FortiGate Version 4.0 CLI Reference


  • FortiGate™ Version 4.0 CLI Reference

    FortiGate CLI Reference, Version 4.0, 15 April 2009, document number 01-400-93051-20090415

    © Copyright 2009 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

    Trademarks

    Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

    Regulatory compliance

    FCC Class A Part 15, CSA/CUS

    CAUTION: Risk of Explosion if Battery is replaced by an Incorrect Type. Dispose of Used Batteries According to the Instructions.

  • Contents


    Introduction ..... 15
        About the FortiGate Unified Threat Management System ..... 15
        Registering your Fortinet product ..... 15
        Customer service and technical support ..... 16
        Fortinet documentation ..... 16
            Fortinet Tools and Documentation CD ..... 16
            Fortinet Knowledge Center ..... 16
            Comments on Fortinet technical documentation ..... 16
        Conventions ..... 16
            IP addresses ..... 16
            CLI constraints ..... 17
            Notes, Tips and Cautions ..... 17
            Typographical conventions ..... 17

    What's new ..... 19

    Using the CLI ..... 29
        CLI command syntax ..... 29
        Administrator access ..... 30
        Connecting to the CLI ..... 32
            Connecting to the FortiGate console ..... 32
            Setting administrative access on an interface ..... 33
            Connecting to the FortiGate CLI using SSH ..... 33
            Connecting to the FortiGate CLI using Telnet ..... 34
            Connecting to the FortiGate CLI using the web-based manager ..... 34
        CLI objects ..... 35
        CLI command branches ..... 35
            config branch ..... 36
            get branch ..... 37
            show branch ..... 39
            execute branch ..... 40
            diagnose branch ..... 40
            Example command sequences ..... 41
        CLI basics ..... 43
            Command help ..... 44
            Command completion ..... 44
            Recalling commands ..... 44
            Editing commands ..... 44
            Line continuation ..... 45
            Command abbreviation ..... 45
            Environment variables ..... 45

    FortiGate Version 4.0 CLI Reference, 01-400-93051-20090415, page 3, http://docs.fortinet.com/ • Feedback


            Encrypted password support ..... 45
            Entering spaces in strings ..... 46
            Entering quotation marks in strings ..... 46
            Entering a question mark (?) in a string ..... 46
            International characters ..... 46
            Special characters ..... 46
            IP address formats ..... 47
            Editing the configuration file ..... 47
            Setting screen paging ..... 47
            Changing the baud rate ..... 48
            Using Perl regular expressions ..... 48

    Working with virtual domains ..... 51
        Enabling virtual domain configuration ..... 51
        Accessing commands in virtual domain configuration ..... 51
        Creating and configuring VDOMs ..... 52
            Creating a VDOM ..... 52
            Assigning interfaces to a VDOM ..... 52
            Setting VDOM operating mode ..... 52
            Changing back to NAT/Route mode ..... 53
        Configuring inter-VDOM routing ..... 54
        Changing the management VDOM ..... 55
        Creating VDOM administrators ..... 55
        Troubleshooting ARP traffic on VDOMs ..... 55
            Duplicate ARP packets ..... 55
            Multiple VDOMs solution ..... 55
            Forward-domain solution ..... 56
        global ..... 57
        vdom ..... 60

    alertemail ..... 65
        setting ..... 66

    antivirus ..... 71
        filepattern ..... 72
        grayware ..... 74
        heuristic ..... 76
        quarantine ..... 77
        quarfilepattern ..... 79
        service ..... 80


    application ..... 83
        list ..... 84
        name ..... 90

    dlp ..... 91
        compound ..... 92
        rule ..... 93
        sensor ..... 97

    endpoint-control ..... 99
        apps-detection ..... 100
        settings ..... 101

    firewall ..... 103
        address, address6 ..... 104
        addrgrp, addrgrp6 ..... 106
        dnstranslation ..... 107
        interface-policy ..... 109
        interface-policy6 ..... 111
        ipmacbinding setting ..... 112
        ipmacbinding table ..... 114
        ippool ..... 116
        ldb-monitor ..... 117
        multicast-policy ..... 119
        policy, policy6 ..... 121
        profile ..... 132
            config log ..... 154
            config app-recognition ..... 155
        schedule onetime ..... 159
        schedule recurring ..... 160
        service custom ..... 162
        service group ..... 164
        ssl setting ..... 165
        traffic-shaper ..... 167
        vip ..... 168
        vipgrp ..... 179


    gui ..... 181
        console ..... 182
        topology ..... 183

    imp2p ..... 185
        aim-user ..... 186
        icq-user ..... 187
        msn-user ..... 188
        old-version ..... 189
        policy ..... 190
        yahoo-user ..... 191

    ips ..... 193
        DoS ..... 194
            config limit ..... 194
        custom ..... 197
        decoder ..... 198
        global ..... 199
        rule ..... 201
        sensor ..... 202

    log ..... 207
        custom-field ..... 208
        {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter ..... 209
        disk setting ..... 214
        fortianalyzer setting ..... 218
        fortiguard setting ..... 219
        memory setting ..... 220
        memory global setting ..... 221
        syslogd setting ..... 222
        webtrends setting ..... 224
        trafficfilter ..... 225

    router ..... 227
        access-list ..... 228
        aspath-list ..... 231
        auth-path ..... 233


        bgp ..... 235
            config router bgp ..... 237
            config admin-distance ..... 240
            config aggregate-address ..... 241
            config neighbor ..... 241
            config network ..... 245
            config redistribute ..... 246
        community-list ..... 248
        key-chain ..... 251
        multicast ..... 253
            Sparse mode ..... 253
            Dense mode ..... 254
            config router multicast ..... 255
            config interface ..... 256
            config pim-sm-global ..... 259
        ospf ..... 263
            config router ospf ..... 265
            config area ..... 267
            config distribute-list ..... 271
            config neighbor ..... 271
            config network ..... 272
            config ospf-interface ..... 273
            config redistribute ..... 275
            config summary-address ..... 276
        policy ..... 278
        prefix-list ..... 282
        rip ..... 285
            config router rip ..... 286
            config distance ..... 287
            config distribute-list ..... 288
            config interface ..... 289
            config neighbor ..... 290
            config network ..... 291
            config offset-list ..... 291
            config redistribute ..... 292
        route-map ..... 294
            Using route maps with BGP ..... 295
        setting ..... 300
        static ..... 301
        static6 ..... 303


    spamfilter ..... 305
        bword ..... 306
        emailbwl ..... 308
        fortishield ..... 310
        ipbwl ..... 312
        iptrust ..... 314
        mheader ..... 315
        options ..... 317
        DNSBL ..... 318

    system ..... 321
        accprofile ..... 322
        admin ..... 326
        alertemail ..... 331
        amc ..... 333
        arp-table ..... 334
        auto-install ..... 335
        autoupdate clientoverride ..... 336
        autoupdate override ..... 337
        autoupdate push-update ..... 338
        autoupdate schedule ..... 339
        autoupdate tunneling ..... 341
        aux ..... 343
        bug-report ..... 344
        central-management ..... 345
        console ..... 347
        dhcp reserved-address ..... 348
        dhcp server ..... 349
        dns ..... 352
        fips-cc ..... 354
        fortianalyzer, fortianalyzer2, fortianalyzer3 ..... 355
        fortiguard ..... 357
        fortiguard-log ..... 362
        global ..... 363
        gre-tunnel ..... 373
        ha ..... 375
        interface ..... 387


    ipv6-tunnel ................................................................................................................... 404

    mac-address-table ...................................................................................................... 405

    management-tunnel .................................................................................................... 406

    modem ......................................................................................................................... 408

    npu................................................................................................................................ 412

    ntp................................................................................................................................. 413

    proxy-arp...................................................................................................................... 414

    replacemsg admin....................................................................................................... 415

    replacemsg alertmail .................................................................................................. 417

    replacemsg auth.......................................................................................................... 419

    replacemsg ec ............................................................................................................. 423

    replacemsg fortiguard-wf ........................................................................................... 424

    replacemsg ftp............................................................................................................. 426

    replacemsg http .......................................................................................................... 428

    replacemsg im ............................................................................................................. 431

    replacemsg mail .......................................................................................................... 433

    replacemsg nac-quar .................................................................................................. 435

    replacemsg nntp ......................................................................................................... 437

    replacemsg spam........................................................................................................ 439

    replacemsg sslvpn...................................................................................................... 441

    resource-limits ............................................................................................................ 442

    session-helper............................................................................................................. 444

    session-sync ............................................................................................... 446
      Notes and limitations .................................................................................... 447
      Configuring session synchronization ...................................................................... 447
      Configuring the session synchronization link ............................................................. 448

    session-ttl .................................................................................................................... 452

    settings ........................................................................................................................ 453

    sit-tunnel ...................................................................................................................... 457

    snmp community ........................................................................................................ 458

    snmp sysinfo ............................................................................................................... 462

    snmp user .................................................................................................................... 464

    switch-interface........................................................................................................... 466

    tos-based-priority........................................................................................................ 468

    vdom-link ..................................................................................................................... 469

    vdom-property............................................................................................................. 471

    wccp ............................................................................................................................. 473


    wireless ap-status ....................................................................................................... 475

    wireless mac-filter....................................................................................................... 476

    wireless settings ......................................................................................................... 477

    zone .............................................................................................................................. 479

    user ....................................................................................................... 481
      Configuring users for authentication ..................................................................... 482
      Configuring users for password authentication ............................................................ 482
      Configuring peers for certificate authentication ......................................................... 482

    adgrp ............................................................................................................................ 483

    ban................................................................................................................................ 484

    fsae ............................................................................................................................... 488

    group ............................................................................................................................ 490

    ldap............................................................................................................................... 495

    local .............................................................................................................................. 498

    peer............................................................................................................................... 500

    peergrp......................................................................................................................... 502

    radius ........................................................................................................................... 503

    settings ........................................................................................................................ 505

    tacacs+......................................................................................................................... 506

    vpn ........................................................................................................ 507

    certificate ca ............................................................................................. 508

    certificate crl................................................................................................................ 509

    certificate local ............................................................................................................ 511

    certificate ocsp............................................................................................................ 512

    certificate remote ........................................................................................................ 513

    ipsec concentrator ...................................................................................................... 514

    ipsec forticlient............................................................................................................ 515

    ipsec manualkey ......................................................................................................... 516

    ipsec manualkey-interface ......................................................................................... 519

    ipsec phase1................................................................................................................ 522

    ipsec phase1-interface ............................................................................................... 530

    ipsec phase2................................................................................................................ 539

    ipsec phase2-interface ............................................................................................... 546

    l2tp................................................................................................................................ 552

    pptp .............................................................................................................................. 554

    ssl monitor................................................................................................................... 556


    ssl settings .................................................................................................................. 557

    ssl web portal .............................................................................................................. 560

    wanopt ..................................................................................................... 563

    auth-group ................................................................................................. 564

    cache-storage.............................................................................................................. 566

    iscsi .............................................................................................................................. 569

    peer............................................................................................................................... 570

    rule................................................................................................................................ 571

    settings ........................................................................................................................ 577

    ssl-server ................................................................................................. 578
      Example: SSL offloading for a WAN optimization tunnel .................................................... 579

    storage ......................................................................................................................... 582

    webcache ..................................................................................................................... 584

    web-proxy .................................................................................................. 587

    explicit ................................................................................................... 588

    global............................................................................................................................ 589

    webfilter .................................................................................................. 591

    bword ...................................................................................................... 592

    exmword ...................................................................................................................... 594

    fortiguard ................................................................................................. 596
      FortiGuard-Web category blocking ......................................................................... 596

    ftgd-local-cat................................................................................................................ 599

    ftgd-local-rating........................................................................................................... 600

    ftgd-ovrd ...................................................................................................................... 601

    ftgd-ovrd-user.............................................................................................................. 603

    urlfilter.......................................................................................................................... 605

    execute .................................................................................................... 607

    backup ..................................................................................................... 608

    batch............................................................................................................................. 611

    central-mgmt ............................................................................................................... 612

    cfg reload ..................................................................................................................... 613

    cfg save........................................................................................................................ 614

    clear system arp table ................................................................................................ 615

    cli check-template-status ........................................................................................... 616

    cli status-msg-only ..................................................................................................... 617


    date............................................................................................................................... 618

    dhcp lease-clear .......................................................................................................... 619

    dhcp lease-list ............................................................................................................. 620

    disconnect-admin-session......................................................................................... 621

    enter ............................................................................................................................. 622

    factoryreset.................................................................................................................. 623

    formatlogdisk .............................................................................................................. 624

    fortiguard-log update.................................................................................................. 625

    fsae refresh.................................................................................................................. 626

    ha disconnect .............................................................................................................. 627

    ha manage ................................................................................................................... 628

    ha synchronize ............................................................................................................ 629

    interface dhcpclient-renew......................................................................................... 631

    interface pppoe-reconnect ......................................................................................... 632

    log delete-all ................................................................................................................ 633

    log delete-filtered ........................................................................................................ 634

    log delete-rolled .......................................................................................................... 635

    log display ................................................................................................................... 636

    log filter ........................................................................................................................ 637

    log fortianalyzer test-connectivity............................................................................. 638

    log list........................................................................................................................... 639

    log roll .......................................................................................................................... 640

    modem dial .................................................................................................................. 641

    modem hangup ........................................................................................................... 642

    modem trigger ............................................................................................................. 643

    ping............................................................................................................................... 644

    ping-options, ping6-options....................................................................................... 645

    ping6............................................................................................................................. 647

    reboot ........................................................................................................................... 648

    router clear bfd............................................................................................................ 649

    restore .......................................................................................................................... 650

    router clear bgp........................................................................................................... 653

    router clear ospf process ........................................................................................... 654

    router restart................................................................................................................ 655

    scsi-dev........................................................................................................................ 656

    send-fds-statistics ...................................................................................................... 658


    set-next-reboot ............................................................................................................ 659

    sfp-mode-sgmii ........................................................................................................... 660

    shutdown ..................................................................................................................... 661

    ssh ................................................................................................................................ 662

    telnet............................................................................................................................. 663

    time............................................................................................................................... 664

    traceroute..................................................................................................................... 665

    update-ase ................................................................................................................... 666

    update-av ..................................................................................................................... 667

    update-ips .................................................................................................................... 668

    update-now .................................................................................................................. 669

    upd-vd-license............................................................................................................. 670

    usb-disk ....................................................................................................................... 671

    vpn certificate ca......................................................................................................... 672

    vpn certificate crl ........................................................................................................ 674

    vpn certificate local..................................................................................................... 675

    vpn certificate remote................................................................................................. 678

    vpn sslvpn del-tunnel ................................................................................................. 679

    vpn sslvpn del-web ..................................................................................................... 680

    get ........................................................................................................ 681

    firewall service predefined ................................................................................ 682

    gui console status....................................................................................................... 683

    gui topology status ..................................................................................................... 684

    hardware status........................................................................................................... 685

    ips decoder status ...................................................................................................... 686

    ips rule status.............................................................................................................. 687

    ipsec tunnel list ........................................................................................................... 688

    router info bfd neighbor ............................................................................................. 689

    router info bgp............................................................................................................. 690

    router info multicast ................................................................................................... 693

    router info ospf............................................................................................................ 695

    router info protocols................................................................................................... 697

    router info rip............................................................................................................... 698

    router info routing-table ............................................................................................ 699

    router info6 interface .................................................................................................. 700

    router info6 routing-table ........................................................................................... 701


    system admin list ........................................................................................................ 702

    system admin status................................................................................................... 703

    system arp ................................................................................................................... 704

    system central-management...................................................................................... 705

    system checksum ....................................................................................................... 706

    system cmdb status.................................................................................................... 707

    system dashboard ...................................................................................................... 708

    system fdp-fortianalyzer............................................................................................. 709

    system fortianalyzer-connectivity ............................................................................. 710

    system fortiguard-log-service status ........................................................................ 711

    system fortiguard-service status............................................................................... 712

    system ha status ........................................................................................... 713
      About the HA cluster index and the execute ha manage command ............................................. 715

    system info admin ssh ............................................................................................... 719

    system info admin status ........................................................................................... 720

    system interface physical .......................................................................................... 721

    system performance status ....................................................................................... 722

    system session list ..................................................................................................... 723

    system session status................................................................................................ 724

    system status .............................................................................................................. 725

    system wireless detected-ap ..................................................................................... 726

    Index...................................................................................................... 727


    Introduction

    This chapter introduces you to the FortiGate Unified Threat Management System and the following topics:
    • About the FortiGate Unified Threat Management System
    • Registering your Fortinet product
    • Customer service and technical support
    • Fortinet documentation
    • Conventions

    About the FortiGate Unified Threat Management System

    The FortiGate Unified Threat Management System supports network-based deployment of application-level services, including virus protection and full-scan content filtering. FortiGate units improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network.

    The FortiGate unit is a dedicated, easily managed security device that delivers a full suite of capabilities that include:
    • application-level services such as virus protection and content filtering,
    • network-level services such as firewall, intrusion detection, VPN, and traffic shaping.

    The FortiGate unit employs Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The ASIC-based architecture analyzes content and behavior in real time, enabling key applications to be deployed right at the network edge where they are most effective at protecting your networks. The FortiGate series complements existing solutions, such as host-based antivirus protection, and enables new applications and services while lowering costs for equipment, administration, and maintenance.

    Registering your Fortinet product

    Before you begin, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com.

    Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration. For more information, see the Fortinet Knowledge Center article "Registration Frequently Asked Questions".


    Customer service and technical support

    Fortinet Technical Support provides services designed to make sure that your Fortinet products install quickly, configure easily, and operate reliably in your network. To learn about the technical support services that Fortinet provides, visit the Fortinet Technical Support web site at https://support.fortinet.com.

    You can substantially shorten the time it takes to resolve a technical support ticket by providing your configuration file, a network diagram, and other specific information with the ticket. For a list of the required information, see the Fortinet Knowledge Center article "What does Fortinet Technical Support require in order to best assist the customer?".

    Fortinet documentation

    The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes.

    In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Center.

    Fortinet Tools and Documentation CD

    Many Fortinet publications are available on the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For current versions of Fortinet documentation, visit the Fortinet Technical Documentation web site, http://docs.fortinet.com.

    Fortinet Knowledge Center

    The Fortinet Knowledge Center provides additional Fortinet technical documentation, such as troubleshooting and how-to articles, examples, FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge Center at http://kc.fortinet.com.

    Comments on Fortinet technical documentation

    Please send information about any errors or omissions in this or any Fortinet technical document to [email protected].

    Conventions

    Fortinet technical documentation uses the conventions described below.

    IP addresses

    To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918.


    CLI constraints

    CLI constraints, such as , indicate which data types or string patterns are acceptable input for a given parameter or variable value. CLI constraint conventions are described in the CLI Reference document for each product.

    Notes, Tips and Cautions

    Fortinet technical documentation uses the following guidance and styles for notes, tips and cautions.

    Tip: Highlights useful additional information, often tailored to your workplace activity.

    Note: Also presents useful information, but usually focused on an alternative, optional method, such as a shortcut, to perform a step.

    Caution: Warns you about commands or procedures that could have unexpected or undesirable results, including loss of data or damage to equipment.

    Typographical conventions

    Fortinet documentation uses the following typographical conventions:

    Table 1: Typographical conventions in Fortinet technical documentation

    Convention: Button, menu, text box, field, or check box label
    Example:    From Minimum log level, select Notification.

    Convention: CLI input
    Example:    config system dns
                    set primary
                end

    Convention: CLI output
    Example:    FGT-602803030703 # get system settings
                comments : (null)
                opmode : nat

    Convention: Emphasis
    Example:    HTTP connections are not secure and can be intercepted by a third party.

    Convention: File content
    Example:    Firewall Authentication
                You must authenticate to use this service.

    Convention: Hyperlink
    Example:    Visit the Fortinet Technical Support web site, https://support.fortinet.com.

    Convention: Keyboard entry
    Example:    Type a name for the remote VPN peer or client, such as Central_Office_1.

    Convention: Navigation
    Example:    Go to VPN > IPSEC > Auto Key (IKE).

    Convention: Publication
    Example:    For details, see the FortiGate Administration Guide.


    What’s new
    The tables below list commands which have changed since the previous release, version 3.0 MR7.

    Command / Change

    config antivirus filepattern
      set file-type
        New keyword. Selects the type of file the file filter will search for. This was previously available on FortiCarrier units only.
      set filter-type
        New keyword. Selects whether the file type is detected by file content or by file name extension. This was previously available on FortiCarrier units only.

    config application list
      New command. Configures application control list entries.

    config application name
      New command. Displays the settings for each application under application control.

    config dlp compound
      New command. Creates compound DLP rules.

    config dlp rule
      New command. Creates Data Leak Prevention (DLP) rules.

    config dlp sensor
      New command. Creates a DLP sensor.

    config endpoint-control
      New command. Configures the Endpoint Control feature.

    config firewall address, address6
      edit
        set comment
          New keyword. Adds a comment.

    config firewall addrgrp, addrgrp6
      edit
        set comment
          New keyword. Adds a comment.

    config firewall interface-policy
      New command. Applies DoS sensors and IPS sensors to network traffic on an interface. In the web-based manager, interface policies are called DoS policies.

    config firewall interface-policy6
      New command. Applies IPS sensors to IPv6 network traffic on an interface.

    config firewall policy, policy6
      edit
        set endpoint-allow-collect-sysinfo
        set endpoint-check
        set endpoint-restrict-check
        set endpoint-redir-portal
          New keywords. These keywords configure the Endpoint Control feature, which replaces the v3.0 FortiClient Check feature.
        set forticlient-check
        set forticlient-ra-db-outdated
        set forticlient-ra-no-av
        set forticlient-ra-no-fw
        set forticlient-ra-notinstalled
        set forticlient-ra-notlicensed
        set forticlient-ra-no-wf
        set forticlient-redir-portal
          Keywords removed. These keywords configured the FortiClient Check feature. In FortiOS v4.0, the Endpoint Control feature replaces the FortiClient Check feature.
        set gbandwidth
          Keyword removed. Use the guaranteed-bandwidth keyword in the new config firewall traffic-shaper command.


        set groups
          Keyword moved to the config identity-based-policy subcommand.
        set identity-based enable
        config identity-based-policy
          edit
            set groups
            set logtraffic
            set profile
            set schedule
            set service
            set traffic-shaper
            set traffic-shaper-reverse
          New keyword. Enables identity-based policies, which are defined in the new config identity-based-policy subcommand. The groups keyword defines the user groups who can use this policy. The other keywords in the subcommand have the same meaning as they do in the main config firewall policy command.
        set match-vip
          New keyword. If enabled, the FortiGate unit checks whether DNATed traffic matches the policy, even in non-VIP policies.
        set maxbandwidth
          Keyword removed. Use the maximum-bandwidth keyword in the new config firewall traffic-shaper command.
        set session-ttl
          New keyword. Overrides the global timeout setting defined in config system session-ttl.
        set traffic-shaper
          New keyword. Selects a traffic shaper defined in the new config firewall traffic-shaper command.
        set traffic-shaper-reverse
          New keyword. Selects a traffic shaper defined in the new config firewall traffic-shaper command. This traffic shaper applies to traffic from destination to source.
        set traffic-shaping
          Keyword removed. In FortiOS 4.0, you define traffic shapers with the new config firewall traffic-shaper command and select traffic shapers in the firewall policy using the traffic-shaper and traffic-shaper-reverse keywords.
        set wccp
          New keyword. Enables web caching on the policy.

    config firewall profile
      edit
        set aim
        set bittorrent
        set bittorrent-limit
        set edonkey
        set edonkey-limit
        set gnutella
        set gnutella-limit
        set icq
        set imoversizechat
        set kazaa
        set kazaa-limit
        set msn
        set p2p
        set skype
        set winny
        set winny-limit
        set yahoo
          Keywords removed. In FortiOS 4.0 you define application control lists that you can select in firewall profiles. See the config application chapter.
        set log-antispam-mass-mms
        set log-av-endpoint-filter
        set log-im
        set log-p2p
        set log-voip
        set log-voip-violations
          Keywords removed. In FortiOS 4.0, you enable logging in application control settings. See the config application chapter.


        set application-list
          Keyword added. Sets the application list to use in this profile.
        set application-list-status
          Keyword added. Enables application control in this profile.
        set dlp-sensor-table
          Keyword added. Selects a Data Leak Prevention sensor for this profile.
        set httppostaction
          Keyword added. Selects the action to take against HTTP uploads.
        set httpsoversizelimit
          Keyword added. Sets the maximum in-memory file size that will be scanned for files received with the HTTPS protocol.
        set https-deep-scan
          Keyword added. Enables decryption and additional scanning of the content of HTTPS traffic.
        set https-retry-count
          Keyword added. Sets the number of times to retry establishing an HTTPS connection.
        set httpscomfortinterval
          Keyword added. Sets the interval between client comforting sends.
        set httpscomfortamount
          Keyword added. Sets the number of bytes client comforting sends each time.
        set imaps
          Keyword added. Selects actions that the FortiGate unit performs on IMAP connections.
        set imapsoversizelimit
          Keyword added. Sets the maximum in-memory file size that will be scanned for files received with the IMAPS protocol.
        set nac-quar-expiry
          Keyword added. Sets the duration of quarantine.
        set nac-quar-infected
          Keyword added. Enables quarantine of infected hosts to the banned user list.
        set pop3s
          Keyword added. Selects actions that the FortiGate unit performs on POP3 connections.
        set pop3soversizelimit
          Keyword added. Sets the maximum in-memory file size that will be scanned for files received with the POP3 protocol.
        set smtps
          Keyword added. Selects actions that the FortiGate unit performs on SMTP connections.
        set smtpsoversizelimit
          Keyword added. Sets the maximum in-memory file size that will be scanned for files received with the SMTP protocol.
        config sccp
          Subcommand removed. See the config application list command.
        config simple
          Subcommand removed. See the config application list command.
        config sip
          Subcommand removed. See the config application list command.
        config app-recognition
          Subcommand added. Configures application recognition.
          edit
            set inspect-all
              Keyword added. Enables monitoring all ports for this protocol.
            set port
              Keyword added. Sets the port to monitor if not monitoring all ports.

    config firewall service custom
      edit
        set comment
          Keyword added. Adds a comment.

    config firewall service group
      edit
        set comment
          Keyword added. Adds a comment.

    config firewall ssl setting
      New command. Configures SSL proxy settings that apply antivirus scanning, web filtering, spam filtering, data leak prevention (DLP), and content archiving to HTTPS, IMAPS, POP3S, and SMTPS traffic.

    config firewall traffic-shaper
      New command. Defines traffic shapers. In FortiOS 4.0, traffic shaping settings are configured in traffic shapers. In the firewall profile, you select a traffic shaper.


    config firewall vip
      edit
        set gratuitous-arp-interval
          New keyword. Sets the time interval between sending ARP packets from a virtual IP address.
        set http
          Keyword renamed to http-multiplex.
        set http-multiplex
          Keyword renamed from http. Enables the FortiGate unit’s HTTP proxy to multiplex multiple client connections destined for the web server into a few connections between the FortiGate unit and the web server.
        set monitor
          New keyword. Selects the health check monitor to use to determine a virtual server’s connectivity status.
        set persistence
          New keyword. Sets the connection persistence option.
        set server-type
          New keyword. Selects the communication protocol that the virtual server uses.
        set ssl
          Keyword renamed to ssl-mode.
        set ssl-mode
          Keyword renamed from ssl. Sets the SSL offloading option.
        config realservers
          edit
            set client-ip
              New keyword. Sets the IP address of the client in the X-Forwarded-For HTTP header.
            set dead-interval
              Keyword removed.
            set max-connections
              New keyword. Sets the limit on the number of active connections directed to a real server.
            set ping-detect
              Keyword removed.
            set wake-interval
              Keyword removed.

    config global
      application, system replacemsg ec, system replacemsg nac-quar, and system vdom-property added to the global config commands. execute scsi-dev, execute sfpmode-sgmii, execute send-fsd-statistics, and execute update-ase added to the global execute commands.

    config imp2p policy
      Default value is allow for all imp2p policy commands.

    config ips DoS
      config address
        Subcommand removed. Addresses are now specified in the DoS policy. See firewall interface-policy.
      config anomaly
        set quarantine
          New keyword. Quarantines the attacker to the banned user list.

    config ips global
      set algorithm
        New keyword. Selects the method that the IPS engine uses to determine whether traffic matches signatures.

    config ips sensor
      edit
        config filter
          edit
            set quarantine
              New keyword. Quarantines the attacker to the banned user list.


    config log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
      set amc-intf-bypass
        New keyword. Enables logging of AMC interfaces entering bypass mode.
      set app-ctrl
        New keyword. Enables logging of application control logs.
      set app-ctrl-all
        New keyword. Enables logging of application control log sub-categories.
      set content-log
        New keyword. Enables log content archiving to an AMC hard disk.
      set content-log-ftp
        New keyword. Enables FTP log content archiving.
      set content-log-http
        New keyword. Enables HTTP log content archiving.
      set content-log-imap
        New keyword. Enables IMAP log content archiving.
      set content-log-pop3
        New keyword. Enables POP3 log content archiving.
      set content-log-smtp
        New keyword. Enables SMTP log content archiving.
      set dlp
        New keyword. Enables logging of data leak prevention logs.
      set dlp-all
        New keyword. Enables logging of data leak prevention subcategories.
      set im
        Keyword removed.
      set im-all
        Keyword removed.
      set voip
        Keyword removed.
      set voip-all
        Keyword removed.
      set wan-opt
        New keyword. Enables logging of WAN optimization messages.

    config router setting
      New command. Sets a prefix list as a filter to show routes.

    config system amc
      set asm-cx4
        New option. Support for the ASM-CX4 single-width card.
      set asm-fx2
        New option. Support for the ASM-FX2 single-width card.

    config spamfilter fortishield
      set reports-status
        New keyword. Enables storage of FortiGuard Antispam statistics on the FortiGate unit hard drive.

    config system accprofile
      edit
        set
          Removed the avgrp, imp2pgrp and spamgrp options for . Use the new utmgrp option instead. Also added endpoint-control-grp and wanoptgrp as options.

    config system central-management
      Command renamed from config system fortimanager.

    config system fortimanager
      Command renamed to config system central-management.


    config system global
      set admin-lockout-duration
        New keyword. Sets the administrator lockout duration in seconds. Lockout occurs after repeated failed login attempts.
      set admin-lockout-threshold
        New keyword. Sets the number of failed attempts that triggers administrator lockout.
      set auth-policy-exact-match
        New keyword. Requires that traffic match an authenticated policy by policy ID in addition to IP address.
      set batch-cmdb
        Renamed from batch_cmdb.
      set batch_cmdb
        Renamed to batch-cmdb.
      set check-protocol-header
        New keyword. Selects loose or strict checking of protocol headers.
      set endpoint-control-portal-port
        New keyword. Selects the port used for the endpoint control portal.
      set send-pmtu-icmp
        New keyword. Enables sending path maximum transmission unit (PMTU) ICMP destination unreachable packets to support PMTU discovery (PMTUD).

    config system interface
      set gwaddr
        Keyword removed.
      set mux-type
        Keyword removed.
      set ips-sniffer-mode
        New keyword. Enables one-armed IPS on the interface.
      set nontp-web-proxy
        New keyword. Enables web cache support for this interface.
      set type
        Removed the adsl option.
      set vci
        Keyword removed.
      set vpi
        Keyword removed.
      set wccp
        New keyword. Enables Web Cache Control Protocol (WCCP) on this interface.

    config system modem
      set account-relation
        New keyword. Sets the account relationship as either equal or fallback.
      set extra-init1
      set extra-init2
      set extra-init3
        New keywords. Send extra initialization strings to the modem.
      set modem-dev1
      set modem-dev2
      set modem-dev3
        New keywords. Select the PCMCIA wireless card or the normal interface for the modem device.
      set pin-init
        New keyword. Configures an AT command string to set the PIN.
      set wireless-custom-product-id
        New keyword. Configures the product ID of an installed 3G wireless PCMCIA modem.
      set wireless-custom-vendor-id
        New keyword. Configures the vendor ID of an installed 3G wireless PCMCIA modem.

    config system replacemsg ec
      New command. Changes the endpoint check download portal replacement message page.

    config system replacemsg mail email-dlp
      New replacement message for email blocked because a data leak was detected.

    config system replacemsg mail email-dlp-ban
      New replacement message for email blocked because a data leak was detected and the email was banned.

    config system replacemsg mail email-dlp-ban-sender
      New replacement message for email blocked because the sender was banned for a data leak.


    config system replacemsg mail email-dlp-subject
      New replacement message for email blocked because a data leak was detected.

    config system replacemsg nac-quar
      New command. Changes the NAC quarantine pages for data leak (DLP), denial of service (DoS), IPS, and virus detected.

    config system replacemsg spam smtp-spam-ase
      New replacement message for an email message that the antispam engine marked as spam.

    config system replacemsg spam smtp-spam-dnsbl
      New replacement message for an email message that the spam filter marked as spam because it originated from a blacklisted IP address.

    config system resource-limits
      New command. Sets limits on global system resources, and customizes limits for particular resources.

    config system settings
      set p2p-rate-limit
        Keyword removed.
      set vpn-stats-log
        New keyword. Enables periodic VPN log statistics for selected traffic.
      set vpn-stats-period
        New keyword. Sets the interval in seconds for vpn-stats-log to collect VPN statistics.

    config system snmp user
      New command. Configures an SNMP user.

    config system switch-interface
      All FortiGate models now support this command.

    config system vdom-property
      New command. Sets maximum and guaranteed system resource limits for the specified virtual domain (VDOM).

    config system wccp
      New command. Configures Web Cache Communication Protocol (WCCP) settings.

    config system wireless ap-status
      New command. Designates an access point as either “accepted” or “rogue”. This designation affects the web-based manager Rogue AP listing. For FortiWiFi models only.

    config system wireless settings
      set bgscan
      set bgscan-idle
      set bgscan-interval
        New keywords. Configure background scanning for access points while the FortiWiFi unit is in AP mode.
      set broadcast_ssid
      set fragment_threshold
      set key
      set passphrase
      set radius_server
      set rts_threshold
      set security
      set ssid
        Keywords removed. These keywords applied to models not supported in FortiOS 4.0. Equivalent keywords prefixed with wifi- are available in the config system interface command on FortiWiFi models.

    config user ban
      New command. Configures Banned User List entries.

    config vpn ipsec concentrator
      edit
        set src-check
          New keyword. Enables checking the source address of the phase2 selector when locating the best matching phase2 in a concentrator. The default is to check only the destination selector.


    config vpn ipsec phase1
      edit
        set dpd
          Default changed to enable.
        set nattraversal
          Default changed to enable.
        set proposal
          Default changed to aes128-sha1 3des-sha1.

    config vpn ipsec phase1-interface
      edit
        set pfs
          Default changed to enable.
        set nattraversal
          Default changed to enable.
        set proposal
          Default changed to aes128-sha1 3des-sha1.

    config vpn ipsec phase2
      edit
        set add-route
          New keyword. Enables routes to be propagated to routing peers over a dynamic routing protocol (RIP, OSPF, or BGP).
        set pfs
          Default changed to enable.
        set proposal
          Default changed to aes128-sha1 3des-sha1.
        set replay
          Default changed to enable.

    config vpn ipsec phase2-interface
      edit
        set dhcp-ipsec
          New keyword. Enables assignment of IP addresses to dialup clients using DHCP over IPsec.
        set pfs
          Default changed to enable.
        set proposal
          Default changed to aes128-sha1 3des-sha1.
        set replay
          Default changed to enable.

    config vpn pptp
      set ip-mode
        New keyword. Enables assignment of PPTP client IP addresses according to PPTP user group. The default mode is to select an IP address from the pre-configured IP address range.
      set local-ip
        New keyword. Sets the FortiGate unit PPTP gateway IP address.

    config vpn ssl web portal
      New command. Configures an SSL VPN web portal.

    config vdom
      Added application, dlp, endpoint-control, firewall interface-policy, firewall traffic-shaper, system ipv6-tunnel, system modem, and system wccp to the VDOM config commands. Added execute interface, execute modem dial, execute modem hangup, execute ping6-options, execute sfp-mode-sgmii, and execute ssh to the VDOM execute commands.

    config wanopt ...
      New commands. Configure WAN Optimization.

    config web-proxy explicit
      New command. Configures an explicit web proxy.

    config web-proxy global
      New command. Configures global web-proxy settings.

    execute backup ftp ...
      Added the ability to back up all logs and individual log types to FTP servers as well as TFTP servers.

    execute ha synchronize ase
      New command. Synchronizes the antispam engine and antispam rule sets.

    execute log delete-rolled app-ctrl ...
    execute log delete-rolled dlp ...
      Added the Application control (app-ctrl) and Data leak prevention (dlp) log categories.


    execute log filter category app-ctrl ...
    execute log filter category dlp ...
      Added the Application control (app-ctrl) and Data leak prevention (dlp) log categories.

    execute log list app-ctrl
    execute log list dlp
      Added the Application control (app-ctrl) and Data leak prevention (dlp) log categories.

    execute router clear bfd ase ftp ...
    execute router clear bfd ase tftp ...
      Restores the antispam engine from an FTP or TFTP server.

    execute scsi-dev ...
      New commands. Change the SCSI device configuration as part of WAN optimization.

    execute update-ase
      New command. Manually initiates an antispam engine and rules update.

    get router info6 interface
      New command. Lists information about IPv6 interfaces.

    get router info6 routing-table
      New command. Lists the routes in the IPv6 routing table.

    get system fdp-fortianalyzer
      New command. Lists the serial number of the FortiAnalyzer unit you use for logging.

    get system interface physical
      New command. Lists information about the unit’s physical network interfaces.

    get system wireless detected-ap
      Lists the detected access points. For WiFi models only.


    Using the CLI
    This chapter explains how to connect to the CLI and describes the basics of using the CLI. You can use CLI commands to view all system information and to change all system configuration settings.

    This chapter describes:
    • CLI command syntax
    • Administrator access
    • Connecting to the CLI
    • CLI objects
    • CLI command branches
    • CLI basics

    CLI command syntax
    This guide uses the following conventions to describe command syntax.
    • Angle brackets < > to indicate variables.

    For example:
    execute restore config

    You enter:
    execute restore config myfile.bak

    indicates a dotted decimal IPv4 address. indicates a dotted decimal IPv4 netmask. indicates a dotted decimal IPv4 address followed by a dotted decimal IPv4