversal. enable
esn Extended sequence number (ESN) negotiation. disable
[Link]/phase1-interface
CLI Syntax
config [Link] phase1-interface
edit <name_str>
set name <string>
set type {static | dynamic | ddns}
set interface <string>
set ip-version {4 | 6}
set ike-version {1 | 2}
set local-gw <ipv4-address>
set local-gw6 <ipv6-address>
set remote-gw <ipv4-address>
set remote-gw6 <ipv6-address>
set remotegw-ddns <string>
set keylife <integer>
config certificate
edit <name_str>
set name <string>
end
set authmethod {psk | rsa-signature | signature}
set mode {aggressive | main}
set peertype {any | one | dialup | peer | peergrp}
set peerid <string>
set default-gw <ipv4-address>
set default-gw-priority <integer>
set usrgrp <string>
set peer <string>
set peergrp <string>
set monitor <string>
set monitor-hold-down-type {immediate | delay | time}
set monitor-hold-down-delay <integer>
set monitor-hold-down-weekday {everyday | sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set monitor-hold-down-time <user>
set mode-cfg {disable | enable}
set assign-ip {disable | enable}
set mode-cfg-ip-version {4 | 6}
set assign-ip-from {range | usrgrp | dhcp}
set ipv4-start-ip <ipv4-address>
set ipv4-end-ip <ipv4-address>
set ipv4-netmask <ipv4-netmask>
set dns-mode {manual | auto}
set ipv4-dns-server1 <ipv4-address>
set ipv4-dns-server2 <ipv4-address>
set ipv4-dns-server3 <ipv4-address>
set ipv4-wins-server1 <ipv4-address>
set ipv4-wins-server2 <ipv4-address>
config ipv4-exclude-range
edit <name_str>
set id <integer>
set start-ip <ipv4-address>
set end-ip <ipv4-address>
end
set ipv4-split-include <string>
set split-include-service <string>
set ipv6-start-ip <ipv6-address>
set ipv6-end-ip <ipv6-address>
set ipv6-prefix <integer>
set ipv6-dns-server1 <ipv6-address>
set ipv6-dns-server2 <ipv6-address>
set ipv6-dns-server3 <ipv6-address>
config ipv6-exclude-range
edit <name_str>
set id <integer>
set start-ip <ipv6-address>
set end-ip <ipv6-address>
end
set ipv6-split-include <string>
set unity-support {disable | enable}
set domain <string>
set banner <var-string>
set include-local-lan {disable | enable}
set save-password {disable | enable}
set client-auto-negotiate {disable | enable}
set client-keep-alive {disable | enable}
config backup-gateway
edit <name_str>
set address <string>
end
set proposal {des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 | 3des-md5 | 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 | aes128-md5 | aes128-sha1 | aes128-sha256 | aes128-sha384 | aes128-sha512 | aes192-md5 | aes192-sha1 | aes192-sha256 | aes192-sha384 | aes192-sha512 | aes256-md5 | aes256-sha1 | aes256-sha256 | aes256-sha384 | aes256-sha512 | aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384 | aria128-sha512 | aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384 | aria192-sha512 | aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512 | seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
set add-route {disable | enable}
set exchange-interface-ip {enable | disable}
set add-gw-route {enable | disable}
set psksecret <password>
set keepalive <integer>
set distance <integer>
set priority <integer>
set localid <string>
set localid-type {auto | fqdn | user-fqdn | keyid | address | asn1dn}
set auto-negotiate {enable | disable}
set negotiate-timeout <integer>
set fragmentation {enable | disable}
set dpd {disable | on-idle | on-demand}
set dpd-retrycount <integer>
set dpd-retryinterval <user>
set forticlient-enforcement {enable | disable}
set comments <var-string>
set npu-offload {enable | disable}
set send-cert-chain {enable | disable}
set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
set suite-b {disable | suite-b-gcm-128 | suite-b-gcm-256}
set eap {enable | disable}
set eap-identity {use-id-payload | send-request}
set acct-verify {enable | disable}
set wizard-type {custom | dialup-forticlient | dialup-ios | dialup-android | dialup-windows | dialup-cisco | static-fortigate | dialup-fortigate | static-cisco | dialup-cisco-fw}
set xauthtype {disable | client | pap | chap | auto}
set reauth {disable | enable}
set authusr <string>
set authpasswd <password>
set authusrgrp <string>
set mesh-selector-type {disable | subnet | host}
set idle-timeout {enable | disable}
set idle-timeoutinterval <integer>
set ha-sync-esp-seqno {enable | disable}
set auto-discovery-sender {enable | disable}
set auto-discovery-receiver {enable | disable}
set auto-discovery-forwarder {enable | disable}
set auto-discovery-psk {enable | disable}
set encapsulation {none | gre | vxlan}
set encapsulation-address {ike | ipv4 | ipv6}
set encap-local-gw4 <ipv4-address>
set encap-local-gw6 <ipv6-address>
set encap-remote-gw4 <ipv4-address>
set encap-remote-gw6 <ipv6-address>
set nattraversal {enable | disable | forced}
set esn {require | allow | disable}
end
Description
Configuration Description Default Value
name IPsec remote gateway name. (Empty)
type Remote gateway type (static, dialup, or DDNS). static
interface Local outgoing interface. (Empty)
ip-version IP version to use for VPN interface. 4
ike-version IKE protocol version (IKEv1 or IKEv2). 1
local-gw Local IPv4 address of VPN. [Link]
local-gw6 Local IPv6 address of VPN. ::
remote-gw Remote IPv4 address of VPN gateway. [Link]
remote-gw6 Remote IPv6 address of VPN. ::
remotegw-ddns Domain name of remote gateway (eg. [Link]). (Empty)
keylife Phase1 keylife. 86400
certificate Certificate name for signature. (Empty)
authmethod Authentication method. psk
mode Mode. main
peertype Peer type. any
peerid Peer ID. (Empty)
default-gw IPv4 address of default route gateway to use for traffic exiting the interface. [Link]
default-gw-priority Priority for default gateway route. 0
usrgrp User group. (Empty)
peer Accept this peer certificate. (Empty)
peergrp Accept this peer certificate group. (Empty)
CLI Reference for FortiOS 5.4 728
Fortinet Technologies Inc.
monitor IPsec interface to backup. (Empty)
monitor-hold-down-type Control recovery time when primary re- immediate
establishes.
monitor-hold-down- Number of seconds to wait before recovery once 0
delay primary re-establishes.
monitor-hold-down- Day of the week to recover once primary re- sunday
weekday establishes.
monitor-hold-down-time Time of day to recover once primary re- 00:00
establishes.
mode-cfg Enable/disable configuration method. disable
assign-ip Enable/disable assignment of IP to IPsec enable
interface via configuration method.
mode-cfg-ip-version IP addressing to use for configuration method. 4
assign-ip-from Method by which the IP address will be assigned. range
ipv4-start-ip Start of IPv4 range. [Link]
ipv4-end-ip End of IPv4 range. [Link]
ipv4-netmask IPv4 Netmask. [Link]
dns-mode DNS server mode. manual
ipv4-dns-server1 IPv4 DNS server 1. [Link]
ipv4-dns-server2 IPv4 DNS server 2. [Link]
ipv4-dns-server3 IPv4 DNS server 3. [Link]
ipv4-wins-server1 WINS server 1. [Link]
ipv4-wins-server2 WINS server 2. [Link]
ipv4-exclude-range Configuration Method IPv4 exclude ranges. (Empty)
ipv4-split-include IPv4 split-include subnets. (Empty)
split-include-service Split-include services. (Empty)
CLI Reference for FortiOS 5.4 729
Fortinet Technologies Inc.
ipv6-start-ip Start of IPv6 range. ::
ipv6-end-ip End of IPv6 range. ::
ipv6-prefix IPv6 prefix. 128
ipv6-dns-server1 IPv6 DNS server 1. ::
ipv6-dns-server2 IPv6 DNS server 2. ::
ipv6-dns-server3 IPv6 DNS server 3. ::
ipv6-exclude-range Configuration method IPv6 exclude ranges. (Empty)
ipv6-split-include IPv6 split-include subnets. (Empty)
unity-support Enable/disable support for Cisco UNITY enable
Configuration Method extensions.
domain Instruct unity clients about the default DNS (Empty)
domain.
banner Message that unity client should display after (Empty)
connecting.
include-local-lan Enable/disable allow local LAN access on unity disable
clients.
save-password Enable/disable saving XAuth username and disable
password on VPN clients.
client-auto-negotiate Enable/disable allowing the VPN client to bring up disable
the tunnel when there is no traffic.
client-keep-alive Enable/disable allowing the VPN client to keep disable
the tunnel up when there is no traffic.
backup-gateway Instruct unity clients about the backup gateway (Empty)
address(es).
proposal Phase1 proposal. aes128-sha256
aes256-sha256 3des-
sha256 aes128-sha1
aes256-sha1 3des-
sha1
CLI Reference for FortiOS 5.4 730
Fortinet Technologies Inc.
add-route Enable/disable control addition of a route to peer enable
destination selector.
exchange-interface-ip Enable/disable exchange of IPsec interface IP disable
address.
add-gw-route Enable/disable automatically add a route to the disable
remote gateway.
psksecret Pre-shared secret for PSK authentication. (Empty)
keepalive NAT-T keep alive interval. 10
distance Distance for routes added by IKE (1 - 255). 15
priority Priority for routes added by IKE (0 - 0
4294967295).
localid Local ID. (Empty)
localid-type Local ID type. auto
auto-negotiate Enable/disable automatic initiation of IKE SA enable
negotiation.
negotiate-timeout IKE SA negotiation timeout in seconds. 30
fragmentation Enable/disable fragment IKE message on re- enable
transmission.
dpd Dead Peer Detection mode. on-demand
dpd-retrycount Number of DPD retry attempts. 3
dpd-retryinterval DPD retry interval. 20
forticlient-enforcement Enable/disable FortiClient enforcement. disable
comments Comment. (Empty)
npu-offload Enable/disable offloading NPU. enable
send-cert-chain Enable/disable sending certificate chain. enable
dhgrp DH group. 14 5
suite-b Use Suite-B. disable
CLI Reference for FortiOS 5.4 731
Fortinet Technologies Inc.
eap Enable/disable IKEv2 EAP authentication. disable
eap-identity IKEv2 EAP peer identity type. use-id-payload
acct-verify Enable/disable verification of RADIUS accounting disable
record.
wizard-type GUI VPN Wizard Type. custom
xauthtype XAuth type. disable
reauth Enable/disable re-authentication upon IKE SA disable
lifetime expiration.
authusr XAuth user name. (Empty)
authpasswd XAuth password (max 35 characters). (Empty)
authusrgrp Authentication user group. (Empty)
mesh-selector-type Add selectors containing subsets of the disable
configuration depending on traffic.
idle-timeout Enable/disable IPsec tunnel idle timeout. disable
idle-timeoutinterval IPsec tunnel idle timeout in minutes (10 - 43200). 15
ha-sync-esp-seqno Enable/disable sequence number jump ahead for enable
IPsec HA.
auto-discovery-sender Enable/disable sending auto-discovery short-cut disable
messages.
auto-discovery-receiver Enable/disable accepting auto-discovery short-cut disable
messages.
auto-discovery- Enable/disable forwarding auto-discovery short- disable
forwarder cut messages.
auto-discovery-psk Enable/disable use of pre-shared secrets for disable
authentication of auto-discovery tunnels.
encapsulation Enable/disable GRE/VXLAN encapsulation. none
encapsulation-address Source for GRE/VXLAN tunnel address. ike
encap-local-gw4 Local IPv4 address of GRE/VXLAN tunnel. [Link]
CLI Reference for FortiOS 5.4 732
Fortinet Technologies Inc.
encap-local-gw6 Local IPv6 address of GRE/VXLAN tunnel. ::
encap-remote-gw4 Remote IPv4 address of GRE/VXLAN tunnel. [Link]
encap-remote-gw6 Remote IPv6 address of GRE/VXLAN tunnel. ::
nattraversal Enable/disable NAT traversal. enable
esn Extended sequence number (ESN) negotiation. disable
[Link]/phase2
CLI Syntax
config [Link] phase2
edit <name_str>
set name <string>
set phase1name <string>
set dhcp-ipsec {enable | disable}
set use-natip {enable | disable}
set selector-match {exact | subset | auto}
set proposal {null-md5 | null-sha1 | null-sha256 | null-sha384 | null-sha512 | des-null | des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 | 3des-null | 3des-md5 | 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 | aes128-null | aes128-md5 | aes128-sha1 | aes128-sha256 | aes128-sha384 | aes128-sha512 | aes128gcm | aes192-null | aes192-md5 | aes192-sha1 | aes192-sha256 | aes192-sha384 | aes192-sha512 | aes256-null | aes256-md5 | aes256-sha1 | aes256-sha256 | aes256-sha384 | aes256-sha512 | aes256gcm | aria128-null | aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384 | aria128-sha512 | aria192-null | aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384 | aria192-sha512 | aria256-null | aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512 | seed-null | seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
set pfs {enable | disable}
set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
set replay {enable | disable}
set keepalive {enable | disable}
set auto-negotiate {enable | disable}
set add-route {phase1 | enable | disable}
set keylifeseconds <integer>
set keylifekbs <integer>
set keylife-type {seconds | kbs | both}
set single-source {enable | disable}
set route-overlap {use-old | use-new | allow}
set encapsulation {tunnel-mode | transport-mode}
set l2tp {enable | disable}
set comments <var-string>
set protocol <integer>
set src-name <string>
set src-name6 <string>
set src-addr-type {subnet | range | ip | name}
set src-start-ip <ipv4-address-any>
set src-start-ip6 <ipv6-address>
set src-end-ip <ipv4-address-any>
set src-end-ip6 <ipv6-address>
set src-subnet <ipv4-classnet-any>
set src-subnet6 <ipv6-prefix>
set src-port <integer>
set dst-name <string>
set dst-name6 <string>
set dst-addr-type {subnet | range | ip | name}
set dst-start-ip <ipv4-address-any>
set dst-start-ip6 <ipv6-address>
set dst-end-ip <ipv4-address-any>
set dst-end-ip6 <ipv6-address>
set dst-subnet <ipv4-classnet-any>
set dst-subnet6 <ipv6-prefix>
set dst-port <integer>
end
Description
Configuration Description Default Value
name IPsec tunnel name. (Empty)
phase1name IKE phase1 name. (Empty)
dhcp-ipsec Enable/disable DHCP-IPsec. disable
use-natip Enable/disable source NAT selector fix-up. enable
selector-match Match type to use when comparing selectors. auto
proposal Phase2 proposal. aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
pfs Enable/disable PFS feature. enable
dhgrp Phase2 DH group. 14 5
replay Enable/disable replay detection. enable
keepalive Enable/disable keep alive. disable
auto-negotiate Enable/disable IPsec SA auto-negotiation. disable
add-route Enable/disable automatic route addition. phase1
keylifeseconds Phase2 keylife in time. 43200
keylifekbs Phase2 keylife in traffic (kbps). 5120
keylife-type Keylife type. seconds
single-source Enable/disable single source IP restriction. disable
route-overlap Action for overlapping routes. use-new
encapsulation ESP encapsulation mode. tunnel-mode
l2tp Enable/disable L2TP over IPsec. disable
comments Comment. (Empty)
protocol Quick mode protocol selector (1 - 255 or 0 for all). 0
src-name Local proxy ID name. (Empty)
src-name6 Local proxy ID name. (Empty)
src-addr-type Local proxy ID type. subnet
src-start-ip Local proxy ID start. [Link]
src-start-ip6 Local proxy ID IPv6 start. ::
src-end-ip Local proxy ID end. [Link]
src-end-ip6 Local proxy ID IPv6 end. ::
src-subnet Local proxy ID subnet. [Link] [Link]
src-subnet6 Local proxy ID IPv6 subnet. ::/0
src-port Quick mode source port (1 - 65535 or 0 for all). 0
dst-name Remote proxy ID name. (Empty)
dst-name6 Remote proxy ID name. (Empty)
dst-addr-type Remote proxy ID type. subnet
dst-start-ip Remote proxy ID IPv4 start. [Link]
dst-start-ip6 Remote proxy ID IPv6 start. ::
dst-end-ip Remote proxy ID IPv4 end. [Link]
dst-end-ip6 Remote proxy ID IPv6 end. ::
dst-subnet Remote proxy ID IPv4 subnet. [Link] [Link]
dst-subnet6 Remote proxy ID IPv6 subnet. ::/0
dst-port Quick mode destination port (1 - 65535 or 0 for all). 0
[Link]/phase2-interface
CLI Syntax
config [Link] phase2-interface
edit <name_str>
set name <string>
set phase1name <string>
set dhcp-ipsec {enable | disable}
set proposal {null-md5 | null-sha1 | null-sha256 | null-sha384 | null-sha512 | des-null | des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 | 3des-null | 3des-md5 | 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 | aes128-null | aes128-md5 | aes128-sha1 | aes128-sha256 | aes128-sha384 | aes128-sha512 | aes128gcm | aes192-null | aes192-md5 | aes192-sha1 | aes192-sha256 | aes192-sha384 | aes192-sha512 | aes256-null | aes256-md5 | aes256-sha1 | aes256-sha256 | aes256-sha384 | aes256-sha512 | aes256gcm | aria128-null | aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384 | aria128-sha512 | aria192-null | aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384 | aria192-sha512 | aria256-null | aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512 | seed-null | seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
set pfs {enable | disable}
set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
set replay {enable | disable}
set keepalive {enable | disable}
set auto-negotiate {enable | disable}
set add-route {phase1 | enable | disable}
set auto-discovery-sender {phase1 | enable | disable}
set auto-discovery-forwarder {phase1 | enable | disable}
set keylifeseconds <integer>
set keylifekbs <integer>
set keylife-type {seconds | kbs | both}
set single-source {enable | disable}
set route-overlap {use-old | use-new | allow}
set encapsulation {tunnel-mode | transport-mode}
set l2tp {enable | disable}
set comments <var-string>
set protocol <integer>
set src-name <string>
set src-name6 <string>
set src-addr-type {subnet | range | ip | name | subnet6 | range6 | ip6 | name6}
set src-start-ip <ipv4-address-any>
set src-start-ip6 <ipv6-address>
set src-end-ip <ipv4-address-any>
set src-end-ip6 <ipv6-address>
set src-subnet <ipv4-classnet-any>
set src-subnet6 <ipv6-prefix>
set src-port <integer>
set dst-name <string>
set dst-name6 <string>
set dst-addr-type {subnet | range | ip | name | subnet6 | range6 | ip6 | name6}
set dst-start-ip <ipv4-address-any>
set dst-start-ip6 <ipv6-address>
set dst-end-ip <ipv4-address-any>
set dst-end-ip6 <ipv6-address>
set dst-subnet <ipv4-classnet-any>
set dst-subnet6 <ipv6-prefix>
set dst-port <integer>
end
Description
Configuration Description Default Value
name IPsec tunnel name. (Empty)
phase1name IKE phase1 name. (Empty)
dhcp-ipsec Enable/disable DHCP-IPsec. disable
proposal Phase2 proposal. aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
pfs Enable/disable PFS feature. enable
dhgrp Phase2 DH group. 14 5
replay Enable/disable replay detection. enable
keepalive Enable/disable keep alive. disable
auto-negotiate Enable/disable IPsec SA auto-negotiation. disable
add-route Enable/disable automatic route addition. phase1
auto-discovery-sender Enable/disable sending short-cut messages. phase1
auto-discovery-forwarder Enable/disable forwarding short-cut messages. phase1
keylifeseconds Phase2 keylife in time. 43200
keylifekbs Phase2 keylife in traffic (kbps). 5120
keylife-type Keylife type. seconds
single-source Enable/disable single source IP restriction. disable
route-overlap Action for overlapping routes. use-new
encapsulation ESP encapsulation mode. tunnel-mode
l2tp Enable/disable L2TP over IPsec. disable
comments Comment. (Empty)
protocol Quick mode protocol selector (1 - 255 or 0 for all). 0
src-name Local proxy ID name. (Empty)
src-name6 Local proxy ID name. (Empty)
src-addr-type Local proxy ID type. subnet
src-start-ip Local proxy ID start. [Link]
src-start-ip6 Local proxy ID IPv6 start. ::
src-end-ip Local proxy ID end. [Link]
src-end-ip6 Local proxy ID IPv6 end. ::
src-subnet Local proxy ID subnet. [Link] [Link]
src-subnet6 Local proxy ID IPv6 subnet. ::/0
src-port Quick mode source port (1 - 65535 or 0 for all). 0
dst-name Remote proxy ID name. (Empty)
dst-name6 Remote proxy ID name. (Empty)
dst-addr-type Remote proxy ID type. subnet
dst-start-ip Remote proxy ID IPv4 start. [Link]
dst-start-ip6 Remote proxy ID IPv6 start. ::
dst-end-ip Remote proxy ID IPv4 end. [Link]
dst-end-ip6 Remote proxy ID IPv6 end. ::
dst-subnet Remote proxy ID IPv4 subnet. [Link] [Link]
dst-subnet6 Remote proxy ID IPv6 subnet. ::/0
dst-port Quick mode destination port (1 - 65535 or 0 for all). 0
[Link]/host-check-software
CLI Syntax
config [Link] host-check-software
edit <name_str>
set name <string>
set type {av | fw}
set version <string>
set guid <user>
config check-item-list
edit <name_str>
set id <integer>
set action {require | deny}
set type {file | registry | process}
set target <string>
set version <string>
config md5s
edit <name_str>
set id <string>
end
end
end
Description
Configuration Description Default Value
name Name. (Empty)
type Type. av
version Version. (Empty)
guid Globally unique ID. "00000000-0000-0000-0000-000000000000"
check-item-list Check item list. (Empty)
[Link]/portal
CLI Syntax
config [Link] portal
edit <name_str>
set name <string>
set tunnel-mode {enable | disable}
set ip-mode {range | user-group}
set auto-connect {enable | disable}
set keep-alive {enable | disable}
set save-password {enable | disable}
config ip-pools
edit <name_str>
set name <string>
end
set exclusive-routing {enable | disable}
set service-restriction {enable | disable}
set split-tunneling {enable | disable}
config split-tunneling-routing-address
edit <name_str>
set name <string>
end
set dns-server1 <ipv4-address>
set dns-server2 <ipv4-address>
set wins-server1 <ipv4-address>
set wins-server2 <ipv4-address>
set ipv6-tunnel-mode {enable | disable}
config ipv6-pools
edit <name_str>
set name <string>
end
set ipv6-exclusive-routing {enable | disable}
set ipv6-service-restriction {enable | disable}
set ipv6-split-tunneling {enable | disable}
config ipv6-split-tunneling-routing-address
edit <name_str>
set name <string>
end
set ipv6-dns-server1 <ipv6-address>
set ipv6-dns-server2 <ipv6-address>
set ipv6-wins-server1 <ipv6-address>
set ipv6-wins-server2 <ipv6-address>
set web-mode {enable | disable}
set display-bookmark {enable | disable}
set user-bookmark {enable | disable}
set user-group-bookmark {enable | disable}
config bookmark-group
edit <name_str>
set name <string>
config bookmarks
edit <name_str>
set name <string>
set apptype {citrix | ftp | portforward | rdp | rdpnative | smb | ssh | telnet | vnc | web}
set url <var-string>
set host <var-string>
set folder <var-string>
set additional-params <var-string>
set listening-port <integer>
set remote-port <integer>
set show-status-window {enable | disable}
set description <var-string>
set server-layout {en-us-qwerty | de-de-qwertz | fr-fr-azerty | it-it-qwerty | sv-se-qwerty | failsafe}
set port <integer>
set logon-user <var-string>
set logon-password <password>
set sso {disable | static | auto}
config form-data
edit <name_str>
set name <string>
set value <var-string>
end
set sso-credential {sslvpn-login | alternative}
set sso-username <var-string>
set sso-password <password>
end
end
set display-connection-tools {enable | disable}
set display-history {enable | disable}
set display-status {enable | disable}
set heading <string>
set redir-url <var-string>
set theme {blue | green | red | melongene}
set custom-lang <string>
set host-check {none | av | fw | av-fw | custom}
set host-check-interval <integer>
config host-check-policy
edit <name_str>
set name <string>
end
set limit-user-logins {enable | disable}
set mac-addr-check {enable | disable}
set mac-addr-action {allow | deny}
config mac-addr-check-rule
edit <name_str>
set name <string>
set mac-addr-mask <integer>
config mac-addr-list
edit <name_str>
set addr <mac-address>
end
end
end
set os-check {enable | disable}
config os-check-list
edit <name_str>
set name <string>
set action {deny | allow | check-up-to-date}
set tolerance <integer>
set latest-patch-level <user>
end
set virtual-desktop {enable | disable}
set virtual-desktop-app-list <string>
set virtual-desktop-clipboard-share {enable | disable}
set virtual-desktop-desktop-switch {enable | disable}
set virtual-desktop-logout-when-browser-close {enable | disable}
set virtual-desktop-network-share-access {enable | disable}
set virtual-desktop-printing {enable | disable}
set virtual-desktop-removable-media-access {enable | disable}
set skip-check-for-unsupported-os {enable | disable}
set skip-check-for-unsupported-browser {enable | disable}
end
Description
Configuration Description Default Value
name Portal name. (Empty)
tunnel-mode Enable/disable SSL VPN tunnel mode. disable
ip-mode IP mode is range or by user group. range
auto-connect Enable/disable automatic connect by client when system is up. disable
keep-alive Enable/disable automatic re-connect by client. disable
save-password Enable/disable save of user password by client. disable
ip-pools Tunnel IP pools. (Empty)
exclusive-routing Enable/disable all traffic go through tunnel only. disable
service-restriction Enable/disable tunnel service restriction. disable
split-tunneling Enable/disable split tunneling. enable
split-tunneling-routing-address Split tunnelling address range for client routing. (Empty)
dns-server1 DNS server 1. [Link]
dns-server2 DNS server 2. [Link]
wins-server1 WINS server 1. [Link]
wins-server2 WINS server 2. [Link]
ipv6-tunnel-mode Enable/disable SSL VPN IPV6 tunnel mode. disable
ipv6-pools Tunnel IP pools. (Empty)
ipv6-exclusive-routing Enable/disable all IPv6 traffic go through tunnel only. disable
ipv6-service-restriction Enable/disable IPv6 tunnel service restriction. disable
ipv6-split-tunneling Enable/disable IPv6 split tunneling. enable
ipv6-split-tunneling-routing-address IPv6 split tunnelling address range for client routing. (Empty)
ipv6-dns-server1 IPv6 DNS server 1. ::
ipv6-dns-server2 IPv6 DNS server 2. ::
ipv6-wins-server1 IPv6 WINS server 1. ::
ipv6-wins-server2 IPv6 WINS server 2. ::
web-mode Enable/disable SSL VPN web mode. disable
display-bookmark Enable/disable displaying of bookmark widget. enable
user-bookmark Enable/disable user defined bookmark. enable
user-group-bookmark Enable/disable user group defined bookmark. enable
bookmark-group Portal bookmark group. (Empty)
display-connection-tools Enable/disable displaying of connection tools widget. enable
display-history Enable/disable displaying of user login history widget. enable
display-status Enable/disable display of status widget. enable
heading Portal heading message. SSL-VPN Portal
redir-url Client login redirect URL. (Empty)
theme Color scheme for the portal. blue
custom-lang Custom portal language. (Empty)
host-check Configure host check settings. none
host-check-interval Periodic host check interval. 0
host-check-policy Host check policy. (Empty)
limit-user-logins Enable/disable allow users to have only one active SSL VPN connection at a time. disable
mac-addr-check Client MAC address check. disable
mac-addr-action Client MAC address action. allow
mac-addr-check-rule Client MAC address check rule. (Empty)
os-check Enable/disable SSL VPN OS check. disable
os-check-list SSL VPN OS checks. (Empty)
virtual-desktop Enable/disable SSL VPN virtual desktop. disable
virtual-desktop-app-list Virtual desktop application list. (Empty)
virtual-desktop-clipboard-share Enable/disable sharing of clipboard in virtual desktop. disable
virtual-desktop-desktop-switch Enable/disable switch to virtual desktop. enable
virtual-desktop-logout-when-browser-close Enable/disable logout when browser is closed in virtual desktop. disable
virtual-desktop-network-share-access Enable/disable network share access in virtual desktop. disable
virtual-desktop-printing Enable/disable printing in virtual desktop. disable
virtual-desktop-removable-media-access Enable/disable access to removable media in virtual desktop. disable
skip-check-for-unsupported-os Skip check for unsupported OS. enable
skip-check-for-unsupported-browser Skip check for unsupported browsers. enable
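The portal's mac-addr-check, mac-addr-action and mac-addr-check-rule settings (a mac-addr-mask plus a mac-addr-list) describe a client MAC address filter. The Python below is an added example, not Fortinet's code, that models such a check so the effect of the mask is visible; it assumes that mac-addr-mask is a prefix length in bits applied to both the listed address and the client's address before comparison, and that mac-addr-action names the outcome for clients whose address matches a rule (allow: matching clients are admitted and all others denied; deny: the reverse). The class and function names and the sample addresses are this example's own. Because the address is reported by the client software, a MAC check is a hygiene control layered on top of user authentication, not an authentication factor in itself.

```python
"""Model of an SSL VPN portal client MAC address check.

Added example (not FortiOS code). Assumes mac-addr-mask is a prefix length in
bits (1-48) and mac-addr-action decides what happens to a matching client.
"""
from dataclasses import dataclass, field
from typing import List


def mac_to_int(mac: str) -> int:
    """Convert 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' to a 48-bit integer."""
    hexstr = mac.replace(":", "").replace("-", "").lower()
    if len(hexstr) != 12 or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(hexstr, 16)


def prefix_mask(bits: int) -> int:
    """Bit mask selecting the top `bits` bits of a 48-bit MAC address."""
    if not 1 <= bits <= 48:
        raise ValueError("mac-addr-mask must be between 1 and 48 bits")
    return ((1 << bits) - 1) << (48 - bits)


@dataclass
class MacRule:
    """One mac-addr-check-rule entry: a mask length and its mac-addr-list."""
    name: str
    mask_bits: int
    addrs: List[str] = field(default_factory=list)

    def matches(self, client_mac: str) -> bool:
        m = prefix_mask(self.mask_bits)
        client = mac_to_int(client_mac) & m
        return any(mac_to_int(a) & m == client for a in self.addrs)


@dataclass
class PortalMacPolicy:
    """mac-addr-check, mac-addr-action and the rule list of one portal."""
    check_enabled: bool
    action: str            # 'allow' or 'deny' for clients that match a rule
    rules: List[MacRule]

    def decide(self, client_mac: str) -> str:
        """Return 'allow' or 'deny' for the client-reported MAC address."""
        if not self.check_enabled:
            return "allow"
        matched = any(rule.matches(client_mac) for rule in self.rules)
        if self.action == "allow":
            return "allow" if matched else "deny"
        return "deny" if matched else "allow"


# Constructed sample: admit only hardware from one OUI (first 24 bits).
CORP_LAPTOPS = MacRule("corp-laptops", mask_bits=24, addrs=["00:11:22:00:00:00"])
ALLOW_LISTED_POLICY = PortalMacPolicy(True, "allow", [CORP_LAPTOPS])

if __name__ == "__main__":
    for mac in ("00:11:22:ab:cd:ef", "00:11:23:ab:cd:ef"):
        print(mac, "->", ALLOW_LISTED_POLICY.decide(mac))
```

A 24-bit mask turns a single list entry into an OUI match, which is convenient but coarse; a 48-bit mask pins one device. Whatever the mask, log the decision together with the authenticated user so that a denied or unexpected MAC can be correlated during incident review.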
[Link]/realm
CLI Syntax
config [Link] realm
edit <name_str>
set url-path <string>
set max-concurrent-user <integer>
set login-page <var-string>
set virtual-host <var-string>
end
Description
Configuration Description Default Value
url-path URL path to access SSL-VPN login page. (Empty)
max-concurrent-user Maximum concurrent users (0 - 65535, 0 for unlimited). 0
login-page Replacement HTML for SSL-VPN login page. (Empty)
virtual-host Virtual host name for realm. (Empty)
[Link]/user-bookmark
CLI Syntax
config [Link] user-bookmark
edit <name_str>
set name <string>
set custom-lang <string>
config bookmarks
edit <name_str>
set name <string>
set apptype {citrix | ftp | portforward | rdp | rdpnative | smb | ssh | telnet | vnc | web}
set url <var-string>
set host <var-string>
set folder <var-string>
set additional-params <var-string>
set listening-port <integer>
set remote-port <integer>
set show-status-window {enable | disable}
set description <var-string>
set server-layout {en-us-qwerty | de-de-qwertz | fr-fr-azerty | it-it-qwerty | sv-se-qwerty | failsafe}
set port <integer>
set logon-user <var-string>
set logon-password <password>
set sso {disable | static | auto}
config form-data
edit <name_str>
set name <string>
set value <var-string>
end
set sso-credential {sslvpn-login | alternative}
set sso-username <var-string>
set sso-password <password>
end
end
Description
Configuration Description Default Value
name User and group name. (Empty)
custom-lang Personal language. (Empty)
bookmarks Bookmark table. (Empty)
[Link]/virtual-desktop-app-list
CLI Syntax
config [Link] virtual-desktop-app-list
edit <name_str>
set name <string>
set action {allow | block}
config apps
edit <name_str>
set name <string>
config md5s
edit <name_str>
set id <string>
end
end
end
Description
Configuration Description Default Value
name Application list name. (Empty)
action Action. allow
apps Applications. (Empty)
[Link]/settings
CLI Syntax
config [Link] settings
edit <name_str>
set reqclientcert {enable | disable}
set sslv2 {enable | disable}
set sslv3 {enable | disable}
set tlsv1-0 {enable | disable}
set tlsv1-1 {enable | disable}
set tlsv1-2 {enable | disable}
set ssl-big-buffer {enable | disable}
set ssl-insert-empty-fragment {enable | disable}
set https-redirect {enable | disable}
set ssl-client-renegotiation {disable | enable}
set force-two-factor-auth {enable | disable}
set unsafe-legacy-renegotiation {enable | disable}
set servercert <string>
set algorithm {default | high | low}
set idle-timeout <integer>
set auth-timeout <integer>
config tunnel-ip-pools
edit <name_str>
set name <string>
end
config tunnel-ipv6-pools
edit <name_str>
set name <string>
end
set dns-suffix <var-string>
set dns-server1 <ipv4-address>
set dns-server2 <ipv4-address>
set wins-server1 <ipv4-address>
set wins-server2 <ipv4-address>
set ipv6-dns-server1 <ipv6-address>
set ipv6-dns-server2 <ipv6-address>
set ipv6-wins-server1 <ipv6-address>
set ipv6-wins-server2 <ipv6-address>
set route-source-interface {enable | disable}
set url-obscuration {enable | disable}
set http-compression {enable | disable}
set http-only-cookie {enable | disable}
set deflate-compression-level <integer>
set deflate-min-data-size <integer>
set port <integer>
set port-precedence {enable | disable}
set auto-tunnel-static-route {enable | disable}
set header-x-forwarded-for {pass | add | remove}
config source-interface
edit <name_str>
set name <string>
end
config source-address
edit <name_str>
set name <string>
end
set source-address-negate {enable | disable}
config source-address6
edit <name_str>
set name <string>
end
set source-address6-negate {enable | disable}
set default-portal <string>
config authentication-rule
edit <name_str>
set id <integer>
config source-interface
edit <name_str>
set name <string>
end
config source-address
edit <name_str>
set name <string>
end
set source-address-negate {enable | disable}
config source-address6
edit <name_str>
set name <string>
end
set source-address6-negate {enable | disable}
config users
edit <name_str>
set name <string>
end
config groups
edit <name_str>
set name <string>
end
set portal <string>
set realm <string>
set client-cert {enable | disable}
set cipher {any | high | medium}
set auth {any | local | radius | tacacs+ | ldap}
end
set dtls-tunnel {enable | disable}
set check-referer {enable | disable}
end
Description
Configuration Description Default Value
reqclientcert Enable/disable require client certificate. disable
sslv2 Enable/disable SSLv2. disable
sslv3 Enable/disable SSLv3. disable
tlsv1-0 Enable/disable TLSv1.0. disable
tlsv1-1 Enable/disable TLSv1.1. enable
tlsv1-2 Enable/disable TLSv1.2. enable
ssl-big-buffer Enable/disable big SSLv3 buffer. disable
ssl-insert-empty-fragment Enable/disable insertion of empty fragment. enable
https-redirect Enable/disable redirect of port 80 to SSL-VPN port. disable
ssl-client-renegotiation Allow/block client renegotiation by server. disable
force-two-factor-auth Enable/disable force two-factor authentication. disable
unsafe-legacy-renegotiation Enable/disable unsafe legacy re-negotiation. disable
servercert Server certificate. Fortinet_Factory
algorithm Allow algorithms. high
idle-timeout SSL VPN disconnects if idle for specified time. 300
auth-timeout Forced re-authentication after timeout. 28800
tunnel-ip-pools Tunnel IP pools. (Empty)
tunnel-ipv6-pools Tunnel IPv6 pools. (Empty)
dns-suffix DNS suffix. (Empty)
dns-server1 DNS server 1. [Link]
dns-server2 DNS server 2. [Link]
wins-server1 WINS server 1. [Link]
wins-server2 WINS server 2. [Link]
ipv6-dns-server1 IPv6 DNS server 1. ::
ipv6-dns-server2 IPv6 DNS server 2. ::
ipv6-wins-server1 IPv6 WINS server 1. ::
ipv6-wins-server2 IPv6 WINS server 2. ::
route-source-interface Enable/disable bind client side outgoing interface. disable
url-obscuration Enable/disable URL obscuration. disable
http-compression Enable/disable support HTTP compression. disable
http-only-cookie Enable/disable support HTTP only cookie. enable
deflate-compression-level Compression level (0~9). 6
deflate-min-data-size Minimum size to start compression (200 - 65535). 300
port SSL VPN access HTTPS port (1 - 65535). 10443
port-precedence Enable/disable SSLVPN port precedence over admin GUI HTTPS port. enable
auto-tunnel-static-route Enable/disable auto create static route for tunnel IP addresses. enable
header-x-forwarded-for Action for the HTTP x-forwarded-for header in forwarded requests. add
source-interface SSL VPN source interface of incoming traffic. (Empty)
source-address Source address of incoming traffic. (Empty)
source-address-negate Enable/disable negated source address match. disable
source-address6 IPv6 source address of incoming traffic. (Empty)
source-address6-negate Enable/disable negated source IPv6 address match. disable
default-portal Default SSL VPN portal. (Empty)
authentication-rule Authentication rule for SSL VPN. (Empty)
dtls-tunnel Enable/disable DTLS tunnel. enable
check-referer Enable/disable verification of referer field in HTTP request header. disable
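The phase1-interface and phase2 tables earlier in this section list the proposal and dhgrp values a tunnel can negotiate, and the table above lists the SSL VPN protocol switches (sslv2, sslv3, tlsv1-0, ssl-client-renegotiation, unsafe-legacy-renegotiation, algorithm). The Python below is an added example, not Fortinet's code or tooling: it parses a constructed configuration export written in the config/edit/set/next/end form that the CLI syntax blocks follow (`next`, which closes an `edit` entry, is standard FortiOS syntax not shown in the syntax listings here) and reports settings that fall below a chosen baseline. The full command paths `vpn ipsec phase1-interface`, `vpn ipsec phase2-interface` and `vpn ssl settings`, the sample values, and the weakness rules (DES/3DES, MD5 and the null algorithms flagged, SHA-1 left alone, DH groups 1, 2 and 5 flagged) are this example's own assumptions; adjust them to your policy. Run over the phase1 default proposal list printed in the reference table, the same rule flags the two 3des entries, which is a useful reminder that the shipped default is not a hardened choice.

```python
"""Audit a FortiOS config export for weak IPsec and SSL VPN settings.

Added example (not FortiOS code). The parser covers only the
config/edit/set/next/end nesting used by the CLI syntax blocks; the weakness
rules below are this example's own baseline, not a Fortinet recommendation.
"""
import re
from typing import Dict, List

Entry = Dict[str, List[str]]
Tables = Dict[str, Dict[str, Entry]]

# Constructed sample export (not from a real device); addresses are placeholders.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "branch-office"
        set interface "wan1"
        set proposal aes128-sha256 3des-sha1
        set dhgrp 14 5
        set remote-gw 192.0.2.10
    next
end
config vpn ipsec phase2-interface
    edit "branch-office-p2"
        set phase1name "branch-office"
        set proposal aes256-sha256 des-md5
        set pfs enable
        set dhgrp 2
    next
end
config vpn ssl settings
    set sslv3 enable
    set tlsv1-0 enable
    set tlsv1-2 enable
    set unsafe-legacy-renegotiation enable
    set algorithm low
end
"""

# Phase1 default proposal list as printed in the reference table.
PAGE_PHASE1_DEFAULT = ["aes128-sha256", "aes256-sha256", "3des-sha256",
                       "aes128-sha1", "aes256-sha1", "3des-sha1"]

# DES/3DES, MD5 and the null cipher/integrity options; SHA-1 is not flagged here.
WEAK_ALGO = re.compile(r"(^|-)(des|3des|null|md5)(-|$)")
WEAK_DH = {"1", "2", "5"}        # 768/1024/1536-bit MODP groups
IPSEC_TABLES = ("vpn ipsec phase1", "vpn ipsec phase1-interface",
                "vpn ipsec phase2", "vpn ipsec phase2-interface")
# (key, value that constitutes a finding, message) for 'config vpn ssl settings'
SSL_RULES = [
    ("sslv2", "enable", "SSLv2 enabled"),
    ("sslv3", "enable", "SSLv3 enabled"),
    ("tlsv1-0", "enable", "TLSv1.0 enabled"),
    ("tlsv1-2", "disable", "TLSv1.2 disabled"),
    ("ssl-client-renegotiation", "enable", "client-initiated renegotiation allowed"),
    ("unsafe-legacy-renegotiation", "enable", "unsafe legacy renegotiation enabled"),
    ("algorithm", "low", "low-strength cipher set allowed"),
]


def parse_fortios(text: str) -> Tables:
    """Parse config/edit/set/next/end text into {table: {entry: {key: values}}}.

    Tables without 'edit' entries (e.g. vpn ssl settings) use the entry name "".
    Nested tables are keyed by their own 'config' path, which suffices here.
    """
    tables: Tables = {}
    table_stack: List[str] = []   # names of the open 'config' blocks
    entry_stack: List[str] = []   # current 'edit' name at each nesting level
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        kw = tokens[0]
        if kw == "config":
            table_stack.append(" ".join(tokens[1:]))
            entry_stack.append("")
            tables.setdefault("/".join(table_stack), {})
        elif kw == "edit":
            entry_stack[-1] = tokens[1]
        elif kw == "set":
            entry = tables["/".join(table_stack)].setdefault(entry_stack[-1], {})
            entry[tokens[1]] = tokens[2:]
        elif kw == "next":
            entry_stack[-1] = ""
        elif kw == "end":
            table_stack.pop()
            entry_stack.pop()
    return tables


def weak_proposals(proposals: List[str]) -> List[str]:
    """Return the proposal entries that use DES, 3DES, MD5 or a null algorithm."""
    return [p for p in proposals if WEAK_ALGO.search(p)]


def audit_ipsec(tables: Tables) -> List[str]:
    """Findings for weak proposals, weak DH groups and phase2 PFS disabled."""
    findings = []
    for table in IPSEC_TABLES:
        for name, entry in tables.get(table, {}).items():
            for prop in weak_proposals(entry.get("proposal", [])):
                findings.append(f"{table} '{name}': weak proposal {prop}")
            for grp in entry.get("dhgrp", []):
                if grp in WEAK_DH:
                    findings.append(f"{table} '{name}': weak DH group {grp}")
            if table.startswith("vpn ipsec phase2") and entry.get("pfs") == ["disable"]:
                findings.append(f"{table} '{name}': PFS disabled")
    return findings


def audit_ssl_settings(tables: Tables) -> List[str]:
    """Findings for legacy protocol and renegotiation switches left enabled."""
    findings = []
    for entry in tables.get("vpn ssl settings", {}).values():
        for key, bad, msg in SSL_RULES:
            if (entry.get(key) or [""])[0] == bad:
                findings.append(f"vpn ssl settings: {msg} ({key} {bad})")
    return findings


if __name__ == "__main__":
    parsed = parse_fortios(SAMPLE_CONFIG)
    for finding in audit_ipsec(parsed) + audit_ssl_settings(parsed):
        print(finding)
```

Keys absent from an export take the defaults printed in the tables, so the audit treats an unset switch as its default; that is correct for the keys checked here because their defaults are the safe value (sslv3, tlsv1-0 and unsafe-legacy-renegotiation default to disable, tlsv1-2 to enable), but it means a key whose default is the weak value would need an explicit "missing key" rule.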
vpn/l2tp
CLI Syntax
config vpn l2tp
edit <name_str>
set eip <ipv4-address>
set sip <ipv4-address>
set status {enable | disable}
set usrgrp <string>
end
Description
Configuration Description Default Value
eip End IP. [Link]
sip Start IP. [Link]
status Enable/disable FortiGate as a L2TP gateway. disable
usrgrp User group. (Empty)
vpn/pptp
CLI Syntax
config vpn pptp
edit <name_str>
set status {enable | disable}
set ip-mode {range | usrgrp}
set eip <ipv4-address>
set sip <ipv4-address>
set local-ip <ipv4-address>
set usrgrp <string>
end
Description
Configuration Description Default Value
status Enable/disable FortiGate as a PPTP gateway. disable
ip-mode IP assignment mode for PPTP client. range
eip End IP. [Link]
sip Start IP. [Link]
local-ip Local IP to be used for peer's remote IP. [Link]
usrgrp User group. (Empty)
waf/main-class
CLI Syntax
config waf main-class
edit <name_str>
set name <string>
set id <integer>
end
Description
Configuration Description Default Value
name Main signature class name. (Empty)
id Main signature class ID. 0
waf/profile
CLI Syntax
config waf profile
edit <name_str>
set name <string>
set external {disable | enable}
config signature
edit <name_str>
config main-class
edit <name_str>
set id <integer>
set status {enable | disable}
set action {allow | block | erase}
set log {enable | disable}
set severity {high | medium | low}
end
config disabled-sub-class
edit <name_str>
set id <integer>
end
config disabled-signature
edit <name_str>
set id <integer>
end
set credit-card-detection-threshold <integer>
config custom-signature
edit <name_str>
set name <string>
set status {enable | disable}
set action {allow | block | erase}
set log {enable | disable}
set severity {high | medium | low}
set direction {request | response}
set case-sensitivity {disable | enable}
set pattern <string>
set target {arg | arg-name | req-body | req-cookie | req-cookie-name | req-filename | req-header | req-header-name | req-raw-uri | req-uri | resp-body | resp-hdr | resp-status}
end
end
config constraint
edit <name_str>
config header-length
edit <name_str>
set status {enable | disable}
set length <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config content-length
edit <name_str>
set status {enable | disable}
set length <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config param-length
edit <name_str>
set status {enable | disable}
set length <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config line-length
edit <name_str>
set status {enable | disable}
set length <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config url-param-length
edit <name_str>
set status {enable | disable}
set length <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config version
edit <name_str>
set status {enable | disable}
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config method
edit <name_str>
set status {enable | disable}
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config hostname
edit <name_str>
set status {enable | disable}
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config malformed
edit <name_str>
set status {enable | disable}
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config max-cookie
edit <name_str>
set status {enable | disable}
set max-cookie <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config max-header-line
edit <name_str>
set status {enable | disable}
set max-header-line <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config max-url-param
edit <name_str>
set status {enable | disable}
set max-url-param <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config max-range-segment
edit <name_str>
set status {enable | disable}
set max-range-segment <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config exception
edit <name_str>
set id <integer>
set pattern <string>
set regex {enable | disable}
set address <string>
set header-length {enable | disable}
set content-length {enable | disable}
set param-length {enable | disable}
set line-length {enable | disable}
set url-param-length {enable | disable}
set version {enable | disable}
set method {enable | disable}
set hostname {enable | disable}
set malformed {enable | disable}
set max-cookie {enable | disable}
set max-header-line {enable | disable}
set max-url-param {enable | disable}
set max-range-segment {enable | disable}
end
end
config method
edit <name_str>
set status {enable | disable}
set log {enable | disable}
set severity {high | medium | low}
set default-allowed-methods {get | post | put | head | connect | trace | options | delete | others}
config method-policy
edit <name_str>
set id <integer>
set pattern <string>
set regex {enable | disable}
set address <string>
set allowed-methods {get | post | put | head | connect | trace | options | delete | others}
end
end
config address-list
edit <name_str>
set status {enable | disable}
set blocked-log {enable | disable}
set severity {high | medium | low}
config trusted-address
edit <name_str>
set name <string>
end
config blocked-address
edit <name_str>
set name <string>
end
end
config url-access
edit <name_str>
set id <integer>
set address <string>
set action {bypass | permit | block}
set log {enable | disable}
set severity {high | medium | low}
config access-pattern
edit <name_str>
set id <integer>
set srcaddr <string>
set pattern <string>
set regex {enable | disable}
set negate {enable | disable}
end
end
set comment <var-string>
end
Description
Configuration Description Default Value
name WAF Profile name. (Empty)
external Disable/Enable external HTTP Inspection. disable
signature WAF signatures. Details below
Configuration Default Value
main-class (Empty)
disabled-sub-class (Empty)
disabled-signature (Empty)
credit-card-detection-threshold 3
custom-signature (Empty)
constraint WAF HTTP protocol restrictions. Details below
Configuration Default Value
header-length {"status":"disable","length":8192,"action":"allow","log":"disable","severity":"medium"}
content-length {"status":"disable","length":67108864,"action":"allow","log":"disable","severity":"medium"}
param-length {"status":"disable","length":8192,"action":"allow","log":"disable","severity":"medium"}
line-length {"status":"disable","length":1024,"action":"allow","log":"disable","severity":"medium"}
url-param-length {"status":"disable","length":8192,"action":"allow","log":"disable","severity":"medium"}
version {"status":"disable","action":"allow","log":"disable","severity":"medium"}
method {"status":"disable","action":"allow","log":"disable","severity":"medium"}
hostname {"status":"disable","action":"allow","log":"disable","severity":"medium"}
malformed {"status":"disable","action":"allow","log":"disable","severity":"medium"}
max-cookie {"status":"disable","max-cookie":16,"action":"allow","log":"disable","severity":"medium"}
max-header-line {"status":"disable","max-header-line":32,"action":"allow","log":"disable","severity":"medium"}
max-url-param {"status":"disable","max-url-param":16,"action":"allow","log":"disable","severity":"medium"}
max-range-segment {"status":"disable","max-range-segment":5,"action":"allow","log":"disable","severity":"medium"}
exception (Empty)
method Method restriction. Details below
Configuration Default Value
status disable
log disable
severity medium
default-allowed-methods (Empty)
method-policy (Empty)
address-list Black address list and white address list. Details below
Configuration Default Value
status disable
blocked-log disable
severity medium
trusted-address (Empty)
blocked-address (Empty)
url-access URL access list. (Empty)
comment Comment. (Empty)
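Every constraint sub-table above ships with status disable, action allow and log disable, so a profile that was only partly hardened silently passes the remaining checks. The following audit is an added example, not Fortinet code and not part of this reference: it parses the config/edit/set/next/end syntax used throughout this document into nested dicts (works on saved text such as a `show` dump; it does not talk to a device), then flags each constraint still at its permissive default and any method restriction that admits TRACE, CONNECT or `others`. The sample profile, its name `web-prod`, and the set of "risky" methods are constructed assumptions; the sample also assumes the single-instance branches (`constraint`, `header-length`, `method`, ...) are entered without an `edit` line, which the generic syntax listing above does not distinguish.

```python
"""Parse a FortiOS-style config dump and audit a WAF profile's HTTP constraints (added example, not Fortinet code)."""
import shlex
from typing import Any, Dict, List

# Constructed sample in the `config waf profile` syntax documented above. The
# profile name and the choice of enabled constraints are illustrative assumptions.
SAMPLE_CONFIG = """\
config waf profile
    edit "web-prod"
        config constraint
            config header-length
                set status enable
                set length 8192
                set action block
                set log enable
            end
            config content-length
                set status disable
            end
            config max-cookie
                set status enable
                set max-cookie 16
                set action allow
                set log enable
            end
        end
        config method
            set status enable
            set log enable
            set default-allowed-methods get post head
        end
    next
end
"""

# Constraint sub-tables from the reference; each defaults to status=disable, action=allow, log=disable.
CONSTRAINTS = (
    "header-length", "content-length", "param-length", "line-length",
    "url-param-length", "version", "method", "hostname", "malformed",
    "max-cookie", "max-header-line", "max-url-param", "max-range-segment",
)
# Methods this audit treats as unwanted at a WAF: the example's own policy assumption.
RISKY_METHODS = {"trace", "connect", "others"}


def parse_fortios_config(text: str) -> Dict[str, Any]:
    """`config a b`/`edit "x"` open a nested dict; `set k v...` stores a string or list; `next`/`end` close a level."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        keyword, args, current = tokens[0], tokens[1:], stack[-1]
        if keyword in ("config", "edit"):
            stack.append(current.setdefault(" ".join(args), {}))
        elif keyword == "set":
            current[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif keyword in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced {keyword!r}: {line!r}")
            stack.pop()
        else:
            raise ValueError(f"unknown keyword in line {line!r}")
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root


def audit_waf_profile(profile: Dict[str, Any]) -> List[str]:
    """One finding per constraint that is still at (or near) its permissive default."""
    findings: List[str] = []
    constraints = profile.get("constraint", {})
    for name in CONSTRAINTS:
        entry = constraints.get(name, {})
        if entry.get("status", "disable") != "enable":
            findings.append(f"constraint {name}: disabled (factory default)")
            continue
        action = entry.get("action", "allow")
        if action != "block":
            findings.append(f"constraint {name}: action={action}, violations never blocked")
        if entry.get("log", "disable") != "enable":
            findings.append(f"constraint {name}: logging disabled")
    method = profile.get("method", {})
    if method.get("status", "disable") != "enable":
        findings.append("method restriction: disabled (factory default)")
    else:
        allowed = method.get("default-allowed-methods", [])
        allowed = [allowed] if isinstance(allowed, str) else allowed
        risky = sorted(RISKY_METHODS & set(allowed))
        if risky:
            findings.append(f"method restriction: allows {', '.join(risky)}")
    return findings


def audit_config_text(text: str) -> Dict[str, List[str]]:
    """Audit every entry under `config waf profile` in a config dump."""
    profiles = parse_fortios_config(text).get("waf profile", {})
    return {name: audit_waf_profile(prof) for name, prof in profiles.items()}
```

Run over SAMPLE_CONFIG, `audit_config_text` reports twelve findings for `web-prod`: the `max-cookie` constraint that is enabled but left at action allow, plus the eleven constraints that are disabled or absent; the fully hardened `header-length` block and the method restriction produce none. Because absent sub-tables are treated as their documented defaults, the audit does not need the dump to list every branch.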
waf/signature
CLI Syntax
config waf signature
edit <name_str>
set desc <string>
set id <integer>
end
Description
Configuration Description Default Value
desc Signature description. (Empty)
id Signature ID. 0
waf/sub-class
CLI Syntax
config waf sub-class
edit <name_str>
set name <string>
set id <integer>
end
Description
Configuration Description Default Value
name Signature subclass name. (Empty)
id Signature subclass ID. 0
wanopt/auth-group
CLI Syntax
config wanopt auth-group
edit <name_str>
set name <string>
set auth-method {cert | psk}
set psk <password>
set cert <string>
set peer-accept {any | defined | one}
set peer <string>
end
Description
Configuration Description Default Value
name Auth-group name. (Empty)
auth-method Group authentication method. cert
psk Pre-shared secret for PSK authentication. (Empty)
cert Name of certificate to identify this host. (Empty)
peer-accept Peer acceptance method. any
peer Peer host ID. (Empty)
wanopt/peer
CLI Syntax
config wanopt peer
edit <name_str>
set peer-host-id <string>
set ip <ipv4-address-any>
end
Description
Configuration Description Default Value
peer-host-id Peer host ID. (Empty)
ip Peer IP address. [Link]
wanopt/profile
CLI Syntax
config wanopt profile
edit <name_str>
set name <string>
set transparent {enable | disable}
set comments <var-string>
set auth-group <string>
config http
edit <name_str>
set status {enable | disable}
set secure-tunnel {enable | disable}
set byte-caching {enable | disable}
set prefer-chunking {dynamic | fix}
set tunnel-sharing {private | shared | express-shared}
set log-traffic {enable | disable}
set port <integer>
set ssl {enable | disable}
set ssl-port <integer>
set unknown-http-version {reject | tunnel | best-effort}
set tunnel-non-http {enable | disable}
end
config cifs
edit <name_str>
set status {enable | disable}
set secure-tunnel {enable | disable}
set byte-caching {enable | disable}
set prefer-chunking {dynamic | fix}
set tunnel-sharing {private | shared | express-shared}
set log-traffic {enable | disable}
set port <integer>
end
config mapi
edit <name_str>
set status {enable | disable}
set secure-tunnel {enable | disable}
set byte-caching {enable | disable}
set tunnel-sharing {private | shared | express-shared}
set log-traffic {enable | disable}
set port <integer>
end
config ftp
edit <name_str>
set status {enable | disable}
set secure-tunnel {enable | disable}
set byte-caching {enable | disable}
set prefer-chunking {dynamic | fix}
set tunnel-sharing {private | shared | express-shared}
set log-traffic {enable | disable}
set port <integer>
end
config tcp
edit <name_str>
set status {enable | disable}
set secure-tunnel {enable | disable}
set byte-caching {enable | disable}
set byte-caching-opt {mem-only | mem-disk}
set tunnel-sharing {private | shared | express-shared}
set log-traffic {enable | disable}
set port <user>
set ssl {enable | disable}
set ssl-port <integer>
end
end
Description
Configuration Description Default Value
name Profile name. (Empty)
transparent Enable/disable transparent mode. enable
comments Comment. (Empty)
auth-group Peer authentication group. (Empty)
http HTTP protocol settings. Details below
Configuration Default Value
status disable
secure-tunnel disable
byte-caching enable
prefer-chunking fix
tunnel-sharing private
log-traffic enable
port 80
ssl disable
ssl-port 443
unknown-http-version tunnel
tunnel-non-http disable
cifs CIFS protocol settings. Details below
Configuration Default Value
status disable
secure-tunnel disable
byte-caching enable
prefer-chunking fix
tunnel-sharing private
log-traffic enable
port 445
mapi MAPI protocol settings. Details below
Configuration Default Value
status disable
secure-tunnel disable
byte-caching enable
tunnel-sharing private
log-traffic enable
port 135
ftp FTP protocol settings. Details below
Configuration Default Value
status disable
secure-tunnel disable
byte-caching enable
prefer-chunking fix
tunnel-sharing private
log-traffic enable
port 21
tcp TCP protocol settings. Details below
Configuration Default Value
status disable
secure-tunnel disable
byte-caching disable
byte-caching-opt mem-only
tunnel-sharing private
log-traffic enable
port 1-65535
ssl disable
ssl-port 443 990 995 465 993
wanopt/settings
CLI Syntax
config wanopt settings
edit <name_str>
set host-id <string>
set tunnel-ssl-algorithm {high | medium | low}
set auto-detect-algorithm {simple | diff-req-resp}
end
Description
Configuration Description Default Value
host-id Host identity. default-id
tunnel-ssl-algorithm Relative strength of encryption algorithms accepted in tunnel negotiation. high
auto-detect-algorithm Auto detection algorithms used in tunnel negotiation. simple
wanopt/storage
CLI Syntax
config wanopt storage
edit <name_str>
set name <string>
set size <integer>
set webcache-storage-percentage <integer>
set webcache-storage-size <user>
set wan-optimization-cache-storage-size <user>
end
Description
Configuration Description Default Value
name Storage name. (Empty)
size Maximum total size of files within the storage (MB). 1024
webcache-storage-percentage Percentage of storage available for Web cache. The rest is used for WAN optimization. 50
webcache-storage-size Web cache storage size. (Empty)
wan-optimization-cache-storage-size WAN optimization cache storage size. (Empty)
wanopt/webcache
CLI Syntax
config wanopt webcache
edit <name_str>
set max-object-size <integer>
set neg-resp-time <integer>
set fresh-factor <integer>
set max-ttl <integer>
set min-ttl <integer>
set default-ttl <integer>
set ignore-ims {enable | disable}
set ignore-conditional {enable | disable}
set ignore-pnc {enable | disable}
set ignore-ie-reload {enable | disable}
set cache-expired {enable | disable}
set cache-cookie {enable | disable}
set reval-pnc {enable | disable}
set always-revalidate {enable | disable}
set cache-by-default {enable | disable}
set host-validate {enable | disable}
set external {enable | disable}
end
Description
Configuration Description Default Value
max-object-size Maximum cacheable object size in kB; the maximum is 2147483 (2GB). 512000
neg-resp-time Duration of negative responses cache. 0
fresh-factor Fresh factor percentage (1 - 100 percent). 100
max-ttl Maximum TTL in minutes (default = 7200 (5 days); maximum = 5256000 (100 years)). 7200
min-ttl Minimum TTL in minutes (default = 5; maximum = 5256000 (100 years)). 5
default-ttl Default TTL in minutes (default = 1440 (1 day); maximum = 5256000 (100 years)). 1440
ignore-ims Enable/disable ignore if-modified-since. disable
ignore-conditional Enable/disable ignore HTTP 1.1 conditionals. disable
ignore-pnc Enable/disable ignore pragma-no-cache. disable
ignore-ie-reload Enable/disable ignore IE reload. enable
cache-expired Enable/disable cache expired objects. disable
cache-cookie Enable/disable caching of HTTP response with Set-Cookie header. disable
reval-pnc Enable/disable re-validation of pragma-no-cache. disable
always-revalidate Enable/disable re-validation of requested cached object with content server before serving it to client. disable
cache-by-default Enable/disable caching of content lacking explicit caching policy from server. disable
host-validate Enable/disable validating "Host:" with original server IP. disable
external Enable/disable external cache. disable
web-proxy/debug-url
CLI Syntax
config web-proxy debug-url
edit <name_str>
set name <string>
set url-pattern <string>
set status {enable | disable}
set exact {enable | disable}
end
Description
Configuration Description Default Value
name Debug URL name. (Empty)
url-pattern URL exemption pattern. (Empty)
status Enable/disable this URL exemption. enable
exact Enable/disable match exact path. enable
CLI Reference for FortiOS 5.4 794
Fortinet Technologies Inc.
web-proxy/explicit
CLI Syntax
config web-proxy explicit
edit <name_str>
set status {enable | disable}
set ftp-over-http {enable | disable}
set socks {enable | disable}
set http-incoming-port <integer>
set https-incoming-port <integer>
set ftp-incoming-port <integer>
set socks-incoming-port <integer>
set incoming-ip <ipv4-address-any>
set outgoing-ip <ipv4-address-any>
set ipv6-status {enable | disable}
set incoming-ip6 <ipv6-address>
set outgoing-ip6 <ipv6-address>
set strict-guest {enable | disable}
set pref-dns-result {ipv4 | ipv6}
set unknown-http-version {reject | best-effort}
set realm <string>
set sec-default-action {accept | deny}
set https-replacement-message {enable | disable}
set message-upon-server-error {enable | disable}
set pac-file-server-status {enable | disable}
set pac-file-server-port <integer>
set pac-file-name <string>
set pac-file-data <user>
set pac-file-url <user>
set ssl-algorithm {high | medium | low}
end
Description
Configuration Description Default Value
status Enable/disable explicit Web proxy. disable
ftp-over-http Enable/disable FTP-over-HTTP. disable
socks Enable/disable SOCKS proxy. disable
http-incoming-port Accept incoming HTTP requests on ports other than port 80. 8080
https-incoming-port Accept incoming HTTPS requests on this port. 0
ftp-incoming-port Accept incoming FTP-over-HTTP requests on this port. 0
socks-incoming-port Accept incoming SOCKS proxy requests on this port. 0
incoming-ip Accept incoming HTTP requests from this IP. An interface must have this IP address. [Link]
outgoing-ip Outgoing HTTP requests will leave this IP. An interface must have this IP address. (Empty)
ipv6-status Enable/disable IPv6 destination in policy. disable
incoming-ip6 Accept incoming HTTP requests from this IP. An interface must have this IP address. ::
outgoing-ip6 Outgoing HTTP requests will leave this IP. An interface must have this IP address. (Empty)
strict-guest Enable/disable strict guest user check in explicit proxy. disable
pref-dns-result IPv4 or IPv6 DNS result preference. ipv4
unknown-http-version Unknown HTTP version handling. reject
realm Authentication realm. default
sec-default-action Default action to allow or deny when no web-proxy firewall policy exists. deny
https-replacement-message Default action to enable or disable return replacement message for HTTPS requests. enable
message-upon-server-error Enable/disable return of replacement message upon server error detection. enable
pac-file-server-status Enable/disable PAC file server. disable
pac-file-server-port PAC file server listening port. 0
pac-file-name PAC file name. [Link]
pac-file-data PAC file contents. (Empty)
pac-file-url PAC file access URL. (Empty)
ssl-algorithm Relative strength of encryption algorithms accepted in HTTPS deep-scan. high
web-proxy/forward-server
CLI Syntax
config web-proxy forward-server
edit <name_str>
set name <string>
set ip <ipv4-address-any>
set fqdn <string>
set addr-type {ip | fqdn}
set port <integer>
set healthcheck {disable | enable}
set monitor <string>
set server-down-option {block | pass}
set comment <string>
end
Description
Configuration Description Default Value
name Server name. (Empty)
ip Forward server IP. [Link]
fqdn Forward server FQDN. (Empty)
addr-type Address type. ip
port Forward server port. 3128
healthcheck Enable/disable forward server health checking. disable
monitor Forward health checking URL. [Link]
server-down-option Action when forward server is down. block
comment Comment. (Empty)
web-proxy/forward-server-group
CLI Syntax
config web-proxy forward-server-group
edit <name_str>
set name <string>
set affinity {enable | disable}
set ldb-method {weighted | least-session}
set group-down-option {block | pass}
config server-list
edit <name_str>
set name <string>
set weight <integer>
end
end
Description
Configuration Description Default Value
name Forward server group name. (Empty)
affinity Enable/disable affinity. enable
ldb-method Load balance method. weighted
group-down-option Action when group is down. block
server-list Forward server list. (Empty)
web-proxy/global
CLI Syntax
config web-proxy global
edit <name_str>
set proxy-fqdn <string>
set max-request-length <integer>
set max-message-length <integer>
set strict-web-check {enable | disable}
set forward-proxy-auth {enable | disable}
set tunnel-non-http {enable | disable}
set unknown-http-version {reject | tunnel | best-effort}
set forward-server-affinity-timeout <integer>
set max-waf-body-cache-length <integer>
set webproxy-profile <string>
end
Description
Configuration Description Default Value
proxy-fqdn Proxy FQDN. [Link]
max-request-length Maximum length of HTTP request line (1kB units (1024 Bytes)). 4
max-message-length Maximum length of HTTP message not including body (1kB units (1024 Bytes)). 32
strict-web-check Enable/disable strict web check. disable
forward-proxy-auth Enable/disable forward proxy authentication. disable
tunnel-non-http Enable/disable non-HTTP tunnel. enable
unknown-http-version Unknown HTTP version handling. best-effort
forward-server-affinity-timeout Timeout of the forward server affinity (6 - 60 min, default = 30 min). 30
max-waf-body-cache-length Maximum length of HTTP message (1kB units (1024 Bytes)) processed by Web Application Firewall. 100
webproxy-profile Web proxy profile used when no policy matches. (Empty)
web-proxy/profile
CLI Syntax
config web-proxy profile
edit <name_str>
set name <string>
set header-client-ip {pass | add | remove}
set header-via-request {pass | add | remove}
set header-via-response {pass | add | remove}
set header-x-forwarded-for {pass | add | remove}
set header-front-end-https {pass | add | remove}
config headers
edit <name_str>
set id <integer>
set name <string>
set action {add-to-request | add-to-response | remove-from-request | remove-from-response}
set content <string>
end
end
Description
Configuration Description Default Value
name Profile name. (Empty)
header-client-ip Action for the HTTP client-IP header in forwarded requests. pass
header-via-request Action for the HTTP via header in forwarded requests. pass
header-via-response Action for the HTTP via header in forwarded responses. pass
header-x-forwarded-for Action for the HTTP x-forwarded-for header in forwarded requests. pass
header-front-end-https Action for the HTTP front-end-HTTPS header in forwarded requests. pass
headers Configure HTTP forwarded requests headers. (Empty)
web-proxy/url-match
CLI Syntax
config web-proxy url-match
edit <name_str>
set name <string>
set status {enable | disable}
set url-pattern <string>
set forward-server <string>
set cache-exemption {enable | disable}
set comment <var-string>
end
Description
Configuration Description Default Value
name Configure URL name. (Empty)
status Enable/disable per URL pattern web proxy forwarding and cache exemptions. enable
url-pattern URL pattern. (Empty)
forward-server Forward server name. (Empty)
cache-exemption Enable/disable cache exemption for this URL pattern. disable
comment Comment. (Empty)
webfilter/content
CLI Syntax
config webfilter content
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set name <string>
set pattern-type {wildcard | regexp}
set status {enable | disable}
set lang {western | simch | trach | japanese | korean | french | thai | spanish | cyrillic}
set score <integer>
set action {block | exempt}
end
end
Description
Configuration Description Default Value
id ID. 0
name Name of table. (Empty)
comment Comment. (Empty)
entries Configure web filter banned word. (Empty)
webfilter/content-header
CLI Syntax
config webfilter content-header
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set pattern <string>
set action {block | allow | exempt}
set category <user>
end
end
Description
Configuration Description Default Value
id ID. 0
name Name of table. (Empty)
comment Comment. (Empty)
entries Configure content types used by web filter. (Empty)
webfilter/cookie-ovrd
CLI Syntax
config webfilter cookie-ovrd
edit <name_str>
set auth-epoch <integer>
set redir-host <string>
set redir-port <integer>
set cookie-name <string>
end
Description
Configuration Description Default Value
auth-epoch Current authentication epoch - changing this value will invalidate all currently issued override cookies. 0
redir-host Domain name or IP of host that will be used to validate override authentication cookies. (Empty)
redir-port TCP port that will be used on "redir-host" to validate override authentication cookies. 20080
cookie-name Name to use for override authentication cookies. wfovrdZnkHSb2CESh
webfilter/fortiguard
CLI Syntax
config webfilter fortiguard
edit <name_str>
set cache-mode {ttl | db-ver}
set cache-prefix-match {enable | disable}
set cache-mem-percent <integer>
set ovrd-auth-port-http <integer>
set ovrd-auth-port-https <integer>
set ovrd-auth-port-warning <integer>
set ovrd-auth-https {enable | disable}
set warn-auth-https {enable | disable}
set close-ports {enable | disable}
set request-packet-size-limit <integer>
set ovrd-auth-port <integer>
end
Description
Configuration Description Default Value
cache-mode Cache entry expiration mode. ttl
cache-prefix-match Enable/disable prefix matching in the cache. enable
cache-mem-percent Maximum percentage of available memory allocated to caching (1 - 15%). 2
ovrd-auth-port-http Port to use for FortiGuard Web Filter HTTP override authentication. 8008
ovrd-auth-port-https Port to use for FortiGuard Web Filter HTTPS override authentication. 8010
ovrd-auth-port-warning Port to use for FortiGuard Web Filter Warning override authentication. 8020
ovrd-auth-https Enable/disable use of HTTPS for override authentication. enable
warn-auth-https Enable/disable use of HTTPS for warning and authentication. enable
close-ports Close ports used for HTTP/HTTPS override authentication and disable user overrides. disable
request-packet-size-limit Limit size of URL request packets sent to FortiGuard server (0 for default). 0
ovrd-auth-port Port to use for FortiGuard Web Filter override authentication. 8008
webfilter/ftgd-local-cat
CLI Syntax
config webfilter ftgd-local-cat
edit <name_str>
set id <integer>
set desc <string>
end
Description
Configuration Description Default Value
id Local category ID. 0
desc Local category description. (Empty)
webfilter/ftgd-local-rating
CLI Syntax
config webfilter ftgd-local-rating
edit <name_str>
set url <string>
set status {enable | disable}
set rating <user>
end
Description
Configuration Description Default Value
url URL to rate locally. (Empty)
status Enable/disable local rating. enable
rating Local rating.
webfilter/ftgd-warning
CLI Syntax
config webfilter ftgd-warning
edit <name_str>
set id <integer>
set status {enable | disable}
set scope {user | user-group | ip | ip6}
set ip <ipv4-address>
set user <string>
set user-group <string>
set old-profile <string>
set expires <user>
set rating <integer>
end
Description
Configuration Description Default Value
id Specify the override rule ID. 0
status Enable/disable override rule. disable
scope Specify the scope of the override rule. user
ip Specify the IP address for which the override applies. [Link]
user Specify the username for which the override applies. (Empty)
user-group Specify the user group for which the override applies. (Empty)
old-profile Specify the web-filter profile for which the override applies. (Empty)
expires Specify when the override expires. 1969/12/31 [Link]
rating Ratings associated with the overridden filter. 0
webfilter/ips-urlfilter-cache-setting
CLI Syntax
config webfilter ips-urlfilter-cache-setting
edit <name_str>
set dns-retry-interval <integer>
set extended-ttl <integer>
end
Description
Configuration Description Default Value
dns-retry-interval Retry interval. Refresh DNS faster than TTL to capture multiple IPs for hosts. 0 means use DNS server's TTL only. 0
extended-ttl Extend time to live beyond reported by DNS. 0 means use DNS server's TTL. 0
webfilter/ips-urlfilter-setting
CLI Syntax
config webfilter ips-urlfilter-setting
edit <name_str>
set device <string>
set distance <integer>
set gateway <ipv4-address>
end
Description
Configuration Description Default Value
device Enable/disable gateway out interface. (Empty)
distance Administrative distance (1 - 255). 1
gateway Gateway IP for this route. [Link]
webfilter/override
CLI Syntax
config webfilter override
edit <name_str>
set id <integer>
set status {enable | disable}
set scope {user | user-group | ip | ip6}
set ip <ipv4-address>
set user <string>
set user-group <string>
set old-profile <string>
set new-profile <string>
set ip6 <ipv6-address>
set expires <user>
set initiator <string>
end
Description
Configuration  Description  Default Value
id  Specify the override rule ID.  0
status  Enable/disable override rule.  disable
scope  Specify the scope of the override rule.  user
ip  Specify the IP address for which the override applies.  [Link]
user  Specify the username for which the override applies.  (Empty)
user-group  Specify the user group for which the override applies.  (Empty)
old-profile  Specify the web-filter profile for which the override applies.  (Empty)
new-profile  Specify the new web-filter profile to apply override.  (Empty)
ip6  Specify the IPv6 address for which the override applies.  ::
expires  Specify when the override expires.  1969/12/31 [Link]
initiator  Initiating user of override (not settable).  (Empty)
webfilter/override-user
CLI Syntax
config webfilter override-user
edit <name_str>
set id <integer>
set status {enable | disable}
set scope {user | user-group | ip | ip6}
set ip <ipv4-address>
set user <string>
set user-group <string>
set old-profile <string>
set new-profile <string>
set ip6 <ipv6-address>
set expires <user>
set initiator <string>
end
Description
Configuration  Description  Default Value
id  Specify the override rule ID.  0
status  Enable/disable override rule.  disable
scope  Specify the scope of the override rule.  user
ip  Specify the IP address for which the override applies.  [Link]
user  Specify the username for which the override applies.  (Empty)
user-group  Specify the user group for which the override applies.  (Empty)
old-profile  Specify the web-filter profile for which the override applies.  (Empty)
new-profile  Specify the new web-filter profile to apply override.  (Empty)
ip6  Specify the IPv6 address for which the override applies.  ::
expires  Specify when the override expires.  1969/12/31 [Link]
initiator  Initiating user of override (not settable).  (Empty)
webfilter/profile
CLI Syntax
config webfilter profile
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
set inspection-mode {proxy | flow-based | dns}
set options {rangeblock | activexfilter | cookiefilter | javafilter | block-invalid-url | jscript | js | vbs | unknown | intrinsic | wf-referer | wf-cookie | https-url-scan | per-user-bwl}
set https-replacemsg {enable | disable}
set ovrd-perm {bannedword-override | urlfilter-override | fortiguard-wf-override | contenttype-check-override}
set post-action {normal | comfort | block}
config override
edit <name_str>
set ovrd-cookie {allow | deny}
set ovrd-scope {user | user-group | ip | browser | ask}
set profile-type {list | radius}
set ovrd-dur-mode {constant | ask}
set ovrd-dur <user>
set profile-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
config ovrd-user-group
edit <name_str>
set name <string>
end
config profile
edit <name_str>
set name <string>
end
end
config web
edit <name_str>
set bword-threshold <integer>
set bword-table <integer>
set urlfilter-table <integer>
set content-header-list <integer>
set blacklist {enable | disable}
set whitelist {exempt-av | exempt-webcontent | exempt-activex-java-cookie | exempt-dlp | exempt-rangeblock | extended-log-others}
set safe-search {url | header}
set youtube-edu-filter-id <string>
set log-search {enable | disable}
config keyword-match
edit <name_str>
set pattern <string>
end
end
config ftgd-wf
edit <name_str>
set options {error-allow | http-err-detail | rate-image-urls | rate-server-ip | redir-block | connect-request-bypass | ftgd-disable}
set category-override <user>
set exempt-quota <user>
set ovrd <user>
config filters
edit <name_str>
set id <integer>
set category <integer>
set action {block | authenticate | monitor | warning}
set warn-duration <user>
config auth-usr-grp
edit <name_str>
set name <string>
end
set log {enable | disable}
set override-replacemsg <string>
set warning-prompt {per-domain | per-category}
set warning-duration-type {session | timeout}
end
config quota
edit <name_str>
set id <integer>
set category <user>
set type {time | traffic}
set unit {B | KB | MB | GB}
set value <integer>
set duration <user>
set override-replacemsg <string>
end
set max-quota-timeout <integer>
set rate-image-urls {disable | enable}
set rate-javascript-urls {disable | enable}
set rate-css-urls {disable | enable}
set rate-crl-urls {disable | enable}
end
set wisp {enable | disable}
set log-all-url {enable | disable}
set web-content-log {enable | disable}
set web-filter-activex-log {enable | disable}
set web-filter-command-block-log {enable | disable}
set web-filter-cookie-log {enable | disable}
set web-filter-applet-log {enable | disable}
set web-filter-jscript-log {enable | disable}
set web-filter-js-log {enable | disable}
set web-filter-vbs-log {enable | disable}
set web-filter-unknown-log {enable | disable}
set web-filter-referer-log {enable | disable}
set web-filter-cookie-removal-log {enable | disable}
set web-url-log {enable | disable}
set web-invalid-domain-log {enable | disable}
set web-ftgd-err-log {enable | disable}
set web-ftgd-quota-usage {enable | disable}
end
Description
Configuration  Description  Default Value
name  Profile name.  (Empty)
comment  Comment.  (Empty)
replacemsg-group  Replacement message group.  (Empty)
inspection-mode  Web filtering inspection mode.  proxy
options  Options.  (Empty)
https-replacemsg  Enable replacement message display for non-deep SSL inspection.  enable
ovrd-perm  Override permit option.  (Empty)
post-action  Action for HTTP POST requests.  normal
override  Web Filter override settings.  Details below
  Configuration  Default Value
  ovrd-cookie  deny
  ovrd-scope  user
  profile-type  list
  ovrd-dur-mode  constant
  ovrd-dur  15m
  profile-attribute  Login-LAT-Service
  ovrd-user-group  (Empty)
  profile  (Empty)
web  Web settings.  Details below
  Configuration  Default Value
  bword-threshold  10
  bword-table  0
  urlfilter-table  0
  content-header-list  0
  blacklist  disable
  whitelist  (Empty)
  safe-search  (Empty)
  youtube-edu-filter-id  (Empty)
  log-search  disable
  keyword-match  (Empty)
ftgd-wf  FortiGuard Web Filter settings.  Details below
  Configuration  Default Value
  options  ftgd-disable
  category-override
  exempt-quota  17
  ovrd
  filters  (Empty)
  quota  (Empty)
  max-quota-timeout  300
  rate-image-urls  enable
  rate-javascript-urls  enable
  rate-css-urls  enable
  rate-crl-urls  enable
wisp  Enable/disable web proxy WISP.  disable
log-all-url  Enable/disable log all URLs visited.  disable
web-content-log  Enable/disable logging for web filter content blocking.  enable
web-filter-activex-log  Enable/disable logging for web script filtering on ActiveX.  enable
web-filter-command-block-log  Enable/disable logging for web filtering on command blocking.  enable
web-filter-cookie-log  Enable/disable logging for web script filtering on cookies.  enable
web-filter-applet-log  Enable/disable logging for web script filtering on Java applets.  enable
web-filter-jscript-log  Enable/disable logging for web script filtering on JScripts.  enable
web-filter-js-log  Enable/disable logging for web script filtering on Java scripts.  enable
web-filter-vbs-log  Enable/disable logging for web script filtering on VB scripts.  enable
web-filter-unknown-log  Enable/disable logging for web script filtering on unknown scripts.  enable
web-filter-referer-log  Enable/disable logging of web filter referrer block.  enable
web-filter-cookie-removal-log  Enable/disable logging of web filter cookie block.  enable
web-url-log  Enable/disable logging for URL filtering.  enable
web-invalid-domain-log  Enable/disable logging for web filtering of invalid domain name.  enable
web-ftgd-err-log  Enable/disable logging for FortiGuard Web Filter rating errors.  enable
web-ftgd-quota-usage  Enable/disable logging for FortiGuard Web Filter quota usage each day.  enable
webfilter/search-engine
CLI Syntax
config webfilter search-engine
edit <name_str>
set name <string>
set hostname <string>
set url <string>
set query <string>
set safesearch {disable | url | header}
set charset {utf-8 | gb2312}
set safesearch-str <string>
end
Description
Configuration Description Default Value
name Search engine name. (Empty)
hostname Hostname regular expression. (Empty)
url URL regular expression. (Empty)
query Query string (must end with an equals character). (Empty)
safesearch Safe search enable. disable
charset Search engine charset. utf-8
safesearch-str Safe search parameter. (Empty)
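To show how the fields of a search-engine entry work together in url safe-search mode, here is an added Python model written for this page; it is not FortiOS code and the engine definition in it is constructed, not one of the built-in FortiOS search-engine entries. The hostname and url regular expressions select the request, the query parameter (which the reference requires to end with an equals character) identifies it as a search, and the safesearch-str parameter is forced into the query string. The assumption that an existing client-supplied copy of that parameter is replaced rather than appended to is the example's own; header mode is not modelled because the reference does not say which header it sets.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode


@dataclass(frozen=True)
class SearchEngine:
    """One 'config webfilter search-engine' entry, modelled as a plain record."""
    name: str
    hostname: str        # regular expression matched against the request host
    url: str             # regular expression matched against the request path
    query: str           # search-terms parameter, must end with '=' (e.g. "q=")
    safesearch: str      # "disable", "url" or "header"
    safesearch_str: str  # parameter enforced in url mode, e.g. "safe=active"

    def __post_init__(self):
        # The reference says the query string must end with an equals character.
        if not self.query.endswith("="):
            raise ValueError("query must end with '='")

    def is_search_request(self, host, path, query):
        """True when host and path match and the search parameter is present."""
        if not re.search(self.hostname, host) or not re.search(self.url, path):
            return False
        key = self.query[:-1]
        return any(k == key for k, _ in parse_qsl(query, keep_blank_values=True))


def enforce_safe_search(request_url, engines):
    """Rewrite a search URL so the safe-search parameter carries the enforced value.

    Returns (rewritten_url, engine_name). A request that matches no entry, or whose
    entry is not in 'url' mode, is returned untouched with engine_name None.
    Assumed semantics: any client-supplied copy of the parameter is replaced, so a
    browser-sent 'safe=off' cannot win over the enforced value.
    """
    parts = urlsplit(request_url)
    host = (parts.hostname or "").lower()
    for engine in engines:
        if engine.safesearch != "url":
            continue
        if not engine.is_search_request(host, parts.path, parts.query):
            continue
        key, _, value = engine.safesearch_str.partition("=")
        pairs = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                 if k != key]
        pairs.append((key, value))
        rewritten = urlunsplit((parts.scheme, parts.netloc, parts.path,
                                urlencode(pairs), parts.fragment))
        return rewritten, engine.name
    return request_url, None


# Constructed entry for illustration; not a FortiOS built-in definition.
EXAMPLE_ENGINES = [
    SearchEngine(
        name="example-search",
        hostname=r"(^|\.)search\.example$",
        url=r"^/search",
        query="q=",
        safesearch="url",
        safesearch_str="safe=active",
    ),
]

if __name__ == "__main__":
    for u in ("https://www.search.example/search?q=kittens&safe=off",
              "https://www.search.example/images?q=kittens",
              "https://www.search.example/search?page=2"):
        print(enforce_safe_search(u, EXAMPLE_ENGINES))
```

The first URL is rewritten with safe=active replacing safe=off; the second fails the url regular expression and the third carries no q parameter, so both pass through unchanged.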
webfilter/urlfilter
CLI Syntax
config webfilter urlfilter
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
set one-arm-ips-urlfilter {enable | disable}
set ip-addr-block {enable | disable}
config entries
edit <name_str>
set id <integer>
set url <string>
set type {simple | regex | wildcard}
set action {exempt | block | allow | monitor}
set status {enable | disable}
set exempt {av | filepattern | web-content | activex-java-cookie | dlp | fortiguard | range-block | pass | all}
set web-proxy-profile <string>
set referrer-host <string>
end
end
Description
Configuration  Description  Default Value
id  ID.  0
name  Name of table.  (Empty)
comment  Comment.  (Empty)
one-arm-ips-urlfilter  Enable/disable DNS resolver for one-arm IPS URL filter operation.  disable
ip-addr-block  Enable/disable block URLs when hostname appears as an IP address.  disable
entries  Web filter/URL filter.  (Empty)
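An added Python model of how a URL filter table is evaluated, written for this page rather than taken from FortiOS: entries carry an id, a pattern of type simple, regex or wildcard, an action (exempt, block, allow or monitor) and a status, and the table-level ip-addr-block setting blocks requests whose hostname is an IP literal. The evaluation order (ip-addr-block first, then enabled entries by ascending id, first match wins), the exact meaning of a simple match and the "none" result for an unmatched request are assumptions made for the example; the table contents are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


@dataclass(frozen=True)
class UrlEntry:
    """One 'config entries' row of a 'config webfilter urlfilter' table."""
    id: int
    url: str
    type: str = "simple"       # simple | regex | wildcard
    action: str = "block"      # exempt | block | allow | monitor
    status: str = "enable"
    exempt: tuple = ()         # only meaningful when action is 'exempt'

    def matches(self, host, host_and_path):
        pattern = self.url.lower()
        if self.type == "simple":
            # assumed: exact host, or host+path beginning with the pattern
            return host == pattern.rstrip("/") or host_and_path.startswith(pattern)
        if self.type == "wildcard":
            return fnmatchcase(host, pattern) or fnmatchcase(host_and_path, pattern)
        if self.type == "regex":
            return re.search(self.url, host_and_path, re.IGNORECASE) is not None
        raise ValueError("unknown entry type " + self.type)


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def evaluate_url(request_url, entries, ip_addr_block=False):
    """Return (action, entry_id, matched_pattern) for one request.

    Assumed order: the table-level ip-addr-block check first, then enabled entries
    in ascending id order, first match wins. 'none' means no entry matched and the
    request continues to the rest of the web filter profile.
    """
    if "://" not in request_url:
        request_url = "http://" + request_url
    parts = urlsplit(request_url)
    host = (parts.hostname or "").lower()
    host_and_path = host + (parts.path or "/")
    if ip_addr_block and _is_ip_literal(host):
        return ("block", None, "ip-addr-block")
    for entry in sorted(entries, key=lambda e: e.id):
        if entry.status == "enable" and entry.matches(host, host_and_path):
            return (entry.action, entry.id, entry.url)
    return ("none", None, None)


# Constructed table for illustration; hostnames use reserved example/test names.
EXAMPLE_ENTRIES = [
    UrlEntry(1, "downloads.example.test/", "simple", "exempt", exempt=("av",)),
    UrlEntry(2, "*.example.test", "wildcard", "allow"),
    UrlEntry(3, r"bad-site\.test", "regex", "block"),
    UrlEntry(4, "news.example.test", "simple", "monitor", status="disable"),
]

if __name__ == "__main__":
    for u in ("http://downloads.example.test/file.zip", "www.example.test",
              "http://bad-site.test/login", "http://198.51.100.7/x"):
        print(u, "->", evaluate_url(u, EXAMPLE_ENTRIES, ip_addr_block=True))
```

Note that news.example.test is answered by the wildcard entry 2 before the disabled entry 4 is reached, and that 198.51.100.7 is only blocked when ip-addr-block is enabled; with it disabled the request matches nothing and falls through.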
wireless-controller/ap-status
CLI Syntax
config wireless-controller ap-status
edit <name_str>
set id <integer>
set bssid <mac-address>
set ssid <string>
set status {rogue | accepted | suppressed}
end
Description
Configuration Description Default Value
id AP ID. 0
bssid AP's BSSID. [Link]
ssid AP's SSID. (Empty)
status AP status. rogue
wireless-controller/global
CLI Syntax
config wireless-controller global
edit <name_str>
set name <string>
set location <string>
set max-retransmit <integer>
set data-ethernet-II {enable | disable}
set mesh-eth-type <integer>
set discovery-mc-addr <ipv4-address-multicast>
set max-clients <integer>
set rogue-scan-mac-adjacency <integer>
set ap-log-server {enable | disable}
set ap-log-server-ip <ipv4-address>
set ap-log-server-port <integer>
end
Description
Configuration  Description  Default Value
name  Name.  (Empty)
location  Location.  (Empty)
max-retransmit  Maximum # of retransmissions for tunnel packet.  3
data-ethernet-II  Enable/disable ethernet frame type with 802.3 data tunnel mode.  disable
mesh-eth-type  Ethernet type for wireless backhaul tunnel packet.  8755
discovery-mc-addr  Discovery multicast address.  [Link]
max-clients  Maximum number of stations supported by the AC.  0
rogue-scan-mac-adjacency  Range of numerical difference between AP's Ethernet MAC and AP's BSSID, given the identical OUI (default = 7).  7
ap-log-server  Enable/disable AP log server.  disable
ap-log-server-ip  AP log server IP address.  [Link]
ap-log-server-port  AP log server port.  0
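The rogue-scan-mac-adjacency check is the one setting in this table that describes a computation: a BSSID heard over the air is tied to an AP seen on the wired side when both share an OUI and their remaining 24 bits differ by no more than the configured range. The Python below is an added illustration of that comparison written for this page (not FortiOS code); the wired MAC list and BSSIDs are constructed, locally administered addresses, and the inclusive comparison and the way candidates are reported are the example's assumptions.

```python
def parse_mac(mac):
    """Parse 'aa:bb:cc:dd:ee:ff' (or '-' separated) into a 48-bit integer."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a MAC address: " + mac)
    return int(digits, 16)


def is_adjacent(wired_mac, bssid, adjacency=7):
    """True when both addresses share an OUI and their NIC-specific parts
    differ by at most 'adjacency' (the rogue-scan-mac-adjacency value)."""
    a, b = parse_mac(wired_mac), parse_mac(bssid)
    if a >> 24 != b >> 24:              # upper 24 bits are the OUI
        return False
    return abs((a & 0xFFFFFF) - (b & 0xFFFFFF)) <= adjacency


def on_wire_rogue_candidates(wired_macs, seen_bssids, adjacency=7):
    """Map each BSSID heard over the air to the wired MACs it is adjacent to.

    A BSSID with at least one adjacent wired MAC is the kind of AP an on-wire
    rogue scan would flag for follow-up; BSSIDs with no hit are omitted.
    """
    result = {}
    for bssid in seen_bssids:
        hits = [m for m in wired_macs if is_adjacent(m, bssid, adjacency)]
        if hits:
            result[bssid] = sorted(hits)
    return result


# Constructed sample data (locally administered addresses, not real devices).
WIRED_MACS = ["02:00:5e:00:00:10", "02:00:5e:00:01:00", "02:00:5f:00:00:10"]
SEEN_BSSIDS = ["02:00:5e:00:00:16",   # same OUI, differs by 6 from ...:00:10
               "02:00:5e:00:00:18",   # same OUI, differs by 8: outside default range
               "02:00:5f:00:00:17",   # same OUI as the third wired MAC, differs by 7
               "02:00:5e:00:01:07"]   # adjacent to ...:01:00

if __name__ == "__main__":
    for bssid, macs in on_wire_rogue_candidates(WIRED_MACS, SEEN_BSSIDS).items():
        print(bssid, "adjacent to", macs)
```

Lowering the adjacency value tightens the correlation: with the default of 7 three of the four BSSIDs are reported, with a value of 3 none of them are.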
wireless-controller/setting
CLI Syntax
config wireless-controller setting
edit <name_str>
set account-id <string>
set country {NA | AL | DZ | AO | AR | AM | AT | AZ | BH | BD | BB | BY | BE | BZ | BO | BA | BR | BN | BG | KH | CL | CN | CO | CR | HR | CY | CZ | DK | DO | EC | EG | SV | EE | FI | FR | GE | DE | GR | GL | GD | GU | GT | HT | HN | HK | HU | IS | IN | ID | IR | IE | IL | IT | JM | JO | KZ | KE | KP | KR | KW | LV | LB | LI | LT | LU | MO | MK | MY | MT | MX | MC | MA | MZ | NP | NL | AN | AW | NZ | NO | OM | PK | PA | PG | PE | PH | PL | PT | PR | QA | RO | RU | RW | SA | RS | ME | SG | SK | SI | ZA | ES | LK | SE | SD | CH | SY | TW | TH | TT | TN | TR | AE | UA | GB | US | PS | UY | UZ | VE | VN | YE | ZW | JP | AU | CA}
end
Description
Configuration Description Default Value
account-id FortiCloud customer account ID. (Empty)
country Country. US
wireless-controller/timers
CLI Syntax
config wireless-controller timers
edit <name_str>
set echo-interval <integer>
set discovery-interval <integer>
set client-idle-timeout <integer>
set rogue-ap-log <integer>
set fake-ap-log <integer>
set darrp-optimize <integer>
set darrp-day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
config darrp-time
edit <name_str>
set time <string>
end
set sta-stats-interval <integer>
set vap-stats-interval <integer>
set radio-stats-interval <integer>
set sta-capability-interval <integer>
set sta-locate-timer <integer>
end
Description
Configuration  Description  Default Value
echo-interval  Interval before WTP sends Echo Request after joining AC (1 - 255, default = 30 sec).  30
discovery-interval  Interval between Discovery Request (2 - 180 sec, default = 5 sec).  5
client-idle-timeout  Wireless station idle timeout (0 no client-idle check, 20 - 3600 sec, default = 300 sec).  300
rogue-ap-log  Rogue AP periodic log reporting interval (default = 0 min).  0
fake-ap-log  Fake AP periodic log reporting interval (default = 1 min).  1
darrp-optimize  DARRP optimization interval (default = 1800 sec).  1800
darrp-day  Weekday on which DARRP optimization is executed.  (Empty)
darrp-time  Time at which DARRP optimization is executed (up to 8 time points).  (Empty)
sta-stats-interval  WTP interval for which station statistics are sent (1 - 255, default = 1 sec).  1
vap-stats-interval  WTP interval for which VAP statistics are sent (1 - 255, default = 15 sec).  15
radio-stats-interval  WTP interval for which radio statistics are sent (1 - 255, default = 15 sec).  15
sta-capability-interval  WTP interval for which station capability information is sent (1 - 255, default = 30 sec).  30
sta-locate-timer  Interval at which the WTP flushes the station presence (default = 1800 sec).  1800
wireless-controller/vap
CLI Syntax
config wireless-controller vap
edit <name_str>
set name <string>
set vdom <string>
set fast-roaming {enable | disable}
set external-fast-roaming {enable | disable}
set mesh-backhaul {enable | disable}
set max-clients <integer>
set max-clients-ap <integer>
set ssid <string>
set broadcast-ssid {enable | disable}
set security-obsolete-option {enable | disable}
set security {open | captive-portal | wep64 | wep128 | wpa-personal | wpa-personal+captive-portal | wpa-enterprise | wpa-only-personal | wpa-only-personal+captive-portal | wpa-only-enterprise | wpa2-only-personal | wpa2-only-personal+captive-portal | wpa2-only-enterprise}
set pmf {disable | enable | optional}
set pmf-assoc-comeback-timeout <integer>
set pmf-sa-query-retry-timeout <integer>
set okc {disable | enable}
set tkip-counter-measure {enable | disable}
set external-web <string>
set radius-mac-auth {enable | disable}
set radius-mac-auth-server <string>
set auth {psk | radius | usergroup}
set encrypt {TKIP | AES | TKIP-AES}
set keyindex <integer>
set key <password>
set passphrase <password>
set radius-server <string>
set acct-interim-interval <integer>
config usergroup
edit <name_str>
set name <string>
end
set portal-message-override-group <string>
config portal-message-overrides
edit <name_str>
set auth-disclaimer-page <string>
set auth-reject-page <string>
set auth-login-page <string>
set auth-login-failed-page <string>
end
set portal-type {auth | auth+disclaimer | disclaimer | email-collect}
config selected-usergroups
edit <name_str>
set name <string>
end
set security-exempt-list <string>
set security-redirect-url <string>
set intra-vap-privacy {enable | disable}
set schedule <string>
set local-standalone {enable | disable}
set local-standalone-nat {enable | disable}
set ip <ipv4-classnet-host>
set local-bridging {enable | disable}
set split-tunneling {enable | disable}
set local-authentication {enable | disable}
set local-switching {enable | disable}
set vlanid <integer>
set vlan-auto {enable | disable}
set dynamic-vlan {enable | disable}
set alias <string>
set multicast-rate {0 | 6000 | 12000 | 24000}
set multicast-enhance {enable | disable}
set broadcast-suppression {dhcp-up | dhcp-down | dhcp-starvation | arp-known | arp-unknown | arp-reply | arp-poison | netbios-ns | netbios-ds | ipv6 | all-other-mc | all-other-bc}
set me-disable-thresh <integer>
set probe-resp-suppression {enable | disable}
set probe-resp-threshold <string>
set vlan-pooling {wtp-group | round-robin | hash | disable}
config vlan-pool
edit <name_str>
set id <integer>
set wtp-group <string>
end
set ptk-rekey {enable | disable}
set ptk-rekey-intv <integer>
set gtk-rekey {enable | disable}
set gtk-rekey-intv <integer>
set eap-reauth {enable | disable}
set eap-reauth-intv <integer>
set rates-11a {1 | 1-basic | 2 | 2-basic | 5.5 | 5.5-basic | 6 | 6-basic | 9 | 9-basic | 12 | 12-basic | 18 | 18-basic | 24 | 24-basic | 36 | 36-basic | 48 | 48-basic | 54 | 54-basic}
set rates-11bg {1 | 1-basic | 2 | 2-basic | 5.5 | 5.5-basic | 6 | 6-basic | 9 | 9-basic | 12 | 12-basic | 18 | 18-basic | 24 | 24-basic | 36 | 36-basic | 48 | 48-basic | 54 | 54-basic}
set rates-11n-ss12 {mcs0/1 | mcs1/1 | mcs2/1 | mcs3/1 | mcs4/1 | mcs5/1 | mcs6/1 | mcs7/1 | mcs8/2 | mcs9/2 | mcs10/2 | mcs11/2 | mcs12/2 | mcs13/2 | mcs14/2 | mcs15/2}
set rates-11n-ss34 {mcs16/3 | mcs17/3 | mcs18/3 | mcs19/3 | mcs20/3 | mcs21/3 | mcs22/3 | mcs23/3 | mcs24/4 | mcs25/4 | mcs26/4 | mcs27/4 | mcs28/4 | mcs29/4 | mcs30/4 | mcs31/4}
set rates-11ac-ss12 {mcs0/1 | mcs1/1 | mcs2/1 | mcs3/1 | mcs4/1 | mcs5/1 | mcs6/1 | mcs7/1 | mcs8/1 | mcs9/1 | mcs0/2 | mcs1/2 | mcs2/2 | mcs3/2 | mcs4/2 | mcs5/2 | mcs6/2 | mcs7/2 | mcs8/2 | mcs9/2}
set rates-11ac-ss34 {mcs0/3 | mcs1/3 | mcs2/3 | mcs3/3 | mcs4/3 | mcs5/3 | mcs6/3 | mcs7/3 | mcs8/3 | mcs9/3 | mcs0/4 | mcs1/4 | mcs2/4 | mcs3/4 | mcs4/4 | mcs5/4 | mcs6/4 | mcs7/4 | mcs8/4 | mcs9/4}
set mac-filter {enable | disable}
set mac-filter-policy-other {allow | deny}
config mac-filter-list
edit <name_str>
set id <integer>
set mac <mac-address>
set mac-filter-policy {allow | deny}
end
end
Description
Configuration  Description  Default Value
name  Virtual AP name.  (Empty)
vdom  Owning VDOM.  (Empty)
fast-roaming  Enable/disable fast roaming.  enable
external-fast-roaming  Enable/disable fast roaming with external non-managed AP.  disable
mesh-backhaul  Enable/disable mesh backhaul.  disable
max-clients  Maximum number of STAs supported by the VAP.  0
max-clients-ap  Maximum number of STAs supported by the VAP (per AP radio).  0
ssid  IEEE 802.11 Service Set Identifier.  fortinet
broadcast-ssid  Enable/disable SSID broadcast in the beacon.  enable
security-obsolete-option  Enable/disable obsolete security options.  disable
security  Wireless access security of SSID.  wpa2-only-personal
pmf  Protected Management Frames (PMF) support.  disable
pmf-assoc-comeback-timeout  Protected Management Frames (PMF) comeback maximum timeout (1 - 20 sec).  1
pmf-sa-query-retry-timeout  Protected Management Frames (PMF) SA query retry timeout interval (1 - 5 in 100s of msec).  2
okc  Enable/disable Opportunistic Key Caching (OKC).  enable
tkip-counter-measure  Enable/disable TKIP counter measure.  enable
external-web  URL of external authentication web server.  (Empty)
radius-mac-auth  Enable/disable RADIUS-based MAC authentication.  disable
radius-mac-auth-server  RADIUS-based MAC authentication server.  (Empty)
auth  Authentication protocol.  psk
encrypt  Data encryption.  AES
keyindex  WEP key index (1 - 4).  1
key  WEP Key.  (Empty)
passphrase  Pre-shared key for WPA.  (Empty)
radius-server  WiFi RADIUS server.  (Empty)
acct-interim-interval  WiFi RADIUS accounting interim interval (60 - 86400 sec, default = 0).  0
usergroup  Selected user group.  (Empty)
portal-message-override-group  Specify captive portal replacement message override group.  (Empty)
portal-message-overrides  Individual message overrides.  Details below
  Configuration  Default Value
  auth-disclaimer-page  (Empty)
  auth-reject-page  (Empty)
  auth-login-page  (Empty)
  auth-login-failed-page  (Empty)
portal-type  Captive portal type.  auth
selected-usergroups  Selected user group.  (Empty)
security-exempt-list  Security exempt list name.  (Empty)
security-redirect-url  URL redirection after disclaimer/authentication.  (Empty)
intra-vap-privacy  Enable/disable intra-SSID privacy.  disable
schedule  VAP schedule name.  (Empty)
local-standalone  Enable/disable AP local standalone.  disable
local-standalone-nat  Enable/disable AP local standalone NAT mode.  disable
ip  IP address and subnet mask for the local standalone NAT subnet.  [Link] [Link]
local-bridging  Enable/disable FortiAP local VAP-to-Ethernet bridge.  disable
split-tunneling  Enable/disable split tunneling.  disable
local-authentication  Enable/disable AP local authentication.  disable
local-switching  Enable/disable FortiAP local VAP traffic switching.  enable
vlanid  Optional VLAN ID.  0
vlan-auto  Enable/disable automatic management of SSID VLAN interface.  disable
dynamic-vlan  Enable/disable dynamic VLAN assignment.  disable
alias  Alias.  (Empty)
multicast-rate  Multicast rate (kbps).  0
multicast-enhance  Enable/disable multicast enhancement.  disable
broadcast-suppression  Suppress broadcast frames from WiFi clients.  dhcp-up arp-known
me-disable-thresh  Threshold of number of multicast clients to disable multicast enhancement.  32
probe-resp-suppression  Enable/disable probe response suppression.  disable
probe-resp-threshold  Threshold at which FortiAP responds to probe requests (signal level must be no lower than this value).  -80
vlan-pooling  Enable/disable VLAN pooling.  disable
vlan-pool  VLAN pool.  (Empty)
ptk-rekey  Enable/disable PTK rekey for WPA-Enterprise security.  disable
ptk-rekey-intv  PTK rekey interval (1800 - 864000 sec, default = 86400).  86400
gtk-rekey  Enable/disable GTK rekey for WPA security.  disable
gtk-rekey-intv  GTK rekey interval (1800 - 864000 sec, default = 86400).  86400
eap-reauth  Enable/disable EAP re-authentication for WPA-Enterprise security.  disable
eap-reauth-intv  EAP re-authentication interval (1800 - 864000 sec, default = 86400).  86400
rates-11a  Configure allowed data rates for 802.11a.  (Empty)
rates-11bg  Configure allowed data rates for 802.11b/g.  (Empty)
rates-11n-ss12  Configure allowed data rates for 802.11n with 1 or 2 spatial streams.  (Empty)
rates-11n-ss34  Configure allowed data rates for 802.11n with 3 or 4 spatial streams.  (Empty)
rates-11ac-ss12  Configure allowed data rates for 802.11ac with 1 or 2 spatial streams.  (Empty)
rates-11ac-ss34  Configure allowed data rates for 802.11ac with 3 or 4 spatial streams.  (Empty)
mac-filter  Enable/disable MAC filter status.  disable
mac-filter-policy-other  Deny or allow STAs whose MAC addresses are not in the filter list.  allow
mac-filter-list  MAC filter list.  (Empty)
wireless-controller/vap-group
CLI Syntax
config wireless-controller vap-group
edit <name_str>
set name <string>
set comment <var-string>
config vaps
edit <name_str>
set name <string>
end
end
Description
Configuration Description Default Value
name Group Name (Empty)
comment Comment. (Empty)
vaps Selected list of SSIDs to be included in the group. (Empty)
wireless-controller/wids-profile
CLI Syntax
config wireless-controller wids-profile
edit <name_str>
set name <string>
set comment <string>
set ap-scan {disable | enable}
set ap-bgscan-period <integer>
set ap-bgscan-intv <integer>
set ap-bgscan-duration <integer>
set ap-bgscan-idle <integer>
set ap-bgscan-report-intv <integer>
set ap-bgscan-disable-day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set ap-bgscan-disable-start <user>
set ap-bgscan-disable-end <user>
set ap-fgscan-report-intv <integer>
set ap-scan-passive {enable | disable}
set rogue-scan {enable | disable}
set ap-auto-suppress {enable | disable}
set wireless-bridge {enable | disable}
set deauth-broadcast {enable | disable}
set null-ssid-probe-resp {enable | disable}
set long-duration-attack {enable | disable}
set long-duration-thresh <integer>
set invalid-mac-oui {enable | disable}
set weak-wep-iv {enable | disable}
set auth-frame-flood {enable | disable}
set auth-flood-time <integer>
set auth-flood-thresh <integer>
set assoc-frame-flood {enable | disable}
set assoc-flood-time <integer>
set assoc-flood-thresh <integer>
set spoofed-deauth {enable | disable}
set asleap-attack {enable | disable}
set eapol-start-flood {enable | disable}
set eapol-start-thresh <integer>
set eapol-start-intv <integer>
set eapol-logoff-flood {enable | disable}
set eapol-logoff-thresh <integer>
set eapol-logoff-intv <integer>
set eapol-succ-flood {enable | disable}
set eapol-succ-thresh <integer>
set eapol-succ-intv <integer>
set eapol-fail-flood {enable | disable}
set eapol-fail-thresh <integer>
set eapol-fail-intv <integer>
set eapol-pre-succ-flood {enable | disable}
set eapol-pre-succ-thresh <integer>
set eapol-pre-succ-intv <integer>
set eapol-pre-fail-flood {enable | disable}
set eapol-pre-fail-thresh <integer>
set eapol-pre-fail-intv <integer>
set deauth-unknown-src-thresh <integer>
end
Description
Configuration  Description  Default Value
name  WIDS profile name.  (Empty)
comment  Comment.  (Empty)
ap-scan  Enable/disable AP scan.  disable
ap-bgscan-period  Interval between two rounds of scanning (60 - 3600 sec).  600
ap-bgscan-intv  Interval between two scanning channels (1 - 600 sec).  1
ap-bgscan-duration  Listening time on a scanning channel (10 - 1000 msec).  20
ap-bgscan-idle  Channel idle time before scanning channel (0 - 1000 msec).  0
ap-bgscan-report-intv  Interval between two background scan reports (15 - 600 sec).  30
ap-bgscan-disable-day  Weekday on which background scan is disabled.  (Empty)
ap-bgscan-disable-start  Start time at which background scan is disabled.  00:00
ap-bgscan-disable-end  End time at which background scan is disabled.  00:00
ap-fgscan-report-intv  Interval between two foreground scan reports (15 - 600 sec).  15
ap-scan-passive  Enable/disable passive scan on all channels.  disable
rogue-scan  Enable/disable rogue AP on-wire scan.  disable
ap-auto-suppress  Enable/disable on-wire rogue AP auto-suppress.  disable
wireless-bridge  Enable/disable wireless bridge detection.  disable
deauth-broadcast  Enable/disable broadcasting de-authentication detection.  disable
null-ssid-probe-resp  Enable/disable null SSID probe response detection.  disable
long-duration-attack  Enable/disable long duration attack detection based on user configured threshold.  disable
long-duration-thresh  Threshold value (usec) for long duration attack detection.  8200
invalid-mac-oui  Enable/disable invalid MAC OUI detection.  disable
weak-wep-iv  Enable/disable weak WEP IV (Initialization Vector) detection.  disable
auth-frame-flood  Enable/disable authentication frame flooding detection.  disable
auth-flood-time  Number of seconds after which an STA is considered not connected.  10
auth-flood-thresh  The threshold value for authentication flooding.  30
assoc-frame-flood  Enable/disable association frame flooding detection.  disable
assoc-flood-time  Number of seconds after which an STA is considered not connected.  10
assoc-flood-thresh  The threshold value for association flooding.  30
spoofed-deauth  Enable/disable spoofed de-authentication detection.  disable
asleap-attack  Enable/disable asleap attack detection.  disable
eapol-start-flood  Enable/disable EAPOL-Start flooding (to AP) detection.  disable
eapol-start-thresh  The threshold value for EAPOL-Start flooding in specified interval.  10
eapol-start-intv  The detection interval for EAPOL-Start flooding in sec.  1
eapol-logoff-flood  Enable/disable EAPOL-Logoff flooding (to AP) detection.  disable
eapol-logoff-thresh  The threshold value for EAPOL-Logoff flooding in specified interval.  10
eapol-logoff-intv  The detection interval for EAPOL-Logoff flooding in sec.  1
eapol-succ-flood  Enable/disable EAPOL-Success flooding (to AP) detection.  disable
eapol-succ-thresh  The threshold value for EAPOL-Success flooding in specified interval.  10
eapol-succ-intv  The detection interval for EAPOL-Success flooding in sec.  1
eapol-fail-flood  Enable/disable EAPOL-Failure flooding (to AP) detection.  disable
eapol-fail-thresh  The threshold value for EAPOL-Failure flooding in specified interval.  10
eapol-fail-intv  The detection interval for EAPOL-Failure flooding in sec.  1
eapol-pre-succ-flood  Enable/disable premature EAPOL-Success flooding (to STA) detection.  disable
eapol-pre-succ-thresh  The threshold value for premature EAPOL-Success flooding in specified interval.  10
eapol-pre-succ-intv  The detection interval for premature EAPOL-Success flooding in sec.  1
eapol-pre-fail-flood  Enable/disable premature EAPOL-Failure flooding (to STA) detection.  disable
eapol-pre-fail-thresh  The threshold value for premature EAPOL-Failure flooding in specified interval.  10
eapol-pre-fail-intv  The detection interval for premature EAPOL-Failure flooding in sec.  1
deauth-unknown-src-thresh  Threshold value per second to deauth unknown src for DoS attack (0: no limit).  10
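The flood detectors in this profile are all threshold-in-interval counters: the eapol-*-thresh values count frames of one kind from one source within eapol-*-intv seconds, and the auth/assoc pairs use *-flood-thresh with *-flood-time as the window. The following Python is an added illustration of that per-source sliding-window logic run over a constructed frame log; it is not FortiOS code, the frame log is invented, and treating auth-flood-time as the counting window and clearing the window after an alert are this example's assumptions rather than documented FortiOS behaviour. The default values are the ones given in the table above.

```python
from collections import defaultdict, deque


# (window in seconds, frame-count threshold) per frame kind, using the reference
# defaults: auth/assoc take *-flood-time and *-flood-thresh, EAPOL kinds *-intv and *-thresh.
DEFAULT_THRESHOLDS = {
    "auth":         (10, 30),
    "assoc":        (10, 30),
    "eapol-start":  (1, 10),
    "eapol-logoff": (1, 10),
}


class FloodDetector:
    """Per-source sliding-window counter (assumed model of the WIDS flood counters):
    alert when 'thresh' frames of one kind arrive from one source within 'interval' s."""

    def __init__(self, thresholds=DEFAULT_THRESHOLDS):
        self.thresholds = dict(thresholds)
        self.windows = defaultdict(deque)   # (src, kind) -> timestamps inside the window

    def observe(self, ts, src, kind):
        """Feed one frame; return an alert dict when the threshold is reached, else None."""
        if kind not in self.thresholds:
            return None
        interval, thresh = self.thresholds[kind]
        win = self.windows[(src, kind)]
        win.append(ts)
        while win and ts - win[0] > interval:   # drop frames older than the window
            win.popleft()
        if len(win) >= thresh:
            count = len(win)
            win.clear()          # one alert per burst; counting restarts afterwards
            return {"ts": ts, "src": src, "kind": kind, "count": count}
        return None

    def run(self, frames):
        """Process (timestamp, source, kind) records in time order; return the alerts."""
        alerts = []
        for ts, src, kind in sorted(frames):
            alert = self.observe(ts, src, kind)
            if alert:
                alerts.append(alert)
        return alerts


# Constructed frame log: (timestamp in seconds, source MAC, frame kind).
FRAMES = (
    [(i * 0.05, "02:00:5e:00:00:01", "eapol-start") for i in range(10)]   # 10 in 0.45 s
    + [(1.0 + i * 0.4, "02:00:5e:00:00:02", "eapol-start") for i in range(9)]  # spread out
    + [(5.0 + i * 0.15, "02:00:5e:00:00:03", "auth") for i in range(30)]   # 30 in 4.35 s
    + [(5.0 + i * 0.15, "02:00:5e:00:00:04", "auth") for i in range(29)]   # one short
)

if __name__ == "__main__":
    for alert in FloodDetector().run(FRAMES):
        print(alert)
```

The first source trips the EAPOL-Start counter (10 frames within the 1 s interval); the second sends the same number of frames but never more than three per second, so it stays below threshold, and the fourth stops one authentication frame short of the 30-frame auth threshold.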
wireless-controller/wtp
CLI Syntax
config wireless-controller wtp
edit <name_str>
set wtp-id <string>
set index <integer>
set admin {discovered | disable | enable}
set name <string>
set location <string>
set wtp-mode {normal | remote}
set wtp-profile <string>
set override-led-state {enable | disable}
set led-state {enable | disable}
set override-wan-port-mode {enable | disable}
set wan-port-mode {wan-lan | wan-only}
set override-ip-fragment {enable | disable}
set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}
set tun-mtu-uplink <integer>
set tun-mtu-downlink <integer>
set override-split-tunnel {enable | disable}
set split-tunneling-acl-local-ap-subnet {enable | disable}
config split-tunneling-acl
edit <name_str>
set id <integer>
set dest-ip <ipv4-classnet>
end
set override-lan {enable | disable}
config lan
edit <name_str>
set port-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port-ssid <string>
set port1-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port1-ssid <string>
set port2-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port2-ssid <string>
set port3-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port3-ssid <string>
set port4-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port4-ssid <string>
set port5-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port5-ssid <string>
set port6-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port6-ssid <string>
set port7-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port7-ssid <string>
set port8-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port8-ssid <string>
end
set override-allowaccess {enable | disable}
CLI Reference for FortiOS 5.4 862
Fortinet Technologies Inc.
set allowaccess {telnet | http}
set override-login-passwd-change {enable | disable}
set login-passwd-change {yes | default | no}
set login-passwd <password>
config radio-1
edit <name_str>
set radio-id <integer>
set override-band {enable | disable}
set band {802.11a | 802.11b | 802.11g | 802.11n | 802.11n-5G | 802.11n,g-only | 802.11g-only | 802.11n-only | 802.11n-5G-only | 802.11ac | 802.11ac,n-only | 802.11ac-only}
set override-analysis {enable | disable}
set spectrum-analysis {enable | disable}
set override-txpower {enable | disable}
set auto-power-level {enable | disable}
set auto-power-high <integer>
set auto-power-low <integer>
set power-level <integer>
set override-vaps {enable | disable}
set vap-all {enable | disable}
config vaps
edit <name_str>
set name <string>
end
set override-channel {enable | disable}
config channel
edit <name_str>
set chan <string>
end
end
config radio-2
edit <name_str>
set radio-id <integer>
set override-band {enable | disable}
set band {802.11a | 802.11b | 802.11g | 802.11n | 802.11n-5G | 802.11n,g-only | 802.11g-only | 802.11n-only | 802.11n-5G-only | 802.11ac | 802.11ac,n-only | 802.11ac-only}
set override-analysis {enable | disable}
set spectrum-analysis {enable | disable}
set override-txpower {enable | disable}
set auto-power-level {enable | disable}
set auto-power-high <integer>
set auto-power-low <integer>
set power-level <integer>
set override-vaps {enable | disable}
set vap-all {enable | disable}
config vaps
edit <name_str>
set name <string>
end
set override-channel {enable | disable}
config channel
edit <name_str>
set chan <string>
end
end
set image-download {enable | disable}
set mesh-bridge-enable {default | enable | disable}
set coordinate-enable {enable | disable}
set coordinate-x <string>
set coordinate-y <string>
end
Description
Configuration Description Default Value
wtp-id WTP ID. (Empty)
index Index (0 - 4294967295). 0
admin Admin status. enable
name WTP name. (Empty)
location WTP location. (Empty)
wtp-mode WTP mode. normal
wtp-profile WTP profile name. (Empty)
override-led-state Enable/disable override of LED state. disable
led-state Enable/disable use of LEDs on WTP. enable
override-wan-port-mode Enable/disable override of wan-port-mode. disable
wan-port-mode Enable/disable use of WAN port as LAN port. wan-only
override-ip-fragment Enable/disable override of IP fragment prevention. disable
ip-fragment-preventing Prevent IP fragmentation for CAPWAP tunnelled control and data packets. tcp-mss-adjust
tun-mtu-uplink Uplink tunnel MTU. 0
tun-mtu-downlink Downlink tunnel MTU. 0
override-split-tunnel Enable/disable override of split tunneling. disable
split-tunneling-acl-local-ap-subnet Enable/disable split tunneling ACL local AP subnet. disable
split-tunneling-acl Split tunneling ACL filter list. (Empty)
override-lan Enable/disable override of WTP LAN port. disable
lan WTP LAN port mapping. Details below
Configuration Default Value
port-mode offline
port-ssid (Empty)
port1-mode offline
port1-ssid (Empty)
port2-mode offline
port2-ssid (Empty)
port3-mode offline
port3-ssid (Empty)
port4-mode offline
port4-ssid (Empty)
port5-mode offline
port5-ssid (Empty)
port6-mode offline
port6-ssid (Empty)
port7-mode offline
port7-ssid (Empty)
port8-mode offline
port8-ssid (Empty)
override-allowaccess Enable/disable override of management access to managed AP. disable
allowaccess Allow management access to managed AP. (Empty)
override-login-passwd-change Enable/disable override of login password of managed AP. disable
login-passwd-change Configuration options for login password of managed AP. no
login-passwd Login password of managed AP. (Empty)
radio-1 Radio 1. Details below
Configuration Default Value
radio-id 0
override-band disable
band (Empty)
override-analysis disable
spectrum-analysis disable
override-txpower disable
auto-power-level disable
auto-power-high 17
auto-power-low 10
power-level 100
override-vaps disable
vap-all enable
vaps (Empty)
override-channel disable
channel (Empty)
radio-2 Radio 2. Details below
Configuration Default Value
radio-id 1
override-band disable
band (Empty)
override-analysis disable
spectrum-analysis disable
override-txpower disable
auto-power-level disable
auto-power-high 17
auto-power-low 10
power-level 100
override-vaps disable
vap-all enable
vaps (Empty)
override-channel disable
channel (Empty)
image-download Enable/disable WTP image download. enable
mesh-bridge-enable Enable/disable mesh Ethernet bridge when WTP is configured as a mesh branch/leaf AP. default
coordinate-enable Enable/disable WTP coordinates. disable
coordinate-x X axis coordinate. 0
coordinate-y Y axis coordinate. 0
wireless-controller/wtp-profile
CLI Syntax
config wireless-controller wtp-profile
edit <name_str>
set name <string>
set comment <var-string>
config platform
edit <name_str>
set type {FWF | 220A | 220B | 223B | 210B | 222B | 112B | 320B | 11C | 14C | 28C | 320C | 221C | 25D | 222C | 224D | 214B | 21D | 24D | 112D | 223C | 321C | S321C | S323C | S311C | S313C}
end
set wan-port-mode {wan-lan | wan-only}
config lan
edit <name_str>
set port-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port-ssid <string>
set port1-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port1-ssid <string>
set port2-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port2-ssid <string>
set port3-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port3-ssid <string>
set port4-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port4-ssid <string>
set port5-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port5-ssid <string>
set port6-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port6-ssid <string>
set port7-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port7-ssid <string>
set port8-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port8-ssid <string>
end
set led-state {enable | disable}
set dtls-policy {clear-text | dtls-enabled}
set dtls-in-kernel {enable | disable}
set max-clients <integer>
set handoff-rssi <integer>
set handoff-sta-thresh <integer>
set handoff-roaming {enable | disable}
config deny-mac-list
edit <name_str>
set id <integer>
set mac <mac-address>
end
set ap-country {NA | AL | DZ | AO | AR | AM | AT | AZ | BH | BD | BB | BY | BE | BZ | BO | BA | BR | BN | BG | KH | CL | CN | CO | CR | HR | CY | CZ | DK | DO | EC | EG | SV | EE | FI | FR | GE | DE | GR | GL | GD | GU | GT | HT | HN | HK | HU | IS | IN | ID | IR | IE | IL | IT | JM | JO | KZ | KE | KP | KR | KW | LV | LB | LI | LT | LU | MO | MK | MY | MT | MX | MC | MA | MZ | NP | NL | AN | AW | NZ | NO | OM | PK | PA | PG | PE | PH | PL | PT | PR | QA | RO | RU | RW | SA | RS | ME | SG | SK | SI | ZA | ES | LK | SE | SD | CH | SY | TW | TH | TT | TN | TR | AE | UA | GB | US | PS | UY | UZ | VE | VN | YE | ZW | JP | AU | CA}
set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}
set tun-mtu-uplink <integer>
set tun-mtu-downlink <integer>
set split-tunneling-acl-local-ap-subnet {enable | disable}
config split-tunneling-acl
edit <name_str>
set id <integer>
set dest-ip <ipv4-classnet>
end
set allowaccess {telnet | http}
set login-passwd-change {yes | default | no}
set login-passwd <password>
set lldp {enable | disable}
config radio-1
edit <name_str>
set radio-id <integer>
set mode {disabled | ap | monitor | sniffer}
set band {802.11a | 802.11b | 802.11g | 802.11n | 802.11n-5G | 802.11ac | 802.11n,g-only | 802.11g-only | 802.11n-only | 802.11n-5G-only | 802.11ac,n-only | 802.11ac-only}
set protection-mode {rtscts | ctsonly | disable}
set powersave-optimize {tim | ac-vo | no-obss-scan | no-11b-rate | client-rate-follow}
set amsdu {enable | disable}
set coexistence {enable | disable}
set short-guard-interval {enable | disable}
set channel-bonding {80MHz | 40MHz | 20MHz}
set auto-power-level {enable | disable}
set auto-power-high <integer>
set auto-power-low <integer>
set power-level <integer>
set dtim <integer>
set beacon-interval <integer>
set rts-threshold <integer>
set frag-threshold <integer>
set ap-sniffer-bufsize <integer>
set ap-sniffer-chan <integer>
set ap-sniffer-addr <mac-address>
set ap-sniffer-mgmt-beacon {enable | disable}
set ap-sniffer-mgmt-probe {enable | disable}
set ap-sniffer-mgmt-other {enable | disable}
set ap-sniffer-ctl {enable | disable}
set ap-sniffer-data {enable | disable}
set spectrum-analysis {enable | disable}
set wids-profile <string>
set darrp {enable | disable}
set max-clients <integer>
set max-distance <integer>
set frequency-handoff {enable | disable}
set ap-handoff {enable | disable}
set vap-all {enable | disable}
config vaps
edit <name_str>
set name <string>
end
config channel
edit <name_str>
set chan <string>
end
end
config radio-2
edit <name_str>
set radio-id <integer>
set mode {disabled | ap | monitor | sniffer}
set band {802.11a | 802.11b | 802.11g | 802.11n | 802.11n-5G | 802.11ac | 802.11n,g-only | 802.11g-only | 802.11n-only | 802.11n-5G-only | 802.11ac,n-only | 802.11ac-only}
set protection-mode {rtscts | ctsonly | disable}
set powersave-optimize {tim | ac-vo | no-obss-scan | no-11b-rate | client-rate-follow}
set amsdu {enable | disable}
set coexistence {enable | disable}
set short-guard-interval {enable | disable}
set channel-bonding {80MHz | 40MHz | 20MHz}
set auto-power-level {enable | disable}
set auto-power-high <integer>
set auto-power-low <integer>
set power-level <integer>
set dtim <integer>
set beacon-interval <integer>
set rts-threshold <integer>
set frag-threshold <integer>
set ap-sniffer-bufsize <integer>
set ap-sniffer-chan <integer>
set ap-sniffer-addr <mac-address>
set ap-sniffer-mgmt-beacon {enable | disable}
set ap-sniffer-mgmt-probe {enable | disable}
set ap-sniffer-mgmt-other {enable | disable}
set ap-sniffer-ctl {enable | disable}
set ap-sniffer-data {enable | disable}
set spectrum-analysis {enable | disable}
set wids-profile <string>
set darrp {enable | disable}
set max-clients <integer>
set max-distance <integer>
set frequency-handoff {enable | disable}
set ap-handoff {enable | disable}
set vap-all {enable | disable}
config vaps
edit <name_str>
set name <string>
end
config channel
edit <name_str>
set chan <string>
end
end
config lbs
edit <name_str>
set ekahau-blink-mode {enable | disable}
set ekahau-tag <mac-address>
set erc-server-ip <ipv4-address-any>
set erc-server-port <integer>
set aeroscout {enable | disable}
set aeroscout-server-ip <ipv4-address-any>
set aeroscout-server-port <integer>
set aeroscout-mu-factor <integer>
set aeroscout-mu-timeout <integer>
set fortipresence {enable | disable}
set fortipresence-server <ipv4-address-any>
set fortipresence-port <integer>
set fortipresence-secret <password>
set fortipresence-project <string>
set fortipresence-frequency <integer>
set fortipresence-rogue {enable | disable}
set fortipresence-unassoc {enable | disable}
set station-locate {enable | disable}
end
end
Description
Configuration Description Default Value
name WTP profile name. (Empty)
comment Comment. (Empty)
platform WTP platform. Details below
Configuration Default Value
type 220B
wan-port-mode Enable/disable use of WAN port as LAN port. wan-only
lan WTP LAN port mapping. Details below
Configuration Default Value
port-mode offline
port-ssid (Empty)
port1-mode offline
port1-ssid (Empty)
port2-mode offline
port2-ssid (Empty)
port3-mode offline
port3-ssid (Empty)
port4-mode offline
port4-ssid (Empty)
port5-mode offline
port5-ssid (Empty)
port6-mode offline
port6-ssid (Empty)
port7-mode offline
port7-ssid (Empty)
port8-mode offline
port8-ssid (Empty)
led-state Enable/disable use of LEDs on WTP. enable
dtls-policy WTP data channel DTLS policy. clear-text
dtls-in-kernel Enable/disable data channel DTLS in kernel. disable
max-clients Maximum number of STAs supported by the WTP. 0
handoff-rssi Minimum RSSI value for handoff. 25
handoff-sta-thresh Threshold value for AP handoff. 30
handoff-roaming Enable/disable handoff when a client is roaming. enable
deny-mac-list Deny MAC filter list. (Empty)
ap-country AP country code. NA
ip-fragment-preventing Prevent IP fragmentation for CAPWAP tunneled control and data packets. tcp-mss-adjust
tun-mtu-uplink Uplink tunnel MTU. 0
tun-mtu-downlink Downlink tunnel MTU. 0
split-tunneling-acl-local-ap-subnet Enable/disable split tunneling ACL local AP subnet. disable
split-tunneling-acl Split tunneling ACL filter list. (Empty)
allowaccess Allow management access to managed AP. (Empty)
login-passwd-change Configuration options for login password of managed AP. no
login-passwd Login password of managed AP. (Empty)
lldp Enable/disable LLDP. disable
radio-1 Radio 1. Details below
Configuration Default Value
radio-id 0
mode ap
band (Empty)
protection-mode disable
powersave-optimize (Empty)
amsdu enable
coexistence enable
short-guard-interval disable
channel-bonding 20MHz
auto-power-level disable
auto-power-high 17
auto-power-low 10
power-level 100
dtim 1
beacon-interval 100
rts-threshold 2346
frag-threshold 2346
ap-sniffer-bufsize 16
ap-sniffer-chan 36
ap-sniffer-addr 00:00:00:00:00:00
ap-sniffer-mgmt-beacon enable
ap-sniffer-mgmt-probe enable
ap-sniffer-mgmt-other enable
ap-sniffer-ctl enable
ap-sniffer-data enable
spectrum-analysis disable
wids-profile (Empty)
darrp disable
max-clients 0
max-distance 0
frequency-handoff disable
ap-handoff disable
vap-all enable
vaps (Empty)
channel (Empty)
radio-2 Radio 2. Details below
Configuration Default Value
radio-id 1
mode ap
band (Empty)
protection-mode disable
powersave-optimize (Empty)
amsdu enable
coexistence enable
short-guard-interval disable
channel-bonding 20MHz
auto-power-level disable
auto-power-high 17
auto-power-low 10
power-level 100
dtim 1
beacon-interval 100
rts-threshold 2346
frag-threshold 2346
ap-sniffer-bufsize 16
ap-sniffer-chan 6
ap-sniffer-addr 00:00:00:00:00:00
ap-sniffer-mgmt-beacon enable
ap-sniffer-mgmt-probe enable
ap-sniffer-mgmt-other enable
ap-sniffer-ctl enable
ap-sniffer-data enable
spectrum-analysis disable
wids-profile (Empty)
darrp disable
max-clients 0
max-distance 0
frequency-handoff disable
ap-handoff disable
vap-all enable
vaps (Empty)
channel (Empty)
lbs Location based service. Details below
Configuration Default Value
ekahau-blink-mode disable
ekahau-tag 00:00:00:00:00:00
erc-server-ip 0.0.0.0
erc-server-port 8569
aeroscout disable
aeroscout-server-ip 0.0.0.0
aeroscout-server-port 0
aeroscout-mu-factor 20
aeroscout-mu-timeout 5
fortipresence disable
fortipresence-server 0.0.0.0
fortipresence-port 3000
fortipresence-secret fortinet
fortipresence-project fortipresence
fortipresence-frequency 30
fortipresence-rogue disable
fortipresence-unassoc disable
station-locate disable
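The wtp-profile defaults above, together with the per-AP overrides in the wtp table, decide several things an auditor cares about: dtls-policy defaults to clear-text, so client traffic inside the CAPWAP data channel is not encrypted between AP and controller; allowaccess offers only telnet and http, both cleartext; login-passwd-change defaults to no, leaving the AP's own login password unchanged; every AP Ethernet port is offline unless a lan port-mode bridges or NATs it; and a radio without a wids-profile runs no intrusion detection. An AP entry can re-enable any of these with override-allowaccess, override-lan or override-login-passwd-change even when its profile is clean. The following Python is an added example, not code from this reference or from FortiOS: it parses text in the config/edit/set/next/end shape of a FortiOS backup and reports profiles and APs left at those weak defaults. The sample configuration, the profile and AP names, and the finding messages are constructed for illustration.

```python
import shlex

def parse_fortios(text):
    """Parse FortiOS CLI config text (config/edit/set/unset/next/end) into nested dicts."""
    root = {}
    stack = [root]                      # innermost open block is stack[-1]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, *args = shlex.split(line)   # shlex keeps quoted names such as "AP-lobby" together
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]   # value list; an absent key means 'left at default'
        elif kw == "unset":
            stack[-1][args[0]] = []
        elif kw in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected keyword {kw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit blocks")
    return root

def _check_access(obj, name, findings):
    # allowaccess offers only telnet and http on this page; both carry AP credentials in cleartext.
    for proto in obj.get("allowaccess", []):
        findings.append((name, "allowaccess", f"cleartext AP management protocol {proto!r} enabled"))
    # Any AP Ethernet port that is not offline puts whatever is plugged into the AP onto the network.
    for key, val in obj.get("lan", {}).items():
        if key.endswith("-mode") and val and val != ["offline"]:
            findings.append((name, f"lan.{key}", f"AP Ethernet port is {val[0]}"))

def audit_profile(name, prof):
    findings = []
    if (prof.get("dtls-policy") or ["clear-text"]) == ["clear-text"]:
        findings.append((name, "dtls-policy", "CAPWAP data channel is clear-text (the default)"))
    if (prof.get("login-passwd-change") or ["no"]) != ["yes"]:
        findings.append((name, "login-passwd-change", "managed-AP login password not set by the controller"))
    for radio in ("radio-1", "radio-2"):
        r = prof.get(radio, {})
        if (r.get("mode") or ["ap"]) != ["disabled"] and not r.get("wids-profile"):
            findings.append((name, f"{radio}.wids-profile", "radio serves clients with no WIDS profile"))
    _check_access(prof, name, findings)
    return findings

def audit_wtp(name, wtp):
    # A per-AP override can undo the profile; report only what this AP actually overrides.
    findings = []
    overridden = {k: wtp[k] for k in ("allowaccess", "lan") if k in wtp and wtp.get(f"override-{k}") == ["enable"]}
    _check_access(overridden, name, findings)
    if wtp.get("override-login-passwd-change") == ["enable"] and wtp.get("login-passwd-change") != ["yes"]:
        findings.append((name, "login-passwd-change", "AP override leaves the login password unchanged"))
    return findings

def audit(cfg):
    findings = []
    for name, prof in cfg.get("wireless-controller wtp-profile", {}).items():
        findings += audit_profile(name, prof)
    for name, wtp in cfg.get("wireless-controller wtp", {}).items():
        findings += audit_wtp(name, wtp)
    return findings

# Constructed sample in FortiOS backup syntax (not a device export); names are placeholders.
SAMPLE_BACKUP = """\
config wireless-controller wtp-profile
    edit "weak-default"
        set allowaccess telnet http
    next
    edit "hardened"
        set dtls-policy dtls-enabled
        set login-passwd-change yes
        config radio-1
            set wids-profile "default-wids"
        end
        config radio-2
            set mode disabled
        end
    next
end
config wireless-controller wtp
    edit "AP-lobby"
        set wtp-profile "hardened"
        set override-allowaccess enable
        set allowaccess http
        set override-lan enable
        config lan
            set port1-mode bridge-to-wan
        end
    next
end
"""

if __name__ == "__main__":
    for obj, setting, msg in audit(parse_fortios(SAMPLE_BACKUP)):
        print(f"{obj}: {setting}: {msg}")
```

Run against the sample, the "weak-default" profile produces six findings even though it sets almost nothing, because the checks apply the documented defaults to every absent key; the "hardened" profile produces none; and "AP-lobby", although it uses the hardened profile, is reported for the http management access and the bridged Ethernet port it re-enables through its overrides. Point the parser at a real `execute backup config` file to run the same checks on a live controller.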
execute
The execute commands perform immediate operations on the FortiGate unit, including:
- Maintenance operations, such as back up and restore the system configuration, reset the configuration to factory settings, update antivirus and attack definitions, view and delete log messages, set the date and time.
- Network operations, such as view and clear DHCP leases, clear arp table entries, use ping or traceroute to diagnose network problems.
- Generate certificate requests and install certificates for VPN authentication.
backup
Back up the FortiGate configuration files, logs, or IPS user-defined signatures file to a TFTP or FTP server, USB
disk, or a management station. Management stations can either be a FortiManager unit, or FortiGuard Analysis
and Management Service. For more information, see the system fortiguard and system central-management commands in the config section.
When virtual domain configuration is enabled (in global, vdom-admin is enabled), the content of the backup file
depends on the administrator account that created it.
A backup of the system configuration from the super admin account contains the global settings and the settings
for all of the VDOMs. Only the super admin can restore the configuration from this file.
When you back up the system configuration from a regular administrator account, the backup file contains the
global settings and the settings for the VDOM to which the administrator belongs. Only a regular administrator
account can restore the configuration from this file.
Syntax
execute backup config flash <comment>
execute backup config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute backup config management-station <comment_str>
execute backup config tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute backup config usb <filename_str> [<backup_password_str>]
execute backup config usb-mode [<backup_password_str>]
execute backup config-with-forticlient-info ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute backup config-with-forticlient-info tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute backup config-with-forticlient-info usb [<backup_password_str>]
execute backup config-with-forticlient-info usb-mode [<backup_password_str>]
execute backup full-config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute backup full-config tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute backup full-config usb <filename_str> [<backup_password_str>]
execute backup full-config usb-mode <filename_str> [<backup_password_str>]
execute backup ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]]
execute backup ipsuserdefsig tftp <filename_str> <server_ipv4>
execute backup {disk | memory} alllogs ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute backup {disk | memory} alllogs tftp <server_ipv4>
execute backup {disk | memory} alllogs usb
execute backup {disk | memory} log ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> <username_str> <password_str> {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}
execute backup {disk | memory} log tftp <server_ipv4> {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}
execute backup {disk | memory} log usb {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}
Variable Description

config flash <comment>
    Back up the system configuration to the flash disk. Optionally, include a comment.

config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
    Back up the system configuration to an FTP server. Optionally, you can specify a password to protect the saved data.

config management-station <comment_str>
    Back up the system configuration to a configured management station. If you are adding a comment, do not add spaces, underscore characters (_), quotation marks (" ") or any other punctuation marks. The comment you enter displays in both the portal website and the FortiGate web-based manager (System > Maintenance > Revision).

config tftp <filename_str> <server_ipv4> [<backup_password_str>]
    Back up the system configuration to a file on a TFTP server. Optionally, you can specify a password to protect the saved data.

config usb <filename_str> [<backup_password_str>]
    Back up the system configuration to a file on a USB disk. Optionally, you can specify a password to protect the saved data.

config usb-mode [<backup_password_str>]
    Back up the system configuration to a USB disk (Global admin only). Optionally, you can specify a password to protect the saved data.

config-with-forticlient-info ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
    Back up the system configuration to a file on an FTP server. Optionally, you can specify a password to protect the saved data.

config-with-forticlient-info tftp <filename_str> <server_ipv4> [<backup_password_str>]
    Back up the system configuration to a file on a TFTP server. Optionally, you can specify a password to protect the saved data.

config-with-forticlient-info usb [<backup_password_str>]
    Back up the system configuration to a file on a USB disk. Optionally, you can specify a password to protect the saved data.

config-with-forticlient-info usb-mode [<backup_password_str>]
    Back up the system configuration to a USB disk (Global admin only). Optionally, you can specify a password to protect the saved data.

full-config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
    Back up the full system configuration to a file on an FTP server. You can optionally specify a password to protect the saved data.

full-config tftp <filename_str> <server_ipv4> [<backup_password_str>]
    Back up the full system configuration to a file on a TFTP server. You can optionally specify a password to protect the saved data.

full-config usb <filename_str> [<backup_password_str>]
    Back up the full system configuration to a file on a USB disk. You can optionally specify a password to protect the saved data.

full-config usb-mode <filename_str> [<backup_password_str>]
    Back up the full system configuration to a file on a USB disk (Global admin only). You can optionally specify a password to protect the saved data.

ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]]
    Back up IPS user-defined signatures to a file on an FTP server.

ipsuserdefsig tftp <filename_str> <server_ipv4>
    Back up IPS user-defined signatures to a file on a TFTP server.

{disk | memory} alllogs ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
    Back up either all memory or all hard disk log files for this VDOM to an FTP server. The disk option is available on FortiGate models that log to a hard disk. The file name has the form: <log_file_name>_<VDOM>_<date>_<time>

{disk | memory} alllogs tftp <server_ipv4>
    Back up either all memory or all hard disk log files for this VDOM to a TFTP server. The disk option is available on FortiGate models that log to a hard disk. The file name has the form: <log_file_name>_<VDOM>_<date>_<time>

{disk | memory} alllogs usb
    Back up either all memory or all hard disk log files for this VDOM to a USB disk. The disk option is available on FortiGate models that log to a hard disk. The file name has the form: <log_file_name>_<VDOM>_<date>_<time>

{disk | memory} log ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> <username_str> <password_str> {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}
    Back up the specified type of log file from either hard disk or memory to an FTP server. The disk option is available on FortiGate models that log to a hard disk.

{disk | memory} log tftp <server_ipv4> {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}
    Back up the specified type of log file from either hard disk or memory to a TFTP server. The disk option is available on FortiGate models that log to a hard disk.

{disk | memory} log usb {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}
    Back up the specified type of log file from either hard disk or memory to a USB disk. The disk option is available on FortiGate models that log to a hard disk.
Example
This example shows how to back up the FortiGate unit system configuration to a file named fgt.cfg on a
TFTP server at IP address 192.168.1.23:
execute backup config tftp fgt.cfg 192.168.1.23
TFTP and FTP carry the file unencrypted. Supply <backup_password_str> unless the server is on a trusted management network; without it the saved configuration is readable in plaintext by anyone who can observe the transfer or read the server.
batch
Execute a series of CLI commands. execute batch commands are controlled by the Maintenance (mntgrp)
access control group.
Syntax
execute batch [<cmd_cue>]
where <cmd_cue> is one of:
end — exit session and run the batch commands
lastlog — read the result of the last batch commands
start — start batch mode
status — batch mode status reporting if batch mode is running or stopped
Example
To start batch mode:
execute batch start
Enter batch mode...
To enter commands to run in batch mode:
config system global
set refresh 5
end
To execute the batch commands:
execute batch end
Exit and run batch commands...
bypass-mode
Use this command to manually switch a FortiGate-600C or FortiGate-1000C into bypass mode. This is available
in transparent mode only. If manually switched to bypass mode, the unit remains in bypass-mode until bypass
mode is disabled.
Syntax
execute bypass-mode {enable | disable}
carrier-license
Use this command to enter a FortiOS Carrier license key if you have installed a FortiOS Carrier build on a
FortiGate unit and need to enter a license key to enable FortiOS Carrier functionality.
Contact Fortinet Support for more information about this command.
Syntax
execute carrier-license <license_key>
Variable Description
<license_key> Enter the FortiOS Carrier license key supplied by Fortinet.
central-mgmt
Update Central Management Service account information. Also used to receive configuration file updates from an
attached FortiManager unit.
Syntax
execute central-mgmt set-mgmt-id <management_id>
execute central-mgmt register-device <fmg-serial-number> <fmg-register-password> <fgt-user-name> <fgt-password>
execute central-mgmt unregister-device <fmg-serial-number>
set-mgmt-id is used to change or initially set the management ID, or your account number for Central
Management Services. This account ID must be set for the service to be enabled.
register-device registers the FortiGate unit with a specific FortiManager unit specified by serial number.
You must also specify the administrator name and password that the FortiManager unit uses to log on to the
FortiGate unit.
unregister-device removes the FortiGate unit from the specified FortiManager unit’s device list.
update is used to update your Central Management Service contract with your new management account ID.
This command is to be used if there are any changes to your management service account.
Example
If you are registering with the Central Management Service for the first time, and your account number is 123456,
you would enter the following:
execute central-mgmt set-mgmt-id 123456
cfg reload
Use this command to restore the saved configuration when the configuration change mode is manual or
revert. This command has no effect if the mode is automatic, the default. The set cfg-save command
in system global sets the configuration change mode.
When you reload the saved system configuration, your session ends and the FortiGate unit restarts.
In the default configuration change mode, automatic, CLI commands become part of the saved unit
configuration when you execute them by entering either next or end.
In manual mode, commands take effect but do not become part of the saved configuration unless you execute
the execute cfg save command. When the FortiGate unit restarts, the saved configuration is loaded.
Configuration changes that were not saved are lost.
The revert mode is similar to manual mode, except that unsaved configuration changes are reverted automatically if
the administrative session is idle for more than a specified timeout period. This provides a way to recover from an
erroneous configuration change, such as changing the IP address of the interface you are using for
administration. You set the timeout in system global using the set cfg-revert-timeout command.
Syntax
execute cfg reload
Example
This is sample output from the command when successful:
# execute cfg reload
configs reloaded. system will reboot.
This is sample output from the command when not in runtime-only configuration mode:
# execute cfg reload
no config to be reloaded.
cfg save
Use this command to save configuration changes when the configuration change mode is manual or revert. If
the mode is automatic, the default, all changes are added to the saved configuration as you make them and
this command has no effect. The set cfg-save command in system global sets the configuration change
mode.
In manual mode, commands take effect but do not become part of the saved configuration unless you execute
the execute cfg save command. When the FortiGate unit restarts, the saved configuration is loaded.
Configuration changes that were not saved are lost.
The revert mode is similar to manual mode, except that configuration changes are reverted automatically if
the administrative session is idle for more than a specified timeout period. This provides a way to recover from an
erroneous configuration change, such as changing the IP address of the interface you are using for
administration. To change the timeout from the default of 600 seconds, go to system global and use the
set cfg-revert-timeout command.
Syntax
execute cfg save
Example
This is sample output from the command:
# execute cfg save
config saved.
This is sample output when not in runtime-only configuration mode. It also occurs when in runtime-only
configuration mode and no changes have been made:
# execute cfg save
no config to be saved.
clear system arp table
Clear all the entries in the arp table.
Syntax
execute clear system arp table
cli check-template-status
Reports the status of the secure copy protocol (SCP) script template.
Syntax
execute cli check-template-status
cli status-msg-only
Enable or disable displaying standardized CLI error output messages. If executed, this command stops other
debug messages from displaying in the current CLI session. This command is used for compatibility with
FortiManager.
Syntax
execute cli status-msg-only [enable | disable]
Variable Description Default
status-msg-only [enable | disable] Enable or disable standardized CLI error output messages. Entering the command without enable or disable disables displaying standardized output. enable
client-reputation
Use these commands to retrieve or remove client reputation information.
Syntax
To erase all client reputation data
execute client-reputation erase
To retrieve client reputation host count
execute client-reputation host-count <rows>
To retrieve client reputation host details
execute client-reputation host detail <host>
To retrieve client reputation host summary
execute client-reputation host summary <host>
To purge old data
execute client-reputation purge
To view the top n records
execute client-reputation <n | all>
date
Get or set the system date.
Syntax
execute date [<date_str>]
date_str has the form yyyy-mm-dd, where
yyyy is the year and can be 2001 to 2037
mm is the month and can be 01 to 12
dd is the day of the month and can be 01 to 31
If you do not specify a date, the command returns the current system date. Shortened values, such as ‘06’
instead of ‘2006’ for the year or ‘1’ instead of ‘01’ for month or day, are not valid.
Example
This example sets the date to 17 September 2004:
execute date 2004-09-17
disk
Use this command to list and format hard disks installed in FortiGate units or individual partitions on these hard
disks.
Syntax
execute disk format <partition1_ref_int> [...<partitionn_ref_int>]
execute disk list
execute disk scan <ref_int>
Variable Description
format
  Format the referenced disk partitions or disks. Separate reference numbers with spaces. If you enter a partition reference number, the disk partition is formatted. If you enter a disk reference number, the entire disk and all of its partitions are formatted.
list
  List the disks and partitions and the reference number for each one.
scan
  Scan a disk or partition and repair errors.
<ref_int>
  Disk (device) or partition reference number.
The execute disk format command formats the specified partitions or disks and then reboots the system if
a reboot is required.
In most cases you need to format the entire disk only if there is a problem with the partition. Formatting the
partition removes all data from the partition. Formatting the disk removes all data from the entire disk and creates
a single partition on the disk.
Examples
Use the following command to list the disks and partitions.
execute disk list
Disk Internal(boot) ref: 14.9GB type: SSD [ATA SanDisk SSD U100] dev: /dev/sda
partition ref: 3 14.4GB, 14.4GB free mounted: Y label: 7464A257123E07BB dev: /dev/sda3
In this example, there is only one partition and its reference number is 3.
Enter the following command to format the partition.
execute disk format 3
After a confirmation message the FortiGate unit formats the partition and restarts. This can take a few minutes.
disk raid
Use this command to view information about and change the raid settings on FortiGate units that support RAID.
Syntax
execute disk raid disable
execute disk raid enable {Raid-0 | Raid-1 | Raid-5}
execute disk raid rebuild
execute disk raid status
Variable Description
disable
  Disable RAID for the FortiGate unit.
enable {Raid-0 | Raid-1 | Raid-5}
  Change the RAID level on the FortiGate unit.
rebuild
  Rebuild RAID on the FortiGate unit at the same RAID level. You can only execute this command if a RAID error has been detected. Changing the RAID level takes a while and deletes all data on the disk array.
status
  Display information about the RAID disk array in the FortiGate unit.
Examples
Use the following command to display information about the RAID disk array in a FortiGate-82C.
execute disk raid status
RAID Level: Raid-1
RAID Status: OK
RAID Size: 1000GB
Disk 1: OK Used 1000GB
Disk 2: OK Used 1000GB
Disk 3: OK Used 1000GB
Disk 4: Unavailable Not-Used 0GB
disk scan
Use this command to run a disk check operation.
Syntax
execute disk scan <ref_int>
where <ref_int> is the partition "ref:" number for the disk, as shown by execute disk list.
The operation requires the FortiGate unit to reboot. The command responds:
Example
# execute disk scan 3
scan requested for: 3/Internal (device=/dev/sda3)
This action requires the unit to reboot.
Do you want to continue? (y/n)
dhcp lease-clear
Clear all DHCP address leases.
Syntax
For IPv4:
execute dhcp lease-clear
For IPv6
execute dhcp6 lease-clear
dhcp lease-list
Display DHCP leases on a given interface
Syntax
For IPv4:
execute dhcp lease-list [interface_name]
For IPv6:
execute dhcp6 lease-list [interface_name]
If you specify an interface, the command lists only the leases issued on that interface. Otherwise, the list includes
all leases issued by DHCP servers on the FortiGate unit.
If there are no DHCP leases in use on the FortiGate unit, an error is returned.
disconnect-admin-session
Disconnect an administrator who is logged in.
Syntax
execute disconnect-admin-session <index_number>
To determine the index of the administrator that you want to disconnect, view the list of logged-in administrators
by using the following command:
execute disconnect-admin-session ?
The list of logged-in administrators looks like this:
Connected:
INDEX USERNAME TYPE FROM TIME
0 admin WEB [Link] Mon Aug 14 [Link] 2006
1 admin2 CLI ssh([Link]) Mon Aug 14 [Link] 2006
Example
This example shows how to disconnect the logged administrator admin2 from the above list.
execute disconnect-admin-session 1
enter
Use this command to go from global commands to a specific virtual domain (VDOM).
Only available when virtual domains are enabled and you are in config global.
After you enter the VDOM, the prompt will not change from “(global)”. However, you will be in the VDOM with
all the commands that are normally available in VDOMs.
Syntax
execute enter <vdom>
Use “?” to see a list of available VDOMs.
erase-disk
Use this command to reformat the boot device or an attached hard disk. Optionally, this command can restore
the image from a TFTP server after erasing.
Syntax
execute erase-disk <disk_name>
The <disk_name> for the boot device is boot.
factoryreset
Reset the FortiGate configuration to factory default settings.
Syntax
execute factoryreset [keepvmlicense]
If keepvmlicense is specified (VM models only), the VM license is retained after reset.
Apart from the keepvmlicense option, this procedure deletes all changes that you have made to the FortiGate
configuration and reverts the system to its original configuration, including resetting interface addresses.
factoryreset2
Reset the FortiGate configuration to factory default settings except VDOM and interface settings.
Syntax
execute factoryreset2 [keepvmlicense]
If keepvmlicense is specified (VM models only), the VM license is retained after reset.
formatlogdisk
Format the FortiGate hard disk to enhance performance for logging.
Syntax
execute formatlogdisk
In addition to deleting logs, this operation will erase all other data on the
disk, including system configuration, quarantine files, and databases for
antivirus and IPS.
forticarrier-license
Use this command to perform a FortiCarrier license upgrade.
Syntax
execute forticarrier-license <activation-code>
forticlient
Use these commands to manage FortiClient licensing.
Syntax
To view FortiClient license information
execute forticlient info
To show current FortiClient count
execute forticlient list <connection_type>
where <connection_type> is one of:
0 - IPsec
1 - SSLVPN
2 - NAC (Endpoint Security)
3 - WAN optimization
4 - Test
To upgrade FortiClient licenses
execute forticlient upgrade <license_key_str>
FortiClient-NAC
Use the following command to load a FortiClient license onto a FortiGate unit.
Syntax
execute FortiClient-NAC update-registration-license <code>
where <code> is the FortiClient registration license key/activation code.
fortiguard-log
Use this to manage FortiGuard Analysis and Management Service (FortiCloud) operation.
Syntax
To create a FortiCloud account
execute fortiguard-log create-account
To perform FortiCloud certification
execute fortiguard-log certification
To retrieve the FortiCloud agreement
execute fortiguard-log agreement
To test connection to a FortiCloud account
execute fortiguard-log try <account-id> <password>
To join FortiCloud
execute fortiguard-log join
To log in to a FortiCloud account
execute fortiguard-log login <account-id> <password>
To update the FortiGuard Analysis and Management Service contract
execute fortiguard-log update
fortitoken
Use these commands to activate and synchronize a FortiToken device. FortiToken devices are used in two-factor
authentication of administrator and user account logons. The device generates a random six-digit code that you
enter during the logon process along with user name and password.
Before they can be used to authenticate account logins, FortiToken devices must be activated with the
FortiGuard service. When successfully activated, the status of the FortiToken device will change from New to
Active.
Synchronization is sometimes needed due to the internal clock drift of the FortiToken device. It is not unusual for
new FortiToken units to require synchronization before being put into service. Synchronization is accomplished by
entering two sequential codes provided by the FortiToken.
Syntax
To activate one or more FortiToken devices
execute fortitoken activate <serial_number> [serial_number2 ... serial_numbern]
To import FortiToken OTP seeds
execute fortitoken import <seeds_file> <seeds_file_preshared_key>
To synchronize a FortiToken device
execute fortitoken sync <serial_number> <code> <next code>
To import a set of FortiToken serial numbers
execute fortitoken import-sn-file <ftk-sn>
FortiCare returns a set of 200 serial numbers that are in the same serial number range as the specified
FortiToken device.
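Why two sequential codes are enough to resynchronize a drifted token, as an added example that is not Fortinet's or FortiToken's code: it assumes a standard RFC 6238 TOTP token (HMAC-SHA1, six digits) with an assumed 60-second time step and a constructed seed; the page does not give the real FortiToken parameters.

```python
"""TOTP generation and two-code resynchronization (added example, not FortiOS code).

Assumptions not stated on the page: the token implements RFC 6238 TOTP
(HMAC-SHA1, 6 digits) with a 60-second time step, and clock drift is
expressed in whole time steps.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60      # assumed token period
DIGITS = 6             # six-digit code, as the page states
MAX_DRIFT_STEPS = 20   # assumed resync search window (+/- 20 steps)


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def token_counter(unix_time: int) -> int:
    """Time step a token with a correct clock is in at the given Unix time (RFC 6238 T)."""
    return unix_time // STEP_SECONDS


def totp(seed: bytes, unix_time: int) -> str:
    """Code a drift-free token displays at unix_time."""
    return hotp(seed, token_counter(unix_time))


def resync(seed: bytes, code1: str, code2: str, server_time: int,
           max_drift: int = MAX_DRIFT_STEPS):
    """Recover the token's clock drift (in steps) from two sequential codes.

    The user submits the code currently displayed (code1) and the one that
    follows it (code2). At submission the token is in step c + 1, where
    hotp(c) == code1 and hotp(c + 1) == code2. Searching c within +/- max_drift
    of the server's own step yields the offset between the two clocks; a single
    code could not pin this down, since any step in the window is a candidate.
    Returns None when no offset in the window fits both codes.
    """
    base = token_counter(server_time)
    for c in range(base - max_drift, base + max_drift + 1):
        if hotp(seed, c) == code1 and hotp(seed, c + 1) == code2:
            return (c + 1) - base   # positive: the token's clock runs ahead
    return None


def verify(seed: bytes, code: str, server_time: int, drift: int = 0,
           window: int = 1) -> bool:
    """Check one code, compensating for the stored drift and allowing
    +/- window steps for the time the user takes to type it."""
    expected = token_counter(server_time) + drift
    return any(hmac.compare_digest(hotp(seed, expected + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    # Constructed scenario: a token whose clock runs three steps ahead of the server.
    seed = b"constructed-seed-not-a-real-token"
    now = 1_700_000_000
    ahead = 3
    first = hotp(seed, token_counter(now) + ahead - 1)   # code shown first
    second = hotp(seed, token_counter(now) + ahead)      # next code shown
    drift = resync(seed, first, second, now)
    print("recovered drift (steps):", drift)
    later = now + 5 * STEP_SECONDS
    print("later code accepted with drift:", verify(seed, hotp(seed, token_counter(later) + ahead), later, drift))
```

A server that stores the recovered drift per token can keep accepting codes without widening its verification window for every login.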
fortitoken-mobile
Use these commands to activate and synchronize a FortiToken Mobile card. FortiToken Mobile cards are used in
two-factor authentication of administrator and user account logons. The FortiGate unit sends a random six-digit
code to the mobile device by email or SMS that the user enters during the logon process along with user name
and password.
Syntax
To import the FortiToken Mobile card serial number
execute fortitoken-mobile import <activation_code>
To poll a FortiToken Mobile token state
execute fortitoken-mobile poll
To provision a FortiToken Mobile token
execute fortitoken-mobile provision <token_serial_number>
fsso refresh
Use this command to manually refresh user group information from Directory Service servers connected to the
FortiGate unit using the Fortinet Single Sign On (FSSO) agent.
Syntax
execute fsso refresh
ha disconnect
Use this command to disconnect a FortiGate unit from a functioning cluster. You must specify the serial number
of the unit to be disconnected. You must also specify an interface name and assign an IP address and netmask to
this interface of the disconnected unit. You can disconnect any unit from the cluster, including the primary unit. After
the unit is disconnected the cluster responds as if the disconnected unit has failed. The cluster may renegotiate
and may select a new primary unit.
To disconnect the unit from the cluster, the execute ha disconnect command sets the HA mode of the
disconnected unit to standalone. In addition, all interface IP addresses of the disconnected unit are set to [Link].
The interface specified in the command is set to the IP address and netmask that you specify in the command. In
addition all management access to this interface is enabled. Once the FortiGate unit is disconnected you can use
SSH, telnet, HTTPS, or HTTP to connect to and manage the FortiGate unit.
Syntax
execute ha disconnect <cluster-member-serial_str> <interface_str> <address_ipv4>
<address_ipv4mask>
Variable Description
cluster-member-serial_str
  The serial number of the cluster unit to be disconnected.
interface_str
  The name of the interface to configure. The command configures the IP address and netmask for this interface and also enables all management access for this interface.
Example
This example shows how to disconnect a cluster unit with serial number FGT5002803033050. The internal
interface of the disconnected unit is set to IP address [Link] and netmask [Link].
execute ha disconnect FGT5002803033050 internal [Link] [Link]
ha ignore-hardware-revision
Use this command to set ignore-hardware-revision status.
Syntax
To view ignore-hardware-revision status
execute ha ignore-hardware-revision status
To set ignore-hardware-revision status
execute ha ignore-hardware-revision {enable | disable}
ha manage
Use this command from the CLI of a FortiGate unit in an HA cluster to log into the CLI of another unit in the
cluster. Usually you would use this command from the CLI of the primary unit to log into the CLI of a subordinate
unit. However, if you have logged into a subordinate unit CLI, you can use this command to log into the primary
unit CLI, or the CLI of another subordinate unit.
You can use CLI commands to manage the cluster unit that you have logged into. If you make changes to the
configuration of any cluster unit (primary or subordinate unit) these changes are synchronized to all cluster units.
Syntax
execute ha manage <cluster-index>
Variable Description
cluster-index
  The cluster index is assigned by the FortiGate Clustering Protocol according to cluster unit serial number. The cluster unit with the highest serial number has a cluster index of 0. The cluster unit with the second highest serial number has a cluster index of 1, and so on. Enter ? to list the cluster indexes of the cluster units that you can log into. The list does not show the unit that you are already logged into.
Example
This example shows how to log into a subordinate unit in a cluster of three FortiGate units. In this example you
have already logged into the primary unit. The primary unit has serial number FGT3082103000056. The
subordinate units have serial numbers FGT3012803021709 and FGT3082103021989.
execute ha manage ?
<id> please input slave cluster index.
<0> Subsidary unit FGT3012803021709
<1> Subsidary unit FGT3082103021989
Type 0 and press enter to connect to the subordinate unit with serial number FGT3012803021709. The CLI
prompt changes to the host name of this unit. To return to the primary unit, type exit.
From the subordinate unit you can also use the execute ha manage command to log into the primary unit or
into another subordinate unit. Enter the following command:
execute ha manage ?
<id> please input slave cluster index.
<1> Subsidary unit FGT3082103021989
<2> Subsidary unit FGT3082103000056
Type 2 and press enter to log into the primary unit or type 1 and press enter to log into the other subordinate unit.
The CLI prompt changes to the host name of this unit.
ha synchronize
Use this command from a subordinate unit in an HA cluster to manually synchronize its configuration with the
primary unit or to stop a synchronization process that is in progress.
Syntax
execute ha synchronize {start | stop}
Variable Description
start Start synchronizing the cluster configuration.
stop Stop a configuration synchronization that is in progress.
interface dhcpclient-renew
Renew the DHCP client for the specified DHCP interface and close the CLI session. If there is no DHCP
connection on the specified port, there is no output.
Syntax
execute interface dhcpclient-renew <port>
Example
This is the output for renewing the DHCP client on port1 before the session closes:
# execute interface dhcpclient-renew port1
renewing dhcp lease on port1
interface pppoe-reconnect
Reconnect to the PPPoE service on the specified PPPoE interface and close the CLI session. If there is no PPPoE
connection on the specified port, there is no output.
Syntax
execute interface pppoe-reconnect <port>
log backup
Use this command to back up all logs, index files, and report databases. The files are compressed and combined
into a TAR archive.
Syntax
execute log backup <file name>
where <file name> is the name of the backup file to create.
log client-reputation-report
Use these commands to control client-reputation log actions.
Syntax
To accept a host so that it has its own baselines
execute log client-reputation-report accept <policy-id> <host>
To clear all auto-profile data
execute log client-reputation-report clear
To ignore a host, removing it from the abnormal list
execute log client-reputation-report ignore <policy-id> <host>
To refresh the data of one option result
execute log client-reputation-report refresh <policy-id> <option> <action>
<option> is one of bandwidth, session, failconn, geo, or app
<action> is one of data, baseline, or data_baseline (both data and baseline)
To get baseline/average information of one option
execute log client-reputation-report result baseline <policy-id> <option>
<option> is one of bandwidth, session, or failconn
To get hourly data of a host visiting a country or using an application
execute log client-reputation-report result details {hourly | total} <policy-id>
<option> <name> <host>
<option> is geo or app
<name> is the name of the country or application
To list abnormal hosts of one or all options
execute log client-reputation-report result list <policy-id> <option>
<option> is geo, app, or all
To list periodical data of one host of one option
execute log client-reputation-report result period <policy-id> <option> <host>
<periods>
<option> is one of bandwidth, session, failconn, geo, or app
<periods> is number of periods to list
To list the top 10 abnormal hosts of one option
execute log client-reputation-report result top10 <policy-id> <option>
<option> is one of bandwidth, session, failconn, geo, or app
To run reports immediately
execute log client-reputation-report run <policy-id>
log convert-oldlogs
Use this command to convert old compact logs to the new format. This command is available only if you have
upgraded from an earlier version of FortiOS and have old compact logs on your system.
Syntax
execute log convert-oldlogs
log delete-all
Use this command to clear all log entries for this VDOM in memory and current log files on hard disk. If your
FortiGate unit has no hard disk, only log entries in system memory will be cleared. You will be prompted to
confirm the command.
Syntax
execute log delete-all
log delete-oldlogs
Use this command to delete old compact logs. This command is available only if you have upgraded from an
earlier version of FortiOS and have old compact logs on your system.
Syntax
execute log delete-oldlogs
log detail
Display UTM-related log entries for traffic log entries in this VDOM.
Syntax
execute log detail <category> <utm-ref>
where <category> is one of:
2: utm-virus
3: utm-webfilter
4: utm-ips
5: utm-spam
9: utm-dlp
10: utm-app-ctrl
You can obtain <utm-ref> from the execute log display output.
log display
Use this command to display log messages for this VDOM that you have selected with the execute log
filter command.
Syntax
execute log display
The console displays the first 10 log messages. To view more messages, run the command again. You can do
this until you have seen all of the selected log messages. To restart viewing the list from the beginning, use the
commands
execute log filter start-line 1
execute log display
You can restore the log filters to their default values using the command
execute log filter reset
log downgrade-log
Use this command to downgrade existing logs to v5.0 format prior to a firmware downgrade to FortiOS v5.0.
Syntax
execute log downgrade-log
log filter
Use this command to select log messages in this VDOM for viewing or deletion. You can view one log category on
one device at a time. Optionally, you can filter the messages to select only specified date ranges or severities of
log messages. For traffic logs, you can filter log messages by source or destination IP address.
Commands are cumulative. If you omit a required variable, the command displays the current setting.
Use as many execute log filter commands as you need to define the log messages that you want to
view.
Syntax
execute log filter category <category_name>
execute log filter device {disk | memory}
execute log filter dump
execute log filter field <name> <value> [<value2>,...<valuen>] [not]
execute log filter ha-member <unitsn_str>
execute log filter reset [all | field]
execute log filter rolled_number <number>
execute log filter sortby <field> [max-sort-lines]
execute log filter start-line <line_number>
execute log filter view-lines <count>
Variable Description Default
category <category_name>
  Enter the type of log you want to select. To see a list of available categories, enter execute log filter category. Default: event.
device {disk | memory}
  Device where the logs are stored. Default: disk.
dump
  Display current filter settings. No default.
field <name> <value> [<value2>,...<valuen>] [not]
  Enter execute log filter field to view the list of field names. Press Enter after <name> to view information about value parameters for that field. not inverts the field value condition. No default.
ha-member <unitsn_str>
  Select logs from the specified HA cluster member. Enter the serial number of the unit.
reset [all | field]
  Execute this command to reset all filter settings. You can use the field option to reset only filter field settings. No default.
rolled_number <number>
  Select logs from a rolled log file. 0 selects the current log file. Default: 0.
sortby <field> [max-sort-lines]
  Sort logs by the specified field. No default.
start-line <line_number>
  Select logs starting at the specified line number. Default: 1.
view-lines <count>
  Set lines per view. Range: 5 to 1000. Default: 10.
log fortianalyzer test-connectivity
Use this command to test the connection to the FortiAnalyzer unit. This command is available only when
FortiAnalyzer is configured.
Syntax
execute log fortianalyzer test-connectivity
Example
When FortiAnalyzer is connected, the output looks like this:
FortiAnalyzer Host Name: FortiAnalyzer-800B
FortiGate Device ID: FG50B3G06500085
Registration: registered
Connection: allow
Disk Space (Used/Allocated): 468/1003 MB
Total Free Space: 467088 MB
Log: Tx & Rx
Report: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx
When FortiAnalyzer is not connected, the output is: Connect Error
log list
You can view the list of current and rolled log files for this VDOM on the console. The list shows the file name,
size and timestamp.
Syntax
execute log list <category>
To see a list of available categories, enter
execute log list
Example
The output looks like this:
elog 8704 Fri March 6 [Link] 2009
elog.1 1536 Thu March 5 [Link] 2009
elog.2 35840 Wed March 4 [Link] 2009
At the end of the list, the total number of files in the category is displayed. For example:
501 event log file(s) found.
log rebuild-sqldb
Use this command to rebuild the SQL database from log files.
If run in the VDOM context, only this VDOM’s SQL database is rebuilt. If run in the global context, the SQL
database is rebuilt for all VDOMs.
If SQL logging is disabled, this command is unavailable.
Syntax
execute log rebuild-sqldb
log recreate-sqldb
Use this command to recreate SQL log database.
If SQL logging is disabled, this command is unavailable.
Syntax
execute log recreate-sqldb
log-report reset
Use this command to delete all logs, archives and user configured report templates.
Syntax
execute log-report reset
log restore
Use this command to restore all logs, index files, and report databases from a backup file created with the "log
backup" on page 27 command.
This command will wipe out all existing logs and the report database for the VDOM. It is only available for debug
firmware builds.
It is recommended to kill reportd and miglogd prior to running this command.
kill -3 1
killall miglogd
killall reportd
Syntax
execute log restore <file name>
where <file name> is the name of the backup file to use.
log roll
Use this command to roll all log files.
Syntax
execute log roll
log shift-time
Use this command in conjunction with the "log backup" on page 27 and "log restore" on page 33 commands. You
can load a log set generated previously to do demos or testing without needing to regenerate data.
Syntax
execute log shift-time <number of hours>
log upload-progress
Use this command to display the progress of the latest log upload.
Syntax
execute log upload-progress
modem dial
Dial the modem.
The dial command dials the accounts configured in config system modem until it makes a connection or it
has made the maximum configured number of redial attempts.
This command can be used if the modem is in Standalone mode.
Syntax
execute modem dial
modem hangup
Hang up the modem.
This command can be used if the modem is in Standalone mode.
Syntax
execute modem hangup
modem trigger
This command sends a signal to the modem daemon, which causes the state machine to re-evaluate its current
state. If for some reason the modem should be connected but isn't, then it will trigger a redial. If the modem
should not be connected but is, this command will cause the modem to disconnect.
Syntax
execute modem trigger
mrouter clear
Clear multicast routes, RP-sets, IGMP membership records or routing statistics.
Syntax
Clear IGMP memberships:
execute mrouter clear igmp-group {{<group-address>} <interface-name>}
execute mrouter clear igmp-interface <interface-name>
Clear multicast routes:
execute mrouter clear <route-type> {<group-address> {<source-address>}}
Clear PIM-SM RP-sets learned from the bootstrap router (BSR):
execute mrouter clear sparse-mode-bsr
Clear statistics:
execute mrouter clear statistics {<group-address> {<source-address>}}
Variable Description
<interface-name>
  Enter the name of the interface on which you want to clear IGMP memberships.
<group-address>
  Optionally enter a group address to limit the command to a particular group.
<route-type>
  Enter one of:
  dense-routes - clear only PIM dense routes
  multicast-routes - clear all types of multicast routes
  sparse-routes - clear only sparse routes
<source-address>
  Optionally, enter a source address to limit the command to a particular source address. You must also specify group-address.
netscan
Use this command to start and stop the network vulnerability scanner and perform related functions.
Syntax
execute netscan import
execute netscan list
execute netscan start scan
execute netscan status
execute netscan stop
Variable Description
import Import hosts discovered on the last asset discovery scan.
list List the hosts discovered on the last asset discovery scan.
start scan Start configured vulnerability scan.
status Display the status of the current network vulnerability scan.
stop Stop the current network vulnerability scan.
pbx
Use this command to view active channels and to delete, list or upload music files for when music is playing while
a caller is on hold.
Syntax
execute pbx active-call <list>
execute pbx extension <list>
execute pbx ftgd-voice-pkg {sip-trunk}
execute pbx music-on-hold {delete | list | upload}
execute pbx prompt upload ftp <[Link]> <ftp_server_address>[:port] [<username>] [<password>]
execute pbx prompt upload tftp <[Link]> <ftp_server_address>[:port] [<username>] [<password>]
execute pbx prompt upload usb <[Link]> <ftp_server_address>[:port] [<username>] [<password>]
execute pbx restore-default-prompts
execute pbx sip-trunk list
Variables Description
active-call <list>
  Enter to display a list of the active calls being processed by the FortiGate Voice unit.
extension <list>
  Enter to display the status of all extensions with SIP phones that have connected to the FortiGate Voice unit.
ftgd-voice-pkg {sip-trunk}
  Enter to retrieve FortiGuard voice package SIP trunk information.
music-on-hold {delete | list | upload}
  Enter to delete, list or upload music on hold files. You can upload music on hold files using FTP, TFTP, or from a USB drive plugged into the FortiGate Voice unit.
prompt upload ftp <[Link]> <ftp_server_address>[:port] [<username>] [<password>]
  Upload new PBX voice prompt files using FTP. The voice prompt files should be added to a tar file and zipped. This file would usually have the extension tgz. You must include the filename, the FTP server address (domain name or IPv4 address) and, if required, the username and password for the server.
prompt upload tftp <[Link]> <ftp_server_address>[:port] [<username>] [<password>]
  Upload new PBX voice prompt files using TFTP. The voice prompt files should be added to a tar file and zipped. This file would usually have the extension tgz. You must include the filename and the TFTP server IP address.
prompt upload usb <[Link]> <ftp_server_address>[:port] [<username>] [<password>]
  Upload new PBX voice prompt files from a USB drive plugged into the FortiGate Voice unit. The voice prompt files should be added to a tar file and zipped. This file would usually have the extension tgz. You must include the filename.
restore-default-prompts
  Restore the default English voicemail and other PBX system prompts. Use this command if you have changed the default prompts and want to restore the default settings.
sip-trunk list
  Enter to display the status of all SIP trunks that have been added to the FortiGate Voice configuration.
Example command output
Enter the following command to view active calls:
execute pbx active-call
Call-From Call-To Durationed
6016 6006 [Link]
Enter the following command to display the status of all extensions
execute pbx extension list
Extension Host Dialplan
6052 Unregister company-default
6051 Unregister company-default
6050 Unregister company-default
6022 Unregister company-default
6021/6021 [Link] company-default
6020 Unregister company-default
Enter the following command to display the status of all SIP trunks
execute pbx sip-trunk list
Name Host Username Account-Type State
Provider_1 [Link] +5555555 Static N/A
ping
Send an ICMP echo request (ping) to test the network connection between the FortiGate unit and another
network device.
Syntax
execute ping {<address_ipv4> | <host-name_str>}
<host-name_str> should be an IP address, or a fully qualified domain name.
Example
This example shows how to ping a host with the IP address [Link].
#execute ping [Link]
PING [Link] ([Link]): 56 data bytes
64 bytes from [Link]: icmp_seq=0 ttl=128 time=0.5 ms
64 bytes from [Link]: icmp_seq=1 ttl=128 time=0.2 ms
64 bytes from [Link]: icmp_seq=2 ttl=128 time=0.2 ms
64 bytes from [Link]: icmp_seq=3 ttl=128 time=0.2 ms
64 bytes from [Link]: icmp_seq=4 ttl=128 time=0.2 ms
--- [Link] ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.5 ms
ping-options, ping6-options
Set ICMP echo request (ping) options to control the way ping tests the network connection between the FortiGate
unit and another network device.
Syntax
execute ping-options data-size <bytes>
execute ping-options df-bit {yes | no}
execute ping-options pattern <2-byte_hex>
execute ping-options repeat-count <repeats>
execute ping-options source {auto | <source-intf_ip>}
execute ping-options timeout <seconds>
execute ping-options tos <service_type>
execute ping-options ttl <hops>
execute ping-options validate-reply {yes | no}
execute ping-options view-settings
Variable Description Default
data-size <bytes>
    Specify the datagram size in bytes. Default: 56.
df-bit {yes | no}
    Set df-bit to yes to prevent the ICMP packet from being fragmented. Set df-bit to no to allow the ICMP packet to be fragmented. Default: no.
pattern <2-byte_hex>
    Used to fill in the optional data buffer at the end of the ICMP packet. The size of the buffer is specified using the data-size parameter. This allows you to send out packets of different sizes for testing the effect of packet size on the connection. No default.
repeat-count <repeats>
    Specify how many times to repeat ping. Default: 5.
source {auto | <source-intf_ip>}
    Specify the FortiGate interface from which to send the ping. If you specify auto, the FortiGate unit selects the source address and interface based on the route to the <host-name_str> or <host_ip>. Specifying the IP address of a FortiGate interface tests connections to different network segments from the specified interface. Default: auto.
timeout <seconds>
    Specify, in seconds, how long to wait until ping times out. Default: 2.
tos <service_type>
    Set the ToS (Type of Service) field in the packet header to provide an indication of the quality of service wanted. lowdelay = minimize delay; throughput = maximize throughput; reliability = maximize reliability; lowcost = minimize cost. Default: 0.
ttl <hops>
    Specify the time to live. Time to live is the number of hops the ping packet should be allowed to make before being discarded or returned. Default: 64.
validate-reply {yes | no}
    Select yes to validate reply data. Default: no.
view-settings
    Display the current ping-option settings. No default.
Example
Use the following command to increase the number of pings sent.
execute ping-options repeat-count 10
Use the following command to send all pings from the FortiGate interface with IP address [Link].
execute ping-options source [Link]
ping6
Send an ICMP echo request (ping) to test the network connection between the FortiGate unit and an IPv6
capable network device.
Syntax
execute ping6 {<address_ipv6> | <host-name_str>}
Example
This example shows how to ping a host with the IPv6 address [Link].
execute ping6 [Link]
policy-packet-capture delete-all
Use this command to delete captured packets.
Syntax
execute policy-packet-capture delete-all
You will be asked to confirm that you want to delete the packets.
reboot
Restart the FortiGate unit.
Abruptly powering off your FortiGate unit may corrupt its configuration. Using the reboot and shutdown options here or in the web-based manager ensures proper shutdown procedures are followed to prevent any loss of configuration.
Syntax
execute reboot <comment "comment_string">
<comment “comment_string”> allows you to optionally add a message that will appear in the hard disk log
indicating the reason for the reboot. If the message is more than one word it must be enclosed in quotes.
Example
This example shows the reboot command with a message included.
execute reboot comment "December monthly maintenance"
report
Use these commands to manage reports.
Syntax
To flash report caches:
execute report flash-cache
To recreate the report database:
execute report recreate-db
To generate a report:
execute report run [<layout_name>["start-time" "end-time"]]
The start and end times have the format yyyy-mm-dd hh:mm:ss
report-config reset
Use this command to reset report templates to the factory default. Logs are not deleted.
If SQL logging is disabled, this command is unavailable.
Syntax
execute report-config reset
restore
Use this command to
- restore the configuration from a file
- change the FortiGate firmware
- change the FortiGate backup firmware
- restore an IPS custom signature file
When virtual domain configuration is enabled (in system global, vdom-admin is enabled), the content of
the backup file depends on the administrator account that created it.
A backup of the system configuration from the super admin account contains the global settings and the settings
for all of the VDOMs. Only the super admin account can restore the configuration from this file.
A backup file from a regular administrator account contains the global settings and the settings for the VDOM to
which the administrator belongs. Only a regular administrator account can restore the configuration from this file.
Syntax
execute restore av ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore av tftp <filename_str> <server_ipv4[:port_int]>
execute restore config flash <revision>
execute restore config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>] [<backup_password_str>]
execute restore config management-station {normal | template | script} <rev_int>
execute restore config tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute restore config usb <filename_str> [<backup_password_str>]
execute restore config usb-mode [<backup_password_str>]
execute restore forticlient tftp <filename_str> <server_ipv4>
execute restore image flash <revision>
execute restore image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore image management-station <version_int>
execute restore image tftp <filename_str> <server_ipv4>
execute restore image usb <filename_str>
execute restore ips ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore ips tftp <filename_str> <server_ipv4>
execute restore ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore ipsuserdefsig tftp <filename_str> <server_ipv4>
execute restore secondary-image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore secondary-image tftp <filename_str> <server_ipv4>
execute restore secondary-image usb <filename_str>
execute restore src-vis <src-vis-pkgfile>
execute restore vcm {ftp | tftp} <filename_str> <server_ipv4>
execute restore vmlicense {ftp | tftp} <filename_str> <server_ipv4>
Variable Description
av ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
    Download the antivirus database file from an FTP server to the FortiGate unit.
av tftp <filename_str> <server_ipv4[:port_int]>
    Download the antivirus database file from a TFTP server to the FortiGate unit.
config flash <revision>
    Restore the specified revision of the system configuration from the flash disk.
config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>] [<backup_password_str>]
    Restore the system configuration from an FTP server. The new configuration replaces the existing configuration, including administrator accounts and passwords. If the backup file was created with a password, you must specify the password.
config management-station {normal | template | script} <rev_int>
    Restore the system configuration from the central management server. The new configuration replaces the existing configuration, including administrator accounts and passwords. rev_int is the revision number of the saved configuration to restore. Enter 0 for the most recent revision.
config tftp <filename_str> <server_ipv4> [<backup_password_str>]
    Restore the system configuration from a file on a TFTP server. The new configuration replaces the existing configuration, including administrator accounts and passwords. If the backup file was created with a password, you must specify the password.
config usb <filename_str> [<backup_password_str>]
    Restore the system configuration from a file on a USB disk. The new configuration replaces the existing configuration, including administrator accounts and passwords. If the backup file was created with a password, you must specify the password.
config usb-mode [<backup_password_str>]
    Restore the system configuration from a USB disk. The new configuration replaces the existing configuration, including administrator accounts and passwords. When the USB drive is removed, the FortiGate unit needs to reboot and revert to the unit's existing configuration. If the backup file was created with a password, you must specify the password.
forticlient tftp <filename_str> <server_ipv4>
    Download the FortiClient image from a TFTP server to the FortiGate unit. The filename must have the format: FortiClientSetup_versionmajor. [Link]. For example, [Link].
image flash <revision>
    Restore the specified firmware image from the flash disk.
image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
    Download a firmware image from an FTP server to the FortiGate unit. The FortiGate unit reboots, loading the new firmware. This command is not available in multiple VDOM mode.
image management-station <version_int>
    Download a firmware image from the central management station. This is available if you have configured a FortiManager unit as a central management server. This is also available if your account with FortiGuard Analysis and Management Service allows you to upload firmware images.
image tftp <filename_str> <server_ipv4>
    Download a firmware image from a TFTP server to the FortiGate unit. The FortiGate unit reboots, loading the new firmware. This command is not available in multiple VDOM mode.
image usb <filename_str>
    Download a firmware image from a USB disk to the FortiGate unit. The FortiGate unit reboots, loading the new firmware.
ips ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
    Download the IPS database file from an FTP server to the FortiGate unit.
ips tftp <filename_str> <server_ipv4>
    Download the IPS database file from a TFTP server to the FortiGate unit.
ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
    Restore an IPS custom signature file from an FTP server. The file will overwrite the existing IPS custom signature file.
ipsuserdefsig tftp <filename_str> <server_ipv4>
    Restore an IPS custom signature file from a TFTP server. The file will overwrite the existing IPS custom signature file.
secondary-image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
    Download a firmware image from an FTP server as the backup firmware of the FortiGate unit. Available on models that support backup firmware images.
secondary-image tftp <filename_str> <server_ipv4>
    Download a firmware image from a TFTP server as the backup firmware of the FortiGate unit. Available on models that support backup firmware images.
secondary-image usb <filename_str>
    Download a firmware image from a USB disk as the backup firmware of the FortiGate unit. The unit restarts when the upload is complete. Available on models that support backup firmware images.
src-vis <src-vis-pkgfile>
    Download the source visibility signature package.
vcm {ftp | tftp} <filename_str> <server_ipv4>
    Restore the VCM engine/plugin from an FTP or TFTP server.
vmlicense {ftp | tftp} <filename_str> <server_ipv4>
    Restore the VM license (VM version of the product only).
Example
This example shows how to upload a configuration file from a TFTP server to the FortiGate unit and restart the
FortiGate unit with this configuration. The name of the configuration file on the TFTP server is backupconfig.
The IP address of the TFTP server is [Link].
execute restore config tftp backupconfig [Link]
revision
Use these commands to manage configuration and firmware image files on the local disk.
Syntax
To delete a configuration file
execute revision delete config <revision>
To delete a firmware image file
execute revision delete image <revision>
To list the configuration files
execute revision list config
To list the firmware image files
execute revision list image
router clear bfd session
Use this command to clear a Bidirectional Forwarding Detection (BFD) session.
Syntax
execute router clear bfd session <src_ip> <dst_ip> <interface>
Variable Description
<src_ip> Select the source IP address of the session.
<dst_ip> Select the destination IP address of the session.
<interface> Select the interface for the session.
router clear bgp
Use this command to clear BGP peer connections.
Syntax
execute router clear bgp all [soft] [in | out]
execute router clear bgp as <as_number> [soft] [in | out]
execute router clear bgp dampening {ip_address | ip/netmask}
execute router clear bgp external {in prefix-filter} [soft] [in | out]
execute router clear bgp flap-statistics {ip_address | ip/netmask}
execute router clear bgp ip <ip_address> [soft] [in | out]
Variable Description
all Clear all BGP peer connections.
as <as_number> Clear BGP peer connections by AS number.
dampening {ip_address | ip/netmask} Clear route flap dampening information for peer or network.
external {in prefix-filter} Clear all external peers.
ip <ip_address> Clear BGP peer connections by IP address.
peer-group Clear all members of a BGP peer-group.
[in | out] Optionally limit the clear operation to inbound only or outbound only.
flap-statistics {ip_address | ip/netmask} Clear flap statistics for peer or network.
soft Do a soft reset that changes the configuration but does not disturb existing sessions.
router clear ospf process
Use this command to clear and restart the OSPF router.
Syntax
IPv4:
execute router clear ospf process
IPv6:
execute router clear ospf6 process
router restart
Use this command to restart the routing software.
Syntax
execute router restart
send-fds-statistics
Use this command to send an FDS statistics report now, without waiting for the FDS statistics report interval to
expire.
Syntax
execute send-fds-statistics
set system session filter
Use these commands to define the session filter for get system session commands.
Syntax
To clear the filter settings
execute set system session filter clear
{all|dport|dst|duration|expire|policy|proto|sport|src|vd}
To specify destination port
execute set system session filter dport <port_range>
To specify destination IP address
execute set system session filter dst <ip_range>
To specify duration
execute set system session filter duration <duration_range>
To specify expiry
execute set system session filter expire <expire_range>
To list the filter settings
execute set system session filter list
To invert a filter setting
execute set system session filter negate
{dport|dst|duration|expire|policy|proto|sport|src|vd}
To specify firewall policy ID
execute set system session filter policy <policy_range>
To specify protocol
execute set system session filter proto <protocol_range>
To specify source port
execute set system session filter sport <port_range>
To specify source IP address
execute set system session filter src <ip_range>
To specify virtual domain
execute set system session filter vd <vdom_index>
Variable Description
<duration_range> The start and end times, separated by a space.
<expire_range> The start and end times, separated by a space.
<ip_range> The start and end IP addresses, separated by a space.
<policy_range> The start and end policy numbers, separated by a space.
<port_range> The start and end port numbers, separated by a space.
<protocol_range> The start and end protocol numbers, separated by a space.
<vdom_index> The VDOM index number. -1 means all VDOMs.
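Because the filter is assembled from several separate commands, a script that drives the CLI over SSH is best off building and validating the whole sequence before sending anything. The following Python is an added example, not Fortinet's code: it emits the command lines for a filter from the range syntax documented above, rejects reversed, mixed-family or out-of-bounds ranges first, and opens with clear all so no filter from an earlier session is inherited. The helper names, the non-negativity assumed for policy, duration and expire, and the sample addresses are constructed for this example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Each filter is a (start, end) pair, exactly as the CLI takes it.
Range = Tuple[object, object]

# Bounds of the numeric filters. Port and protocol numbers are fixed by IP;
# the others are only required to be non-negative (an assumption of this example).
NUMERIC_BOUNDS = {
    "dport": (0, 65535),
    "sport": (0, 65535),
    "proto": (0, 255),
    "policy": (0, None),
    "duration": (0, None),
    "expire": (0, None),
}
IP_FILTERS = ("src", "dst")
PREFIX = "execute set system session filter"


def _check(key: str, start: object, end: object) -> Tuple[str, str]:
    """Validate one range and return its two CLI tokens; raise ValueError if it is bad."""
    if key in IP_FILTERS:
        a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if a.version != b.version or a > b:
            raise ValueError(f"{key}: IP range {start} {end} is mixed-family or reversed")
        return str(a), str(b)
    if key in NUMERIC_BOUNDS:
        lo, hi = NUMERIC_BOUNDS[key]
        s, e = int(start), int(end)
        if s < lo or s > e or (hi is not None and e > hi):
            raise ValueError(f"{key}: range {s} {e} is reversed or out of bounds")
        return str(s), str(e)
    raise ValueError(f"unknown session filter {key!r}")


def build_session_filter(filters: Dict[str, Range], vd: Optional[int] = None,
                         negate: Optional[List[str]] = None) -> List[str]:
    """Return the CLI lines that install the filter, beginning with 'clear all' so
    nothing from an earlier session is inherited and ending with 'list' so the
    operator can confirm what was applied."""
    tokens = {key: _check(key, *rng) for key, rng in filters.items()}  # validate everything first
    if vd is not None and vd < -1:
        raise ValueError("vd must be a VDOM index or -1 for all VDOMs")
    for key in negate or []:
        if key not in tokens and not (key == "vd" and vd is not None):
            raise ValueError(f"cannot negate {key!r}: it is not part of the filter")
    lines = [f"{PREFIX} clear all"]
    lines += [f"{PREFIX} {key} {a} {b}" for key, (a, b) in tokens.items()]
    if vd is not None:
        lines.append(f"{PREFIX} vd {vd}")
    lines += [f"{PREFIX} negate {key}" for key in negate or []]
    lines.append(f"{PREFIX} list")
    return lines


def filter_error(filters: Dict[str, Range], **kwargs) -> Optional[str]:
    """Return the validation message for a rejected filter, or None when it is accepted."""
    try:
        build_session_filter(filters, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def ssh_to_host_filter() -> List[str]:
    """Sessions from one subnet to a single host on TCP port 22, in every VDOM
    (addresses constructed for illustration)."""
    return build_session_filter(
        {"src": ("10.0.0.0", "10.0.0.255"),
         "dst": ("192.0.2.10", "192.0.2.10"),
         "proto": (6, 6),
         "dport": (22, 22)},
        vd=-1,
    )


if __name__ == "__main__":
    print("\n".join(ssh_to_host_filter()))
```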
set-next-reboot
Use this command to start the FortiGate unit with primary or secondary firmware after the next reboot. Available
on models that can store two firmware images. By default, the FortiGate unit loads the firmware from the primary
partition.
VDOM administrators do not have permission to run this command. It must be executed by a super administrator.
Syntax
execute set-next-reboot {primary | secondary}
sfp-mode-sgmii
Change the SFP mode for an NP2 card to SGMII. By default, when an AMC card is inserted the SFP mode is set to SERDES mode.
If a configured NP2 card is removed and re-inserted, the SFP mode goes back to the default.
In these situations, the sfpmode-sgmii command will change the SFP mode from SERDES to SGMII for the
interface specified.
Syntax
execute sfpmode-sgmii <interface>
<interface> is the NP2 interface where you are changing the SFP mode.
shutdown
Shut down the FortiGate unit now. You will be prompted to confirm this command.
Abruptly powering off your FortiGate unit may corrupt its configuration. Using the reboot and shutdown options here or in the web-based manager ensures proper shutdown procedures are followed to prevent any loss of configuration.
Syntax
execute shutdown [comment <comment_string>]
comment is optional but you can use it to add a message that will appear in the event log message that records
the shutdown. The comment message does not appear on the Alert Message console. If the message is more
than one word it must be enclosed in quotes.
Example
This example shows the shutdown command with a message included.
execute shutdown comment "emergency facility shutdown"
An event log message similar to the following is recorded:
2009-09-08 [Link] critical admin 41986 ssh([Link]) shutdown User admin shutdown
the device from ssh([Link]). The reason is 'emergency facility shutdown'
ssh
Use this command to establish an ssh session with another system.
Syntax
execute ssh <destination> [<port>]
<destination> - the destination in the form user@ip or user@host.
[<port>] - optional TCP port number
Example
execute ssh admin@[Link]
To end an ssh session, type exit:
FGT-6028030112 # exit
Connection to [Link] closed.
FGT-8002805000 #
sync-session
Use this command to force a session synchronization.
Syntax
execute sync-session
system custom-language import
Use this command to import a custom language file from a TFTP server.
The web-based manager provides a downloadable template file. Go to System > Config > Advanced.
Syntax
execute system custom-language import <lang_name> <file_name> <tftp_server_ip>
<lang_name> - the language name
<file_name> - the language file name
<tftp_server_ip> - the TFTP server IP address
system fortisandbox test-connectivity
Use this command to query FortiSandbox connection status.
Syntax
execute fortisandbox test-connectivity
tac report
Use this command to create a debug report to send to Fortinet Support. Normally you would only use this
command if requested to by Fortinet Support.
Syntax
execute tac report
telnet
Use the telnet client. You can use this tool to test network connectivity.
Syntax
execute telnet <telnet_ipv4>
<telnet_ipv4> is the address to connect with.
Type exit to close the telnet session.
time
Get or set the system time.
Syntax
execute time [<time_str>]
time_str has the form hh:mm:ss, where
hh is the hour and can be 00 to 23
mm is the minutes and can be 00 to 59
ss is the seconds and can be 00 to 59
If you do not specify a time, the command returns the current system time.
You are allowed to shorten numbers to only one digit when setting the time. For example both [Link] and [Link]
are allowed.
Example
This example sets the system time to [Link]
execute time [Link]
traceroute
Test the connection between the FortiGate unit and another network device, and display information about the
network hops between the device and the FortiGate unit.
Syntax
execute traceroute {<ip_address> | <host-name>}
Example
This example shows how to test the connection with [Link]. In this example the traceroute
command times out after the first hop, indicating a possible problem.
#execute traceroute [Link]
traceroute to [Link] ([Link]), 30 hops max, 38 byte packets
1 [Link] ([Link]) 0.324 ms 0.427 ms 0.360 ms
2 * * *
If your FortiGate unit is not connected to a working DNS server, you will not be able to connect to remote host-
named locations with traceroute.
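When ping and traceroute are run from a script rather than typed at the console, the statistics shown in the ping example and the hop listing shown in the traceroute example above can be checked automatically. The following Python is an added example, not part of the FortiOS reference: it parses both output formats as printed on this page (sample output constructed inline, using RFC 5737 documentation addresses) and reports packet loss or the first hop that stopped answering.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed samples in the layout FortiOS prints for 'execute ping' and
# 'execute traceroute'; the addresses are RFC 5737 documentation addresses.
PING_OUTPUT = """\
PING 192.0.2.10 (192.0.2.10): 56 data bytes
64 bytes from 192.0.2.10: icmp_seq=0 ttl=128 time=0.5 ms
64 bytes from 192.0.2.10: icmp_seq=1 ttl=128 time=0.2 ms
64 bytes from 192.0.2.10: icmp_seq=3 ttl=128 time=0.2 ms
--- 192.0.2.10 ping statistics ---
4 packets transmitted, 3 packets received, 25% packet loss
round-trip min/avg/max = 0.2/0.3/0.5 ms
"""

TRACEROUTE_OUTPUT = """\
traceroute to host.example (192.0.2.1), 30 hops max, 38 byte packets
 1 gw.example (192.0.2.254) 0.324 ms 0.427 ms 0.360 ms
 2 * * *
"""


@dataclass
class PingResult:
    target: str
    transmitted: int
    received: int
    loss_pct: int
    rtt_min: Optional[float] = None
    rtt_avg: Optional[float] = None
    rtt_max: Optional[float] = None
    missing_seq: List[int] = field(default_factory=list)  # probes that got no reply line


@dataclass
class Hop:
    number: int
    host: Optional[str]                      # None when every probe timed out ('* * *')
    rtts_ms: List[float] = field(default_factory=list)


_HEADER = re.compile(r"^PING (\S+) ")
_REPLY = re.compile(r"icmp_seq=(\d+) ttl=\d+ time=([\d.]+) ms")
_STATS = re.compile(r"(\d+) packets transmitted, (\d+) packets received, (\d+)% packet loss")
_RTT = re.compile(r"round-trip min/avg/max = ([\d.]+)/([\d.]+)/([\d.]+) ms")
_HOP = re.compile(r"^\s*(\d+)\s+(.*)$")
_HOP_RTT = re.compile(r"([\d.]+) ms")


def parse_ping(text: str) -> PingResult:
    """Parse 'execute ping' output; the summary line and the per-reply lines are both kept."""
    target, seen, counts, rtt = "", set(), (0, 0, 0), (None, None, None)
    for line in text.splitlines():
        if m := _HEADER.match(line):
            target = m.group(1)
        elif m := _REPLY.search(line):
            seen.add(int(m.group(1)))
        elif m := _STATS.search(line):
            counts = tuple(int(x) for x in m.groups())
        elif m := _RTT.search(line):
            rtt = tuple(float(x) for x in m.groups())
    transmitted, received, loss = counts
    missing = [s for s in range(transmitted) if s not in seen]  # icmp_seq starts at 0
    return PingResult(target, transmitted, received, loss, *rtt, missing)


def parse_traceroute(text: str) -> List[Hop]:
    """Parse 'execute traceroute' output into one Hop per numbered line."""
    hops = []
    for line in text.splitlines():
        m = _HOP.match(line)
        if not m:
            continue                          # the 'traceroute to ...' banner has no hop number
        number, rest = int(m.group(1)), m.group(2)
        if not rest.replace("*", "").strip():
            hops.append(Hop(number, None))    # all probes for this hop timed out
        else:
            hops.append(Hop(number, rest.split()[0], [float(x) for x in _HOP_RTT.findall(rest)]))
    return hops


def path_problems(ping: PingResult, hops: List[Hop], max_loss_pct: int = 0) -> List[str]:
    """Return findings worth an operator's attention; an empty list means the path looks healthy."""
    findings = []
    if ping.loss_pct > max_loss_pct:
        findings.append(f"{ping.target}: {ping.loss_pct}% packet loss, no reply for icmp_seq {ping.missing_seq}")
    if ping.transmitted - ping.received != len(ping.missing_seq):
        findings.append(f"{ping.target}: summary line disagrees with the per-reply lines")
    silent = [h.number for h in hops if h.host is None]
    if silent:
        findings.append(f"traceroute got no reply at hop {silent[0]}")
    return findings


if __name__ == "__main__":
    for finding in path_problems(parse_ping(PING_OUTPUT), parse_traceroute(TRACEROUTE_OUTPUT)):
        print(finding)
```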
tracert6
Test the connection between the FortiGate unit and another network device using the IPv6 protocol, and display
information about the network hops between the device and the FortiGate unit.
Syntax
tracert6 [-Fdn] [-f first_ttl] [-i interface] [-m max_ttl]
[-s src_addr] [-q nprobes] [-w waittime] [-z sendwait]
host [paddatalen]
Variable Description
-F Set the Don't Fragment bit.
-d Enable debugging.
-n Do not resolve numeric addresses to domain names.
-f <first_ttl> Set the initial time-to-live used in the first outgoing probe packet.
-i <interface> Select the interface to use for tracert.
-m <max_ttl> Set the max time-to-live (max number of hops) used in outgoing probe packets.
-s <src_addr> Set the source IP address to use in outgoing probe packets.
-q <nprobes> Set the number of probes per hop.
-w <waittime> Set the time in seconds to wait for a response to a probe. Default is 5.
-z <sendwait> Set the time in milliseconds to pause between probes.
host Enter the IP address or FQDN to probe.
<paddatalen> Set the packet size to use when probing.
update-av
Use this command to manually initiate the virus definitions and engines update. To update both virus and attack
definitions, use the execute update-now command.
Syntax
execute update-av
update-geo-ip
Use this command to obtain an update to the IP geography database from FortiGuard.
Syntax
execute update-geo-ip
update-ips
Use this command to manually initiate the Intrusion Prevention System (IPS) attack definitions and engine
update. To update both virus and attack definitions, use the execute update-now command.
Syntax
execute update-ips
update-list
Use this command to download an updated FortiGuard server list.
Syntax
execute update-list
update-now
Use this command to manually initiate both virus and attack definitions and engine updates. To initiate only virus
or attack definitions, use the execute update-av or execute update-ips command respectively.
Syntax
execute update-now
update-src-vis
Use this command to trigger an FDS update of the source visibility signature package.
Syntax
execute update-src-vis
upd-vd-license
Use this command to enter a Virtual Domain (VDOM) license key.
If you have a FortiGate unit that supports VDOM licenses, you can purchase a license key from Fortinet to
increase the maximum number of VDOMs to 25, 50, 100 or 500. By default, FortiGate units support a maximum
of 10 VDOMs.
Available on FortiGate models that can be licensed for more than 10 VDOMs.
Syntax
execute upd-vd-license <license_key>
Variable Description
<license_key>
    The license key is a 32-character string supplied by Fortinet. Fortinet requires your unit serial number to generate the license key.
upload
Use this command to upload system configurations and firmware images to the flash disk from FTP, TFTP, or
USB sources.
Syntax
To upload configuration files:
execute upload config ftp <filename_str> <comment> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute upload config tftp <filename_str> <comment> <server_ipv4>
execute upload config usb <filename_str> <comment>
To upload firmware image files:
execute upload image ftp <filename_str> <comment> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]]
execute upload image tftp <filename_str> <comment> <server_ipv4>
execute upload image usb <filename_str> <comment>
To upload report image files:
execute upload report-img ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]]
execute upload report-img tftp <filename_str> <server_ipv4>
Variable Description
<comment> Comment string.
<filename_str> Filename to upload.
<server_fqdn[:port_int]> Server fully qualified domain name and optional port.
<server_ipv4[:port_int]> Server IP address and optional port number.
<username_str> Username required on server.
<password_str> Password required on server.
<backup_password_str> Password for backup file.
usb-device
Use these commands to manage FortiExplorer IOS devices.
Syntax
List connected FortiExplorer IOS devices
execute usb-device list
Disconnect FortiExplorer IOS devices
execute usb-device disconnect
usb-disk
Use these commands to manage your USB disks.
Syntax
execute usb-disk delete <filename>
execute usb-disk format
execute usb-disk list
execute usb-disk rename <old_name> <new_name>
Variable Description
delete <filename> Delete the named file from the USB disk.
format Format the USB disk.
list List the files on the USB disk.
rename <old_name> <new_name> Rename a file on the USB disk.
vpn certificate ca
Use this command to import a CA certificate from a TFTP or SCEP server to the FortiGate unit, or to export a CA
certificate from the FortiGate unit to a TFTP server.
Before using this command you must obtain a CA certificate issued by a CA.
Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy,
prior to an encrypted VPN tunnel being set up between the participants. The CA certificate is the certificate that
the FortiGate unit uses to authenticate itself to other devices.
VPN peers must use digital certificates that adhere to the X.509 standard.
Digital certificates are not required for configuring FortiGate VPNs. Digital
certificates are an advanced feature provided for the convenience of system
administrators. This manual assumes the user has prior knowledge of how
to configure digital certificates for their implementation.
Syntax
execute vpn certificate ca export tftp <certificate-name_str> <file-name_str> <tftp_ip>
execute vpn certificate ca import auto <ca_server_url> <ca_identifier_str>
execute vpn certificate ca import tftp <file-name_str> <tftp_ip>
Variable Description
import
    Import the CA certificate from a TFTP server to the FortiGate unit.
export
    Export or copy the CA certificate from the FortiGate unit to a file on the TFTP server. Type ? for a list of certificates.
<certificate-name_str>
    Enter the name of the CA certificate.
<file-name_str>
    Enter the file name on the TFTP server.
<tftp_ip>
    Enter the TFTP server address.
auto
    Retrieve a CA certificate from a SCEP server.
tftp
    Import the CA certificate to the FortiGate unit from a file on a TFTP server (local administrator PC).
<ca_server_url>
    Enter the URL of the CA certificate server.
<ca_identifier_str>
    CA identifier on the CA certificate server (optional).
Examples
Use the following command to import the CA certificate named trust_ca to the FortiGate unit from a TFTP
server with the address [Link].
execute vpn certificate ca import trust_ca [Link]
vpn certificate crl
Use this command to get a CRL via LDAP, HTTP, or SCEP protocol, depending on the auto-update configuration.
In order to use the command execute vpn certificate crl, the authentication servers must already be configured.
Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy,
prior to an encrypted VPN tunnel being set up between the participants. The CA certificate is the certificate that
the FortiGate unit uses to authenticate itself to other devices.
VPN peers must use digital certificates that adhere to the X.509 standard.
Digital certificates are not required for configuring FortiGate VPNs. Digital
certificates are an advanced feature provided for the convenience of system
administrators. This manual assumes the user has prior knowledge of how
to configure digital certificates for their implementation.
Syntax
execute vpn certificate crl import auto <crl-name>
Variable Description
import
    Import the CRL from the configured LDAP, HTTP, or SCEP authentication server to the FortiGate unit.
<crl-name>
    Enter the name of the CRL.
auto
    Trigger an auto-update of the CRL from the configured LDAP, HTTP, or SCEP authentication server.
vpn certificate local export
Use this command to export a local certificate from the FortiGate unit to a TFTP server.
Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy,
prior to an encrypted VPN tunnel being set up between the participants. The local certificate is the certificate that
the FortiGate unit uses to authenticate itself to other devices.
VPN peers must use digital certificates that adhere to the X.509 standard.
Digital certificates are not required for configuring FortiGate VPNs. Digital
certificates are an advanced feature provided for the convenience of system
administrators. This manual assumes the user has prior knowledge of how
to configure digital certificates for their implementation.
Syntax
execute vpn certificate local export tftp <certificate-name_str> <file-name_str> <tftp_ip>
Variable Description
export
    Export or copy the local certificate from the FortiGate unit to a file on the TFTP server. Type ? for a list of certificates.
<certificate-name_str>
    Enter the name of the local certificate. To view a list of the local certificates, you can enter:
    execute vpn certificate local export tftp ?
<file-name_str>
    Enter the file name on the TFTP server.
<tftp_ip>
    Enter the TFTP server address.
Example
Use the following command to export the local certificate request generated in the above example from the
FortiGate unit to a TFTP server. The example uses the file name testcert for the downloaded file and the
TFTP server address [Link].
execute vpn certificate local export branch_cert testcert [Link]
vpn certificate local generate
Use this command to generate a local certificate.
Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy,
prior to an encrypted VPN tunnel being set up between the participants. The local certificate is the certificate that
the FortiGate unit uses to authenticate itself to other devices.
When you generate a certificate request, you create a private and public key pair for the local FortiGate unit. The
public key accompanies the certificate request. The private key remains confidential.
When you receive the signed certificate from the CA, use the vpn certificate local command to install it
on the FortiGate unit.
VPN peers must use digital certificates that adhere to the X.509 standard.
Digital certificates are not required for configuring FortiGate VPNs. Digital
certificates are an advanced feature provided for the convenience of system
administrators. This manual assumes the user has prior knowledge of how
to configure digital certificates for their implementation.
Syntax
To generate the default CA certificate used by SSL Inspection
execute vpn certificate local generate default-ssl-ca
To generate the default server key used by SSL Inspection
execute vpn certificate local generate default-ssl-serv-key
To generate an elliptic curve certificate request
execute vpn certificate local generate ec <certificate-name_str> <elliptic-curve-name> <subject_str> [<optional_information>]
To generate an RSA certificate request
execute vpn certificate local generate rsa <certificate-name_str> <key-length> <subject_str> [<optional_information>]
Variable Description
<certificate-name_str> Enter a name for the certificate. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
<elliptic-curve-name> Enter the elliptic curve name: secp256r1, secp384r1, or secp521r1.
<key-length> Enter 1024, 1536 or 2048 for the size in bits of the encryption key.
<subject_str> Enter the FortiGate unit host IP address, its fully qualified domain name, or an email address to identify the FortiGate unit being certified. An IP address or domain name is preferred. If this is impossible (such as with a dialup client), use an e-mail address. If you specify a host IP or domain name, use the IP address or domain name associated with the interface on which IKE negotiations will take place (usually the external interface of the local FortiGate unit). If the IP address in the certificate does not match the IP address of this interface (or if the domain name in the certificate does not match a DNS query of the FortiGate unit's IP), then some implementations of IKE may reject the connection. Enforcement of this rule varies for different IPSec products.
[<optional_information>] Enter optional_information as required to further identify the certificate. See the Optional information variables table below for the list of optional information variables. You must enter the optional variables in the order that they are listed in the table. To enter any optional variable you must enter all of the variables that come before it in the list. For example, to enter the organization_name_str, you must first enter the country_code_str, state_name_str, and city_name_str. While entering optional variables, you can type ? for help on the next required variable.
Optional information variables
Variable Description
<country_code_str> Enter the two-character country code. Enter execute vpn certificate local generate <name_str> country followed by a ? for a list of country codes. The country code is case sensitive. Enter null if you do not want to specify a country.
<state_name_str> Enter the name of the state or province where the FortiGate unit is located.
<city_name_str> Enter the name of the city, or town, where the person or organization certifying the FortiGate unit resides.
<organization-name_str> Enter the name of the organization that is requesting the certificate for the FortiGate unit.
<organization-unit_name_str> Enter a name that identifies the department or unit within the organization that is requesting the certificate for the FortiGate unit.
<email_address_str> Enter a contact e-mail address for the FortiGate unit.
<ca_server_url> Enter the URL of the CA (SCEP) certificate server that allows auto-signing of the request.
<challenge_password> Enter the challenge password for the SCEP certificate server.
Example
Use the following command to generate a local RSA certificate request with the name branch_cert, the domain
name [Link] and a key size of 1536.
execute vpn certificate local generate rsa branch_cert 1536 [Link]
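The constraints listed above (certificate name character set, RSA key lengths, EC curve names, and the in-order rule for optional information variables) as a small Python helper that composes and checks the command line before it is pasted into the CLI. This is an added example, not part of the FortiOS reference; the hostname and organization values are constructed placeholders, and passing values that contain spaces in double quotes is an assumption about the CLI.

```python
"""Compose and validate `execute vpn certificate local generate` command lines.

Added example, not part of the FortiOS CLI reference. It applies the rules the
reference states: the certificate name character set, the allowed RSA key
lengths and EC curve names, and the requirement that optional information
variables be supplied positionally, in order, with no gaps.
"""
import re
from typing import List, Sequence

# Optional information variables in the order the CLI expects them.
OPTIONAL_FIELDS = (
    "country_code_str",
    "state_name_str",
    "city_name_str",
    "organization-name_str",
    "organization-unit_name_str",
    "email_address_str",
    "ca_server_url",
    "challenge_password",
)

# Key lengths the reference lists. 1024-bit RSA is weak by current standards;
# 2048 is the sensible choice for a new request.
RSA_KEY_LENGTHS = (1024, 1536, 2048)
EC_CURVES = ("secp256r1", "secp384r1", "secp521r1")
NAME_RE = re.compile(r"^[0-9A-Za-z_-]+$")


class CertRequestError(ValueError):
    """Raised when a parameter violates a rule from the reference."""


def _check_name(name: str) -> None:
    if not NAME_RE.match(name):
        raise CertRequestError(
            f"certificate name {name!r} may only contain 0-9, A-Z, a-z, '-' and '_'")


def _check_optional(optional: Sequence[str]) -> None:
    # The CLI is positional: supplying organization-name_str requires that
    # country_code_str, state_name_str and city_name_str precede it.
    if len(optional) > len(OPTIONAL_FIELDS):
        raise CertRequestError("too many optional information values")
    for field, value in zip(OPTIONAL_FIELDS, optional):
        if not value:
            raise CertRequestError(
                f"{field} is empty; enter 'null' for a value you do not want to set")
    if optional and optional[0] != "null" and len(optional[0]) != 2:
        raise CertRequestError("country_code_str must be a two-character code or 'null'")


def _quote(value: str) -> str:
    # Assumption: values containing spaces are passed to the CLI in double quotes.
    return f'"{value}"' if " " in value else value


def _build(verb: str, name: str, key_spec: str, subject: str,
           optional: Sequence[str]) -> str:
    parts: List[str] = ["execute vpn certificate local generate", verb, name,
                        key_spec, _quote(subject)]
    parts.extend(_quote(v) for v in optional)
    return " ".join(parts)


def generate_rsa(name: str, key_length: int, subject: str,
                 optional: Sequence[str] = ()) -> str:
    """Return the command line for an RSA certificate request."""
    _check_name(name)
    if key_length not in RSA_KEY_LENGTHS:
        raise CertRequestError(f"key length must be one of {RSA_KEY_LENGTHS}")
    _check_optional(optional)
    return _build("rsa", name, str(key_length), subject, optional)


def generate_ec(name: str, curve: str, subject: str,
                optional: Sequence[str] = ()) -> str:
    """Return the command line for an elliptic-curve certificate request."""
    _check_name(name)
    if curve not in EC_CURVES:
        raise CertRequestError(f"curve must be one of {EC_CURVES}")
    _check_optional(optional)
    return _build("ec", name, curve, subject, optional)


if __name__ == "__main__":
    # Hostname and organization are constructed placeholders.
    print(generate_rsa("branch_cert", 2048, "vpn.example.com"))
    print(generate_ec("branch_ec", "secp384r1", "vpn.example.com",
                      ["US", "California", "Sunnyvale", "Example Corp"]))
```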
vpn certificate local import
Use this command to import a local certificate to the FortiGate unit from a TFTP server.
Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy,
prior to an encrypted VPN tunnel being set up between the participants. The local certificate is the certificate that
the FortiGate unit uses to authenticate itself to other devices.
VPN peers must use digital certificates that adhere to the X.509 standard.
Digital certificates are not required for configuring FortiGate VPNs. Digital
certificates are an advanced feature provided for the convenience of system
administrators. This manual assumes the user has prior knowledge of how
to configure digital certificates for their implementation.
Syntax
execute vpn certificate local import tftp <file-name_str> <tftp_ip>
Variable Description
<certificate-name_str> Enter the name of the local certificate.
<file-name_str> Enter the file name on the TFTP server.
<tftp_ip> Enter the TFTP server address.
Example
Use the following command to import the signed local certificate named branch_cert to the FortiGate unit
from a TFTP server with the address [Link].
execute vpn certificate local import tftp branch_cert [Link]
vpn certificate remote
Use this command to import a remote certificate from a TFTP server, or export a remote certificate from the
FortiGate unit to a TFTP server. The remote certificates are public certificates without a private key. They are
used as OCSP (Online Certificate Status Protocol) server certificates.
Syntax
execute vpn certificate remote import tftp <file-name_str> <tftp_ip>
execute vpn certificate remote export tftp <certificate-name_str> <file-name_str> <tftp_ip>
Field/variable Description
import Import the remote certificate from the TFTP server to the FortiGate unit.
export Export or copy the remote certificate from the FortiGate unit to a file on the TFTP server. Type ? for a list of certificates.
<certificate-name_str> Enter the name of the public certificate.
<file-name_str> Enter the file name on the TFTP server.
<tftp_ip> Enter the TFTP server address.
tftp Import/export the remote certificate via a TFTP server.
vpn ipsec tunnel down
Use this command to shut down an IPsec VPN tunnel.
Syntax
execute vpn ipsec tunnel down <phase2> [<phase1> <phase2_serial>]
where:
<phase2> is the phase 2 name
<phase1> is the phase 1 name
<phase2_serial> is the phase 2 serial number
<phase1> is required on a dial-up tunnel.
vpn ipsec tunnel up
Use this command to activate an IPsec VPN tunnel.
Syntax
execute vpn ipsec tunnel up <phase2> [<phase1> <phase2_serial>]
where:
<phase2> is the phase 2 name
<phase1> is the phase 1 name
<phase2_serial> is the phase 2 serial number
This command cannot activate a dial-up tunnel.
vpn sslvpn del-all
Use this command to delete all SSL VPN connections in this VDOM.
Syntax
execute vpn sslvpn del-all
vpn sslvpn del-tunnel
Use this command to delete an SSL tunnel connection.
Syntax
execute vpn sslvpn del-tunnel <tunnel_index>
<tunnel_index> identifies which tunnel to delete if there is more than one active tunnel.
vpn sslvpn del-web
Use this command to delete an active SSL VPN web connection.
Syntax
execute vpn sslvpn del-web <web_index>
<web_index> identifies which web connection to delete if there is more than one active connection.
vpn sslvpn list
Use this command to list current SSL VPN tunnel connections.
Syntax
execute vpn sslvpn list {web | tunnel}
webfilter quota-reset
Use this command to reset user quota.
Syntax
execute webfilter quota-reset <wf-profile> <user_ip4addr>
execute webfilter quota-reset <wf-profile> <user_name>
wireless-controller delete-wtp-image
Use this command to delete all firmware images for WLAN Termination Points (WTPs), also known as physical
access points.
Syntax
execute wireless-controller delete-wtp-image
wireless-controller list-wtp-image
Use this command to list all firmware images for WLAN Termination Points (WTPs), also known as WiFi physical
access points.
Syntax
execute wireless-controller list-wtp-image
Example output
WTP Images on AC:
ImageName ImageSize(B) ImageInfo ImageMTime
[Link] 3711132 FAP22A-v4.0-build212 Mon Jun 6 [Link] 2011
wireless-controller reset-wtp
Use this command to reset a physical access point (WTP).
If the FortiGate unit has a more recent version of the FortiAP firmware, the FortiAP unit will download and install
it. Use the command execute wireless-controller upload-wtp-image to upload FortiAP firmware to the FortiGate
unit.
Syntax
execute wireless-controller reset-wtp {<serialNumber_str> | all}
where <serialNumber_str> is the FortiWiFi unit serial number.
Use the all option to reset all APs.
wireless-controller restart-acd
Use this command to restart the wireless-controller daemon.
Syntax
execute wireless-controller restart-acd
wireless-controller restart-wtpd
Use this command to restart the wireless access point daemon.
Syntax
execute wireless-controller restart-wtpd
wireless-controller upload-wtp-image
Use this command to upload a FortiWiFi firmware image to the FortiGate unit. Wireless APs controlled by this
wireless controller can download the image as needed. Use the execute wireless-controller reset-wtp command
to trigger FortiAP units to update their firmware.
Syntax
FTP:
execute wireless-controller upload-wtp-image ftp <filename_str> <server_ipv4[:port_int]> [<username_str> <password_str>]
TFTP:
execute wireless-controller upload-wtp-image tftp <filename_str> <server_ipv4>
get
The get commands retrieve information about the operation and performance of your FortiGate unit.
endpoint-control app-detect
Use this command to retrieve information about predefined application detection signatures for Endpoint NAC.
Syntax
get endpoint-control app-detect predefined-category status
get endpoint-control app-detect predefined-group status
get endpoint-control app-detect predefined-signature status
get endpoint-control app-detect predefined-vendor status
Example output (partial)
get endpoint-control app-detect predefined-category status
FG200A2907500558 # get endpoint-control app-detect predefined-category status
name: "Anti-Malware Software"
id: 1
group: 1
name: "Authentication and Authorization"
id: 2
group: 1
name: "Encryption, PKI"
id: 3
group: 1
name: "Firewalls"
id: 4
group: 1
get endpoint-control app-detect predefined-group status
FG200A2907500558 # get endpoint-control app-detect predefined-group status
name: "Security"
id: 1
name: "Multimedia"
id: 2
name: "Communication"
id: 3
name: "Critical Functions"
id: 4
get endpoint-control app-detect predefined-signature status
FG200A2907500558 # get endpoint-control app-detect predefined-signature status
name: "Apache HTTP Server"
id: 256
category: 26
vendor: 149
name: "RealPlayer (32-bit)"
id: 1
category: 10
vendor: 68
name: "VisualSVN Server"
id: 257
category: 26
vendor: 162
name: "QQ2009"
id: 2
category: 14
vendor: 78
get endpoint-control app-detect predefined-vendor status
FG200A2907500558 # get endpoint-control app-detect predefined-vendor status
name: "Access Remote PC ([Link])"
id: 3
name: "ACD Systems, Ltd."
id: 4
name: "Adobe Systems Incorporated"
id: 5
name: "Alen Soft"
id: 6
extender modem-status
Use this command to display detailed FortiExtender modem status information.
Syntax
get extender modem-status <serno>
where <serno> is the FortiExtender serial number.
Example output
physical_port: Internal
manufacture: Sierra Wireless, Incorporated
product: AirCard 313U
model: AirCard 313U
revision: SWI9200X_03.05.10.02AP R4684 CARMD-EN-10527 2012/02/25 [Link]
imsi: 310410707582825
pin_status: READY
service: N/A
signal_strength: 73
RSSI: -68 dBm
connection_status: connected
Profile 1: broadband
Profile 2: broadband
Profile 13: [Link]
Profile 15: broadband
NAI: [Link]
Profile: 0 Disabled
home_addr: [Link]
primary_ha: [Link]
secondary_ha: [Link]
aaa_spi: 0
ha_spi: 4
esn_imei: 012615000227604
activation_status: Activated
roaming_status: N/A
usim_status: N/A
oma_dm_version: N/A
plmn: N/A
band: B17
signal_rsrq: N/A
signal_rsrp: N/A
lte_sinr: N/A
lte_rssi: N/A
lte_rs_throughput: N/A
lte_ts_throughput: N/A
lte_physical_cellid: N/A
modem_type:
drc_cdma_evdo: N/A
current_snr: N/A
wireless_operator:
operating_mode: N/A
wireless_signal: 73
usb_wan_mac: [Link]
extender sys-info
Use this command to display detailed FortiExtender system information.
Syntax
get extender sys-info
firewall dnstranslation
Use this command to display the firewall DNS translation table.
Syntax
get firewall dnstranslation
firewall iprope appctrl
Use this command to list all application control signatures added to an application control list and display a
summary of the application control configuration.
Syntax
get firewall iprope appctrl {list | status}
Example output
In this example, the FortiGate unit includes one application control list that blocks the FTP application.
get firewall iprope appctrl list
app-list=app_list_1/2000 other-action=Pass
app-id=15896 list-id=2000 action=Block
get firewall iprope appctrl status
appctrl table 3 list 1 app 1 shaper 0
firewall iprope list
Use this command to list all of the FortiGate unit iprope firewall policies. Optionally include a group number in
hexadecimal format to display a single policy. Policies are listed in FortiOS format.
Syntax
get firewall iprope list [<group_number_hex>]
Example output
get firewall iprope list 0010000c
policy flag (8000000): pol_stats
flag2 (20): ep_block shapers: / per_ip=
imflag: sockport: 1011 action: redirect index: 0
schedule() group=0010000c av=00000000 au=00000000 host=0 split=00000000
chk_client_info=0x0 app_list=0 misc=0 grp_info=0 seq=0 hash=0
npu_sensor_id=0
tunnel=
zone(1): 0 ->zone(1): 0
source(0):
dest(0):
source wildcard(0):
destination wildcard(0):
service(1):
[6:0x8:1011/(0,65535)->(80,80)]
nat(0):
mms: 0 0
firewall proute, proute6
Use these commands to list policy routes.
Syntax
For IPv4 policy routes:
get firewall proute
For IPv6 policy routes:
get firewall proute6
Example output
get firewall proute
list route policy info(vf=root):
iff=5 src=[Link]/[Link] tos=0x00 tos_mask=0x00 dst=[Link]/[Link] protocol=80
port=1:65535
oif=3 gwy=[Link]
firewall service custom
Use this command to view the list of custom services. If you do not specify a <service_name> the command lists
all of the pre-defined services.
Syntax
get firewall service custom
This lists the services.
To view details about all services
config firewall service custom
show full-configuration
To view details about a specific service
This example lists the configuration for the ALL_TCP service:
config firewall service custom
edit ALL_TCP
show full-configuration
Example output
This is a partial output.
get firewall service custom
== [ ALL ]
name: ALL
== [ ALL_TCP ]
name: ALL_TCP
== [ ALL_UDP ]
name: ALL_UDP
== [ ALL_ICMP ]
name: ALL_ICMP
== [ ALL_ICMP6 ]
name: ALL_ICMP6
== [ GRE ]
name: GRE
== [ AH ]
name: AH
== [ ESP ]
name: ESP
== [ AOL ]
name: AOL
== [ BGP ]
name: BGP
== [ DHCP ]
name: DHCP
== [ DNS ]
name: DNS
== [ FINGER ]
name: FINGER
firewall shaper
Use this command to retrieve information about traffic shapers.
Syntax
To get information about per-ip traffic shapers
get firewall shaper per-ip
To get information about shared traffic shapers
get firewall shaper traffic-shaper
grep
In many cases the get and show (and diagnose) commands may produce a large amount of output. If you are
looking for specific information in a large get or show command output you can use the grep command to filter
the output to only display what you are looking for. The grep command is based on the standard UNIX grep,
used for searching text output based on regular expressions.
Information about how to use grep and regular expressions is available from the Internet. For example, see
[Link]
Syntax
{get | show | diagnose} | grep <regular_expression>
Example output
Use the following command to display the MAC address of the FortiGate unit internal interface:
get hardware nic internal | grep Current_HWaddr
Current_HWaddr [Link]
Use the following command to display all TCP sessions in the session list and include the session list line number
in the output:
get system session list | grep -n tcp
19:tcp 1110 [Link]:1862 [Link]:30670 [Link]:1469 -
27:tcp 3599 [Link]:2061 - [Link]:22 -
38:tcp 3594 [Link]:4780 [Link]:49700 [Link]:445 -
43:tcp 3582 [Link]:4398 [Link]:49574 [Link]:48726 -
Use the following command to display all lines in HTTP replacement message commands that contain URL
(upper or lower case):
show system replacemsg http | grep -i url
set buffer "<HTML><BODY>The page you requested has been blocked because it contains a
banned word. URL = %%PROTOCOL%%%%URL%%</BODY></HTML>"
config system replacemsg http "url-block"
set buffer "<HTML><BODY>The URL you requested has been blocked. URL =
%%URL%%</BODY></HTML>"
config system replacemsg http "urlfilter-err"
.
.
.
gui console status
Display information about the CLI console.
Syntax
get gui console status
Example
The output looks like this:
Preferences:
User: admin
Colour scheme (RGB): text=FFFFFF, background=000000
Font: style=monospace, size=10pt
History buffer=50 lines, external input=disabled
gui topology status
Display information about the topology viewer database. The topology viewer is available only if the Topology
widget has been added to a customized web-based manager menu layout.
Syntax
get gui topology status
Example output
Preferences:
Canvas dimensions (pixels): width=780, height=800
Colour scheme (RGB): canvas=12ff08, lines=bf0f00, exterior=ddeeee
Background image: type=none, placement: x=0, y=0
Line style: thickness=2
Custom background image file: none
Topology element database:
__FortiGate__: x=260, y=340
Office: x=22, y=105
ISPnet: x=222, y=129
__Text__: x=77, y=112: "Ottawa"
__Text__: x=276, y=139: "Internet"
hardware cpu
Use this command to display detailed information about all of the CPUs in your FortiGate unit.
Syntax
get hardware cpu
Example output
get hardware npu legacy list
No npu ports are found
620_ha_1 # get hardware cpu
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 15
model name : Intel(R) Core(TM)2 Duo CPU E4300 @ 1.80GHz
stepping : 13
cpu MHz : 1795.545
cache size : 64 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush
dts acpi mmx fxsr sse sse2 ss ht tm pbe lm pni monitor ds_cpl tm2 est
bogomips : 3578.26
processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 15
model name : Intel(R) Core(TM)2 Duo CPU E4300 @ 1.80GHz
stepping : 13
cpu MHz : 1795.545
cache size : 64 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush
dts acpi mmx fxsr sse sse2 ss ht tm pbe lm pni monitor ds_cpl tm2 est
bogomips : 3578.26
hardware memory
Use this command to display information about FortiGate unit memory use including the total, used, and free
memory.
Syntax
get hardware memory
Example output
get hardware memory
total: used: free: shared: buffers: cached: shm:
Mem: 3703943168 348913664 3355029504 0 192512 139943936 137314304
Swap: 0 0 0
MemTotal: 3617132 kB
MemFree: 3276396 kB
MemShared: 0 kB
Buffers: 188 kB
Cached: 136664 kB
SwapCached: 0 kB
Active: 22172 kB
Inactive: 114740 kB
HighTotal: 1703936 kB
HighFree: 1443712 kB
LowTotal: 1913196 kB
LowFree: 1832684 kB
SwapTotal: 0 kB
SwapFree: 0 kB
hardware nic
Use this command to display hardware and status information about each FortiGate interface. The hardware
information includes details such as the driver name and version and chip revision. Status information includes
transmitted and received packets, and different types of errors.
Syntax
get hardware nic <interface_name>
Variable Description
<interface_name> A FortiGate interface name such as port1, wan1, internal, etc.
Example output
get hardware nic port9
Chip_Model FA2/ISCP1B-v3/256MB
FPGA_REV_TAG 06101916
Driver Name iscp1a/b-DE
Driver Version 0.1
Driver Copyright Fortinet Inc.
Link down
Speed N/A
Duplex N/A
State up
Rx_Packets 0
Tx_Packets 0
Rx_Bytes 0
Tx_Bytes 0
Current_HWaddr [Link]
Permanent_HWaddr [Link]
Frame_Received 0
Bad Frame Received 0
Tx Frame 0
Tx Frame Drop 0
Receive IP Error 0
FIFO Error 0
Small PktBuf Left 125
Normal PktBuf Left 1021
Jumbo PktBuf Left 253
NAT Anomaly 0
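An added example (not from the FortiOS reference) that parses the output shown above and surfaces the fields an operator checks first: an interface whose administrative state is up while the link is down, a current MAC that differs from the burned-in one, and non-zero error counters. The sample output is constructed from the port9 listing with placeholder MAC addresses and two counters set non-zero.

```python
"""Parse `get hardware nic <interface>` output and flag what needs attention.

Added example, not from the FortiOS CLI reference. Each output line is a key
followed by a value; keys may contain spaces ("Bad Frame Received 0"), so the
value is taken as the last whitespace-separated token and the key is the rest.
"""
from typing import Dict, List

# Constructed sample, modelled on the port9 output in the reference. The MAC
# addresses are placeholders and two error counters were set non-zero.
SAMPLE_OUTPUT = """\
Chip_Model FA2/ISCP1B-v3/256MB
FPGA_REV_TAG 06101916
Driver Name iscp1a/b-DE
Driver Version 0.1
Driver Copyright Fortinet Inc.
Link down
Speed N/A
Duplex N/A
State up
Rx_Packets 0
Tx_Packets 0
Rx_Bytes 0
Tx_Bytes 0
Current_HWaddr 00:09:0f:00:00:01
Permanent_HWaddr 00:09:0f:00:00:01
Frame_Received 0
Bad Frame Received 3
Tx Frame 0
Tx Frame Drop 0
Receive IP Error 0
FIFO Error 1
Small PktBuf Left 125
Normal PktBuf Left 1021
Jumbo PktBuf Left 253
NAT Anomaly 0
"""

# Counters whose non-zero value is worth surfacing to an operator.
ERROR_COUNTERS = ("Bad Frame Received", "Tx Frame Drop", "Receive IP Error",
                  "FIFO Error", "NAT Anomaly")


def parse_nic_output(text: str) -> Dict[str, str]:
    """Turn the key/value lines into a dict, keeping multi-word keys intact.

    Free-text values such as the copyright line split on their last word; that
    is harmless here because only counters and state fields are consumed.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.rpartition(" ")
        if not key:  # a bare token with no value
            key, value = value, ""
        fields[key] = value
    return fields


def nic_findings(fields: Dict[str, str]) -> List[str]:
    """Return findings: admin/link mismatch, MAC override, non-zero errors."""
    findings: List[str] = []
    if fields.get("State") == "up" and fields.get("Link") == "down":
        findings.append("interface is administratively up but the link is down")
    if fields.get("Current_HWaddr") != fields.get("Permanent_HWaddr"):
        findings.append("current MAC differs from permanent (burned-in) MAC")
    for name in ERROR_COUNTERS:
        raw = fields.get(name, "0")
        if raw.isdigit() and int(raw) > 0:
            findings.append(f"{name} = {raw}")
    return findings


if __name__ == "__main__":
    for finding in nic_findings(parse_nic_output(SAMPLE_OUTPUT)):
        print(finding)
```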
hardware npu
Use this command to display information about the network processor unit (NPU) hardware installed in a
FortiGate unit. The NPUs can be built-in or on an installed AMC module.
Syntax
get hardware npu legacy {list | session <device_name_str> | setting <device_name_str>}
get hardware npu np1 {list | status}
get hardware npu np2 {list | performance <device_id_int> | status <device_id_int>}
get hardware npu np4 {list | status <device_id_int>}
get hardware npu sp {list | status}
Example output
get hardware npu np1 list
ID Interface
0 port9 port10
get hardware npu np1 status
ISCP1A 10ee:0702
RX SW Done 0 MTP 0x00000000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Total Number of Interfaces: 2
Number of Interface In-Use: 2
Interface[0] Tx done: 0
desc_size = 0x00004000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
TX timeout = 0x00000000 BD_empty = 0x00000000
HRx Packets= 0x00000000 HTXBytes = 0x00000000 HRXBytes = 0x00000000
Interface[1] Tx done: 0
desc_size = 0x00004000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
TX timeout = 0x00000000 BD_empty = 0x00000000
HRx Packets= 0x00000000 HTXBytes = 0x00000000 HRXBytes = 0x00000000
NAT Information:
head = 0x00000001 tail = 00000001
ISCP1A Performance [Top]:
Nr_int : 0x00000000 INTwoInd : 0x00000000 RXwoDone : 0x00000000
PKTwoEnd : 0x00000000 PKTCSErr : 0x00000000
PKTidErr : 0x00000000 PHY0Int : 0x00000000 PHY1INT : 0x00000000
CSUMOFF : 0x00000000 BADCSUM : 0x00000000 MSGINT : 0x00000000
IPSEC : 0x00000000 IPSVLAN : 0x00000000 SESMISS : 0x00000000
TOTUP : 0x00000000 RSVD MEMU : 0x00000010
MSG Performance:
QLEN: 0x00001000(QW) HEAD: 0x00000000
Performance:
TOTMSG: 0x00000000 BADMSG: 0x00000000 TOUTMSG: 0x00000000 QUERY: 0x00000000
NULLTK: 0x00000000
NAT Performance: BYPASS (Enable) BLOCK (Disable)
IRQ : 00000001 QFTL : 00000000 DELF : 00000000 FFTL : 00000000
OVTH : 00000001 QRYF : 00000000 INSF : 00000000 INVC : 00000000
ALLO : 00000000 FREE : 00000000 ALLOF : 00000000 BPENTR: 00000000 BKENTR: 00000000
PBPENTR: 00000000 PBKENTR: 00000000 NOOP : 00000000 THROT : 00000000(0x002625a0)
SWITOT : 00000000 SWDTOT : 00000000 ITDB : 00000000 OTDB : 00000000
SPISES : 00000000 FLUSH : 00000000
APS (Disabled) information:
MODE: BOTH UDPTH 255 ICMPTH 255 APSFLAGS: 0x00000000
IPSEC Offload Status: 0x58077dcb
get hardware npu np2 list
ID PORTS
-- -----
0 amc-sw1/1
0 amc-sw1/2
0 amc-sw1/3
0 amc-sw1/4
ID PORTS
-- -----
1 amc-dw2/1
ID PORTS
-- -----
2 amc-dw2/2
get hardware npu np2 status 0
NP2 Status
ISCP2 f7750000 (Neighbor 00000000) 1a29:0703 256MB Base f8aad000 DBG 0x00000000
RX SW Done 0 MTP 0x0
desc_alloc = f7216000
desc_size = 0x2000 count = 0x100
nxt_to_u = 0x0 nxt_to_f = 0x0
Total Interfaces: 4 Total Ports: 4
Number of Interface In-Use: 4
Interface f7750100 netdev 81b1e000 0 Name amc-sw1-1
PHY: Attached
LB Mode 0 LB IDX 0/1 LB Ports: f7750694, 00000000, 00000000, 00000000
Port f7750694 Id 0 Status Down ictr 4
desc = 8128c000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Intf f7750100
Interface f7750264 netdev 81b2cc00 1 Name amc-sw1-2
PHY: Attached
LB Mode 0 LB IDX 0/1 LB Ports: f7750748, 00000000, 00000000, 00000000
Port f7750748 Id 1 Status Down ictr 0
desc = 81287000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Intf f7750264
Interface f77503c8 netdev 81b2c800 2 Name amc-sw1-3
PHY: Attached
LB Mode 0 LB IDX 0/1 LB Ports: f77507fc, 00000000, 00000000, 00000000
Port f77507fc Id 2 Status Down ictr 0
desc = 81286000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Intf f77503c8
Interface f775052c netdev 81b2c400 3 Name amc-sw1-4
PHY: Attached
LB Mode 0 LB IDX 0/1 LB Ports: f77508b0, 00000000, 00000000, 00000000
Port f77508b0 Id 3 Status Down ictr 0
desc = 81281000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Intf f775052c
NAT Information:
cmdq_qw = 0x2000 cmdq = 82160000
head = 0x1 tail = 0x1
APS (Enabled) information:
Session Install when TMM TSE OOE: Disable
Session Install when TMM TAE OOE: Disable
IPS anomaly check policy: Follow config
MSG Base = 82150000 QL = 0x1000 H = 0x0
hardware status
Report information about the FortiGate unit hardware including FortiASIC version, CPU type, amount of memory,
flash drive size, hard disk size (if present), USB flash size (if present), network card chipset, and WiFi chipset
(FortiWifi models). This information can be useful for troubleshooting, providing information about your FortiGate
unit to Fortinet Support, or confirming the features that your FortiGate model supports.
Syntax
get hardware status
Example output
Model name: Fortigate-620B
ASIC version: CP6
ASIC SRAM: 64M
CPU: Intel(R) Core(TM)2 Duo CPU E4300 @ 1.80GHz
RAM: 2020 MB
Compact Flash: 493 MB /dev/sda
Hard disk: 76618 MB /dev/sdb
USB Flash: not available
Network Card chipset: Broadcom 570x Tigon3 Ethernet Adapter (rev.0x5784100)
ips decoder status
Displays all the port settings of all the IPS decoders.
Syntax
get ips decoder status
Example output
# get ips decoder status
decoder-name: "back_orifice"
decoder-name: "dns_decoder"
port_list: 53
decoder-name: "ftp_decoder"
port_list: 21
decoder-name: "http_decoder"
decoder-name: "im_decoder"
decoder-name: "imap_decoder"
port_list: 143
Ports are shown only for decoders with configurable port settings.
ips rule status
Displays current configuration information about IPS rules.
Syntax
get ips rule status
Example output
# get ips rule status
rule-name: "[Link]"
rule-id: 12588
rev: 2.464
action: pass
status: disable
log: enable
log-packet: disable
severity: [Link]
service: All
location: server, client
os: All
application: All
rule-name: "[Link]"
rule-id: 12805
rev: 2.464
action: pass
status: disable
log: enable
log-packet: disable
severity: [Link]
service: All
location: server, client
os: All
application: All
ips session
Displays current IPS session status.
Syntax
get ips session
Example output
get ips session
SYSTEM:
memory capacity 279969792
memory used 5861008
recent pps\bps 0\0K
session in-use 0
TCP: in-use\active\total 0\0\0
UDP: in-use\active\total 0\0\0
ICMP: in-use\active\total 0\0\0
ipsec tunnel
List the current IPSec VPN tunnels and their status.
Syntax
To view details of all IPsec tunnels:
get ipsec tunnel details
To list IPsec tunnels by name:
get ipsec tunnel name
To view a summary of IPsec tunnel information:
get ipsec tunnel summary
ips view-map
Use this command to view the policies examined by IPS. This is mainly used for debugging. If there is no ips view
map, it means IPS is not used or enabled.
Syntax
get ips view-map <id>
Example output
id : 1
id-policy-id : 0
policy-id : 2
vdom-id : 0
which : firewall
Variable Description
id IPS policy ID
id-policy-id Identity-based policy ID (0 means none)
policy-id Policy ID
vdom-id VDOM, identified by ID number
which Type of policy id: firewall, firewall6, sniffer, sniffer6, interface, interface6
mgmt-data status
Use this command to display information additional to that provided by get system status or
get hardware status.
Syntax
get mgmt-data status
Sample output
FG100D3G12801361 # get mgmt-data status
Model name: FortiGate-100D
CPU: 4
RAM: 1977 MB
is_ssd_available: 0
is_logdisk_mounted: 1
is_support_log_on_boot_device: 1
is_rev_support_wanopt: 1
netscan settings
Use this command to display tcp and udp ports that are scanned by the current scan mode.
Syntax
get netscan settings
Example output
scan-mode : full
tcp-ports : 1-65535
udp-ports : 1-65535
pbx branch-office
Use this command to list the configured branch offices.
Syntax
get pbx branch-office
Example output
== [ Branch 15 ]
name: Branch 15
== [ Branch 12 ]
name: Branch 12
pbx dialplan
Use this command to list the configured dial plans.
Syntax
get pbx dialplan
Example output
== [ company-default ]
name: company-default
== [ inbound ]
name: inbound
pbx did
Use this command to list the configured direct inward dial (DID) numbers.
Syntax
get pbx did
Example output
== [ Operator ]
name: Operator
== [ Emergency ]
name: Emergency
pbx extension
Use this command to list the configured extensions.
Syntax
get pbx extension
Example output
== [ 6555 ]
extension: 6555
== [ 6777 ]
extension: 6777
== [ 6111 ]
extension: 6111
pbx ftgd-voice-pkg
Use this command to display the current FortiGate Voice service package status.
Syntax
get pbx ftgd-voice-pkg status
Example output
Status: Activated
Total 1 Packages:
Package Type: B, Credit Left: 50.00, Credit Used: 0.00,
Expiration Date: 2011-01-01 [Link]
Total 1 Dids:
12345678901
Total 1 Efaxs:
12345678902
Total 0 Tollfrees:
pbx global
Use this command to display the current global pbx settings.
Syntax
get pbx global
Example output
block-blacklist : enable
country-area : USA
country-code : 1
efax-check-interval : 5
extension-pattern : 6XXX
fax-admin-email : faxad@[Link]
ftgd-voice-server : [Link]
local-area-code : 408
max-voicemail : 60
outgoing-prefix : 9
ring-timeout : 20
rtp-hold-timeout : 0
rtp-timeout : 60
voicemail-extension : *97
pbx ringgrp
Use this command to display the currently configured ring groups.
Syntax
get pbx ringgrp
Example output
== [ 6001 ]
name: 6001
== [ 6002 ]
name: 6002
pbx sip-trunk
Use this command to display the currently configured SIP trunks.
Syntax
get pbx sip-trunk
Example output
== [ __FtgdVoice_1 ]
name: __FtgdVoice_1
pbx voice-menu
Use this command to display the current voice menu and recorder extension configuration.
Syntax
get pbx voice-menu
Example output
comment : general
password : *
press-0:
ring-group : 6001
type : ring-group
press-1:
type : voicemail
press-2:
type : directory
press-3:
type : none
press-4:
type : none
press-5:
type : none
press-6:
type : none
press-7:
type : none
press-8:
type : none
press-9:
type : none
recorder-exten : *30
router info bfd neighbor
Use this command to list state information about the neighbors in the bi-directional forwarding table.
Syntax
get router info bfd neighbor
router info bgp
Use this command to display information about the BGP configuration.
Syntax
get router info bgp <keyword>
<keyword> Description
cidr-only  Show all BGP routes having non-natural network masks.
community  Show all BGP routes having their COMMUNITY attribute set.
community-info  Show general information about the configured BGP communities, including the routes in each community and their associated network addresses.
community-list  Show all routes belonging to configured BGP community lists.
dampening {dampened-paths | flap-statistics | parameters}  Display information about dampening:
    Type dampened-paths to show all paths that have been suppressed due to flapping.
    Type flap-statistics to show flap statistics related to BGP routes.
    Type parameters to show the current dampening settings.
filter-list  Show all routes matching configured AS-path lists.
inconsistent-as  Show all routes associated with inconsistent autonomous systems of origin.
memory  Show the BGP memory table.
neighbors [<address_ipv4> | <address_ipv4> advertised-routes | <address_ipv4> received prefix-filter | <address_ipv4> received-routes | <address_ipv4> routes]  Show information about connections to TCP and BGP neighbors.
network [<address_ipv4mask>]  Show general information about the configured BGP networks, including their network addresses and associated prefixes.
network-longer-prefixes <address_ipv4mask>  Show general information about the BGP route that you specify (for example, [Link]/14) and any specific routes associated with the prefix.
paths  Show general information about BGP AS paths, including their associated network addresses.
prefix-list <name>  Show all routes matching configured prefix list <name>.
quote-regexp <regexp_str>  Enter the regular expression to compare to the AS_PATH attribute of BGP routes (for example, ^730$) and enable the use of output modifiers (for example, include, exclude, and begin) to search the results.
regexp <regexp_str>  Enter the regular expression to compare to the AS_PATH attribute of BGP routes (for example, ^730$).
route-map  Show all routes matching configured route maps.
scan  Show information about next-hop route scanning, including the scan interval setting.
summary  Show information about BGP neighbor status.
Example output
get router info bgp memory
Memory type Alloc count Alloc bytes
=================================== ============= ===============
BGP structure : 2 1408
BGP VR structure : 2 104
BGP global structure : 1 56
BGP peer : 2 3440
BGP as list master : 1 24
Community list handler : 1 32
BGP Damp Reuse List Array : 2 4096
BGP table : 62 248
----------------------------------- ------------- ---------------
Temporary memory : 4223 96095
Hash : 7 140
Hash index : 7 28672
Hash bucket : 11 132
Thread master : 1 564
Thread : 4 144
Link list : 32 636
Link list node : 24 288
Show : 1 396
Show page : 1 4108
Show server : 1 36
Prefix IPv4 : 10 80
Route table : 4 32
Route node : 63 2772
Vector : 2180 26160
Vector index : 2180 18284
Host config : 1 2
Message of The Day : 1 100
IMI Client : 1 708
VTY master : 1 20
VTY if : 11 2640
VTY connected : 5 140
Message handler : 2 120
NSM Client Handler : 1 12428
NSM Client : 1 1268
Host : 1 64
Log information : 2 72
Context : 1 232
----------------------------------- ------------- ---------------
bgp proto specifc allocations : 9408 B
bgp generic allocations : 196333 B
bgp total allocations : 205741 B
router info isis
Use this command to display information about the FortiGate ISIS.
Syntax
get router info isis interface
get router info isis neighbor
get router info isis is-neighbor
get router info isis database
get router info isis route
get router info isis topology
router info kernel
Use this command to display the FortiGate kernel routing table. The kernel routing table displays information
about all of the routes in the kernel.
Syntax
get router info kernel [<routing_type_int>]
router info multicast
Use this command to display information about a Protocol Independent Multicasting (PIM) configuration.
Multicast routing is supported in the root virtual domain only.
Syntax
get router info multicast <keywords>
<keywords> Description
igmp  Show Internet Group Management Protocol (IGMP) membership information according to one of these qualifiers:
    Type groups [{<interface-name> | <group-address>}] to show IGMP information for the multicast group(s) associated with the specified interface or multicast group address.
    Type groups-detail [{<interface-name> | <group-address>}] to show detailed IGMP information for the multicast group(s) associated with the specified interface or multicast group address.
    Type interface [<interface-name>] to show IGMP information for all multicast groups associated with the specified interface.
pim dense-mode  Show information related to dense mode operation according to one of these qualifiers:
    Type interface to show information about PIM-enabled interfaces.
    Type interface-detail to show detailed information about PIM-enabled interfaces.
    Type neighbor to show the current status of PIM neighbors.
    Type neighbor-detail to show detailed information about PIM neighbors.
    Type next-hop to show information about next-hop PIM routers.
    Type table [<group-address>][<source-address>] to show the multicast routing table entries associated with the specified multicast group address and/or multicast source address.
pim sparse-mode  Show information related to sparse mode operation according to one of these qualifiers:
    Type bsr-info to show Boot Strap Router (BSR) information.
    Type interface to show information about PIM-enabled interfaces.
    Type interface-detail to show detailed information about PIM-enabled interfaces.
    Type neighbor to show the current status of PIM neighbors.
    Type neighbor-detail to show detailed information about PIM neighbors.
    Type next-hop to show information about next-hop PIM routers.
    Type rp-mapping to show Rendezvous Point (RP) information.
    Type table [<group-address>][<source-address>] to show the multicast routing table entries associated with the specified multicast group address and/or multicast source address.
table [<group-address>] [<source-address>]  Show the multicast routing table entries associated with the specified multicast group address and/or multicast source address.
table-count [<group-address>] [<source-address>]  Show statistics related to the specified multicast group address and/or multicast source address.
router info ospf
Use this command to display information about the FortiGate OSPF configuration and/or the Link-State
Advertisements (LSAs) that the FortiGate unit obtains and generates. An LSA identifies the interfaces of all
OSPF-enabled routers in an area, and provides information that enables OSPF-enabled routers to select the
shortest path to a destination.
Syntax
get router info ospf <keyword>
<keyword> Description
border-routers  Show OSPF routing table entries that have an Area Border Router (ABR) or Autonomous System Boundary Router (ASBR) as a destination.
database <qualifier>  Show information from the OSPF routing database according to one of these qualifiers.
    Some qualifiers require a target that can be one of the following values:
        Type adv_router <address_ipv4> to limit the information to LSAs originating from the router at the specified IP address.
        Type self-originate <address_ipv4> to limit the information to LSAs originating from the FortiGate unit.
    adv-router <address_ipv4>  Type adv-router <address_ipv4> to show OSPF Advertising Router link states for the router at the given IP address.
    asbr-summary <target>  Type asbr-summary to show information about ASBR summary LSAs.
    brief  Type brief to show the number and type of LSAs associated with each OSPF area.
    external <target>  Type external to show information about external LSAs.
    max-age  Type max-age to show all LSAs in the MaxAge list.
    network <target>  Type network to show information about network LSAs.
    nssa-external <target>  Type nssa-external to show information about not-so-stubby external LSAs.
    opaque-area <address_ipv4>  Type opaque-area <address_ipv4> to show information about opaque Type 10 (area-local) LSAs (see RFC 2370).
    opaque-as <address_ipv4>  Type opaque-as <address_ipv4> to show information about opaque Type 11 LSAs (see RFC 2370), which are flooded throughout the AS.
    opaque-link <address_ipv4>  Type opaque-link <address_ipv4> to show information about opaque Type 9 (link-local) LSAs (see RFC 2370).
    router <target>  Type router to show information about router LSAs.
    self-originate  Type self-originate to show self-originated LSAs.
    summary <target>  Type summary to show information about summary LSAs.
interface [<interface_name>]  Show the status of one or all FortiGate interfaces and whether OSPF is enabled on those interfaces.
neighbor [all | <neighbor_id> | detail | detail all | interface <address_ipv4>]  Show general information about OSPF neighbors, excluding down-status neighbors:
    Type all to show information about all neighbors, including down-status neighbors.
    Type <neighbor_id> to show detailed information about the specified neighbor only.
    Type detail to show detailed information about all neighbors, excluding down-status neighbors.
    Type detail all to show detailed information about all neighbors, including down-status neighbors.
    Type interface <address_ipv4> to show neighbor information based on the FortiGate interface IP address that was used to establish the neighbor's relationship.
route  Show the OSPF routing table.
status  Show general information about the OSPF routing processes.
virtual-links  Show information about OSPF virtual links.
router info protocols
Use this command to show the current states of active routing protocols. Inactive protocols are not displayed.
Syntax
get router info protocols
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing:
Default version control: send version 2, receive version 2
Interface Send Recv Key-chain
Routing for Networks:
Routing Information Sources:
Gateway Distance Last Update Bad Packets Bad Routes
Distance: (default is 120)
Routing Protocol is "ospf 0"
Invalid after 0 seconds, hold down 0, flushed after 0
Outgoing update filter list for all interfaces is
Incoming update filter list for all interfaces is
Redistributing:
Routing for Networks:
Routing Information Sources: Gateway Distance Last Update
Distance: (default is 110) Address Mask Distance List
Routing Protocol is "bgp 5"
IGP synchronization is disabled
Automatic route summarization is disabled
Default local-preference applied to incoming route is 100
Redistributing:
Neighbor(s):
Address AddressFamily FiltIn FiltOut DistIn DistOut RouteMapIn RouteMapOut Weight
[Link] unicast
router info rip
Use this command to display information about the RIP configuration.
Syntax
get router info rip <keyword>
<keyword> Description
database  Show the entries in the RIP routing database.
interface [<interface_name>]  Show the status of the specified FortiGate unit interface and whether RIP is enabled. If interface is used alone it lists all the FortiGate unit interfaces and whether RIP is enabled on each.
router info routing-table
Use this command to display the routes in the routing table.
Syntax
get router info routing-table <keyword>
<keyword> Description
all Show all entries in the routing table.
bgp Show the BGP routes in the routing table.
connected Show the connected routes in the routing table.
database Show the routing information database.
details [<address_ipv4mask>]  Show detailed information about a route in the routing table, including the next-hop routers, metrics, outgoing interfaces, and protocol-specific information.
ospf Show the OSPF routes in the routing table.
rip Show the RIP routes in the routing table.
static Show the static routes in the routing table.
router info vrrp
Use this command to display information about the VRRP configuration.
Syntax
get router info vrrp
Example output
Interface: port1, primary IP address: [Link]
VRID: 1
vrip: [Link], priority: 100, state: BACKUP
adv_interval: 1, preempt: 1, start_time: 3
vrdst: [Link]
router info6 bgp
Use this command to display information about the BGP IPv6 configuration.
Syntax
get router info6 bgp <keyword>
<keyword> Description
community  Show all BGP routes having their COMMUNITY attribute set.
community-list  Show all routes belonging to configured BGP community lists.
dampening {dampened-paths | flap-statistics | parameters}  Display information about dampening:
    Type dampened-paths to show all paths that have been suppressed due to flapping.
    Type flap-statistics to show flap statistics related to BGP routes.
    Type parameters to show the current dampening settings.
filter-list  Show all routes matching configured AS-path lists.
inconsistent-as  Show all routes associated with inconsistent autonomous systems of origin.
neighbors [<address_ipv6mask>]  Show information about connections to TCP and BGP neighbors.
network [<address_ipv6mask>]  Show general information about the configured BGP networks, including their network addresses and associated prefixes.
network-longer-prefixes <address_ipv6mask>  Show general information about the BGP route that you specify (for example, [Link]/14) and any specific routes associated with the prefix.
paths  Show general information about BGP AS paths, including their associated network addresses.
prefix-list <name>  Show all routes matching configured prefix list <name>.
quote-regexp <regexp_str>  Enter the regular expression to compare to the AS_PATH attribute of BGP routes (for example, ^730$) and enable the use of output modifiers (for example, include, exclude, and begin) to search the results.
regexp <regexp_str>  Enter the regular expression to compare to the AS_PATH attribute of BGP routes (for example, ^730$).
route-map  Show all routes matching configured route maps.
summary  Show information about BGP neighbor status.
router info6 interface
Use this command to display information about IPv6 interfaces.
Syntax
get router info6 interface <interface_name>
Example output
The command returns the status of the interface and the assigned IPv6 address.
dmz2 [administratively down/down]
[Link]
fe80::209:fff:fe04:4cfd
router info6 kernel
Use this command to display the FortiGate kernel routing table. The kernel routing table displays information
about all of the routes in the kernel.
Syntax
get router info6 kernel
router info6 ospf
Use this command to display information about the OSPF IPv6 configuration.
Syntax
get router info6 ospf
router info6 protocols
Use this command to display information about the configuration of all IPv6 dynamic routing protocols.
Syntax
get router info6 protocols
router info6 rip
Use this command to display information about the RIPng configuration.
Syntax
get router info6 rip
router info6 routing-table
Use this command to display the routes in the IPv6 routing table.
Syntax
get router info6 routing-table <item>
where <item> is one of the following:
Variable Description
<ipv6_ip> Destination IPv6 address or prefix.
bgp Show BGP routing table entries.
connected Show connected routing table entries.
database Show routing information base.
ospf Show OSPF routing table entries.
rip Show RIP routing table entries.
static Show static routing table entries.
system admin list
View a list of all the current administration sessions.
Syntax
get system admin list
Example output
# get system admin list
username local device remote started
admin sshv2 port1:[Link]:22 [Link]:4167 2006-08-09 [Link]
admin https port1:[Link]:443 [Link]:56365 2006-08-09 [Link]
admin https port1:[Link]:443 [Link]:4214 2006-08-09 [Link]
Variable Description
username  Name of the admin account for this session.
local  The protocol this session used to connect to the FortiGate unit.
device  The interface, IP address, and port used by this session to connect to the FortiGate unit.
remote  The IP address and port used by the originating computer to connect to the FortiGate unit.
started  The time the current session started.
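An added example (not part of the FortiOS CLI Reference) that parses the get system admin list output above and flags administrator sessions whose remote address lies outside an approved management network. The session lines, addresses and times are constructed to match the column layout shown; the allowed network is an assumption.

```python
"""Audit 'get system admin list' output for sessions from unexpected hosts.

Added example, not FortiOS code. The sample output below is constructed
in the column layout the reference shows: username, local (protocol),
device (interface:ip:port on the FortiGate), remote (ip:port of the
originating computer) and started (date and time).
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample, mirroring '# get system admin list' output.
SAMPLE_OUTPUT = """\
# get system admin list
username local device remote started
admin sshv2 port1:192.0.2.1:22 192.0.2.50:4167 2006-08-09 12:24:20
admin https port1:192.0.2.1:443 192.0.2.50:56365 2006-08-09 12:25:01
admin https port1:192.0.2.1:443 198.51.100.7:4214 2006-08-09 12:26:14
"""


@dataclass
class AdminSession:
    username: str
    local: str      # protocol used to connect: sshv2, https, ...
    device: str     # interface:ip:port on the FortiGate unit
    remote: str     # ip:port of the originating computer
    started: str    # "YYYY-MM-DD HH:MM:SS"

    @property
    def remote_ip(self) -> ipaddress.IPv4Address:
        # The remote column is IPv4 "ip:port"; the port is after the last colon.
        host, _, _port = self.remote.rpartition(":")
        return ipaddress.ip_address(host)


def parse_admin_list(text: str) -> List[AdminSession]:
    """Parse the command output, skipping the prompt echo and header row."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("username"):
            continue
        # 'started' contains a space (date and time), so split into exactly
        # five fields and keep the remainder of the line as one value.
        parts = line.split(None, 4)
        if len(parts) != 5:
            raise ValueError(f"unexpected admin list line: {line!r}")
        sessions.append(AdminSession(*parts))
    return sessions


def audit_sessions(sessions: Iterable[AdminSession],
                   allowed_networks: Iterable[str]) -> List[str]:
    """Return one finding per session whose remote IP is in no allowed network."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for s in sessions:
        if not any(s.remote_ip in net for net in nets):
            findings.append(
                f"{s.username} via {s.local} from {s.remote} (started {s.started})"
            )
    return findings


if __name__ == "__main__":
    # Assumed management network; adjust to the site's actual admin subnet.
    for finding in audit_sessions(parse_admin_list(SAMPLE_OUTPUT), ["192.0.2.0/24"]):
        print("unexpected admin session:", finding)
```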
system admin status
View the status of the currently logged in admin and their session.
Syntax
get system admin status
Example
The output looks like this:
# get system admin status
username: admin
login local: sshv2
login device: port1:[Link]:22
login remote: [Link]:4167
login vdom: root
login started: 2006-08-09 [Link]
current time: 2006-08-09 [Link]
Variable Description
username  Name of the admin account currently logged in.
login local  The protocol used to start the current session.
login device  The login information from the FortiGate unit including interface, IP address, and port number.
login remote  The computer the user is logging in from including the IP address and port number.
login vdom  The virtual domain the admin is currently logged into.
login started  The time the current session started.
current time  The current time of day on the FortiGate unit.
system arp
View the ARP table entries on the FortiGate unit.
This command is not available in multiple VDOM mode.
Syntax
get system arp
Example output
# get system arp
Address Age(min) Hardware Addr Interface
[Link] 0 [Link] internal
[Link] 0 [Link] internal
system auto-update
Use this command to display information about the status of FortiGuard updates on the FortiGate unit.
Syntax
get system auto-update status
get system auto-update versions
Example output
get system auto-update status
FDN availability: available at Thu Apr 1 [Link] 2010
Push update: disable
Scheduled update: enable
Update daily: 8:22
Virus definitions update: enable
IPS definitions update: enable
Server override: disable
Push address override: disable
Web proxy tunneling: disable
system central-management
View information about the Central Management System configuration.
Syntax
get system central-management
Example
The output looks like this:
FG600B3908600705 # get system central-management
status : enable
type : fortimanager
auto-backup : disable
schedule-config-restore: enable
schedule-script-restore: enable
allow-push-configuration: enable
allow-pushd-firmware: enable
allow-remote-firmware-upgrade: enable
allow-monitor : enable
fmg : [Link]
vdom : root
authorized-manager-only: enable
serial-number : "FMG-3K2404400063"
system checksum
View the checksums for global, root, and all configurations. These checksums are used by HA to compare the
configurations of each cluster unit.
Syntax
get system checksum status
Example output
# get system checksum status
global: 7a 87 3c 14 93 bc 98 92 b0 58 16 f2 eb bf a4 15
root: bb a4 80 07 42 33 c2 ff f1 b5 6e fe e4 bb 45 fb
all: 1c 28 f1 06 fa 2e bc 1f ed bd 6b 21 f9 4b 12 88
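Because these checksums are what HA compares between cluster units, a quick way to check synchronisation is to parse get system checksum status from two units and report the scopes that differ. This is an added example, not FortiOS code: the first output is the one shown above, the second is constructed with changed root and all checksums to represent an out-of-sync subordinate.

```python
"""Compare 'get system checksum status' output from two HA cluster units.

Added example, not FortiOS code. Each output line is "<scope>: <16 hex
bytes>", one line per scope (global, each VDOM such as root, and all).
"""
import re
from typing import Dict, List

# One checksum line: scope name, colon, space-separated hex byte pairs.
CHECKSUM_LINE = re.compile(r"^(?P<scope>\w+):\s+(?P<hexbytes>(?:[0-9a-f]{2}\s*)+)$", re.I)

# Output shown in the reference for the unit you are logged into.
PRIMARY_OUTPUT = """\
# get system checksum status
global: 7a 87 3c 14 93 bc 98 92 b0 58 16 f2 eb bf a4 15
root: bb a4 80 07 42 33 c2 ff f1 b5 6e fe e4 bb 45 fb
all: 1c 28 f1 06 fa 2e bc 1f ed bd 6b 21 f9 4b 12 88
"""

# Constructed: same global checksum, but root (and therefore all) differ.
SUBORDINATE_OUTPUT = """\
# get system checksum status
global: 7a 87 3c 14 93 bc 98 92 b0 58 16 f2 eb bf a4 15
root: 0c 41 9e 27 b3 55 d1 08 6a 90 2f e3 7b 1d cc 34
all: 5e 02 aa 93 17 c8 40 fb 61 2d 99 e0 a7 3b 08 d6
"""


def parse_checksums(text: str) -> Dict[str, bytes]:
    """Map each scope name to its checksum as raw bytes; ignore prompt lines."""
    sums: Dict[str, bytes] = {}
    for raw in text.splitlines():
        m = CHECKSUM_LINE.match(raw.strip())
        if m:
            sums[m["scope"]] = bytes.fromhex(m["hexbytes"].replace(" ", ""))
    if not sums:
        raise ValueError("no checksum lines found in output")
    return sums


def diff_checksums(a: Dict[str, bytes], b: Dict[str, bytes]) -> List[str]:
    """Return, sorted, the scopes whose checksums differ or exist on one unit only."""
    return sorted(scope for scope in set(a) | set(b) if a.get(scope) != b.get(scope))


if __name__ == "__main__":
    mismatched = diff_checksums(parse_checksums(PRIMARY_OUTPUT),
                                parse_checksums(SUBORDINATE_OUTPUT))
    print("cluster in sync" if not mismatched else f"out of sync: {mismatched}")
```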
system cmdb status
View information about cmdbsvr on the FortiGate unit. FortiManager uses some of this information.
Syntax
get system cmdb status
Example output
# get system cmdb status
version: 1
owner id: 18
update index: 6070
config checksum: 12879299049430971535
last request pid: 68
last request type: 29
last request: 78
Variable Description
version  Version of the cmdb software.
owner id  Process ID of the cmdbsvr daemon.
update index  The update index shows how many changes have been made in cmdb.
config checksum  The config file version used by FortiManager.
last request pid  The last process to access the cmdb.
last request type  Type of the last attempted access of cmdb.
last request  The number of the last attempted access of cmdb.
system fortianalyzer-connectivity
Display connection and remote disk usage information about a connected FortiAnalyzer unit.
Syntax
get system fortianalyzer-connectivity status
Example output
# get system fortianalyzer-connectivity status
Status: connected
Disk Usage: 0%
system fortiguard-log-service status
Command returns information about the status of the FortiGuard Log & Analysis Service including license and
disk information.
Syntax
get system fortiguard-log-service status
Example output
# get system fortiguard-log-service status
FortiGuard Log & Analysis Service
Expire on: 20071231
Total disk quota: 1111 MB
Max daily volume: 111 MB
Current disk quota usage: n/a
system fortiguard-service status
COMMAND REPLACED. Command returns information about the status of the FortiGuard service including the
name, version, last update, method used for the last update and when the update expires. This information is
shown for the AV Engine, virus definitions, attack definitions, and the IPS attack engine.
Syntax
get system fortiguard-service status
Example output
NAME VERSION LAST UPDATE METHOD EXPIRE
AV Engine 2.002 2006-01-26 [Link] manual 2006-06-12 [Link]
Virus Definitions 6.513 2006-06-02 [Link] manual 2006-06-12 [Link]
Attack Definitions 2.299 2006-06-09 [Link] manual 2006-06-12 [Link]
IPS Attack Engine 1.015 2006-05-09 [Link] manual 2006-06-12 [Link]
system ha-nonsync-csum
FortiManager uses this command to obtain a system checksum.
Syntax
get system ha-nonsync-csum
system ha status
Use this command to display information about an HA cluster. The command displays general HA configuration
settings. The command also displays information about how the cluster unit that you have logged into is
operating in the cluster.
Usually you would log into the primary unit CLI using SSH or telnet. In this case the get system ha status
command displays information about the primary unit first, and also displays the HA state of the primary unit (the
primary unit operates in the work state). However, if you log into the primary unit and then use the execute ha
manage command to log into a subordinate unit (or if you use a console connection to log into a subordinate
unit), the get system ha status command displays information about this subordinate unit first, and also
displays the HA state of this subordinate unit. The state of a subordinate unit is work for an active-active cluster
and standby for an active-passive cluster.
For a virtual cluster configuration, the get system ha status command displays information about how the
cluster unit that you have logged into is operating in virtual cluster 1 and virtual cluster 2. For example, if you
connect to the cluster unit that is the primary unit for virtual cluster 1 and the subordinate unit for virtual cluster 2,
the output of the get system ha status command shows virtual cluster 1 in the work state and virtual
cluster 2 in the standby state. The get system ha status command also displays additional information
about virtual cluster 1 and virtual cluster 2.
Syntax
get system ha status
The command display includes the following fields. For more information see the examples that follow.
Variable Description
Model  The FortiGate model number.
Mode  The HA mode of the cluster: a-a or a-p.
Group  The group ID of the cluster.
Debug  The debug status of the cluster.
ses_pickup  The status of session pickup: enable or disable.
load_balance  The status of the load-balance-all field: enable or disable. Displayed for active-active clusters only.
schedule  The active-active load balancing schedule. Displayed for active-active clusters only.
Master / Slave  Master displays the device priority, host name, serial number, and actual cluster index of the primary (or master) unit. Slave displays the device priority, host name, serial number, and actual cluster index of the subordinate (or slave, or backup) unit or units.
    The list of cluster units changes depending on how you log into the CLI. Usually you would use SSH or telnet to log into the primary unit CLI. In this case the primary unit would be at the top of the list followed by the other cluster units.
    If you use execute ha manage or a console connection to log into a subordinate unit CLI, and then enter get system ha status, the subordinate unit that you have logged into appears at the top of the list of cluster units.
number of vcluster  The number of virtual clusters. If virtual domains are not enabled, the cluster has one virtual cluster. If virtual domains are enabled, the cluster has two virtual clusters.
vcluster 1  The HA state (hello, work, or standby) and HA heartbeat IP address of the cluster unit that you have logged into in virtual cluster 1. If virtual domains are not enabled, vcluster 1 displays information for the cluster. If virtual domains are enabled, vcluster 1 displays information for virtual cluster 1. The HA heartbeat IP address is [Link] if you are logged into the primary unit of virtual cluster 1 and [Link] if you are logged into a subordinate unit of virtual cluster 1.
    vcluster 1 also lists the primary unit (master) and subordinate units (slave) in virtual cluster 1. The list includes the operating cluster index and serial number of each cluster unit in virtual cluster 1. The cluster unit that you have logged into is at the top of the list.
    If virtual domains are not enabled and you connect to the primary unit CLI, the HA state of the cluster unit in virtual cluster 1 is work. The display lists the cluster units starting with the primary unit.
    If virtual domains are not enabled and you connect to a subordinate unit CLI, the HA state of the cluster unit in virtual cluster 1 is standby. The display lists the cluster units starting with the subordinate unit that you have logged into.
    If virtual domains are enabled and you connect to the virtual cluster 1 primary unit CLI, the HA state of the cluster unit in virtual cluster 1 is work. The display lists the cluster units starting with the virtual cluster 1 primary unit.
    If virtual domains are enabled and you connect to the virtual cluster 1 subordinate unit CLI, the HA state of the cluster unit in virtual cluster 1 is standby. The display lists the cluster units starting with the subordinate unit that you are logged into.
    In a cluster consisting of two cluster units operating without virtual domains enabled, all clustering actually takes place in virtual cluster 1. HA is designed to work this way to support virtual clustering. If this cluster was operating with virtual domains enabled, adding virtual cluster 2 is similar to adding a new copy of virtual cluster 1. Virtual cluster 2 is visible in the get system ha status command output when you add virtual domains to virtual cluster 2.
vcluster 2  vcluster 2 only appears if virtual domains are enabled. vcluster 2 displays the HA state (hello, work, or standby) and HA heartbeat IP address of the cluster unit that you have logged into in virtual cluster 2. The HA heartbeat IP address is [Link] if you are logged into the primary unit of virtual cluster 2 and [Link] if you are logged into a subordinate unit of virtual cluster 2.
    vcluster 2 also lists the primary unit (master) and subordinate units (slave) in virtual cluster 2. The list includes the cluster index and serial number of each cluster unit in virtual cluster 2. The cluster unit that you have logged into is at the top of the list.
    If you connect to the virtual cluster 2 primary unit CLI, the HA state of the cluster unit in virtual cluster 2 is work. The display lists the cluster units starting with the virtual cluster 2 primary unit.
    If you connect to the virtual cluster 2 subordinate unit CLI, the HA state of the cluster unit in virtual cluster 2 is standby. The display lists the cluster units starting with the subordinate unit that you are logged into.
system info admin status
Use this command to display administrators that are logged into the FortiGate unit.
Syntax
get system info admin status
Example
This shows sample output.
Index User name Login type From
0 admin CLI ssh([Link])
1 admin WEB [Link]
Variable Description
Index The order the administrators logged in.
User name The name of the user account logged in.
Login type Which interface was used to log in.
From The IP address this user logged in from.
Related topics
"system info admin ssh" on page 106
system info admin ssh
Use this command to display information about the SSH configuration on the FortiGate unit such as:
the SSH port number
the interfaces with SSH enabled
the hostkey DSA fingerprint
the hostkey RSA fingerprint
Syntax
get system info admin ssh
Example output
# get system info admin ssh
SSH v2 is enabled on port 22
SSH is enabled on the following 1 interfaces:
internal
SSH hostkey DSA fingerprint = [Link]
SSH hostkey RSA fingerprint = [Link]
system interface physical
Use this command to list information about the unit’s physical network interfaces.
Syntax
get system interface physical
The output looks like this:
# get system interface physical
== [onboard]
==[dmz1]
mode: static
ip: [Link] [Link]
status: down
speed: n/a
==[dmz2]
mode: static
ip: [Link] [Link]
status: down
speed: n/a
==[internal]
mode: static
ip: [Link] [Link]
status: up
speed: 100
==[wan1]
mode: pppoe
ip: [Link] [Link]
status: down
speed: n/a
==[wan2]
mode: static
ip: [Link] [Link]
status: down
speed: n/a
==[modem]
mode: static
ip: [Link] [Link]
status: down
speed: n/a
system mgmt-csum
FortiManager uses this command to obtain checksum information from FortiGate units.
Syntax
get system mgmt-csum {global | vdom | all}
where
global retrieves global object checksums
vdom retrieves VDOM object checksums
all retrieves all object checksums.
system performance firewall
Use this command to display packet distribution and traffic statistics information for the FortiGate firewall.
Syntax
get system performance firewall packet-distribution
get system performance firewall statistics
Variable Description
packet-distribution Display a list of packet size ranges and the number of packets of each size accepted by the firewall since the system restarted. You can use this information to learn about the packet size distribution on your network. Note: these counts do not include packets offloaded to the NPU.
statistics Display a list of traffic types (browsing, email, DNS etc) and the number of packets and number of payload bytes accepted by the firewall for each type since the FortiGate unit was restarted.
Example output
get system performance firewall packet-distribution
getting packet distribution statistics...
0 bytes - 63 bytes: 655283 packets
64 bytes - 127 bytes: 1678278 packets
128 bytes - 255 bytes: 58823 packets
256 bytes - 383 bytes: 70432 packets
384 bytes - 511 bytes: 1610 packets
512 bytes - 767 bytes: 3238 packets
768 bytes - 1023 bytes: 7293 packets
1024 bytes - 1279 bytes: 18865 packets
1280 bytes - 1500 bytes: 58193 packets
> 1500 bytes: 0 packets
get system performance firewall statistics
getting traffic statistics...
Browsing: 623738 packets, 484357448 bytes
DNS: 5129187383836672 packets, 182703613804544 bytes
E-Mail: 23053606 packets, 2 bytes
FTP: 0 packets, 0 bytes
Gaming: 0 packets, 0 bytes
IM: 0 packets, 0 bytes
Newsgroups: 0 packets, 0 bytes
P2P: 0 packets, 0 bytes
Streaming: 0 packets, 0 bytes
TFTP: 654722117362778112 packets, 674223966126080 bytes
VoIP: 16834455 packets, 10 bytes
Generic TCP: 266287972352 packets, 8521215115264 bytes
Generic UDP: 0 packets, 0 bytes
Generic ICMP: 0 packets, 0 bytes
Generic IP: 0 packets, 0 bytes
system performance status
Use this command to display FortiGate CPU usage, memory usage, network usage, sessions, virus, IPS attacks,
and system up time.
Syntax
get system performance status
Variable Description
CPU states The percentages of CPU cycles used by the user, system, nice and idle categories of processes. These categories are:
user - CPU usage of normal user-space processes
system - CPU usage of the kernel
nice - CPU usage of user-space processes having other-than-normal running priority
idle - Idle CPU cycles
Adding user, system, and nice produces the total CPU usage as seen on the CPU widget on the web-based system status dashboard.
Memory states The percentage of memory used.
Average network usage The average amount of network traffic in kbps in the last 1, 10 and 30 minutes.
Average sessions The average number of sessions connected to the FortiGate unit over the last 1, 10 and 30 minutes.
Virus caught The number of viruses the FortiGate unit has caught in the last 1 minute.
IPS attacks blocked The number of IPS attacks that have been blocked in the last 1 minute.
Uptime How long since the FortiGate unit has been restarted.
Example output
# get system performance status
CPU states: 0% user 0% system 0% nice 100% idle
Memory states: 18% used
Average network usage: 0 kbps in 1 minute, 0 kbps in 10 minutes, 1 kbps in 30 minutes
Average sessions: 5 sessions in 1 minute, 6 sessions in 10 minutes, 5 sessions in 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 9days, 22 hours, 0 minutes
system performance top
Use this command to display the list of processes running on the FortiGate unit (similar to the Linux top
command).
You can use the following commands when get system performance top is running:
• Press Q or Ctrl+C to quit.
• Press P to sort the processes by the amount of CPU that the processes are using.
• Press M to sort the processes by the amount of memory that the processes are using.
Syntax
get system performance top [<delay_int> [<max_lines_int>]]
Variable Description
<delay_int> The delay, in seconds, between updates of the process list. The default is 5 seconds.
<max_lines_int> The maximum number of processes displayed in the output. The default is 20 lines.
system session list
This command returns a list of all the sessions active on the FortiGate unit, or on the current virtual domain if virtual domain mode is enabled.
Syntax
get system session list
Example output
PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT
tcp 0 [Link]:1083 - [Link]:514 -
tcp 0 [Link]:1085 - [Link]:514 -
tcp 10 [Link]:1087 - [Link]:514 -
tcp 20 [Link]:1089 - [Link]:514 -
tcp 30 [Link]:1091 - [Link]:514 -
tcp 40 [Link]:1093 - [Link]:514 -
tcp 60 [Link]:1097 - [Link]:514 -
tcp 70 [Link]:1099 - [Link]:514 -
tcp 80 [Link]:1101 - [Link]:514 -
tcp 90 [Link]:1103 - [Link]:514 -
tcp 100 [Link]:1105 - [Link]:514 -
tcp 110 [Link]:1107 - [Link]:514 -
tcp 103 [Link]:3548 - [Link]:22 -
tcp 3600 [Link]:3550 - [Link]:22 -
udp 175 [Link]:1026 - [Link]:53 -
tcp 5 [Link]:1084 - [Link]:514 -
tcp 5 [Link]:1086 - [Link]:514 -
tcp 15 [Link]:1088 - [Link]:514 -
tcp 25 [Link]:1090 - [Link]:514 -
tcp 45 [Link]:1094 - [Link]:514 -
tcp 59 [Link]:1098 - [Link]:514 -
tcp 69 [Link]:1100 - [Link]:514 -
tcp 79 [Link]:1102 - [Link]:514 -
tcp 99 [Link]:1106 - [Link]:514 -
tcp 109 [Link]:1108 - [Link]:514 -
tcp 119 [Link]:1110 - [Link]:514 -
Variable Description
PROTO The transfer protocol of the session.
EXPIRE How long before this session will terminate.
SOURCE The source IP address and port number.
SOURCE-NAT The source of the NAT. ‘-’ indicates there is no NAT.
DESTINATION The destination IP address and port number.
DESTINATION-NAT The destination of the NAT. ‘-’ indicates there is no NAT.
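Added example, not Fortinet's code: a Python parser for the get system session list table above. It reads the six columns, treats ‘-’ in the NAT columns as "no NAT" as the table describes, and summarises sessions by destination service, NAT use and remaining lifetime. The sample rows are constructed, since the page does not show real addresses.

```python
from collections import Counter

# Constructed sample of `get system session list` output in the page's
# column layout; addresses are RFC 5737 documentation addresses.
SAMPLE_SESSION_LIST = """\
PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT
tcp 0 192.0.2.11:1083 - 198.51.100.5:514 -
tcp 10 192.0.2.11:1087 - 198.51.100.5:514 -
tcp 3600 192.0.2.12:3550 203.0.113.1:40001 198.51.100.20:22 -
udp 175 192.0.2.13:1026 - 198.51.100.53:53 -
tcp 103 192.0.2.14:3548 - 198.51.100.20:22 -
"""


def _endpoint(token):
    """'ip:port' -> (ip, port); a bare '-' (no NAT) -> None."""
    if token == "-":
        return None
    ip, _, port = token.rpartition(":")
    return ip, int(port)


def parse_session_list(text):
    """Return one dict per session row; the header line is skipped."""
    sessions = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] == "PROTO":
            continue
        proto, expire, src, snat, dst, dnat = fields
        sessions.append({
            "proto": proto,
            "expire": int(expire),      # seconds until the session terminates
            "src": _endpoint(src),
            "src_nat": _endpoint(snat),
            "dst": _endpoint(dst),
            "dst_nat": _endpoint(dnat),
        })
    return sessions


def sessions_by_service(sessions):
    """Count sessions per (protocol, destination port), e.g. ('tcp', 514)."""
    return Counter((s["proto"], s["dst"][1]) for s in sessions)


def natted_sessions(sessions):
    """Sessions that carry a source or destination NAT mapping."""
    return [s for s in sessions if s["src_nat"] or s["dst_nat"]]


def expiring_within(sessions, seconds):
    """Sessions whose EXPIRE value is at most `seconds`."""
    return [s for s in sessions if s["expire"] <= seconds]


if __name__ == "__main__":
    ss = parse_session_list(SAMPLE_SESSION_LIST)
    for (proto, port), n in sessions_by_service(ss).most_common():
        print(f"{proto}/{port}: {n} session(s)")
    print(f"{len(natted_sessions(ss))} NAT session(s), "
          f"{len(expiring_within(ss, 10))} expiring within 10 s")
```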
system session status
Use this command to display the number of active sessions on the FortiGate unit or, if virtual domain mode is enabled, the number of active sessions on the current VDOM. In both situations the output refers to ‘the current VDOM’.
Syntax
get system session status
Example output
The total number of sessions for the current VDOM: 3100
system session-helper-info list
Use this command to list the FortiGate session helpers and the protocol and port number configured for each
one.
Syntax
get system session-helper-info list
Example output
list builtin help module:
mgcp
dcerpc
rsh
pmap
dns-tcp
dns-udp
rtsp
pptp
sip
mms
tns
h245
h323
ras
tftp
ftp
list session help:
help=pmap, protocol=17 port=111
help=rtsp, protocol=6 port=8554
help=rtsp, protocol=6 port=554
help=pptp, protocol=6 port=1723
help=rtsp, protocol=6 port=7070
help=sip, protocol=17 port=5060
help=pmap, protocol=6 port=111
help=rsh, protocol=6 port=512
help=dns-udp, protocol=17 port=53
help=tftp, protocol=17 port=69
help=tns, protocol=6 port=1521
help=mgcp, protocol=17 port=2727
help=dcerpc, protocol=17 port=135
help=rsh, protocol=6 port=514
help=ras, protocol=17 port=1719
help=ftp, protocol=6 port=21
help=mgcp, protocol=17 port=2427
help=dcerpc, protocol=6 port=135
help=mms, protocol=6 port=1863
help=h323, protocol=6 port=1720
system session-info
Use this command to display session information.
Syntax
get system session-info expectation
get system session-info full-stat
get system session-info list
get system session-info statistics
get system session-info ttl
Variable Description
expectation Display expectation sessions.
full-stat Display detailed information about the FortiGate session table including a session table and expect session table summary, firewall error statistics, and other information.
list Display detailed information about all current FortiGate sessions. For each session the command displays the protocol number, traffic shaping information, policy information, state information, statistics and other information.
statistics Display the same information as the full-stat command except for the session table and expect session table summary.
ttl Display the current setting of the config system session-ttl command including the overall session timeout as well as the timeouts for specific protocols.
Example output
get system session-info statistics
misc info: session_count=15 exp_count=0 clash=0 memory_tension_drop=0 ephemeral=1/32752 removeable=14
delete=0, flush=0, dev_down=0/0
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000
tt=00000000
cont=00000000
ids_recv=00000000
url_recv=00000000
av_recv=00000000
fqdn_count=00000001
tcp reset stat:
syncqf=0 acceptqf=0 no-listener=227 data=0 ses=0 ips=0
global: ses_limit=0 ses6_limit=0 rt_limit=0 rt6_limit=0
system source-ip
Use this command to list defined source-IPs.
Syntax
get system source-ip
Example output
# get sys source-ip status
The following services force their communication to use
a specific source IP address:
service=NTP source-ip=[Link]
service=DNS source-ip=[Link]
vdom=root service=RADIUS name=server-pc25 source-ip=[Link]
vdom=root service=TACACS+ name=tac_plus_pc25 source-ip=[Link]
vdom=root service=FSAE name=pc26 source-ip=[Link]
vdom=V1 service=RADIUS name=pc25-Radius source-ip=[Link]
vdom=V1 service=TACACS+ name=pc25-tacacs+ source-ip=[Link]
vdom=V1 service=FSAE name=pc16 source-ip=[Link]
system startup-error-log
Use this command to display information about system startup errors. This command only displays information if
an error occurs when the FortiGate unit starts up.
Syntax
get system startup-error-log
system status
Use this command to display system status information including:
FortiGate firmware version, build number and branch point
virus and attack definitions version
FortiGate unit serial number and BIOS version
log hard disk availability
host name
operation mode
virtual domains status: current VDOM, max number of VDOMs, number of NAT and TP mode VDOMs and
VDOM status
current HA status
system time
the revision of the WiFi chip in a FortiWiFi unit
Syntax
get system status
Example output
Version: Fortigate-620B v4.0,build0271,100330 (MR2)
Virus-DB: 11.00643(2010-03-31 17:49)
Extended DB: 11.00643(2010-03-31 17:50)
Extreme DB: 0.00000(2003-01-01 00:00)
IPS-DB: 2.00778(2010-03-31 12:55)
FortiClient application signature package: 1.167(2010-04-01 10:11)
Serial-Number: FG600B3908600705
BIOS version: 04000006
Log hard disk: Available
Hostname: 620_ha_1
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: a-p, master
Distribution: International
Branch point: 271
Release Version Information: MR2
System time: Thu Apr 1 [Link] 2010
test
Use this command to display information about FortiGate applications and perform operations on FortiGate
applications. You can specify an application name and a test level. Enter ? to display the list of applications. The
test level performs various functions depending on the application but can include displaying memory usage,
dropping connections and restarting the application.
The test levels are different for different applications. In some cases when you enter the command and include
an application name but no test level (or an invalid test level) the command output includes a list of valid test
levels.
Syntax
get test <application_name_str> <test_level_int>
Example output
get test http
Proxy Worker 0 - http
[0:H] HTTP Proxy Test Usage
[0:H]
[0:H] 2: Drop all connections
[0:H] 22: Drop max idle connections
[0:H] 222: Drop all idle connections
[0:H] 4: Display connection stat
[0:H] 44: Display info per connection
[0:H] 444: Display connections per state
[0:H] 4444: Display per-VDOM statistics
[0:H] 44444: Display information about idle connections
[0:H] 55: Display tcp info per connection
get test http 4
HTTP Common
Current Connections 0/8032
HTTP Stat
Bytes sent 0 (kb)
Bytes received 0 (kb)
Error Count (alloc) 0
Error Count (accept) 0
Error Count (bind) 0
Error Count (connect) 0
Error Count (socket) 0
Error Count (read) 0
Error Count (write) 0
Error Count (retry) 0
Error Count (poll) 0
Error Count (scan reset) 0
Error Count (urlfilter wait) 0
Last Error 0
Web responses clean 0
Web responses scan errors 0
Web responses detected 0
Web responses infected with worms 0
Web responses infected with viruses 0
Web responses infected with susp 0
Web responses file blocked 0
Web responses file exempt 0
Web responses bannedword detected 0
Web requests oversize pass 0
Web requests oversize block 0
URL requests exempt 0
URL requests blocked 0
URL requests passed 0
URL requests submit error 0
URL requests rating error 0
URL requests rating block 0
URL requests rating allow 0
URL requests infected with worms 0
Web requests detected 0
Web requests file blocked 0
Web requests file exempt 0
POST requests clean 0
POST requests scan errors 0
POST requests infected with viruses 0
POST requests infected with susp 0
POST requests file blocked 0
POST requests bannedword detected 0
POST requests oversize pass 0
POST requests oversize block 0
Web request backlog drop 0
Web response backlog drop 0
HTTP Accounting
setup_ok=0 setup_fail=0 conn_ok=0 conn_inp=0
urlfilter=0/0/0 uf_lookupf=0
scan=0 clt=0 srv=0
user adgrp
Use this command to list Directory Service user groups.
Syntax
get user adgrp [<dsgroupname>]
If you do not specify a group name, the command returns information for all Directory Service groups. For
example:
== [ DOCTEST/Cert Publishers ]
name: DOCTEST/Cert Publishers server-name: DSserv1
== [ DOCTEST/Developers ]
name: DOCTEST/Developers server-name: DSserv1
== [ DOCTEST/Domain Admins ]
name: DOCTEST/Domain Admins server-name: DSserv1
== [ DOCTEST/Domain Computers ]
name: DOCTEST/Domain Computers server-name: DSserv1
== [ DOCTEST/Domain Controllers ]
name: DOCTEST/Domain Controllers server-name: DSserv1
== [ DOCTEST/Domain Guests ]
name: DOCTEST/Domain Guests server-name: DSserv1
== [ DOCTEST/Domain Users ]
name: DOCTEST/Domain Users server-name: DSserv1
== [ DOCTEST/Enterprise Admins ]
name: DOCTEST/Enterprise Admins server-name: DSserv1
== [ DOCTEST/Group Policy Creator Owners ]
name: DOCTEST/Group Policy Creator Owners server-name: DSserv1
== [ DOCTEST/Schema Admins ]
name: DOCTEST/Schema Admins server-name: DSserv1
If you specify a Directory Service group name, the command returns information for only that group. For example:
name : DOCTEST/Developers
server-name : ADserv1
The server-name is the name you assigned to the Directory Service server when you configured it in the user
fsae command.
vpn ike gateway
Use this command to display information about FortiGate IPsec VPN IKE gateways.
Syntax
get vpn ike gateway [<gateway_name_str>]
vpn ipsec tunnel details
Use this command to display information about IPsec tunnels.
Syntax
get vpn ipsec tunnel details
vpn ipsec tunnel name
Use this command to display information about a specified IPsec VPN tunnel.
Syntax
get vpn ipsec tunnel name <tunnel_name_str>
vpn ipsec stats crypto
Use this command to display information about the FortiGate hardware and software crypto configuration.
Syntax
get vpn ipsec stats crypto
Example output
get vpn ipsec stats crypto
IPsec crypto devices in use:
CP6 (encrypted/decrypted):
null: 0 0
des: 0 0
3des: 0 0
aes: 0 0
CP6 (generated/validated):
null: 0 0
md5: 0 0
sha1: 0 0
sha256: 0 0
SOFTWARE (encrypted/decrypted):
null: 0 0
des: 0 0
3des: 0 0
aes: 0 0
SOFTWARE (generated/validated):
null: 0 0
md5: 0 0
sha1: 0 0
sha256: 0 0
vpn ipsec stats tunnel
Use this command to view information about IPsec tunnels.
Syntax
get vpn ipsec stats tunnel
Example output
#get vpn ipsec stats tunnel
tunnels
total: 0
static/ddns: 0
dynamic: 0
manual: 0
errors: 0
selectors
total: 0
up: 0
vpn ssl monitor
Use this command to display information about logged in SSL VPN users and current SSL VPN sessions.
Syntax
get vpn ssl monitor
Example output
vpn status l2tp
Use this command to display information about L2TP tunnels.
Syntax
get vpn status l2tp
vpn status pptp
Use this command to display information about PPTP tunnels.
Syntax
get vpn status pptp
vpn status ssl
Use this command to display SSL VPN tunnels and to also verify that the FortiGate unit includes the CP6 or
greater FortiASIC device that supports SSL acceleration.
Syntax
get vpn status ssl hw-acceleration-status
get vpn status ssl list
Variable Description
hw-acceleration-status Display whether or not the FortiGate unit contains a FortiASIC device that supports SSL acceleration.
list Display information about all configured SSL VPN tunnels.
webfilter ftgd-statistics
Use this command to display FortiGuard Web Filtering rating cache and daemon statistics.
Syntax
get webfilter ftgd-statistics
Example output
get webfilter ftgd-statistics
Rating Statistics:
=====================
DNS failures : 0
DNS lookups : 0
Data send failures : 0
Data read failures : 0
Wrong package type : 0
Hash table miss : 0
Unknown server : 0
Incorrect CRC : 0
Proxy request failures : 0
Request timeout : 0
Total requests : 0
Requests to FortiGuard servers : 0
Server errored responses : 0
Relayed rating : 0
Invalid profile : 0
Allowed : 0
Blocked : 0
Logged : 0
Errors : 0
Cache Statistics:
=====================
Maximum memory : 0
Memory usage : 0
Nodes : 0
Leaves : 0
Prefix nodes : 0
Exact nodes : 0
Requests : 0
Misses : 0
Hits : 0
Prefix hits : 0
Exact hits : 0
No cache directives : 0
Add after prefix : 0
Invalid DB put : 0
DB updates : 0
Percent full : 0%
Branches : 0%
Leaves : 0%
Prefix nodes : 0%
Exact nodes : 0%
Miss rate : 0%
Hit rate : 0%
Prefix hits : 0%
Exact hits : 0%
webfilter status
Use this command to display FortiGate Web Filtering rating information.
Syntax
get webfilter status [<refresh-rate_int>]
wireless-controller client-info
Use this command to get information about WiFi clients.
Syntax
get wireless-controller client-info <vfid> <interface> <client_ip>
The output looks like this:
# get wireless-controller client-info 0 test-local [Link]
count=1
status: sta_mac=[Link] ap_sn=FP320C3X14006184, ap_name=FP320C3X14006184,
chan=6, radio_type=11N
wireless-controller rf-analysis
Use this command to show information about RF conditions at the access point.
Syntax
get wireless-controller rf-analysis [<wtp_id>]
Example output
# get wireless-controller rf-analysis
<wtp-id> wtp id
FWF60C3G11004319 (global) # get wireless-controller rf-analysis
WTP: FWF60C-WIFI0 0-[Link]:15246
channel rssi-total rf-score overlap-ap interfere-ap
1 418 1 24 26
2 109 5 0 34
3 85 7 1 34
4 64 9 0 35
5 101 6 1 35
6 307 1 8 11
7 82 7 0 16
8 69 8 1 15
9 42 10 0 15
10 53 10 0 14
11 182 1 5 6
12 43 10 0 6
13 20 10 0 5
14 8 10 0 5
Controller: FWF60C3G11004319-0
channel rssi_total
1 418
2 109
3 85
4 64
5 101
6 307
7 82
8 69
9 42
10 53
11 182
12 43
13 20
14 8
wireless-controller scan
Use this command to view the list of access points detected by wireless scanning.
Syntax
get wireless-controller scan
Example output
CMW SSID BSSID CHAN RATE S:N INT CAPS ACT LIVE AGE WIRED
UNN [Link] 64 54M 16:0 100 Es N 62576 1668 ?
UNN ftiguest [Link] 157 130M 6:0 100 EPs N 98570 2554 ?
wireless-controller status
Use this command to view the numbers of wtp sessions and clients.
Syntax
get wireless-controller status
Example output
# get wireless-controller status
Wireless Controller :
wtp-session-count: 1
client-count : 1/0
wireless-controller vap-status
Use this command to view information about your SSIDs.
Syntax
get wireless-controller vap-status
Example output
# get wireless-controller vap-status
WLAN: [Link]
name : [Link]
vdom : root
ssid : [Link]
status : up
mesh backhaul : yes
ip : [Link]
mac : [Link]
station info : 0/0
WLAN: wifi
name : wifi
vdom : root
ssid : ft-mesh
status : up
mesh backhaul : yes
ip : [Link]
mac : [Link]
station info : 1/0
wireless-controller wlchanlistlic
Use this command to display a list of the channels allowed in your region, including
the maximum permitted power for each channel
the channels permitted for each wireless type (802.11n, for example)
The list is in XML format.
Syntax
get wireless-controller wlchanlistlic
Sample output
country name: UNITED STATES2, country code:841, iso name:US
channels on 802.11A band without channel bonding:
channel= 36 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 40 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 44 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 48 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel=149 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=153 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=157 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=161 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=165 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channels on 802.11B band without channel bonding:
channel= 1 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 2 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 3 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 4 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 5 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 6 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 7 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 8 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 9 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 10 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 11 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channels on 802.11G band without channel bonding:
channel= 1 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 2 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 3 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 4 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 5 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 6 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 7 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 8 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 9 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 10 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 11 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channels on 802.11N 2.4GHz band without channel bonding:
channel= 1 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 2 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 3 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 4 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 5 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 6 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 7 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 8 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 9 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 10 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 11 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channels on 802.11N 2.4GHz band with channel bonding plus:
channel= 1 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 2 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 3 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 4 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 5 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 6 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 7 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channels on 802.11N 2.4GHz band with channel bonding minus:
channel= 5 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 6 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 7 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 8 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 9 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 10 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 11 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channels on 802.11N 5GHz band without channel bonding:
channel= 36 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 40 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 44 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 48 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel=149 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=153 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=157 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=161 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=165 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channels on 802.11N 5GHz band with channel bonding all:
channel= 36 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 40 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 44 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 48 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel=149 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=153 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=157 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=161 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
wireless-controller wtp-status
Syntax
get wireless-controller wtp-status
Example output
# get wireless-controller wtp-status
WTP: FAP22B3U11005354 0-[Link]:5246
wtp-id : FAP22B3U11005354
region-code :
name :
mesh-uplink : mesh
mesh-downlink : disabled
mesh-hop-count : 1
parent-wtp-id :
software-version :
local-ipv4-addr : [Link]
board-mac : [Link]
join-time : Mon Apr 2 [Link] 2012
connection-state : Disconnected
image-download-progress: 0
last-failure : 0 -- N/A
last-failure-param:
last-failure-time: N/A
Radio 1 : Monitor
Radio 2 : Ap
country-name : NA
country-code : N/A
client-count : 0
base-bssid : [Link]
max-vaps : 7
oper-chan : 0
Radio 3 : Not Exist
WTP: FWF60C-WIFI0 0-[Link]:15246
wtp-id : FWF60C-WIFI0
region-code : ALL
name :
mesh-uplink : ethernet
mesh-downlink : enabled
mesh-hop-count : 0
parent-wtp-id :
software-version : FWF60C-v5.0-build041
local-ipv4-addr : [Link]
board-mac : [Link]
join-time : Mon Apr 2 [Link] 2012
connection-state : Connected
image-download-progress: 0
last-failure : 0 -- N/A
last-failure-param:
last-failure-time: N/A
Radio 1 : Ap
country-name : US
country-code : N/A
client-count : 1
base-bssid : [Link]
max-vaps : 7
oper-chan : 1
Radio 2 : Not Exist
Radio 3 : Not Exist
tree
The tree command displays FortiOS config CLI commands in a tree structure called the configuration tree.
Each configuration command forms a branch of the tree.
Syntax
tree [branch] [sub-branch]
If you enter the tree command from the top of the configuration tree, the command displays the complete
configuration tree. Commands are displayed in the order that they are processed when the FortiGate unit starts
up. For example, the following output shows the first 10 lines of tree command output:
tree
-- -- system -- [vdom] --*name (12)
+- vcluster-id (0,0)
|- <global> -- language
|- gui-ipv6
|- gui-voip-profile
|- gui-lines-per-page (20,1000)
|- admintimeout (0,0)
|- admin-concurrent
|- admin-lockout-threshold (0,0)
|- admin-lockout-duration (1,2147483647)
|- refresh (0,2147483647)
|- interval (0,0)
|- failtime (0,0)
|- daily-restart
|- restart-time
...
You can include a branch name with the tree command to view the commands in that branch:
tree user
-- user -- [radius] --*name (36)
|- server (64)
|- secret
|- secondary-server (64)
|- secondary-secret
...
|- [tacacs+] --*name (36)
|- server (64)
|- secondary-server (64)
|- tertiary-server (64)
...
|- [ldap] --*name (36)
|- server (64)
|- secondary-server (64)
|- tertiary-server (64)
|- port (1,65535)
...
You can include a branch and sub branch name with the tree command to view the commands in that sub branch:
tree user local
-- [local] --*name (36)
|- status
|- type
|- passwd
|- ldap-server (36)
|- radius-server (36)
+- tacacs+-server (36)
...
If you enter the tree command from inside the configuration tree the command displays the tree for the
current command:
config user ldap
tree
-- [ldap] --*name (36)
|- server (64)
|- cnid (21)
|- dn (512)
|- port (1,65535)
|- type
...
The tree command output includes information about field limits. These apply in both the CLI and the
web-based manager. For a numeric field, the two numbers in parentheses show the lower and upper limits. For
example (0,32) indicates that values from 0 to 32 inclusive are accepted. For string values, the number in
parentheses is one more than the maximum number of characters permitted.
In the following example, the FQDN can contain up to 255 characters.
config firewall address
tree
-- [address] --*name (64)
|- subnet
|- type
|- start-ip
|- end-ip
|- fqdn (256)
|- country (3)
|- cache-ttl (0,86400)
|- wildcard
|- comment
|- visibility
|- associated-interface (36)
|- color (0,32)
+- [tags] --*name (64)
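Added example, not Fortinet's code: a Python parser that reads tree output such as the firewall address example above and applies the field-limit rules just described, so a planned configuration value can be checked before it is entered. The sample tree text is constructed in the shape of the page's example; the table.field keys and the limit tuples are this example's own convention.

```python
import re

# Constructed sample of `tree` output for `config firewall address`, in the
# shape the page shows; the limits are those printed in the page's example.
SAMPLE_TREE = """\
-- [address] --*name (64)
           |- subnet
           |- type
           |- fqdn (256)
           |- country (3)
           |- cache-ttl (0,86400)
           |- comment
           |- associated-interface (36)
           |- color (0,32)
           +- [tags] --*name (64)
"""

# A '[table]' token starts a new (sub)table; later fields belong to it.
TABLE_RE = re.compile(r"\[([\w+-]+)\]")
# Trailing 'field', 'field (n)' or 'field (lo,hi)' at the end of a tree line.
LIMIT_RE = re.compile(r"\*?([\w+-]+)\s*(?:\((\d+)(?:,(\d+))?\))?\s*$")


def parse_tree_limits(text):
    """Map 'table.field' -> limit tuple derived from the tree output.

    ('int', lo, hi)  for '(lo,hi)': values lo..hi inclusive are accepted
    ('str', maxlen)  for '(n)':     n is one more than the permitted length
    ('enum',)        for no parentheses: option/boolean fields, no limit shown
    """
    limits, table = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        t = TABLE_RE.search(line)
        if t:
            table = t.group(1)
        m = LIMIT_RE.search(line)
        if not m or table is None:
            continue
        field, a, b = m.groups()
        key = f"{table}.{field}"
        if a is None:
            limits[key] = ("enum",)
        elif b is None:
            limits[key] = ("str", int(a) - 1)
        else:
            limits[key] = ("int", int(a), int(b))
    return limits


def value_fits(limits, key, value):
    """True when `value` is within the limit the tree printed for `key`."""
    kind = limits[key]
    if kind[0] == "int":
        return kind[1] <= int(value) <= kind[2]
    if kind[0] == "str":
        return len(str(value)) <= kind[1]
    return True  # enum fields: the tree output encodes no limit for them


if __name__ == "__main__":
    lim = parse_tree_limits(SAMPLE_TREE)
    for key, spec in lim.items():
        print(f"{key}: {spec}")
    print("fqdn of 255 chars fits:", value_fits(lim, "address.fqdn", "a" * 255))
```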
Copyright© 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.