
FortiGate Version 4.0 CLI Reference
15 April 2009
01-400-93051-20090415
Copyright 2009 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam,
FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager,
Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and
FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual
companies and products mentioned herein may be the trademarks of their respective owners.
Regulatory compliance
FCC Class A Part 15 CSA/CUS
CAUTION: Risk of Explosion if Battery is replaced by an Incorrect Type.
Dispose of Used Batteries According to the Instructions.
Contents
FortiGate Version 4.0 CLI Reference
01-400-93051-20090415 3
http://docs.fortinet.com/ Feedback
Introduction ............................................................................................ 15
About the FortiGate Unified Threat Management System ........................................ 15
Registering your Fortinet product ............................................................................... 15
Customer service and technical support .................................................................... 16
Fortinet documentation ................................................................................................ 16
Fortinet Tools and Documentation CD..................................................................... 16
Fortinet Knowledge Center ...................................................................................... 16
Comments on Fortinet technical documentation ..................................................... 16
Conventions .................................................................................................................. 16
IP addresses............................................................................................................. 16
CLI constraints.......................................................................................................... 17
Notes, Tips and Cautions ......................................................................................... 17
Typographical conventions....................................................................................... 17
What's new ............................................................................................. 19
Using the CLI .......................................................................................... 29
CLI command syntax .................................................................................................... 29
Administrator access.................................................................................................... 30
Connecting to the CLI ................................................................................................... 32
Connecting to the FortiGate console........................................................................ 32
Setting administrative access on an interface.......................................................... 33
Connecting to the FortiGate CLI using SSH............................................................. 33
Connecting to the FortiGate CLI using Telnet .......................................................... 34
Connecting to the FortiGate CLI using the web-based manager.............................. 34
CLI objects..................................................................................................................... 35
CLI command branches ............................................................................................... 35
config branch............................................................................................................ 36
get branch................................................................................................................. 37
show branch............................................................................................................. 39
execute branch......................................................................................................... 40
diagnose branch....................................................................................................... 40
Example command sequences................................................................................. 41
CLI basics ...................................................................................................................... 43
Command help......................................................................................................... 44
Command completion............................................................................................... 44
Recalling commands ................................................................................................ 44
Editing commands.................................................................................................... 44
Line continuation....................................................................................................... 45
Command abbreviation............................................................................................. 45
Environment variables .............................................................................................. 45
Encrypted password support.................................................................................... 45
Entering spaces in strings......................................................................................... 46
Entering quotation marks in strings .......................................................................... 46
Entering a question mark (?) in a string.................................................................... 46
International characters ............................................................................................ 46
Special characters.................................................................................................... 46
IP address formats.................................................................................................... 47
Editing the configuration file...................................................................................... 47
Setting screen paging............................................................................................... 47
Changing the baud rate............................................................................................ 48
Using Perl regular expressions................................................................................. 48
Working with virtual domains ............................................................... 51
Enabling virtual domain configuration ....................................................................... 51
Accessing commands in virtual domain configuration ............................................ 51
Creating and configuring VDOMs................................................................................ 52
Creating a VDOM..................................................................................................... 52
Assigning interfaces to a VDOM............................................................................... 52
Setting VDOM operating mode................................................................................. 52
Changing back to NAT/Route mode......................................................................... 53
Configuring inter-VDOM routing.................................................................................. 54
Changing the management VDOM.............................................................................. 55
Creating VDOM administrators .................................................................................... 55
Troubleshooting ARP traffic on VDOMs ..................................................................... 55
Duplicate ARP packets............................................................................................. 55
Multiple VDOMs solution.......................................................................................... 55
Forward-domain solution.......................................................................................... 56
global .............................................................................................................................. 57
vdom............................................................................................................................... 60
alertemail ................................................................................................ 65
setting ............................................................................................................................ 66
antivirus .................................................................................................. 71
filepattern....................................................................................................................... 72
grayware ........................................................................................................................ 74
heuristic ......................................................................................................................... 76
quarantine...................................................................................................................... 77
quarfilepattern ............................................................................................................... 79
service............................................................................................................................ 80
application .............................................................................................. 83
list ................................................................................................................................... 84
name............................................................................................................................... 90
dlp............................................................................................................ 91
compound...................................................................................................................... 92
rule.................................................................................................................................. 93
sensor ............................................................................................................................ 97
endpoint-control ..................................................................................... 99
apps-detection............................................................................................................. 100
settings ........................................................................................................................ 101
firewall ................................................................................................... 103
address, address6....................................................................................................... 104
addrgrp, addrgrp6....................................................................................................... 106
dnstranslation ............................................................................................................. 107
interface-policy............................................................................................................ 109
interface-policy6.......................................................................................................... 111
ipmacbinding setting .................................................................................................. 112
ipmacbinding table ..................................................................................................... 114
ippool ........................................................................................................................... 116
ldb-monitor .................................................................................................................. 117
multicast-policy........................................................................................................... 119
policy, policy6 ............................................................................................................. 121
profile ........................................................................................................................... 132
config log................................................................................................................ 154
config app-recognition............................................................................................ 155
schedule onetime........................................................................................................ 159
schedule recurring...................................................................................................... 160
service custom............................................................................................................ 162
service group............................................................................................................... 164
ssl setting .................................................................................................................... 165
traffic-shaper ............................................................................................................... 167
vip ................................................................................................................................. 168
vipgrp ........................................................................................................................... 179
gui .......................................................................................................... 181
console......................................................................................................................... 182
topology ....................................................................................................................... 183
imp2p..................................................................................................... 185
aim-user ....................................................................................................................... 186
icq-user ........................................................................................................................ 187
msn-user ...................................................................................................................... 188
old-version................................................................................................................... 189
policy............................................................................................................................ 190
yahoo-user ................................................................................................................... 191
ips .......................................................................................................... 193
DoS............................................................................................................................... 194
config limit............................................................................................................... 194
custom ......................................................................................................................... 197
decoder ........................................................................................................................ 198
global ............................................................................................................................ 199
rule................................................................................................................................ 201
sensor .......................................................................................................................... 202
log.......................................................................................................... 207
custom-field................................................................................................................. 208
{disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter ................ 209
disk setting .................................................................................................................. 214
fortianalyzer setting .................................................................................................... 218
fortiguard setting ........................................................................................................ 219
memory setting ........................................................................................................... 220
memory global setting................................................................................................ 221
syslogd setting............................................................................................................ 222
webtrends setting ....................................................................................................... 224
trafficfilter .................................................................................................................... 225
router ..................................................................................................... 227
access-list .................................................................................................................... 228
aspath-list .................................................................................................................... 231
auth-path...................................................................................................................... 233
bgp................................................................................................................................ 235
config router bgp..................................................................................................... 237
config admin-distance............................................................................................. 240
config aggregate-address....................................................................................... 241
config neighbor....................................................................................................... 241
config network......................................................................................................... 245
config redistribute................................................................................................... 246
community-list ............................................................................................................. 248
key-chain...................................................................................................................... 251
multicast ...................................................................................................................... 253
Sparse mode.......................................................................................................... 253
Dense mode........................................................................................................... 254
config router multicast............................................................................................. 255
config interface....................................................................................................... 256
config pim-sm-global............................................................................................... 259
ospf ............................................................................................................................... 263
config router ospf.................................................................................................... 265
config area.............................................................................................................. 267
config distribute-list................................................................................................. 271
config neighbor....................................................................................................... 271
config network......................................................................................................... 272
config ospf-interface............................................................................................... 273
config redistribute................................................................................................... 275
config summary-address ........................................................................................ 276
policy............................................................................................................................ 278
prefix-list ...................................................................................................................... 282
rip.................................................................................................................................. 285
config router rip....................................................................................................... 286
config distance........................................................................................................ 287
config distribute-list................................................................................................. 288
config interface....................................................................................................... 289
config neighbor....................................................................................................... 290
config network......................................................................................................... 291
config offset-list....................................................................................................... 291
config redistribute................................................................................................... 292
route-map..................................................................................................................... 294
Using route maps with BGP.................................................................................... 295
setting .......................................................................................................................... 300
static............................................................................................................................. 301
static6........................................................................................................................... 303
spamfilter .............................................................................................. 305
bword ........................................................................................................................... 306
emailbwl ....................................................................................................................... 308
fortishield..................................................................................................................... 310
ipbwl ............................................................................................................................. 312
iptrust ........................................................................................................................... 314
mheader ....................................................................................................................... 315
options ......................................................................................................................... 317
DNSBL.......................................................................................................................... 318
system................................................................................................... 321
accprofile ..................................................................................................................... 322
admin............................................................................................................................ 326
alertemail ..................................................................................................................... 331
amc ............................................................................................................................... 333
arp-table....................................................................................................................... 334
auto-install ................................................................................................................... 335
autoupdate clientoverride .......................................................................................... 336
autoupdate override.................................................................................................... 337
autoupdate push-update ............................................................................................ 338
autoupdate schedule .................................................................................................. 339
autoupdate tunneling.................................................................................................. 341
aux ................................................................................................................................ 343
bug-report .................................................................................................................... 344
central-management ................................................................................................... 345
console......................................................................................................................... 347
dhcp reserved-address............................................................................................... 348
dhcp server .................................................................................................................. 349
dns................................................................................................................................ 352
fips-cc........................................................................................................................... 354
fortianalyzer, fortianalyzer2, fortianalyzer3.............................................................. 355
fortiguard ..................................................................................................................... 357
fortiguard-log............................................................................................................... 362
global ............................................................................................................................ 363
gre-tunnel ..................................................................................................................... 373
ha.................................................................................................................................. 375
interface ....................................................................................................................... 387
ipv6-tunnel ................................................................................................................... 404
mac-address-table ...................................................................................................... 405
management-tunnel .................................................................................................... 406
modem ......................................................................................................................... 408
npu................................................................................................................................ 412
ntp................................................................................................................................. 413
proxy-arp...................................................................................................................... 414
replacemsg admin....................................................................................................... 415
replacemsg alertmail .................................................................................................. 417
replacemsg auth.......................................................................................................... 419
replacemsg ec ............................................................................................................. 423
replacemsg fortiguard-wf ........................................................................................... 424
replacemsg ftp............................................................................................................. 426
replacemsg http .......................................................................................................... 428
replacemsg im............................................................................................................. 431
replacemsg mail .......................................................................................................... 433
replacemsg nac-quar .................................................................................................. 435
replacemsg nntp ......................................................................................................... 437
replacemsg spam........................................................................................................ 439
replacemsg sslvpn...................................................................................................... 441
resource-limits ............................................................................................................ 442
session-helper ............................................................................................................. 444
session-sync ............................................................................................................... 446
Notes and limitations .............................................................................................. 447
Configuring session synchronization...................................................................... 447
Configuring the session synchronization link.......................................................... 448
session-ttl .................................................................................................................... 452
settings ........................................................................................................................ 453
sit-tunnel ...................................................................................................................... 457
snmp community ........................................................................................................ 458
snmp sysinfo ............................................................................................................... 462
snmp user .................................................................................................................... 464
switch-interface........................................................................................................... 466
tos-based-priority........................................................................................................ 468
vdom-link ..................................................................................................................... 469
vdom-property............................................................................................................. 471
wccp ............................................................................................................................. 473
wireless ap-status ....................................................................................................... 475
wireless mac-filter ....................................................................................................... 476
wireless settings ......................................................................................................... 477
zone.............................................................................................................................. 479
user........................................................................................................ 481
Configuring users for authentication........................................................................ 482
Configuring users for password authentication....................................................... 482
Configuring peers for certificate authentication...................................................... 482
adgrp ............................................................................................................................ 483
ban................................................................................................................................ 484
fsae............................................................................................................................... 488
group ............................................................................................................................ 490
ldap............................................................................................................................... 495
local .............................................................................................................................. 498
peer............................................................................................................................... 500
peergrp......................................................................................................................... 502
radius ........................................................................................................................... 503
settings ........................................................................................................................ 505
tacacs+......................................................................................................................... 506
vpn......................................................................................................... 507
certificate ca ................................................................................................................ 508
certificate crl ................................................................................................................ 509
certificate local ............................................................................................................ 511
certificate ocsp............................................................................................................ 512
certificate remote ........................................................................................................ 513
ipsec concentrator ...................................................................................................... 514
ipsec forticlient ............................................................................................................ 515
ipsec manualkey ......................................................................................................... 516
ipsec manualkey-interface ......................................................................................... 519
ipsec phase1................................................................................................................ 522
ipsec phase1-interface ............................................................................................... 530
ipsec phase2................................................................................................................ 539
ipsec phase2-interface ............................................................................................... 546
l2tp................................................................................................................................ 552
pptp .............................................................................................................................. 554
ssl monitor ................................................................................................................... 556
ssl settings .................................................................................................................. 557
ssl web portal .............................................................................................................. 560
wanopt................................................................................................... 563
auth-group ................................................................................................................... 564
cache-storage.............................................................................................................. 566
iscsi .............................................................................................................................. 569
peer............................................................................................................................... 570
rule................................................................................................................................ 571
settings ........................................................................................................................ 577
ssl-server ..................................................................................................................... 578
Example: SSL offloading for a WAN optimization tunnel........................................ 579
storage ......................................................................................................................... 582
webcache..................................................................................................................... 584
web-proxy ............................................................................................. 587
explicit .......................................................................................................................... 588
global ............................................................................................................................ 589
webfilter ................................................................................................ 591
bword ........................................................................................................................... 592
exmword ...................................................................................................................... 594
fortiguard ..................................................................................................................... 596
FortiGuard-Web category blocking......................................................................... 596
ftgd-local-cat ................................................................................................................ 599
ftgd-local-rating........................................................................................................... 600
ftgd-ovrd ...................................................................................................................... 601
ftgd-ovrd-user.............................................................................................................. 603
urlfilter .......................................................................................................................... 605
execute.................................................................................................. 607
backup.......................................................................................................................... 608
batch............................................................................................................................. 611
central-mgmt ............................................................................................................... 612
cfg reload ..................................................................................................................... 613
cfg save........................................................................................................................ 614
clear system arp table ................................................................................................ 615
cli check-template-status ........................................................................................... 616
cli status-msg-only ..................................................................................................... 617
date............................................................................................................................... 618
dhcp lease-clear .......................................................................................................... 619
dhcp lease-list ............................................................................................................. 620
disconnect-admin-session......................................................................................... 621
enter ............................................................................................................................. 622
factoryreset .................................................................................................................. 623
formatlogdisk .............................................................................................................. 624
fortiguard-log update.................................................................................................. 625
fsae refresh.................................................................................................................. 626
ha disconnect .............................................................................................................. 627
ha manage ................................................................................................................... 628
ha synchronize............................................................................................................ 629
interface dhcpclient-renew......................................................................................... 631
interface pppoe-reconnect ......................................................................................... 632
log delete-all ................................................................................................................ 633
log delete-filtered ........................................................................................................ 634
log delete-rolled .......................................................................................................... 635
log display ................................................................................................................... 636
log filter ........................................................................................................................ 637
log fortianalyzer test-connectivity ............................................................................. 638
log list ........................................................................................................................... 639
log roll .......................................................................................................................... 640
modem dial .................................................................................................................. 641
modem hangup ........................................................................................................... 642
modem trigger ............................................................................................................. 643
ping............................................................................................................................... 644
ping-options, ping6-options....................................................................................... 645
ping6............................................................................................................................. 647
reboot ........................................................................................................................... 648
router clear bfd............................................................................................................ 649
restore.......................................................................................................................... 650
router clear bgp........................................................................................................... 653
router clear ospf process ........................................................................................... 654
router restart ................................................................................................................ 655
scsi-dev........................................................................................................................ 656
send-fds-statistics ...................................................................................................... 658
set-next-reboot ............................................................................................................ 659
sfp-mode-sgmii ........................................................................................................... 660
shutdown ..................................................................................................................... 661
ssh ................................................................................................................................ 662
telnet ............................................................................................................................. 663
time............................................................................................................................... 664
traceroute..................................................................................................................... 665
update-ase ................................................................................................................... 666
update-av ..................................................................................................................... 667
update-ips .................................................................................................................... 668
update-now.................................................................................................................. 669
upd-vd-license............................................................................................................. 670
usb-disk ....................................................................................................................... 671
vpn certificate ca......................................................................................................... 672
vpn certificate crl ........................................................................................................ 674
vpn certificate local ..................................................................................................... 675
vpn certificate remote................................................................................................. 678
vpn sslvpn del-tunnel ................................................................................................. 679
vpn sslvpn del-web ..................................................................................................... 680
get .......................................................................................................... 681
firewall service predefined ......................................................................................... 682
gui console status....................................................................................................... 683
gui topology status ..................................................................................................... 684
hardware status........................................................................................................... 685
ips decoder status ...................................................................................................... 686
ips rule status.............................................................................................................. 687
ipsec tunnel list ........................................................................................................... 688
router info bfd neighbor ............................................................................................. 689
router info bgp............................................................................................................. 690
router info multicast ................................................................................................... 693
router info ospf ............................................................................................................ 695
router info protocols ................................................................................................... 697
router info rip............................................................................................................... 698
router info routing-table ............................................................................................ 699
router info6 interface .................................................................................................. 700
router info6 routing-table ........................................................................................... 701
system admin list ........................................................................................................ 702
system admin status................................................................................................... 703
system arp ................................................................................................................... 704
system central-management ...................................................................................... 705
system checksum ....................................................................................................... 706
system cmdb status.................................................................................................... 707
system dashboard ...................................................................................................... 708
system fdp-fortianalyzer............................................................................................. 709
system fortianalyzer-connectivity ............................................................................. 710
system fortiguard-log-service status ........................................................................ 711
system fortiguard-service status............................................................................... 712
system ha status ......................................................................................................... 713
About the HA cluster index and the execute ha manage command....................... 715
system info admin ssh ............................................................................................... 719
system info admin status ........................................................................................... 720
system interface physical .......................................................................................... 721
system performance status ....................................................................................... 722
system session list ..................................................................................................... 723
system session status................................................................................................ 724
system status .............................................................................................................. 725
system wireless detected-ap ..................................................................................... 726
Index...................................................................................................... 727
Introduction
This chapter introduces you to the FortiGate Unified Threat Management System and the
following topics:
About the FortiGate Unified Threat Management System
Registering your Fortinet product
Customer service and technical support
Fortinet documentation
Conventions
About the FortiGate Unified Threat Management System
The FortiGate Unified Threat Management System supports network-based deployment
of application-level services, including virus protection and full-scan content filtering.
FortiGate units improve network security, reduce network misuse and abuse, and help you
use communications resources more efficiently without compromising the performance of
your network.
The FortiGate unit is a dedicated, easily managed security device that delivers a full suite
of capabilities that include:
application-level services such as virus protection and content filtering,
network-level services such as firewall, intrusion detection, VPN, and traffic shaping.
The FortiGate unit employs Fortinet's Accelerated Behavior and Content Analysis System
(ABACAS) technology, which leverages breakthroughs in chip design, networking,
security, and content analysis. The unique ASIC-based architecture analyzes content and
behavior in real-time, enabling key applications to be deployed right at the network edge
where they are most effective at protecting your networks. The FortiGate series
complements existing solutions, such as host-based antivirus protection, and enables new
applications and services while greatly lowering costs for equipment, administration, and
maintenance.
Registering your Fortinet product
Before you begin, take a moment to register your Fortinet product at the Fortinet Technical
Support web site, https://support.fortinet.com.
Many Fortinet customer services, such as firmware updates, technical support, and
FortiGuard Antivirus and other FortiGuard services, require product registration.
For more information, see the Fortinet Knowledge Center article Registration Frequently
Asked Questions.
Customer service and technical support
Fortinet Technical Support provides services designed to make sure that your Fortinet
products install quickly, configure easily, and operate reliably in your network.
To learn about the technical support services that Fortinet provides, visit the Fortinet
Technical Support web site at https://support.fortinet.com.
You can dramatically improve the time that it takes to resolve your technical support ticket
by providing your configuration file, a network diagram, and other specific information. For
a list of required information, see the Fortinet Knowledge Center article What does
Fortinet Technical Support require in order to best assist the customer?
Fortinet documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the
most up-to-date versions of Fortinet publications, as well as additional technical
documentation such as technical notes.
In addition to the Fortinet Technical Documentation web site, you can find Fortinet
technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet
Knowledge Center.
Fortinet Tools and Documentation CD
Many Fortinet publications are available on the Fortinet Tools and Documentation CD
shipped with your Fortinet product. The documents on this CD are current at shipping
time. For current versions of Fortinet documentation, visit the Fortinet Technical
Documentation web site, http://docs.fortinet.com.
Fortinet Knowledge Center
The Fortinet Knowledge Center provides additional Fortinet technical documentation,
such as troubleshooting and how-to articles, examples, FAQs, technical notes, a glossary,
and more. Visit the Fortinet Knowledge Center at http://kc.fortinet.com.
Comments on Fortinet technical documentation
Please send information about any errors or omissions in this or any Fortinet technical
document to techdoc@fortinet.com.
Conventions
Fortinet technical documentation uses the conventions described below.
IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other
organization, the IP addresses used in Fortinet technical documentation are fictional and
follow the documentation guidelines specific to Fortinet. The addresses used are from the
private IP address ranges defined in RFC 1918: Address Allocation for Private Internets,
available at http://ietf.org/rfc/rfc1918.txt?number-1918.
CLI constraints
CLI constraints, such as <address_ipv4>, indicate which data types or string patterns
are acceptable input for a given parameter or variable value. CLI constraint conventions
are described in the CLI Reference document for each product.
Notes, Tips and Cautions
Fortinet technical documentation uses the following guidance and styles for notes, tips
and cautions.
Tip: Highlights useful additional information, often tailored to your workplace activity.
Note: Also presents useful information, but usually focused on an alternative, optional
method, such as a shortcut, to perform a step.
Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.
Typographical conventions
Fortinet documentation uses the following typographical conventions:
Table 1: Typographical conventions in Fortinet technical documentation
Convention                    Example
Button, menu, text box,       From Minimum log level, select Notification.
field, or check box label
CLI input                     config system dns
                                  set primary <address_ipv4>
                              end
CLI output                    FGT-602803030703 # get system settings
                              comments : (null)
                              opmode : nat
Emphasis                      HTTP connections are not secure and can be intercepted by
                              a third party.
File content                  <HTML><HEAD><TITLE>Firewall
                              Authentication</TITLE></HEAD>
                              <BODY><H4>You must authenticate to use this
                              service.</H4>
Hyperlink                     Visit the Fortinet Technical Support web site,
                              https://support.fortinet.com.
Keyboard entry                Type a name for the remote VPN peer or client, such as
                              Central_Office_1.
Navigation                    Go to VPN > IPSEC > Auto Key (IKE).
Publication                   For details, see the FortiGate Administration Guide.
What's new
The tables below list commands which have changed since the previous release, version 3.0 MR7.
Command                                   Change
config antivirus filepattern
  set file-type                           New keyword. Select the type of file the file
                                          filter will search for. This was previously
                                          available on FortiCarrier units only.
  set filter-type                         New keyword. Selects whether the file type is
                                          detected by file content or file name
                                          extension. This was previously available on
                                          FortiCarrier units only.
config application list                   New command. Configures application control
                                          list entries.
config application name                   New command. Displays the settings for each
                                          application under application control.
config dlp compound                       New command. Creates compound DLP rules.
config dlp rule                           New command. Creates Data Leak Prevention
                                          (DLP) rules.
config dlp sensor                         New command. Creates a DLP sensor.
config endpoint-control                   New command. Configures the Endpoint Control
                                          feature.
config firewall address, address6
  edit <name_str>
    set comment <comment_string>          New keyword. Adds a comment.
config firewall addrgrp, addrgrp6
  edit <name_str>
    set comment <comment_string>          New keyword. Adds a comment.
config firewall interface-policy          New command. Applies DoS sensors and IPS
                                          sensors to network traffic on an interface.
                                          In the web-based manager, interface policies
                                          are called DoS policies.
config firewall interface-policy6         New command. Applies IPS sensors to IPv6
                                          network traffic on an interface.
config firewall policy, policy6
  edit <index_int>
    set endpoint-allow-collect-sysinfo    New keywords. These keywords configure the
    set endpoint-check                    Endpoint Control feature, which replaces the
    set endpoint-restrict-check           v3.0 FortiClient Check feature.
    set endpoint-redir-portal
    set forticlient-check                 Keywords removed. These keywords configured
    set forticlient-ra-db-outdated        the FortiClient Check feature. In FortiOS
    set forticlient-ra-no-av              v4.0, the Endpoint Control feature replaces
    set forticlient-ra-no-fw              the FortiClient Check feature.
    set forticlient-ra-notinstalled
    set forticlient-ra-notlicensed
    set forticlient-ra-no-wf
    set forticlient-redir-portal
    set gbandwidth                        Keyword removed. Use the guaranteed-bandwidth
                                          keyword in the new config firewall
                                          traffic-shaper command.
        set groups
            Keyword moved to the config identity-based-policy subcommand.
        set identity-based enable
        config identity-based-policy
            edit <id>
                set groups
                set logtraffic
                set profile
                set schedule
                set service
                set traffic-shaper
                set traffic-shaper-reverse
            New keyword. Enables identity-based policies, which are defined in
            the new config identity-based-policy subcommand. The groups keyword
            defines the user groups who can use this policy. The other keywords
            in the subcommand have the same meaning as they do in the main
            config firewall policy command.
        set match-vip
            New keyword. If enabled, the FortiGate unit checks whether DNATed
            traffic matches the policy, even in non-VIP policies.
        set maxbandwidth
            Keyword removed. Use the maximum-bandwidth keyword in the new
            config firewall traffic-shaper command.
        set session-ttl
            New keyword. Overrides the global timeout setting defined in
            config system session-ttl.
        set traffic-shaper
            New keyword. Selects a traffic shaper defined in the new
            config firewall traffic-shaper command.
        set traffic-shaper-reverse
            New keyword. Selects a traffic shaper defined in the new
            config firewall traffic-shaper command. This traffic shaper applies
            to traffic from destination to source.
        set traffic-shaping
            Keyword removed. In FortiOS 4.0, you define traffic shapers with the
            new config firewall traffic-shaper command and select traffic
            shapers in the firewall policy using the traffic-shaper and
            traffic-shaper-reverse keywords.
        set wccp
            New keyword. Enables web caching on the policy.
config firewall profile
    edit <id>
        set aim
        set bittorrent
        set bittorrent-limit
        set edonkey
        set edonkey-limit
        set gnutella
        set gnutella-limit
        set icq
        set imoversizechat
        set kazaa
        set kazaa-limit
        set msn
        set p2p
        set skype
        set winny
        set winny-limit
        set yahoo
            Keywords removed. In FortiOS 4.0 you define application control
            lists that you can select in firewall profiles. See the config
            application chapter.
        set log-antispam-mass-mms
        set log-av-endpoint-filter
        set log-im
        set log-p2p
        set log-voip
        set log-voip-violations
            Keywords removed. In FortiOS 4.0, you enable logging in application
            control settings. See the config application chapter.
        set application-list
            Keyword added. Sets the application list to use in this profile.
        set application-list-status
            Keyword added. Enables application control in this profile.
        set dlp-sensor-table
            Keyword added. Selects a Data Leak Prevention sensor for this
            profile.
        set httppostaction
            Keyword added. Selects the action to take against HTTP uploads.
        set httpsoversizelimit
            Keyword added. Sets the maximum in-memory file size that will be
            scanned for files received with the HTTPS protocol.
        set https-deep-scan
            Keyword added. Enables decryption and additional scanning of the
            content of HTTPS traffic.
        set https-retry-count
            Keyword added. Sets the number of times to retry establishing an
            HTTPS connection.
        set httpscomfortinterval
            Keyword added. Sets the interval between client comforting sends.
        set httpscomfortamount
            Keyword added. Sets the number of bytes client comforting sends
            each time.
        set imaps
            Keyword added. Selects actions that the FortiGate unit performs on
            IMAP connections.
        set imapsoversizelimit
            Keyword added. Sets the maximum in-memory file size that will be
            scanned for files received with the IMAPS protocol.
        set nac-quar-expiry
            Keyword added. Sets the duration of quarantine.
        set nac-quar-infected
            Keyword added. Enables quarantine of infected hosts to the banned
            user list.
        set pop3s
            Keyword added. Selects actions that the FortiGate unit performs on
            POP3 connections.
        set pop3soversizelimit
            Keyword added. Sets the maximum in-memory file size that will be
            scanned for files received with the POP3 protocol.
        set smtps
            Keyword added. Selects actions that the FortiGate unit performs on
            SMTP connections.
        set smtpsoversizelimit
            Keyword added. Sets the maximum in-memory file size that will be
            scanned for files received with the SMTP protocol.
        config sccp
            Subcommand removed. See the config application list command.
        config simple
            Subcommand removed. See the config application list command.
        config sip
            Subcommand removed. See the config application list command.
        config app-recognition
            Subcommand added. Configures application recognition.
            edit <protocol>
                set inspect-all
                    Keyword added. Enables monitoring all ports for this
                    protocol.
                set port
                    Keyword added. Sets the port to monitor if not monitoring
                    all ports.
config firewall service custom
    edit <name_str>
        set comment <string>
            Keyword added. Adds a comment.
config firewall service group
    edit <name_str>
        set comment <string>
            Keyword added. Adds a comment.
config firewall ssl setting
    New command. Configures SSL proxy settings that apply antivirus scanning,
    web filtering, spam filtering, data leak prevention (DLP), and content
    archiving to HTTPS, IMAPS, POP3S, and SMTPS traffic.
config firewall traffic-shaper
    New command. Defines traffic shapers. In FortiOS 4.0, traffic shaping
    settings are configured in traffic shapers. In the firewall profile, you
    select a traffic shaper.
config firewall vip
    edit <name_str>
        set gratuitous-arp-interval
            New keyword. Sets the time interval between sending ARP packets
            from a virtual IP address.
        set http
            Keyword renamed to http-multiplex.
        set http-multiplex
            Keyword renamed from http. Enables the FortiGate unit's HTTP proxy
            to multiplex multiple client connections destined for the web
            server into a few connections between the FortiGate unit and the
            web server.
        set monitor
            New keyword. Selects the health check monitor to use to determine
            a virtual server's connectivity status.
        set persistence
            New keyword. Sets the connection persistence option.
        set server-type
            New keyword. Selects the communication protocol that the virtual
            server uses.
        set ssl
            Keyword renamed to ssl-mode.
        set ssl-mode
            Keyword renamed from ssl. Sets the SSL offloading option.
        config realservers
            edit <table_id>
                set client-ip
                    New keyword. Sets the IP address of the client in the
                    X-Forwarded-For HTTP header.
                set dead-interval
                    Keyword removed.
                set max-connections
                    New keyword. Sets the limit on the number of active
                    connections directed to a real server.
                set ping-detect
                    Keyword removed.
                set wake-interval
                    Keyword removed.
config global
    Added application, system replacemsg ec, system replacemsg nac-quar, and
    system vdom-property to the global config commands.
    Added execute scsi-dev, execute sfpmode-sgmii, execute send-fsd-statistics,
    and execute update-ase to the global execute commands.
config imp2p policy
    Default value is allow for all imp2p policy commands.
config ips DoS
    config address
        Subcommand removed. Addresses are now specified in the DoS policy. See
        firewall interface-policy.
    config anomaly
        set quarantine
            New keyword. Quarantines the attacker to the banned user list.
config ips global
    set algorithm
        New keyword. Selects the method that the IPS engine uses to determine
        whether traffic matches signatures.
config ips sensor
    edit <sensor_str>
        config filter
            edit <filter_str>
                set quarantine
                    New keyword. Quarantines the attacker to the banned user
                    list.
config log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
    set amc-intf-bypass
        New keyword. Enables logging of AMC interfaces entering bypass mode.
    set app-ctrl
        New keyword. Enables logging of application control logs.
    set app-ctrl-all
        New keyword. Enables logging of application control log subcategories.
    set content-log
        New keyword. Enables log content archiving to an AMC hard disk.
    set content-log-ftp
        New keyword. Enables FTP log content archiving.
    set content-log-http
        New keyword. Enables HTTP log content archiving.
    set content-log-imap
        New keyword. Enables IMAP log content archiving.
    set content-log-pop3
        New keyword. Enables POP3 log content archiving.
    set content-log-smtp
        New keyword. Enables SMTP log content archiving.
    set dlp
        New keyword. Enables logging of data leak prevention logs.
    set dlp-all
        New keyword. Enables logging of data leak prevention subcategories.
    set im
        Keyword removed.
    set im-all
        Keyword removed.
    set voip
        Keyword removed.
    set voip-all
        Keyword removed.
    set wan-opt
        New keyword. Enables logging of WAN optimization messages.
config router setting
    New command. Sets a prefix list as a filter to show routes.
config system amc
    set asm-cx4
        New option. Support for the ASM-CX4 single-width card.
    set asm-fx2
        New option. Support for the ASM-FX2 single-width card.
config spamfilter fortishield
    set reports-status
        New keyword. Enables storage of FortiGuard Antispam statistics on the
        FortiGate unit hard drive.
config system accprofile
    edit <profile_name>
        set <access-group> <access-level>
            Removed the avgrp, imp2pgrp and spamgrp options for
            <access-group>. Use the new utmgrp instead. Also added
            endpoint-control-grp and wanoptgrp as <access-group> options.
config system central-management
    Command renamed from config system fortimanager.
config system fortimanager
    Command renamed to config system central-management.
config system global
    set admin-lockout-duration
        New keyword. Sets the administrator lockout duration in seconds.
        Lockout occurs after repeated failed login attempts.
    set admin-lockout-threshold
        New keyword. Sets the number of failed attempts that triggers
        administrator lockout.
    set auth-policy-exact-match
        New keyword. Enables the requirement that traffic must match an
        authenticated policy by policy ID in addition to IP address.
    set batch-cmdb
        Renamed from batch_cmdb.
    set batch_cmdb
        Renamed to batch-cmdb.
    set check-protocol-header
        New keyword. Selects loose or strict checking of protocol headers.
    set endpoint-control-portal-port
        New keyword. Selects the port used for the endpoint control portal.
    set send-pmtu-icmp
        New keyword. Enables sending path maximum transmission unit (PMTU)
        ICMP destination unreachable packets to support the PMTUD protocol.
config system interface
    set gwaddr
        Keyword removed.
    set mux-type
        Keyword removed.
    set ips-sniffer-mode
        New keyword. Enables one-armed IPS on the interface.
    set nontp-web-proxy
        New keyword. Enables web cache support for this interface.
    set type
        Removed the adsl option.
    set vci
        Keyword removed.
    set vpi
        Keyword removed.
    set wccp
        New keyword. Enables Web Cache Control Protocol (WCCP) on this
        interface.
config system modem
    set account-relation
        New keyword. Sets the account relationship as either equal or
        fallback.
    set extra-init1
    set extra-init2
    set extra-init3
        New keywords. Send extra initialization strings to the modem.
    set modem-dev1
    set modem-dev2
    set modem-dev3
        New keywords. Selects the PCMCIA wireless card or the normal interface
        for the modem device.
    set pin-init
        New keyword. Configures an AT command string to set the PIN.
    set wireless-custom-product-id
        New keyword. Configures the product ID of an installed 3G wireless
        PCMCIA modem.
    set wireless-custom-vendor-id
        New keyword. Configures the vendor ID of an installed 3G wireless
        PCMCIA modem.
config system replacemsg ec
    New command. Changes the endpoint check download portal replacement
    message page.
config system replacemsg mail email-dlp
    New replacement message for email blocked because a data leak was
    detected.
config system replacemsg mail email-dlp-ban
    New replacement message for email blocked because a data leak was
    detected and the email was banned.
config system replacemsg mail email-dlp-ban-sender
    New replacement message for email blocked because the sender was banned
    for a data leak.
config system replacemsg mail email-dlp-subject
    New replacement message for email blocked because a data leak was
    detected.
config system replacemsg nac-quar
    New command. Changes the NAC quarantine pages for data leak (DLP), denial
    of service (DoS), IPS, and virus detected.
config system replacemsg spam smtp-spam-ase
    New replacement message for an email message that the antispam engine
    marked as spam.
config system replacemsg spam smtp-spam-dnsbl
    New replacement message for an email message that the spam filter marked
    as spam because it originated from a blacklisted IP address.
config system resource-limits
    New command. Sets limits on global system resources, and customizes limits
    for particular resources.
config system settings
    set p2p-rate-limit
        Keyword removed.
    set vpn-stats-log
        New keyword. Enables periodic VPN log statistics for selected traffic.
    set vpn-stats-period
        New keyword. Sets the interval in seconds for vpn-stats-log to collect
        VPN statistics.
config system snmp user
    New command. Configures an SNMP user.
config system switch-interface
    All FortiGate models now support this command.
config system vdom-property
    New command. Sets maximum and guaranteed system resource limits for the
    specified virtual domain (VDOM).
config system wccp
    New command. Configures Web Cache Communication Protocol (WCCP) settings.
config system wireless ap-status
    New command. Designates an access point as either accepted or rogue. This
    designation affects the web-based manager Rogue AP listing. For FortiWiFi
    models only.
config system wireless settings
    set bgscan
    set bgscan-idle
    set bgscan-interval
        New keywords. Configure background scanning for access points while
        the FortiWiFi unit is in AP mode.
    set broadcast_ssid
    set fragment_threshold
    set key
    set passphrase
    set radius_server
    set rts_threshold
    set security
    set ssid
        Keywords removed. These keywords applied to models not supported in
        FortiOS 4.0. Equivalent keywords prefixed with wifi- are available in
        the config system interface command on FortiWiFi models.
config user ban
    New command. Configures Banned User List entries.
config vpn ipsec concentrator
    edit <concentrator_name>
        set src-check
            New keyword. Enables checking the source address of the phase2
            selector when locating the best matching phase2 in a concentrator.
            The default is to check only the destination selector.
config vpn ipsec phase1
    edit <gateway_name>
        set dpd
            Default changed to enable.
        set nattraversal
            Default changed to enable.
        set proposal
            Default changed to aes128-sha1 3des-sha1.
config vpn ipsec phase1-interface
    edit <gateway_name>
        set pfs
            Default changed to enable.
        set nattraversal
            Default changed to enable.
        set proposal
            Default changed to aes128-sha1 3des-sha1.
config vpn ipsec phase2
    edit <tunnel_name>
        set add-route
            New keyword. Enables routes to be propagated to routing peers over
            a dynamic routing protocol (RIP, OSPF, or BGP).
        set pfs
            Default changed to enable.
        set proposal
            Default changed to aes128-sha1 3des-sha1.
        set replay
            Default changed to enable.
config vpn ipsec phase2-interface
    edit <gateway_name>
        set dhcp-ipsec
            New keyword. Enables assignment of IP addresses to dialup clients
            using DHCP over IPsec.
        set pfs
            Default changed to enable.
        set proposal
            Default changed to aes128-sha1 3des-sha1.
        set replay
            Default changed to enable.
config vpn pptp
    set ip-mode
        New keyword. Enables assignment of PPTP client IP addresses according
        to PPTP user group. The default mode is to select an IP address from
        the pre-configured IP address range.
    set local-ip
        New keyword. Sets the FortiGate unit PPTP gateway IP address.
config vpn ssl web portal
    New command. Configures an SSL VPN web portal.
config vdom
    Added application, dlp, config endpoint-control, firewall
    interface-policy, firewall traffic-shape, system ipv6-tunnel, system
    modem, and system wccp to the VDOM config commands.
    Added execute interface, execute modem dial, execute modem hangup,
    execute ping6-options, execute sfp-mode-sgmii, and execute ssh to the
    VDOM execute commands.
config wanopt ...
    New commands. Configure WAN Optimization.
config web-proxy explicit
    New command. Configures an explicit web proxy.
config web-proxy global
    New command. Configures global web-proxy settings.
execute backup <type> ftp ...
    Added the ability to back up all logs and individual log types to FTP
    servers as well as TFTP servers.
execute ha synchronize ase
    New command. Synchronizes the antispam engine and antispam rule sets.
execute log delete-rolled app-ctrl ...
execute log delete-rolled dlp ...
    Added Application control (app-ctrl) and Data leak prevention (dlp) log
    categories.
execute log filter category app-ctrl ...
execute log filter category dlp ...
    Added Application control (app-ctrl) and Data leak prevention (dlp) log
    categories.
execute log list app-ctrl
execute log list dlp
    Added Application control (app-ctrl) and Data leak prevention (dlp) log
    categories.
execute router clear bfd ase ftp ...
execute router clear bfd ase tftp ...
    Restore the antispam engine from an FTP or TFTP server.
execute scsi-dev ...
    New commands. Change the SCSI device configuration as part of WAN
    optimization.
execute update-ase
    New command. Manually initiates an antispam engine and rules update.
get router info6 interface
    New command. Lists information about IPv6 interfaces.
get router info6 routing-table
    New command. Lists the routes in the IPv6 routing table.
get system fdp-fortianalyzer
    New command. Lists the serial number of the FortiAnalyzer unit you use for
    logging.
get system interface physical
    New command. Lists information about the unit's physical network
    interfaces.
get system wireless detected-ap
    Lists the detected access points. For WiFi models only.
Using the CLI
This chapter explains how to connect to the CLI and describes the basics of using the CLI.
You can use CLI commands to view all system information and to change all system
configuration settings.
This chapter describes:
CLI command syntax
Administrator access
Connecting to the CLI
CLI objects
CLI command branches
CLI basics
CLI command syntax
This guide uses the following conventions to describe command syntax.
Angle brackets < > indicate variables.
    For example:
        execute restore config <filename_str>
    You enter:
        execute restore config myfile.bak
    <xxx_ipv4> indicates a dotted decimal IPv4 address.
    <xxx_v4mask> indicates a dotted decimal IPv4 netmask.
    <xxx_ipv4mask> indicates a dotted decimal IPv4 address followed by a dotted
    decimal IPv4 netmask.
    <xxx_ipv6> indicates an IPv6 address.
    <xxx_v6mask> indicates an IPv6 netmask.
    <xxx_ipv6mask> indicates an IPv6 address followed by an IPv6 netmask.
Vertical bar and curly brackets { | } separate alternative, mutually exclusive
required keywords.
    For example:
        set opmode {nat | transparent}
    You can enter set opmode nat or set opmode transparent.
Square brackets [ ] indicate that a keyword or variable is optional.
    For example:
        show system interface [<name_str>]
    To show the settings for all interfaces, you can enter show system
    interface. To show the settings for the internal interface, you can enter
    show system interface internal.
A space separates options that can be entered in any combination and must be
separated by spaces.
    For example:
        set allowaccess {ping https ssh snmp http telnet}
    You can enter any of the following:
        set allowaccess ping
        set allowaccess ping https ssh
        set allowaccess https ping ssh
        set allowaccess snmp
    In most cases, to make changes to lists that contain options separated by
    spaces, you need to retype the whole list, including all the options you
    want to apply and excluding all the options you want to remove.
Administrator access
The access profile (Admin Profile in the web-based manager) assigned to your
administrator account controls which CLI commands you can access. You need read
access to view configurations and write access to make changes. In access profiles,
access control is divided into groups, as follows:
Table 2: Access profile control of access to CLI commands
Access control group                     Available CLI commands
Admin Users (admingrp)                   config system admin
                                         config system accprofile
Auth Users (authgrp)                     config imp2p aim-user
                                         config imp2p icq-user
                                         config imp2p msn-user
                                         config imp2p yahoo-user
                                         config user
Endpoint Control (endpoint-control-grp)  config endpoint-control
Firewall Configuration (fwgrp)           config firewall
                                         config gui topology
                                         execute fsae refresh
FortiGuard Update (updategrp)            config system autoupdate
                                         execute update-ase
                                         execute update-av
                                         execute update-ips
                                         execute update-now
Log & Report (loggrp)                    config alertemail
                                         config log
                                         config system alertemail
                                         config system fortianalyzer 1/2/3
                                         execute formatlogdisk
                                         execute fortiguard-log
                                         execute log
Maintenance (mntgrp)                     execute backup
                                         execute batch
                                         execute central-mgmt
                                         execute restore
                                         execute usb-disk
Network Configuration (netgrp)           config system arp-table
                                         config system dhcp
                                         config system gre-tunnel
                                         config system interface
                                         config system proxy-arp
                                         config system vdom-link
                                         config system zone
                                         config web-proxy
                                         execute clear system arp table
                                         execute dhcp lease-clear
                                         execute dhcp lease-list
                                         execute interface
Router Configuration (routegrp)          config router
                                         execute mrouter
                                         execute router
System Configuration (sysgrp)            config dlp
                                         config gui console
                                         config system except accprofile,
                                         admin, alertemail, arp-table,
                                         autoupdate, dhcp, fortianalyzer,
                                         gre-tunnel, interface, proxy-arp,
                                         vdom-link, and zone.
                                         execute cfg
                                         execute cli
                                         execute date
                                         execute disconnect-admin-session
                                         execute factoryreset
                                         execute ha
                                         execute ping
                                         execute ping6
                                         execute ping-options
                                         execute ping6-options
                                         execute reboot
                                         execute send-fds-statistics
                                         execute set-next-reboot
                                         execute shutdown
                                         execute ssh
                                         execute telnet
                                         execute time
                                         execute traceroute
UTM Configuration (utmgrp)               config antivirus
                                         config application
                                         config imp2p old-version
                                         config imp2p policy
                                         config ips
                                         config spamfilter
                                         config webfilter
VPN Configuration (vpngrp)               config vpn
                                         execute vpn
Connecting to the CLI
You can use a direct console connection, SSH, Telnet or the web-based manager to
connect to the FortiGate CLI.
Connecting to the FortiGate console
Setting administrative access on an interface
Connecting to the FortiGate CLI using SSH
Connecting to the FortiGate CLI using Telnet
Connecting to the FortiGate CLI using the web-based manager
Connecting to the FortiGate console
Only the admin administrator or a regular administrator of the root domain can log in by
connecting to the console interface. You need:
    a computer with an available communications port
    a null modem cable, provided with your FortiGate unit, to connect the FortiGate
    console port and a communications port on your computer
    terminal emulation software such as HyperTerminal for Windows
Note: The following procedure describes how to connect to the FortiGate CLI using
Windows HyperTerminal software. You can use any terminal emulation program.
To connect to the CLI
1 Connect the FortiGate console port to the available communications port on your
  computer.
2 Make sure the FortiGate unit is powered on.
3 Start HyperTerminal, enter a name for the connection, and select OK.
4 Configure HyperTerminal to connect directly to the communications port on the
  computer to which you have connected the FortiGate console port.
5 Select OK.
6 Select the following port settings and select OK.
      Bits per second   9600 (115200 for the FortiGate-300)
      Data bits         8
      Parity            None
      Stop bits         1
      Flow control      None
7 Press Enter to connect to the FortiGate CLI.
  A prompt similar to the following appears (shown for the FortiGate-300):
      FortiGate-300 login:
8 Type a valid administrator name and press Enter.
9 Type the password for this administrator and press Enter.
  The following prompt appears:
      Welcome!
  You have connected to the FortiGate CLI, and you can enter CLI commands.
Setting administrative access on an interface
To perform administrative functions through a FortiGate network interface, you must
enable the required types of administrative access on the interface to which your
management computer connects. Access to the CLI requires SSH or Telnet access. If you
want to use the web-based manager, you need HTTPS or HTTP access.
To use the web-based manager to configure FortiGate interfaces for SSH or Telnet
access, see the FortiGate Administration Guide.
To use the CLI to configure SSH or Telnet access
1 Connect and log into the CLI using the FortiGate console port and your terminal
  emulation software.
2 Use the following command to configure an interface to accept SSH connections:
      config system interface
          edit <interface_name>
              set allowaccess <access_types>
      end
  Where <interface_name> is the name of the FortiGate interface to be configured to
  allow administrative access and <access_types> is a whitespace-separated list of
  access types to enable.
  For example, to configure the internal interface to accept HTTPS (web-based
  manager), SSH and Telnet connections, enter:
      config system interface
          edit internal
              set allowaccess https ssh telnet
      end
  Note: Remember to press Enter at the end of each line in the command example. Also,
  type end and press Enter to commit the changes to the FortiGate configuration.
3 To confirm that you have configured SSH or Telnet access correctly, enter the following
  command to view the access settings for the interface:
      get system interface <name_str>
  The CLI displays the settings, including allowaccess, for the named interface.
Other access methods
The procedure above shows how to allow access only for Telnet or only for SSH. If you
want to allow both or any of the other management access types, you must include all the
options you want to apply. For example, to allow PING, HTTPS and SSH access to an
interface, the set portion of the command is set allowaccess ping https ssh.
Connecting to the FortiGate CLI using SSH
Secure Shell (SSH) provides strong secure authentication and secure communications to
the FortiGate CLI from your internal network or the Internet. Once the FortiGate unit is
configured to accept SSH connections, you can run an SSH client on your management
computer and use this client to connect to the FortiGate CLI.
Note: A maximum of 5 SSH connections can be open at the same time.
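The two points made above, that allowaccess is a whole list you retype rather than a set of toggles, and that SSH rather than Telnet is the access method to expose on untrusted networks, are easy to audit from the output of show system interface. The following Python script is an added example and is not part of this reference or of FortiOS: it parses a constructed sample of that output, flags interfaces that still allow the cleartext management protocols (telnet, http), and builds the full replacement set allowaccess line with the secure options kept in their original order. The interface names and addresses in the sample are constructed, and the use of unset allowaccess for an interface left with no access types is an assumption of the example.

```python
"""Audit and remediate 'allowaccess' from FortiGate 'show system interface'.

Added example, not code from the FortiGate CLI Reference. Parses the
'config system interface' block as the CLI prints it, reports interfaces
exposing cleartext management protocols, and emits the complete
replacement 'set allowaccess' list (the CLI replaces the whole list, so
removing one option means retyping the ones you keep).
"""
import re

# Cleartext management protocols; the reference's own caution recommends
# SSH (and, by the same reasoning, HTTPS) on unprotected networks.
INSECURE_ACCESS = {"telnet", "http"}

# Constructed sample in the layout of 'show system interface' output.
SAMPLE_OUTPUT = """\
config system interface
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh telnet http
        set type physical
    next
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https ssh
        set type physical
    next
    edit "dmz"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set type physical
    next
end
"""


def parse_allowaccess(show_output):
    """Return {interface_name: [access types in CLI order]}.

    An interface with no 'set allowaccess' line maps to an empty list,
    since 'show' omits keywords that are still at their default.
    """
    result = {}
    current = None
    for line in show_output.splitlines():
        stripped = line.strip()
        m = re.match(r'edit\s+"?([^"\s]+)"?$', stripped)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        if current is None:
            continue
        m = re.match(r"set allowaccess\s+(.+)$", stripped)
        if m:
            result[current] = m.group(1).split()
        elif stripped == "next":
            current = None
    return result


def find_insecure(access_map):
    """Return {interface: sorted insecure types} for interfaces exposing any."""
    findings = {}
    for name, types in access_map.items():
        bad = sorted(INSECURE_ACCESS.intersection(types))
        if bad:
            findings[name] = bad
    return findings


def remediation_commands(access_map):
    """Build the CLI sequence that drops the insecure types.

    Only interfaces whose list would change are included, and the kept
    options are retyped in full in their original order.
    """
    lines = ["config system interface"]
    for name, types in access_map.items():
        keep = [t for t in types if t not in INSECURE_ACCESS]
        if keep == types:
            continue
        lines.append(f'    edit "{name}"')
        if keep:
            lines.append(f"        set allowaccess {' '.join(keep)}")
        else:
            # Assumption: clearing the list entirely is done with 'unset'.
            lines.append("        unset allowaccess")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    access = parse_allowaccess(SAMPLE_OUTPUT)
    for iface, bad in find_insecure(access).items():
        print(f"{iface}: cleartext management enabled: {', '.join(bad)}")
    print(remediation_commands(access))
```

Running it against the sample reports the internal interface (http, telnet) and prints a config block that retypes ping https ssh for it while leaving wan1 and dmz untouched; the same parser can be pointed at a saved copy of a unit's real show system interface output.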
To connect to the CLI using SSH
1 Install and start an SSH client.
2 Connect to a FortiGate interface that is configured for SSH connections.
3 Type a valid administrator name and press Enter.
4 Type the password for this administrator and press Enter.
The FortiGate model name followed by a # is displayed.
You have connected to the FortiGate CLI, and you can enter CLI commands.
Connecting to the FortiGate CLI using Telnet
You can use Telnet to connect to the FortiGate CLI from your internal network or the
Internet. Once the FortiGate unit is configured to accept Telnet connections, you can run a
Telnet client on your management computer and use this client to connect to the FortiGate
CLI.
Caution: Telnet is not a secure access method. SSH should be used to access the
FortiGate CLI from the Internet or any other unprotected network.
Note: A maximum of 5 Telnet connections can be open at the same time.
To connect to the CLI using Telnet
1 Install and start a Telnet client.
2 Connect to a FortiGate interface that is configured for Telnet connections.
3 Type a valid administrator name and press Enter.
4 Type the password for this administrator and press Enter.
  The following prompt appears:
      Welcome!
  You have connected to the FortiGate CLI, and you can enter CLI commands.
Connecting to the FortiGate CLI using the web-based manager
The web-based manager also provides a CLI console that can be detached as a separate
window.
To connect to the CLI using the web-based manager
1 Connect to the web-based manager and log in.
  For information about how to do this, see the FortiGate Administration Guide.
2 Go to System > Status.
3 If you do not see the CLI Console display, select Add Content > CLI Console.
4 Click in the CLI Console display to connect.
CLI objects
The FortiGate CLI is based on configurable objects. The top-level objects are the basic
components of FortiGate functionality.
There is a chapter in this manual for each of these top-level objects. Each of these objects
contains more specific lower level objects. For example, the firewall object contains
objects for addresses, address groups, policies and protection profiles.
CLI command branches
The FortiGate CLI consists of the following command branches:
config branch
get branch
show branch
execute branch
diagnose branch
Examples showing how to enter command sequences within each branch are provided in
the following sections. See also Example command sequences on page 41.
Table 3: CLI objects
alertemail        Sends email to designated recipients when it detects log messages of a defined severity level.
antivirus         Scans services for viruses and grayware, optionally providing quarantine of infected files.
application       Controls the operation of applications over the network.
dlp               Configures sensors and rules for Data Leak Prevention.
endpoint-control  Enforces use of FortiClient Endpoint Security and monitors which applications are installed on endpoint PCs.
firewall          Controls connections between interfaces according to policies based on IP addresses and type of service, applies protection profiles.
gui               Controls preferences for the web-based manager CLI console and topology viewer.
imp2p             Controls user access to Internet Messaging and Person-to-Person applications.
ips               Intrusion Prevention System detects and prevents network intrusions.
log               Configures logging.
router            Moves packets from one network segment to another towards a network destination, based on packet headers.
spamfilter        Filters email based on MIME headers, a banned word list, lists of banned email and IP addresses.
system            Configures options related to the overall operation of the FortiGate unit, such as interfaces, virtual domains, and administrators.
user              Authenticates users to use firewall policies or VPNs.
vpn               Provides Virtual Private Network access through the FortiGate unit.
wanopt            Configures WAN Optimization.
web-proxy         Configures web proxies used for web content filtering, WAN optimization, and antivirus scanning.
webfilter         Blocks or passes web traffic based on a banned word list, filter URLs, and FortiGuard-Web category filtering.
config branch
The config commands configure CLI objects, such as the firewall, the router, antivirus
protection, and so on. For more information about CLI objects, see CLI objects on
page 35.
Top-level objects are containers for more specific lower level objects that are each in the
form of a table. For example, the firewall object contains tables of addresses, address
groups, policies and protection profiles. You can add, delete or edit the entries in the table.
Table entries consist of keywords that you can set to particular values.
To configure an object, you use the config command to navigate to the object's
command shell. For example, to configure administrators, you enter the command
config system admin
The command prompt changes to show that you are now in the admin shell.
(admin) #
This is a table shell. You can use any of the following commands:
delete   Remove an entry from the FortiGate configuration. For example in the
         config system admin shell, type delete newadmin and press Enter to
         delete the administrator account named newadmin.
edit     Add an entry to the FortiGate configuration or edit an existing entry.
         For example in the config system admin shell:
         type edit admin and press Enter to edit the settings for the default
         admin administrator account.
         type edit newadmin and press Enter to create a new administrator
         account with the name newadmin and to edit the default settings for
         the new administrator account.
end      Save the changes you have made in the current shell and leave the
         shell. Every config command must be paired with an end command. You
         return to the root FortiGate CLI prompt.
         The end command is also used to save set command changes and leave
         the shell.
get      List the configuration. In a table shell, get lists the table members.
         In an edit shell, get lists the keywords and their values.
move     Change the position of an entry in an ordered table. For example in the
         config firewall policy shell:
         type move 3 after 1 and press Enter to move the policy in the third
         position in the table to the second position in the table.
         type move 3 before 1 and press Enter to move the policy in the third
         position in the table to the first position in the table.
purge    Remove all entries configured in the current shell. For example in the
         config user local shell:
         type get to see the list of user names added to the FortiGate
         configuration,
         type purge and then y to confirm that you want to purge all the user
         names,
         type get again to confirm that no user names are displayed.
rename   Rename a table entry. For example, in the config system admin shell,
         you could rename admin3 to fwadmin like this:
         rename admin3 to fwadmin
show     Show changes to the default configuration in the form of configuration
         commands.
If you enter the get command, you see a list of the entries in the table of
administrators. To add a new administrator, you enter the edit command with a
new administrator name:
edit admin_1
The FortiGate unit acknowledges the new table entry and changes the command
prompt to show that you are now editing the new entry:
new entry 'admin_1' added
(admin_1) #
From this prompt, you can use any of the following commands:
abort    Exit an edit shell without saving the configuration.
config   In a few cases, there are subcommands that you access using a second
         config command while editing a table entry. An example of this is the
         command to add a secondary IP address to a network interface. See the
         example To add two secondary IP addresses to the internal interface
         on page 41.
end      Save the changes you have made in the current shell and leave the
         shell. Every config command must be paired with an end command.
         The end command is also used to save set command changes and leave
         the shell.
get      List the configuration. In a table shell, get lists the table members.
         In an edit shell, get lists the keywords and their values.
next     Save the changes you have made in the current shell and continue
         working in the shell. For example, if you want to add several new user
         accounts, enter the config user local shell.
         1 Type edit User1 and press Enter.
         2 Use the set commands to configure the values for the new user
         account.
         3 Type next to save the configuration for User1 without leaving the
         config user local shell.
         4 Continue using the edit, set, and next commands to continue adding
         user accounts.
         5 Type end and press Enter to save the last configuration and leave
         the shell.
set      Assign values. For example from the edit admin command shell, typing
         set password newpass changes the password of the admin administrator
         account to newpass.
         Note: When using a set command to make changes to lists that contain
         options separated by spaces, you need to retype the whole list
         including all the options you want to apply and excluding all the
         options you want to remove.
show     Show changes to the default configuration in the form of configuration
         commands.
unset    Reset values to defaults. For example from the edit admin command
         shell, typing unset password resets the password of the admin
         administrator account to the default of no password.
The config branch is organized into configuration shells. You can complete and save the
configuration within each shell for that shell, or you can leave the shell without saving the
configuration. You can only use the configuration commands for the shell that you are
working in. To use the configuration commands for another shell you must leave the shell
you are working in and enter the other shell.
get branch
Use get to display system status information. For information about these commands,
see get on page 681.
You can also use get within a config shell to display the settings for that shell, or you
can use get with a full path to display the settings for a particular object.
To use get from the root prompt, you must include a path to a shell. The root prompt is the
FortiGate host name followed by a #.
Example
The command get hardware status provides information about various physical
components of the FortiGate unit.
# get hardware status
Model name: Fortigate-300
ASIC version: CP
SRAM: 64M
CPU: Pentium III (Coppermine)
RAM: 250 MB
Compact Flash: 122 MB /dev/hda
Hard disk: 38154 MB /dev/hdc
Network Card chipset: Intel(R) 8255x-based Ethernet Adapter (rev. 0x0009)
Example
When you type get in the config system interface shell, information about all of
the interfaces is displayed.
At the (interface)# prompt, type:
get
The screen displays:
== [ internal ]
name: internal mode: static ip: 192.168.20.200 255.255.255.0 status: up netbios-forward: disable type: physical ip6-address: ::/0 ip6-send-adv: disable
== [ external ]
name: external mode: static ip: 192.168.100.99 255.255.255.0 status: up netbios-forward: disable type: physical ip6-address: ::/0 ip6-send-adv: disable
...
Example
When you type get in the internal interface shell, the configuration values for the
internal interface are displayed.
edit internal
At the (internal)# prompt, type:
get
The screen displays:
name            : internal
allowaccess     : ping https ssh
arpforward      : enable
cli_conn_status : 0
detectserver    : (null)
gwdetect        : disable
ip              : 192.168.20.200 255.255.255.0
and so on.
Note: Interface names vary for different FortiGate models. The following examples use the
interface names for a FortiGate-300 unit.
Example
You are working in the config system global shell and want to see information about
the FortiGate interfaces.
At the (global)# prompt, type:
get system interface
The screen displays:
== [ internal ]
name: internal mode: static ip: 192.168.20.200 255.255.255.0 status: up netbios-forward: disable type: physical ip6-address: ::/0 ip6-send-adv: disable
== [ external ]
name: external mode: static ip: 192.168.100.99 255.255.255.0 status: up netbios-forward: disable type: physical ip6-address: ::/0 ip6-send-adv: disable
...
Example
You want to confirm the IP address and netmask of the internal interface from the root
prompt.
At the # prompt, type:
get system interface internal
The screen displays:
name             : internal
allowaccess      : ping https ssh
arpforward       : enable
cli_conn_status  : 0
detectserver     : (null)
gwdetect         : disable
ip               : 192.168.20.200 255.255.255.0
ip6-address      : ::/0
ip6-default-life : 1800
...
show branch
Use show to display the FortiGate unit configuration. By default, only changes to the
default configuration are displayed. Use show full-configuration to display the
complete configuration.
You can use show within a config shell to display the configuration of that shell, or you
can use show with a full path to display the configuration of the specified object.
To display the configuration of all objects, you can use show from the root prompt.
The root prompt is the FortiGate host or model name followed by a #.
Example
When you type show and press Enter within the internal interface shell, the changes to
the default internal interface configuration are displayed.
At the (internal)# prompt, type:
show
The screen displays:
config system interface
    edit internal
        set allowaccess ssh ping https
        set ip 192.168.20.200 255.255.255.0
    next
end
Example
You are working in the internal interface shell and want to see the system global
configuration. At the (internal)# prompt, type:
show system global
The screen displays:
config system global
    set admintimeout 5
    set authtimeout 15
    set failtime 5
    set hostname 'Fortigate-300'
    set interval 5
    set lcdpin 123456
    set ntpserver '132.246.168.148'
    set syncinterval 60
    set timezone 04
end
execute branch
Use execute to run static commands, to reset the FortiGate unit to factory defaults, or to
back up or restore FortiGate configuration files. The execute commands are available only
from the root prompt.
The root prompt is the FortiGate host or model name followed by a #.
Example
At the root prompt, type:
execute reboot
and press Enter to restart the FortiGate unit.
diagnose branch
Commands in the diagnose branch are used for debugging the operation of the
FortiGate unit and to set parameters for displaying different levels of diagnostic
information. The diagnose commands are not documented in this CLI Reference Guide.
Caution: Diagnose commands are intended for advanced users only. Contact Fortinet
technical support before using these commands.
Example command sequences
To configure the primary and secondary DNS server addresses
1 Starting at the root prompt, type:
config system dns
and press Enter. The prompt changes to (dns)#.
2 At the (dns)# prompt, type ?
The following options are displayed.
set
unset
get
show
abort
end
3 Type set ?
The following options are displayed.
primary
secondary
domain
dns-cache-limit
cache-not-found-responses
4 To set the primary DNS server address to 172.16.100.100, type:
set primary 172.16.100.100
and press Enter.
5 To set the secondary DNS server address to 207.104.200.1, type:
set secondary 207.104.200.1
and press Enter.
6 To restore the primary DNS server address to the default address, type unset
primary and press Enter.
7 To restore the secondary DNS server address to the default address, type unset
secondary and press Enter.
8 If you want to leave the config system dns shell without saving your changes, type
abort and press Enter.
9 To save your changes and exit the dns sub-shell, type end and press Enter.
10 To confirm your changes have taken effect after leaving the dns sub-shell, type get
system dns and press Enter.
To add two secondary IP addresses to the internal interface
1 Starting at the root prompt, type:
config system interface
and press Enter. The prompt changes to (interface)#.
Note: Interface names vary for different FortiGate models. The following examples use the
interface names for a FortiGate-300 unit.
2 At the (interface)# prompt, type ?
The following options are displayed.
edit
delete
purge
rename
get
show
end
3 At the (interface)# prompt, type:
edit internal
and press Enter. The prompt changes to (internal)#.
4 At the (internal)# prompt, type ?
The following options are displayed.
config
set
unset
get
show
next
abort
end
5 At the (internal)# prompt, type:
config secondaryip
and press Enter. The prompt changes to (secondaryip)#.
6 At the (secondaryip)# prompt, type ?
The following options are displayed.
edit
delete
purge
rename
get
show
end
7 To add a secondary IP address with the ID number 0, type:
edit 0
and press Enter. The prompt changes to (0)#.
8 At the (0)# prompt, type ?
The following options are displayed.
set
unset
get
show
next
abort
end
9 Type set ?
The following options are displayed.
allowaccess
detectserver
gwdetect
ip
10 To set the secondary IP address with the ID number 0 to 192.168.100.100 and the
netmask to 255.255.255.0, type:
set ip 192.168.100.100 255.255.255.0
and press Enter.
11 To add another secondary IP address to the internal interface, type next and press
Enter.
The prompt changes to (secondaryip)#.
12 To add a secondary IP address with the ID number 1, type:
edit 1
and press Enter. The prompt changes to (1)#.
13 To set the secondary IP address with the ID number 1 to 192.168.100.90 and the
netmask to 255.255.255.0, type:
set ip 192.168.100.90 255.255.255.0
and press Enter.
14 To restore the secondary IP address with the ID number 1 to the default, type unset
ip and press Enter.
15 If you want to leave the secondary IP address 1 shell without saving your changes,
type abort and press Enter.
16 To save your changes and exit the secondary IP address 1 shell, type end and press
Enter.
The prompt changes to (internal)#.
17 To delete the secondary IP address with the ID number 1, type delete 1 and press
Enter.
18 To save your changes and exit the internal interface shell, type end and press
Enter.
19 To confirm your changes have taken effect after using the end command, type get
system interface internal and press Enter.
CLI basics
This section includes:
Command help
Command completion
Recalling commands
Editing commands
Line continuation
Command abbreviation
Environment variables
Encrypted password support
Entering spaces in strings
Entering quotation marks in strings
Entering a question mark (?) in a string
International characters
Special characters
IP address formats
Editing the configuration file
Setting screen paging
Changing the baud rate
Using Perl regular expressions
Command help
You can press the question mark (?) key to display command help.
Press the question mark (?) key at the command prompt to display a list of the
commands available and a description of each command.
Type a command followed by a space and press the question mark (?) key to display a
list of the options available for that command and a description of each option.
Type a command followed by an option and press the question mark (?) key to display
a list of additional options available for that command option combination and a
description of each option.
Command completion
You can use the tab key or the question mark (?) key to complete commands.
You can press the tab key at any prompt to scroll through the options available for that
prompt.
You can type the first characters of any command and press the tab key or the
question mark (?) key to complete the command or to scroll through the options that
are available at the current cursor position.
After completing the first word of a command, you can press the space bar and then
the tab key to scroll through the options available at the current cursor position.
Recalling commands
You can recall previously entered commands by using the Up and Down arrow keys to
scroll through commands you have entered.
Editing commands
Use the Left and Right arrow keys to move the cursor back and forth in a recalled
command. You can also use the Backspace and Delete keys and the control keys listed in
Table 4 to edit the command.
Table 4: Control keys for editing commands
Function Key combination
Beginning of line CTRL+A
End of line CTRL+E
Back one character CTRL+B
Forward one character CTRL+F
Delete current character CTRL+D
Previous command CTRL+P
Next command CTRL+N
Abort the command CTRL+C
If used at the root prompt, exit the CLI CTRL+C
Line continuation
To break a long command over multiple lines, use a \ at the end of each line.
Command abbreviation
You can abbreviate commands and command options to the smallest number of
non-ambiguous characters. For example, the command get system status can be
abbreviated to g sy st.
Environment variables
The FortiGate CLI supports the following environment variables.
$USERFROM   The management access type (SSH, Telnet and so on) and the IP
            address of the logged in administrator.
$USERNAME   The user account name of the logged in administrator.
$SerialNum  The serial number of the FortiGate unit.
Variable names are case sensitive. In the following example, the unit hostname is set to
the serial number.
config system global
    set hostname $SerialNum
end
Encrypted password support
After you enter a clear text password using the CLI, the FortiGate unit encrypts the
password and stores it in the configuration file with the prefix ENC. For example:
show system admin user1
lists the user1 administrator password as follows:
config system admin
    edit "user1"
        set accprofile "prof_admin"
        set password ENC XXNFKpSV3oIVk
    next
end
It is also possible to enter an already encrypted password. For example, type:
config system admin
and press Enter.
Type:
edit user1
and press Enter.
Type:
set password ENC XXNFKpSV3oIVk
and press Enter.
Type:
end
and press Enter.
Entering spaces in strings
When a string value contains a space, do one of the following:
Enclose the string in quotation marks, "Security Administrator", for example.
Enclose the string in single quotes, 'Security Administrator', for example.
Use a backslash (\) preceding the space, Security\ Administrator, for example.
Entering quotation marks in strings
If you want to include a quotation mark, single quote or apostrophe in a string, you must
precede the character with a backslash character. To include a backslash, enter two
backslashes.
Entering a question mark (?) in a string
If you want to include a question mark (?) in a string, you must precede the question mark
with CTRL-V. Entering a question mark without first entering CTRL-V causes the CLI to
display possible command completions, terminating the string.
International characters
The CLI supports international characters in strings. The web-based manager dashboard
CLI Console applet supports the appropriate character set for the current administration
language. If you want to enter strings that contain Asian characters, configure the CLI
Console to use the external command input box.
International character support with external applications such as SSH clients depends on
the capabilities and settings of the application.
Special characters
The characters <, >, (, ), #, , and are not permitted in most CLI fields. The exceptions
are:
passwords
replacemsg buffer
firewall policy comments
ips custom signature
antivirus filepattern
antivirus exempt filepattern
webfilter bword
spamfilter bword pattern
system interface username (PPPoE mode)
system modem phone numbers or account user names
firewall profile comment
spamfilter mheader fieldbody
spamfilter emailbwl email_pattern
router info bgp regular expressions
router aspath-list rule regular expressions
IP address formats
You can enter an IP address and subnet using either dotted decimal or slash-bit format.
For example you can type either:
set ip 192.168.1.1 255.255.255.0
or
set ip 192.168.1.1/24
The IP address is displayed in the configuration file in dotted decimal format.
Editing the configuration file
You can change the FortiGate configuration by backing up the configuration file to a TFTP
server. Then you can make changes to the file and restore it to the FortiGate unit.
1 Use the execute backup config command to back up the configuration file to a
TFTP server.
2 Edit the configuration file using a text editor.
Related commands are listed together in the configuration file. For instance, all the
system commands are grouped together, all the antivirus commands are grouped
together and so on. You can edit the configuration by adding, changing or deleting the
CLI commands in the configuration file.
The first line of the configuration file contains information about the firmware version
and FortiGate model. Do not edit this line. If you change this information the FortiGate
unit will reject the configuration file when you attempt to restore it.
You can add comments to the configuration file by starting the comment line with a #
character.
3 Use the execute restore config command to copy the edited configuration file
back to the FortiGate unit.
The FortiGate unit receives the configuration file and checks to make sure the firmware
version and model information is correct. If it is, the FortiGate unit loads the
configuration file and checks each command for errors. If the FortiGate unit finds an
error, an error message is displayed after the command and the command is rejected.
Then the FortiGate unit restarts and loads the new configuration.
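The config/edit/set/next/end shell syntax described under the config branch (including a config subcommand nested inside an edit, as in the secondary IP procedure) is also the format of the backed-up configuration file, so one parser serves both. The following Python is an added example, not Fortinet code: its sample configuration, the dmz interface name and the header comment line are constructed, and its audit flags clear-text management access (Telnet, as the Caution earlier in this chapter notes, and HTTP) so it can be removed by retyping the allowaccess list.

```python
# Parser for the config/edit/set/next/end shell syntax this chapter describes, with an
# audit of the result. Added example, not Fortinet code: the sample text, its interface
# names and its header comment line are constructed for illustration.
SAMPLE_CONFIG = """\
# constructed sample; a real backup's first line records firmware and model
config system interface
    edit "internal"
        set allowaccess ping https ssh
        set ip 192.168.20.200 255.255.255.0
        config secondaryip
            edit 0
                set ip 192.168.100.100/24
            next
        end
    next
    edit "dmz"
        set allowaccess ping telnet http
        set ip 10.0.0.1/24
    next
end
"""
CLEAR_TEXT = ("telnet", "http")   # Telnet per the chapter's caution; HTTP is clear text too


def tokenize(line):
    """Split a CLI line into words: quotes group words and a backslash
    escapes the next character (space, quote or backslash)."""
    tokens, cur, quote, started, chars = [], [], None, False, iter(line)
    for ch in chars:
        if ch == "\\":                       # escaped character, taken literally
            cur.append(next(chars, ""))
        elif quote:                          # inside "..." or '...'
            if ch == quote:
                quote = None
                continue
            cur.append(ch)
        elif ch in "\"'":
            quote = ch
        elif ch.isspace():
            if started:
                tokens.append("".join(cur))
            cur, started = [], False
            continue
        else:
            cur.append(ch)
        started = True
    if started:
        tokens.append("".join(cur))
    return tokens


def parse_config(text):
    """Nested dicts: shell name -> entry -> keyword -> value words. A config
    inside an edit (the secondaryip case) nests the same way."""
    stack = [{}]                             # stack[-1] is the open shell
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or # comment line
            continue
        cmd, *args = tokenize(line)
        cur = stack[-1]
        if cmd == "config":
            stack.append(cur.setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(cur.setdefault(args[0], {}))
        elif cmd == "set":
            cur[args[0]] = args[1:]
        elif cmd == "unset":
            cur.pop(args[0], None)           # back to the default value
        elif cmd in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: {cmd} outside any shell")
            stack.pop()
        else:
            raise ValueError(f"line {lineno}: unknown command {cmd!r}")
    if len(stack) != 1:
        raise ValueError("config shell left open: missing end")
    return stack[0]


def get_path(cfg, path):
    """Resolve a full path as 'get system interface internal' does: longest shell name first."""
    words = path.split()
    for n in range(len(words), 0, -1):
        node = cfg.get(" ".join(words[:n]))
        if node is not None:
            for word in words[n:]:
                node = node[word]
            return node
    raise KeyError(path)


def insecure_admin_access(cfg):
    """Interfaces whose allowaccess permits clear-text management, with the protocols."""
    findings = []
    for name, entry in get_path(cfg, "system interface").items():
        bad = [p for p in entry.get("allowaccess", []) if p in CLEAR_TEXT]
        if bad:
            findings.append((name, bad))
    return findings
```

Running the parser over a backed-up file before restoring it catches an unbalanced end or an unknown command with a line number, the same class of error the unit reports after a rejected command.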
Setting screen paging
Using the config system console command, you can configure the display to pause
when the screen is full. This is convenient for viewing the lengthy output of a command
such as get system global.
When the display pauses, the bottom line of the console displays --More--. You can
then do one of the following:
Press the spacebar to continue.
Press Q to end the display. One more line of output is displayed, followed by the shell
prompt.
To set paged output, enter the following command:
config system console
    set output more
end
Changing the baud rate
Using set baudrate in the config system console shell, you can change the
default console connection baud rate.
Using Perl regular expressions
Some FortiGate features, such as spam filtering and web content filtering can use either
wildcards or Perl regular expressions.
See http://perldoc.perl.org/perlretut.html for detailed information about using Perl regular
expressions.
Some differences between regular expression and wildcard pattern
matching
In Perl regular expressions, the . character refers to any single character. It is similar to the
? character in wildcard pattern matching. As a result:
fortinet.com not only matches fortinet.com but also matches
fortinetacom, fortinetbcom, fortinetccom and so on.
To match a special character such as '.' and *, regular expressions use the \ escape
character. For example:
To match fortinet.com, the regular expression should be fortinet\.com.
In Perl regular expressions, * means match 0 or more times of the character before it, not
0 or more times of any character. For example:
forti*\.com matches fortiiii.com but does not match fortinet.com.
To match any character 0 or more times, use .* where . means any character and the *
means 0 or more times. For example:
the wildcard match pattern forti*.com is equivalent to the regular expression
forti.*\.com.
Word boundary
In Perl regular expressions, the pattern does not have an implicit word boundary. For
example, the regular expression test not only matches the word test but also matches
any word that contains the word test such as atest, mytest, testimony, atestb. The
notation \b specifies the word boundary. To match exactly the word test, the expression
should be \btest\b.
Case sensitivity
Regular expression pattern matching is case sensitive in the Web and Spam filters. To
make a word or phrase case insensitive, use the regular expression /i. For example,
/bad language/i will block all instances of bad language regardless of case.
Note: Changing the default baud rate is available for FortiGate units with BIOS 3.03 and
higher and FortiOS version 2.50 and higher.
Table 5: Perl regular expression examples
Expression   Matches
abc          abc (that exact character sequence, but anywhere in the string)
^abc         abc at the beginning of the string
abc$         abc at the end of the string
a|b          either of a and b
^abc|abc$    the string abc at the beginning or at the end of the string
ab{2,4}c     an a followed by two, three or four b's followed by a c
ab{2,}c      an a followed by at least two b's followed by a c
ab*c         an a followed by any number (zero or more) of b's followed by a c
ab+c         an a followed by one or more b's followed by a c
ab?c         an a followed by an optional b followed by a c; that is, either abc or ac
a.c          an a followed by any single character (not newline) followed by a c
a\.c         a.c exactly
[abc]        any one of a, b and c
[Aa]bc       either of Abc and abc
[abc]+       any (nonempty) string of a's, b's and c's (such as a, abba, acbabcacaa)
[^abc]+      any (nonempty) string which does not contain any of a, b and c (such as defg)
\d\d         any two decimal digits, such as 42; same as \d{2}
/i           makes the pattern case insensitive. For example, /bad language/i blocks any instance of bad language regardless of case.
\w+          a "word": a nonempty sequence of alphanumeric characters and low lines (underscores), such as foo and 12bar8 and foo_1
100\s*mk     the strings 100 and mk optionally separated by any amount of white space (spaces, tabs, newlines)
abc\b        abc when followed by a word boundary (e.g. in abc! but not in abcd)
perl\B       perl when not followed by a word boundary (e.g. in perlert but not in perl stuff)
\x           tells the regular expression parser to ignore white space that is neither backslashed nor within a character class. You can use this to break up your regular expression into (slightly) more readable parts.
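The wildcard-versus-regular-expression differences, the \b word boundary and the /pattern/i notation described above, as an added example that is not Fortinet code: it uses Python's re module, whose syntax agrees with Perl for these constructs, and the hostnames and phrases it is run over are constructed.

```python
# Added example, not Fortinet code: reproduces the wildcard-versus-regular-expression
# rules and the /pattern/i notation of this section with Python's re module, whose
# syntax agrees with Perl for the constructs used here.
import re

# Constructed sample hostnames and phrases a web or spam filter pattern is run over.
SAMPLE_HOSTS = ["fortinet.com", "fortinetacom", "fortiiii.com", "www.fortinet.com"]
SAMPLE_TEXT = ["a test here", "testimony", "atestb", "BAD Language", "bad language"]


def wildcard_to_regex(pattern):
    """Translate a wildcard pattern into the equivalent regular expression:
    * becomes .* (any characters), ? becomes . (one character) and every other
    character is escaped, so a literal . does not turn into 'any character'."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def compile_filter(expression):
    """Compile a filter written either as a bare regular expression or in the
    /pattern/i form the section uses for case-insensitive matching."""
    m = re.fullmatch(r"/(.*)/(i?)", expression, re.DOTALL)
    if m:
        flags = re.IGNORECASE if m.group(2) == "i" else 0
        return re.compile(m.group(1), flags)
    return re.compile(expression)


def hits(expression, strings, wildcard=False):
    """Return the strings the pattern would match (and so block), in order.
    As in Perl, a pattern matches anywhere in the string unless it is anchored
    with ^, $ or \\b."""
    if wildcard:
        regex = re.compile(wildcard_to_regex(expression))
    else:
        regex = compile_filter(expression)
    return [s for s in strings if regex.search(s)]
```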
Working with virtual domains
By default, the FortiGate unit has one virtual domain (root) and one administrator (admin) with
unrestricted access to the system configuration. If you enable virtual domain configuration, the super
admin account can also:
Use the vdom command to create and configure additional virtual domains.
Use the global command to create and assign administrators to each virtual domain.
Use the global command to configure features that apply to all virtual domains.
This section contains the following topics:
Enabling virtual domain configuration
Accessing commands in virtual domain configuration
Creating and configuring VDOMs
Configuring inter-VDOM routing
Changing the management VDOM
Creating VDOM administrators
Troubleshooting ARP traffic on VDOMs
Enabling virtual domain configuration
The administrators with the super_admin profile can enable virtual domain configuration through either
the web-based manager or the CLI. In the CLI, use the following command:
config system global
    set vdom-admin enable
end
Log off and then log on again with a super_admin admin account. By default, there is no password for
the default admin account.
Accessing commands in virtual domain configuration
When you log in as admin with virtual domain configuration enabled, you have only four top-level
commands:
config global       Enter config global to access global commands.
                    In the global shell, you can execute commands that affect all virtual domains, such
                    as config system autoupdate.
                    For a list of the global commands, see global on page 57.
config vdom         Enter config vdom to access VDOM-specific commands.
                    In the vdom shell, use the edit <vdom_name> command to create a new VDOM or
                    to edit the configuration of an existing VDOM.
                    In the <vdom_name> shell, you can execute commands to configure options that
                    apply only within the VDOM, such as config firewall policy.
                    For a list of VDOM-specific commands, see vdom on page 60.
                    When you have finished, enter next to edit another vdom, or end.
get system status   System status. For more information, see vdom-link on page 469.
exit                Log off.
Creating and configuring VDOMs
When virtual domain configuration is enabled, admin has full access to the global FortiGate unit
configuration and to the configuration of each VDOM. All of the commands described in this Reference
are available to admin, but they are accessed through a special top-level command shell.
Creating a VDOM
You create a new VDOM using the config vdom command. For example, to create a new VDOM
called vdomain2, you enter the following:
config vdom
  edit vdomain2
end
This creates a new VDOM operating in NAT/Route mode. You can have up to 10 VDOMs on your
FortiGate unit by default.
For this VDOM to be useful, you need to assign interfaces or VLAN subinterfaces to it.
Assigning interfaces to a VDOM
By default, all interfaces belong to the root domain. You can reassign an interface or VLAN
subinterface to another VDOM if the interface is not already used in a VDOM-specific configuration
such as a firewall policy. Interfaces are part of the global configuration of the FortiGate unit, so only the
admin account can configure interfaces.
For example, to assign port3 and port4 to vdomain2, log on as admin and enter the following
commands:
config global
  config system interface
    edit port3
      set vdom vdomain2
    next
    edit port4
      set vdom vdomain2
  end
end
Setting VDOM operating mode
When you create a VDOM, its default operating mode is NAT/Route. You can change the operating
mode of each VDOM independently. When viewing a list of interfaces that are in different VDOMs and
different operating modes, fields that are not available for some interfaces will display a -.
Changing to Transparent mode
When you change the operating mode of a VDOM from NAT/Route to Transparent mode, you must
specify the management IP address and the default gateway IP address. The following example
shows how to change vdomain2 to Transparent mode. The management IP address is
192.168.10.100, and the default gateway is 192.168.10.1:
config vdom
  edit vdomain2
    config system settings
      set opmode transparent
      set manageip 192.168.10.100 255.255.255.0
      set gateway 192.168.10.1
    end
end
For more information, see system settings on page 453.
Changing back to NAT/Route mode
If you change a Transparent mode VDOM back to NAT/Route mode, you must specify which interface
you will use for administrative access and the IP address for that interface. This ensures that
administrative access is configured on the interface. You must also specify the default gateway IP
address and the interface that connects to the gateway. For example,
config vdom
  edit vdomain2
    config system settings
      set opmode nat
    end
    config system interface
      edit port1
        set ip 192.168.10.100 255.255.255.0
      end
end
For more information, see system settings on page 453.
Configuring inter-VDOM routing
By default, VDOMs are independent of each other, and to communicate they need to use physical
interfaces that are externally connected. By using the vdom-link command that was added in
FortiOS v3.0, this connection can be moved inside the FortiGate unit, freeing up the physical
interfaces. This feature also allows you to determine the level of inter-VDOM routing you want: only 2
VDOMs interconnected, or all VDOMs interconnected. The vdom-link command creates virtual
interfaces, so you have access to all the security available to physical interface connections. These
internal interfaces have the added bonus of being faster than physical interfaces unless the CPU load is
very heavy. As of FortiOS v3.0 MR3, BGP is supported over inter-VDOM links.
A packet can pass through an inter-VDOM link a maximum of three times. This is to prevent a loop.
When traffic is encrypted or decrypted, the content of the packets changes and this resets the inter-VDOM
counter. However, using IPIP or GRE tunnels does not reset the counter.
VDOM-links can also be configured through the web-based management interface. For more
information, see the FortiGate Administration Guide.
In this example you already have configured two VDOMs called v1 and v2. You want to set up a link
between them. The following command creates the VDOM link called v12_link. Once you have the link
in place, you need to bind the two ends of the link to the VDOMs it will be connecting. Then you are
free to apply firewall policies or other security measures.
config global
  config system vdom-link
    edit v12_link
  end
  config system interface
    edit v12_link0
      set vdom v1
    next
    edit v12_link1
      set vdom v2
    next
  end
end
To remove a vdom-link, delete the vdom-link itself; you cannot delete the two ends of the vdom-link
separately. To delete the setup above, enter:
config global
  config system vdom-link
    delete v12_link
  end
end
Before inter-VDOM routing, VDOMs were completely separate entities. Now, many new configurations
are available such as a service provider configuration (a number of VDOMS that go through one main
VDOM to access the internet) or a mesh configuration (where some or all VDOMs are connected to
some or all other VDOMs). These configurations are discussed in-depth in the FortiGate VLANs and
VDOMs Guide.
Note: When you are naming VDOM links you are limited to 8 characters for the base name. In the
example above the link name v12_link that is used is correct, but a link name of v12_verylongname is too
long.
Note: In an HA setup with virtual clusters, inter-VDOM routing must be entirely within one cluster. You
cannot create links between virtual clusters, and you cannot move a VDOM that is linked into another
virtual cluster. In HA mode, with multiple vclusters when you create the vdom-link in system vdom-link
there is an option to set which vcluster the link will be in.
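The hop limit and the link-name limit described above lend themselves to a design-time check. The following Python model is an added example, not code from this Reference or from Fortinet; the topologies, link names and function names are constructed for it.

```python
"""Design-time checks for inter-VDOM routing (constructed example, not Fortinet code).

Models vdom-links as edges between VDOMs and applies the hop limit stated above:
a plain (not encrypted/decrypted) packet may cross an inter-VDOM link at most
three times, after which it is dropped to prevent loops. IPIP/GRE tunnels do
not reset that counter, so tunnelled paths count the same way here.
"""
from collections import deque
from typing import Dict, List, Tuple

MAX_VDOM_LINK_HOPS = 3     # maximum link crossings for one packet
MAX_LINK_BASE_NAME = 8     # character limit for a vdom-link base name

# A vdom-link is (base_name, vdom bound to <base>0, vdom bound to <base>1).
VdomLink = Tuple[str, str, str]

# Constructed topologies. Chain: v1 - v2 - v3 - v4 - v5 over four links.
CHAIN: List[VdomLink] = [
    ("v12_link", "v1", "v2"),
    ("v23_link", "v2", "v3"),
    ("v34_link", "v3", "v4"),
    ("v45_link", "v4", "v5"),
]
# Service-provider layout: every customer VDOM reaches the internet via 'main'.
HUB: List[VdomLink] = [
    ("c1_link", "cust1", "main"),
    ("c2_link", "cust2", "main"),
    ("c3_link", "cust3", "main"),
]


def valid_link_name(base_name: str) -> bool:
    """vdom-link base names are limited to 8 characters; the two interface
    ends are derived from the base as <base>0 and <base>1."""
    return 0 < len(base_name) <= MAX_LINK_BASE_NAME


def link_interfaces(link: VdomLink) -> Dict[str, str]:
    """Interface name -> VDOM for both ends of a link, mirroring
    'config system interface / edit <base>0 / set vdom ...'."""
    base, vdom0, vdom1 = link
    return {base + "0": vdom0, base + "1": vdom1}


def reachable(links: List[VdomLink], source: str) -> Dict[str, int]:
    """Breadth-first search over vdom-links from 'source'. Returns
    VDOM -> fewest link crossings for VDOMs reachable within the hop limit.
    VDOMs that would need a fourth crossing are omitted: the packet is dropped."""
    adjacency: Dict[str, List[str]] = {}
    for _, a, b in links:
        adjacency.setdefault(a, []).append(b)
        adjacency.setdefault(b, []).append(a)
    hops = {source: 0}
    queue = deque([source])
    while queue:
        vdom = queue.popleft()
        if hops[vdom] == MAX_VDOM_LINK_HOPS:
            continue                      # one more crossing would be dropped
        for neighbour in adjacency.get(vdom, []):
            if neighbour not in hops:
                hops[neighbour] = hops[vdom] + 1
                queue.append(neighbour)
    del hops[source]
    return hops


def unreachable_pairs(links: List[VdomLink]) -> List[Tuple[str, str]]:
    """All ordered VDOM pairs that cannot exchange plain traffic within the limit."""
    vdoms = sorted({v for _, a, b in links for v in (a, b)})
    return [(s, d) for s in vdoms for d in vdoms
            if s != d and d not in reachable(links, s)]
```

In the chain, v1 and v5 are four links apart, so traffic between them is dropped; in the hub layout every customer pair is two crossings apart and stays under the limit.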
Changing the management VDOM
All management traffic leaves the FortiGate unit through the management VDOM. Management traffic
includes all external logging, remote management, and other Fortinet services. By default the
management VDOM is root. You can change this to another VDOM so that the traffic will leave your
FortiGate unit over the new VDOM.
You cannot change the management VDOM if any administrators are using RADIUS authentication.
If you want to change the management VDOM to vdomain2, you enter:
config global
  config system global
    set management-vdom vdomain2
  end
end
Creating VDOM administrators
The super_admin admin accounts can create regular administrators and assign them to VDOMs. The
system admin command, when accessed by admin, includes a VDOM assignment.
For example, to create an administrator, admin2, for VDOM vdomain2 with the default profile
prof_admin, you enter:
config global
  config system admin
    edit admin2
      set accprofile prof_admin
      set password hardtoguess
      set vdom vdomain2
  end
end
The admin2 administrator account can only access the vdomain2 VDOM and can connect only
through an interface that belongs to that VDOM. The VDOM administrator can access only VDOM-
specific commands, not global commands.
Troubleshooting ARP traffic on VDOMs
Address Resolution Protocol (ARP) traffic is vital to communication on a network and is enabled on
FortiGate interfaces by default. Normally you want ARP packets to pass through the FortiGate unit,
especially if it is sitting between a client and a server or between a client and a router.
Duplicate ARP packets
ARP traffic can cause problems, especially in Transparent mode where ARP packets arriving on one
interface are sent to all other interfaces, including VLAN subinterfaces. Some Layer 2 switches
become unstable when they detect the same MAC address originating on more than one switch
interface or from more than one VLAN. This instability can occur if the Layer 2 switch does not
maintain separate MAC address tables for each VLAN. Unstable switches may reset causing network
traffic to slow down.
Multiple VDOMs solution
One solution is to configure multiple VDOMs on the FortiGate unit, one for each VLAN. This means
one inbound and one outbound VLAN interface in each virtual domain. ARP packets are not forwarded
between VDOMs.
By default, physical interfaces are in the root domain. Do not configure any of your VLANs in the root
domain.
As a result of this VDOM configuration, the switches do not receive multiple ARP packets with the
same source MAC but different VLAN IDs, and the instability does not occur.
Forward-domain solution
You may run into problems using the multiple VDOMs solution. It is possible that you have more
VLANs than licensed VDOMs, not enough physical interfaces, or that your configuration works better by
grouping some VLANs together. In these situations the separate VDOMs solution may not work for
you.
In these cases, the solution is to use the forward-domain <collision_group_number> command. This
command tags VLAN traffic as belonging to a particular forward-domain collision group, and only
VLANs tagged as part of that collision group receive that traffic. By default, ports and VLANs are part of
forward-domain collision group 0. For more information, see the FortiGate VLANs and VDOMs Guide.
This solution has many benefits, from reduced administration and fewer physical interfaces in use to
more flexible network designs.
In the following example, forward-domain collision group 340 includes VLAN 340 traffic on Port1 and
untagged traffic on Port2. Forward-domain collision group 341 includes VLAN 341 traffic on Port1 and
untagged traffic on Port3. All other ports are part of forward-domain collision group 0 by default.
These are the CLI commands to accomplish this setup.
config system interface
  edit port1
  next
  edit port2
    set forward-domain 340
  next
  edit port3
    set forward-domain 341
  next
  edit port1-340
    set forward-domain 340
    set interface port1
    set vlanid 340
  next
  edit port1-341
    set forward-domain 341
    set interface port1
    set vlanid 341
  next
end
There is a more detailed discussion of this issue in the Asymmetric Routing and Other FortiGate Layer-
2 Installation Issues technical note.
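To see what the forward-domain setup above changes, the following Python model is an added example (not from this Reference or from Fortinet) that reproduces the port1/port2/port3 configuration and reports which interfaces a flooded ARP request reaches, with and without the collision groups; the interface table and function names are constructed for it.

```python
"""Model of Transparent-mode ARP flooding with forward-domain collision groups
(constructed example, not Fortinet code).

Reproduces the setup above: group 340 = VLAN 340 on port1 plus untagged port2,
group 341 = VLAN 341 on port1 plus untagged port3, everything else group 0.
It shows which interfaces a flooded ARP frame reaches, and with which VLAN tags
it leaves a given port, with and without the forward-domain tagging.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Interface:
    name: str
    physical: str                 # underlying physical port
    vlanid: Optional[int]         # None = the untagged physical interface
    forward_domain: int = 0       # collision group; 0 is the default


FORWARD_DOMAIN_CONFIG: List[Interface] = [
    Interface("port1", "port1", None, 0),
    Interface("port2", "port2", None, 340),
    Interface("port3", "port3", None, 341),
    Interface("port1-340", "port1", 340, 340),
    Interface("port1-341", "port1", 341, 341),
]

# The same interfaces left at the default: all in collision group 0.
DEFAULT_CONFIG: List[Interface] = [
    Interface(i.name, i.physical, i.vlanid, 0) for i in FORWARD_DOMAIN_CONFIG
]


def ingress_interface(config: List[Interface], port: str,
                      vlan_tag: Optional[int]) -> Interface:
    """Map an arriving frame (physical port plus optional 802.1Q tag) to the
    logical interface it was received on. A tag with no subinterface is an error."""
    for iface in config:
        if iface.physical == port and iface.vlanid == vlan_tag:
            return iface
    raise ValueError(f"no interface on {port} for VLAN tag {vlan_tag}")


def flood_targets(config: List[Interface], port: str,
                  vlan_tag: Optional[int]) -> List[str]:
    """Interfaces a broadcast ARP request is flooded to: in Transparent mode
    that is every other interface in the same forward-domain collision group."""
    inbound = ingress_interface(config, port, vlan_tag)
    return sorted(i.name for i in config
                  if i.name != inbound.name
                  and i.forward_domain == inbound.forward_domain)


def egress_tags_on_port(config: List[Interface], port: str, vlan_tag: Optional[int],
                        egress_port: str) -> List[Optional[int]]:
    """VLAN tags (None = untagged) the flooded frame carries when it leaves
    egress_port. A Layer 2 switch on that port sees the frame's source MAC once
    per tag, which is the 'same MAC on several VLANs' condition described above."""
    targets = set(flood_targets(config, port, vlan_tag))
    tags = [i.vlanid for i in config
            if i.name in targets and i.physical == egress_port]
    return sorted(tags, key=lambda t: -1 if t is None else t)


def mac_flap_risk(config: List[Interface], port: str, vlan_tag: Optional[int],
                  egress_port: str) -> bool:
    """True when one source MAC would show up with more than one VLAN ID on egress_port."""
    return len(egress_tags_on_port(config, port, vlan_tag, egress_port)) > 1
```

With the default configuration an ARP request from port2 leaves port1 untagged and on VLANs 340 and 341; with the collision groups it leaves port1 on VLAN 340 only.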
global
From a super_admin profile account, use this command to configure features that apply to the
complete FortiGate unit including all virtual domains. Virtual domain configuration (vdom-admin) must
be enabled first. For more information, see system global on page 363.
Syntax
This command syntax shows how you access the commands within config global. For information on
these commands, refer to the relevant sections in this Reference. If there are multiple versions of the
same command with a 2 or 3 added, the additional commands are not listed but fall under the
unnumbered command of the same name.
config global
  config antivirus ...
  config application
  config firewall service
  config firewall ssl
  config gui console
  config ips ...
  config log fortianalyzer setting
  config log fortiguard setting
  config log memory setting
  config log memory global setting
  config log syslogd setting
  config log webtrends setting
  config spamfilter ...
  config system accprofile
  config system admin
  config system alertemail
  config system auto-install
  config system amc
  config system autoupdate clientoverride
  config system autoupdate override
  config system autoupdate push-update
  config system autoupdate schedule
  config system autoupdate tunneling
  config system bug-report
  config system central-management
  config system console
  config system dns
  config system fips-cc
  config system fortianalyzer, fortianalyzer2, fortianalyzer3
  config system fortiguard
  config system fortiguard-log
  config system global
  config system ha
  config system interface
  config system management-tunnel
  config system npu
  config system ntp
  config system replacemsg admin
  config system replacemsg alertmail
  config system replacemsg auth
  config system replacemsg ec
  config system replacemsg fortiguard-wf
  config system replacemsg ftp
  config system replacemsg http
  config system replacemsg im
  config system replacemsg mail
  config system replacemsg nac-quar
  config system replacemsg nntp
  config system replacemsg spam
  config system replacemsg sslvpn
  config system session-helper
  config system session-sync
  config system snmp community
  config system snmp sysinfo
  config system switch-interface
  config system tos-based-priority
  config system vdom-link
  config system vdom-property
  config vpn certificate ca
  config vpn certificate crl
  config vpn certificate local
  config vpn certificate remote
  config webfilter fortiguard
  execute backup
  execute batch
  execute central-mgmt
  execute cfg reload
  execute cfg save
  execute cli check-template-status
  execute cli status-msg-only
  execute date
  execute disconnect-admin-session
  execute enter
  execute factoryreset
  execute formatlogdisk
  execute fortiguard-log update
  execute ha disconnect
  execute ha manage
  execute ha synchronize
  execute log delete-all
  execute log delete-filtered
  execute log delete-rolled
  execute log display
  execute log filter
  execute log fortianalyzer setting
  execute log list
  execute log roll
  execute reboot
  execute restore
  execute scsi-dev
  execute send-fds-statistics
  execute set-next-reboot
  execute sfp-mode-sgmii
  execute shutdown
  execute time
  execute update-ase
  execute update-av
  execute update-ips
  execute update-now
  execute usb-disk
  execute vpn certificate ...
  get firewall vip ...
end
History
FortiOS v3.0 New.
FortiOS v3.0 MR1 Added vdom-link, vpn, webfilter, execute backup, batch, dhcp lease-client, dhcp lease-
list, fsae refresh, restore, telnet, and traceroute.
FortiOS v3.0 MR5 Added config firewall service, gui console, system console, system fortiguard, system
replacemsg admin/alertemail/auth/nntp, vpn certificate crl/local/remote, execute
central-mgmt, execute cfg ..., execute update-ips, and execute update-now.
FortiOS v3.0 MR6 Added config system session-sync, expanded command to vpn certificate ....
Removed vpn sslvpn.
FortiOS v4.0 Added application, system replacemsg ec, system replacemsg nac-quar, system vdom-property,
execute scsi-dev, execute sfp-mode-sgmii, execute send-fds-statistics, execute update-ase.
Related topics
vdom
vdom
From the super admin account, use this command to add and configure virtual domains. The number
of virtual domains you can add is dependent on the FortiGate model. Virtual domain configuration
(vdom-admin) must be enabled. See system global on page 363.
Once you add a virtual domain you can configure it by adding zones, firewall policies, routing settings,
and VPN settings. You can also move physical interfaces from the root virtual domain to other virtual
domains and move VLAN subinterfaces from one virtual domain to another.
By default all physical interfaces are in the root virtual domain. You cannot remove an interface from a
virtual domain if the interface is part of any of the following configurations:
routing
proxy arp
DHCP server
zone
firewall policy
IP pool
redundant pair
link aggregate (802.3ad) group
Delete these objects, or modify them, to be able to remove the interface.
Syntax
This command syntax shows how you access the commands within a VDOM. Refer to the relevant
sections in this Reference for information on these commands.
config vdom
  edit <vdom_name>
    config antivirus
    config application
    config dlp
    config endpoint-control
    config firewall address, address6
    config firewall addrgrp, addrgrp6
    config firewall dnstranslation
    config firewall interface-policy
    config firewall interface-policy6
    config firewall ipmacbinding setting
    config firewall ipmacbinding table
    config firewall ippool
    config firewall ldb-monitor
    config firewall multicast-policy
    config firewall policy, policy6
    config firewall profile
    config firewall schedule onetime
    config firewall schedule recurring
    config firewall service custom
    config firewall service group
    config firewall traffic-shaper
    config firewall vip
    config firewall vipgrp
    config imp2p
    config ips
    config log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
    config router
    config spamfilter
    config system admin
    config system arp-table
    config system dhcp reserved-address
    config system dhcp server
    config system gre-tunnel
    config system interface
    config system ipv6-tunnel
    config system modem
    config system proxy-arp
    config system session-ttl
    config system settings
    config system sit-tunnel
    config system wccp
    config system zone
    config user adgrp
    config user ban
    config user fsae
    config user group
    config user ldap
    config user local
    config user peer
    config user peergrp
    config user radius
    config user settings
    config user tacacs+
    config vpn ...
    config wanopt
    config web-proxy
    config webfilter
    execute backup
    execute clear system arp table
    execute cli check-template-status
    execute cli status-msg-only
    execute dhcp lease-list
    execute fsae refresh
    execute ha disconnect
    execute ha manage
    execute ha synchronize
    execute interface dhcpclient-renew
    execute log delete-all
    execute log delete-filtered
    execute log delete-rolled
    execute log display
    execute log filter
    execute log list
    execute log roll
    execute modem dial
    execute modem hangup
    execute modem trigger
    execute ping, ping6
    execute ping-options, ping6-options
    execute restore
    execute router clear bgp
    execute router clear ospf process
    execute router restart
    execute sfp-mode-sgmii
    execute ssh
    execute traceroute
    execute usb-disk
    execute vpn sslvpn del-tunnel
  next
  edit <another_vdom>
    config ...
    execute ...
  end
end
Note: You cannot delete the default root virtual domain, and you cannot delete a virtual domain that is
used for system management.
Example
This example shows how to add a virtual domain called Test1.
config vdom
  edit Test1
end
Variable Description Default
edit <vdom_name>
  Enter a new name to create a new VDOM. Enter an existing VDOM name to configure that VDOM.
  The VDOM you enter becomes the current VDOM.
  A VDOM cannot have the same name as a VLAN.
  A VDOM name cannot exceed 11 characters in length.
Note: The VDOM names vsys_ha and vsys_fgfm are in use by the FortiGate unit. If you attempt to
name a new VDOM vsys_ha or vsys_fgfm it will generate an error.
Note: Use config system settings set opmode {nat | transparent} to set the operation
mode for this VDOM to nat (NAT/Route) or transparent.
History
FortiOS v3.0 New.
FortiOS v3.0 MR1 Added system admin, interface, ipv6-tunnel commands.
Added batch, date, reboot, execute router clear ospf process commands.
Removed log fortianalyzer, log syslogd, log webtrends, router graceful-restart commands.
FortiOS v3.0 MR1 Added system setting multicast-forward and multicast-ttl-notchange.
FortiOS v3.0 MR5 Removed config alertemail, and execute batch.
Added config gui, system arp-table, system proxy-arp, all of system settings.
FortiOS v3.0 MR7 Removed config gui and system ipv6-tunnel.
Added system sit-tunnel.
FortiOS v4.0 Added config application, dlp, config endpoint-control, firewall interface-policy,
firewall traffic-shaper, system ipv6-tunnel, system modem, system wccp. Added execute interface,
modem dial, modem hangup, ping6-options, sfp-mode-sgmii, and ssh.
Related topics
global
alertemail
Use alertemail commands to configure the FortiGate unit to monitor logs for log messages with certain
severity levels. If such a message appears in the logs, the FortiGate unit sends an email containing the
log message to the predefined recipient(s). Alert emails provide immediate notification of issues
occurring on the FortiGate unit, such as system failures or network attacks.
By default, the alertemail commands do not appear if no SMTP server is configured. An SMTP server
is configured using the system alertemail commands. See system alertemail on page 331 for more
information.
When configuring an alert email, you must configure at least one DNS server. The FortiGate unit uses the
SMTP server name to connect to the mail server and must look up this name on your DNS server. See
dns on page 352 for more information about configuring DNS servers.
This chapter contains the following section:
setting
setting
Use this command to configure the FortiGate unit to send an alert email to up to three recipients. This
command can also be configured to send an alert email a certain number of days before the FDS license
expires and/or when the disk usage exceeds a certain threshold amount. You need to configure an SMTP
server before configuring alert email settings. See system alertemail on page 331 for more information.
Syntax
config alertemail setting
  set username <user-name-str>
  set mailto1 <email-address-str>
  set mailto2 <email-address-str>
  set mailto3 <email-address-str>
  set filter-mode {category | threshold}
  set email-interval <minutes-integer>
  set severity {alert | critical | debug | emergency | error | information |
    notification | warning}
  set emergency-interval <minutes-integer>
  set alert-interval <minutes-integer>
  set critical-interval <minutes-integer>
  set error-interval <minutes-integer>
  set warning-interval <minutes-integer>
  set notification-interval <minutes-integer>
  set information-interval <minutes-integer>
  set debug-interval <minutes-integer>
  set IPS-logs {disable | enable}
  set firewall-authentication-failure-logs {disable | enable}
  set HA-logs {enable | disable}
  set IPsec-error-logs {disable | enable}
  set FDS-update-logs {disable | enable}
  set PPP-errors-logs {disable | enable}
  set sslvpn-authentication-errors-logs {disable | enable}
  set antivirus-logs {disable | enable}
  set webfilter-logs {disable | enable}
  set configuration-changes-logs {disable | enable}
  set violation-traffic-logs {disable | enable}
  set admin-login-logs {disable | enable}
  set local-disk-usage-warning {disable | enable}
  set FDS-license-expiring-warning {disable | enable}
  set FDS-license-expiring-days <integer>
  set local-disk-usage <percentage>
  set fortiguard-log-quota-warning
end
Note: The FortiGate unit must be able to look up the SMTP server name on your DNS server because the
FortiGate unit uses the SMTP server to connect to the mail server. See system dns on page 352 for more
information.
Keywords and variables Description Default
username <user-name-str>
  Enter a valid email address in the format user@domain.com. This address appears in the
  From header of the alert email.
  Default: No default.
mailto1 <email-address-str>
  Enter an email address. This is one of the email addresses where the FortiGate unit sends
  an alert email.
  Default: No default.
mailto2 <email-address-str>
  Enter an email address. This is one of the email addresses where the FortiGate unit sends
  an alert email.
  Default: No default.
mailto3 <email-address-str>
  Enter an email address. This is one of the email addresses where the FortiGate unit sends
  an alert email.
  Default: No default.
filter-mode {category | threshold}
  Set the filter mode of the alert email. The following keywords only display when threshold
  is entered: emergency-interval, alert-interval, critical-interval, error-interval,
  warning-interval, notification-interval, information-interval, debug-interval.
  Default: category
email-interval <minutes-integer>
  Enter the number of minutes the FortiGate unit should wait before sending out an alert
  email. This is not available when filter-mode threshold is enabled.
  Default: 5
emergency-interval <minutes-integer>
  Enter the number of minutes the FortiGate unit should wait before sending out an alert
  email for emergency level messages. Only available when filter-mode threshold is entered.
  Default: 1
alert-interval <minutes-integer>
  Enter the number of minutes the FortiGate unit should wait before sending out an alert
  email for alert level messages. Only available when filter-mode threshold is entered.
  Default: 2
critical-interval <minutes-integer>
  Enter the number of minutes the FortiGate unit should wait before sending out an alert
  email for critical level messages. Only available when filter-mode threshold is entered.
  Default: 3
error-interval <minutes-integer>
  Enter the number of minutes the FortiGate unit should wait before sending out an alert
  email for error level messages. Only available when filter-mode threshold is entered.
  Default: 5
warning-interval <minutes-integer>
  Enter the number of minutes the FortiGate unit should wait before sending out an alert
  email for warning level messages. Only available when filter-mode threshold is entered.
  Default: 10
notification-interval <minutes-integer>
  Enter the number of minutes the FortiGate unit should wait before sending out an alert
  email for notification level messages. Only available when filter-mode threshold is entered.
  Default: 20
information-interval <minutes-integer>
  Enter the number of minutes the FortiGate unit should wait before sending out an alert
  email for information level messages. Only available when filter-mode threshold is entered.
  Default: 30
debug-interval <minutes-integer>
  Enter the number of minutes the FortiGate unit should wait before sending out an alert
  email for debug level messages. Only available when filter-mode threshold is entered.
  Default: 60
severity {alert | critical | debug | emergency | error | information | notification | warning}
  Select the logging severity level. This is only available when filter-mode threshold is
  entered. The FortiGate unit logs all messages at and above the logging severity level you
  select. For example, if you select error, the unit logs error, critical, alert, and
  emergency level messages.
    alert          Immediate action is required.
    critical       Functionality is affected.
    debug          Information used for diagnosing or debugging the FortiGate unit.
    emergency      The system is unusable.
    error          An erroneous condition exists and functionality is probably affected.
    information    General information about system operations.
    notification   Information about normal events.
    warning        Functionality might be affected.
  Default: alert
IPS-logs {disable | enable}
  Enable or disable IPS logs.
  Default: disable
firewall-authentication-failure-logs {disable | enable}
  Enable or disable firewall authentication failure logs.
  Default: disable
HA-logs {enable | disable}
  Enable or disable high availability (HA) logs.
  Default: disable
IPsec-error-logs {disable | enable}
  Enable or disable IPsec error logs.
  Default: disable
FDS-update-logs {disable | enable}
  Enable or disable FDS update logs.
  Default: disable
PPP-errors-logs {disable | enable}
  Enable or disable PPP error logs.
  Default: disable
sslvpn-authentication-errors-logs {disable | enable}
  Enable or disable SSL VPN authentication error logs.
  Default: disable
antivirus-logs {disable | enable}
  Enable or disable antivirus logs.
  Default: disable
webfilter-logs {disable | enable}
  Enable or disable web filter logs.
  Default: disable
configuration-changes-logs {disable | enable}
  Enable or disable configuration changes logs.
  Default: disable
violation-traffic-logs {disable | enable}
  Enable or disable traffic violation logs.
  Default: disable
admin-login-logs {disable | enable}
  Enable or disable admin login logs.
  Default: disable
local-disk-usage-warning {disable | enable}
  Enable or disable the local disk usage warning. The warning threshold is a percentage set
  with local-disk-usage: for example, enter 15 for a warning when local disk usage is at
  15 percent. The number cannot be 0 or 100.
  Default: disable
FDS-license-expiring-warning {disable | enable}
  Enable or disable an email notification of the expiry date of the FDS license.
  Default: disable
FDS-license-expiring-days <integer>
  Enter the number of days before the FDS license expires at which to be notified by email.
  For example, if you want notification five days in advance, enter 5.
  Default: 15
local-disk-usage <percentage>
  Enter the percentage of local disk usage above which an alert email is sent.
  Default: 75
fortiguard-log-quota-warning
  Enter to receive an alert email when the FortiGuard Log & Analysis server reaches its quota.
  Default: disable
Examples
This example shows how to configure the user name, add three email addresses to send alerts to, and
which log messages, such as HA and antivirus, the emails will contain.
config alertemail setting
  set username fortigate@ourcompany.com
  set mailto1 admin1@ourcompany.com
  set mailto2 admin2@ourcompany.com
  set mailto3 admin3@ourcompany.com
  set filter-mode category
  set HA-logs enable
  set FDS-update-logs enable
  set antivirus-logs enable
  set webfilter-logs enable
  set admin-login-logs enable
  set violation-traffic-logs enable
end
History
FortiOS v2.80 Substantially revised and expanded.
FortiOS v3.0 Moved authentication, server and password to config system alertemail.
FortiOS v3.0 MR2 New keywords added for: IPS-logs, firewall-authentication-failure-logs, HA-logs,
IPSec-errors-logs, FDS-update-logs, PPP-errors-logs, sslvpn-authentication-errors-logs, antivirus-logs,
webfilter-logs, configuration-changes-logs, violation-traffic-logs, admin-login-logs,
FDS-license-expiring-warning, local-disk-usage-warning, FDS-license-expiring-days, local-disk-usage.
FortiOS v3.0 MR4 Added fortiguard-log-quota-warning keyword.
Related topics
system alertemail
system dns
setting alertemail
FortiGate Version 4.0 CLI Reference
70 01-400-93051-20090415
http://docs.fortinet.com/ Feedback
antivirus

Use antivirus commands to configure antivirus scanning for services, quarantine options, and to enable or
disable grayware and heuristic scanning.

This chapter contains the following sections:

filepattern
grayware
heuristic
quarantine
quarfilepattern
service
filepattern

Use this command to add, edit or delete the file patterns used for virus blocking and to set which protocols
to check for files to block.

If a configuration value must contain a question mark (?), press CTRL-V before typing it. Without CTRL-V,
the question mark has a different meaning in the CLI: it lists the available command options at that point.

For example, if you enter ? without CTRL-V:

    edit "*.xe
    token line: Unmatched double quote.

If you enter ? with CTRL-V:

    edit "*.xe?"
    new entry '*.xe?' added

Syntax

    config antivirus filepattern
        edit <filepattern_list_integer>
            set name <filepattern_list>
            set comment <filepattern_list_comment>
            config entries
                edit <filepattern_string>
                    set action {allow | block}
                    set active {ftp http im imap nntp pop3 smtp}
                    set file-type {unknown | ignored | activemime | arj | aspack | base64
                        | bat | binhex | bzip | bzip2 | cab | jad | elf | exe | fsg | gzip
                        | hlp | hta | html | javascript | lzh | msc | msoffice | mime |
                        petite | prc | rar | class | sis | tar | upx | uue | cod | zip}
                    set filter-type {pattern | type}
            end
    end

Keywords and variables

<filepattern_list_integer>
    A unique number to identify the file pattern list.

<filepattern_list>
    The name of the file pattern list.

<filepattern_list_comment>
    The comment attached to the file pattern list.

<filepattern_string>
    The name of the file pattern being configured. This can be any character string.

action {allow | block}
    The action taken when a matching file is transferred over one of the protocols
    selected with active.
    Select allow to have the FortiGate unit allow matching files.
    Select block to have the FortiGate unit block matching files.
    Default: block

active {ftp http im imap nntp pop3 smtp}
    The protocols in which the action is applied to the file pattern.
    Default: varies.

file-type {unknown | ignored | activemime | arj | aspack | base64 | bat | binhex | bzip |
bzip2 | cab | jad | elf | exe | fsg | gzip | hlp | hta | html | javascript | lzh | msc |
msoffice | mime | petite | prc | rar | class | sis | tar | upx | uue | cod | zip}
    This keyword is only available and valid when filter-type is set to type.
    Select the type of file the file filter searches for. Unlike the file pattern filter,
    the file type filter examines the file contents to determine what type of file it is;
    the file name and file extension are ignored. Renaming a file so that it appears to be
    of a different type therefore does not get it past the FortiGate unit undetected.
    Two of the available options are not file types:
    Select unknown to configure a rule affecting every file format the file type filter
    does not recognize, that is, every format not listed in the file-type keyword.
    Select ignored to configure a rule affecting traffic the FortiGate unit typically
    does not scan, primarily streaming audio and video.
    Default: unknown

filter-type {pattern | type}
    Select the file filter detection method.
    Enter pattern to examine files only by their names. For example, if filter-type is
    pattern and the pattern is *.zip, every file whose name ends in .zip triggers the
    filter, even files ending in .zip that are not actually ZIP archives.
    Enter type to examine files only by their contents. Using the same example, if
    filter-type is type and the type is zip, every ZIP archive triggers the filter,
    even archives renamed with a non-zip file extension.
    Default: pattern

History

FortiOS v2.80    Substantially revised.
FortiOS v3.0     Added IM. Added multiple-list capability for models 800 and above.
FortiOS v4.0     Updated file-type options. The file-type option is now available on all
                 FortiGate models.

Related topics

antivirus heuristic
antivirus grayware
antivirus quarantine
antivirus quarfilepattern
antivirus service
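The pattern-versus-type distinction above is the security-relevant point of this command: a name-based rule is defeated by renaming, a content-based rule is not. The following Python is an added example written for this page, not FortiGate code, that models both detection methods on constructed sample files. The magic-byte table, the Entry class and apply_filter are assumptions of the example (well-known public signatures, not the FortiGate engine's logic); it shows a real ZIP archive renamed to .txt slipping past a *.zip pattern rule while still being caught by a zip type rule.

```python
import fnmatch
import io
import zipfile
from dataclasses import dataclass
from typing import Iterable

# Leading-byte signatures for a handful of the file-type values the filter
# accepts. These are well-known public signatures chosen for the example;
# the real engine's detection logic is not documented on this page.
MAGIC = {
    "zip": b"PK\x03\x04",
    "gzip": b"\x1f\x8b",
    "bzip2": b"BZh",
    "rar": b"Rar!\x1a\x07",
    "elf": b"\x7fELF",
    "exe": b"MZ",
}


def detect_type(data: bytes) -> str:
    """Content-based detection: match the first bytes against MAGIC.

    Anything without a known signature lands in 'unknown', the same bucket
    the file-type filter uses for formats it does not recognize.
    """
    for name, signature in MAGIC.items():
        if data.startswith(signature):
            return name
    return "unknown"


@dataclass(frozen=True)
class Entry:
    """One entry of a file pattern list (hypothetical model of the CLI table)."""
    filter_type: str  # "pattern" (match on name) or "type" (match on content)
    value: str        # glob such as "*.zip", or a file-type name such as "zip"
    action: str       # "allow" or "block"


def apply_filter(entries: Iterable[Entry], filename: str, data: bytes) -> str:
    """Return the action of the first entry that matches, else 'allow'.

    Pattern entries look only at the name; type entries look only at the
    bytes, so the file name and extension are irrelevant to them.
    """
    for entry in entries:
        if entry.filter_type == "pattern":
            if fnmatch.fnmatchcase(filename.lower(), entry.value.lower()):
                return entry.action
        elif entry.filter_type == "type":
            if detect_type(data) == entry.value:
                return entry.action
    return "allow"


def make_zip(member_text: str = "constructed sample") -> bytes:
    """Build a small real ZIP archive in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("payload.txt", member_text)
    return buf.getvalue()


# Two single-entry lists that both intend to block ZIP archives.
PATTERN_LIST = [Entry("pattern", "*.zip", "block")]
TYPE_LIST = [Entry("type", "zip", "block")]


if __name__ == "__main__":
    archive = make_zip()
    text = b"just a text file"
    cases = [
        ("report.zip", archive),   # archive with its real extension
        ("report.txt", archive),   # same archive renamed to evade *.zip
        ("notes.zip", text),       # text file with a misleading .zip name
    ]
    for name, data in cases:
        print(f"{name:12} pattern={apply_filter(PATTERN_LIST, name, data):5} "
              f"type={apply_filter(TYPE_LIST, name, data)}")
```

Running the script shows the asymmetry: the renamed archive is allowed by the pattern list and blocked by the type list, while the text file called notes.zip is blocked by the pattern list and allowed by the type list. When the goal is to keep a format out rather than a name, filter-type type is the setting to use.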
grayware

Use this command to enable or disable grayware scanning for the specified category.

Grayware programs are unsolicited commercial software programs that get installed on computers, often
without the user's consent or knowledge. Grayware programs are generally considered an annoyance, but
they can cause system performance problems or be used for malicious purposes.

The FortiGate unit scans for known grayware executable programs in each enabled category. The
category list and contents are added or updated whenever the FortiGate unit receives a virus update
package. New categories may be added at any time and are loaded with virus updates. By default, all new
categories are disabled.

Grayware scanning is enabled in a protection profile when Virus Scan is enabled.

Note: The FortiGate CLI is case sensitive and the first letter of all grayware category names is uppercase.

Syntax

    config antivirus grayware <category_name_str>
        set status {enable | disable}
    end

Keywords and variables

<category_name_str>
    The grayware category being configured. The categories are:

    Adware
        Adware is usually embedded in freeware programs and causes ads to pop up whenever the
        program is opened or used.
    BHO
        BHOs (Browser Helper Objects) are DLL files that are often installed as part of a software
        package so the software can control the behavior of Internet Explorer 4.x and higher. Not all
        BHOs are malicious, but the potential exists to track surfing habits and gather other
        information.
    Dial
        Dialers allow others to use the PC modem to call premium numbers or make long distance
        calls.
    Download
        Download components are usually run at Windows startup and are designed to install or
        download other software, especially advertising and dial software.
    Game
        Games are usually joke or nuisance games that may be blocked from network users.
    HackerTool
    Hijacker
        Browser hijacking occurs when a spyware type program changes web browser settings,
        including favorites or bookmarks, start pages, and menu options.
    Joke
        Joke programs can include custom cursors and programs that appear to affect the system.
    Keylog
        Keylogger programs can record every keystroke made on a keyboard including passwords,
        chat, and instant messages.
    Misc
        The miscellaneous grayware category.
    NMT
        Network management tools can be installed and used maliciously to change settings and
        disrupt network security.
    P2P
        P2P, while a legitimate protocol, is synonymous with file sharing programs that are used to
        swap music, movies, and other files, often illegally.
    Plugin
        Browser plugins can often be harmless Internet browsing tools that are installed and operate
        directly from the browser window. Some toolbars and plugins can attempt to control or record
        and send browsing preferences.
    RAT
        Remote administration tools allow outside users to remotely change and monitor a computer
        on a network.
    Spy
        Spyware, like adware, is often included with freeware. Spyware is a tracking and analysis
        program that can report a user's activities, such as web browsing habits, to the advertiser's
        web site where they may be recorded and analyzed.
    Toolbar
        While some toolbars are harmless, spyware developers can use these toolbars to monitor
        web habits and send information back to the developer.

status {enable | disable}
    Enable or disable grayware scanning for the specified category.
    Default: disable

Example

This example shows how to enable grayware scanning for Adware programs.

    config antivirus grayware Adware
        set status enable
    end

History

FortiOS v2.80    New.

Related topics

antivirus filepattern
antivirus heuristic
antivirus quarantine
antivirus quarfilepattern
antivirus service
system autoupdate schedule
execute update-av
heuristic

Use this command to configure heuristic scanning for viruses in binary files.

Syntax

    config antivirus heuristic
        set mode {pass | block | disable}
    end

Keywords and variables

mode {pass | block | disable}
    Enter pass to enable heuristic scanning but pass detected files to the recipient.
    Suspicious files are quarantined if quarantine is enabled.
    Enter block to enable heuristic scanning and block detected files. A replacement
    message is forwarded to the recipient. Blocked files are quarantined if quarantine
    is enabled.
    Enter disable to disable heuristic scanning.
    Default: disable

Example

This example enables heuristic scanning in pass mode: suspicious files are detected, and
quarantined if quarantine is enabled, but are still delivered to the recipient.

    config antivirus heuristic
        set mode pass
    end

History

FortiOS v2.80       New.
FortiOS v3.0 MR7    The default value changed to disable.

Related topics

antivirus filepattern
antivirus quarantine
antivirus quarfilepattern
antivirus service
quarantine

Use this command to set file quarantine options.

FortiGate units with a local disk can quarantine blocked and infected files. The quarantined files are
removed from the content stream and stored on the FortiGate local disk. Users receive a message
informing them that the removed files have been quarantined.

FortiGate units that do not have a local disk can quarantine blocked and infected files to a FortiAnalyzer
unit.

The quarantined files list shows the file name and status information for each quarantined file. From it
you can submit specific files to Fortinet for analysis, and you can add file patterns to the autoupload list
so that matching files are uploaded automatically.

Syntax

    config antivirus quarantine
        set agelimit <hours_integer>
        set drop-blocked {ftp http imap nntp pop3 smtp}
        set drop-heuristic {ftp http im imap nntp pop3 smtp}
        set drop-infected {ftp http im imap nntp pop3 smtp}
        set lowspace {drop-new | ovrw-old}
        set maxfilesize <MB_integer>
        set quar-to-fortianalyzer {enable | disable}
        set store-blocked {ftp http imap nntp pop3 smtp}
        set store-heuristic {ftp http im imap nntp pop3 smtp}
        set store-infected {ftp http im imap nntp pop3 smtp}
    end

Keywords and variables

agelimit <hours_integer>
    Specify how long files are kept in quarantine, to a maximum of 479 hours. The age limit
    is used to calculate the value in the TTL column of the quarantined files list. When the
    limit is reached the TTL column displays EXP and the file is deleted, although a record
    is kept in the quarantined files list. An age limit of 0 (zero) means files are stored
    on disk indefinitely, subject to the low disk space action.
    Default: 0

drop-blocked {ftp http imap nntp pop3 smtp}
    Do not quarantine blocked files found in traffic for the specified protocols. The files
    are deleted.
    Default: imap nntp

drop-heuristic {ftp http im imap nntp pop3 smtp}
    Do not quarantine files found by heuristic scanning in traffic for the specified
    protocols.
    NNTP support for this keyword will be added in the future.
    Default: http im imap nntp pop3 smtp

drop-infected {ftp http im imap nntp pop3 smtp}
    Do not quarantine virus infected files found in traffic for the specified protocols.
    NNTP support for this keyword will be added in the future.
    Default: im imap nntp

lowspace {drop-new | ovrw-old}
    Select the method for handling additional files when the FortiGate hard disk is running
    out of space.
    Enter ovrw-old to drop the oldest file (lowest TTL), or drop-new to drop new quarantine
    files.
    Default: ovrw-old

maxfilesize <MB_integer>
    Specify, in MB, the maximum file size to quarantine. The FortiGate unit keeps any
    existing quarantined files over the limit but does not quarantine new files larger than
    this value, so no copy of such a file is retained for later analysis. The range is
    0-499 MB. Enter 0 for unlimited file size.
    Default: 0

quar-to-fortianalyzer {enable | disable}
    For FortiGate units that do not have a local disk, send infected files to a
    FortiAnalyzer unit.
    This keyword appears only if the FortiGate unit is configured to use a FortiAnalyzer
    unit.
    Default: disable

store-blocked {ftp http imap nntp pop3 smtp}
    Quarantine blocked files found in traffic for the specified protocols.
    NNTP support for this keyword will be added in the future.
    No default.

store-heuristic {ftp http im imap nntp pop3 smtp}
    Quarantine files found by heuristic scanning in traffic for the specified protocols.
    NNTP support for this keyword will be added in the future.
    No default.

store-infected {ftp http im imap nntp pop3 smtp}
    Quarantine virus infected files found in traffic for the specified protocols.
    NNTP support for this keyword will be added in the future.
    No default.

Example

This example sets the quarantine age limit to 100 hours, does not quarantine blocked or
heuristic-tagged files from SMTP and POP3 traffic, drops new files when the disk is full,
limits quarantined files to 2 MB, quarantines blocked files from IMAP traffic, and
quarantines heuristic-tagged files from IMAP, HTTP and FTP traffic.

    config antivirus quarantine
        set agelimit 100
        set drop-blocked smtp pop3
        set drop-heuristic smtp pop3
        set lowspace drop-new
        set maxfilesize 2
        set store-blocked imap
        set store-heuristic imap http ftp
    end

History

FortiOS v2.80        Substantially revised.
FortiOS v2.80 MR2    The enable_auto_upload keyword was changed to enable-auto-submit.
FortiOS v3.0         Added IM and NNTP options.
FortiOS v3.0 MR5     Removed set enable-auto-submit, set sel-status, set use-fpat,
                     set use-status.

Related topics

antivirus filepattern
antivirus heuristic
antivirus quarfilepattern
antivirus service
quarfilepattern

Use this command to configure the file patterns used by automatic file uploading. This command is only
available on FortiGate units with a hard drive.

Configure the FortiGate unit to upload suspicious files automatically to Fortinet for analysis. Add file
patterns to be uploaded to the autoupload list using the * wildcard character. File patterns are applied for
autoupload regardless of file blocking settings.

You can also upload files to Fortinet based on status (blocked or heuristics) or submit individual files
directly from the quarantined files list. For more information, see antivirus quarantine.

Syntax

    config antivirus quarfilepattern
        edit <pattern_str>
            set status {enable | disable}
    end

Keywords and variables

<pattern_str>
    The file pattern to be quarantined.

status {enable | disable}
    Enable or disable using a file pattern.
    Default: disable

Example

Use the following commands to enable automatic upload of *.bat files.

    config antivirus quarfilepattern
        edit *.bat
            set status enable
    end

History

FortiOS v2.80    New.

Related topics

antivirus filepattern
antivirus heuristic
antivirus quarantine
antivirus service
service

Use this command to configure how the FortiGate unit handles antivirus scanning of large files in HTTP,
HTTPS, FTP, POP3, IMAP, and SMTP traffic and which ports the FortiGate unit scans for these services.
For HTTPS, you can only configure the ports.

Syntax

    config antivirus service <service_str>
        set block-page-status-code <integer>
        set port <port_integer>
        set scan-bzip2 {enable | disable}
        set uncompnestlimit <depth_integer>
        set uncompsizelimit <MB_integer>
    end

How file size limits work

The uncompsizelimit applies to the uncompressed size of the file. If other files are included within the file,
the uncompressed size of each one is checked separately against the uncompsizelimit value. If any one of
the uncompressed files is larger than the limit, the file is passed without scanning. The total size of all
uncompressed files within the original file may, however, exceed uncompsizelimit without triggering this,
because the limit is applied per file and not to the sum.

Keywords and variables

<service_str>
    The service being configured: HTTP, HTTPS, FTP, IM, IMAP, NNTP, POP3, SMTP.

block-page-status-code <integer>
    Set the HTTP status code returned with HTTP replacement pages.
    This keyword is only for the HTTP service.
    Default: 200

port <port_integer>
    Configure antivirus scanning on a nonstandard port number or multiple port numbers
    for the service. Use ports from the range 1-65535. Add up to 20 ports.
    Default: HTTP 80, HTTPS 443, FTP 21, IMAP 143, NNTP 119, POP3 110, SMTP 25

scan-bzip2 {enable | disable}
    Enable to allow the antivirus engine to scan the contents of bzip2 compressed files.
    Requires antivirus engine 1.90 for full functionality. Bzip2 scanning is extremely CPU
    intensive. Unless this feature is required, leave scan-bzip2 disabled.
    Default: disable

uncompnestlimit <depth_integer>
    Set the maximum depth of nested archives (archives within archives) that the AV
    engine will scan. The limit is from 2 to 100. The supported compression formats are
    arj, bzip2, cab, gzip, lha, lzh, msc, rar, tar, and zip. Bzip2 support is disabled by
    default.
    Default: 12

uncompsizelimit <MB_integer>
    Set the maximum uncompressed file size that can be buffered to memory for virus
    scanning. Enter a value in megabytes between 1 and the maximum oversize threshold.
    Enter ? to display the range for your FortiGate unit. Enter 0 for no limit (not
    recommended).
    Default: 10 (MB)

Note: If an archive is nested more deeply than uncompnestlimit, or a file's uncompressed size is larger
than uncompsizelimit, the file passes through without being virus scanned. Neither limit blocks the file;
they bound the engine's memory and CPU use, so content built to exceed them is delivered unscanned.

Example

This example sets the maximum uncompressed file size that can be buffered to memory for scanning to
15 MB, and enables antivirus scanning on ports 70, 80, and 443 for HTTP traffic.

    config antivirus service http
        set uncompsizelimit 15
        set port 70
        set port 80
        set port 443
    end

History

FortiOS v2.80        Substantially revised.
FortiOS v2.80 MR6    Removed diskfilesizelimit keyword.
FortiOS v2.80 MR7    Added uncompsizelimit keyword.
FortiOS v3.0         Combined all services into one section. Added IM. Added scan_bzip2.
                     Removed client comforting and file size limit commands.
FortiOS v3.0 MR3     Added support for HTTPS. But only ports can be configured.
FortiOS v3.0 MR7     Added return code selection for HTTP replacement pages.

Related topics

antivirus filepattern
antivirus heuristic
antivirus quarantine
antivirus quarfilepattern
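The note above is the point a practitioner should take from uncompnestlimit and uncompsizelimit: when a limit trips, the file is passed, not blocked. The following Python is an added example written for this page, not FortiGate code, that models that behaviour. It builds nested ZIP archives in memory and scans them with a per-member uncompressed size check and a nesting depth check, returning a distinct "passed-unscanned" verdict when either limit is exceeded. The scan function, the verdict names and the MARKER byte string (a constructed stand-in for a signature, deliberately not a real test-virus string) are assumptions of the example, as are the default values, which copy the page's 12 levels and 10 MB.

```python
import io
import zipfile

# Constructed stand-in for a malware signature. Not a real test-virus string.
MARKER = b"CONSTRUCTED-MALWARE-MARKER"

CLEAN = "clean"
INFECTED = "infected"
PASSED_UNSCANNED = "passed-unscanned"


def nest_zip(payload: bytes, depth: int) -> bytes:
    """Wrap payload in `depth` nested ZIP archives (constructed test input)."""
    data = payload
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
            archive.writestr(f"level{level}.bin", data)
        data = buf.getvalue()
    return data


def scan(data: bytes, nest_limit: int = 12, size_limit: int = 10 * 1024 * 1024,
         depth: int = 1) -> str:
    """Scan `data`, descending into ZIP members subject to the two limits.

    nest_limit mirrors uncompnestlimit: the outermost archive is depth 1, and
    an archive nested deeper than nest_limit is not opened.
    size_limit mirrors uncompsizelimit, here in bytes: each member's
    uncompressed size is checked on its own, and 0 means no limit.
    When either limit trips the verdict is PASSED_UNSCANNED, meaning the
    content goes through with no malware check at all.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Leaf content: the only place a signature match is attempted.
        return INFECTED if MARKER in data else CLEAN
    if depth > nest_limit:
        return PASSED_UNSCANNED
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if size_limit and info.file_size > size_limit:
                return PASSED_UNSCANNED
            verdict = scan(archive.read(info), nest_limit, size_limit, depth + 1)
            if verdict != CLEAN:
                return verdict
    return CLEAN


if __name__ == "__main__":
    cases = [
        ("12 levels, nest limit 12", nest_zip(MARKER, 12), {"nest_limit": 12}),
        ("13 levels, nest limit 12", nest_zip(MARKER, 13), {"nest_limit": 12}),
        ("2 MiB member, 1 MiB size limit",
         nest_zip(b"\0" * (2 << 20), 1), {"size_limit": 1 << 20}),
        ("2 MiB member, no size limit",
         nest_zip(b"\0" * (2 << 20), 1), {"size_limit": 0}),
    ]
    for label, sample, kwargs in cases:
        print(f"{label:32} -> {scan(sample, **kwargs)}")
```

The two evasion shapes the note describes appear directly: the thirteenth nesting level is never opened, and a member whose uncompressed size exceeds the limit is returned as passed-unscanned while the archive around it is otherwise small. Alerting on the passed-unscanned outcome, rather than treating it as clean, is what keeps these limits from silently becoming a bypass.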
application

Use these commands to configure application control.

Application control is a UTM feature that allows your FortiGate unit to detect and take action against
network traffic depending on the application generating the traffic. Based on FortiGate Intrusion Protection
protocol decoders, application control is a more user-friendly and powerful way to use Intrusion Protection
features to log and manage the behavior of application traffic passing through the FortiGate unit.

Application control uses IPS protocol decoders that analyze network traffic to detect application traffic
even if the traffic uses non-standard ports or protocols.

The FortiGate unit can recognize the network traffic generated by more than 70 applications. You can
create application control lists that specify what action will be taken with the traffic of the applications you
need to manage. Specify the application control list in the protection profile applied to the network traffic
you need to monitor. You can create multiple application control lists, each tailored to a particular
network, for example.

This chapter contains the following sections:

list
name
list

Use this command to create application control lists and configure the application options.

Syntax

    config application list
        edit <app_list_str>
            config entries
                edit <id_integer>
                    set action {block | pass}
                    set application {<app_int> | All}
                    set block-ack {enable | disable}
                    set block-audio {enable | disable}
                    set block-bye {enable | disable}
                    set block-cancel {enable | disable}
                    set block-encrypt {enable | disable}
                    set block-file {enable | disable}
                    set block-im {enable | disable}
                    set block-info {enable | disable}
                    set block-invite {enable | disable}
                    set block-long-chat {enable | disable}
                    set block-long-lines {enable | disable}
                    set block-mcast {enable | disable}
                    set block-message {enable | disable}
                    set block-notify {enable | disable}
                    set block-options {enable | disable}
                    set block-photo {enable | disable}
                    set block-prack {enable | disable}
                    set block-publish {enable | disable}
                    set block-refer {enable | disable}
                    set block-register {enable | disable}
                    set block-subscribe {enable | disable}
                    set block-unknown {enable | disable}
                    set block-update {enable | disable}
                    set call-keepalive <minutes_int>
                    set category {<cat_int> | All}
                    set comment <comment_string>
                    set im-no-content-summary {enable | disable}
                    set imoversizechat <bytes_int>
                    set inspect-anyport {enable | disable}
                    set invite-rate <rate_int>
                    set log {enable | disable}
                    set max-calls <calls_int>
                    set max-dialogs <calls_int>
                    set max-line-length <length_int>
                    set message-rate <rate_int>
                    set other-application-action {block | pass}
                    set other-application-log {enable | disable}
                    set reg-diff-port {enable | disable}
                    set register-rate <rate_int>
                    set rtp {enable | disable}
                    set sccp-archive-full {enable | disable}
                    set sccp-archive-summary {enable | disable}
                    set sccp-log-violations {enable | disable}
                    set sccp-no-content-summary {enable | disable}
                    set session-ttl <ttl_int>
                    set shaper <profile_str>
                    set shaper-reverse
                    set simple-archive-full {enable | disable}
                    set simple-archive-summary {enable | disable}
                    set sip-archive-full {enable | disable}
                    set sip-archive-summary {enable | disable}
                    set sip-log-violations {enable | disable}
                    set strict-register {enable | disable}
                    set verify-header {enable | disable}
                end
            end
            set comment <comment_string>
            set other-application-action {block | pass}
            set other-application-log {enable | disable}
    end
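Several of the SIP options in this syntax (block-long-lines together with max-line-length, block-unknown, the per-method block-* keywords such as block-register, and invite-rate) describe checks made on each SIP request. The following Python is an added example written for this page, not FortiGate code, that models those checks over constructed SIP messages. The SipEntryPolicy class, the sip_request builder, the set of recognized methods and the one-second sliding window used for invite-rate are assumptions of the example, not a description of how the unit implements them; the default line length of 998 and the "enable" defaults for block-long-lines and block-unknown are taken from this section.

```python
from collections import deque
from typing import Deque, FrozenSet

# Request methods the example recognizes. Anything else counts as unknown.
KNOWN_METHODS = frozenset({
    "INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER", "INFO", "PRACK",
    "UPDATE", "NOTIFY", "SUBSCRIBE", "PUBLISH", "REFER", "MESSAGE",
})


class SipEntryPolicy:
    """Hypothetical model of one SIP application-control entry."""

    def __init__(self, max_line_length: int = 998, block_long_lines: bool = True,
                 block_unknown: bool = True,
                 blocked_methods: FrozenSet[str] = frozenset(),
                 invite_rate: int = 0) -> None:
        self.max_line_length = max_line_length
        self.block_long_lines = block_long_lines
        self.block_unknown = block_unknown
        self.blocked_methods = blocked_methods
        self.invite_rate = invite_rate          # INVITEs per second; 0 = unlimited
        self._invite_times: Deque[float] = deque()

    def check(self, message: bytes, now: float) -> str:
        """Return 'pass' or the name of the option that blocked the message.

        `now` (seconds) is supplied by the caller so the rate limit is
        deterministic in tests instead of reading the wall clock.
        """
        head = message.split(b"\r\n\r\n", 1)[0]
        lines = head.split(b"\r\n")
        # Header line length is checked first: an oversized line is rejected
        # before any parsing of it is attempted.
        if self.block_long_lines and any(len(line) > self.max_line_length
                                         for line in lines):
            return "block-long-lines"
        start_line = lines[0]
        if start_line.startswith(b"SIP/2.0 "):
            return "pass"                       # a response: no method to check
        method = start_line.split(b" ", 1)[0].decode("ascii", "replace")
        if method not in KNOWN_METHODS:
            return "block-unknown" if self.block_unknown else "pass"
        if method in self.blocked_methods:
            return "block-" + method.lower()
        if method == "INVITE" and self.invite_rate:
            # Sliding one-second window over accepted INVITE timestamps.
            while self._invite_times and now - self._invite_times[0] >= 1.0:
                self._invite_times.popleft()
            if len(self._invite_times) >= self.invite_rate:
                return "invite-rate"
            self._invite_times.append(now)
        return "pass"


def sip_request(method: str, extra_header: bytes = b"") -> bytes:
    """Build a minimal, constructed SIP request for the example."""
    return (
        f"{method} sip:bob@example.invalid SIP/2.0\r\n".encode()
        + b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
        + b"From: <sip:alice@example.invalid>;tag=1928301774\r\n"
        + b"To: <sip:bob@example.invalid>\r\n"
        + b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
        + b"CSeq: 314159 " + method.encode() + b"\r\n"
        + extra_header
        + b"Content-Length: 0\r\n\r\n"
    )


if __name__ == "__main__":
    policy = SipEntryPolicy(invite_rate=2, blocked_methods=frozenset({"REGISTER"}))
    samples = [
        ("INVITE #1", sip_request("INVITE"), 10.0),
        ("INVITE #2", sip_request("INVITE"), 10.2),
        ("INVITE #3", sip_request("INVITE"), 10.5),
        ("REGISTER", sip_request("REGISTER"), 12.0),
        ("FOO", sip_request("FOO"), 12.0),
        ("OPTIONS, 1200-byte header",
         sip_request("OPTIONS", b"X-Pad: " + b"A" * 1200 + b"\r\n"), 12.0),
    ]
    for label, message, when in samples:
        print(f"{label:28} -> {policy.check(message, now=when)}")
```

The order of the checks matters for the same reason it matters on the unit: the line-length test runs before the method is parsed, so block-long-lines protects the parser itself, while block-unknown, the per-method blocks and invite-rate only apply to requests that parsed cleanly.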
Variables Description Default
<app_l i st _st r > The name of the application control list. No default.
<i d_i nt eger > Enter the unique ID of the list entry you want to edit, or enter an
unused ID to create a new one.
act i on {bl ock | pass} Enter the action the FortiGate unit will take with traffic from the
application of the specified type.
bl ock will stop traffic from the specified application.
pass will allow traffic from the specified application.
bl ock
appl i cat i on {<app_i nt > |
Al l }
Enter the application integer to specify an individual application,
or enter Al l to include all applications in the currently specified
category.
Enter set appl i cat i on ? to list all application integers in the
currently configured category.
al l
bl ock- ack {enabl e |
di sabl e}
Enable to block ACK requests.
This command is available only when appl i cat i on is set to
SI P.
di sabl e
bl ock- audi o {enabl e |
di sabl e}
Enable to block audio.
This command is available only when appl i cat i on is set to
AI M, I CQ, MSN, or Yahoo.
di sabl e
bl ock- bye {enabl e |
di sabl e}
Enable to block BYE requests.
This command is available only when appl i cat i on is set to
SI P.
di sabl e
bl ock- cancel {enabl e |
di sabl e}
Enable to block CANCEL requests.
This command is available only when appl i cat i on is set to
SI P.
di sabl e
bl ock- encr ypt {enabl e |
di sabl e}
Enable to block encrypted IM sessions.
This command is available only when appl i cat i on is set to
AI M, I CQ, MSN, or Yahoo.
di sabl e
bl ock- f i l e {enabl e |
di sabl e}
Enable to block IM file transfers.
This command is available only when appl i cat i on is set to
AI M, I CQ, MSN, or Yahoo.
di sabl e
bl ock- i m{enabl e |
di sabl e}
Enable to block instant messages.
This command is available only when appl i cat i on is set to
AI M, I CQ, MSN, or Yahoo.
di sabl e
list application
FortiGate Version 4.0 CLI Reference
86 01-400-93051-20090415
http://docs.fortinet.com/ Feedback
bl ock- i nf o {enabl e |
di sabl e}
Enable to block INFO requests.
This command is available only when appl i cat i on is set to
SI P.
di sabl e
bl ock- i nvi t e {enabl e |
di sabl e}
Enable to block INVITE requests.
This command is available only when appl i cat i on is set to
SI P.
di sabl e
bl ock- l ong- chat {enabl e |
di sabl e}
Enable to block oversized chat messages.
This command is available only when appl i cat i on is set to
AI M, I CQ, MSN, or Yahoo.
di sabl e
bl ock- l ong- l i nes
{enabl e | di sabl e}
Enable to block requests with headers exceeding the value set
in max- l i ne- l engt h.
This command is available only when appl i cat i on is set to
SI P.
enabl e
bl ock- mcast {enabl e |
di sabl e}
Enable to block multicast RTP connections.
This command is available only when appl i cat i on is set to
SCCP.
di sabl e
bl ock- message {enabl e |
di sabl e}
Enable to block SIMPLE instant messages.
This command is available only when appl i cat i on is set to
SI MPLE.
di sabl e
bl ock- not i f y {enabl e |
di sabl e}
Enable to block NOTIFY requests.
This command appears only when appl i cat i on is set to SI P.
di sabl e
bl ock- opt i ons {enabl e |
di sabl e}
Enable to block OPTIONS requests.
This command is available only when appl i cat i on is set to
SI P.
di sabl e
bl ock- phot o {enabl e |
di sabl e}
Enable to block IM photo sharing.
This command is available only when appl i cat i on is set to
AI M, I CQ, MSN, or Yahoo.
di sabl e
bl ock- pr ack {enabl e |
di sabl e}
Enable to block PRACK requests.
This command is available only when appl i cat i on is set to
SI P.
di sabl e
bl ock- publ i sh {enabl e |
di sabl e}
Enable to block PUBLISH requests.
This command is available only when appl i cat i on is set to
SI P.
di sabl e
bl ock- r ef er {enabl e |
di sabl e}
Enable to block REFER requests.
This command is available only when appl i cat i on is set to
SI P.
di sabl e
bl ock- r egi st er {enabl e |
di sabl e}
Enable to block REGISTER requests.
This command is available only when appl i cat i on is set to
SI P.
di sabl e
bl ock- subscr i be {enabl e |
di sabl e}
Enable to block SUBSCRIBE requests.
This command is available only when appl i cat i on is set to
SI P.
di sabl e
bl ock- unknown {enabl e |
di sabl e}
Enable to block unrecognized SIP requests.
This command is available only when appl i cat i on is set to
SI P.
enabl e
bl ock- updat e {enabl e |
di sabl e}
Enable to block UPDATE requests.
This command is available only when appl i cat i on is set to
SI P.
di sabl e
cal l - keepal i ve
<mi nut es_i nt >
Enter the number of minutes the FortiGate unit will continue
tracking calls with no RTP.
This command is available only when appl i cat i on is set to
SI P.
0
Variables Description Default
application list
FortiGate Version 4.0 CLI Reference
01-400-93051-20090415 87
http://docs.fortinet.com/ Feedback
category {<cat_int> | All}
    Enter the category integer to specify an application category, or enter All to include all categories.
    Set a specific category to limit the scope of the All setting of the application command. For example, setting category to im and application to All will have the list entry include all IM applications. Similarly, the applications listed with the set application ? command will be limited to the currently configured category.
    Enter set category ? to list all category integers.
    Default: all

comment <comment_string>
    Optionally, enter a descriptive comment.
    Default: No default.

im-no-content-summary {enable | disable}
    Enable to prevent display of content information on the dashboard.
    This command is available only when application is set to AIM, ICQ, MSN, or Yahoo.
    Default: disable

imoversizechat <bytes_int>
    Enter the maximum length of chat messages, in bytes. The value must be between 2048 and 65536.
    This command appears only when application is set to AIM.
    Default: 8192

inspect-anyport {enable | disable}
    Enable to inspect all ports not used by any proxy for IM traffic.
    This command is available only when application is set to AIM, ICQ, MSN, or Yahoo.
    Default: disable

invite-rate <rate_int>
    Enter the maximum number of INVITE requests per second, per policy.
    This command appears only when application is set to SIP.
    Default: 0

log {enable | disable}
    Enable to have the FortiGate unit log the occurrence and the action taken if traffic from the specified application is detected.
    Default: enable

max-calls <calls_int>
    Enter the maximum number of calls per minute per SCCP client. The value cannot exceed 65535.
    This command is available only when application is set to SCCP.
    Default: 0

max-dialogs <calls_int>
    Enter the maximum number of concurrent dialogs.
    This command appears only when application is set to SIP.
    Default: 0

max-line-length <length_int>
    Enter the maximum SIP header line length. The value must be between 78 and 4096. Enable block-long-lines to enforce this limit; without it the limit is configured but not acted on.
    This command is available only when application is set to SIP.
    Default: 998

message-rate <rate_int>
    Enter the maximum number of MESSAGE requests per second, per policy.
    This command is available only when application is set to SIMPLE.
    Default: 0

other-application-action {block | pass}
    Enter the action the FortiGate unit will take for unrecognized application traffic or supported application traffic not configured in the current application control list.
    Default: pass

other-application-log {enable | disable}
    Enter the logging action the FortiGate unit will take for unrecognized application traffic or supported application traffic not configured in the current application control list.
    Default: disable

reg-diff-port {enable | disable}
    Enable to accept the REGISTER response even if its source port is different from the destination port of the REGISTER request.
    This command is available only when application is set to SIP.
    Default: disable

register-rate <rate_int>
    Enter the maximum number of REGISTER requests per second, per policy.
    This command is available only when application is set to SIP.
    Default: 0
rtp {enable | disable}
    Enable to allow RTP traffic.
    This command is available only when application is set to SIP.
    Default: enable

sccp-archive-full {enable | disable}
    Enable to have the FortiGate unit archive the full content of calls to a FortiAnalyzer unit or the FortiGuard Analysis and Management Service.
    This command is available only when application is set to SCCP.
    Default: disable

sccp-archive-summary {enable | disable}
    Enable to archive a summary of calls.
    This command is available only when application is set to SCCP.
    Default: disable

sccp-log-violations {enable | disable}
    Enable to log SCCP violations.
    This command is available only when application is set to SCCP.
    Default: disable

sccp-no-content-summary {enable | disable}
    Enable to prevent display of content information on the dashboard.
    This command is available only when application is set to SCCP.
    Default: disable

session-ttl <ttl_int>
    Enter the application's session TTL. Enter 0 to disable this option. If this option is not enabled, the TTL defaults to the setting of the config system session-ttl CLI command.
    Default: 0

shaper <profile_str>
    Enter the name of a traffic shaping profile to enable traffic shaping. Traffic flowing from the source to the destination as specified in the firewall policy is subject to the specified traffic shaping policy.
    For information about traffic shaping profiles, see firewall traffic-shaper on page 167.
    Default: No default

shaper-reverse <profile_str>
    Enter the name of a traffic shaping profile to enable traffic shaping. Traffic flowing from the destination to the source as specified in the firewall policy is subject to the specified traffic shaping policy.
    For information about traffic shaping profiles, see firewall traffic-shaper on page 167.
    Default: No default

simple-archive-full {enable | disable}
    Enable to archive the full contents of instant messages to a FortiAnalyzer unit or the FortiGuard Analysis and Management Service.
    This command is available only when application is set to SIMPLE.
    Default: disable

simple-archive-summary {enable | disable}
    Enable to archive a summary of chat messages.
    This command is available only when application is set to SIMPLE.
    Default: disable

sip-archive-full {enable | disable}
    Enable to have the FortiGate unit archive the full content of calls to a FortiAnalyzer unit or the FortiGuard Analysis and Management Service.
    This command is available only when application is set to SIP.
    Default: disable

sip-archive-summary {enable | disable}
    Enable to archive a summary of calls.
    This command is available only when application is set to SIP.
    Default: disable

sip-log-violations {enable | disable}
    Enable to log SIP violations.
    This command is available only when application is set to SIP.
    Default: disable
strict-register {enable | disable}
    Enable to allow only the registrar to connect.
    This command is available only when application is set to SIP.
    Default: disable

verify-header {enable | disable}
    Enable to verify SCCP header content.
    This command is available only when application is set to SCCP.
    Default: disable

History
FortiOS v4.0 New.
Related commands
application name
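The following is an added example, not taken from the original reference, showing how the SIP-specific keywords above combine into one application control list entry that rate-limits signalling, enforces the header line limit, and drops everything the list does not name. The list name, the entry ID, the numeric limits and the config entries / set action nesting around the per-application keywords are assumptions (the nesting and the action keyword are not part of the table above); lines beginning with # are explanatory and should be removed if your firmware rejects them.

```fortios
config application list
    edit "voip-hardened"
        set comment "SIP rate limits and header checks for the PBX segment"
        # Anything not named in this list is dropped and the drop is logged
        set other-application-action block
        set other-application-log enable
        config entries
            edit 1
                set application SIP
                set action pass
                set log enable
                # Per-policy request rates; a flood beyond these is rejected
                set invite-rate 20
                set register-rate 10
                set max-dialogs 200
                # max-line-length is only enforced when block-long-lines is on
                set max-line-length 998
                set block-long-lines enable
                # Only the registrar may connect, and the REGISTER response
                # must come back from the port the request was sent to
                set strict-register enable
                set reg-diff-port disable
                set rtp enable
                set call-keepalive 5
                set sip-log-violations enable
                set sip-archive-summary enable
            next
        end
    next
end
```

The list still has to be selected in a protection profile that a firewall policy uses before any of this takes effect. Note the interaction that is easy to miss: max-line-length alone changes nothing, because only block-long-lines turns the configured length into a drop, and sip-log-violations is what makes those drops visible in the logs.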
name
Use this command to view the settings of each application. The application category and ID are displayed.
This command is read only and cannot be used to change application settings.
Syntax
config application name <app_str>
    get
end
Variables Description Default
name <app_str>
    Enter the name of the application you want to view. Enter config application name ? to list all the applications.
    Default: No default
History
FortiOS v4.0 New.
Related commands
application list
dlp
The FortiGate data leak prevention (DLP) system allows you to prevent sensitive data from leaving your network. You can define sensitive data patterns, and data matching these patterns will be blocked and/or logged when passing through the FortiGate unit. The DLP system is configured by creating individual rules, combining the rules into DLP sensors, and then assigning a sensor to a protection profile.
Use these commands to configure Data Leak Prevention (DLP).
compound
rule
sensor
compound
Use this command to create compound DLP rules. A compound rule is made up of multiple DLP rules.
Syntax
config dlp compound
    edit <compound_rule_str>
        set comment <comment_str>
        set member <rule1> [<rule2> ...]
        set protocol {ftp | http | im | nntp}
        set sub-protocol {http-get http-post smtp pop3 imap ftp-get ftp-put aim icq msn ym}
end
Variables Description Default
<compound_rule_str>
    The name of the compound rule.
    Default: No default.
comment <comment_str>
    Optionally, enter a descriptive comment.
    Default: No default.
member <rule1> [<rule2> ...]
    Enter a space-delimited list of DLP rules that belong to this compound rule. For information about creating rules, see dlp rule on page 93.
    Default: No default.
protocol {ftp | http | im | nntp}
    Select the protocol to which this compound rule applies.
    Default: No default.
sub-protocol {http-get http-post smtp pop3 imap ftp-get ftp-put aim icq msn ym}
    Set the sub-protocols to which this compound rule applies. This is not available if protocol is nntp. For other protocols, the available sub-protocols are:
    http: http-get, http-post
    email: smtp, pop3, imap
    ftp: ftp-get, ftp-put
    im: aim (AOL IM), icq, msn, ym (Yahoo IM)
    If your FortiGate unit is capable of examining encrypted traffic, the available sub-protocols are:
    http: http-get, http-post, https-get, https-post
    email: smtp, pop3, imap, smtps, pop3s, imaps
    ftp: ftp-get, ftp-put
    im: aim, icq, msn, ym
    Default: No default.
History
FortiOS v4.0.0 New.
Related commands
dlp rule
rule
Use this command to create DLP rules.
Syntax
config dlp rule
    edit <rule_str>
        set description <desc_str>
        set field {attachment-size | attachment-text | attachment-type | body | cgi-parameters | cookie-content | encrypted | file-pattern | file-text | file-type | header | hostname | receiver | sender | server | subject | transfer-size | url | user | user-group}
        set file-pattern <pattern_str>
        set file-pattern-negated {enable | disable}
        set file-scan {archive-content archive-whole ms-word-content ms-word-whole pdf-content pdf-whole}
        set file-type <type_int>
        set file-type-negated {enable | disable}
        set negated {enable | disable}
        set operator {equal | greater-equal | less-equal | not-equal}
        set protocol {email | http | ftp | nntp | im}
        set regexp <regex_str>
        set regexp-negated {enable | disable}
        set regexp-wildcard {enable | disable}
        set regexp-utf8 {enable | disable}
        set rule_name <rule_str>
        set string <str>
        set string-negated {enable | disable}
        set sub-protocol {http-get http-post smtp pop3 imap ftp-get ftp-put aim icq msn ym}
        set value <value_int>
end
Variables Description Default
description <desc_str>
    Enter an optional description of the DLP rule.
    Default: No default
field {attachment-size | attachment-text | attachment-type | body | cgi-parameters | cookie-content | encrypted | file-pattern | file-text | file-type | header | hostname | receiver | sender | server | subject | transfer-size | url | user | user-group}
    Enter the attribute the DLP rule will examine for a match. The available fields depend on the protocol and sub-protocol you have set.
    attachment-size: Check the attachment file size. This option is available for Email.
    attachment-text: Check the attachment for a text string. This option is available for Email.
    attachment-type: Search email messages for file types or file patterns as specified in the selected file filter. This option is available for Email.
    body: Search for text in the message or page body. This option is available for Email, HTTP, and NNTP.
    cgi-parameters: Search for a CGI parameter in any web page with CGI code. This option is available for HTTP.
    cookie-content: Search the contents of cookies for a text string. This option is available for HTTP.
    encrypted: Check whether files are or are not encrypted. Encrypted files are archives and MS Word files protected with passwords. Because they are password protected, the FortiGate unit cannot scan the contents of encrypted files, so a content rule alone will never match them; use this field to decide what happens to the files that the other fields cannot see into.
    file-pattern: Search for file patterns and file types. The patterns and types are configured in file filter lists, and a list is selected in the DLP rule. This option is available for FTP, HTTP, IM, and NNTP.
    file-text: Search for text in transferred text files. This option is available for FTP, IM, and NNTP.
    file-type: Search for file patterns and file types. The patterns and types are configured in file filter lists, and a list is selected in the DLP rule. This option is available for FTP, HTTP, IM, and NNTP.
    header: Search for a text string in HTTP headers.
    hostname: Search for the host name when contacting an HTTP server.
    receiver: Search for a text string in the message recipient email address. This option is available for Email.
    sender: Search for a text string in the message sender user ID or email address. This option is available for Email and IM.
    server: Search for the server's IP address in a specified address range. This option is available for FTP and NNTP.
    subject: Search for a text string in the message subject. This option is available for Email.
    transfer-size: Check the total size of the information transfer. In the case of email traffic, for example, the transfer size includes the message header, body, and any encoded attachment.
    url: Search for the specified URL in HTTP traffic.
    user: Search for traffic from an authenticated user.
    user-group: Search for traffic from any authenticated user in a user group.
    Default: body
file-pattern <pattern_str>
    Enter a base-64 string the FortiGate unit will search for in files. A match will trigger the rule.
    Default: No default
file-pattern-negated {enable | disable}
    Enable to trigger the rule when a file does not contain the pattern specified with the file-pattern command.
    Default: disable
file-scan {archive-content archive-whole ms-word-content ms-word-whole pdf-content pdf-whole}
    You can select file options for any protocol to configure how the DLP rule handles archive files, MS Word files, and PDF files found in content traffic.
    Note: Office 2007/2008 DOCX files are not recognized as MS Word by the DLP scanner. To scan the contents of DOCX files, select the archive-content option.
    archive-content: When selected, files within archives are extracted and scanned in the same way as files that are not archived.
    archive-whole: When selected, archives are scanned as a whole. The files within the archive are not extracted and scanned individually.
    ms-word-content: When selected, the text contents of MS Word DOC documents are extracted and scanned for a match. All metadata and binary information is ignored.
    ms-word-whole: When selected, MS Word DOC files are scanned whole. All binary and metadata information is included. If you are scanning for text entered in a DOC file, use ms-word-content instead: binary formatting codes and file information may appear within the text, causing text matches to fail.
    pdf-content: When selected, the text contents of PDF documents are extracted and scanned for a match. All metadata and binary information is ignored.
    pdf-whole: When selected, PDF files are scanned whole. All binary and metadata information is included. If you are scanning for text in PDF files, use pdf-content instead: binary formatting codes and file information may appear within the text, causing text matches to fail.
    Default: null
file-type <type_int>
    When you set the field command to file-type, use the file-type command to specify which file-type list is used. The <type_int> variable corresponds to the list position in the UTM > AntiVirus > File Filter list in the web-based manager. For example, enter 3 to specify the third list.
    Default: No default
file-type-negated {enable | disable}
    Enable to trigger the rule when the file type does not match that specified with the file-type command.
    Default: disable
negated {enable | disable}
    When the field command is set to encrypted, password protected archives and MS Word documents trigger the rule. To reverse this behavior and trigger the rule when archives and MS Word documents are not password protected, set negated to enable.
    Default: disable
operator {equal | greater-equal | less-equal | not-equal}
    When the FortiGate unit checks sizes or quantities, an operator must be used to specify when the rule is triggered. The operators are:
    equal: The rule is triggered when the stated quantity is equal to the quantity detected.
    greater-equal: The rule is triggered when the detected quantity is greater than or equal to the stated quantity.
    less-equal: The rule is triggered when the detected quantity is less than or equal to the stated quantity.
    not-equal: The rule is triggered when the stated quantity is not equal to the quantity detected. The detected quantity can be greater than or less than the stated quantity.
    Default: equal
protocol {email | http | ftp | nntp | im}
    Select the type of content traffic to which the DLP rule will apply. The available rule options vary depending on the protocol that you select.
    Default: No default
regexp <regex_str>
    Enter the regular expression or wildcard to test. Use the regexp-wildcard keyword to choose between regular expression syntax and wildcards.
    Default: No default
regexp-negated {enable | disable}
    By default, DLP rules are triggered when the FortiGate unit discovers network traffic that matches the regular expressions or wildcards specified in DLP rules. Enable regexp-negated to have the DLP rule triggered when traffic does not match the regular expression or wildcard specified in the rule.
    Default: disable
regexp-wildcard {enable | disable}
    DLP rule expressions can be written using regular expressions or wildcards. Enable regexp-wildcard to use wildcards and disable it to use regular expressions.
    Default: disable
regexp-utf8 {enable | disable}
    Either ASCII or UTF-8 encoding can be used when comparing rules with network traffic. Enable regexp-utf8 to use UTF-8 encoding and disable it to use plain ASCII.
    Default: disable
rule_name <rule_str>
    Enter the name of the rule you want to edit. Enter a new name to create a DLP rule.
    Default: No default
string <str>
    When the field command is set to user or user-group, use the string command to specify the user name or user-group name.
    Default: No default
string-negated {enable | disable}
    Enable string-negated to have the DLP rule triggered when the user or user-group specified with the string command does not match.
    Default: disable
sub-protocol {http-get http-post smtp pop3 imap ftp-get ftp-put aim icq msn ym}
    Set the sub-protocols to which this rule applies. This is not available if protocol is nntp. For other protocols, the available sub-protocols are:
    http: http-get, http-post
    email: smtp, pop3, imap
    ftp: ftp-get, ftp-put
    im: aim (AOL IM), icq, msn, ym (Yahoo IM)
    If your FortiGate unit is capable of examining encrypted traffic, the available sub-protocols are:
    http: http-get, http-post, https-get, https-post
    email: smtp, pop3, imap, smtps, pop3s, imaps
    ftp: ftp-get, ftp-put
    im: aim, icq, msn, ym
    Default: null
value <value_int>
    Field types that search for matches based on numbers require a number be specified with the value command. For example, the attachment-size command checks attachments based on their size, measured in kilobytes.
    Default: 0
History
FortiOS v4.0.0 New.
Related commands
dlp compound
sensor
Use this command to create a DLP sensor.
Syntax
config dlp sensor
    edit <sensor_str>
        set comment <comment_str>
        config rule
            edit <rule_str>
                set action {ban | ban-sender | block | exempt | log-only | quarantine-ip | quarantine-port}
                set expiry {<int>d | <int>h | <int>m | indefinite}
                set archive {enable | disable}
                set status {enable | disable}
            next
        end
        config compound-rule
            edit <compound-rule_str>
                set action {ban | ban-sender | block | exempt | log-only | quarantine-ip | quarantine-port}
                set expiry {<int>d | <int>h | <int>m | indefinite}
                set archive {enable | disable}
                set status {enable | disable}
            next
        end
end
Variables Description Default
<sensor_str>
    Enter the name of a sensor to edit. Enter a new name to create a new DLP sensor.
    Default: No default
comment <comment_str>
    Enter an optional description of the DLP sensor.
    Default: No default
edit <rule_str>
    Enter a rule name defined in dlp rule on page 93.
edit <compound-rule_str>
    Enter a compound rule name defined in dlp compound on page 92.
action {ban | ban-sender | block | exempt | log-only | quarantine-ip | quarantine-port}
    Enter the action taken when the rule is triggered.
    ban: Block all traffic to or from the user using the protocol that triggered the rule and add the user to the Banned User list if the user is authenticated. If the user is not authenticated, block all traffic of the protocol that triggered the rule from the user's IP address.
    ban-sender: Block email or IM traffic from the sender of matching email or IM messages and add the sender to the Banned User list. This action is available only for email and IM protocols. For email, the sender is determined by the From: address in the email header. For IM, all members of an IM session are senders and the senders are determined by finding the IM user IDs in the session.
    block: Prevent the traffic matching the rule from being delivered.
    exempt: Prevent any DLP sensors from taking action on matching traffic. This action overrides any other action from any matching sensors.
    log-only: Prevent the DLP rule from taking any action on network traffic but log the rule match. Other matching rules in the same sensor and other sensors may still operate on matching traffic.
    quarantine-ip: Block access through the FortiGate unit for any IP address that sends traffic matching a sensor with this action. The IP address is added to the Banned User list.
    quarantine-port: Block access to the network from any client on the interface that sends traffic matching a sensor with this action.
    Default: log-only
expiry {<int>d | <int>h | <int>m | indefinite}
    For the actions ban, ban-sender, quarantine-ip, and quarantine-port, you can set the duration of the ban/quarantine. The duration can be indefinite or a specified number of days, hours, or minutes.
    <integer>d: Enter the number of days followed immediately by the letter d. For example, 7d represents seven days.
    <integer>h: Enter the number of hours followed immediately by the letter h. For example, 12h represents 12 hours.
    <integer>m: Enter the number of minutes followed immediately by the letter m. For example, 30m represents 30 minutes.
    indefinite: Enter indefinite to keep the ban/quarantine active until the user or IP address is manually removed from the banned user list.
    Default: indefinite
archive {enable | disable}
    Enable for full content archiving to a FortiAnalyzer unit or the FortiGuard Analysis and Management Service. If neither of these remote management systems is configured, this option has no effect.
    Default: disable
status {enable | disable}
    You can disable a sensor rule or compound rule by setting status to disable. The item will be listed as part of the sensor, but it will not be used. Note that the default is disable, so a rule added to a sensor does nothing until its status is set to enable.
    Default: disable
History
FortiOS v4.0.0 New.
Related commands
dlp compound
dlp rule
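The following is an added example, not taken from the original reference, that walks the three dlp commands above in the order the chapter introduction describes: individual rules, a compound rule that requires two of them to match the same HTTP transaction, and a sensor that attaches actions to both. It exercises the number-based fields (operator and value), the encrypted field that catches what content scanning cannot see into, and the default status of disable on sensor members. Rule, group and sensor names, the card-number regular expression, the size threshold and the ban duration are assumptions; the regular expression avoids backslash escapes so it can be pasted into a double-quoted CLI string as written. Lines beginning with # are explanatory and should be removed if your firmware rejects them.

```fortios
config dlp rule
    edit "http-post-card-number"
        set description "16-digit card-like number in an HTTP POST body"
        set protocol http
        set sub-protocol http-post
        set field body
        set regexp "[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}"
        # Real regular expression syntax, not the wildcard form
        set regexp-wildcard disable
    next
    edit "http-post-by-contractor"
        set description "Authenticated member of the contractors group"
        set protocol http
        set sub-protocol http-post
        set field user-group
        set string "contractors"
    next
    edit "mail-large-attachment"
        set description "Outbound SMTP attachment of 5 MB or more"
        set protocol email
        set sub-protocol smtp
        set field attachment-size
        # value is in kilobytes; greater-equal fires at 5120 KB and above
        set operator greater-equal
        set value 5120
    next
    edit "mail-encrypted-attachment"
        set description "Password-protected archive or DOC that cannot be scanned"
        set protocol email
        set sub-protocol smtp
        # Content rules never match inside these, so treat them on their own
        set field encrypted
        set negated disable
    next
end

config dlp compound
    edit "card-number-from-contractor"
        set comment "Both HTTP rules must match the same POST"
        set member "http-post-card-number" "http-post-by-contractor"
        set protocol http
        set sub-protocol http-post
    next
end

config dlp sensor
    edit "egress-controls"
        set comment "Outbound data controls selected from the protection profile"
        config rule
            edit "mail-large-attachment"
                # Observe first: log and archive, deliver the message
                set action log-only
                set archive enable
                set status enable
            next
            edit "mail-encrypted-attachment"
                set action block
                set status enable
            next
        end
        config compound-rule
            edit "card-number-from-contractor"
                # Authenticated user is banned for 12 hours; expiry is ignored
                # for block and log-only
                set action ban
                set expiry 12h
                set status enable
            next
        end
    next
end
```

Two points of the design are worth stating. The compound rule is what turns two independent matches into one condition; the same two rules placed directly in the sensor would fire separately. And the sensor does nothing until it is selected in a protection profile that a firewall policy uses, as the chapter introduction says, so a sensor that exists but is unreferenced is a common reason a DLP rule appears not to work.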
endpoint-control
Use endpoint-control commands to configure the following parts of the Endpoint Control feature:
the required minimum version of FortiClient Endpoint Security
the FortiClient installer download location
software detection
Endpoint Control is enabled in firewall policies.
This chapter contains the following sections:
apps-detection
settings
apps-detection
Use this command to configure the software detection part of the Endpoint Control feature. Software detection must be enabled in the Endpoint Control firewall policy options.
Syntax
config endpoint-control apps-detection
    edit <app-name>
        set search-pattern <pattern>
end
Variables Description Default
<app-name>
    Enter a descriptive name for the application.
    Default: No default.
search-pattern <pattern>
    Enter a pattern to match the application's entry in the Windows Add and Remove Programs list.
    Default: No default.
History
FortiOS v4.0 New.
Related commands
endpoint-control settings
firewall policy, policy6
settings
Use this command to configure the required minimum version of FortiClient Endpoint Security and the installer download location. This is part of the Endpoint Control feature.
Syntax
config endpoint-control settings
    set download-location {custom | fortigate | fortiguard}
    set download-custom-link <url>
    set version <major.minor.patch>
    set version-check {latest | minimum}
end
If download-location is fortiguard and FortiGuard Services is not available, the download portal directs the user to contact the administrator.
Variables Description Default
download-location {custom | fortigate | fortiguard}
    Select the location from which the FortiClient application is downloaded:
    custom: set download-custom-link to a URL that provides the download
    fortigate: this FortiGate unit, available on some models
    fortiguard: FortiGuard Services
    Default: fortiguard
download-custom-link <url>
    Enter a URL where the FortiClient installer can be downloaded. This is available if download-location is custom.
    Default: No default.
version <major.minor.patch>
    Enter the minimum acceptable version of the FortiClient application. This is available if version-check is minimum.
    Default: 4.0.0
version-check {latest | minimum}
    Enter latest to require the newest version available from the download location. Enter minimum to specify a minimum version in version.
    Default: minimum
History
FortiOS v4.0 New.
Related commands
endpoint-control apps-detection
firewall
Use firewall commands to configure firewall policies and the data they use, including protection profiles, IP addresses and virtual IP addresses, schedules, and services. You can also configure DNS translation, IP/MAC binding, and multicast policies.
This chapter contains the following sections:
address, address6
addrgrp, addrgrp6
dnstranslation
interface-policy
interface-policy6
ipmacbinding setting
ipmacbinding table
ippool
ldb-monitor
multicast-policy
policy, policy6
profile
schedule onetime
schedule recurring
service custom
service group
ssl setting
traffic-shaper
vip
vipgrp
address, address6
Use this command to configure firewall addresses used in firewall policies. An IPv4 firewall address is a set of one or more IP addresses, represented as a domain name, an IP address and a subnet mask, or an IP address range. An IPv6 firewall address is an IPv6 6-to-4 address prefix.
By default, FortiGate units have the firewall address All, which represents any IP address.
Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall policies. If an address is selected in a policy, it cannot be deleted until it is deselected from the policy.
Syntax
config firewall address
    edit <name_str>
        set associated-interface <interface_str>
        set comment <comment_string>
        set end-ip <address_ipv4>
        set fqdn <domainname_str>
        set start-ip <address_ipv4>
        set subnet <address_ipv4mask>
        set type {ipmask | iprange | fqdn | wildcard}
end
config firewall address6
    edit <name_str>
        set ip6 <address_ipv6prefix>
end
Keywords and variables Description Default
The following commands are for config firewall address.
<name_str>
    Enter the name of the address.
    Default: No default.
associated-interface <interface_str>
    Enter the name of the associated interface. If not configured, the firewall address is bound to an interface during firewall policy configuration.
    Default: No default.
comment <comment_string>
    Enter any comments for this address.
    Default: No default.
end-ip <address_ipv4>
    If type is iprange, enter the last IP address in the range.
    Default: 0.0.0.0
fqdn <domainname_str>
    If type is fqdn, enter the fully qualified domain name (FQDN).
    Default: No default.
start-ip <address_ipv4>
    If type is iprange, enter the first IP address in the range.
    Default: 0.0.0.0
subnet <address_ipv4mask>
    If type is ipmask, enter an IP address then its subnet mask, in dotted decimal format and separated by a space, or in CIDR format with no separation. For example, you could enter either:
    172.168.2.5/32
    172.168.2.5 255.255.255.255
    The IP address can be for a single computer or a subnetwork. The subnet mask corresponds to the size of the network being added.
    A single computer's subnet mask is 255.255.255.255 or /32.
    A class A subnet mask is 255.0.0.0 or /8.
    A class B subnet mask is 255.255.0.0 or /16.
    A class C subnet mask is 255.255.255.0 or /24.
    Default: 0.0.0.0 0.0.0.0
type {ipmask | iprange | fqdn | wildcard}
    Select whether this firewall address is a subnet address, an address range, a fully qualified domain name, or an IP with a wildcard netmask.
    Default: ipmask
The following command is for config firewall address6.
<name_str>
    Enter the name of the IPv6 address prefix.
    Default: No default.
ip6 <address_ipv6prefix>
    Enter an IPv6 address prefix.
    Default: ::/0
Example
This example shows how to add one IPv4 address of each type: ipmask, iprange, and fqdn. It also shows how to configure an IPv6 address prefix.
config firewall address
    edit Example_Subnet
        set type ipmask
        set subnet 192.168.1.0 255.255.255.0
    next
    edit Example_Range
        set type iprange
        set start-ip 10.10.1.10
        set end-ip 10.10.1.30
    next
    edit Example_Domain
        set type fqdn
        set fqdn www.example.com
end
config firewall address6
    edit Example_ipv6_Prefix
        set ip6 2002:CF8E:83CA::/48
end
History
FortiOS v2.80 Substantially revised. IP address range option added. Requirement that an address be added to an interface removed.
FortiOS v3.0 Added fqdn.
FortiOS v3.0 MR4 Added option associated-interface.
FortiOS v3.0 MR7 Added wildcard as type. Allows for a firewall address with a wildcard netmask.
FortiOS v4.0 Added option comment.
Related topics
firewall addrgrp, addrgrp6
firewall policy, policy6
addrgrp, addrgrp6
Use this command to configure firewall address groups used in firewall policies.
You can organize related firewall addresses into firewall address groups to simplify firewall policy
configuration. For example, rather than creating three separate firewall policies for three firewall
addresses, you could create a firewall address group consisting of the three firewall addresses, then
create one firewall policy using that firewall address group.
Addresses, address groups, and virtual IPs must all have unique names to avoid confusion in firewall
policies. If an address group is selected in a policy, it cannot be deleted unless it is first deselected in the
policy.
Syntax

config firewall addrgrp, addrgrp6
    edit <name_str>
        set comment <comment_string>
        set member <name_str>
end

Example

This example shows how to add two firewall addresses to a firewall address group.

config firewall addrgrp
    edit Group1
        set member Example_Subnet Example_Range
end

Keywords and variables   Description   Default

<name_str>
    Enter the name of the address group.
    Default: No default.

comment <comment_string>
    Enter any comments for this address group.
    Default: No default.

member <name_str>
    Enter one or more names of firewall addresses to add to the address group. Separate multiple names with a space. To remove an address name from the group, retype the entire new list, omitting the address name.
    Default: No default.

History

FortiOS v2.80   Revised.
FortiOS v4.0    Added option comment.

Related topics

firewall address, address6
firewall policy, policy6
dnstranslation
Use this command to add, edit or delete a DNS translation entry.

If DNS translation is configured, the FortiGate unit rewrites the payload of outbound DNS query replies from internal DNS servers, replacing the resolved names' internal network IP addresses with external network IP address equivalents, such as a virtual IP address on a FortiGate unit's external network interface. This allows external network hosts to use an internal network DNS server for domain name resolution of hosts located on the internal network.

For example, if a virtual IP provided network address translation (NAT) between a public network, such as the Internet, and a private network containing a web server, hosts on the public network could access the web server by using its virtual IP address. However, if hosts attempted to access the web server by domain name, and the DNS server performing name resolution for that domain name was also located on the private network, the DNS query reply would contain a private network IP address, which is not routable from the external network. To solve this, you might configure DNS translation, and substitute the web server's private network IP address with the virtual IP address in DNS query replies to the public network.

DNS translation mappings between src and dst must be one-to-one; you cannot create one-to-many or many-to-one mappings. For example, if src is a single IP address, it cannot be DNS translated into a dst subnet; dst must be a single IP address, like src. If src is a subnet, dst must also be a subnet.

Syntax

config firewall dnstranslation
    edit <index_int>
        set dst <destination_ipv4>
        set netmask <address_ipv4mask>
        set src <source_ipv4>
end

Example

This example shows how to translate the resolved addresses in DNS query replies, from an internal (source) subnet to an external (destination) subnet.

config firewall dnstranslation
    edit 1
        set src 192.168.100.12
        set dst 172.16.200.190
        set netmask 255.255.255.0
end

Keywords and variables   Description   Default

<index_int>
    Enter the unique ID number of the DNS translation entry.
    Default: No default.

dst <destination_ipv4>
    Enter the IP address or subnet on the external network to substitute for the resolved address in DNS query replies. dst can be either a single IP address or a subnet on the external network, but must be equal in number to the number of mapped IP addresses in src.
    Default: 0.0.0.0

netmask <address_ipv4mask>
    If src and dst are subnets rather than single IP addresses, enter the netmask for both src and dst.
    Default: 0.0.0.0

src <source_ipv4>
    Enter the IP address or subnet on the internal network to compare with the resolved address in DNS query replies. If the resolved address matches, the resolved address is substituted with dst.
    Default: 0.0.0.0
History

FortiOS v2.80   Revised.

Related topics

firewall vip
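The one-to-one rewrite of resolved addresses described above, modelled in Python as an added example (not Fortinet code). It assumes, since the reference does not spell it out, that a subnet entry carries the host bits of the resolved address unchanged into the dst subnet and that the default netmask 0.0.0.0 denotes a single-address entry; the sample reply is constructed.

```python
"""One-to-one DNS translation as described for 'config firewall dnstranslation'.

Added example for this reference, not Fortinet code. Assumptions (the page
does not state them): a subnet entry keeps the host bits of the resolved
address and replaces only the network bits, and the default netmask 0.0.0.0
marks a single-address entry that is swapped exactly.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class DnsTranslationEntry:
    """Mirror of the src / dst / netmask keywords of one entry."""
    src: str
    dst: str
    netmask: str = "0.0.0.0"   # page default; treated here as "single address"

    def _ints(self) -> Tuple[int, int, int]:
        return (
            int(ipaddress.IPv4Address(self.src)),
            int(ipaddress.IPv4Address(self.dst)),
            int(ipaddress.IPv4Address(self.netmask)),
        )

    def translate(self, resolved: str) -> str:
        """Return the address that replaces `resolved`, or `resolved` itself
        when this entry does not match it."""
        src, dst, mask = self._ints()
        addr = int(ipaddress.IPv4Address(resolved))
        if mask == 0:
            # Single-address entry: exact swap only (assumption, see above).
            return self.dst if addr == src else resolved
        if (addr & mask) != (src & mask):
            return resolved            # not inside the src subnet, leave it
        # Subnet entry: one netmask on both sides guarantees the mapping is
        # one-to-one, so keep the host bits and replace the network bits.
        host_bits = addr & (~mask & 0xFFFFFFFF)
        return str(ipaddress.IPv4Address((dst & mask) | host_bits))


def translate_reply(entries: Iterable[DnsTranslationEntry],
                    answers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Rewrite the A-record answers of an outbound DNS reply.

    `answers` is a constructed list of (name, address) pairs standing in for
    the answer section; the first matching entry wins for each record.
    """
    entries = list(entries)
    rewritten = []
    for name, addr in answers:
        new_addr = addr
        for entry in entries:
            candidate = entry.translate(addr)
            if candidate != addr:
                new_addr = candidate
                break
        rewritten.append((name, new_addr))
    return rewritten


if __name__ == "__main__":
    # Entry from the page's example (192.168.100.12 -> 172.16.200.190, /24)
    # applied to a constructed reply from an internal DNS server.
    entry = DnsTranslationEntry("192.168.100.12", "172.16.200.190", "255.255.255.0")
    reply = [("www.example.com", "192.168.100.12"),
             ("mail.example.com", "192.168.100.25"),
             ("ns.example.net", "10.0.0.53")]
    for name, addr in translate_reply([entry], reply):
        print(f"{name} -> {addr}")
```

With the /24 netmask the page's example maps the whole 192.168.100.0/24 onto 172.16.200.0/24, so the .12 host becomes 172.16.200.12 rather than .190; only a single-address entry (default netmask) produces the exact .12 to .190 swap.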
interface-policy
DoS policies, called interface policies in the CLI, are primarily used to apply DoS sensors to network traffic based on the FortiGate interface it is leaving or entering as well as the source and destination addresses. DoS sensors are a traffic anomaly detection feature that identifies network traffic that does not fit known or common traffic patterns and behavior. A common example of anomalous traffic is the denial of service attack. A denial of service occurs when an attacking system starts an abnormally large number of sessions with a target system. The large number of sessions slows down or disables the target system so legitimate users can no longer use it. You can also use the interface-policy command to invoke an IPS sensor as part of a DoS policy.

The interface-policy command is used for DoS policies applied to IPv4 addresses. For IPv6 addresses, use interface-policy6 instead.

Syntax

config firewall interface-policy
    edit <policy_id>
        set dstaddr <dstaddr_ipv4>
        set interface <int_str>
        set ips-DoS-status {enable | disable}
        set ips-DoS <DoS_str>
        set ips-sensor-status {enable | disable}
        set ips-sensor <sensor_str>
        set service <service_str>
        set srcaddr <srcaddr_ipv4>
        set status {enable | disable}
end

Variables   Description   Default

dstaddr <dstaddr_ipv4>
    Enter an address or address range to limit traffic monitoring to network traffic sent to the specified address or range.

interface <int_str>
    The interface or zone to be monitored.

ips-DoS-status {enable | disable}
    Enable to have the FortiGate unit examine network traffic for DoS sensor violations.
    Default: disable

ips-DoS <DoS_str>
    Enter the name of the DoS sensor the FortiGate unit will use when examining network traffic.
    This option is available only when ips-DoS-status is set to enable.

ips-sensor-status {enable | disable}
    Enable to have the FortiGate unit examine network traffic for attacks and vulnerabilities.
    Default: disable

ips-sensor <sensor_str>
    Enter the name of the IPS sensor the FortiGate unit will use when examining network traffic.
    This option is available only when ips-sensor-status is set to enable.

service <service_str>
    Enter a service to limit traffic monitoring to only the selected type. You may also specify a service group, or multiple services separated by spaces.

srcaddr <srcaddr_ipv4>
    Enter an address or address range to limit traffic monitoring to network traffic sent from the specified address or range.

status {enable | disable}
    Enable or disable the DoS policy. A disabled DoS policy has no effect on network traffic.
    Default: enable

History

FortiOS v4.0   New.
Related commands
firewall interface-policy6
firewall policy, policy6
firewall profile
interface-policy6
DoS policies (called interface policies in the CLI) for IPv6 addresses are used to apply IPS sensors to network traffic based on the FortiGate interface it is leaving or entering as well as the source and destination addresses.

The interface-policy6 command is used for DoS policies applied to IPv6 addresses. For IPv4 addresses, use interface-policy instead.

Syntax

config firewall interface-policy6
    edit <policy_id>
        set dstaddr6 <dstaddr_ipv6>
        set interface <int_str>
        set ips-sensor-status {enable | disable}
        set ips-sensor <sensor_str>
        set service6 <service_str>
        set srcaddr6 <srcaddr_ipv6>
        set status {enable | disable}
end

Variables   Description   Default

dstaddr6 <dstaddr_ipv6>
    Enter an address or address range to limit traffic monitoring to network traffic sent to the specified address or range.

interface <int_str>
    The interface or zone to be monitored.

ips-sensor-status {enable | disable}
    Enable to have the FortiGate unit examine network traffic for attacks and vulnerabilities.
    Default: disable

ips-sensor <sensor_str>
    Enter the name of the IPS sensor the FortiGate unit will use when examining network traffic.
    This option is available only when ips-sensor-status is set to enable.

service6 <service_str>
    Enter a service to limit traffic monitoring to only the selected type. You may also specify a service group, or multiple services separated by spaces.

srcaddr6 <srcaddr_ipv6>
    Enter an address or address range to limit traffic monitoring to network traffic sent from the specified address or range.

status {enable | disable}
    Enable or disable the DoS policy. A disabled DoS policy has no effect on network traffic.
    Default: enable

History

FortiOS v4.0   New.

Related commands

firewall interface-policy
firewall policy, policy6
firewall profile
ipmacbinding setting
Use this command to configure IP to MAC address binding settings.

IP/MAC binding protects the FortiGate unit and/or the network from IP address spoofing attacks. IP spoofing attacks attempt to use the IP address of a trusted computer to connect to, or through, the FortiGate unit from a different computer. It is simple to change a computer's IP address to mimic that of a trusted host, but MAC addresses are often assigned to Ethernet cards at the factory, and are more difficult to change. By requiring that traffic from trusted hosts reflect both the IP address and MAC address known for that host, fraudulent connections are more difficult to construct.

To configure the table of IP addresses and the MAC addresses bound to them, see ipmacbinding table on page 114. To enable or disable IP/MAC binding for an individual FortiGate unit network interface, see ipmac in system interface on page 387.

Syntax

config firewall ipmacbinding setting
    set bindthroughfw {enable | disable}
    set bindtofw {enable | disable}
    set undefinedhost {allow | block}
end

Note: If IP/MAC binding is enabled, and the IP address of a host with an IP or MAC address in the IP/MAC table is changed, or a new computer is added to the network, update the IP/MAC table. If you do not update the IP/MAC binding list, the new or changed hosts will not have access to or through the FortiGate unit. For details on updating the IP/MAC binding table, see ipmacbinding table on page 114.

Caution: If a client receives an IP address from the FortiGate unit's DHCP server, the client's MAC address is automatically registered in the IP/MAC binding table. This can simplify IP/MAC binding configuration, but can also neutralize protection offered by IP/MAC binding if untrusted hosts are allowed to access the DHCP server. Use caution when enabling and providing access to the DHCP server.

Keywords and variables   Description   Default

bindthroughfw {enable | disable}
    Select to use IP/MAC binding to filter packets that a firewall policy would normally allow through the FortiGate unit.
    Default: disable

bindtofw {enable | disable}
    Select to use IP/MAC binding to filter packets that would normally connect to the FortiGate unit.
    Default: disable

undefinedhost {allow | block}
    Select how IP/MAC binding handles packets with IP and MAC addresses that are not defined in the IP/MAC list for traffic going through or to the FortiGate unit.
    allow: Allow packets with IP and MAC address pairs that are not in the IP/MAC binding list.
    block: Block packets with IP and MAC address pairs that are not in the IP/MAC binding list.
    This option is available only when either or both of bindthroughfw and bindtofw are enable.
    Default: block
Example

This example shows how to enable IP/MAC binding for traffic both going to and through the FortiGate unit, and block undefined hosts (IP/MAC address pairs).

config firewall ipmacbinding setting
    set bindthroughfw enable
    set bindtofw enable
    set undefinedhost block
end

History

FortiOS v2.80   Revised.

Related topics

firewall ipmacbinding table
ipmacbinding table
Use this command to configure IP and MAC address pairs in the IP/MAC binding table. You can bind multiple IP addresses to the same MAC address, but you cannot bind multiple MAC addresses to the same IP address.

To configure the IP/MAC binding settings, see ipmacbinding setting on page 112. To enable or disable IP/MAC binding for an individual FortiGate unit network interface, see ipmac in system interface on page 387.

Syntax

config firewall ipmacbinding table
    edit <index_int>
        set ip <address_ipv4>
        set mac <address_hex>
        set name <name_str>
        set status {enable | disable}
end

Example

This example shows how to add and enable an IP/MAC entry to the IP/MAC binding table.

config firewall ipmacbinding table
    edit 1
        set ip 172.16.44.55
        set mac 00:10:F3:04:7A:4C
        set name RemoteAdmin
        set status enable
end

Note: If IP/MAC binding is enabled, and the IP address of a host with an IP or MAC address in the IP/MAC table is changed, or a new computer is added to the network, update the IP/MAC table. If you do not update the IP/MAC binding list, the new or changed hosts will not have access to or through the FortiGate unit.

Caution: If a client receives an IP address from the FortiGate unit's DHCP server, the client's MAC address is automatically registered in the IP/MAC binding table. This can simplify IP/MAC binding configuration, but can also neutralize protection offered by IP/MAC binding if untrusted hosts are allowed to access the DHCP server. Use caution when enabling and providing access to the DHCP server.

Keywords and variables   Description   Default

<index_int>
    Enter the unique ID number of this IP/MAC pair.
    Default: No default.

ip <address_ipv4>
    Enter the IP address to bind to the MAC address.
    To allow all packets with the MAC address, regardless of the IP address, set the IP address to 0.0.0.0.
    Default: 0.0.0.0

mac <address_hex>
    Enter the MAC address.
    To allow all packets with the IP address, regardless of the MAC address, set the MAC address to 00:00:00:00:00:00.
    Default: 00:00:00:00:00:00

name <name_str>
    Enter a name for this entry on the IP/MAC address table. (Optional.)
    Default: noname

status {enable | disable}
    Select to enable this IP/MAC address pair.
    Packets not matching any IP/MAC binding will be dropped. Packets matching an IP/MAC binding will be matched against the firewall policy list.
    Default: disable
History

FortiOS v2.80   Revised.

Related topics

firewall ipmacbinding setting
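The decision that ipmacbinding setting and ipmacbinding table together describe, written out as an added Python model (not Fortinet code) covering the direction switches, the two wildcard values and undefinedhost. One point the reference leaves implicit is assumed here: a packet whose IP or MAC is bound but arrives with the wrong partner is treated as a spoofing mismatch and blocked, while a pair with neither half in the table is an undefined host.

```python
"""Decision model for FortiGate IP/MAC binding (setting + table sections).

Added example, not Fortinet code. Assumption beyond the page text: an IP or
MAC that is bound but shows up with the wrong partner is a mismatch and is
blocked; only pairs with neither half in the table follow undefinedhost.
"""
from dataclasses import dataclass, field
from typing import List

ANY_IP = "0.0.0.0"                 # ip wildcard: any IP with this MAC
ANY_MAC = "00:00:00:00:00:00"      # mac wildcard: any MAC with this IP


def norm_mac(mac: str) -> str:
    """Compare MACs case-insensitively and accept '-' separators."""
    return mac.replace("-", ":").lower()


@dataclass
class BindingEntry:
    """One 'config firewall ipmacbinding table' entry, with page defaults."""
    ip: str
    mac: str
    name: str = "noname"
    status: str = "disable"

    def matches(self, ip: str, mac: str) -> bool:
        ip_ok = self.ip == ANY_IP or self.ip == ip
        mac_ok = self.mac == ANY_MAC or norm_mac(self.mac) == norm_mac(mac)
        return ip_ok and mac_ok


@dataclass
class BindingSettings:
    """'config firewall ipmacbinding setting' plus the table it consults."""
    bindthroughfw: str = "disable"
    bindtofw: str = "disable"
    undefinedhost: str = "block"
    table: List[BindingEntry] = field(default_factory=list)


def check_packet(settings: BindingSettings, ip: str, mac: str,
                 to_fortigate: bool) -> str:
    """Return 'not-checked', 'allow' or 'block' for one packet.

    'allow' only means the packet passed IP/MAC binding; traffic through the
    unit is then matched against the firewall policy list as usual.
    """
    direction = settings.bindtofw if to_fortigate else settings.bindthroughfw
    if direction != "enable":
        return "not-checked"          # binding is off for this direction
    active = [e for e in settings.table if e.status == "enable"]
    if any(e.matches(ip, mac) for e in active):
        return "allow"
    # Assumption (see module docstring): a bound IP or MAC with the wrong
    # partner is exactly the spoofing case the feature exists to stop.
    known_ip = any(e.ip == ip for e in active)
    known_mac = any(norm_mac(e.mac) == norm_mac(mac) for e in active)
    if known_ip or known_mac:
        return "block"
    return "allow" if settings.undefinedhost == "allow" else "block"


# Configuration taken from the two examples on the page.
EXAMPLE_SETTINGS = BindingSettings(
    bindthroughfw="enable", bindtofw="enable", undefinedhost="block",
    table=[BindingEntry("172.16.44.55", "00:10:F3:04:7A:4C", "RemoteAdmin", "enable")],
)

if __name__ == "__main__":
    # Constructed packets: the real admin host, a spoofed IP, an unknown host.
    for ip, mac in [("172.16.44.55", "00:10:f3:04:7a:4c"),
                    ("172.16.44.55", "00:aa:bb:cc:dd:ee"),
                    ("10.9.8.7", "00:aa:bb:cc:dd:ee")]:
        print(ip, mac, "->", check_packet(EXAMPLE_SETTINGS, ip, mac, True))
```

The DHCP caution above maps directly onto this model: an entry auto-registered for an untrusted DHCP client makes its pair match and the packet is allowed, which is why access to the DHCP server decides how much protection binding gives.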
ippool
Use this command to configure IP address pools that you can use to configure NAT mode firewall policies.

An IP pool, also called a dynamic IP pool, is a range of IP addresses added to a firewall interface. You can enable Dynamic IP Pool in a firewall policy to translate the source address to an address randomly selected from the IP pool. To use IP pools, the IP pool interface must be the same as the firewall policy destination interface.

Add an IP pool in order to add NAT mode policies that translate source addresses to addresses randomly selected from the IP pool rather than being limited to the IP address of the destination interface. IP pools are only available in NAT/Route mode. Add multiple IP pools to any interface and configure the firewall policy to select the IP pool to use for that firewall policy.

Syntax

config firewall ippool
    edit <index_int>
        set endip <address_ipv4>
        set interface <name_str>
        set startip <address_ipv4>
end

Example

You might use the following commands to add an IP pool to the internal network interface. The IP pool would then be available when configuring firewall policies.

config firewall ippool
    edit 1
        set startip 192.168.1.100
        set endip 192.168.1.200
        set interface internal
end

Keywords and variables   Description   Default

<index_int>
    The unique ID number of this IP pool.
    Default: No default.

endip <address_ipv4>
    The end IP of the address range. The end IP must be higher than the start IP. The end IP does not have to be on the same subnet as the IP address of the interface for which you are adding the IP pool.
    Default: 0.0.0.0

interface <name_str>
    Enter the name of a network interface, binding the IP pool to that interface. On FortiGate-200 models and greater, the network interface can also be a VLAN subinterface.
    Default: No default.

startip <address_ipv4>
    The start IP of the address range. The start IP does not have to be on the same subnet as the IP address of the interface for which you are adding the IP pool.
    Default: 0.0.0.0

History

FortiOS v2.80   Revised.

Related topics

firewall policy, policy6
ldb-monitor
Use this command to configure health check settings.

Health check settings can be used by load balancing VIPs to determine if a real server is currently responsive before forwarding traffic. One health check is sent per interval using the specified protocol, port and HTTP-GET, where applicable to the protocol. If the server does not respond during the timeout period, the health check fails and, if retries are configured, another health check is performed. If all health checks fail, the server is deemed unavailable, and another real server is selected to receive the traffic according to the selected load balancing algorithm.

Health check settings can be re-used by multiple real servers. For details on enabling health checking and using configured health check settings, see firewall vip on page 168.

Syntax

config firewall ldb-monitor
    edit <name_str>
        set http-get <httprequest_str>
        set http-match <contentmatch_str>
        set interval <seconds_int>
        set port <port_int>
        set retry <retries_int>
        set timeout <seconds_int>
        set type {http | ping | tcp}
end

Keywords and variables   Description   Default

<name_str>
    Enter the name of the health check monitor.
    Default: No default.

http-get <httprequest_str>
    Enter the path (URI) of the HTTP-GET request to use when testing the responsiveness of the server.
    This option appears only if type is http.
    Default: No default.

http-match <contentmatch_str>
    Enter the content of the server's reply to the HTTP request that must be matched for the health check to succeed. If the FortiGate unit does not receive a reply from the server, or its reply does not contain matching content, the health check fails.
    This option appears only if type is http.
    Default: No default.

interval <seconds_int>
    Enter the interval time in seconds between health checks.
    Default: 10

port <port_int>
    Enter the port number that will be used by the health check.
    This option does not appear if type is ping.
    Default: 0

retry <retries_int>
    Enter the number of times that the FortiGate unit should retry the health check if a health check fails. If all health checks, including retries, fail, the server is deemed unavailable.
    Default: 3

timeout <seconds_int>
    Enter the timeout in seconds. If the FortiGate unit does not receive a response to the health check in this period of time, the health check fails.
    Default: 2

type {http | ping | tcp}
    Select the protocol used by the health check monitor.
    Default: No default.
Example

You might configure a health check for a server using the HTTP protocol to retrieve a web page. To ensure that a web page reply containing an error message, such as an HTTP 404 page, does not inadvertently cause the health check to succeed, you might search the reply for text that does not occur in any web server error page, such as unique text on a main page.

config firewall ldb-monitor
    edit httphealthchecksettings
        set type http
        set port 8080
        set http-get /index.php
        set http-match "Welcome to Example, Inc."
        set interval 5
        set timeout 2
        set retry 2
end

History

FortiOS v3.0 MR6   New command. Configures health check settings which can be used when enabling health checks for load balanced real servers associated with a virtual IP. This extends and replaces deprecated commands in config realserver for health check by ICMP ECHO (ping).

Related topics

firewall vip
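The health-check semantics of this section (timeout, retry, content match) as an added Python model, not Fortinet code. The probe is a constructed stand-in that hands out scripted reply bodies, and one gap in the reference is filled by assumption: an http monitor with an empty http-match is treated as passing on any reply.

```python
"""Health check evaluation following the 'config firewall ldb-monitor' keywords.

Added example, not Fortinet code. The probe is simulated: a callable that
returns the reply body (str) or None when nothing arrived within timeout.
Assumption: an http monitor with no http-match passes on any reply.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class LdbMonitor:
    """Mirror of the monitor keywords and their page defaults."""
    name: str
    type: str                 # http | ping | tcp
    port: int = 0
    http_get: str = ""        # path (URI) of the GET request, http only
    http_match: str = ""      # text the reply must contain, http only
    interval: int = 10        # seconds between checks
    timeout: int = 2          # seconds to wait for a reply
    retry: int = 3            # further attempts after a failed check


def check_passed(monitor: LdbMonitor, reply: Optional[str]) -> bool:
    """Evaluate one health check against its reply (None = timed out)."""
    if reply is None:
        return False
    if monitor.type == "http":
        # The content match is what keeps a reachable server that answers
        # with an error page (an HTTP 404, say) from being deemed healthy.
        return monitor.http_match == "" or monitor.http_match in reply
    return True                       # ping / tcp: any reply is enough


def server_available(monitor: LdbMonitor,
                     probe: Callable[[], Optional[str]]) -> bool:
    """Initial check plus up to `retry` retries; the first success keeps
    the real server in rotation, all failures mark it unavailable."""
    for _ in range(1 + monitor.retry):
        if check_passed(monitor, probe()):
            return True
    return False


class ScriptedProbe:
    """Constructed stand-in for the network probe: returns prepared replies
    in order (None once exhausted) and counts the checks that were sent."""

    def __init__(self, replies: List[Optional[str]]) -> None:
        self._replies = list(replies)
        self.sent = 0

    def __call__(self) -> Optional[str]:
        self.sent += 1
        return self._replies.pop(0) if self._replies else None


# Monitor from the page's example.
EXAMPLE_MONITOR = LdbMonitor(
    name="httphealthchecksettings", type="http", port=8080,
    http_get="/index.php", http_match="Welcome to Example, Inc.",
    interval=5, timeout=2, retry=2,
)

# Constructed reply bodies.
GOOD_PAGE = "<html><body><h1>Welcome to Example, Inc.</h1></body></html>"
ERROR_PAGE = "<html><body><h1>404 Not Found</h1></body></html>"

if __name__ == "__main__":
    probe = ScriptedProbe([ERROR_PAGE, ERROR_PAGE, ERROR_PAGE])
    print("error-page server:", server_available(EXAMPLE_MONITOR, probe),
          "after", probe.sent, "checks")
    probe = ScriptedProbe([None, None, GOOD_PAGE])
    print("slow-then-good server:", server_available(EXAMPLE_MONITOR, probe),
          "after", probe.sent, "checks")
```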
multicast-policy
Use this command to configure a source NAT IP. This command can also be used in Transparent mode to enable multicast forwarding by adding a multicast policy.

The matched forwarded (outgoing) IP multicast source IP address is translated to the configured IP address. For additional options related to multicast, see multicast-forward {enable | disable} in system settings on page 453 and tp-mc-skip-policy {enable | disable} in system global on page 363.

Syntax

config firewall multicast-policy
    edit <index_int>
        set action {accept | deny}
        set dnat <address_ipv4>
        set dstaddr <address_ipv4mask>
        set dstintf <name_str>
        set nat <address_ipv4>
        set srcaddr <address_ipv4mask>
        set srcintf <name_str>
        set protocol <multicastlimit_int>
        set start-port <port_int>
        set end-port <port_int>
end

Keywords and variables   Description   Default

<index_int>
    Enter the unique ID number of this multicast policy.
    Default: No default.

action {accept | deny}
    Enter the policy action.
    Default: accept

dnat <address_ipv4>
    Enter an IP address to destination network address translate (DNAT) externally received multicast destination addresses to addresses that conform to your organization's internal addressing policy.
    Default: 0.0.0.0

dstaddr <address_ipv4mask>
    Enter the destination IP address and netmask, separated by a space, to match against multicast NAT packets.
    Default: 0.0.0.0 0.0.0.0

dstintf <name_str>
    Enter the destination interface name to match against multicast NAT packets.
    Default: No default.

nat <address_ipv4>
    Enter the IP address to substitute for the original source IP address.
    Default: 0.0.0.0

srcaddr <address_ipv4mask>
    Enter the source IP address and netmask to match against multicast NAT packets.
    Default: 0.0.0.0 0.0.0.0

srcintf <name_str>
    Enter the source interface name to match against multicast NAT packets.
    Default: No default.

protocol <multicastlimit_int>
    Limit the number of protocols (services) sent out via multicast using the FortiGate unit.
    Default: 0

start-port <port_int>
    The beginning of the port range used for multicast.
    Default: No default.

end-port <port_int>
    The end of the port range used for multicast.
    Default: 65535
Example

This example shows how to configure a multicast NAT policy.

config firewall multicast-policy
    edit 1
        set dstaddr 10.0.0.1 255.255.255.0
        set dstintf dmz
        set nat 10.0.1.1
        set srcaddr 192.168.100.12 255.255.255.0
        set srcintf internal
end

History

FortiOS v2.80      Revised.
FortiOS v3.0 MR4   Added protocol, start-port, and end-port to multicast-policy.
FortiOS v3.0 MR5   Added dnat.

Related topics

system global
policy, policy6
Use this command to add, edit, or delete firewall policies.

Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions used by the FortiGate unit to decide what to do with a connection request. The policy directs the firewall to allow the connection, deny the connection, require authentication before the connection is allowed, or apply IPSec or SSL VPN processing.

Note: If you are creating an IPv6 policy, some of the IPv4 options, such as NAT and VPN settings, are not applicable.

Syntax

config firewall policy, policy6
    edit <index_int>
        set action {accept | deny | ipsec | ssl-vpn}
        set auth-cert <certificate_str>
        set auth-path {enable | disable}
        set auth-redirect-addr <domainname_str>
        set comments <comment_str>
        set custom-log-fields <fieldid_int>
        set diffserv-forward {enable | disable}
        set diffserv-reverse {enable | disable}
        set diffservcode-forward <dscp_bin>
        set diffservcode-rev <dscp_bin>
        set disclaimer {enable | disable}
        set dstaddr <name_str>
        set dstintf <name_str>
        set fixedport {enable | disable}
        set endpoint-allow-collect-sysinfo {enable | disable}
        set endpoint-check {enable | disable}
        set endpoint-restrict-check {no-av no-fw no-wf not-licensed}
        set endpoint-redir-portal {enable | disable}
        set fsae {enable | disable}
        set fsae-guest-profile <profile_str>
        set identity-based {enable | disable}
        set inbound {enable | disable}
        set ippool {enable | disable}
        set logtraffic {enable | disable}
        set match-vip {enable | disable}
        set nat {enable | disable}
        set natinbound {enable | disable}
        set natip <address_ipv4mask>
        set natoutbound {enable | disable}
        set ntlm {enable | disable}
        set outbound {enable | disable}
        set poolname <name_str>
        set profile <name_str>
        set profile-status {enable | disable}
        set redirect-url <name_str>
        set schedule <name_str>
        set service <name_str>
        set session-ttl <session_time_integer>
        set srcaddr <name_str>
        set srcintf <name_str>
        set sslvpn-auth {any | ldap | local | radius | tacacs+}
        set sslvpn-ccert {enable | disable}
        set sslvpn-cipher {0 | 1 | 2}
        set status {enable | disable}
        set tcp-mss-sender <maximumsize_int>
        set tcp-mss-receiver <maximumsize_int>
        set traffic-shaper <name_str>
        set traffic-shaper-reverse <name_str>
        set vpntunnel <name_str>
        set wccp {enable | disable}
        config identity-based-policy
            edit <policy_id>
                set groups <group_name>
                set logtraffic {enable | disable}
                set profile <name_str>
                set schedule <name_str>
                set service <name_str>
                set traffic-shaper <name_str>
                set traffic-shaper-reverse <name_str>
            end
        end
end

Keywords and variables   Description   Default

<index_int>
    Enter the unique ID number of this policy.
    Default: No default.

action {accept | deny | ipsec | ssl-vpn}
    Select the action that the FortiGate unit will perform on traffic matching this firewall policy.
    accept: Allow packets that match the firewall policy. Also enable or disable nat to make this a NAT policy (NAT/Route mode only), enable or disable ippool so that the NAT policy selects a source address for packets from a pool of IP addresses added to the destination interface, and enable or disable fixedport so that the NAT policy does not translate the packet source port.
    deny: Deny packets that match the firewall policy.
    ipsec: Allow and apply IPSec VPN. When action is set to ipsec, you must specify the vpntunnel attribute. You may also enable or disable the inbound, outbound, natoutbound, and natinbound attributes and/or specify a natip value.
    ssl-vpn: Allow and apply SSL VPN. When action is set to ssl-vpn, you may specify values for the sslvpn-auth, sslvpn-ccert, and sslvpn-cipher attributes.
    For IPv6 policies, only the accept and deny options are available.
    Default: deny

auth-cert <certificate_str>
    Select an HTTPS server certificate for policy authentication. self-sign is the built-in, self-signed certificate; if you have added other certificates, you may select them instead.
    This option appears only if identity-based is enable.
    Default: No default.
auth-path {enable | disable}
    Select to apply authentication-based routing. You must also specify a RADIUS server, and the RADIUS server must be configured to supply the name of an object specified in config router auth-path. For details on configuring authentication-based routes, see router auth-path on page 233.
    This option appears only when the FortiGate unit is operating in NAT mode and identity-based is enable.
    For details on NAT and transparent mode, see opmode {nat | transparent} on page 455.
    Default: disable

auth-redirect-addr <domainname_str>
    Enter the IP address or domain name that the FortiGate unit will use when performing HTTP-to-HTTPS URL redirects for firewall policy authentication.
    To prevent web browser security warnings, this should match the CN field of the specified auth-cert, which is usually a fully qualified domain name (FQDN).
    This option appears only if groups is configured and identity-based is enable.
    Default: No default.

comments <comment_str>
    Enter a description or other information about the policy. (Optional.)
    comment_str is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces. For more information, see Entering spaces in strings on page 46.
    Default: No default.

custom-log-fields <fieldid_int>
    Enter custom log field index numbers to append one or more custom log fields to the log message for this policy. Separate multiple custom log field indices with a space. (Optional.)
    This option takes effect only if logging is enabled for the policy, and requires that you first define custom log fields. For details, see log custom-field on page 208.
    Default: No default.

diffserv-forward {enable | disable}
    Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic. If enabled, also configure diffservcode-forward.
    Default: disable

diffserv-reverse {enable | disable}
    Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of reverse (reply) traffic. If enabled, also configure diffservcode-rev.
    Default: disable

diffservcode-forward <dscp_bin>
    Enter the differentiated services code point (DSCP) value that the FortiGate unit will apply to the field of originating (forward) packets. The value is 6 bits binary. The valid range is 000000-111111.
    This option appears only if diffserv-forward is enable.
    For details and DSCP configuration examples, see the Knowledge Center article Differentiated Services Code Point (DSCP) behavior.
    Default: 000000

diffservcode-rev <dscp_bin>
    Enter the differentiated services code point (DSCP) value that the FortiGate unit will apply to the field of reply (reverse) packets. The value is 6 bits binary. The valid range is 000000-111111.
    This option appears only if diffserv-reverse is enable.
    For details and DSCP configuration examples, see the Knowledge Center article Differentiated Services Code Point (DSCP) behavior.
    Default: 000000

disclaimer {enable | disable}
    Enable to display the authentication disclaimer page, which is configured with other replacement messages. The user must accept the disclaimer to connect to the destination.
    This option appears only if profile or groups (authentication) is configured, and only appears on some models.
    Default: disable
dstaddr <name_str>
    Enter one or more destination firewall addresses, or a virtual IP, if creating a NAT policy. Separate multiple firewall addresses with a space.
    If action is set to ipsec, enter the name of the IP address to which IP packets may be delivered at the remote end of the IPSec VPN tunnel. For details, see Defining IP source and destination addresses in the FortiGate IPSec VPN User Guide.
    If action is set to ssl-vpn, enter the name of the IP address that corresponds to the host, server, or network that remote clients need to access behind the FortiGate unit.
    For details on configuring virtual IPs, see vip on page 168.
    No default.
dstintf <name_str>
    Enter the destination interface for the policy. The interface can be a physical interface, a VLAN subinterface, or a zone.
    If action is set to ipsec, enter the name of the interface to the external (public) network.
    If action is set to ssl-vpn, enter the name of the interface to the local (private) network.
    Note: If an interface or VLAN subinterface has been added to a zone, the interface or VLAN subinterface cannot be used for dstintf.
    No default.
fixedport {enable | disable}
    Enable to preserve the packet's source port number, which may otherwise be changed by a NAT policy. Some applications do not function correctly if the source port number is changed, and may require this option.
    If fixedport is enable, you should usually also enable IP pools; if you do not configure an IP pool for the policy, only one connection can occur at a time for this port.
    Default: disable
endpoint-allow-collect-sysinfo {enable | disable}
    Enable to allow the endpoint compliance check to detect specific applications on the endpoint. This is available only if endpoint-check is enabled.
    Default: disable
endpoint-check {enable | disable}
    Enable to perform the endpoint compliance check. This check denies access to this firewall policy for hosts that do not have up-to-date FortiClient Endpoint Security software running. You also need to configure:
    endpoint-restrict-check
    endpoint-redir-portal
    endpoint-allow-collect-sysinfo
    Note: If the firewall policy involves a load balancing virtual IP, the endpoint compliance check is not performed.
    For more information, see endpoint-control on page 99.
    Default: disable
endpoint-redir-portal {enable | disable}
    When endpoint-check denies a user access, redirect the user to the FortiClient Download Portal. The portal page displays the reason the user was denied access. The user can download FortiClient Endpoint Security software from the portal.
    This keyword is available only if endpoint-check is enabled.
    Default: disable
endpoint-restrict-check {no-av no-fw no-wf not-licensed}
    Deny access to this firewall policy if any of the following FortiClient Endpoint Security conditions are true:
    no-av: antivirus (real-time protection) is not enabled
    no-fw: firewall is not enabled
    no-wf: web filter is not enabled
    not-licensed: FortiClient software is not licensed
    This keyword is available only if endpoint-check is enabled.
    No default.
fsae {enable | disable}
    Enable or disable Directory Service authentication.
    If you enable this option, you must also define the user groups and the guest account protection profile. For details, see fsae-guest-profile <profile_str> on page 125 and groups <group_name> on page 127.
    Default: disable
fsae-guest-profile <profile_str>
    Enter the name of the protection profile used when a guest account authenticates using FSAE. If any other authentication method is selected in the firewall policy, the fsae guest profile is not applied.
    No default.
identity-based {enable | disable}
    Select to enable or disable identity-based policy authentication.
    This option appears only if action is accept.
    Default: disable
inbound {enable | disable}
    When action is set to ipsec, enable or disable traffic from computers on the remote private network to initiate an IPSec VPN tunnel.
    Default: disable
ippool {enable | disable}
    When the action is set to accept and NAT is enabled, configure a NAT policy to translate the source address to an address randomly selected from the first IP pool added to the destination interface of the policy. If fixedport is specified for a service or for dynamic NAT, use IP pools.
    Default: disable
logtraffic {enable | disable}
    Enable or disable recording traffic log messages for this policy.
    Default: disable
match-vip {enable | disable}
    The FortiGate unit will check whether DNATed traffic matches the policy if match-vip is enabled. Normally, the FortiGate unit only checks whether DNATed traffic matches VIP policies.
    Default: disable
nat {enable | disable}
    Enable or disable network address translation (NAT). NAT translates the address and the port of packets accepted by the policy. When NAT is enabled, ippool and fixedport can also be enabled or disabled.
    FortiOS v3.0 also supports NAT in transparent mode. For details, see Example: Adding a NAT firewall policy in transparent mode on page 128.
    This option appears only if action is accept or ssl-vpn.
    Default: disable
natinbound {enable | disable}
    Enable or disable translating the source addresses of IP packets emerging from the tunnel into the IP address of the FortiGate unit's network interface to the local private network.
    This option appears only if action is ipsec.
    Default: disable
natip <address_ipv4mask>
    When action is set to ipsec and natoutbound is enabled, specify the source IP address and subnet mask to apply to outbound clear text packets before they are sent through the tunnel.
    If you do not specify a natip value when natoutbound is enabled, the source addresses of outbound encrypted packets are translated into the IP address of the FortiGate unit's external interface. When a natip value is specified, the FortiGate unit uses a static subnetwork-to-subnetwork mapping scheme to translate the source addresses of outbound IP packets into corresponding IP addresses on the subnetwork that you specify. For example, if the source address in the firewall encryption policy is 192.168.1.0/24 and the natip value is 172.16.2.0/24, a source address of 192.168.1.7 will be translated to 172.16.2.7.
    Default: 0.0.0.0 0.0.0.0
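The static subnetwork-to-subnetwork mapping described for natip, worked through in Python as an added example (this is not Fortinet code and does not show the FortiGate unit's own implementation). The function keeps the host part of the inside address and replaces the network part with the natip subnetwork; when natip is left at 0.0.0.0 0.0.0.0 it returns the external interface address, as the description states. The requirement that the natip mask equal the policy srcaddr mask, and the external address 203.0.113.1 used in the usage line, are assumptions of the example.

```python
# Added example (not Fortinet code): the static subnetwork-to-subnetwork
# mapping this reference describes for natip, using the ipaddress module.
import ipaddress


def _network(value):
    """Accept either 'a.b.c.d/prefix' or the CLI form 'a.b.c.d mask'."""
    return ipaddress.IPv4Network(value.strip().replace(" ", "/"), strict=False)


def natip_translate(src_ip, policy_srcaddr, natip, external_ip):
    """Return the source address an outbound packet carries after the policy.

    src_ip          inside host address, e.g. 192.168.1.7
    policy_srcaddr  srcaddr subnet of the encryption policy, e.g. 192.168.1.0/24
    natip           natip value; '0.0.0.0 0.0.0.0' means not specified
    external_ip     FortiGate external interface address (constructed input)

    With natip unset, the source becomes the external interface address.
    With natip set, the host bits of src_ip are kept and the network bits are
    replaced by the natip subnetwork (192.168.1.7 -> 172.16.2.7 in the text).
    """
    src = ipaddress.IPv4Address(src_ip)
    src_net = _network(policy_srcaddr)
    if src not in src_net:
        raise ValueError(f"{src} is not inside the policy srcaddr {src_net}")
    nat_net = _network(natip)
    if nat_net.network_address == ipaddress.IPv4Address("0.0.0.0"):
        return str(ipaddress.IPv4Address(external_ip))
    # Assumption of this example: a one-to-one mapping needs equal masks.
    if nat_net.prefixlen != src_net.prefixlen:
        raise ValueError("natip mask must match the policy srcaddr mask")
    host_bits = int(src) & int(src_net.hostmask)
    return str(ipaddress.IPv4Address(int(nat_net.network_address) | host_bits))


def translate_subnet(policy_srcaddr, natip, external_ip):
    """Map every host of the policy subnet, useful for checking the scheme."""
    return {str(h): natip_translate(str(h), policy_srcaddr, natip, external_ip)
            for h in _network(policy_srcaddr).hosts()}


if __name__ == "__main__":
    # Usage with the values from the reference; 203.0.113.1 is constructed.
    print(natip_translate("192.168.1.7", "192.168.1.0/24", "172.16.2.0/24", "203.0.113.1"))
```

The translate_subnet helper lets you confirm that the whole policy subnet maps one-to-one onto the natip subnetwork before relying on the mapping for return routing at the remote end.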
natoutbound {enable | disable}
    When action is set to ipsec, enable or disable translating the source addresses of outbound encrypted packets into the IP address of the FortiGate unit's outbound interface. Enable this attribute in combination with the natip attribute to change the source addresses of IP packets before they go into the tunnel.
    Default: disable
ntlm {enable | disable}
    Enable or disable Directory Service authentication via NTLM.
    If you enable this option, you must also define the user groups. For details, see groups <group_name> on page 127.
    This option appears only if identity-based is enable.
    Default: disable
outbound {enable | disable}
    When action is set to ipsec, enable or disable traffic from computers on the local private network to initiate an IPSec VPN tunnel.
    Default: disable
poolname <name_str>
    Enter the name of the IP pool.
    This variable appears only if nat and ippool are enable and when dstintf is the network interface bound to the IP pool.
    No default.
profile <name_str>
    Enter the name of a protection profile to use with the policy.
    This option appears only if profile-status is enable.
    No default.
profile-status {enable | disable}
    Enable or disable using a protection profile with the policy. If enabled, also configure profile.
    This is automatically disabled if a user group with an associated protection profile has been configured in groups. In that case, the protection profile is determined by the user group rather than by the firewall policy.
    Default: disable
redirect-url <name_str>
    Enter a URL, if any, that the user is redirected to after authenticating and/or accepting the user authentication disclaimer.
    This option is available on some models, and only appears if disclaimer is enable.
    No default.
schedule <name_str>
    Enter the name of the one-time or recurring schedule to use for the policy.
    No default.
service <name_str>
    Enter the name of one or more services, or a service group, to match with the firewall policy. Separate multiple services with a space.
    No default.
session-ttl <session_time_integer>
    Set the timeout value in the policy to override the global timeout setting defined with config system session-ttl. When left at the default value, the policy setting has no effect and the global setting applies.
    Default: 0
srcaddr <name_str>
    Enter one or more source firewall addresses for the policy. Separate multiple firewall addresses with a space.
    If action is set to ipsec, enter the private IP address of the host, server, or network behind the FortiGate unit.
    If action is set to ssl-vpn and the firewall encryption policy is for web-only mode clients, type all.
    If action is set to ssl-vpn and the firewall encryption policy is for tunnel mode clients, enter the name of the IP address range that you reserved for tunnel mode clients. To define an address range for tunnel mode clients, see ssl settings on page 557.
    No default.
srcintf <name_str>
    Enter the source interface for the policy. The interface can be a physical interface, a VLAN subinterface, or a zone.
    If the interface or VLAN subinterface has been added to a zone, the interface or VLAN subinterface cannot be used for srcintf.
    If action is set to ipsec, enter the name of the interface to the local (private) network.
    If action is set to ssl-vpn, enter the name of the interface that accepts connections from remote clients.
    No default.
sslvpn-auth {any | ldap | local | radius | tacacs+}
    If action is set to ssl-vpn, enter one of the following client authentication options:
    If you want the FortiGate unit to authenticate remote clients using any local user group, a RADIUS server, or an LDAP server, type any.
    If the user group is a local user group, type local.
    If the remote clients are authenticated by an external RADIUS server, type radius.
    If the remote clients are authenticated by an external LDAP server, type ldap.
    If the remote clients are authenticated by an external TACACS+ server, type tacacs+.
    You must also set the name of the group which will use the authentication method. For details, see groups <group_name> on page 127.
    Default: any
sslvpn-ccert {enable | disable}
    If action is set to ssl-vpn, enable or disable the use of security certificates to authenticate remote clients.
    Default: disable
sslvpn-cipher {0 | 1 | 2}
    If action is set to ssl-vpn, enter one of the following options to determine the level of SSL encryption to use. The web browser on the remote client must be capable of matching the level that you select:
    To use any cipher suite, type 0.
    To use a 164-bit or greater cipher suite (high), type 1.
    To use a 128-bit or greater cipher suite (medium), type 2.
    Default: 0
status {enable | disable}
    Enable or disable the policy.
    Default: enable
tcp-mss-sender <maximumsize_int>
    Enter a TCP Maximum Sending Size number for the sender.
    When a FortiGate unit is configured to use PPPoE to connect to an ISP, certain web sites may not be accessible to users. This occurs because a PPPoE frame takes an extra 8 bytes off the standard Ethernet MTU of 1500.
    When the server sends a large packet with the DF bit set to 1, the ADSL provider's router either does not send an ICMP fragmentation needed packet or the packet is dropped along the path to the web server. In either case, the web server never knows that fragmentation is required to reach the client.
    In this case, configure the tcp-mss-sender option to enable access to all web sites. For more information, see the article Cannot view some web sites when using PPPoE on the Fortinet Knowledge Center.
    Default: 0
tcp-mss-receiver <maximumsize_int>
    Enter a TCP MSS number for the receiver.
    Default: 0
traffic-shaper <name_str>
    Select a traffic shaper for the policy. A traffic shaper controls the bandwidth available to, and sets the priority of, the traffic processed by the policy.
    This option appears only if identity-based is disable.
    No default.
traffic-shaper-reverse <name_str>
    Select a reverse traffic shaper. For example, if the traffic direction that a policy controls is from port1 to port2, selecting this option also applies the policy's shaping configuration to traffic from port2 to port1.
    This option appears only if a traffic-shaper is selected.
    No default.
vpntunnel <name_str>
    Enter the name of a Phase 1 IPSec VPN configuration to apply to the tunnel.
    This option appears only if action is ipsec.
    No default.
wccp {enable | disable}
    Enable or disable web cache on the policy. If enabled, the FortiGate unit will check the learned web cache information, and may redirect the traffic to the web cache server.
    Default: disable
identity-based-policy
    Create an identity-based firewall policy that requires authentication. This option is only available if identity-based is set to enable. For more information, see identity-based {enable | disable}.
    No default.
<policy_id>
    Enter the name for the identity-based policy.
    No default.
groups <group_name>
    Enter the user group name for the identity-based policy.
    No default.
logtraffic {enable | disable}
    Enable or disable traffic logging for the identity-based policy.
    Default: disable
profile <name_str>
    Enter the protection profile name for the identity-based policy.
    No default.
schedule <name_str>
    Enter the firewall schedule for the identity-based policy.
    No default.
service <name_str>
    Enter the firewall service for the identity-based policy.
    No default.
traffic-shaper <name_str>
    Enter the traffic shaper for the identity-based policy.
    No default.
traffic-shaper-reverse <name_str>
    Enter the reverse direction traffic shaper for the identity-based policy.
    This option is only available if you have selected a traffic shaper.
    No default.
Example: Adding a firewall policy in NAT/Route mode
On a FortiGate-100, FortiGate-200, or FortiGate-300, use the following example to add policy number 2 that allows users on the external network to access a web server on a DMZ network. The policy:
• Is for connections from the external interface (srcintf is external) to the DMZ interface (dstintf is dmz)
• Is enabled
• Allows users from any IP address on the Internet to access the web server (srcaddr is all)
• Allows access to an address on the DMZ network (dstaddr is dmz_web_server)
• Sets the schedule to Always so that users can access the web server 24 hours a day, seven days a week
• Sets the service to HTTP to limit access to the web server to HTTP connections
• Sets action to accept to allow connections
• Applies network address translation (nat is enabled)
config firewall policy
    edit 2
        set srcintf external
        set dstintf dmz
        set status enable
        set srcaddr all
        set dstaddr dmz_web_server
        set schedule Always
        set service HTTP
        set action accept
        set nat enable
end
Example: Adding a NAT firewall policy in transparent mode
For NAT firewall policies to work in NAT/Route mode you must have two interfaces on two different networks with two different subnet addresses. Then you can create firewall policies to translate source or destination addresses for packets as they are relayed by the FortiGate unit from one interface to the other.
A FortiGate unit operating in Transparent mode normally has only one IP address, the management IP. To support NAT in Transparent mode you can add a second management IP. These two management IPs must be on different subnets. When you add two management IP addresses, all FortiGate unit network interfaces will respond to connections to both of these IP addresses.
In the example below, all of the PCs on the internal network (subnet address 192.168.1.0/24) are configured with 192.168.1.99 as their default route. One of the management IPs of the FortiGate unit is set to 192.168.1.99. This configuration results in a typical NAT mode firewall. When a PC on the internal network attempts to connect to the Internet, the PC's default route sends packets destined for the Internet to the FortiGate unit internal interface.
Similarly, on the DMZ network (subnet address 10.1.1.0/24) all of the PCs have a default route of 10.1.1.99.
The example describes adding an internal to wan1 firewall policy to relay these packets from the internal
interface out the wan1 interface to the Internet. Because the wan1 interface does not have an IP address
of its own, you must add an IP pool to the wan1 interface that translates the source addresses of the
outgoing packets to an IP address on the network connected to the wan1 interface.
The example describes adding an IP pool with a single IP address of 10.1.1.201. So all packets sent by a
PC on the internal network that are accepted by the internal to wan1 policy leave the wan1 interface with
their source address translated to 10.1.1.201. These packets can now travel across the Internet to their
destination. Reply packets return to the wan1 interface because they have a destination address of
10.1.1.201. The internal to wan1 NAT policy translates the destination address of these return packets to
the IP address of the originating PC and sends them out the internal interface to the originating PC.
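The forward and reply translation this paragraph describes, together with the fixedport behaviour documented in the policy table above, modelled as a small Python source NAT. This is an added example, not Fortinet code, and the FortiGate unit's real session handling is more elaborate than this. The pool address 10.1.1.201 is taken from the example; the inside hosts, the destination 198.51.100.5 and the starting translated port 1024 are constructed. With fixedport the original source port is kept, so a one-address pool can carry only one connection at a time for a given port, which is the constraint the fixedport description states.

```python
# Added example (not Fortinet code): a minimal model of the source NAT the
# transparent-mode example describes, with an IP pool of one address and the
# behaviour the fixedport keyword documents.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SourceNat:
    """Policy-style source NAT using an IP pool.

    Forward packets get a pool address as source; replies addressed to that
    pool address and port are mapped back to the inside host. With
    fixedport=False a fresh translated port is allocated per connection. With
    fixedport=True the original source port is kept, so a single pool address
    can carry only one connection at a time for that port.
    """

    def __init__(self, pool_ips, fixedport=False, first_port=1024):
        self.pool_ips = list(pool_ips)
        self.fixedport = fixedport
        self.next_port = first_port          # constructed starting point
        self.forward = {}   # (src_ip, src_port, dst_ip, dst_port) -> (nat_ip, nat_port)
        self.reverse = {}   # (nat_ip, nat_port) -> (src_ip, src_port)

    def translate_out(self, pkt):
        """Translate a packet leaving toward the Internet."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.forward:
            self.forward[key] = self._allocate(pkt)
        nat_ip, nat_port = self.forward[key]
        return Packet(nat_ip, nat_port, pkt.dst_ip, pkt.dst_port)

    def _allocate(self, pkt):
        for nat_ip in self.pool_ips:
            if self.fixedport:
                nat_port = pkt.src_port
            else:
                nat_port, self.next_port = self.next_port, self.next_port + 1
            if (nat_ip, nat_port) not in self.reverse:
                self.reverse[(nat_ip, nat_port)] = (pkt.src_ip, pkt.src_port)
                return nat_ip, nat_port
        raise RuntimeError(
            f"port {pkt.src_port} is already in use on every pool address; "
            "with fixedport only one connection at a time can use it")

    def translate_reply(self, pkt):
        """Reply arrives addressed to the pool address; restore the inside host."""
        mapping = self.reverse.get((pkt.dst_ip, pkt.dst_port))
        if mapping is None:
            raise LookupError("no NAT session for this reply")
        src_ip, src_port = mapping
        return Packet(pkt.src_ip, pkt.src_port, src_ip, src_port)

    def close(self, pkt):
        """Release the mapping when the inside connection ends."""
        nat = self.forward.pop((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        self.reverse.pop(nat, None)


if __name__ == "__main__":
    nat = SourceNat(["10.1.1.201"], fixedport=True)
    print(nat.translate_out(Packet("192.168.1.10", 40000, "198.51.100.5", 80)))
    print(nat.translate_reply(Packet("198.51.100.5", 80, "10.1.1.201", 40000)))
```

The RuntimeError path is the case the fixedport description warns about: a second inside host using the same source port cannot be translated until the first connection is closed, which is why the reference recommends enabling an IP pool with more than one address alongside fixedport.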
Use the following steps to configure NAT in Transparent mode:
• Adding two management IPs
• Adding an IP pool to the wan1 interface
• Adding an internal to wan1 firewall policy
Figure 1: Example NAT in Transparent mode configuration
[Figure 1 labels: FortiGate unit in Transparent mode with management IPs 10.1.1.99 and 192.168.1.99; Internal interface to the Internal network 192.168.1.0/24; DMZ interface to the DMZ network 10.1.1.0/24; WAN 1 to a router on 10.1.1.0/24 and on to the Internet.]
To add a source address translation NAT policy in Transparent mode
1 Enter the following command to add two management IPs.
The second management IP is the default gateway for the internal network.
config system settings
    set manageip 10.1.1.99/24 192.168.1.99/24
end
2 Enter the following command to add an IP pool to the wan1 interface:
config firewall ippool
    edit nat-out
        set interface "wan1"
        set startip 10.1.1.201
        set endip 10.1.1.201
end
3 Enter the following command to add an internal to wan1 firewall policy with NAT enabled that also includes an IP pool:
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        set ippool enable
        set poolname nat-out
end
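An added Python example (not Fortinet code) that parses the two firewall policies shown in this section, the NAT/Route mode policy 2 and the transparent-mode policy 1, out of their CLI text and reviews each against constraints stated in this reference: an accept policy from all to all on service ANY, logtraffic left at its default of disable, fixedport without ippool, ippool without poolname, and a diffservcode-forward value that is not 6-bit binary. Policy 3 and its identity-based-policy subtable are constructed to exercise those checks; the next keyword that separates entries is standard FortiOS CLI syntax but does not appear in the examples above.

```python
# Added example (not Fortinet code): parse "config firewall policy" CLI text
# and audit each policy against constraints this reference states.
import re

# Constructed sample: policies 2 and 1 are the two examples in this section;
# policy 3 is constructed to exercise the checks and a nested subtable.
SAMPLE_CONFIG = """
config firewall policy
    edit 2
        set srcintf external
        set dstintf dmz
        set status enable
        set srcaddr all
        set dstaddr dmz_web_server
        set schedule Always
        set service HTTP
        set action accept
        set nat enable
    next
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        set ippool enable
        set poolname nat-out
    next
    edit 3
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "HTTP"
        set nat enable
        set fixedport enable
        set diffserv-forward enable
        set diffservcode-forward 10111
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups staff
            next
        end
        set logtraffic enable
    next
end
"""

_TOKEN = re.compile(r'"[^"]*"|\S+')


def parse_policies(text):
    """Return {policy_id: {keyword: [values]}} for entries under
    'config firewall policy'. Nested subtables (config identity-based-policy)
    are skipped so their own 'edit 1' is not confused with top-level policy 1;
    'next' and 'end' both close an entry."""
    policies, current, depth = {}, None, 0
    for raw in text.splitlines():
        toks = [t.strip('"') for t in _TOKEN.findall(raw)]
        if not toks:
            continue
        if toks[0] == "config":
            if depth == 0 and toks[1:3] == ["firewall", "policy"]:
                depth = 1
            elif depth:
                depth += 1
            continue
        if depth == 0:
            continue
        if depth > 1:                      # inside a nested subtable: skip it
            if toks[0] == "end":
                depth -= 1
            continue
        if toks[0] == "edit":
            current = policies.setdefault(toks[1], {})
        elif toks[0] == "set" and current is not None:
            current[toks[1]] = toks[2:]
        elif toks[0] in ("next", "end"):
            current = None
            if toks[0] == "end":
                depth = 0
    return policies


def audit_policy(policy):
    """Review findings for one parsed policy, using the defaults stated in
    this reference (logtraffic, fixedport and ippool default to disable)."""
    def val(key, default=None):
        values = policy.get(key)
        return values[0] if values else default
    findings = []
    if val("action") == "accept" and val("status", "enable") == "enable":
        if ("all" in policy.get("srcaddr", []) and "all" in policy.get("dstaddr", [])
                and "ANY" in policy.get("service", [])):
            findings.append("any-to-any accept with service ANY: narrow the service or addresses")
        if val("logtraffic", "disable") != "enable":
            findings.append("logtraffic is disable: accepted sessions leave no traffic log")
    if val("nat") == "enable" and val("fixedport") == "enable" and val("ippool") != "enable":
        findings.append("fixedport without ippool: only one connection at a time per source port")
    if val("ippool") == "enable" and not val("poolname"):
        findings.append("ippool enable without poolname")
    if val("diffserv-forward") == "enable":
        code = val("diffservcode-forward", "000000")
        if not re.fullmatch(r"[01]{6}", code):
            findings.append(f"diffservcode-forward {code} is not 6-bit binary (000000-111111)")
    return findings


def audit(text):
    """Map each policy id to its list of findings."""
    return {pid: audit_policy(p) for pid, p in parse_policies(text).items()}
```

Run audit(SAMPLE_CONFIG) to see that the page's own transparent-mode policy 1 is reported for its any-to-any ANY scope and for the logtraffic default, which is worth deciding on deliberately before the policy goes into production.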
Note: You can add the firewall policy from the web-based manager and then use the CLI to enable NAT and add the IP Pool.
History
FortiOS v2.80  Revised.
FortiOS v2.80 MR2  Replaced the usrgrp keyword with userdomain. Added the poolname keyword.
FortiOS v2.80 MR3  Removed the userdomain keyword. Added the groups keyword.
FortiOS v2.80 MR6  Removed the authentication keyword. Authentication is automatically enabled for a policy when one or more user groups are set with the groups keyword.
FortiOS v3.0  Added ssl-vpn options: sslvpn-ccert, sslvpn-cipher, and sslvpn-auth. The encrypt action name changed to ipsec. Updated ipsec options: vpntunnel, inbound, outbound, natoutbound, natinbound, and natip. Added fsae. Changes to profile and profile-status. Added tcp-mss-sender and tcp-mss-receiver.
FortiOS v3.0 MR4  Added the command ntlm. Described the new ability to add multiple entries for the following commands: srcaddr, dstaddr, and service. NAT policy in transparent mode example added.
FortiOS v3.0 MR5  Added the secure-vlan keyword. This is available only on the FortiGate-224B unit.
FortiOS v3.0 MR6  New variable custom-log-fields <fieldid_int>. Selects custom log fields to append to the policy's log message.
FortiOS v3.0 MR6  New option tacacs+. Selects the TACACS+ authentication method when the firewall policy action is set to ssl-vpn.
FortiOS v3.0 MR6  New variable auth-path {enable | disable}. Enables or disables authentication-based routing.
FortiOS v3.0 MR6  New variable auth-redirect-addr <domainname_str>. Specifies the address used in the URL when performing HTTP-to-HTTPS redirects for policy authentication.
FortiOS v4.0.0  Removed keywords forticlient-check, forticlient-ra-db-outdated, forticlient-ra-no-av, forticlient-ra-no-fw, forticlient-ra-notinstalled, forticlient-ra-notlicensed, forticlient-ra-no-wf, forticlient-redir-portal, gbandwidth, groups, maxbandwidth, traffic-shaping. Added keywords endpoint-allow-collect-sysinfo, endpoint-check, endpoint-redir-portal, endpoint-restrict-check, identity-based, traffic-shaper, traffic-shaper-reverse, session-ttl, wccp, match-vip. New config identity-based-policy subcommand.
Related topics
firewall address, address6
firewall profile
firewall schedule onetime
firewall schedule recurring
firewall service custom
firewall service group
endpoint-control
profile
Use this command to configure protection profiles which can be applied to traffic by selecting the
protection profile in one or more firewall policies, or by associating a protection profile with a firewall user
group. The firewall policy will apply the subset of the protection profile that is relevant to the service or
service group.
Syntax
config firewall profile
    edit <profile_str>
        set application-list-status {enable | disable}
        set application-list <name_string>
        set comment <comment_str>
        set dlp-sensor-table <name_string>
        set filepattable <index_int>
        set ftgd-wf-allow {all | <category_str>}
        set ftgd-wf-deny {all | <category_str>}
        set ftgd-wf-enable {all | <category_str>}
        set ftgd-wf-disable {all | <category_str>}
        set ftgd-wf-https-options {allow-ovrd error-allow rate-server-ip strict-blocking}
        set ftgd-wf-log {all | <category_str>}
        set ftgd-wf-options {allow-ovrd error-allow http-err-detail rate-image-urls rate-server-ip redir-block strict-blocking}
        set ftgd-wf-ovrd {all | <category_str>}
        set ftp {archive-full archive-summary avmonitor avquery block clientcomfort no-content-summary oversize quarantine scan scanextended splice}
        set ftpcomfortamount <size_int>
        set ftpcomfortinterval <seconds_int>
        set ftpoversizelimit <size_int>
        set http {activexfilter avmonitor avquery bannedword block block-invalid-url chunkedbypass clientcomfort cookiefilter exemptword fortiguard-wf javafilter no-content-summary oversize quarantine rangeblock scan scanextended strict-file urlfilter}
        set httpcomfortamount <size_int>
        set httpcomfortinterval <seconds_int>
        set httpoversizelimit <size_int>
        set httpsoversizelimit <size_int>
        set http-retry-count <retry_int>
        set https-retry-count <retry_int>
        set https {allow-invalid-server-cert block-ssl-unknown-sess-id block-invalid-url fortiguard-wf no-content-summary urlfilter}
        set https-deep-scan {enable | disable}
        set im {avmonitor avquery block oversize quarantine scan scanextended}
        set imap {archive-full archive-summary avmonitor avquery bannedword block fragmail no-content-summary oversize quarantine scan scanextended spam-mail-log spamemailbwl spamfschksum spamfsip spamfssubmit spamfsurl spamhdrcheck spamipbwl spamraddrdns spamrbl}
        set imaps {allow-invalid-server-cert archive-full archive-summary avmonitor avquery bannedword block fragmail log-invalid-server-cert no-content-summary oversize quarantine scan scanextended spam-mail-log spamemailbwl spamfschksum spamfsip spamfssubmit spamfsurl spamhdrcheck spamipbwl spamraddrdns spamrbl}
        set imapoversizelimit <size_int>
        set imapsoversizelimit <size_int>
        set imap-spamaction {pass | tag}
        set imap-spamtagtype {subject header spaminfo}
        set imap-spamtagmsg <text_string>
        set imaps-spamaction {pass | tag}
        set imaps-spamtagtype {subject header spaminfo}
        set imaps-spamtagmsg <text_string>
        set imoversizelimit <size_int>
        set ips-sensor <name_str>
        set ips-sensor-status {enable | disable}
        set mail-sig <signature_str>
        set mailsig-status {enable | disable}
        set nac-quar-infected {none quar-interface quar-src-ip}
        set nac-quar-expiry {###d##h##m indefinite}
        set nntp {avmonitor avquery block no-content-summary oversize scan scanextended spam-mail-log splice}
        set nntpoversizelimit <limit_int>
        set pop3 {avmonitor avquery bannedword block fragmail no-content-summary oversize quarantine scan scanextended spam-mail-log spamemailbwl spamfschksum spamfsip spamfssubmit spamfsurl spamhdrcheck spamipbwl spamraddrdns spamrbl}
        set pop3s {allow-invalid-server-cert avmonitor avquery bannedword block fragmail log-invalid-server-cert no-content-summary oversize quarantine scan scanextended spam-mail-log spamemailbwl spamfschksum spamfsip spamfssubmit spamfsurl spamhdrcheck spamipbwl spamraddrdns spamrbl}
        set pop3oversizelimit <size_int>
        set pop3soversizelimit <size_int>
        set pop3-spamaction {pass | tag}
        set pop3-spamtagmsg <message_str>
        set pop3-spamtagtype {header | subject} {spaminfo | }
        set pop3s-spamaction {pass | tag}
        set pop3s-spamtagmsg <message_str>
        set smtp {avmonitor avquery bannedword block fragmail no-content-summary oversize quarantine scan scanextended spam-mail-log spamemailbwl spamfsip spamfschksum spamfsurl spamhdrcheck spamhelodns spamipbwl spamraddrdns spamrbl splice}
        set smtps {allow-invalid-server-cert avmonitor avquery bannedword block fragmail log-invalid-server-cert no-content-summary oversize quarantine scan scanextended spam-mail-log spamemailbwl spamfsip spamfschksum spamfsurl spamhdrcheck spamhelodns spamipbwl spamraddrdns spamrbl splice}
        set smtp-spam-localoverride {enable | disable}
        set smtpoversizelimit <size_int>
        set smtpsoversizelimit <size_int>
        set smtp-spamaction {discard | pass | tag}
        set smtp-spamhdrip {enable | disable}
        set smtp-spamtagmsg <message_str>
        set smtp-spamtagtype {header | subject} {spaminfo | }
        set smtps-spamaction {discard | pass | tag}
        set smtps-spamhdrip {enable | disable}
        set smtps-spamtagmsg <message_str>
        set smtps-spamtagtype {header | subject} {spaminfo | }
        set spambwordtable <index_int>
        set spamemaddrtable <index_int>
        set spamipbwltable <index_int>
        set spamiptrusttable <index_int>
        set spammheadertable <index_int>
        set spamrbltable <index_int>
        set spambwordthreshold <value_int>
        set webbwordtable <index_int>
        set webbwordthreshold <value_int>
        set webexmwordtable <index_int>
        set weburlfiltertable <index_int>
        config log
            set log-app-ctrl {enable | disable}
            set log-dlp {enable | disable}
            set log-av-block {enable | disable}
            set log-av-oversize {enable | disable}
            set log-av-virus {enable | disable}
            set log-ips {enable | disable}
            set log-spam {enable | disable}
            set log-web-content {enable | disable}
            set log-web-filter-activex {enable | disable}
            set log-web-filter-applet {enable | disable}
            set log-web-filter-cookie {enable | disable}
            set log-web-url {enable | disable}
        end
        config app-recognition
        end
    end
Keywords and variables Description Default
<profile_str>
    Enter the name of this protection profile.
    No default.
The following commands are the set options for edit <profile_str>.
application-list-status {enable | disable}
    Enable or disable application control.
    Default: disable
application-list <name_string>
    Set the application control list name.
    This option only appears after application-list-status is enable.
    No default.
comment <comment_str>
    Enter a comment about the protection profile. If the comment contains spaces or special characters, surround the comment with double quotes ("). Comments can be up to 64 characters long.
    No default.
dlp-sensor-table <name_string>
    Select a Data Leak Prevention sensor for the profile.
    No default.
filepattable <index_int>
    Enter the ID number of the file pattern list to be used with the protection profile.
    This option appears only on FortiGate-800 models and greater.
    Default: 0
f t gd- wf - al l ow
{al l | <cat egor y_st r >}
Enter al l , or enter one or more category codes, representing
FortiGuard Web Filtering web page categories or category
groups that you want to allow.
To view a list of available category codes with their descriptions,
enter get , then locate entries for f t gd- wf - enabl e, such as
g01 Pot ent i al l y Li abl e, 1 Dr ug Abuse, and c06 Spam
URL.
Separate multiple codes with a space. To delete entries, use the
unset command to delete the entire list.
See also webfilter fortiguard on page 596.
All categories not
specified as deny
or monitor.
f t gd- wf - deny
{al l | <cat egor y_st r >}
Enter al l , or enter one or more category codes, representing
FortiGuard Web Filtering web page categories or category
groups that you want to block.
To view a list of available category codes with their descriptions,
enter get , then locate entries for f t gd- wf - enabl e, such as
g01 Pot ent i al l y Li abl e, 1 Dr ug Abuse, and c06 Spam
URL.
Separate multiple codes with a space. To delete entries, use the
unset command to delete the entire list.
See also webfilter fortiguard on page 596.
No default.
ftgd-wf-enable {all | <category_str>}
    Enable categories for use in local ratings. You can enable categories,
    classes, and groups.
    To view a list of available category codes with their descriptions,
    enter get, then locate entries for ftgd-wf-enable, such as
    g01 Potentially Liable, 1 Drug Abuse, and c06 Spam URL.
    Separate multiple codes with a space. To delete entries, use the unset
    command to delete the entire list.
    See also webfilter fortiguard on page 596.
    Default: none
ftgd-wf-disable {all | <category_str>}
    Disable categories for use in local ratings. You can disable
    categories, classes, and groups.
    To view a list of available category codes with their descriptions,
    enter get, then locate entries for ftgd-wf-enable, such as
    g01 Potentially Liable, 1 Drug Abuse, and c06 Spam URL.
    Separate multiple codes with a space. To delete entries, use the unset
    command to delete the entire list.
    See also webfilter fortiguard on page 596.
    Default: none
ftgd-wf-https-options {allow-ovrd error-allow rate-server-ip strict-blocking}
    Select the options for FortiGuard Web Filtering category blocking of
    HTTPS traffic.
    allow-ovrd: Allow authenticated rating overrides.
    error-allow: Allow web pages with a rating error to pass through.
    rate-server-ip: Rate both the URL and the IP address of the requested
    site, providing additional security against circumvention attempts.
    strict-blocking: Block any web page if any classification or category
    matches the rating.
    Separate multiple options with a space. To remove an option from the
    list or add an option to the list, retype the list with the option
    removed or added.
    Default: strict-blocking
ftgd-wf-log {all | <category_str>}
    Enter all, or enter one or more category codes, representing FortiGuard
    Web Filtering web page categories or category groups that you want to
    log.
    To view a list of available category codes with their descriptions,
    enter get, then locate entries for ftgd-wf-enable, such as
    g01 Potentially Liable, 1 Drug Abuse, and c06 Spam URL.
    Separate multiple codes with a space. To delete entries, use the unset
    command to delete the entire list.
    Default: none
Keywords and variables Description Default
ftgd-wf-options {allow-ovrd error-allow http-err-detail rate-image-urls
    rate-server-ip redir-block strict-blocking}
    Select options for FortiGuard web filtering, separating multiple
    options with a space.
    allow-ovrd: Allow authenticated rating overrides.
    error-allow: Allow web pages with a rating error to pass through.
    http-err-detail: Display a replacement message for 4xx and 5xx HTTP
    errors. If error pages are allowed, malicious or objectionable sites
    could use these common error pages to circumvent web category
    blocking. This option does not apply to HTTPS.
    rate-image-urls: Rate images by URL. Blocked images are replaced with
    blanks. This option does not apply to HTTPS.
    rate-server-ip: Send both the URL and the IP address of the requested
    site for checking, providing additional security against attempts to
    bypass the FortiGuard system.
    redir-block: Block HTTP redirects. Many web sites use HTTP redirects
    legitimately; however, in some cases, redirects may be designed
    specifically to circumvent web filtering, as the initial web page
    could have a different rating than the destination web page of the
    redirect.
    strict-blocking: Block any web page if any classification or category
    matches the rating. This option does not apply to HTTPS.
    To remove an option from the list or add an option to the list, retype
    the list with the option removed or added.
    These options take effect only if FortiGuard web filtering is enabled
    for the protocol.
    Default: strict-blocking
ftgd-wf-ovrd {all | <category_str>}
    Enter all, or enter one or more category codes, representing FortiGuard
    Web Filtering web page categories or category groups that you want to
    allow users to override. If filtering overrides are enabled for the
    protocol and a user requests a web page from a category that is
    blocked, the user is presented with an authentication challenge; if
    they successfully authenticate, they are permitted to bypass the
    filter and access the web page. User groups permitted to authenticate
    are defined in the firewall policy. For details, see groups
    <group_name> on page 127.
    To view a list of available category codes with their descriptions,
    enter get, then locate entries for ftgd-wf-enable, such as
    g01 Potentially Liable, 1 Drug Abuse, and c06 Spam URL.
    Separate multiple codes with a space. To delete entries, use the unset
    command to delete the entire list.
    Default: none
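A worked profile that ties the ftgd-wf-* keywords above together. This is an added illustration, not configuration taken from the reference: the profile name web-strict is assumed, the category codes g01 (Potentially Liable) and c06 (Spam URL) are the ones this reference uses as examples and should be confirmed with get on your own unit, and the http keyword it relies on is documented later in this section. The point it makes is that none of the ftgd-wf-* settings do anything for HTTP until fortiguard-wf is set on the http keyword.

```text
config firewall profile
    edit "web-strict"
        # Rating only runs for a protocol that has fortiguard-wf set;
        # without this line every ftgd-wf-* keyword below is inert for HTTP.
        set http fortiguard-wf scan block urlfilter
        # Block the Potentially Liable group and the Spam URL category.
        # Anything not named here (and not logged) is allowed by default.
        set ftgd-wf-deny g01 c06
        # Log the same categories so that blocks appear in the web filter log.
        set ftgd-wf-log g01 c06
        # rate-server-ip rates the destination IP as well as the URL, so a
        # site cannot escape its rating by being reached through a raw IP
        # address or an alternate hostname. error-allow is deliberately
        # left out: a rating error then fails closed rather than open.
        set ftgd-wf-options strict-blocking rate-server-ip allow-ovrd
        # Authenticated overrides are offered only for Spam URL, never for
        # the Potentially Liable group; the user groups allowed to
        # authenticate come from the firewall policy, not the profile.
        set ftgd-wf-ovrd c06
    next
end
```

Because set replaces the whole list, re-running set ftgd-wf-options with one option missing removes it; to clear a category list entirely use unset. redir-block is a further hardening option but blocks legitimate redirects as well, so test it against the sites your users depend on before adding it.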
ftp {archive-full archive-summary avmonitor avquery block clientcomfort
    no-content-summary oversize quarantine scan scanextended splice}
    Select actions, if any, the FortiGate unit will perform with FTP
    connections.
    archive-full: Content archive both metadata and the file itself.
    archive-summary: Content archive metadata.
    avmonitor: Log detected viruses, but allow them through the firewall
    without modification.
    avquery: Use the FortiGuard AV query service.
    block: Deny files matching the file pattern selected by filepattable,
    even if the files do not contain viruses.
    clientcomfort: Apply client comforting and prevent client timeout.
    no-content-summary: Omit the content summary from the dashboard.
    oversize: Block files that are over the file size limit.
    quarantine: Quarantine files that contain viruses. This feature is
    available for FortiGate units that contain a hard disk or are
    connected to a FortiAnalyzer unit.
    scan: Scan files for viruses and worms.
    scanextended: Scan files for viruses and worms, using both the current
    FortiGuard Antivirus wild list database and the extended database,
    which consists of definitions for older viruses that FortiGuard has
    not recently observed in the wild. The extended antivirus data is
    available on newer FortiGate models with more than one partition, for
    example:
        FortiGate-50B and FortiWiFi-50B
        FortiGate-60B and FortiWiFi-60B
        FortiGate-310B
        FortiGate-1000A and FortiGate-1000AFA2
        FortiGate-1000A-LENC
        FortiGate-3016B, FortiGate-3600A, and FortiGate-3810A
        FortiGate-5005FA2 and FortiGate-5001A
    splice: Simultaneously scan a file and send it to the recipient. If the
    FortiGate unit detects a virus, it prematurely terminates the
    connection.
    Separate multiple options with a space. To remove an option from the
    list or add an option to the list, retype the list with the option
    removed or added.
    Default: splice
ftpcomfortamount <size_int>
    Enter the number of bytes client comforting sends each interval to
    show that an FTP download is progressing. The interval time is set
    using ftpcomfortinterval.
    Default: 1
ftpcomfortinterval <seconds_int>
    Enter the time in seconds before client comforting starts after an FTP
    download has begun. It is also the interval between subsequent client
    comforting sends. The amount of data sent each interval is set using
    ftpcomfortamount.
    Default: 10
ftpoversizelimit <size_int>
    Enter the maximum in-memory file size that will be scanned, in
    megabytes. If the file is larger than the ftpoversizelimit, the file
    is passed or blocked, depending on whether ftp contains the oversize
    option. The maximum file size for scanning in memory is 10% of the
    FortiGate unit's RAM.
    Default: 10
http {activexfilter avmonitor avquery bannedword block block-invalid-url
    chunkedbypass clientcomfort cookiefilter exemptword fortiguard-wf
    javafilter no-content-summary oversize quarantine rangeblock scan
    scanextended strict-file urlfilter}
    Select actions, if any, the FortiGate unit will perform with HTTP
    connections.
    activexfilter: Block ActiveX plugins.
    avmonitor: Log detected viruses, but allow them through the firewall
    without modification.
    avquery: Use the FortiGuard Antivirus service for virus detection using
    MD5 checksums. This feature is disabled by default.
    bannedword: Block web pages containing content in the banned word list.
    block: Deny files matching the file pattern selected by filepattable,
    even if the files do not contain viruses.
    chunkedbypass: Allow web sites that use chunked encoding for HTTP to
    bypass the firewall. Chunked encoding means the HTTP message body is
    altered to allow it to be transferred in a series of chunks. Use of
    this feature is a risk: malicious content could enter the network if
    web content is allowed to bypass the firewall.
    clientcomfort: Apply client comforting and prevent client timeout.
    cookiefilter: Block cookies.
    exemptword: Exempt words from content blocking.
    fortiguard-wf: Use FortiGuard Web Filtering.
    javafilter: Block Java applets.
    no-content-summary: Omit content information from the dashboard.
    oversize: Block files that are over the file size limit.
    quarantine: Quarantine files that contain viruses. This feature is
    available for FortiGate units that contain a hard disk or are
    connected to a FortiAnalyzer unit.
    rangeblock: Block downloading parts of a file that have already been
    partially downloaded. Enabling this option prevents the unintentional
    download of virus files hidden in fragmented files. Note that some
    types of files, such as PDF, fragment files to increase download speed
    and enabling this option can cause download interruptions. Enabling
    this option may break certain applications that use the Range header
    in the HTTP protocol, such as YUM, a Linux update manager.
    scan: Scan files for viruses and worms.
    scanextended: Scan files for viruses and worms, using both the current
    FortiGuard Antivirus wild list database and the extended database,
    which consists of definitions for older viruses that FortiGuard has
    not recently observed in the wild. The extended antivirus data is
    available on newer FortiGate models with more than one partition, for
    example:
        FortiGate-50B and FortiWiFi-50B
        FortiGate-60B and FortiWiFi-60B
        FortiGate-310B
        FortiGate-1000A and FortiGate-1000AFA2
        FortiGate-1000A-LENC
        FortiGate-3016B, FortiGate-3600A, and FortiGate-3810A
        FortiGate-5005FA2 and FortiGate-5001A
    strict-file: Perform stricter checking for blocked files as specified
    by antivirus file patterns. This more thorough checking can
    effectively block some web sites with elaborate scripting using .exe
    or .dll files if those patterns are blocked.
    urlfilter: Use the URL filter list.
    Separate multiple options with a space. To remove an option from the
    list or add an option to the list, retype the list with the option
    removed or added.
httpcomfortamount <size_int>
    Enter the number of bytes client comforting sends each interval to
    show an HTTP download is progressing. The interval time is set using
    httpcomfortinterval.
    Default: 1
httpcomfortinterval <seconds_int>
    Enter the time in seconds before client comforting starts after an
    HTTP download has begun. It is also the interval between subsequent
    client comforting sends. The amount of data sent each interval is set
    using httpcomfortamount.
    Default: 10
httpoversizelimit <size_int>
    Enter the maximum in-memory file size that will be scanned, in
    megabytes. If the file is larger than the httpoversizelimit, the file
    is passed or blocked, depending on whether oversize is set in the
    profile http command. The maximum file size for scanning in memory is
    10% of the FortiGate unit's RAM.
    Default: 10
httpsoversizelimit <size_int>
    Enter the maximum in-memory file size that will be scanned, in
    megabytes. If the file is larger than the httpsoversizelimit, the file
    is passed or blocked, depending on whether oversize is set in the
    profile https command. The maximum file size for scanning in memory
    is 10% of the FortiGate unit's RAM.
    Default: 10
http-retry-count <retry_int>
    Enter the number of times to retry establishing an HTTP connection
    when the connection fails on the first try. The range is 0 to 100.
    This allows the web server proxy to repeat the connection attempt on
    behalf of the browser if the server refuses the connection the first
    time. This works well and reduces the number of hang-ups or "page not
    found" errors for busy web servers.
    Entering zero (0) effectively disables this feature.
    Default: 0
httppostaction {block comfort normal}
    Select the action to take against HTTP uploads.
    block: Ban HTTP POST operations.
    comfort: Use the comfort amount and interval settings to send comfort
    bytes to the server in case the client connection is too slow. This
    prevents a timeout when scanning or another filtering tool is turned
    on.
    normal: Allow the traffic to pass, subject to the results of FortiGate
    firewall screening.
    Default: normal
https-retry-count <retry_int>
    Enter the number of times to retry establishing an HTTPS connection
    when the connection fails on the first try. The range is 0 to 100.
    This allows the web server proxy to repeat the connection attempt on
    behalf of the browser if the server refuses the connection the first
    time. This works well and reduces the number of hang-ups or "page not
    found" errors for busy web servers.
    Entering zero (0) effectively disables this feature.
    Default: 0
https {allow-invalid-server-cert block-ssl-unknown-sess-id
    block-invalid-url fortiguard-wf no-content-summary urlfilter}
    Select actions, if any, the FortiGate unit will perform with HTTPS
    connections.
    allow-invalid-server-cert: Allow SSL sessions whose server certificate
    validation failed.
    block-ssl-unknown-sess-id: Block SSL sessions that present a session
    ID the FortiGate unit has not previously filtered. If HTTPS web
    filtering is enabled, servers may regenerate session IDs, so enabling
    this option will reject some HTTPS sessions on the "unknown session
    ID" test. By default (option not set) sessions with unknown session
    IDs, whose SSL data is encrypted, are allowed.
    block-invalid-url: Block web sites whose SSL certificate CN field does
    not contain a valid domain name. FortiGate units always validate the
    CN field, regardless of whether this option is enabled. If this
    option is disabled, a validation failure does not cause the FortiGate
    unit to block the request, but it changes the behavior of FortiGuard
    Web Filtering:
        If the request is made directly to the web server, rather than
        through a web server proxy, the FortiGate unit queries for
        FortiGuard Web Filtering category or class ratings using the IP
        address only, not the domain name.
        If the request is to a web server proxy, the real IP address of
        the web server is not known, so rating queries by either or both
        the IP address and the domain name are not reliable. In this
        case, the FortiGate unit does not perform FortiGuard Web
        Filtering.
    fortiguard-wf: Enable FortiGuard Web Filtering.
    no-content-summary: Omit content information from the dashboard.
    urlfilter: Enable the URL filter list.
    Separate multiple options with a space. To remove an option from the
    list or add an option to the list, retype the list with the option
    removed or added.
    Default: none
https-deep-scan {enable | disable}
    Select to decrypt HTTPS traffic and perform additional scanning of the
    content of the HTTPS traffic. Select this option if you want to apply
    all applicable protection profile options to HTTPS traffic. Using
    this option requires adding HTTPS server certificates to the FortiGate
    unit so that HTTPS traffic can be decrypted.
    Default: disable
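The http and https rows above describe several options that are bypasses in disguise (chunkedbypass, allow-invalid-server-cert) next to the ones that close them. The following profile, an added illustration rather than configuration from the reference, shows the weak form commented out beside a hardened form for both protocols. The profile name web-hardened is assumed; the keyword spellings are those documented in this section.

```text
config firewall profile
    edit "web-hardened"
        # Weak form, kept only for contrast. chunkedbypass lets any
        # chunked HTTP body skip scanning, and allow-invalid-server-cert
        # accepts a certificate that failed validation, so a
        # man-in-the-middle or mis-issued certificate passes unnoticed:
        # set http scan chunkedbypass
        # set https allow-invalid-server-cert fortiguard-wf

        # Hardened HTTP: scan with the extended database, enforce the file
        # pattern list strictly, refuse Range requests so a malicious file
        # cannot be pulled down in fragments, and quarantine detections.
        set http scan scanextended block strict-file rangeblock oversize quarantine clientcomfort fortiguard-wf urlfilter
        set httpoversizelimit 10
        # Uploads are scanned as well; comfort keeps slow clients alive
        # while a large POST body is being inspected.
        set httppostaction comfort

        # Hardened HTTPS: allow-invalid-server-cert is absent, so sessions
        # whose certificate fails validation are not accepted, and
        # block-invalid-url rejects certificates whose CN is not a valid
        # domain name, which also lets FortiGuard rate by hostname instead
        # of falling back to the IP address.
        set https block-invalid-url fortiguard-wf urlfilter
        set ftgd-wf-https-options strict-blocking rate-server-ip
        # Decrypt HTTPS so the HTTP-side scanning above applies to it. This
        # only works once the HTTPS server certificates have been loaded on
        # the unit, as the https-deep-scan entry states.
        set https-deep-scan enable
        set httpsoversizelimit 10
    next
end
```

Two operational caveats from the rows above: rangeblock breaks clients that legitimately use Range requests (the reference names YUM), and quarantine is silently unavailable on units without a hard disk or a FortiAnalyzer connection, so check both before rolling the profile out.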
httpscomfortinterval <seconds_int>
    Enter the time in seconds before client comforting starts after an
    HTTPS download has begun. It is also the interval between subsequent
    client comforting sends. The amount of data sent each interval is set
    using httpscomfortamount.
    Default: 10
httpscomfortamount <size_int>
    Enter the number of bytes client comforting sends each interval to
    show an HTTPS download is progressing. The interval time is set using
    httpscomfortinterval.
    Default: 1
im {avmonitor avquery block oversize quarantine scan scanextended}
    Select actions, if any, the FortiGate unit will perform with instant
    message (IM) connections.
    avmonitor: Log detected viruses, but allow them through the firewall
    without modification.
    avquery: Use the FortiGuard Antivirus service for virus detection using
    MD5 checksums.
    block: Deny files matching the file pattern selected by filepattable,
    even if the files do not contain viruses.
    oversize: Block files that are over the file size limit.
    quarantine: Quarantine files that contain viruses. This feature is
    available for FortiGate units that contain a hard disk or are
    connected to a FortiAnalyzer unit.
    scan: Scan files for viruses and worms.
    scanextended: Scan files for viruses and worms using the extended
    database.
    Default: none
imap {archive-full archive-summary avmonitor avquery bannedword block
    fragmail no-content-summary oversize quarantine scan scanextended
    spam-mail-log spamemailbwl spamfschksum spamfsip spamfssubmit
    spamfsurl spamhdrcheck spamipbwl spamraddrdns spamrbl}
    Select actions, if any, the FortiGate unit will perform with IMAP
    connections.
    archive-full: Content archive both metadata and the email itself.
    archive-summary: Content archive metadata.
    avmonitor: Log detected viruses, but allow them through the firewall
    without modification.
    avquery: Use the FortiGuard Antivirus service for virus detection using
    MD5 checksums.
    bannedword: Block email containing content on the banned word list.
    block: Deny files matching the file pattern selected by filepattable,
    even if the files do not contain viruses.
    fragmail: Allow fragmented email. Fragmented email cannot be scanned
    for viruses.
    no-content-summary: Omit content information from the dashboard.
    oversize: Block files that are over the file size limit.
    quarantine: Quarantine files that contain viruses. This feature is
    available for FortiGate units that contain a hard disk.
    scan: Scan files for viruses and worms.
    scanextended: Scan files for viruses and worms using the extended
    database.
    spam-mail-log: Include spam in the mail log.
    spamemailbwl: Enable filtering based on the email address list.
    spamfschksum: Enable the FortiGuard Antispam email message checksum
    spam check.
    spamfsip: Enable the FortiGuard Antispam filtering IP address
    blacklist.
    spamfssubmit: Add a link to the message body to allow users to report
    messages incorrectly marked as spam. If an email message is not spam,
    simply click the link in the message to inform FortiGuard of the
    false positive.
    spamfsurl: Enable the FortiGuard Antispam filtering URL blacklist.
    spamhdrcheck: Enable the email MIME header check.
    spamipbwl: Enable filtering based on the email IP address.
    spamraddrdns: Enable filtering based on the return email DNS check.
    spamrbl: Enable checking traffic against configured DNS-based
    Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers.
    Separate multiple options with a space. To remove an option from the
    list or add an option to the list, retype the list with the option
    removed or added.
    Default: fragmail spamfssubmit
imap-spamaction {pass | tag}
    Select the action to take on spam.
    pass: Allow spam email to pass.
    tag: Tag spam email with the configured text in the subject or header.
    Default: none
imap-spamtagtype {subject header spaminfo}
    Choose whether to tag the subject or a header of spam email.
    subject: Prepend text to the spam email subject.
    header: Append a user-defined MIME header to spam email.
    spaminfo: Append spam info to the spam email header.
    Default: subject spaminfo
imap-spamtagmsg <text_string>
    Add subject text or header text to spam email.
    Default: spam
imaps {allow-invalid-server-cert archive-full archive-summary avmonitor
    avquery bannedword block fragmail log-invalid-server-cert
    no-content-summary oversize quarantine scan scanextended spam-mail-log
    spamemailbwl spamfschksum spamfsip spamfssubmit spamfsurl spamhdrcheck
    spamipbwl spamraddrdns spamrbl}
    Select actions, if any, the FortiGate unit will perform with IMAPS
    connections.
    allow-invalid-server-cert: Allow SSL sessions whose server certificate
    validation failed.
    archive-full: Content archive both metadata and the email itself.
    archive-summary: Content archive metadata.
    avmonitor: Log detected viruses, but allow them through the firewall
    without modification.
    avquery: Use the FortiGuard Antivirus service for virus detection using
    MD5 checksums.
    bannedword: Block email containing content on the banned word list.
    block: Deny files matching the file pattern selected by filepattable,
    even if the files do not contain viruses.
    fragmail: Allow fragmented email. Fragmented email cannot be scanned
    for viruses.
    log-invalid-server-cert: Log SSL sessions whose server certificate
    validation failed.
    no-content-summary: Omit content information from the dashboard.
    oversize: Block files that are over the file size limit.
    quarantine: Quarantine files that contain viruses. This feature is
    available for FortiGate units that contain a hard disk.
    scan: Scan files for viruses and worms.
    scanextended: Scan files for viruses and worms using the extended
    database.
    spam-mail-log: Include spam in the mail log.
    spamemailbwl: Enable filtering based on the email address list.
    spamfschksum: Enable the FortiGuard Antispam email message checksum
    spam check.
    spamfsip: Enable the FortiGuard Antispam filtering IP address
    blacklist.
    spamfssubmit: Add a link to the message body to allow users to report
    messages incorrectly marked as spam. If an email message is not spam,
    simply click the link in the message to inform FortiGuard of the
    false positive.
    spamfsurl: Enable the FortiGuard Antispam filtering URL blacklist.
    spamhdrcheck: Enable the email MIME header check.
    spamipbwl: Enable filtering based on the email IP address.
    spamraddrdns: Enable filtering based on the return email DNS check.
    spamrbl: Enable checking traffic against configured DNS-based
    Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers.
    Separate multiple options with a space. To remove an option from the
    list or add an option to the list, retype the list with the option
    removed or added.
    Default: fragmail spamfssubmit
imaps-spamaction {pass | tag}
    Select the action to take on spam.
    pass: Allow spam email to pass.
    tag: Tag spam email with the configured text in the subject or header.
    Default: none
imaps-spamtagtype {subject header spaminfo}
    Choose whether to tag the subject or a header of spam email.
    subject: Prepend text to the spam email subject.
    header: Append a user-defined MIME header to spam email.
    spaminfo: Append spam info to the spam email header.
    Default: subject spaminfo
imaps-spamtagmsg <text_string>
    Add subject text or header text to spam email.
    Default: spam
imapoversizelimit <size_int>
    Enter the maximum in-memory file size that will be scanned, in
    megabytes. If the file is larger than the imapoversizelimit, the file
    is passed or blocked, depending on whether oversize is set in the
    profile imap command. The maximum file size for scanning in memory is
    10% of the FortiGate unit's RAM.
    Note: For email scanning, the oversize threshold refers to the final
    size of the email after encoding by the email client, including
    attachments. Email clients may use a variety of encoding types and
    some encoding types translate into larger file sizes than the original
    attachment. The most common encoding, base64, translates 3 bytes of
    binary data into 4 bytes of base64 data. So a file may be blocked or
    logged as oversized even if the attachment is several megabytes
    smaller than the configured oversize threshold.
    Default: 10
imapsoversizelimit <size_int>
    Enter the maximum in-memory file size that will be scanned, in
    megabytes. If the file is larger than the imapsoversizelimit, the file
    is passed or blocked, depending on whether oversize is set in the
    profile imaps command. The maximum file size for scanning in memory
    is 10% of the FortiGate unit's RAM.
    Note: For email scanning, the oversize threshold refers to the final
    size of the email after encoding by the email client, including
    attachments. Email clients may use a variety of encoding types and
    some encoding types translate into larger file sizes than the original
    attachment. The most common encoding, base64, translates 3 bytes of
    binary data into 4 bytes of base64 data. So a file may be blocked or
    logged as oversized even if the attachment is several megabytes
    smaller than the configured oversize threshold.
    Default: 10
imoversizelimit <size_int>
    Enter the maximum in-memory file size that will be scanned, in
    megabytes. If the file is larger than the imoversizelimit, the file is
    passed or blocked, depending on whether oversize is set in the profile
    im command. The maximum file size for scanning in memory is 10% of the
    FortiGate unit's RAM.
    Default: 10
ips-sensor <name_str>
    Enter the name of an IPS sensor (set of signatures).
    Default: none
ips-sensor-status {enable | disable}
    Select to use an IPS sensor. If enabled, also configure ips-sensor.
    This option does not select denial of service (DoS) sensors. For
    details on configuring DoS sensors, see ips DoS on page 194.
    Default: disable
mail-sig <signature_str>
    Enter a signature to add to outgoing email. If the signature contains
    spaces, surround it with single or double quotes (' or ").
    This option is applied only if mailsig-status is enable.
    Default: none
mailsig-status {enable | disable}
    Select to add a signature to outgoing email. Also configure mail-sig.
    Default: disable
nac-quar-infected {none quar-interface quar-src-ip}
    Select how to quarantine infected hosts to the banned user list.
    none: No action is taken.
    quar-interface: Quarantine all traffic on the infected interface.
    quar-src-ip: Quarantine all traffic from the source IP.
    Default: none
nac-quar-expiry {###d##h##m | indefinite}
    Set the duration of the quarantine. The minimum is 0d0h5m and the
    maximum is indefinite.
    Default: 5m
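The imap rows, the oversize note, and the ips-sensor and nac-quar-* rows above fit together in one profile for a mail segment. The following is an added illustration and not configuration from the reference: the profile name mail-scan and the IPS sensor name protect-clients are assumed (the sensor must already exist), and the arithmetic in the comment on imapoversizelimit follows from the 3-to-4 base64 expansion the note describes.

```text
config firewall profile
    edit "mail-scan"
        # Antivirus: scan with the extended database, quarantine what is
        # found, and block oversized and pattern-matched attachments.
        # fragmail is deliberately absent: fragmented email cannot be
        # scanned, so permitting it is an antivirus bypass. The spam
        # checks combine FortiGuard IP, URL and checksum lookups with the
        # local RBL/ORDBL servers and the MIME header list.
        set imap scan scanextended quarantine block oversize archive-summary spam-mail-log spamfsip spamfsurl spamfschksum spamrbl spamhdrcheck spamraddrdns spamfssubmit
        # Tag rather than silently pass so false positives stay recoverable
        # and users can report them through the spamfssubmit link.
        set imap-spamaction tag
        set imap-spamtagtype subject spaminfo
        set imap-spamtagmsg "[SPAM]"
        # The 10 MB threshold is measured on the encoded message. Base64
        # turns 3 bytes into 4, so a 7.5 MB binary attachment encodes to
        # about 10 MB (slightly more with line breaks) and already trips
        # oversize, which blocks it because oversize is set above.
        set imapoversizelimit 10
        # quarantine requires a hard disk in the unit (see the imap row);
        # on a diskless unit the option has no effect.

        # IPS on the same traffic; DoS sensors are configured separately.
        set ips-sensor-status enable
        set ips-sensor "protect-clients"
        # When a virus is detected, ban the offending source IP rather than
        # the whole interface, so one infected host does not take the
        # segment offline, and lift the ban after one hour (format is
        # days/hours/minutes, minimum 0d0h5m, or indefinite).
        set nac-quar-infected quar-src-ip
        set nac-quar-expiry 0d1h0m
    next
end
```

The same settings exist with an imaps- prefix for IMAP over SSL; there, leave allow-invalid-server-cert out of the imaps list and use log-invalid-server-cert instead, so a failed certificate validation is recorded rather than waved through.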
nntp {archive-full archive-summary avmonitor avquery block
    no-content-summary oversize scan scanextended spam-mail-log splice}
    Select actions, if any, the FortiGate unit will perform with NNTP
    connections.
    archive-full: Content archive both metadata and the message itself.
    archive-summary: Content archive metadata.
    avmonitor: Log detected viruses, but allow them through the firewall
    without modification.
    avquery: Use the FortiGuard Antivirus query service.
    block: Deny files matching the file pattern selected by filepattable,
    even if the files do not contain viruses.
    no-content-summary: Omit content information from the dashboard.
    oversize: Block files that are over the file size limit.
    scan: Scan files for viruses and worms.
    scanextended: Scan files for viruses and worms using the extended
    database.
    spam-mail-log: Include spam in the mail log.
    splice: Streaming mode, which is enabled by default when scan is
    enabled. Streaming mode has the FortiGate unit simultaneously scan a
    message and send it to the recipient. If the FortiGate unit detects a
    virus, it terminates the server connection and returns an error
    message to the recipient, listing the virus name and infected file
    name. When streaming mode is disabled for NNTP, infected attachments
    are removed and the message is sent (without the attachment) to the
    recipient. Throughput is higher when streaming mode is enabled.
    Separate multiple options with a space. To remove an option from the
    list or add an option to the list, retype the list with the option
    removed or added.
    Default: none
nntpoversizelimit <limit_int>
    Enter the maximum in-memory file size that will be scanned, in
    megabytes. If the file is larger than the nntpoversizelimit, the file
    is passed or blocked, depending on whether oversize is set in the
    profile nntp command. The maximum file size for scanning in memory is
    10% of the FortiGate unit's RAM.
    Default: 10
pop3 {avmonitor avquery bannedword block fragmail no-content-summary
    oversize quarantine scan scanextended spam-mail-log spamemailbwl
    spamfschksum spamfsip spamfssubmit spamfsurl spamhdrcheck spamipbwl
    spamraddrdns spamrbl}
    Select actions, if any, the FortiGate unit will perform with POP3
    connections.
    avmonitor: Log detected viruses, but allow them through the firewall
    without modification.
    avquery: Use the FortiGuard Antivirus query service.
    bannedword: Block email containing content in the banned word list.
    block: Deny files matching the file pattern selected by filepattable,
    even if the files do not contain viruses.
    fragmail: Allow fragmented email. Fragmented email cannot be scanned
    for viruses.
    no-content-summary: Omit content information from the dashboard.
    oversize: Block files that are over the file size limit.
    quarantine: Quarantine files that contain viruses. This feature is
    available for FortiGate units that contain a hard disk or a
    connection to a FortiAnalyzer unit.
    scan: Scan files for viruses and worms.
    scanextended: Scan files for viruses and worms using the extended
    database.
    spam-mail-log: Include spam in the email log.
    spamemailbwl: Block email containing addresses in the email address
    list.
    spamfschksum: Use FortiGuard Antispam email message checksum spam
    checking.
    spamfsip: Use the FortiGuard Antispam IP address blacklist.
    spamfssubmit: Add a link to the message body to allow users to report
    messages incorrectly marked as spam. If an email message is not spam,
    click the link in the message to inform FortiGuard of the false
    positive.
    spamfsurl: Use the FortiGuard Antispam URL blacklist.
    spamhdrcheck: Filter email using the MIME header list.
    spamipbwl: Filter email using the email IP address.
    spamraddrdns: Filter email using the return email DNS check.
    spamrbl: Filter email using the configured DNS-based Blackhole List
    (DNSBL) and Open Relay Database List (ORDBL) servers.
    Separate multiple options with a space. To remove an option from the
    list or add an option to the list, retype the list with the option
    removed or added.
    Default: fragmail spamfssubmit
pop3oversizelimit <size_int>
    Enter the maximum in-memory file size that will be scanned, in
    megabytes. If the file is larger than the pop3oversizelimit, the file
    is passed or blocked, depending on whether oversize is set in the
    profile pop3 command. The maximum file size for scanning in memory is
    10% of the FortiGate unit's RAM.
    Note: For email scanning, the oversize threshold refers to the final
    size of the email after encoding by the email client, including
    attachments. Email clients may use a variety of encoding types and
    some encoding types translate into larger file sizes than the original
    attachment. The most common encoding, base64, translates 3 bytes of
    binary data into 4 bytes of base64 data. So a file may be blocked or
    logged as oversized even if the attachment is several megabytes
    smaller than the configured oversize threshold.
    Default: 10
pop3soversizelimit <size_int>
Enter the maximum in-memory file size that will be scanned, in megabytes. If the file is larger than the pop3soversizelimit, the file is passed or blocked, depending on whether oversize is set in the profile pop3s command. The maximum file size for scanning in memory is 10% of the FortiGate unit's RAM.
Note: For email scanning, the oversize threshold refers to the final size of the email after encoding by the email client, including attachments. Email clients may use a variety of encoding types and some encoding types translate into larger file sizes than the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the configured oversize threshold.
Default: 10

pop3-spamaction {pass | tag}
Select the action to perform on POP3 email that is detected as spam.
pass: Disable spam filtering for POP3 traffic.
tag: Tag spam email with text configured using the pop3-spamtagmsg keyword and the location set using the pop3-spamtagtype keyword.
Default: tag

pop3-spamtagmsg <message_str>
Enter a word or phrase (tag) to affix to email identified as spam. When typing a tag, use the same language as the FortiGate unit's current administrator language setting. Tag text using other encodings may not be accepted. For example, when entering a spam tag that uses Japanese characters, first verify that the administrator language setting is Japanese; the FortiGate unit will not accept a spam tag written in Japanese characters while the administrator language setting is English. For details on changing the language setting, see system global on page 363.
Note: To correctly enter the tag, your SSH or telnet client must also support your language's encoding. Alternatively, you can use the web-based manager's CLI widget to enter the tag.
Tags must not exceed 64 bytes. The number of characters constituting 64 bytes of data varies by text encoding, which may vary by the FortiGate administrator language setting.
Tags containing space characters, such as multiple words or phrases, must be surrounded by quote characters (" ") to be accepted by the CLI.
Default: Spam

pop3-spamtagtype {header | subject} {spaminfo | }
Select to affix the tag to either the MIME header or the subject line, and whether or not to append spam information to the spam header, when an email is detected as spam. Also configure pop3-spamtagmsg.
If you select to affix the tag to the subject line, the FortiGate unit will convert the entire subject line, including tag, to UTF-8 by default. This improves display for some email clients that cannot properly display subject lines that use more than one encoding. For details on disabling conversion of subject line to UTF-8, see system settings on page 453.
Default: subject spaminfo
pop3s {allow-invalid-server-cert avmonitor avquery bannedword block fragmail log-invalid-server-cert no-content-summary oversize quarantine scan scanextended spam-mail-log spamemailbwl spamfschksum spamfsip spamfssubmit spamfsurl spamhdrcheck spamipbwl spamraddrdns spamrbl}
Select actions, if any, the FortiGate unit will perform with POP3S connections.
allow-invalid-server-cert: Allow SSL sessions whose server certificate validation failed.
avmonitor: Log detected viruses, but allow them through the firewall without modification.
avquery: Use the FortiGuard Antivirus query service.
bannedword: Block email containing content in the banned word list.
block: Deny files matching the file pattern selected by filepattable, even if the files do not contain viruses.
fragmail: Allow fragmented email. Fragmented email cannot be scanned for viruses.
log-invalid-server-cert: Log SSL sessions whose server certificate validation failed.
no-content-summary: Omit content information from the dashboard. Content information is divided into email, FTP, and HTTP categories.
oversize: Block files that are over the file size limit.
quarantine: Quarantine files that contain viruses. This feature is available for FortiGate units that contain a hard disk or a connection to a FortiAnalyzer unit.
scan: Scan files for viruses and worms.
scanextended: Scan files for viruses and worms using the extended database.
spam-mail-log: Include spam in the email log.
spamemailbwl: Block email containing addresses in the email address list.
spamfschksum: Use FortiGuard Antispam email message checksum spam checking.
spamfsip: Use the FortiGuard Antispam IP address blacklist.
spamfssubmit: Add a link to the message body to allow users to report messages incorrectly marked as spam. If an email message is not spam, click the link in the message to inform FortiGuard of the false positive.
spamfsurl: Use the FortiGuard Antispam URL blacklist.
spamhdrcheck: Filter email using the MIME header list.
spamipbwl: Filter email using the email IP address.
spamraddrdns: Filter email using the return email DNS check.
spamrbl: Filter email using the configured DNS-based Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers.
Separate multiple options with a space. To remove an option from the list or add an option to the list, retype the list with the option removed or added.
Default: fragmail spamfssubmit

pop3s-spamaction {discard | pass | tag}
Select the action that this profile uses for filtered POP3S email. Tagging appends custom text to the subject or header of email identified as spam. When scan or streaming mode (also called splice) is selected, the FortiGate unit can only discard spam email. Discard immediately drops the connection. Without streaming mode or scanning enabled, choose to discard, pass, or tag POP3S spam. In the US Domestic distribution, streaming mode is permanently enabled for POP3S, and the tag option is not available.
discard: Do not pass email identified as spam.
pass: Disable spam filtering for POP3S traffic.
tag: Tag spam email with text configured using the pop3s-spamtagmsg keyword and the location set using the pop3s-spamtagtype keyword.
Default: discard
pop3s-spamtagtype {header | subject} {spaminfo | }
Select to affix the tag to either the MIME header or the subject line, and whether or not to append spam information to the spam header, when an email is detected as spam. Also configure pop3s-spamtagmsg.
If you select to affix the tag to the subject line, the FortiGate unit will convert the entire subject line, including tag, to UTF-8 by default. This improves display for some email clients that cannot properly display subject lines that use more than one encoding. For details on disabling conversion of subject line to UTF-8, see system settings on page 453.
Default: subject spaminfo

pop3s-spamtagmsg <message_str>
Enter a word or phrase (tag) to affix to email identified as spam. When typing a tag, use the same language as the FortiGate unit's current administrator language setting. Tag text using other encodings may not be accepted. For example, when entering a spam tag that uses Japanese characters, first verify that the administrator language setting is Japanese; the FortiGate unit will not accept a spam tag written in Japanese characters while the administrator language setting is English. For details on changing the language setting, see system global on page 363.
Note: To correctly enter the tag, your SSH or telnet client must also support your language's encoding. Alternatively, you can use the web-based manager's CLI widget to enter the tag.
Tags must not exceed 64 bytes. The number of characters constituting 64 bytes of data varies by text encoding, which may vary by the FortiGate administrator language setting.
Tags containing space characters, such as multiple words or phrases, must be surrounded by quote characters (" ") to be accepted by the CLI.
Default: Spam
smtp {avmonitor avquery bannedword block fragmail no-content-summary oversize quarantine scan scanextended spam-mail-log spamemailbwl spamfsip spamfschksum spamfsurl spamhdrcheck spamhelodns spamipbwl spamraddrdns spamrbl splice}
Select actions, if any, the FortiGate unit will perform with SMTP connections.
avmonitor: Log detected viruses, but allow them through the firewall without modification.
avquery: Use the FortiGuard AV query service.
bannedword: Block email containing content in the banned word list.
block: Deny files matching the file pattern selected by filepattable, even if the files do not contain viruses.
fragmail: Allow fragmented email. Fragmented email cannot be scanned for viruses.
no-content-summary: Omit content information from the dashboard.
oversize: Block files that are over the file size limit.
quarantine: Quarantine files that contain viruses. This feature is available for FortiGate units that contain a hard disk or a connection to a FortiAnalyzer unit.
scan: Scan files for viruses and worms.
scanextended: Scan files for viruses and worms using the extended database.
spam-mail-log: Include spam in the email log.
spamemailbwl: Filter email using the email address list.
spamfsip: Use the FortiGuard Antispam filtering IP address blacklist.
spamfschksum: Use FortiGuard Antispam email message checksum spam checking.
spamfssubmit: Add a link to the message body allowing users to report messages incorrectly marked as spam. If an email message is not spam, click the link in the message to report the false positive.
spamfsurl: Use the FortiGuard Antispam filtering URL blacklist.
spamhdrcheck: Filter email using the MIME header list.
spamhelodns: Filter email using a HELO/EHLO DNS check.
spamipbwl: Filter email using the source IP or subnet address.
spamraddrdns: Filter email using a return email DNS check.
spamrbl: Filter email using configured DNS-based Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers.
splice: Simultaneously scan a message and send it to the recipient. If the FortiGate unit detects a virus, it prematurely terminates the connection, and returns an error message to the sender, listing the virus and infected file name. splice is selected when scan is selected. With streaming mode enabled, select either Spam Action (Tagged or Discard) for SMTP spam. When streaming mode is disabled for SMTP, infected attachments are removed and the email is forwarded (without the attachment) to the SMTP server for delivery to the recipient.
Throughput is higher when streaming mode is enabled.
Separate multiple options with a space. To remove an option from the list or add an option to the list, retype the list with the option removed or added.
Default: no-content-summary splice

smtp-spam-localoverride {enable | disable}
Select to override the SMTP remote checks, which include the IP RBL check, the IP FortiGuard antispam check, and the HELO DNS check, with the locally defined black/white antispam list.
Default: disable
smtpoversizelimit <size_int>
Enter the maximum in-memory file size that will be scanned, in megabytes. If the file is larger than the smtpoversizelimit, the file is passed or blocked, depending on whether oversize is set in the profile smtp command. The maximum file size for scanning in memory is 10% of the FortiGate unit's RAM.
Note: For email scanning, the oversize threshold refers to the final size of the email after encoding by the email client, including attachments. Email clients may use a variety of encoding types and some encoding types translate into larger file sizes than the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the configured oversize threshold.
Default: 10

smtpsoversizelimit <size_int>
Enter the maximum in-memory file size that will be scanned, in megabytes. If the file is larger than the smtpsoversizelimit, the file is passed or blocked, depending on whether oversize is set in the profile smtps command. The maximum file size for scanning in memory is 10% of the FortiGate unit's RAM.
Note: For email scanning, the oversize threshold refers to the final size of the email after encoding by the email client, including attachments. Email clients may use a variety of encoding types and some encoding types translate into larger file sizes than the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the configured oversize threshold.
Default: 10
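The base64 arithmetic in the note above (and in the identical notes for pop3oversizelimit, pop3soversizelimit and smtpoversizelimit) is what decides whether a message trips the oversize action. The following Python script is an added worked example, not Fortinet code: it computes the encoded size of a message the way a MIME client would and compares it with the limit, so an administrator can see why a 7.5 MB attachment is already oversize under the default 10 MB threshold. The 76-character line wrapping with a 2-byte CRLF line ending and the binary megabyte (1024 x 1024 bytes) are assumptions; the reference states only the 3-to-4 byte expansion.

```python
import math

# Assumption (not stated in the reference): the limit is counted in binary
# megabytes.  Change to 1_000_000 if the unit uses decimal megabytes.
MB = 1024 * 1024
MIME_LINE_LENGTH = 76  # RFC 2045 line length used by most mail clients (assumption)


def base64_encoded_size(raw_bytes, line_length=MIME_LINE_LENGTH):
    """Bytes occupied by raw_bytes after MIME base64 encoding.

    Every 3 input bytes become 4 output characters; a partial final group is
    padded to a full 4.  Mail clients then wrap the output into lines of
    line_length characters, each terminated by CRLF, adding roughly 2.6%.
    """
    encoded = 4 * math.ceil(raw_bytes / 3)
    if line_length and encoded:
        encoded += 2 * math.ceil(encoded / line_length)
    return encoded


def is_oversize(attachment_sizes, header_bytes, oversize_limit_mb):
    """Apply the threshold the way the reference describes it: to the encoded
    message (headers plus base64 bodies), not to the raw files on disk.

    Returns (oversize, encoded_total_bytes).
    """
    total = header_bytes + sum(base64_encoded_size(n) for n in attachment_sizes)
    return total > oversize_limit_mb * MB, total


def largest_raw_attachment(oversize_limit_mb, header_bytes=0):
    """Largest single raw attachment (bytes) whose encoded form still fits
    under the limit.  Binary search is valid because encoding is monotonic."""
    budget = oversize_limit_mb * MB - header_bytes
    lo, hi = 0, budget
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if base64_encoded_size(mid) <= budget:
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    # Constructed sample: one 7.5 MB attachment with 2 KB of headers, sent
    # through a profile using the default 10 MB oversize limit.
    flagged, size = is_oversize([7_864_320], header_bytes=2_048, oversize_limit_mb=10)
    print(f"7.5 MB attachment -> {size / MB:.2f} MB on the wire, oversize={flagged}")
    print(f"largest attachment that fits a 10 MB limit: "
          f"{largest_raw_attachment(10) / MB:.2f} MB")
```

Run the script and the 7.5 MB attachment reports as oversize, which is the situation the note describes: the file is 2.5 MB under the configured threshold yet blocked or logged once encoded.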
smtp-spamaction {discard | pass | tag}
Select the action that this profile uses for filtered SMTP email. Tagging appends custom text to the subject or header of email identified as spam. When scan or streaming mode (also called splice) is selected, the FortiGate unit can only discard spam email. Discard immediately drops the connection. Without streaming mode or scanning enabled, choose to discard, pass, or tag SMTP spam. In the US Domestic distribution, streaming mode is permanently enabled for SMTP, and the tag option is not available.
discard: Do not pass email identified as spam.
pass: Disable spam filtering for SMTP traffic.
tag: Tag spam email with text configured using the smtp-spamtagmsg keyword and the location set using the smtp-spamtagtype keyword.
Default: discard

smtp-spamhdrip {enable | disable}
Select to check header IP addresses for the spamfsip, spamrbl, and spamipbwl filters.
Default: disable

smtp-spamtagmsg <message_str>
Enter a word or phrase (tag) to affix to email identified as spam. When typing a tag, use the same language as the FortiGate unit's current administrator language setting. Tag text using other encodings may not be accepted. For example, when entering a spam tag that uses Japanese characters, first verify that the administrator language setting is Japanese; the FortiGate unit will not accept a spam tag written in Japanese characters while the administrator language setting is English. For details on changing the language setting, see system global on page 363.
Note: To correctly enter the tag, your SSH or telnet client must also support your language's encoding. Alternatively, you can use the web-based manager's CLI widget to enter the tag.
Tags must not exceed 64 bytes. The number of characters constituting 64 bytes of data varies by text encoding, which may vary by the FortiGate administrator language setting.
Tags containing space characters, such as multiple words or phrases, must be surrounded by quote characters (" ") to be accepted by the CLI.
Default: Spam
smtp-spamtagtype {header | subject} {spaminfo | }
Select to affix the tag to either the MIME header or the subject line, and whether or not to append spam information to the spam header, when an email is detected as spam. Also configure smtp-spamtagmsg.
If you select to affix the tag to the subject line, the FortiGate unit will convert the entire subject line, including tag, to UTF-8 by default. This improves display for some email clients that cannot properly display subject lines that use more than one encoding. For details on disabling conversion of subject line to UTF-8, see system settings on page 453.
Default: subject spaminfo

smtps {allow-invalid-server-cert avmonitor avquery bannedword block fragmail log-invalid-server-cert no-content-summary oversize quarantine scan scanextended spam-mail-log spamemailbwl spamfsip spamfschksum spamfsurl spamhdrcheck spamhelodns spamipbwl spamraddrdns spamrbl splice}
Select actions, if any, the FortiGate unit will perform with SMTPS connections.
allow-invalid-server-cert: Allow SSL sessions whose server certificate validation failed.
avmonitor: Log detected viruses, but allow them through the firewall without modification.
avquery: Use the FortiGuard AV query service.
bannedword: Block email containing content in the banned word list.
block: Deny files matching the file pattern selected by filepattable, even if the files do not contain viruses.
fragmail: Allow fragmented email. Fragmented email cannot be scanned for viruses.
log-invalid-server-cert: Log SSL sessions whose server certificate validation failed.
no-content-summary: Omit content information from the dashboard.
oversize: Block files that are over the file size limit.
quarantine: Quarantine files that contain viruses. This feature is available for FortiGate units that contain a hard disk or a connection to a FortiAnalyzer unit.
scan: Scan files for viruses and worms.
scanextended: Scan files for viruses and worms using the extended database.
spam-mail-log: Include spam in the email log.
spamemailbwl: Filter email using the email address list.
spamfsip: Use the FortiGuard Antispam filtering IP address blacklist.
spamfschksum: Use FortiGuard Antispam email message checksum spam checking.
spamfssubmit: Add a link to the message body allowing users to report messages incorrectly marked as spam. If an email message is not spam, click the link in the message to report the false positive.
spamfsurl: Use the FortiGuard Antispam filtering URL blacklist.
spamhdrcheck: Filter email using the MIME header list.
spamhelodns: Filter email using a HELO/EHLO DNS check.
spamipbwl: Filter email using the source IP or subnet address.
spamraddrdns: Filter email using a return email DNS check.
spamrbl: Filter email using configured DNS-based Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers.
splice: Simultaneously scan a message and send it to the recipient. If the FortiGate unit detects a virus, it prematurely terminates the connection, and returns an error message to the sender, listing the virus and infected file name. splice is selected when scan is selected. With streaming mode enabled, select either Spam Action (Tagged or Discard) for SMTP spam. When streaming mode is disabled for SMTP, infected attachments are removed and the email is forwarded (without the attachment) to the SMTP server for delivery to the recipient.
Throughput is higher when streaming mode is enabled.
Separate multiple options with a space. To remove an option from the list or add an option to the list, retype the list with the option removed or added.
Default: no-content-summary splice
smtps-spamaction {discard | pass | tag}
Select the action that this profile uses for filtered SMTPS email. Tagging appends custom text to the subject or header of email identified as spam. When scan or streaming mode (also called splice) is selected, the FortiGate unit can only discard spam email. Discard immediately drops the connection. Without streaming mode or scanning enabled, choose to discard, pass, or tag SMTPS spam. In the US Domestic distribution, streaming mode is permanently enabled for SMTPS, and the tag option is not available.
discard: Do not pass email identified as spam.
pass: Disable spam filtering for SMTPS traffic.
tag: Tag spam email with text configured using the smtps-spamtagmsg keyword and the location set using the smtps-spamtagtype keyword.
Default: discard

smtps-spamhdrip {enable | disable}
Select to check header IP addresses for the spamfsip, spamrbl, and spamipbwl filters.
Default: disable

smtps-spamtagmsg <message_str>
Enter a word or phrase (tag) to affix to email identified as spam. When typing a tag, use the same language as the FortiGate unit's current administrator language setting. Tag text using other encodings may not be accepted. For example, when entering a spam tag that uses Japanese characters, first verify that the administrator language setting is Japanese; the FortiGate unit will not accept a spam tag written in Japanese characters while the administrator language setting is English. For details on changing the language setting, see system global on page 363.
Note: To correctly enter the tag, your SSH or telnet client must also support your language's encoding. Alternatively, you can use the web-based manager's CLI widget to enter the tag.
Tags must not exceed 64 bytes. The number of characters constituting 64 bytes of data varies by text encoding, which may vary by the FortiGate administrator language setting.
Tags containing space characters, such as multiple words or phrases, must be surrounded by quote characters (" ") to be accepted by the CLI.
Default: Spam
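The 64-byte limit above applies to pop3-spamtagmsg, pop3s-spamtagmsg, smtp-spamtagmsg and smtps-spamtagmsg alike, and the number of characters that fit depends on the byte encoding in use. The following Python script is an added example, not part of the reference or of FortiOS, for checking a tag before typing it into the CLI: it reports the byte length under a chosen encoding, whether the tag fits, and whether it needs quoting because it contains a space. Which byte encoding each administrator language setting selects is not stated on this page, so the comparison of UTF-8 with Shift_JIS and EUC-JP is an assumption, and the sample tags are constructed.

```python
# Limit stated by the reference; how many characters it allows depends on
# the text encoding, which may follow the administrator language setting.
TAG_LIMIT_BYTES = 64


def tag_byte_length(tag, encoding="utf-8"):
    """Byte length of the tag in the given text encoding."""
    return len(tag.encode(encoding))


def check_spam_tag(tag, encoding="utf-8"):
    """Pre-flight a spam tag before entering it in the CLI.

    Returns the byte length, whether it fits the 64-byte limit, and the
    argument form the CLI needs (quoted when the tag contains whitespace).
    """
    length = tag_byte_length(tag, encoding)
    needs_quotes = any(ch.isspace() for ch in tag)
    return {
        "encoding": encoding,
        "bytes": length,
        "fits": length <= TAG_LIMIT_BYTES,
        "needs_quotes": needs_quotes,
        "cli_argument": f'"{tag}"' if needs_quotes else tag,
    }


def compare_encodings(tag, encodings=("utf-8", "shift_jis", "euc-jp")):
    """Byte length of the same tag under several encodings.  The encodings
    listed here are an assumption about what a Japanese setting might use."""
    return {enc: tag_byte_length(tag, enc) for enc in encodings}


if __name__ == "__main__":
    # Constructed sample tags.
    print(check_spam_tag("Spam"))
    print(check_spam_tag("[SPAM] suspected"))   # contains a space, so it is quoted
    japanese_tag = "迷惑メール" * 5                # 25 CJK characters
    print(compare_encodings(japanese_tag))
    # The same 25-character tag is over the limit in UTF-8 (75 bytes) but
    # fits in Shift_JIS (50 bytes): the encoding decides, not the character count.
    for enc in ("utf-8", "shift_jis"):
        print(enc, check_spam_tag(japanese_tag, enc)["fits"])
```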
smtps-spamtagtype {header | subject} {spaminfo | }
Select to affix the tag to either the MIME header or the subject line, and whether or not to append spam information to the spam header, when an email is detected as spam. Also configure smtps-spamtagmsg.
If you select to affix the tag to the subject line, the FortiGate unit will convert the entire subject line, including tag, to UTF-8 by default. This improves display for some email clients that cannot properly display subject lines that use more than one encoding. For details on disabling conversion of subject line to UTF-8, see system settings on page 453.
Default: subject spaminfo

spambwordtable <index_int>
Enter the ID number of the spamfilter banned word list to be used with the protection profile.
This variable appears only on FortiGate-800 and above units.
Default: 0
Example
This example shows how to create a profile called spammail, using:
• filtering of email according to the email banned word list, the MIME header list, and the return DNS check, with spam logged and tagged with the tag Spam in the subject, for POP3 traffic
• filtering of email based on the DNSBL server, with messages identified as spam discarded, for SMTP traffic
config firewall profile
    edit spammail
        set pop3 spamemailbwl spamhdrcheck spamraddrdns spam-mail-log
        set pop3-spamaction tag
        set pop3-spamtagmsg Spam
        set pop3-spamtagtype subject
        set smtp spamrbl
        set smtp-spamaction discard
    end
spamemaddrtable <index_int>
Enter the ID number of the spamfilter email address list to be used with the protection profile.
This variable appears only on FortiGate-800 and above units.
Default: 0

spamipbwltable <index_int>
Enter the ID number of the spamfilter IP address black/white list to be used with the protection profile.
This variable appears only on FortiGate-800 and above units.
Default: 0

spamiptrusttable <index_int>
Enter the ID number of the spamfilter IP trust list to be used with the protection profile.
This variable only appears on FortiGate-800 models and greater.
Default: 0

spammheadertable <index_int>
Enter the ID number of the spamfilter MIME header list to be used with the protection profile.
This variable only appears on FortiGate-800 models and greater.
Default: 0

spamrbltable <index_int>
Enter the ID number of the spamfilter DNSBL list to be used with the protection profile.
This variable only appears on FortiGate-800 models and greater.
Default: 0

spambwordthreshold <value_int>
If the combined scores of the banned word patterns appearing in an email message exceed the threshold value, the message will be processed according to the Spam Action setting.
Default: 10

webbwordtable <index_int>
Enter the ID number of the webfilter banned word list to be used with the protection profile.
This variable only appears on FortiGate-800 models and greater.
Default: 0

webbwordthreshold <value_int>
Enter the maximum score a web page can have before being blocked. If the combined scores of the content block patterns appearing on a web page exceed the threshold value, the page will be blocked.
Default: 10
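spambwordthreshold and webbwordthreshold above share one rule: each pattern in the list carries a score, the scores of the patterns found are combined, and the message (or page) is acted on only when the combined score exceeds the threshold, so a score equal to the threshold is not enough. The following Python script is an added example rather than FortiGate code, showing that rule on constructed input. The banned word list and its scores, the sample messages, the treatment of patterns as regular expressions, and the choice to add a pattern's score once per occurrence are all assumptions for the example; the reference does not say whether the unit counts a pattern once per message or once per match.

```python
import re

DEFAULT_THRESHOLD = 10  # default value of spambwordthreshold and webbwordthreshold

# Constructed banned word list as (pattern, score) pairs.  Assumptions: the
# patterns are regular expressions and a score is added once per occurrence.
BANNED_WORDS = [
    (r"free money", 6),
    (r"\bviagra\b", 10),
    (r"click here", 3),
    (r"unsubscribe", 1),
]


def banned_word_score(text, patterns=BANNED_WORDS):
    """Return (total_score, hits) where hits lists
    (pattern, occurrences, contribution) for every pattern that matched."""
    total = 0
    hits = []
    for pattern, weight in patterns:
        occurrences = len(re.findall(pattern, text, flags=re.IGNORECASE))
        if occurrences:
            contribution = weight * occurrences
            hits.append((pattern, occurrences, contribution))
            total += contribution
    return total, hits


def exceeds_threshold(text, threshold=DEFAULT_THRESHOLD, patterns=BANNED_WORDS):
    """True when the combined score is strictly greater than the threshold,
    i.e. when the email goes to the Spam Action or the web page is blocked."""
    total, _ = banned_word_score(text, patterns)
    return total > threshold


if __name__ == "__main__":
    # Constructed messages: one well over the threshold, one exactly at it
    # (not blocked, because the rule is 'exceed'), and one far below.
    samples = {
        "bulk mail": "FREE MONEY!!! Click here now, click here today. Unsubscribe below.",
        "at threshold": "buy viagra",
        "newsletter": "Please unsubscribe me from this newsletter.",
    }
    for label, msg in samples.items():
        total, hits = banned_word_score(msg)
        print(f"{label}: score={total} over_threshold={exceeds_threshold(msg)} hits={hits}")
```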
webexmwordtable <index_int>
Enter the ID number of the webfilter exempt word list to be used with the protection profile.
This variable only appears on FortiGate-800 models and greater.
Default: 0

weburlfiltertable <index_int>
Enter the ID number of the webfilter URL filter list to be used with the protection profile.
This variable appears only on FortiGate-800 models and greater.
Default: 0
This example shows how to add HTTP category blocking to the spammail profile created above, using:
• category blocking to deny access to web pages categorized as Games (20), Personals and Dating (37), Shopping and Auction (42) and the category group Objectionable or Controversial (g02)
• category monitoring to log access to web pages categorized as Computer Security (50) and the category group Potentially Bandwidth Consuming (g04)
config firewall profile
    edit spammail
        set ftgd-wf-deny 20 37 42 g02
        set ftgd-wf-log 50 g04
    end
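Both examples above use the config / edit / set / end structure that the rest of this reference is written in. The Python script below is an added example, not part of the reference or of FortiOS, that parses that structure into nested dictionaries so a saved profile can be audited offline, here to find profiles whose spam action is set to pass. The sample configuration is constructed from the spammail example, with a second hypothetical profile named lenient added so the audit has something to report; the parser's handling of next and end follows the way the examples on this page close their blocks.

```python
import shlex

# Constructed sample modelled on the spammail example above, plus a second,
# hypothetical profile that skips SMTP spam filtering.
SAMPLE_CONFIG = """\
config firewall profile
    edit spammail
        set pop3 spamemailbwl spamhdrcheck spamraddrdns spam-mail-log
        set pop3-spamaction tag
        set pop3-spamtagmsg "Spam"
        set pop3-spamtagtype subject spaminfo
        set smtp spamrbl
        set smtp-spamaction discard
        set ftgd-wf-deny 20 37 42 g02
        set ftgd-wf-log 50 g04
        config log
            set log-spam enable
        end
    next
    edit lenient
        set smtp spamrbl
        set smtp-spamaction pass
    end
"""


def parse_fortios_config(text):
    """Parse config/edit/set/unset/next/end text into nested dicts.

    'config' and 'edit' each open a level; 'next' closes the current edit;
    'end' closes the innermost config together with any edit still open
    inside it, which is how the examples on this page end a block without
    'next'.  Values are kept as lists because many keywords (pop3,
    ftgd-wf-deny) take several space-separated options.
    """
    root = {}
    stack = [("config", root)]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        words = shlex.split(line)          # honours the quoting the CLI requires
        keyword, args = words[0], words[1:]
        current = stack[-1][1]
        if keyword in ("config", "edit"):
            name = " ".join(args)
            stack.append((keyword, current.setdefault(name, {})))
        elif keyword == "set":
            current[args[0]] = args[1:]
        elif keyword == "unset":
            current.pop(args[0], None)
        elif keyword == "next":
            if stack[-1][0] != "edit":
                raise ValueError(f"line {lineno}: 'next' outside an edit block")
            stack.pop()
        elif keyword == "end":
            while stack[-1][0] == "edit":
                stack.pop()
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: 'end' without a matching 'config'")
            stack.pop()
        else:
            raise ValueError(f"line {lineno}: unexpected keyword {keyword!r}")
    if len(stack) != 1:
        raise ValueError("config text ends with an unclosed block")
    return root


def profiles_with_spam_action(cfg, action):
    """Names of protection profiles whose spam action for any protocol
    (pop3-spamaction, smtp-spamaction, ...) is set to the given value."""
    found = []
    for name, profile in cfg.get("firewall profile", {}).items():
        if any(key.endswith("-spamaction") and value == [action]
               for key, value in profile.items()):
            found.append(name)
    return found


if __name__ == "__main__":
    cfg = parse_fortios_config(SAMPLE_CONFIG)
    print("spammail pop3 options:", cfg["firewall profile"]["spammail"]["pop3"])
    print("profiles that pass spam unfiltered:", profiles_with_spam_action(cfg, "pass"))
```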
config log
Use this command to write event log messages when the options that you have enabled in this protection profile perform an action. For example, if you enable antivirus protection you could also use the config log command to enable log-av-block so that the FortiGate unit writes an event log message every time a virus is detected.
Variables Description Default
log-app-ctrl {enable | disable}
Select to log application control.
Default: disable

log-dlp {enable | disable}
Select to log data leak protection.
Default: disable

log-av-block {enable | disable}
Select to log file pattern or file type blocking.
Default: disable

log-av-oversize {enable | disable}
Select to log oversize file and email blocking.
Default: disable

log-av-virus {enable | disable}
Select to log viruses detected.
Default: disable

log-im {enable | disable}
Select to log IM activity by profile.
Default: disable

log-ips {enable | disable}
Select to log IPS events.
Default: disable

log-p2p {enable | disable}
Select to log P2P activity.
Default: disable

log-spam {enable | disable}
Select to log spam detected.
Default: disable

log-voip {enable | disable}
Select to log VoIP activity.
Default: disable

log-voip-violations {enable | disable}
Select to log VoIP events.
Default: disable

log-web-content {enable | disable}
Select to log web content blocking.
Default: disable

log-web-filter-activex {enable | disable}
Select to log ActiveX plugin blocking.
Default: disable

log-web-filter-applet {enable | disable}
Select to log Java applet blocking.
Default: disable

log-web-filter-cookie {enable | disable}
Select to log cookie blocking.
Default: disable
log-web-ftgd-err {enable | disable}
Select to log FortiGuard rating errors.
Default: enable

log-web-url {enable | disable}
Select to log URL blocking.
Default: disable

Example
This example shows how to enable writing event log messages when the following happens because of settings in the protection profile being configured:
• a virus is detected
• an MMS message is intercepted.
config firewall profile
    edit example
        config log
            set log-av-virus enable
            set log-intercept enable
        end
    end
config app-recognition
Use this command to configure protocol recognition options to set the HTTPS content filtering mode and to select the TCP port numbers that the protection profile monitors for the content protocols HTTP, HTTPS, SMTP, POP3, IMAP, NNTP, FTP, SMTPS, POP3S, and IMAPS.
By default the protection profile monitors the default content protocol port numbers (for example, port 80 for HTTP and so on). You can edit the settings for each content protocol and select to inspect all port numbers for that protocol or select one or more port numbers to monitor for that protocol.
Syntax
config firewall profile
    config app-recognition
        edit <ftp>
            set inspect-all {enable | disable}
            set port <port_number>
        edit <http>
            set inspect-all {enable | disable}
            set port <port_number>
        edit <https>
            set inspect-all {enable | disable}
            set port <port_number>
        edit <imap>
            set inspect-all {enable | disable}
            set port <port_number>
        edit <imaps>
            set inspect-all {enable | disable}
            set port <port_number>
        edit <nntp>
            set inspect-all {enable | disable}
            set port <port_number>
        edit <pop3>
            set inspect-all {enable | disable}
            set port <port_number>
        edit <pop3s>
            set inspect-all {enable | disable}
            set port <port_number>
        edit <smtp>
            set inspect-all {enable | disable}
            set port <port_number>
        edit <smtps>
            set inspect-all {enable | disable}
            set port <port_number>
Variables Description Default
<ftp> Configure FTP recognition. No default.
inspect-all {enable | disable}
Select to monitor all ports for the FTP protocol.
Default: disable
port <port_number>
Select the port number that the protection profile monitors for the FTP protocol. Not available if inspect-all is enabled.
Default: 21

<http> Configure HTTP recognition. No default.
inspect-all {enable | disable}
Select to monitor all ports for the HTTP protocol.
Default: disable
port <port_number>
Select the port number that the protection profile monitors for the HTTP protocol. Not available if inspect-all is enabled.
Default: 80

<https> Configure HTTPS recognition. No default.
inspect-all {enable | disable}
Select to monitor all ports for the HTTPS protocol.
Default: disable
port <port_number>
Select the port number that the protection profile monitors for the HTTPS protocol. Not available if inspect-all is enabled.
Default: 443

<imap> Configure IMAP recognition. No default.
inspect-all {enable | disable}
Select to monitor all ports for the IMAP protocol.
Default: disable
port <port_number>
Select the port number that the protection profile monitors for the IMAP protocol. Not available if inspect-all is enabled.
Default: 143

<imaps> Configure IMAPS recognition. No default.
inspect-all {enable | disable}
Select to monitor all ports for the IMAPS protocol.
Default: disable
port <port_number>
Select the port number that the protection profile monitors for the IMAPS protocol. Not available if inspect-all is enabled.
Default: 993

<nntp> Configure NNTP recognition. No default.
inspect-all {enable | disable}
Select to monitor all ports for the NNTP protocol.
Default: disable
port <port_number>
Select the port number that the protection profile monitors for the NNTP protocol. Not available if inspect-all is enabled.
Default: 119

<pop3> Configure POP3 recognition. No default.
inspect-all {enable | disable}
Select to monitor all ports for the POP3 protocol.
Default: disable
port <port_number>
Select the port number that the protection profile monitors for the POP3 protocol.
Default: 110

<pop3s> Configure POP3S recognition. No default.
inspect-all {enable | disable}
Select to monitor all ports for the POP3S protocol.
Default: disable
firewall profile
FortiGate Version 4.0 CLI Reference
01-400-93051-20090415 157
http://docs.fortinet.com/ Feedback
Example
Use the following example to monitor all ports for SMTPS protocol.
conf i g f i r ewal l pr of i l e
edi t <pr of i l e_name>
conf i g app- r ecogni t i on
edi t smt ps
set i nspect - al l enabl e
end
end
History
por t <por t _number > Select the port number that the protection profile monitors
for POP3S protocol.
995
<smt p> Configure SMTP recognition. No default.
i nspect - al l
{enabl e | di sabl e}
Select to monitor all ports for SMTP protocol. disable
por t <por t _number > Select the port number that the protection profile monitors
for SMTP protocol.
25
<smt ps> Configure SMTPS recognition. No default.
i nspect - al l
{enabl e | di sabl e}
Select to monitor all ports for SMTPS protocol. disable
por t <por t _number > Select the port number that the protection profile monitors
for SMTPS protocol.
465
FortiOS v2.80 Substantially revised.
FortiOS v2.80 MR2 Removed log variable from imap-spamaction, pop3-spamaction, and smtp-spamaction keywords.
FortiOS v2.80 MR3 Added splice variable to ftp and smtp keywords. Moved from config antivirus ftp service and config antivirus smtp service. Added chunkedbypass variable to http keyword.
FortiOS v2.80 MR5 Added http_err_detail to cat_options keyword.
FortiOS v2.80 MR6 Removed buffer_to_disk variable from ftp, http, imap, pop3, and smtp keywords. Added spamfeip variable to imap, pop3, and smtp keywords. Changed content_log variable to content-archive for ftp, http, imap, pop3, and smtp keywords.
FortiOS v2.80 MR7 Changed spamfeip variable to spamfsip for the FortiShield Antispam Service. Added no-content-summary variable to ftp, http, imap, pop3, and smtp keywords.
FortiOS v2.80 MR8 Added spamfsurl for the FortiShield spam filter URL blacklist to imap, pop3, and smtp keywords.
FortiOS v3.0 Added keywords for FortiGuard. New options added for ftp, http, imap, pop3, smtp, imap-spamtagtype, pop3-spamtagtype, smtp-spamtagtype. Added keywords for IM. Added new keywords for IPS. Added new keywords for logging. Added smtp-spamhdrip to profile. Added all IM and P2P options. Added client comforting and oversize file commands. Added NNTP-related commands. Added list selection commands for FortiGate-800 models and greater.
FortiOS v3.0 MR3 Added new options avquery and exemptword for HTTP. Removed options fileexempt, mail_log and spamfschksum from HTTP, POP3 and IMAP. Added new options archive-full, archive-summary and avquery for IMAP, POP3, and AIM. Removed options content-archive and fileexempt from IMAP and IM.
FortiOS v3.0 MR4 Added no-content-summary to AIM, ICQ, MSN, and Yahoo options. Removed transfer-log from the same commands as it is not a feature.
FortiOS v3.0 MR4 Added VoIP config commands for SCCP, Simple, and SIP protocols. Added associated-interface, nntpoversizelimit, imoversizechat, log-voip, log-voip-violations, and HTTPS commands. Removed the following options and commands: nntp-spamaction, nntp-spamtagtype, nntp-spamtagmsg. Added set smtp-spam-localoverride command.
FortiOS v3.0 MR6 New option redir-block for variable ftgd-wf-options. Blocks HTTP redirects.
FortiOS v3.0 MR6 Removed variables ips-signature and ips-anomaly. IPS sensors, formerly signatures, are now configured by selecting a sensor name. Denial of service (DoS) sensors, formerly anomalies, are no longer configured in protection profiles.
FortiOS v3.0 MR6 New variables ips-sensor-status and ips-sensor. Enables IPS sensors, and selects the IPS sensor name.
FortiOS v3.0 MR6 Renamed variable ips-log to log-ips.
FortiOS v3.0 MR6 New option block-long-chat for variable aim. Blocks oversize chat messages.
FortiOS v3.0 MR6 Renamed options content-full and content-meta to archive-full and archive-summary, respectively, for the msn, icq, and yahoo variables.
FortiOS v3.0 MR6 Removed variable ftgd-wf-ovrd-group. Authorizing a group to perform web filtering overrides now occurs within group configuration.
FortiOS v3.0 MR6 New option scanextended for the ftp and http variables. Scans for viruses and worms using the extended database of virus definitions.
FortiOS v3.0 MR7 Renamed variable allow-ssl-unknown-sess-id to block-ssl-unknown-sess-id. Blocking of unknown session ID is now disabled by default.
FortiOS v3.0 MR7 Removed variables IMAP spamhdrcheck, imap-spamaction, imap-spamtagmsg, and imap-spamtagtype.
FortiOS v3.0 MR7 Added the new config sip subcommand keyword reg-diff-port.
FortiOS v3.0 MR7 Moved config dupe, config flood, config log, config notification, config sccp, config simple, and config sip into subcommand sections.
FortiOS 4.0 Moved keywords aim, bittorrent, bittorrent-limit, edonkey, edonkey-limit, gnutella, gnutella-limit, icq, imoversizechat, kazaa, kazaa-limit, msn, p2p, skype, winny, winny-limit, yahoo, log-antispam-mass-mms, log-av-endpoint-filter, log-im, log-p2p, log-voip, log-voip-violations. Added keywords application-list, application-list-status, dlp-sensor-table, httppostaction, httpsoversizelimit, https-deep-scan, https-retry-count, httpscomfortinterval, httpscomfortamount, imaps, imapsoversizelimit, nac-quar-expiry, nac-quar-infected, pop3s, pop3soversizelimit, smtps, smtpsoversizelimit. Added syntax config app-recognition.
Related topics
firewall policy, policy6
alertemail
antivirus
ips
webfilter
schedule onetime
Use this command to add, edit, or delete one-time schedules.
Use scheduling to control when policies are active or inactive. Use one-time schedules for policies that are effective once for the period of time specified in the schedule.
Note: To edit a schedule, define the entire schedule, including the changes. This means entering all of the schedule parameters, both those that are changing and those that are not.
Syntax
    config firewall schedule onetime
        edit <name_str>
            set end <hh:mm> <yyyy/mm/dd>
            set start <hh:mm> <yyyy/mm/dd>
        end
Keywords and variables
  <name_str>
      Enter the name of this schedule. No default.
  end <hh:mm> <yyyy/mm/dd>
      Enter the ending day and time of the schedule.
      hh - 00 to 23
      mm - 00, 15, 30, or 45
      yyyy - 1992 to infinity
      mm - 01 to 12
      dd - 01 to 31
      Default: 00:00 2001/01/01.
  start <hh:mm> <yyyy/mm/dd>
      Enter the starting day and time of the schedule.
      hh - 00 to 23
      mm - 00, 15, 30, or 45
      yyyy - 1992 to infinity
      mm - 01 to 12
      dd - 01 to 31
      Default: 00:00 2001/01/01.
Example
Use the following example to add a one-time schedule named Holiday that is valid from 5:00 pm on 3 September 2004 until 8:45 am on 7 September 2004.
    config firewall schedule onetime
        edit Holiday
            set start 17:00 2004/09/03
            set end 08:45 2004/09/07
        end
History
FortiOS v2.80 Revised.
Related topics
firewall policy, policy6
firewall schedule recurring
schedule recurring
Use this command to add, edit, and delete recurring schedules used in firewall policies.
Use scheduling to control when policies are active or inactive. Use recurring schedules to create policies that repeat weekly. Use recurring schedules to create policies that are effective only at specified times of the day or on specified days of the week.
Note: If a recurring schedule is created with a stop time that occurs before the start time, the schedule starts at the start time and finishes at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next. To create a recurring schedule that runs for 24 hours, set the start and stop times to the same time.
Syntax
    config firewall schedule recurring
        edit <name_str>
            set day <name_str>
            set end <hh:mm>
            set start <hh:mm>
        end
Keywords and variables
  <name_str>
      Enter the name of this schedule. No default.
  day <name_str>
      Enter the names of one or more days of the week for which the schedule is valid. Separate multiple names with a space. Default: sunday.
  end <hh:mm>
      Enter the ending time of the schedule. hh can be 00 to 23; mm can be 00, 15, 30, or 45 only. Default: 00:00.
  start <hh:mm>
      Enter the starting time of the schedule. hh can be 00 to 23; mm can be 00, 15, 30, or 45 only. Default: 00:00.
Example
This example shows how to add a recurring schedule named access so that it is valid Monday to Friday from 7:45 am to 5:30 pm.
    config firewall schedule recurring
        edit access
            set day monday tuesday wednesday thursday friday
            set start 07:45
            set end 17:30
        end
Edit the recurring schedule named access so that it is no longer valid on Fridays.
    config firewall schedule recurring
        edit access
            set day monday tuesday wednesday thursday
            set start 07:45
            set end 17:30
        end
History
FortiOS v2.80 Revised.
Related topics
firewall policy, policy6
firewall schedule onetime
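The following evaluator is an added example, not Fortinet code, covering both the one-time schedule above and the recurring schedule just described. It applies the rules these two sections state: the hh/mm granularity of the time arguments, the sunday default for day, a one-time window bounded by its start and end timestamps, and for recurring schedules the wrap into the next day when the stop time precedes the start time and the 24-hour window when both are equal. The class and helper names, the decision to treat the end instant as exclusive, and the sample timestamps are assumptions made for the example.

```python
"""Evaluator for FortiGate one-time and recurring firewall schedules.

Added example; not Fortinet code. Class and function names, and the choice to
treat the end instant as exclusive, are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

DAY_NAMES = ("monday", "tuesday", "wednesday", "thursday",
             "friday", "saturday", "sunday")          # index == date.weekday()
ALLOWED_MINUTES = (0, 15, 30, 45)                      # the CLI accepts only these


def parse_hhmm(text: str) -> time:
    """Parse an <hh:mm> argument with the CLI rule hh 00-23, mm 00/15/30/45."""
    hh, mm = (int(part) for part in text.split(":"))
    if not 0 <= hh <= 23 or mm not in ALLOWED_MINUTES:
        raise ValueError(f"bad time {text!r}: hh 00-23, mm one of {ALLOWED_MINUTES}")
    return time(hh, mm)


def _as_datetime(value) -> datetime:
    # accept either a datetime or an ISO-8601 string such as 2004-09-06T09:00
    return datetime.fromisoformat(value) if isinstance(value, str) else value


@dataclass(frozen=True)
class OneTimeSchedule:
    name: str
    start: datetime
    end: datetime

    @classmethod
    def from_cli(cls, name, start_hhmm, start_date, end_hhmm, end_date):
        """Arguments in the order of 'set start <hh:mm> <yyyy/mm/dd>' and 'set end'."""
        start = datetime.combine(datetime.strptime(start_date, "%Y/%m/%d").date(),
                                 parse_hhmm(start_hhmm))
        end = datetime.combine(datetime.strptime(end_date, "%Y/%m/%d").date(),
                               parse_hhmm(end_hhmm))
        return cls(name, start, end)

    def is_active(self, now) -> bool:
        now = _as_datetime(now)
        return self.start <= now < self.end


@dataclass(frozen=True)
class RecurringSchedule:
    name: str
    days: frozenset        # day names as given to 'set day'
    start: time
    end: time

    @classmethod
    def from_cli(cls, name, day_list, start_hhmm, end_hhmm):
        # an empty day list falls back to the CLI default, sunday
        days = frozenset(day_list.lower().split()) or frozenset({"sunday"})
        unknown = days - set(DAY_NAMES)
        if unknown:
            raise ValueError(f"unknown day name(s): {sorted(unknown)}")
        return cls(name, days, parse_hhmm(start_hhmm), parse_hhmm(end_hhmm))

    def _starts_on(self, day: date) -> bool:
        return DAY_NAMES[day.weekday()] in self.days

    def is_active(self, now) -> bool:
        now = _as_datetime(now)
        today, clock = now.date(), now.time()
        if self.start == self.end:
            # start == end: a full 24-hour window on each listed day
            return self._starts_on(today)
        if self.start < self.end:
            # ordinary same-day window
            return self._starts_on(today) and self.start <= clock < self.end
        # stop time before start time: the window that starts today runs into
        # tomorrow, so an early-morning 'now' may belong to yesterday's window
        if clock >= self.start:
            return self._starts_on(today)
        if clock < self.end:
            return self._starts_on(today - timedelta(days=1))
        return False
```

A policy-evaluation harness can call is_active with the current time to decide whether a policy that references the schedule is in force; the overnight branch is the part worth testing separately, since a window such as friday 22:00 to 06:00 must accept 03:00 on Saturday but reject 03:00 on Friday.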
service custom
Use this command to configure a firewall service that is not in the predefined service list.
Syntax
    config firewall service custom
        edit <name_str>
            set comment <string>
            set icmpcode <code_int>
            set icmptype <type_int>
            set protocol {ICMP | IP | TCP/UDP}
            set protocol-number <protocol_int>
            set tcp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
            set udp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
        end
Note: To display a list of all predefined service names, enter the command get firewall service predefined ?. To display a predefined service's details, enter the command get firewall service predefined <service_str>. For details, see get firewall service predefined on page 682.
Keywords and variables
  <name_str>
      Enter the name of this custom service. No default.
  comment <string>
      Add comments for the custom service. No default.
  icmpcode <code_int>
      Enter the ICMP code number. Find ICMP type and code numbers at www.iana.org. No default.
  icmptype <type_int>
      Enter the ICMP type number. The range for type_int is from 0-255. Find ICMP type and code numbers at www.iana.org. Default: 0.
  protocol {ICMP | IP | TCP/UDP}
      Enter the protocol used by the service. Default: IP.
  protocol-number <protocol_int>
      For an IP service, enter the IP protocol number. For information on protocol numbers, see http://www.iana.org. Default: 0.
  tcp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
      For TCP services, enter the destination and source port ranges. If the destination port range can be any port, enter 1-65535. If the destination is only a single port, simply enter a single port number for dstportlow_int and no value for dstporthigh_int.
      If the source port can be any port, no source port need be added. If the source port is only a single port, simply enter a single port number for srcportlow_int and no value for srcporthigh_int. No default.
  udp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
      For UDP services, enter the destination and source port ranges. If the destination port range can be any port, enter 1-65535. If the destination is only a single port, simply enter a single port number for dstportlow_int and no value for dstporthigh_int.
      If the source port can be any port, no source port need be added. If the source port is only a single port, simply enter a single port number for srcportlow_int and no value for srcporthigh_int. No default.
Example
This example shows how to add a custom service called Custom_1. The service destination port range is TCP 4501 to 4503. The service can use any source port.
    config firewall service custom
        edit Custom_1
            set protocol TCP/UDP
            set tcp-portrange 4501-4503
        end
A second example shows how to add a custom service called Custom_2. The service destination port range is TCP 4545 to 4550. The service uses source port 9620.
    config firewall service custom
        edit Custom_2
            set protocol TCP/UDP
            set tcp-portrange 4545-4550:9620
        end
History
FortiOS v2.80 Revised.
FortiOS v3.00 The portrange command split into tcp-portrange and udp-portrange.
FortiOS v4.00 Added keyword comment.
Related topics
firewall policy, policy6
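The tcp-portrange and udp-portrange arguments pack a destination range and an optional source range into one token, and the two examples above show the two common shapes (destination range only, and destination range with a single source port). The parser and matcher below are an added example, not Fortinet code: they implement the syntax as the keyword table describes it, reject values outside 1-65535 and inverted ranges, treat an absent source part as any source port, and let you test whether a given destination/source port pair falls inside a custom service. The class and function names and the sample port values are assumptions made for the example.

```python
"""Parser and matcher for the FortiGate custom-service port-range syntax
<dstlow>[-<dsthigh>][:<srclow>[-<srchigh>]].

Added example; not Fortinet code. Names and sample values are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

PORT_MIN, PORT_MAX = 1, 65535
_RANGE_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")   # "80" or "80-83"


@dataclass(frozen=True)
class PortRange:
    low: int
    high: int

    def contains(self, port: int) -> bool:
        return self.low <= port <= self.high


@dataclass(frozen=True)
class ServicePorts:
    dst: PortRange
    src: PortRange            # full range when the argument has no source part

    def matches(self, dst_port: int, src_port: int) -> bool:
        return self.dst.contains(dst_port) and self.src.contains(src_port)


def _parse_range(text: str, what: str) -> PortRange:
    m = _RANGE_RE.match(text)
    if not m:
        raise ValueError(f"bad {what} port range {text!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) is not None else low   # single port
    if not (PORT_MIN <= low <= PORT_MAX and PORT_MIN <= high <= PORT_MAX):
        raise ValueError(f"{what} ports must be {PORT_MIN}-{PORT_MAX}: {text!r}")
    if low > high:
        raise ValueError(f"{what} range low exceeds high: {text!r}")
    return PortRange(low, high)


def parse_portrange(spec: str) -> ServicePorts:
    """Parse one tcp-portrange / udp-portrange argument."""
    spec = spec.strip()
    if spec.count(":") > 1:
        raise ValueError(f"only one ':' allowed in {spec!r}")
    dst_text, _, src_text = spec.partition(":")
    dst = _parse_range(dst_text, "destination")
    # no source part means the service accepts any source port
    src = PortRange(PORT_MIN, PORT_MAX) if src_text == "" else _parse_range(src_text, "source")
    return ServicePorts(dst, src)


@dataclass(frozen=True)
class CustomService:
    """A 'config firewall service custom' entry with protocol TCP/UDP."""
    name: str
    tcp: Optional[ServicePorts] = None
    udp: Optional[ServicePorts] = None

    @classmethod
    def from_cli(cls, name, tcp_portrange=None, udp_portrange=None):
        return cls(name,
                   parse_portrange(tcp_portrange) if tcp_portrange else None,
                   parse_portrange(udp_portrange) if udp_portrange else None)

    def matches(self, proto: str, dst_port: int, src_port: int) -> bool:
        ports = {"tcp": self.tcp, "udp": self.udp}.get(proto.lower())
        return ports is not None and ports.matches(dst_port, src_port)
```

Because the source side defaults to the full range, a service such as Custom_1 matches any client port, while Custom_2 matches only connections whose source port is 9620; reviewing a policy that uses a custom service is easier when the parsed ranges are printed side by side rather than read from the packed token.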
service group
Use this command to configure firewall service groups.
To simplify policy creation, you can create groups of services and then add one policy to provide or block access for all the services in the group. A service group can contain predefined services and custom services in any combination. A service group cannot contain another service group.
Note: To edit a service group, enter all of the members of the service group, both those changing and those staying the same.
Syntax
    config firewall service group
        edit <group-name_str>
            set comment
            set member <service_str>
        end
Keywords and variables
  <group-name_str>
      Enter the name of this service group. No default.
  comment
      Add comments for this service group. No default.
  member <service_str>
      Enter one or more names of predefined or custom firewall services to add to the service group. Separate multiple names with a space. To view the list of available services, enter set member ? at the prompt. <service_str> is case-sensitive. No default.
Example
This example shows how to add a service group called web_Services that includes the FTP, HTTP, HTTPS, and Real Audio services.
    config firewall service group
        edit web_Services
            set member FTP HTTP HTTPS RAUDIO
        end
This example shows how to add the TELNET service to the web_Services service group.
    config firewall service group
        edit web_Services
            set member FTP HTTP HTTPS RAUDIO TELNET
        end
History
FortiOS v2.80 Revised.
FortiOS v4.00 Added keyword comment.
Related topics
firewall policy, policy6
ssl setting
Use this command to configure SSL proxy settings so that you can apply antivirus scanning, web filtering, FortiGuard web filtering, spam filtering, data leak prevention (DLP), and content archiving to HTTPS, IMAPS, POP3S, and SMTPS traffic by using the config firewall profile command.
To perform SSL content scanning and inspection, the FortiGate unit does the following:
- intercepts and decrypts HTTPS, IMAPS, POP3S, and SMTPS sessions between clients and servers (FortiGate SSL acceleration speeds up decryption)
- applies content inspection to decrypted content, including:
  - HTTPS, IMAPS, POP3S, and SMTPS antivirus, DLP, and content archiving
  - HTTPS web filtering and FortiGuard web filtering
  - IMAPS, POP3S, and SMTPS spam filtering
- re-encrypts the sessions and forwards them to their destinations.
Syntax
    config firewall ssl setting
        set caname <certificate_str>
        set cert-cache-capacity <capacity_integer>
        set cert-cache-timeout <timeout_integer>
        set proxy-connect-timeout <timeout_integer>
        set session-cache-capacity <capacity_integer>
        set session-cache-timeout <port_int>
        set ssl-dh-bits {1024 | 1536 | 2048 | 768}
        set ssl-max-version {ssl-3.0 | tls-1.0}
        set ssl-min-version {ssl-3.0 | tls-1.0}
        set ssl-send-empty-frags {enable | disable}
    end
Keywords and variables
  caname <certificate_str>
      Select the CA certificate used by SSL content scanning and inspection for establishing encrypted SSL sessions. Default: Fortinet_CA_SSLProxy.
  cert-cache-capacity <capacity_integer>
      Enter the capacity of the host certificate cache. The range is from 0 to 200. Default: 100.
  cert-cache-timeout <timeout_integer>
      Enter the time limit to keep the certificate cache. The range is from 1 to 120 minutes. Default: 10.
  proxy-connect-timeout <timeout_integer>
      Enter the time limit to make an internal connection to the appropriate proxy process (1 - 60 seconds). Default: 30.
  session-cache-capacity <capacity_integer>
      Enter the capacity of the SSL session cache (0 - 1000). Default: 500.
  session-cache-timeout <port_int>
      Enter the time limit in minutes to keep the SSL session. Default: 20.
  ssl-dh-bits {1024 | 1536 | 2048 | 768}
      Select the size of the Diffie-Hellman prime used in DHE_RSA negotiation. Default: 1024.
  ssl-max-version {ssl-3.0 | tls-1.0}
      Select the highest SSL/TLS version to negotiate. Default: tls-1.0.
  ssl-min-version {ssl-3.0 | tls-1.0}
      Select the lowest SSL/TLS version to negotiate. Default: ssl-3.0.
  ssl-send-empty-frags {enable | disable}
      Enable or disable sending empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only). Default: enable.
Example
This example shows how to add a signing CA certificate to the SSL content scanning and inspection configuration. Use the following CLI command if the certificate name is Example_CA.
    config firewall ssl setting
        set caname Example_CA
    end
The Example_CA signing CA certificate will now be used by SSL content scanning and inspection for establishing encrypted SSL sessions.
History
FortiOS v4.00 New.
Related topics
firewall policy, policy6
firewall profile
traffic-shaper
Use this command to configure which firewall policies have the highest priority when large amounts of data are moving through the FortiGate unit.
Syntax
    config firewall traffic-shaper
        edit <name_str>
            set guaranteed-bandwidth <bandwidth_value>
            set maximum-bandwidth <bandwidth_value>
            set per-policy {enable | disable}
            set priority {high | low | medium}
        end
Keywords and variables
  <name_str>
      Enter the name of the traffic shaper. No default.
  guaranteed-bandwidth <bandwidth_value>
      Enter the amount of bandwidth guaranteed to be available for traffic controlled by the policy. bandwidth_value can be 0 to 2097000 Kbytes/second. Default: 0.
  maximum-bandwidth <bandwidth_value>
      Enter the maximum amount of bandwidth available for traffic controlled by the policy. bandwidth_value can be 0 to 2097000 Kbytes/second. If maximum bandwidth is set to 0, no traffic is allowed by the policy. Default: 0.
  per-policy {enable | disable}
      Enable or disable applying this traffic shaper to a single firewall policy that uses it. Default: disable.
  priority {high | low | medium}
      Select the priority level for traffic controlled by the policy. Default: high.
Example
This example shows how to set traffic_shaper1's guaranteed bandwidth to 100000.
    config firewall traffic-shaper
        edit traffic_shaper1
            set guaranteed-bandwidth 100000
        end
History
FortiOS v4.00 Separated from firewall policy.
Related topics
firewall policy, policy6
firewall profile
vip
Use this command to configure virtual IPs and their associated address and port mappings (NAT).
Virtual IPs can be used to allow connections through a FortiGate unit using network address translation (NAT) firewall policies. Virtual IPs can use proxy ARP so that the FortiGate unit can respond to ARP requests on a network for a server that is actually installed on another network. Proxy ARP is defined in RFC 1027.
For example, you can add a virtual IP to an external FortiGate unit interface so that the external interface can respond to connection requests for users who are actually connecting to a server on the DMZ or internal network.
Depending on your configuration of the virtual IP, its mapping may involve port address translation (PAT), also known as port forwarding or network address port translation (NAPT), and/or network address translation (NAT) of IP addresses.
If you configure NAT in the virtual IP and firewall policy, the NAT behavior varies by your selection of:
- static vs. dynamic NAT mapping
- the dynamic NAT's load balancing style, if using dynamic NAT mapping
- full NAT vs. destination NAT (DNAT)
The following table describes combinations of PAT and/or NAT that are possible when configuring a firewall policy with a virtual IP.
Static NAT
    Static, one-to-one NAT mapping: an external IP address is always translated to the same mapped IP address.
    If using IP address ranges, the external IP address range corresponds to a mapped IP address range containing an equal number of IP addresses, and each IP address in the external range is always translated to the same IP address in the mapped range.
Static NAT with Port Forwarding
    Static, one-to-one NAT mapping with port forwarding: an external IP address is always translated to the same mapped IP address, and an external port number is always translated to the same mapped port number.
    If using IP address ranges, the external IP address range corresponds to a mapped IP address range containing an equal number of IP addresses, and each IP address in the external range is always translated to the same IP address in the mapped range. If using port number ranges, the external port number range corresponds to a mapped port number range containing an equal number of port numbers, and each port number in the external range is always translated to the same port number in the mapped range.
Load Balancing
    Dynamic, one-to-many NAT mapping: an external IP address is translated to one of the mapped IP addresses. For each session, a load balancing algorithm dynamically selects an IP address from the mapped IP address range to provide more even traffic distribution. The external IP address is not always translated to the same mapped IP address.
Load Balancing with Port Forwarding
    Dynamic, one-to-many NAT mapping with port forwarding: an external IP address is translated to one of the mapped IP addresses. For each session, a load balancing algorithm dynamically selects an IP address from the mapped IP address range to provide more even traffic distribution. The external IP address is not always translated to the same mapped IP address.
Dynamic Virtual IPs
    Dynamic, many-to-few or many-to-one NAT mapping: if you set the external IP address of a virtual IP to 0.0.0.0, the interface maps traffic destined for any IP address, and is dynamically translated to a mapped IP address or address range.
Server Load Balancing
    Dynamic, one-to-many NAT mapping: an external IP address is translated to one of the mapped IP addresses, as determined by the selected load balancing algorithm for more even traffic distribution. The external IP address is not always translated to the same mapped IP address.
    Server load balancing requires that you configure at least one real server, but can use up to eight (8) real servers per virtual IP (VIP). Real servers can be configured with health check monitors. Health check monitors can be used to gauge server responsiveness before forwarding packets.
Server Load Balancing with Port Forwarding
    Dynamic, one-to-many NAT mapping with port forwarding: an external IP address is translated to one of the mapped IP addresses, as determined by the selected load balancing algorithm for more even traffic distribution. The external IP address is not always translated to the same mapped IP address.
    Server load balancing requires that you configure at least one real server, but can use up to eight (8) real servers per virtual IP (VIP). Real servers can be configured with health check monitors. Health check monitors can be used to gauge server responsiveness before forwarding packets.
Note: If the NAT check box is not selected when building the firewall policy, the resulting policy does not perform full (source and destination) NAT; instead, it performs destination network address translation (DNAT).
For inbound traffic, DNAT translates packets' destination address to the mapped private IP address, but does not translate the source address. The private network is aware of the source's public IP address.
For reply traffic, the FortiGate unit translates packets' private network source IP address to match the destination address of the originating packets, which is maintained in the session table.
Virtual IPs have the following requirements.
- The Mapped IP Address/Range cannot be 0.0.0.0 or 255.255.255.255.
- The Mapped IP Address/Range must not include any interface IP addresses.
- If the virtual IP is mapped to a range of IP addresses and its type is Static NAT, the External IP Address/Range cannot be 0.0.0.0.
- When port forwarding, the External IP Address/Range cannot include any interface IP addresses.
- When port forwarding, the count of mapped port numbers and external port numbers must be the same, and the last port number in the range must not exceed 65535.
- Virtual IP names must be different from address or address group names.
- Duplicate entries or overlapping ranges are not permitted.
Syntax
    config firewall vip
        edit <name_str>
            set arp-reply {enable | disable}
            set comment <comment_str>
            set extintf <name_str>
            set extip <address_ipv4>
            set extport <port_int>
            set gratuitous-arp-interval <interval_seconds>
            set http-ip-header {enable | disable}
            set http-multiplex {enable | disable}
            set id <id_num_str>
            set ldb-method {first-alive | least-rtt | least-session | round-robin | static | weighted}
            set mappedip [<start_ipv4>-<end_ipv4>]
            set mappedport <port_int>
            set max-embryonic-connections <initiated_int>
            set monitor <name_str>
            set nat-source-vip {enable | disable}
            set portforward {enable | disable}
            set protocol {tcp | udp}
            set server-type {http | https | ip | ssl | tcp | udp}
            set persistence {none | ssl-session-id}
            set ssl-mode {full | half}
            set ssl-certificate <certificate_str>
            set ssl-client-session-state-max <sessionstates_int>
            set ssl-client-session-state-timeout <timeout_int>
            set ssl-client-session-state-type {both | client | disable | time}
            set ssl-dh-bits <bits_int>
            set ssl-http-location-conversion {enable | disable}
            set ssl-http-match-host {enable | disable}
            set ssl-max-version {ssl-3.0 | tls-1.0}
            set ssl-min-version {ssl-3.0 | tls-1.0}
            set ssl-send-empty-frags {enable | disable}
            set ssl-server-session-state-max <sessionstates_int>
            set ssl-server-session-state-timeout <timeout_int>
            set ssl-server-session-state-type {both | count | disable | time}
            set type {load-balance | server-load-balance | static-nat}
            config realservers
                edit <table_id>
                    set client-ip <ip_range_str>
                    set healthcheck {enable | disable}
                    set holddown-interval <seconds_int>
                    set ip <server_ip>
                    set max-connections <connection_integer>
                    set monitor <healthcheck_str>
                    set port <port_ip>
                    set status {active | disable | standby}
                    set weight <loadbalanceweight_int>
                end
        end
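The requirements listed above, together with the extip and extport behaviour described in the keyword table (extip and extport name the first external address and port, and the unit derives the end of each external range so that it has as many entries as the mapped range), can be checked before a static NAT virtual IP is pushed to a unit. The checker below is an added example and is not Fortinet code: it validates a static-nat VIP against the listed requirements, derives the external address and port ranges, and performs the resulting one-to-one destination translation for an inbound packet so the mapping can be reviewed offline. The class and function names, the interface addresses and the sample VIP values are assumptions made for the example; the dynamic case is limited to a single mapped address, as the requirements list rules out a 0.0.0.0 external address for a static NAT range.

```python
"""Static NAT virtual IP checker and destination translator.

Added example; not Fortinet code. Names and sample values are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

ANY_IP = IPv4Address("0.0.0.0")
BROADCAST = IPv4Address("255.255.255.255")


def parse_ip_range(text: str) -> Tuple[IPv4Address, IPv4Address]:
    """'10.0.0.21' -> (a, a); '10.0.0.21-10.0.0.24' -> (a, b), as for mappedip."""
    first, _, last = text.partition("-")
    lo = IPv4Address(first)
    hi = IPv4Address(last) if last else lo
    if hi < lo:
        raise ValueError(f"range end precedes start: {text!r}")
    return lo, hi


def parse_port_range(text: str) -> Tuple[int, int]:
    """'80' -> (80, 80); '80-83' -> (80, 83), as for mappedport."""
    first, _, last = text.partition("-")
    lo = int(first)
    hi = int(last) if last else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {text!r}")
    return lo, hi


@dataclass(frozen=True)
class DerivedMapping:
    ext_range: Tuple[IPv4Address, IPv4Address]
    mapped_range: Tuple[IPv4Address, IPv4Address]
    ext_ports: Optional[Tuple[int, int]]       # None when not port forwarding
    mapped_ports: Optional[Tuple[int, int]]

    def translate(self, dst_ip, dst_port: int):
        """Destination translation for one inbound packet, by offset within the
        ranges; None when the VIP does not match the packet."""
        dst_ip = IPv4Address(dst_ip)
        e_lo, e_hi = self.ext_range
        if e_lo == ANY_IP:                      # dynamic VIP: any destination IP
            mapped_ip = self.mapped_range[0]
        elif e_lo <= dst_ip <= e_hi:
            mapped_ip = IPv4Address(int(self.mapped_range[0]) + int(dst_ip) - int(e_lo))
        else:
            return None
        if self.ext_ports is None:
            return mapped_ip, dst_port
        ep_lo, ep_hi = self.ext_ports
        if not ep_lo <= dst_port <= ep_hi:
            return None
        return mapped_ip, self.mapped_ports[0] + (dst_port - ep_lo)


@dataclass(frozen=True)
class StaticNatVip:
    name: str
    extip: str                 # first external address; 0.0.0.0 = any (dynamic VIP)
    mappedip: str              # single address or start-end range
    portforward: bool = False
    extport: int = 0           # first external port when port forwarding
    mappedport: str = "0"      # port or start-end range when port forwarding

    def validate(self, interface_ips) -> DerivedMapping:
        """Raise ValueError for any violated requirement; else derive the ranges."""
        iface = [IPv4Address(ip) for ip in interface_ips]
        m_lo, m_hi = parse_ip_range(self.mappedip)
        for bad in (ANY_IP, BROADCAST):
            if m_lo <= bad <= m_hi:
                raise ValueError(f"{self.name}: mapped range cannot include {bad}")
        for ip in iface:
            if m_lo <= ip <= m_hi:
                raise ValueError(f"{self.name}: mapped range includes interface IP {ip}")
        e_lo = IPv4Address(self.extip)
        size = int(m_hi) - int(m_lo) + 1
        if size > 1 and e_lo == ANY_IP:
            raise ValueError(f"{self.name}: static NAT to a range needs a non-zero extip")
        # the external range gets exactly as many addresses as the mapped range
        e_hi = e_lo if e_lo == ANY_IP else IPv4Address(int(e_lo) + size - 1)
        ext_ports = mapped_ports = None
        if self.portforward:
            for ip in iface:
                if e_lo <= ip <= e_hi:
                    raise ValueError(f"{self.name}: external range includes interface IP {ip}")
            mp_lo, mp_hi = parse_port_range(self.mappedport)
            if not 1 <= self.extport <= 65535:
                raise ValueError(f"{self.name}: extport must be 1-65535 when port forwarding")
            ep_hi = self.extport + (mp_hi - mp_lo)   # same count as the mapped ports
            if ep_hi > 65535:
                raise ValueError(f"{self.name}: external port range would end at {ep_hi}")
            ext_ports, mapped_ports = (self.extport, ep_hi), (mp_lo, mp_hi)
        return DerivedMapping((e_lo, e_hi), (m_lo, m_hi), ext_ports, mapped_ports)
```

Running validate with the unit's interface addresses before committing the VIP catches the overlap and range-size errors the CLI would reject, and translate shows which internal address and port a given external destination lands on, which is the quickest way to confirm that a derived external range does not silently cover more public addresses than intended.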
Keywords and variables Description Default
<name_st r > Enter the name of this virtual IP address. No default.
ar p- r epl y
{enabl e | di sabl e}
Select to respond to ARP requests for this virtual IP address. enabl e
comment <comment _st r > Enter comments relevant to the configured virtual IP. No default
ext i nt f <name_st r > Enter the name of the interface connected to the source
network that receives the packets that will be forwarded to the
destination network. The interface name can be any FortiGate
network interface, VLAN subinterface, IPSec VPN interface,
or modem interface.
No default.
ext i p <addr ess_i pv4> Enter the IP address on the external interface that you want to
map to an address on the destination network.
If t ype is st at i c- nat and mappedi p is an IP address
range, the FortiGate unit uses ext i p as the first IP address in
the external IP address range, and calculates the last IP
address required to create an equal number of external and
mapped IP addresses for one-to-one mapping.
To configure a dynamic virtual IP that accepts connections
destined for any IP address, set ext i p to 0.0.0.0.
0. 0. 0. 0
firewall vip
FortiGate Version 4.0 CLI Reference
01-400-93051-20090415 171
http://docs.fortinet.com/ Feedback
ext por t <por t _i nt > Enter the external port number that you want to map to a port
number on the destination network.
If you want to configure a static NAT virtual IP that maps a
range of external port numbers to a range of destination port
numbers, set ext i p to the first port number in the range.
Then set mappedpor t to the start and end of the destination
port range. The FortiGate unit automatically calculates the
end of the ext por t port number range.
To configure a dynamic virtual IP that accepts connections for
any port, set ext por t to 0.
0
gratuitous-arp-interval <interval_seconds>
    Configure sending of ARP packets by a virtual IP. You can set the time interval between sending ARP packets. Set the interval to 0 to disable sending ARP packets.
    Default: 0
http-ip-header {enable | disable}
    Select to preserve the client's IP address in the X-Forwarded-For HTTP header line. This can be useful if you require logging on the server of the client's original IP address. If this option is not selected, the header will contain the IP address of the FortiGate unit.
    This option appears only if portforward and http are enable.
    Default: disable
http-multiplex {enable | disable}
    Select to use the FortiGate unit's HTTP proxy to multiplex multiple client connections destined for the web server into a few connections between the FortiGate unit and the web server. This can improve performance by reducing server overhead associated with establishing multiple connections. The server must be HTTP/1.1 compliant.
    This option is only available if server-type is http or https.
    Default: disable
id <id_num_str>
    Enter a unique identification number for the configured virtual IP. Not checked for uniqueness. Range 0 - 65535.
    Default: none
ldb-method {first-alive | least-rtt | least-session | round-robin | static | weighted}
    Select the load balancing method.
    first-alive: Always directs requests to the first alive real server.
    least-rtt: Directs requests to the server with the least round trip time. The round trip time is determined by a Ping monitor and defaults to 0 if no Ping monitors are defined.
    least-session: Directs requests to the server that has the least number of current connections. This method works best in environments where the servers or other equipment you are load balancing have similar capabilities.
    round-robin: Directs requests to the next server, and treats all servers as equals regardless of response time or number of connections. Unresponsive servers are avoided. A separate server is required.
    static: Distributes load evenly across all servers; separate servers are not required.
    weighted: Servers with a higher weight value will receive a larger percentage of connections at any one time. Server weights can be set with set weight in config realservers.
    This option appears only if type is server-load-balance.
    Default: static
mappedip [<start_ipv4>-<end_ipv4>]
    Enter the IP address or IP address range on the destination network to which the external IP address is mapped.
    If type is static-nat and mappedip is an IP address range, the FortiGate unit uses extip as the first IP address in the external IP address range, and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping.
    If type is load-balance and mappedip is an IP address range, the FortiGate unit uses extip as a single IP address to create a one-to-many mapping.
    Default: 0.0.0.0
mappedport <port_int>
    Enter the port number on the destination network to which the external port number is mapped.
    You can also enter a port number range to forward packets to multiple ports on the destination network.
    For a static NAT virtual IP, if you add a mapped port range, the FortiGate unit calculates the external port number range.
    Default: 0
max-embryonic-connections <initiated_int>
    Enter the maximum number of partially established SSL or HTTP connections. This should be greater than the maximum number of connections you want to establish per second.
    This option appears only if portforward is enable, and http is enable or ssl is not off.
    Default: 1000
monitor <name_str>
    Select the health check monitor for use when polling to determine a virtual server's connectivity status.
    Default: none
nat-source-vip {enable | disable}
    Enable nat-source-vip to prevent unintended servers from using this virtual IP.
    Default: disable
portforward {enable | disable}
    Select to enable port forwarding. You must also specify the port forwarding mappings by configuring extport and mappedport.
    Default: disable
protocol {tcp | udp}
    Select the protocol, TCP or UDP, to use when forwarding packets.
    Default: tcp
server-type {http | https | ip | ssl | tcp | udp}
    Select the communication protocol used by the virtual server.
    This option is only available if type is server-load-balance.
    Default: ssl
persistence {none | ssl-session-id}
    Persistence is the process of ensuring that a user is connected to the same server every time they make a request within the boundaries of a single session.
    none: No persistence option is selected.
    ssl-session-id: Persistence time is equal to that of the SSL session.
    This option is only available if server-type is http, https, or ssl.
    Default: none
ssl-mode {full | half}
    Select whether or not to accelerate SSL communications with the destination by using the FortiGate unit to perform SSL operations, and indicate which segments of the connection will receive SSL offloading.
    full: Select to apply SSL to both parts of the connection: the segment between the client and the FortiGate unit, and the segment between the FortiGate unit and the server. The segment between the FortiGate unit and the server will use encrypted communications, but the handshakes will be abbreviated. This results in performance which is less than the half option, but still improved over communications without SSL acceleration, and can be used in failover configurations where the failover path does not have an SSL accelerator. If the server is already configured to use SSL, this also enables SSL acceleration without requiring changes to the server's configuration.
    half: Select to apply SSL only to the part of the connection between the client and the FortiGate unit. The segment between the FortiGate unit and the server will use clear text communications. This results in the best performance, but cannot be used in failover configurations where the failover path does not have an SSL accelerator.
    SSL 3.0, TLS 1.0, and TLS 1.1 are supported.
    This option appears only if server-type is ssl, and only on FortiGate models whose hardware supports SSL acceleration, such as the FortiGate-3600A.
    Default: full
ssl-certificate <certificate_str>
    Enter the name of the SSL certificate to use with SSL acceleration.
    This option appears only if type is server-load-balance and server-type is ssl.
    Default: none
ssl-client-session-state-max <sessionstates_int>
    Enter the maximum number of SSL session states to keep for the segment of the SSL connection between the client and the FortiGate unit.
    This option appears only if type is server-load-balance and server-type is ssl.
    Default: 1000
ssl-client-session-state-timeout <timeout_int>
    Enter the number of minutes to keep the SSL session states for the segment of the SSL connection between the client and the FortiGate unit.
    This option appears only if type is server-load-balance and server-type is ssl.
    Default: 30
ssl-client-session-state-type {both | count | disable | time}
    Select which method the FortiGate unit should use when deciding to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate unit.
    both: Select to expire SSL session states when either ssl-client-session-state-max or ssl-client-session-state-timeout is exceeded, regardless of which occurs first.
    count: Select to expire SSL session states when ssl-client-session-state-max is exceeded.
    disable: Select to keep no SSL session states.
    time: Select to expire SSL session states when ssl-client-session-state-timeout is exceeded.
    This option appears only if type is server-load-balance and server-type is ssl.
    Default: both
ssl-dh-bits <bits_int>
    Enter the number of bits of the prime number used in the Diffie-Hellman exchange for RSA encryption of the SSL connection. Larger prime numbers are associated with greater cryptographic strength.
    This option appears only if type is server-load-balance and server-type is ssl.
    Default: 1024
ssl-http-location-conversion {enable | disable}
    Select to replace http with https in the reply's Location HTTP header field.
    For example, in the reply, Location: http://example.com/ would be converted to Location: https://example.com/.
    This option appears only if type is server-load-balance and server-type is https.
    Default: disable
ssl-http-match-host {enable | disable}
    Select to apply Location conversion to the reply's HTTP header only if the host name portion of Location matches the request's Host field, or, if the Host field does not exist, the host name portion of the request's URI. If disabled, conversion occurs regardless of whether the host names in the request and the reply match.
    For example, if host matching is enabled, and a request contains Host: example.com and the reply contains Location: http://example.cc/, the Location field does not match the host of the original request and the reply's Location field remains unchanged. If the reply contains Location: http://example.com/, however, then the FortiGate unit detects the matching host name and converts the reply field to Location: https://example.com/.
    This option appears only if ssl-http-location-conversion is enable.
    Default: disable
ssl-max-version {ssl-3.0 | tls-1.0}
    Enter the maximum version of SSL/TLS to accept in negotiation.
    This option appears only if type is server-load-balance and server-type is ssl.
    Default: tls-1.0
ssl-min-version {ssl-3.0 | tls-1.0}
    Enter the minimum version of SSL/TLS to accept in negotiation.
    This option appears only if type is server-load-balance and server-type is ssl.
    Default: ssl-3.0
ssl-send-empty-frags {enable | disable}
    Select to precede the record with empty fragments to thwart attacks on the CBC IV. You might disable this option if SSL acceleration will be used with an old or buggy SSL implementation which cannot properly handle empty fragments.
    This option appears only if type is server-load-balance and server-type is ssl, and applies only to SSL 3.0 and TLS 1.0.
    Default: enable
ssl-server-session-state-max <sessionstates_int>
    Enter the maximum number of SSL session states to keep for the segment of the SSL connection between the server and the FortiGate unit.
    This option appears only if ssl-mode is full.
    Default: 1000
ssl-server-session-state-timeout <timeout_int>
    Enter the number of minutes to keep the SSL session states for the segment of the SSL connection between the server and the FortiGate unit.
    This option appears only if ssl-mode is full.
    Default: 30
ssl-server-session-state-type {both | count | disable | time}
    Select which method the FortiGate unit should use when deciding to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate unit.
    both: Select to expire SSL session states when either ssl-server-session-state-max or ssl-server-session-state-timeout is exceeded, regardless of which occurs first.
    count: Select to expire SSL session states when ssl-server-session-state-max is exceeded.
    disable: Select to keep no SSL session states.
    time: Select to expire SSL session states when ssl-server-session-state-timeout is exceeded.
    This option appears only if ssl-mode is full.
    Default: both
type {load-balance | server-load-balance | static-nat}
    Select the type of static or dynamic NAT applied to the virtual IP.
    load-balance: Dynamic NAT load balancing with server selection from an IP address range. This option is deprecated and may be removed in future.
    server-load-balance: Dynamic NAT load balancing with server selection from among up to eight realservers, determined by your selected load balancing algorithm and server responsiveness monitors.
    static-nat: Static NAT.
    Default: static-nat
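The ssl-http-location-conversion and ssl-http-match-host entries above describe a Location header rewrite with two conditions. The following Python model is an added example and is not FortiGate code: it rewrites a reply's Location header the way the table describes, and when host matching is on it falls back to the host name in the request URI if the request carries no Host field. The header dictionaries and the function names are constructed for this example.

```python
# Added example (not FortiGate code): a model of ssl-http-location-conversion
# and ssl-http-match-host as described in the firewall vip table.
from urllib.parse import urlsplit


def request_host(request_headers, request_uri):
    """Host the client asked for: the Host field if present, otherwise the
    host name portion of the request URI (a port suffix is ignored)."""
    host = request_headers.get("Host")
    if host is None:
        host = urlsplit(request_uri).hostname
    return (host or "").split(":")[0].lower()


def convert_location(reply_headers, request_headers, request_uri,
                     location_conversion=True, match_host=False):
    """Return a copy of reply_headers with Location changed from http:// to
    https:// when the options allow it. Only the scheme is touched."""
    out = dict(reply_headers)
    loc = out.get("Location")
    if not location_conversion or loc is None:
        return out                      # feature off or nothing to rewrite
    if not loc.lower().startswith("http://"):
        return out                      # already https (or relative)
    if match_host:
        reply_host = (urlsplit(loc).hostname or "").lower()
        if reply_host != request_host(request_headers, request_uri):
            return out                  # host names differ: leave unchanged
    out["Location"] = "https://" + loc[len("http://"):]
    return out


if __name__ == "__main__":
    # Constructed request/reply pairs mirroring the table's example.
    req = {"Host": "example.com"}
    for loc in ("http://example.cc/", "http://example.com/"):
        print(loc, "->",
              convert_location({"Location": loc}, req, "/", match_host=True))
```

The match_host branch compares host names only, so a Location carrying a port or path still matches a plain Host field, which is the comparison the table describes.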
realservers
The following commands are the options for config realservers, and are available only if type is server-load-balance.
client-ip <ip_range_str>
    Enter the IP address of the client in the X-Forwarded-For HTTP header. This can be useful if you require logging on the server of the client's original IP address. If this is not selected, the header will contain the IP address of the FortiGate unit.
    Default: none
<table_id>
    Enter an index number used to identify the server that you are configuring. You can configure a maximum of eight (8) servers in a server load balancing cluster.
    Default: none
healthcheck {enable | disable}
    Enable to check the responsiveness of the server before forwarding traffic. You must also configure monitor.
    Default: disable
holddown-interval <seconds_int>
    Enter the amount of time in seconds that the health check monitor will continue to monitor the status of a server whose status is active after it has been detected to be unresponsive.
    If the server is detected to be continuously responsive during this interval, a server whose status is standby will be removed from current use and replaced with this server, which will again be used by server load balanced traffic. In this way, server load balancing prefers to use servers whose status is active, if they are responsive.
    If the server is detected to be unresponsive during the first holddown interval, the server will remain out of use for server load balanced traffic, the health check monitor will double the holddown interval once, and continue to monitor the server for the duration of the doubled holddown interval. The health check monitor continues to monitor the server for additional iterations of the doubled holddown interval until connectivity to the server becomes reliable, at which time the holddown interval will revert to the configured interval, and the newly responsive server whose status is active will replace the standby server in the pool of servers currently in use. In effect, if the status of a server is active but the server is habitually unresponsive, the health check monitor is less likely to restore the server to use by server load balanced traffic until the server's connectivity becomes more reliable.
    This option applies only to real servers whose status is active, but have been detected to be unresponsive (down).
    Default: 300
ip <server_ip>
    Enter the IP address of a server in this server load balancing cluster.
    Default: 0.0.0.0
max-connections <connection_integer>
    Enter the limit on the number of active connections directed to a real server. If the maximum number of connections is reached for the real server, the FortiGate unit will automatically switch all further connection requests to another server until the connection number drops below the specified limit.
    0 means an unlimited number of connections.
    Default: 0
monitor <healthcheck_str>
    Enter one or more names of health check monitor settings to use when performing a health check, separating each name with a space. If any of the configured health check monitors detect failures, the FortiGate unit will deem the server unresponsive, and will not forward traffic to that server. For details on configuring health check monitor settings, see firewall ldb-monitor on page 117.
    This option appears only if healthcheck is enable.
    Default: none
port <port_ip>
    Enter the port used if port forwarding is enabled.
    Default: 10
status {active | disable | standby}
    Select whether the server is in the pool of servers currently being used for server load balanced traffic, the server is on standby, or is disabled.
    active: The FortiGate unit may forward traffic to the server unless its health check monitors determine that the server is unresponsive, at which time the FortiGate unit will temporarily use a server whose status is standby. The health check monitor will continue to monitor the unresponsive server for the duration of holddown-interval. If this server becomes reliably responsive again, it will be restored to active use, and the standby server will revert to standby. For details on health check monitoring when an active server is unresponsive, see holddown-interval <seconds_int> on page 175.
    disable: The FortiGate unit will not forward traffic to this server, and will not perform health checks. You might use this option to conserve server load balancing resources when you know that a server will be unavailable for a long period, such as when the server is down for repair.
    standby: If a server whose status is active becomes unresponsive, the FortiGate unit will temporarily use a responsive server whose status is standby until the server whose status is active again becomes reliably responsive. If multiple responsive standby servers are available, the FortiGate unit selects the standby server with the greatest weight. If a standby server becomes unresponsive, the FortiGate unit will select another responsive server whose status is standby.
    Default: active
weight <loadbalanceweight_int>
    Enter the weight value of a specific server. Servers with a greater weight receive a greater proportion of forwarded connections, or, if their status is standby, are more likely to be selected to temporarily replace servers whose status is active, but that are unresponsive. Valid weight values are between 1 and 255.
    This option is available only if ldb-method is weighted.
    Default: 1
Example
This example shows how to add a static NAT virtual IP named Web_Server that allows users on the Internet to connect to a single web server on the private network. The public IP address of the web server is 64.32.21.34 and the IP address of the web server on the internal network is 192.168.1.44.
config firewall vip
    edit Web_Server
        set extintf external
        set extip 64.32.21.34
        set mappedip 192.168.1.44
    end
This example shows how to edit the static NAT virtual IP named Web_Server to change the IP address of the web server on the internal network to 192.168.110.23.
config firewall vip
    edit Web_Server
        set mappedip 192.168.110.23
    end
This example shows how to add a static NAT port forwarding virtual IP that uses port address translation to allow external access to a web server on the private network if there is no separate external IP address for the web server. In this example, the IP address of the external interface is 192.168.100.99 and the real IP address of the web server on the internal network is 192.168.1.93.
config firewall vip
    edit web_Server
        set portforward enable
        set extintf external
        set extip 192.168.100.99
        set extport 80
        set mappedip 192.168.1.93
        set mappedport 80
    end
This example shows how to enter a static NAT virtual IP named Server_Range that allows Internet users to connect to a range of 10 virtual IP addresses on the Internet and have the IP addresses in this range mapped to a range of IP addresses on the DMZ network. The DMZ network contains 10 servers with IP addresses from 10.10.10.20 to 10.10.10.29. The Internet IP addresses for these servers are in the range 219.34.56.10 to 219.34.56.19. In this example you do not have to enter the external IP address range. Instead you enter the first IP address in the external IP address range and the FortiGate unit calculates the end of the IP address range based on the number of IP addresses defined by the mapped IP address range. Also in the example, port2 is connected to the Internet.
config firewall vip
    edit Server_Range
        set extintf port2
        set extip 219.34.56.10
        set mappedip 10.10.10.20-10.10.10.29
    end
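The Server_Range example relies on the rule from the extip and mappedip entries that the unit derives the end of the external range from the length of the mapped range; the extport and mappedport entries state the same rule for ports. The following Python functions are an added example, not FortiGate code, that make that calculation explicit and reject a range that would run past the end of the address or port space. They assume the hyphenated start-end form of mappedip shown in the syntax, and the sample values are those of the Server_Range example.

```python
# Added example (not FortiGate code): the external range a static-nat VIP
# implies from extip/mappedip and extport/mappedport, per the vip table.
import ipaddress


def external_ip_range(extip, mappedip):
    """Given extip (first external address) and mappedip ("start-end" or a
    single address), return (first, last) external addresses as strings.
    The external range has as many addresses as the mapped range."""
    start, _, end = mappedip.partition("-")
    first_mapped = ipaddress.IPv4Address(start)
    last_mapped = ipaddress.IPv4Address(end or start)
    if last_mapped < first_mapped:
        raise ValueError("mappedip end precedes start")
    count = int(last_mapped) - int(first_mapped) + 1
    first_ext = ipaddress.IPv4Address(extip)
    # IPv4Address + int raises AddressValueError (a ValueError) if the
    # external range would run past 255.255.255.255.
    last_ext = first_ext + (count - 1)
    return str(first_ext), str(last_ext)


def external_port_range(extport, mappedport):
    """Given extport (first external port) and mappedport ("start-end" or a
    single port), return (first, last) external ports as integers."""
    start, _, end = mappedport.partition("-")
    first_mapped, last_mapped = int(start), int(end or start)
    if not 1 <= first_mapped <= last_mapped <= 65535:
        raise ValueError("mappedport range must lie within 1-65535")
    first_ext = int(extport)
    last_ext = first_ext + (last_mapped - first_mapped)
    if not 1 <= first_ext or last_ext > 65535:
        raise ValueError("external port range would exceed 65535")
    return first_ext, last_ext


if __name__ == "__main__":
    # Values from the Server_Range example above.
    print(external_ip_range("219.34.56.10", "10.10.10.20-10.10.10.29"))
    print(external_port_range("8080", "80-89"))
```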
This example shows how to enter a load balancing virtual IP named Ext_Load_Balance that allows Internet users to connect to a single virtual IP address on the Internet and have that IP address mapped to a range of IP addresses on the network connected to port5. You might use a configuration such as this to load balance connections from the Internet to an internal server farm. In the example the Internet is connected to port2, the virtual IP address is 67.34.56.90, and the IP address range on the network connected to port5 is 172.20.120.10 to 172.20.120.30.
config firewall vip
    edit Ext_Load_Balance
        set type load-balance
        set extintf port2
        set extip 67.34.56.90
        set mappedip 172.20.120.10-172.20.120.30
    end
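The ldb-method entry and the realservers status, weight and max-connections entries above describe how a server-load-balance virtual IP assigns a request to a real server. The following Python model is an added example and is not FortiGate code: it picks a server for one request under those rules, skipping servers that are disabled, unresponsive or at their connection limit, and falling back to the responsive standby server with the greatest weight when no active server is usable. The server records, their health state and the request counter are constructed for the example; treating static like round-robin and reading health as a field rather than from a monitor are assumptions.

```python
# Added example (not FortiGate code): a model of real server selection under
# ldb-method, status, weight and max-connections from the firewall vip tables.
from dataclasses import dataclass


@dataclass
class RealServer:
    ip: str
    status: str = "active"      # active | standby | disable
    weight: int = 1             # 1-255; used by weighted and by standby choice
    max_connections: int = 0    # 0 = unlimited
    connections: int = 0        # current session count on this server
    responsive: bool = True     # assumed health-check result (constructed)
    rtt_ms: float = 0.0         # ping round trip time, 0 if no Ping monitor


def usable(servers, status):
    """Servers with the given status that are responsive and below their
    max-connections limit (0 means no limit)."""
    return [s for s in servers
            if s.status == status and s.responsive
            and (s.max_connections == 0 or s.connections < s.max_connections)]


def select_server(servers, ldb_method, request_no=0):
    """Return the real server for one request, or None if nothing is usable.
    request_no is a running request counter used by round-robin/weighted."""
    pool = usable(servers, "active")
    if not pool:
        # Every active server is down or full: use the responsive standby
        # server with the greatest weight, as the status entry describes.
        standby = usable(servers, "standby")
        return max(standby, key=lambda s: s.weight) if standby else None
    if ldb_method == "first-alive":
        return pool[0]
    if ldb_method == "least-rtt":
        return min(pool, key=lambda s: s.rtt_ms)
    if ldb_method == "least-session":
        return min(pool, key=lambda s: s.connections)
    if ldb_method in ("round-robin", "static"):
        # Assumption: static is modelled as an even rotation like round-robin.
        return pool[request_no % len(pool)]
    if ldb_method == "weighted":
        # Expand each server by its weight and rotate through the expanded
        # list, so weight 3 receives three requests for every one at weight 1.
        slots = [s for s in pool for _ in range(max(1, s.weight))]
        return slots[request_no % len(slots)]
    raise ValueError(f"unknown ldb-method: {ldb_method}")


if __name__ == "__main__":
    # Constructed cluster: two active servers, one standby, one disabled.
    farm = [RealServer("172.20.120.10", weight=3),
            RealServer("172.20.120.11", weight=1),
            RealServer("172.20.120.20", status="standby", weight=5),
            RealServer("172.20.120.30", status="disable")]
    print([select_server(farm, "weighted", n).ip for n in range(4)])
```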
History
FortiOS v2.80 Revised.
FortiOS v3.00 Revised.
FortiOS v3.00 Added server-load-balance to set type.
FortiOS v3.0 MR4 Added the following commands and options: config realserver.
FortiOS v3.0 MR5 extintf <name_str> variable now accepts modem interface names. Formerly, it accepted a network interface, VLAN subinterface, or IPSec VPN virtual interface.
FortiOS v3.0 MR6 New variables monitor and healthcheck. Enables health checking for real servers and specifies which of the health check settings to use.
FortiOS v3.0 MR6 New variables: ssl, ssl-certificate, ssl-client-session-state-max, ssl-client-session-state-timeout, ssl-client-session-state-type, ssl-dh-bits, ssl-http-location-conversion, ssl-http-match-host, ssl-max-version, ssl-min-version, ssl-send-empty-frags, ssl-server-session-state-max, ssl-server-session-state-timeout, ssl-server-session-state-type. Enables SSL acceleration by offloading SSL operations from the destination to the FortiGate unit, and configures various aspects of the offloading, including to which segment(s) of the connection the FortiGate unit will apply SSL, and what encryption strength and other options to use.
FortiOS v3.0 MR6 New variable max-embryonic-connections. Specifies the maximum number of partially established SSL or HTTP connections when the virtual IP is performing HTTP multiplexing or SSL offloading.
FortiOS v3.0 MR6 New variable http. Enables multiplexing of port forwarded HTTP connections into a few connections to the destination.
FortiOS v3.0 MR6 New variable http-ip-header. Preserves the original client's IP address in the X-Forwarded-For HTTP header line when using HTTP multiplexing.
FortiOS v3.0 MR6 New variable status in config realservers subcommand. Designates each server as an active or standby member of the server load balanced cluster, or disables the cluster member.
FortiOS v3.0 MR6 New variable holddown-interval in config realservers subcommand. Configures the amount of time during which a previously unresponsive server must remain responsive in order for the FortiGate unit to resume forwarding traffic to the server. If the server is unresponsive during this interval, the FortiGate unit continues to use a standby server.
FortiOS v3.0 MR7 New variables comment and id: customer requirement for a unique identifier and descriptive information relevant to the virtual IP. Removed ssl-max-version/ssl-min-version tls-1.1 option. TLS 1.1 is not supported. Added new variable nat-source-vip.
FortiOS v4.0 New variables added: server-type, persistence, gratuitous-arp-interval, monitor. New variables client-ip and max-connections in config realservers subcommand. Renamed variable ssl to ssl-mode. Renamed variable http to http-multiplex. Removed variables dead-interval, ping-detect, and wake-interval in config realservers subcommand.
Related topics
firewall policy, policy6
firewall ldb-monitor
firewall vipgrp
vipgrp
You can create virtual IP groups to facilitate firewall policy traffic control. For example, on the DMZ interface, if you have two email servers that use virtual IP mapping, you can put these two VIPs into one VIP group and create one external-to-DMZ policy, instead of two policies, to control the traffic.
Firewall policies using VIP groups are matched by comparing both the member VIP IP address(es) and port number(s).
Syntax
config firewall vipgrp
    edit <name_str>
        set interface <name_str>
        set member <virtualip_str>
    end
<name_str>
    Enter the name of the virtual IP group.
    Default: none
interface <name_str>
    Enter the name of the interface to which the virtual IP group will be bound.
    Default: none
member <virtualip_str>
    Enter one or more virtual IPs that will comprise the virtual IP group.
    Default: none
Example
config firewall vipgrp
    edit group_one
        set interface internal
        set member vipone viptwo vipthree
    end
History
FortiOS v3.0 MR4 Command vipgrp added.
Related topics
firewall policy, policy6
firewall vip
gui
This chapter covers the commands to restore the web-based manager CLI console and topology viewer.
This chapter contains the following sections:
console
topology
console
Use this command to configure the web-based manager CLI console.
Syntax
config gui console
    set preferences <filedata>
end
To obtain base-64 encoded data from a configured CLI console, use:
show gui console
preferences <filedata>
    Base-64 encoded file to upload containing the commands to set up the web-based manager CLI console on the FortiGate unit.
    Default: none
Example
This example shows how to upload the data file pref-file containing commands to set up the web-based manager CLI console on the FortiGate unit.
config gui console
    set preferences pref-file
end
History
FortiOS v3.00 MR5 New.
topology
Use this command to configure the web-based manager topology viewer. This command is not available when virtual domains are enabled.
Syntax
config gui topology
    set background-image <filedatabackground>
    set database <filedatabase>
    set preferences <filedatapref>
end
To obtain base-64 encoded data from a configured topology viewer, use:
show gui topology
background-image <filedatabackground>
    Base-64 encoded file to upload containing the commands to set up the background image of the web-based manager topology viewer.
database <filedatabase>
    Base-64 encoded file to upload containing the data used to set up the web-based manager topology viewer.
preferences <filedatapref>
    Base-64 encoded file to upload containing the commands to set the preferences of the web-based manager topology viewer.
Example
This example shows how to upload the data file (topguifile) containing commands to set up the topology GUI on the FortiGate unit and the background image (backgroundfile).
config gui topology
    set preferences topguifile
    set background-image backgroundfile
end
History
FortiOS v3.00 MR5 New.
imp2p
Use imp2p commands to configure user access to Instant Messaging and Peer-to-Peer applications, and
to configure a global policy for unknown users who might use these applications.
This chapter contains the following sections:
aim-user
icq-user
msn-user
old-version
policy
yahoo-user
aim-user
Use this command to permit or deny a specific user the use of AOL Instant Messenger.
Syntax
config imp2p aim-user
    edit <name_str>
        set action {permit | deny}
    end
<name_str>
    The name of the AIM user.
    Default: none
action {permit | deny}
    Permit or deny the use of AOL Instant Messenger by this user.
    Default: deny
Example
This example shows how to add user_1 and permit the user to use the AIM protocol if the policy is set to allow AOL Instant Messenger.
config imp2p aim-user
    edit user_1
        set action permit
    end
History
FortiOS v3.0 New
Related topics
imp2p icq-user
imp2p msn-user
imp2p old-version
imp2p policy
imp2p yahoo-user
icq-user
Use this command to permit or deny a specific user the use of ICQ Instant Messenger.
Syntax
config imp2p icq-user
    edit <name_str>
        set action {permit | deny}
    end
<name_str>
    The name of the ICQ user.
    Default: none
action {permit | deny}
    Permit or deny the use of ICQ Instant Messenger by this user.
    Default: deny
Example
This example shows how to add user_1 and permit the user to use the ICQ protocol if the policy is set to allow ICQ Instant Messenger.
config imp2p icq-user
    edit user_1
        set action permit
    end
History
FortiOS v3.0 New
Related topics
imp2p aim-user
imp2p msn-user
imp2p old-version
imp2p policy
imp2p yahoo-user
msn-user
Use this command to permit or deny a specific user the use of MSN Messenger.
Syntax
config imp2p msn-user
    edit <name_str>
        set action {permit | deny}
    end
<name_str>
    The name of the MSN user.
    Default: none
action {permit | deny}
    Permit or deny the use of MSN Messenger by this user.
    Default: deny
Example
This example shows how to add user_1 and permit the user to use the MSN protocol if the policy is set to allow MSN Messenger.
config imp2p msn-user
    edit user_1
        set action permit
    end
History
FortiOS v3.0 New
Related topics
imp2p aim-user
imp2p icq-user
imp2p old-version
imp2p policy
imp2p yahoo-user
old-version
Some older versions of IM protocols are able to bypass file blocking because the message types are not
recognized. The following command provides the option to disable these older IM protocol versions.
Supported IM protocols include:
    MSN 6.0 and above
    ICQ 4.0 and above
    AIM 5.0 and above
    Yahoo 6.0 and above
Syntax
    config imp2p old-version
        set aim {block | best-effort}
        set icq {block | best-effort}
        set msn {block | best-effort}
        set yahoo {block | best-effort}
    end
Keywords and variables
    aim {block | best-effort}
        Enter block to block the session if the version is too old.
        Enter best-effort to inspect the session based on the policy.
        Default: block
    icq {block | best-effort}
        Enter block to block the session if the version is too old.
        Enter best-effort to inspect the session based on the policy.
        Default: block
    msn {block | best-effort}
        Enter block to block the session if the version is too old.
        Enter best-effort to inspect the session based on the policy.
        Default: block
    yahoo {block | best-effort}
        Enter block to block the session if the version is too old.
        Enter best-effort to inspect the session based on the policy.
        Default: block
Example
This example shows how to block older versions of MSN Messenger and inspect older versions of Yahoo
Messenger.
    config imp2p old-version
        set msn block
        set yahoo best-effort
    end
History
    FortiOS v3.0    New
Related topics
    imp2p aim-user
    imp2p icq-user
    imp2p msn-user
    imp2p policy
    imp2p yahoo-user
policy
Use this command to create a global policy for instant messenger applications. If an unknown user
attempts to use one of the applications, the user can either be permitted use and added to a white list, or
be denied use and added to a black list.
Note: In FortiOS 4.0, the imp2p settings are now part of Application Control. When creating
a new VDOM, the default imp2p policy settings are set to allow, thereby permitting the
settings in Application Control to drive the configuration.
Syntax
    config imp2p policy
        set aim {allow | deny}
        set icq {allow | deny}
        set msn {allow | deny}
        set yahoo {allow | deny}
    end
Keywords and variables
    aim {allow | deny}
        Allow an unknown user and add the user to the white list.
        Deny an unknown user and add the user to the black list.
        Default: allow
    icq {allow | deny}
        Allow an unknown user and add the user to the white list.
        Deny an unknown user and add the user to the black list.
        Default: allow
    msn {allow | deny}
        Allow an unknown user and add the user to the white list.
        Deny an unknown user and add the user to the black list.
        Default: allow
    yahoo {allow | deny}
        Allow an unknown user and add the user to the white list.
        Deny an unknown user and add the user to the black list.
        Default: allow
Example
This example shows how to configure the IM/P2P policy to allow AOL Instant Messenger, MSN
Messenger, and Yahoo Messenger but deny ICQ Instant Messenger.
    config imp2p policy
        set aim allow
        set msn allow
        set icq deny
        set yahoo allow
    end
History
    FortiOS v3.0    New
    FortiOS v4.0    Configuration of imp2p policy is now CLI only. Default value is allow for all
                    imp2p policy commands.
Related topics
    imp2p aim-user
    imp2p icq-user
    imp2p msn-user
    imp2p old-version
    imp2p yahoo-user
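The imp2p policy, the per-user lists and old-version work together: the policy decides what happens to an unknown user, the user lists hold the explicit exceptions, and old-version decides whether a client too old for message-type recognition is blocked or merely inspected. The following is an added example and not from the original reference; the user name sales_kiosk is a constructed placeholder.

```text
# Added example, not from the original reference.
# Unknown MSN users are denied and black-listed, one known account is permitted
# as an exception, and old MSN clients are blocked outright because their
# message types are not recognized and would otherwise bypass file blocking.
config imp2p policy
    set msn deny
    set yahoo allow
end
config imp2p msn-user
    # constructed user name; permit overrides the deny policy for this user only
    edit sales_kiosk
        set action permit
    end
config imp2p old-version
    # old MSN versions: block rather than risk missed file blocking
    set msn block
    # old Yahoo versions: still inspected according to the policy
    set yahoo best-effort
end
```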
yahoo-user
Use this command to permit or deny a specific user the use of Yahoo Messenger.
Syntax
    config imp2p yahoo-user
        edit <name_str>
            set action {permit | deny}
        end
Keywords and variables
    name_str
        The name of the Yahoo user.
    action {permit | deny}
        Permit or deny the use of Yahoo Messenger by this user.
        Default: deny
Example
This example shows how to add user_1 and permit the user to use the Yahoo protocol if the policy is set to
allow Yahoo Messenger.
    config imp2p yahoo-user
        edit user_1
            set action permit
        end
History
    FortiOS v3.0    New
Related topics
    imp2p aim-user
    imp2p icq-user
    imp2p msn-user
    imp2p old-version
    imp2p policy
ips
Use ips commands to configure IPS sensors to define which signatures are used to examine traffic and
what actions are taken when matches are discovered. DoS sensors can also be defined to examine traffic
for anomalies.
This chapter contains the following sections:
    DoS
    custom
    decoder
    global
    rule
    sensor
Note: If the IPS test can't find the destination MAC address, the peer interface will be used. To ensure
packets get IPS inspection, there must be a Peer Interface. Both interfaces must be in the same VDOM,
and one interface cannot be both the peer and original interface. For information on how to set the Peer
Interface see interface on page 387.
DoS
FortiGate Intrusion Protection uses Denial of Service (DoS) sensors to identify network traffic anomalies
that do not fit known or preset traffic patterns. Four statistical anomaly types for the TCP, UDP, and ICMP
protocols can be identified.
    Flooding
        If the number of sessions targeting a single destination in one second is over a threshold, the
        destination is experiencing flooding.
    Scan
        If the number of sessions from a single source in one second is over a threshold, the source is
        scanning.
    Source session limit
        If the number of concurrent sessions from a single source is over a threshold, the source
        session limit is reached.
    Destination session limit
        If the number of concurrent sessions to a single destination is over a threshold, the destination
        session limit is reached.
Enable or disable logging for each anomaly, and select the action taken in response to detecting an
anomaly. Configure the anomaly thresholds to detect traffic patterns that could represent an attack.
The list of anomalies can be updated only when the FortiGate firmware image is upgraded.
Note: It is important to estimate the normal and expected traffic on the network before changing the default
anomaly thresholds. Setting the thresholds too low could cause false positives, and setting the thresholds too high
could allow some attacks.
config limit
Access the config limit subcommand using the config ips anomaly <name_str> command.
Use this command for session control based on source and destination network address. This command is
available for tcp_src_session, tcp_dst_session, icmp_src_session, icmp_dst_session,
udp_src_session, udp_dst_session.
The default entry cannot be edited. Addresses are matched from more specific to more general. For
example, if thresholds are defined for 192.168.100.0/24 and 192.168.0.0/16, the address with the 24 bit
netmask is matched before the entry with the 16 bit netmask.
Syntax
    config ips DoS
        config anomaly
            edit <anomaly_str>
                set status {enable | disable}
                set log {enable | disable}
                set action {block | pass}
                set quarantine {attacker | both | interface | none}
                set threshold <threshold_int>
            end
        set comment <comment_str>
        set name <name_str>
        set status {disable | enable}
    end
Examples
This example shows how to create a DoS sensor, name it, and enable blocking of the udp_flood
anomaly with the default threshold.
    config ips DoS
        edit 12
            set name test
            set comment "This is for test"
            config anomaly
                edit udp_flood
                    set action block
                    set status enable
                end
        end
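A DoS sensor that tunes more than one anomaly type, as an added example that is not from the original reference: the sensor ID, its name and the threshold values are constructed placeholders, and the thresholds must be derived from the measured baseline traffic as the note above says.

```text
# Added example, not from the original reference. Sensor ID, name and thresholds
# are constructed placeholders; measure normal traffic before choosing thresholds.
config ips DoS
    edit 20
        set name dmz_dos
        set comment "DMZ DoS protection"
        set status enable
        config anomaly
            # Flooding type: sessions per second targeting one destination
            edit udp_flood
                set status enable
                set log enable
                set action block
                set threshold 2000
            next
            # Source session limit type: concurrent sessions from one source
            edit tcp_src_session
                set status enable
                set log enable
                set action block
                # ban the offending source, not just the excess sessions
                set quarantine attacker
                set threshold 500
            end
    end
```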
Keywords and variables
    <anomaly_str>
        Enter the name of the anomaly you want to configure. Display a list of the available
        anomaly types by entering ?.
    status {enable | disable}
        Enable or disable the specified anomaly in the current DoS sensor.
        Default: disable
    log {enable | disable}
        Enable or disable logging of the specified anomaly in the current DoS sensor.
        Default: enable
    action {block | pass}
        Pass or block traffic in which the specified anomaly is detected.
        Default: pass
    quarantine {attacker | both | interface | none}
        To prevent the attacker from continuing to attack the FortiGate unit, you can quarantine
        the attacker to the banned user list in one of three ways.
        Enter attacker to block all traffic sent from the attacker's IP address. The attacker's
        IP address is also added to the banned user list. The target's address is not affected.
        Enter both to block all traffic sent from the attacker's IP address to the target
        (victim's) IP address. Traffic from the attacker's IP address to addresses other than
        the victim's IP address is allowed. The attacker's and target's IP addresses are added
        to the banned user list as one entry.
        Enter interface to block all traffic from connecting to the FortiGate unit interface
        that received the attack. The interface is added to the banned user list.
        Enter none to disable the adding of addresses to the quarantine by the current DoS
        sensor.
        Default: none
    threshold <threshold_int>
        Enter the number of times the specified anomaly must be detected in network traffic
        before the action is triggered.
        Default: varies by anomaly
    comment <comment_str>
        Enter a description of the DoS sensor. This is displayed in the DoS sensor list.
        Descriptions with spaces must be enclosed in quotation marks.
    name <name_str>
        Enter a name for the DoS sensor. This is displayed in the DoS sensor list. Names with
        spaces must be enclosed in quotation marks.
    status {disable | enable}
        Enable or disable the current DoS sensor.
        Default: disable
History
    FortiOS v2.80       Substantially revised.
    FortiOS v3.0        Added severity, default-action, and default-severity.
    FortiOS v3.0 MR5    Under the config limit command, set ipaddress was removed. dst-ip, service,
                        and src-ip commands were added.
    FortiOS v3.0 MR6    Completely revised. Anomalies now defined in DoS sensors allowing the
                        creation of multiple sensors to tailor behavior depending on traffic source,
                        destination, and port, if required.
    FortiOS v4.0.0      Added the quarantine option. Removed the config address tree. Addresses are
                        now specified in the DoS policy.
Related topics
    ips custom
    ips global
    ips fail-open {enable | disable}
custom
Create custom IPS signatures and add them to IPS sensors.
Custom signatures provide the power and flexibility to customize FortiGate Intrusion Protection for diverse
network environments. The FortiGate predefined signatures cover common attacks. If an unusual or
specialized application or an uncommon platform is being used, add custom signatures based on the
security alerts released by the application and platform vendors.
Use custom signatures to block or allow specific traffic.
The custom signature settings are configured when it is defined as a signature override in an IPS sensor.
This way, a single custom signature can be used in multiple sensors with different settings in each. See
ips sensor on page 202 for details.
For more information on custom signature syntax see the FortiGate IPS Custom Signatures Technical
Bulletin.
Note: Custom signatures are an advanced feature. This document assumes the user has previous experience
writing intrusion detection signatures.
Syntax
    config ips custom
        edit <sig_str>
            set signature <signature_str>
        end
Keywords and variables
    sig_str
        The name of the custom signature.
    signature <signature_str>
        Enter the custom signature. The signature must be enclosed in single quotes.
        Default: No default.
Example
This example shows how to add a custom signature.
    config ips custom
        edit bad_things
            set signature 'F-SBID( --protocol tcp; --flow bi_direction;
            --pattern "nude cheerleader"; --no_case)'
        end
History
    FortiOS v2.80       Substantially revised.
    FortiOS v3.0 MR6    Removed all options except signature. Other settings are configured when
                        specifying the signature in a signature override.
Related topics
    ips global
    execute backup
    execute restore
    ips fail-open {enable | disable}
decoder
The Intrusion Protection system looks for certain types of traffic on specific ports. Using the decoder
command, you can change ports if your configuration uses non-standard ports.
Syntax
    config ips decoder <decoder_str>
        set port_list <port_int>
    end
Keywords and variables
    <decoder_str>
        Enter the name of the decoder. Enter ? for a list.
    port_list <port_int>
        Enter the ports which the decoder will examine. Multiple ports can be specified by
        separating them with commas and enclosing the list in quotes.
        Default: varies by decoder
Example
This example shows how to modify the dns_decoder to examine ports 1, 2, and 3 instead of the default 53.
    config ips decoder dns_decoder
        set port_list "1,2,3"
    end
global
Use this command to configure global intrusion protection settings, such as ignoring sessions after a set
amount of traffic has passed.
Syntax
    config ips global
        set algorithm {engine-pick | high | low}
        set anomaly-mode {continuous | periodical}
        set engine-count <integer>
        set fail-open {enable | disable}
        set ignore-session-bytes <byte_integer>
        set session-limit-mode {accurate | heuristic}
        set socket-size <ips_buffer_size>
        set traffic-submit {enable | disable}
    end
Keywords and variables
    algorithm {engine-pick | high | low}
        The IPS engine has two methods to determine whether traffic matches signatures.
        high is a faster method that uses more memory.
        low is a slower method that uses less memory.
        engine-pick allows the IPS engine to choose the best method on the fly.
        Default: engine-pick
    anomaly-mode {continuous | periodical}
        Enter continuous to start blocking packets once the attack starts.
        Enter periodical to allow the configured number of packets per second.
        Default: continuous
    engine-count <integer>
        Enter the number of intrusion protection engines to run. Multi-processor FortiGate
        units can more efficiently process traffic with multiple engines running. When set to
        the default value of 0, the FortiGate unit determines the optimal number of intrusion
        protection engines.
        Default: 0
    fail-open {enable | disable}
        If for any reason the IPS should cease to function, it will fail open by default. This
        means that crucial network traffic will not be blocked and the firewall will continue
        to operate while the problem is resolved.
        Default: enable
    ignore-session-bytes <byte_integer>
        Set the number of bytes after which the session is ignored.
        Default: 204800
    session-limit-mode {accurate | heuristic}
        Enter accurate to accurately count the concurrent sessions. This option demands more
        resources. Enter heuristic to heuristically count the concurrent sessions.
        Default: heuristic
    socket-size <ips_buffer_size>
        Set the intrusion protection buffer size. The default value is correct in most cases.
        Default: model-dependent
    traffic-submit {enable | disable}
        Submit attack characteristics to the FortiGuard Service.
        Default: disable
Examples
This example shows how to set intrusion protection to ignore sessions after 204800 bytes.
    config ips global
        set ignore-session-bytes 204800
    end
This example shows how to see the current configuration of ips global.
    # get ips global
    anomaly-mode        : continuous
    engine-count        : 0
    fail-open           : enable
    ignore-session-bytes: 204800
    session-limit-mode  : heuristic
    socket-size         : 8 (MB)
    traffic-submit      : disable
History
    FortiOS v3.0        New.
    FortiOS v3.0 MR4    Merged get ips global including example.
    FortiOS v3.0 MR6    Removed the ip-protocol option.
    FortiOS v4.0.0      Added algorithm.
Related topics
    execute backup
    execute restore
    ips fail-open {enable | disable}
rule
The IPS sensors use signatures to detect attacks. These signatures can be listed with the rules command.
Details about the default settings of each signature can also be displayed.
Syntax
    config ips rule <rule_str>
        get
Keywords and variables
    <rule_str>
        Enter the name of a signature. For a complete list of the predefined signatures, enter ?
        instead of a signature name.
Example
This example shows how to display the current configuration of the Apache.Long.Header.DoS signature.
    # config ips rule Apache.Long.Header.DoS
    (Apache.Long.He~d) # get
    name                : Apache.Long.Header.DoS
    status              : enable
    log                 : enable
    log-packet          : disable
    action              : pass
    group               : web_server
    severity            : medium
    location            : server
    os                  : Windows, Linux, BSD, Solaris
    application         : Apache
    service             : TCP, HTTP
    rule-id             : 11206
    rev                 : 2.335
sensor
The IPS sensors use signatures to detect attacks. IPS sensors are made up of filters and override rules.
Each filter specifies a number of signature attributes and all signatures matching all the specified attributes
are included in the filter. Override rules allow you to override the settings of individual signatures.
Syntax
    config ips sensor
        edit <sensor_str>
            get
            config filter
                edit <filter_str>
                    set location {all | client | server}
                    set severity {all | info low medium high critical}
                    set protocol <protocol_str>
                    set os {all | other windows linux bsd solaris macos}
                    set application <app_str>
                    set status {default | enable | disable}
                    set log {default | enable | disable}
                    set action {block | default | pass | reject}
                    set quarantine {attacker | both | interface | none}
                    get
                end
            config override
                edit <override_int>
                    config exempt-ip
                        edit <exempt_int>
                            set dst-ip <dest_ipv4mask>
                            set src-ip <source_ipv4mask>
                        end
                    set action {block | pass | reset}
                    set log {disable | enable}
                    set log-packet {disable | enable}
                    set quarantine {attacker | both | interface | none}
                    set status {disable | enable}
                end
            set comment <comment_str>
        end
Keywords and variables
    <sensor_str>
        Enter the name of an IPS sensor. For a list of the IPS sensors, enter ? instead of an
        IPS sensor name. Enter a new name to create a sensor.
    get
        The complete syntax of this command is:
            config ips sensor
                edit <sensor_str>
                    get
                end
        This get command returns the following information about the sensor:
        name is the name of this sensor.
        comment is the comment entered for this sensor.
        count-enabled is the number of enabled signatures in this IPS sensor. Disabled
        signatures are not included.
        count-pass is the number of enabled signatures configured with the pass action.
        count-block is the number of enabled signatures configured with the block action.
        count-reset is the number of enabled signatures configured with the reset action.
        filter lists the filters in this IPS sensor.
        override lists the overrides in the IPS sensor.
    <filter_str>
        Enter the name of a filter. For a list of the filters in the IPS sensor, enter ? instead
        of a filter name. Enter a new name to create a filter.
    location {all | client | server}
        Specify the type of system to be protected.
        client selects signatures for attacks against client computers.
        server selects signatures for attacks against servers.
        all selects both client and server signatures.
        Default: all
    severity {all | info low medium high critical}
        Specify the severity level or levels. Specify all to include all severity levels.
        Default: all
    protocol <protocol_str>
        Specify the protocols to be examined. Enter ? to display a list of the available
        protocols. all will include all protocols. other will include all unlisted protocols.
        Default: all
    os {all | other windows linux bsd solaris macos}
        Specify the operating systems to be protected. all will include all operating systems.
        other will include all unlisted operating systems.
        Default: all
    application <app_str>
        Specify the applications to be protected. Enter ? to display a list of the available
        applications. all will include all applications. other will include all unlisted
        applications.
        Default: all
    status {default | enable | disable}
        Specify the status of the signatures included in the filter.
        enable will enable the filter.
        disable will disable the filter.
        default will enable the filter and only use the signatures with a default status of
        enable. Signatures with a default status of disable will not be used.
        Default: default
    log {default | enable | disable}
        Specify the logging status of the signatures included in the filter.
        enable will enable logging.
        disable will disable logging.
        default will enable logging for only the signatures with a default logging status of
        enable. Signatures with a default logging status of disable will not be logged.
        Default: default
    action {block | default | pass | reject}
        Specify what action is taken with traffic in which signatures are detected.
        block will drop the session with the offending traffic.
        pass will allow the traffic.
        reject will reset the session.
        default will either pass or drop matching traffic, depending on the default action of
        each signature.
        Default: default
    quarantine {attacker | both | interface | none}
        To prevent the attacker from continuing to attack the FortiGate unit, you can quarantine
        the attacker to the banned user list in one of three ways.
        Enter attacker to block all traffic sent from the attacker's IP address. The attacker's
        IP address is also added to the banned user list. The target's address is not affected.
        Enter both to block all traffic sent from the attacker's IP address to the target
        (victim's) IP address. Traffic from the attacker's IP address to addresses other than
        the victim's IP address is allowed. The attacker's and target's IP addresses are added
        to the banned user list as one entry.
        Enter interface to block all traffic from connecting to the FortiGate unit interface
        that received the attack. The interface is added to the banned user list.
        Enter none to disable the adding of addresses to the quarantine by the current sensor.
        Default: none
    get
        The complete syntax of this command is:
            config ips sensor
                edit <sensor_str>
                    config filter
                        edit <filter_str>
                            get
                        end
        This get command returns the following information about the filter:
        name is the name of this filter.
        count is the total number of signatures in this filter. Both enabled and disabled
        signatures are included.
        location is the type of system targeted by the attack. The locations are client and
        server.
        severity is the relative importance of the signature, from info to critical.
        protocol is the type of traffic to which the signature applies. Examples include HTTP,
        POP3, H323, and DNS.
        os is the operating systems to which the signature applies.
        application is the program affected by the signature.
        status displays whether the signature state is enabled, disabled, or default.
        log displays the logging status of the signatures included in the filter. Logging can
        be set to enabled, disabled, or default.
        action displays what the FortiGate unit does with traffic containing a signature. The
        action can be set to pass all, block all, reset all, or default.
        quarantine displays how the FortiGate unit will quarantine attackers.
    <override_int>
        Enter the rule ID of an override filter. The rule ID is the number assigned to a
        signature, predefined or custom, and it specifies which signature is being overridden.
        For a list of the currently defined overrides, enter ? instead of a rule ID.
        Rule IDs are an attribute of every signature. Use the config ips rule command to list
        the signatures or view them in the GUI.
    <exempt_int>
        Each override can apply to any number of source addresses, destination addresses, or
        source/destination pairs. The addresses are referenced by exempt_id values.
    dst-ip <dest_ipv4mask>
        Enter the destination IP address and subnet to which this sensor will apply. The
        default is all addresses.
        Default: 0.0.0.0 0.0.0.0
    src-ip <source_ipv4mask>
        Enter the source IP address and subnet to which this sensor will apply. The default is
        all addresses.
        Default: 0.0.0.0 0.0.0.0
    action {block | pass | reset}
        Specify the action to be taken for this override.
        block will drop the session.
        pass will allow the traffic.
        reset will reset the session.
        Default: pass
    log {disable | enable}
        Specify whether the log should record when the override occurs.
        Default: disable
    log-packet {disable | enable}
        When enabled, packet logging will save the packet that triggers the override. You can
        download the packets in pcap format for diagnostic use. This feature is only available
        in FortiGate units with internal hard drives.
        Default: disable
    status {disable | enable}
        Enable or disable the override.
        Default: disable
    comment <comment_str>
        Enter a description of the IPS sensor. This description will appear in the IPS sensor
        list. Descriptions with spaces must be enclosed in quotes.
Example
This example shows how to create an IPS sensor containing a filter that includes all signatures to protect
against Windows server attacks.
    config ips sensor
        edit dept_srv
            set comment "Department file servers"
            config filter
                edit win_srv
                    set location server
                    set os windows
                    set action block
                end
        end
History
    FortiOS v3.0 MR6    New.
    FortiOS v4.0.0      Added the quarantine option.
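A sensor that layers an override on top of a filter, as an added example that is not from the original reference. It uses rule ID 11206 (Apache.Long.Header.DoS, shown under ips rule) and a constructed 10.0.5.0/24 management subnet in the exempt-ip table; that the exempt-ip addresses are excluded from the override is taken from the command name and is an assumption here.

```text
# Added example, not from the original reference. The filter blocks high and
# critical server-side signatures; the override raises rule 11206
# (Apache.Long.Header.DoS) to reset with packet capture and quarantines the
# source, except for the constructed management subnet 10.0.5.0/24, whose
# load-testing host would otherwise trip the reset (exemption semantics assumed
# from the exempt-ip command name).
config ips sensor
    edit web_dmz
        set comment "Internet-facing web servers"
        config filter
            edit srv_all
                set location server
                set severity high critical
                set status enable
                set log enable
                set action block
            end
        config override
            edit 11206
                set status enable
                set action reset
                set log enable
                # log-packet requires a unit with an internal hard drive
                set log-packet enable
                set quarantine attacker
                config exempt-ip
                    edit 1
                        set src-ip 10.0.5.0 255.255.255.0
                        set dst-ip 0.0.0.0 0.0.0.0
                    end
            end
    end
```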
log
Use the config log commands to set the logging type, the logging severity level, and the logging
location for the FortiGate unit.
Note: In Transparent mode, certain log settings and options may not be available because certain
features do not support logging or are not available in this mode. For example, SSL VPN events are not
available in Transparent mode.
    custom-field
    {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
    disk setting
    fortianalyzer setting
    fortiguard setting
    memory setting
    memory global setting
    syslogd setting
    webtrends setting
    trafficfilter
custom-field
Use the following command to customize the log fields with a name and/or value. The custom name and/or
value will appear in the log message.
Syntax
    config log custom-field
        edit id <integer>
            set name <name>
            set value <integer>
        end
Keywords and variables
    id <integer>
        Enter the identification number for the log field.
        Default: No default
    name <name>
        Enter a name to identify the log. You can use letters, numbers, and underscores (_),
        but no special characters such as the number symbol (#). The name cannot exceed 16
        characters.
        Default: No default
    value <integer>
        Enter a firewall policy number to associate a firewall policy with the logs.
        Default: No default
Example
This example shows how to configure customized log fields for the branch offices of a company, each
associated with a specific firewall policy.
    config log custom-field
        edit 1
            set name company_branch1
            set value 2
        next
        edit 2
            set name company_branch2
            set value 4
        next
        edit 3
            set name company_branch3
            set value 5
        end
History
    FortiOS v3.0 MR6    New.
Related topics
    log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
{disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
Use this command to configure log filter options. Log filters define the types of log messages sent to each
log location. Use the ? command to view each filter setting since not all filter settings display for each
device.
Filter settings include commands for multiple Syslog servers or multiple FortiAnalyzer units. For example,
config log fortianalyzer2 filter. For more information about configuring multiple FortiAnalyzer
units, see fortianalyzer setting on page 218 and for more information about configuring multiple Syslog
servers, see syslogd setting on page 222.
Filter settings for fortiguard are only available when FortiGuard Analysis and Management Service is
enabled. Filter settings for disk are available only for FortiGate units with hard disks.
Syntax
    config log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
        set admin {disable | enable}
        set allowed {disable | enable}
        set anomaly {disable | enable}
        set app-crtl {disable | enable}
        set app-crtl-all {disable | enable}
        set attack {disable | enable}
        set auth {disable | enable}
        set amc-intf-bypass {disable | enable}
        set blocked {disable | enable}
        set dlp {disable | enable}
        set dlp-all {disable | enable}
        set cpu-memory-usage {disable | enable}
        set dhcp {disable | enable}
        set email {disable | enable}
        set email-log-imap {disable | enable}
        set email-log-pop3 {disable | enable}
        set email-log-smtp {disable | enable}
        set event {disable | enable}
        set ftgd-wf-block {disable | enable}
        set ftgd-wf-errors {disable | enable}
        set ha {disable | enable}
        set infected {disable | enable}
        set ipsec {disable | enable}
        set ldb-monitor {disable | enable}
        set other-traffic {disable | enable}
        set oversized {disable | enable}
        set pattern {disable | enable}
        set ppp {disable | enable}
        set severity {alert | critical | debug | emergency | error | information |
            notification | warning}
        set signature {disable | enable}
        set sslvpn-log-adm {disable | enable}
        set sslvpn-log-auth {disable | enable}
        set sslvpn-log-session {disable | enable}
        set system {disable | enable}
        set traffic {disable | enable}
        set url-filter {disable | enable}
        set violation {disable | enable}
        set virus {disable | enable}
        set vip-ssl {disable | enable}
        set wan-opt {disable | enable}
        set web {disable | enable}
        set web-content {disable | enable}
        set web-filter-activex {disable | enable}
        set web-filter-applet {disable | enable}
        set web-filter-cookie {disable | enable}
        set content-log {disable | enable}
        set content-log-ftp {disable | enable}
        set content-log-http {disable | enable}
        set content-log-imap {disable | enable}
        set content-log-pop3 {disable | enable}
        set content-log-smtp {disable | enable}
    end
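A filter for a remote FortiAnalyzer destination that keeps the security-relevant categories and drops the high-volume allowed-traffic records, as an added example that is not from the original reference. The category choice is a constructed illustration, and it assumes that severity sets the lowest level that is logged, as in the other FortiOS log settings.

```text
# Added example, not from the original reference. Forward only investigation-worthy
# records to the FortiAnalyzer unit: attack, antivirus, web-filter block, DLP and
# application-control logs, plus blocked and violating traffic. traffic itself stays
# enabled because allowed and blocked are only available when traffic is enabled;
# allowed is switched off to drop the bulk of routine permitted-session records.
# severity is assumed to be the minimum level logged.
config log fortianalyzer filter
    set severity warning
    set attack enable
    set anomaly enable
    set signature enable
    set virus enable
    set infected enable
    set web enable
    set ftgd-wf-block enable
    set ftgd-wf-errors enable
    set dlp enable
    set dlp-all disable
    set app-crtl enable
    set traffic enable
    set allowed disable
    set blocked enable
    set violation enable
end
```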
Keywords and variables Description Default
admin {disable | enable}
    Enable or disable logging of all administrative events, such as user logins, resets, and configuration updates, in the event log. This keyword is available when event is enabled.
    Default: enable
allowed {disable | enable}
    Enable or disable logging of all traffic that is allowed according to the firewall policy settings, in the traffic log. This keyword is available when traffic is enabled.
    Default: enable
anomaly {disable | enable}
    Enable or disable logging of all detected and prevented attacks based on unknown or suspicious traffic patterns, and the action taken by the FortiGate unit, in the attack log. This keyword is available when attack is enabled.
    Default: enable
app-crtl {disable | enable}
    Enable or disable logging of application control logs.
    Default: enable
app-crtl-all {disable | enable}
    Enable or disable logging of the sub-category of application control logs.
    Default: disable
attack {disable | enable}
    Enable or disable the attack log.
    Default: enable
auth {disable | enable}
    Enable or disable logging of all firewall-related events, such as user authentication, in the event log. This keyword is available when event is enabled.
    Default: enable
amc-intf-bypass {disable | enable}
    Enable or disable logging of messages about an AMC interface entering bypass mode.
    Default: enable
blocked {disable | enable}
    Enable or disable logging of all instances of blocked files.
    Default: enable
dlp {disable | enable}
    Enable or disable logging of data leak prevention logs.
    Default: enable
dlp-all {disable | enable}
    Enable or disable logging of all data leak prevention subcategories.
    Default: disable
cpu-memory-usage {disable | enable}
    Enable or disable logging of CPU usage every five minutes.
    Default: disable
dhcp {disable | enable}
    Enable or disable logging of DHCP service messages.
    Default: enable
email {disable | enable}
    Enable or disable the spam filter log.
    Default: enable
email-log-imap {disable | enable}
    Enable or disable logging of spam detected in IMAP traffic. Available only when email is enabled.
    Default: enable
email-log-pop3 {disable | enable}
    Enable or disable logging of spam detected in POP3 traffic. Available only when email is enabled.
    Default: enable
email-log-smtp {disable | enable}
    Enable or disable logging of spam detected in SMTP traffic. Available only when email is enabled.
    Default: enable
event {disable | enable}
    Enable or disable writing event log messages. This option is available only for memory and disk logs.
    Default: enable
ftgd-wf-block {disable | enable}
    Enable or disable logging of web pages blocked by FortiGuard category filtering in the web filter log. This keyword is available when web is enabled.
    Default: enable
ftgd-wf-errors {disable | enable}
    Enable or disable logging of all instances of FortiGuard category filtering rating errors. This keyword is available when web is enabled.
    Default: enable
ha {disable | enable}
    Enable or disable HA activity messages.
    Default: enable
infected {disable | enable}
    Enable or disable logging of all virus infections in the antivirus log. This keyword is available when virus is enabled.
    Default: enable
ipsec {disable | enable}
    Enable or disable logging of IPSec negotiation events, such as progress and error reports, in the event log. This keyword is available when event is enabled.
    Default: enable
ldb-monitor {disable | enable}
    Enable or disable logging of VIP real server health monitoring messages.
    Default: disable
other-traffic {disable | enable}
    Enable or disable ICSA compliant logs. This setting is independent from the traffic setting. When enabled, the FortiGate unit generates traffic log entries:
    for all dropped ICMP packets
    for all dropped invalid IP packets
    for session start and on session deletion
    This setting is not rate limited. A large volume of invalid packets can dramatically increase the number of log entries.
    Default: disable
oversized {disable | enable}
    Enable or disable logging of oversized files in the antivirus log. This keyword is available when virus is enabled.
    Default: enable
pattern {disable | enable}
    Enable or disable logging of all pattern update events, such as antivirus and IPS pattern updates and update failures, in the event log. This keyword is available when event is enabled.
    Default: enable
ppp {disable | enable}
    Enable or disable logging of all L2TP, PPTP, and PPPoE-related events, such as manager and socket creation processes, in the event log. This keyword is available when event is enabled.
    Default: enable
severity {alert | critical | debug | emergency | error | information | notification | warning}
    Select the logging severity level. The FortiGate unit logs all messages at and above the logging severity level you select. For example, if you select error, the unit logs error, critical, alert and emergency level messages.
    emergency - The system is unusable.
    alert - Immediate action is required.
    critical - Functionality is affected.
    error - An erroneous condition exists and functionality is probably affected.
    warning - Functionality might be affected.
    notification - Information about normal events.
    information - General information about system operations.
    debug - Information used for diagnosing or debugging the FortiGate unit.
    Default: information
signature {disable | enable}
    Enable or disable logging of detected and prevented attacks based on the attack signature, and the action taken by the FortiGate unit, in the attack log. This keyword is available when attack is enabled.
    Default: enable
sslvpn-log-adm {disable | enable}
    Enable or disable logging of SSL-VPN administration.
    Default: enable
sslvpn-log-auth {disable | enable}
    Enable or disable logging of SSL-VPN user authentication.
    Default: enable
sslvpn-log-session {disable | enable}
    Enable or disable logging of SSL-VPN sessions.
    Default: enable
system {disable | enable}
    Enable or disable logging of system activity messages.
    Default: enable
traffic {disable | enable}
    Enable or disable the traffic log.
    Default: enable
url-filter {disable | enable}
    Enable or disable logging of blocked URLs (specified in the URL block list) in the web filter log. This keyword is available when web is enabled.
    Default: enable
violation {disable | enable}
    Enable or disable logging of all traffic that violates the firewall policy settings, in the traffic log. This keyword is available when traffic is enabled.
    Default: enable
virus {disable | enable}
    Enable or disable the antivirus log.
    Default: enable
vip-ssl {disable | enable}
    Enable or disable logging of VIP SSL messages.
    Default: enable
wan-opt {disable | enable}
    Enable or disable logging of WAN optimization messages.
    Default: disable
web {disable | enable}
    Enable or disable the web filter log.
    Default: enable
web-content {disable | enable}
    Enable or disable logging of blocked content (specified in the banned words list) in the web filter log. This keyword is available when web is enabled.
    Default: enable
web-filter-activex {disable | enable}
    Enable or disable logging of ActiveX block messages.
    Default: enable
web-filter-applet {disable | enable}
    Enable or disable logging of Java applet block messages.
    Default: enable
web-filter-cookie {disable | enable}
    Enable or disable logging of cookie block messages.
    Default: enable
content-log {disable | enable}
    Enable or disable logging of content archives to an AMC hard disk.
    Default: enable
content-log-ftp {disable | enable}
    Enable or disable archiving of FTP logs.
    Default: enable
content-log-http {disable | enable}
    Enable or disable archiving of HTTP logs.
    Default: enable
content-log-imap {disable | enable}
    Enable or disable archiving of IMAP logs.
    Default: enable
content-log-pop3 {disable | enable}
    Enable or disable archiving of POP3 logs.
    Default: enable
content-log-smtp {disable | enable}
    Enable or disable archiving of SMTP logs.
    Default: enable
Example
This example shows how to set the logging severity level to warning, enable virus logging for infected files, and enable event logging for anomaly and IPSec events.
config log disk filter
    set severity warning
    set virus enable
    set infected enable
    set event enable
    set anomaly enable
    set ipsec enable
end
History
FortiOS v2.80 Substantially revised.
FortiOS v2.80 MR2 Removed email_content keyword. Added email_log_imap, email_log_pop3, and email_log_smtp keywords.
FortiOS v3.0 cat-monitor, exempt, and content-keywords commands removed. url-block command renamed to url-filter. cat-block and cat-errors commands renamed to ftgd-wf-block and ftgd-wf-errors respectively. New keywords im, im-all and sslvpn-auth, sslvpn-adm, sslvpn-session, web-filter-activex, web-filter-applet and web-filter-cookie added.
FortiOS v3.0 MR4 Added the FortiGuard Log and Analysis command, fortiguard, for configuring the filter settings for the FortiGuard Log & Analysis server. Also added VoIP commands.
FortiOS v3.0 MR7 Added ldb-monitor and cpu-memory-usage keywords.
FortiOS v4.0 Added the following keywords: app-crtl, app-crtl-all, dlp, dlp-all, wan-opt, amc-intf-bypass, content-log, content-log-ftp, content-log-http, content-log-imap, content-log-pop3, content-log-smtp. Removed the following keywords: im, im-all, voip, voip-all.
Related topics
log fortianalyzer setting
log memory setting
log syslogd setting
log webtrends setting
log trafficfilter
firewall
disk setting
Use this command to configure log settings for logging to the local disk. Disk logging is only available for FortiGate units with an internal hard disk. You can also use this command to configure the FortiGate unit to upload current log files to an FTP server every time the log files are rolled.
If you have an AMC disk installed on your FortiGate unit, you can use disk setting to configure logging of traffic to the AMC disk. The AMC disk behaves as a local disk after being inserted into the FortiGate unit and the FortiGate unit rebooted. You can view logs from Log&Report > Log Access > Disk when logging to an AMC disk.
Note: AMC disk is supported on all FortiGate units that have single-wide AMC slots.
Syntax
config log disk setting
    set status {enable | disable}
    set max-log-file-size <integer max>
    set roll-schedule {daily | weekly}
    set roll-time <hh:mm>
    set diskfull {nolog | overwrite}
    set upload {enable | disable}
    set upload-destination {fortianalyzer | ftp-server}
    set uploadip <class_ip>
    set uploadport <port_integer>
    set uploaduser <user_str>
    set uploadpass <passwd>
    set uploaddir <dir_name_str>
    set uploadtype {attack event im spamfilter traffic virus voip webfilter}
    set uploadzip {disable | enable}
    set uploadsched {disable | enable}
    set uploadtime <time_integer>
    set upload-delete-files {enable | disable}
    set full-first-warning threshold
    set full-second-warning threshold
    set full-final-warning threshold
    set drive-standby-time <0-19800>
end
Keywords and variables Description Default
status {enable | disable}
    Enable or disable logging to the local disk.
    Default: disable
max-log-file-size <integer max>
    Enter the maximum size of the log file (in MB) that is saved to the local disk. When the log file reaches the specified maximum size, the FortiGate unit saves the current log file and starts a new active log file. The minimum log file size is 1 MB and the maximum log file size allowed is 1024 MB.
    Default: 100
roll-schedule {daily | weekly}
    Enter the frequency of log rolling. When set, the FortiGate unit rolls the log file on this schedule even if the maximum size has not been reached.
    Default: daily
roll-time <hh:mm>
    Enter the time of day, in the format hh:mm, when the FortiGate unit saves the current log file and starts a new active log file.
    Default: 00:00
diskfull {nolog | overwrite}
    Enter the action to take when the local disk is full. With nolog, the FortiGate unit stops logging; with overwrite, it begins overwriting the oldest file once the local disk is full.
    Default: overwrite
upload {enable | disable}
    Enable or disable uploading log files to a remote directory. Enable upload to upload log files to an FTP server whenever a log file rolls. Use the uploaddir, uploadip, uploadpass, uploadport, and uploaduser keywords to add the information required to connect to the FTP server and upload the log files to a specific location on the server. Use the uploadtype keyword to select the type of log files to upload. Use the upload-delete-files keyword to delete the files from the hard disk once the FortiGate unit completes the file transfer. All upload keywords are available after enabling the upload command.
    Default: disable
upload-destination {fortianalyzer | ftp-server}
    Select whether to upload log files directly to a FortiAnalyzer unit or to an FTP server. When you select to upload log files directly to a FortiAnalyzer unit, you can also schedule when to upload the log files, when the log file rolls, and so on.
    Default: disable
uploadip <class_ip>
    Enter the IP address of the FTP server. This is required.
    Default: 0.0.0.0
uploadport <port_integer>
    Enter the port number used by the FTP server. The default port is 21, the standard FTP port.
    Default: 21
uploaduser <user_str>
    Enter the user account for the upload to the FTP server. This is required.
    No default.
uploadpass <passwd>
    Enter the password required to connect to the FTP server. This is required.
    No default.
uploaddir <dir_name_str>
    Enter the name of the path on the FTP server where the log files will be transferred to. If you do not specify a remote directory, the log files are uploaded to the root directory of the FTP server.
    No default.
uploadtype {attack event im spamfilter traffic virus voip webfilter}
    Select the log files to upload to the FTP server. You can enter one or more of the log file types, separated by spaces. If you want to remove a log file type from the list or add a log file type to the list, you must retype the list with the log file type removed or added.
    Default: traffic event spamfilter virus webfilter voip im
uploadzip {disable | enable}
    Enter enable to compress the log files after uploading to the FTP server. If disable is entered, the log files are uploaded to the FTP server in plain text format.
    Default: disable
uploadsched {disable | enable}
    Enable log uploads at a specific time of the day. When set to disable, the FortiGate unit uploads the logs when the logs are rolled.
    Default: disable
uploadtime <time_integer>
    Enter the time of day when the FortiGate unit uploads the logs. The uploadsched setting must first be set to enable.
    Default: 0
upload-delete-files {enable | disable}
    Enable or disable the removal of the log files once the FortiGate unit has uploaded the log file to the FTP server.
    Default: enable
full-first-warning threshold
    Enter to configure the first warning before reaching the threshold. You can enter a number between 1 and 100.
    Default: 75
full-second-warning threshold
    Enter to configure the second warning before reaching the threshold. You can enter a number between 1 and 100.
    Default: 90
full-final-warning threshold
    Enter to configure the final warning before reaching the threshold. You can enter a number between 1 and 100.
    Default: 95
drive-standby-time <0-19800>
    Set the power management for the hard disk. Enter the number of seconds, up to 19800. If there is no hard disk activity within the defined time frame, the hard disk will spin down to conserve energy. Setting the value to 0 disables the setting.
    Default: 0
Example
This example shows how to enable logging to the local disk, set the action to stop logging when the disk is full, give log files a maximum size of 300 MB, roll log files daily and start a new one at 1:30pm every day.
config log disk setting
    set status enable
    set diskfull nolog
    set max-log-file-size 300
    set roll-schedule daily
    set roll-time 01:30
end
This example shows how to enable uploading the traffic log and content archive files to an FTP server. The FTP server has the IP address 172.30.120.24, the user name is ftpone, the password is ftppass1, and the directory on the FTP server is fortigate\login.
config log disk setting
    set upload enable
    set uploadip 172.30.120.24
    set uploaduser ftpone
    set uploadpass ftppass1
    set uploadtype traffic content
    set uploaddir fortigate\logs
end
History
FortiOS v2.80 Substantially revised.
FortiOS v2.80 MR2 Removed ftppasswd, ftpserver, and ftpuser keywords. Added upload, uploaddir, uploadip, uploadpass, uploadport, uploadtype, and uploaduser keywords.
FortiOS v3.0 Renamed keyword filesize to max-log-file-size. Removed duration and unit keywords. Added upload-delete-files command.
FortiOS v3.0 MR2 Removed roll-day command.
FortiOS v3.0 MR4 Additional log files new to FortiOS 3.0 MR4, voip and im, were added to the uploadtype keyword.
FortiOS v3.0 MR5 Removed the keyword content from the uploadtype command. Added keyword upload-destination for uploading log files to a FortiAnalyzer unit.
FortiOS v3.0 MR6 Added the following keywords: full-first-warning threshold, full-second-warning threshold, full-final-warning threshold.
Related topics
log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
log fortianalyzer setting
log memory setting
log syslogd setting
log trafficfilter
log webtrends setting
fortianalyzer setting
Use this command to enable the FortiGate unit to send log files to a FortiAnalyzer unit. See fortianalyzer, fortianalyzer2, fortianalyzer3 on page 355 to configure the FortiAnalyzer configuration settings.
FortiAnalyzer units are network appliances that provide integrated log collection, analysis tools and data storage. Detailed log reports provide historical as well as current analysis of network and email activity to help identify security issues and reduce network misuse and abuse.
Using the CLI, you can send logs to up to three different FortiAnalyzer units for maximum fail-over protection of log data. After configuring logging to FortiAnalyzer units, the FortiGate unit will send the same log packets to all configured FortiAnalyzer units. Additional FortiAnalyzer units are configured using the fortianalyzer2 and fortianalyzer3 commands.
Note: The FortiAnalyzer CLI commands are not cumulative. Using a syntax similar to the following is not valid: config log fortianalyzer fortianalyzer2 fortianalyzer3 setting
Syntax
config log fortianalyzer setting
    set status {disable | enable}
end
Keywords and variables Description Default
status {disable | enable}
    Enter enable to enable logging to a FortiAnalyzer unit.
    Default: disable
Example
This example shows how to enable logging to a FortiAnalyzer unit.
config log fortianalyzer setting
    set status enable
end
History
FortiOS v2.80 New.
FortiOS v2.80 MR2 Added localid and pksecret keywords.
FortiOS v3.0 Moved all FortiAnalyzer configuration keywords under config system fortianalyzer. Command includes up to three FortiAnalyzer units, fortianalyzer2 and fortianalyzer3. Changed FortiLog product name to FortiAnalyzer.
FortiOS v3.0 MR4 Added multi-report keyword.
FortiOS v3.0 MR7 Removed multi-report keyword and max-buffer-size keyword.
Related topics
system fortianalyzer, fortianalyzer2, fortianalyzer3
log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
log fortianalyzer setting
log memory setting
log syslogd setting
log webtrends setting
log trafficfilter
fortiguard setting
Use this command to configure FortiGuard Analysis Service settings. For more information about logging to a FortiGuard Analysis server, including enabling logging and the subscription-based FortiGuard Analysis and Management Service, see the FortiGate Administration Guide.
Note: The fortiguard setting command is only available when FortiGuard Analysis and Management Service subscription-based services are enabled. The storage space is a specified amount, and varies, depending on the services requested.
Syntax
config log fortiguard setting
    set quotafull {nolog | overwrite}
    set status {disable | enable}
end
Keywords and variables Description Default
quotafull {nolog | overwrite}
    Enter the action to take when the specified storage space on the FortiGuard Analysis server is full. When you enter nolog, the FortiGate unit will stop logging, and overwrite will begin overwriting the oldest file.
    Default: overwrite
status {disable | enable}
    Enter enable to enable logging to the FortiGuard Analysis server.
    Default: disable
Example
In this example, the FortiGate unit is logging to a FortiGuard Analysis server, and will stop logging when the maximum storage space on the server is reached.
config log fortiguard setting
    set quotafull nolog
    set status enable
end
History
FortiOS v3.0 MR4 New.
Related topics
log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
memory setting
Use this command to configure log settings for logging to the FortiGate system memory.
The FortiGate system memory has a limited capacity and only displays the most recent log entries. Traffic logs are not stored in the memory buffer, due to the high volume of traffic information. After all available memory is used, by default, the FortiGate unit begins to overwrite the oldest messages. All log entries are deleted when the FortiGate unit restarts.
Syntax
config log memory setting
    set diskfull <overwrite>
    set status {disable | enable}
end
Keywords and variables Description Default
diskfull <overwrite>
    Enter the action to take when the memory is reaching its capacity. The only option available is overwrite, which means that the FortiGate unit will begin overwriting the oldest file.
    Default: overwrite
status {disable | enable}
    Enter enable to enable logging to the FortiGate system memory.
    Default: disable
Example
This example shows how to enable logging to the FortiGate system memory.
config log memory setting
    set status enable
    set diskfull overwrite
end
History
FortiOS v2.80 Substantially revised.
FortiOS v3.0 Added diskfull keyword.
FortiOS v3.0 MR6 Removed blocktraffic and nolog keywords.
Related topics
log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
log fortianalyzer setting
log syslogd setting
log webtrends setting
log trafficfilter
log memory global setting
memory global setting
Use this command to configure log threshold warnings, as well as the maximum buffer lines, for the FortiGate system memory.
The FortiGate system memory has a limited capacity and displays only the most recent log entries. Traffic logs are not stored in the memory buffer, due to the high volume of traffic information. After all available memory is used, by default, the FortiGate unit begins to overwrite the oldest log messages. All log entries are deleted when the FortiGate unit restarts.
Syntax
config log memory global setting
    set full-final-warning-threshold
    set full-first-warning-threshold
    set full-second-warning-threshold
    set max-lines
end
Keywords and variables Description Default
full-final-warning-threshold
    Enter to configure the final warning before reaching the threshold. You can enter a number between 3 and 100.
    Default: 95
full-first-warning-threshold
    Enter to configure the first warning before reaching the threshold. You can enter a number between 1 and 98.
    Default: 75
full-second-warning-threshold
    Enter to configure the second warning before reaching the threshold. You can enter a number between 2 and 99.
    Default: 90
max-lines
    Enter the maximum number of lines in the memory buffer log.
    No default.
Example
This example shows how to configure the first, second, and final threshold warnings as well as the maximum lines for the memory buffer log.
config log memory global setting
    set full-first-warning-threshold 40
    set full-second-warning-threshold 60
    set full-final-warning-threshold 80
    set max-lines 60
end
History
FortiOS v3.0 MR6 New.
Related topics
log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
log fortianalyzer setting
log syslogd setting
log webtrends setting
log trafficfilter
log memory setting
syslogd setting
Use this command to configure log settings for logging to a remote syslog server. You can configure the FortiGate unit to send logs to a remote computer running a syslog server.
Using the CLI, you can send logs to up to three different syslog servers. Configure additional syslog servers using the syslogd2 and syslogd3 commands and the same keywords outlined below.
Note: Syslog CLI commands are not cumulative. Using a syntax similar to the following is not valid: config log syslogd syslogd2 syslogd3 setting
Syntax
config log syslogd setting
    set status {disable | enable}
    set server <address_ipv4>
    set port <port_integer>
    set csv {disable | enable}
    set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
end
Keywords and variables Description Default
status {disable | enable}
    Enter enable to enable logging to a remote syslog server.
    Default: disable
server <address_ipv4>
    Enter the IP address of the syslog server that stores the logs.
    No default.
port <port_integer>
    Enter the port number for communication with the syslog server.
    Default: 514
csv {disable | enable}
    Enter enable to enable the FortiGate unit to produce the log in Comma Separated Value (CSV) format. If you do not enable CSV format the FortiGate unit produces plain text files.
    Default: disable
facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
    Enter the facility type. facility identifies the source of the log message to syslog. You might want to change facility to distinguish log messages from different FortiGate units. Available facility types are:
    alert: log alert
    audit: log audit
    auth: security/authorization messages
    authpriv: security/authorization messages (private)
    clock: clock daemon
    cron: cron daemon performing scheduled commands
    daemon: system daemons running background system processes
    ftp: File Transfer Protocol (FTP) daemon
    kernel: kernel messages
    local0 to local7: reserved for local use
    lpr: line printer subsystem
    mail: email system
    news: network news subsystem
    ntp: Network Time Protocol (NTP) daemon
    syslog: messages generated internally by the syslog daemon
    Default: local7
Example
This example shows how to enable logging to a remote syslog server, configure an IP address and port for the server, and enable logging in CSV format.
config log syslogd setting
    set status enable
    set server 192.168.201.199
    set port 601
    set csv enable
end
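The following added example (not Fortinet code) ties the severity keyword of the filter command to the facility keyword of syslogd setting: it computes the PRI value a syslog collector sees for a given facility and severity, checks which messages survive a configured severity threshold, and sorts received lines back to the sending unit by facility, which is the reason the page gives for changing facility per unit. Facility and severity numbers are the RFC 3164 codes; the sample log lines and unit names are constructed.

```python
"""Syslog PRI arithmetic for a FortiGate syslogd configuration.

Added illustration, not Fortinet code. Facility and severity numbers are
the RFC 3164 codes; the keyword names are the ones accepted by
`config log syslogd setting` (facility) and `config log ... filter`
(severity). The sample log lines are constructed.
"""
import re

# RFC 3164 facility codes, keyed by the FortiGate facility keyword.
FACILITY_CODES = {
    "kernel": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "audit": 13, "alert": 14, "clock": 15,
    **{"local%d" % n: 16 + n for n in range(8)},
}
# RFC 3164 severity codes, keyed by the FortiGate severity keyword.
# A lower code is more severe: emergency is 0, debug is 7.
SEVERITY_CODES = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notification": 5, "information": 6, "debug": 7,
}
_FACILITY_NAMES = {code: name for name, code in FACILITY_CODES.items()}
_SEVERITY_NAMES = {code: name for name, code in SEVERITY_CODES.items()}

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def syslog_pri(facility, severity):
    """PRI value carried in the <N> prefix of a syslog datagram."""
    return FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]


def decode_pri(pri):
    """Inverse of syslog_pri: (facility keyword, severity keyword)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return _FACILITY_NAMES[pri // 8], _SEVERITY_NAMES[pri % 8]


def passes_filter(message_severity, configured_severity):
    """True if a message at message_severity is written under
    `set severity configured_severity`: the unit logs messages at and
    above the selected level, and 'above' means a smaller code."""
    return SEVERITY_CODES[message_severity] <= SEVERITY_CODES[configured_severity]


def expected_pri_values(facility, configured_severity):
    """PRI values a collector can receive from a unit with these two settings."""
    return {
        syslog_pri(facility, sev)
        for sev in SEVERITY_CODES
        if passes_filter(sev, configured_severity)
    }


def attribute_lines(lines, facility_by_unit):
    """Group received lines by sending unit using only the PRI facility.

    facility_by_unit maps a unit name to the facility keyword configured on
    it; each unit needs a distinct facility for this to work. Lines whose
    facility matches no unit, or that carry no PRI prefix, go to "unknown".
    """
    unit_by_facility = {fac: unit for unit, fac in facility_by_unit.items()}
    groups = {unit: [] for unit in facility_by_unit}
    groups["unknown"] = []
    for line in lines:
        match = _PRI_RE.match(line)
        if match is None:
            groups["unknown"].append(line)
            continue
        facility, _severity = decode_pri(int(match.group(1)))
        groups[unit_by_facility.get(facility, "unknown")].append(line)
    return groups


# Constructed sample: FG-A keeps the default facility local7 (PRI 184-191),
# FG-B was set to local6 (PRI 176-183), and a Linux host sends user.notice.
SAMPLE_LINES = [
    '<188>date=2009-04-15 time=10:00:01 devname=FG-A type=event level=warning msg="constructed sample"',
    '<187>date=2009-04-15 time=10:00:02 devname=FG-A type=event level=error msg="constructed sample"',
    '<182>date=2009-04-15 time=10:00:03 devname=FG-B type=traffic level=information msg="constructed sample"',
    "<13>Apr 15 10:00:04 linuxhost sshd[1234]: constructed sample line",
    'date=2009-04-15 time=10:00:05 devname=FG-A type=event level=notification msg="no PRI prefix"',
]

if __name__ == "__main__":
    print("local7/warning ->", syslog_pri("local7", "warning"))  # 188
    print("PRIs for local7 at severity warning:",
          sorted(expected_pri_values("local7", "warning")))
    groups = attribute_lines(SAMPLE_LINES, {"FG-A": "local7", "FG-B": "local6"})
    for unit, unit_lines in groups.items():
        print(unit, len(unit_lines))
```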
History
FortiOS v2.80 Substantially revised.
FortiOS v2.80 MR3 Added alert and audit keywords for use with the facility keyword.
FortiOS v3.0 Command includes up to three syslog servers, syslogd2 and syslogd3.
Related topics
log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
log fortianalyzer setting
log memory setting
log webtrends setting
log trafficfilter
webtrends setting
Use this command to configure log settings for logging to a remote computer running a NetIQ WebTrends firewall reporting server.
FortiGate log formats comply with WebTrends Enhanced Log Format (WELF) and are compatible with NetIQ WebTrends Security Reporting Center and Firewall Suite 4.1.
Syntax
config log webtrends setting
    set server <address_ipv4>
    set status {disable | enable}
end
Keywords and variables Description Default
server <address_ipv4>
    Enter the IP address of the WebTrends server that stores the logs.
    No default.
status {disable | enable}
    Enter enable to enable logging to a WebTrends server.
    Default: disable
Example
This example shows how to enable logging to a remote WebTrends server and set its IP address.
config log webtrends setting
    set status enable
    set server 192.168.21.155
end
History
FortiOS v2.80 Substantially revised.
Related topics
log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
log fortianalyzer setting
log memory setting
log syslogd setting
log trafficfilter
trafficfilter
Use this command to configure the following global settings for traffic logging:
resolve IP addresses to host names
display the port number or service (protocol) in the log message
Syntax
config log trafficfilter
    set display {name | port}
    set resolve {disable | enable}
end
Keywords and variables Description Default
display {name | port}
    Enter name to display the service name in traffic log messages. Enter port to display the port number used by traffic in traffic log messages.
    Default: port
resolve {disable | enable}
    Enter enable to enable resolving IP addresses to host names in traffic log messages.
    Default: disable
Example
This example shows how to display the service name and enable resolving IP addresses to host names in log messages.
config log trafficfilter
    set display name
    set resolve enable
end
History
FortiOS v2.80 Revised.
FortiOS v3.0 MR7 Removed the config rule sub-command.
Related topics
log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
log fortianalyzer setting
log memory setting
log syslogd setting
log webtrends setting
router
Routers move packets from one network segment to another towards a network destination. When a
packet reaches a router, the router uses data in the packet header to look up a suitable route on which to
forward the packet to the next segment. The information that a router uses to make routing decisions is
stored in a routing table. Other factors related to the availability of routes and the status of the network may
influence the route selection that a router makes when forwarding a packet to the next segment.
The FortiGate unit supports many advanced routing functions and is compatible with industry standard
Internet routers. The FortiGate unit can communicate with other routers to determine the best route for a
packet.
The following router commands are available to configure options related to FortiGate unit router communications and packet forwarding:
access-list
aspath-list
auth-path
bgp
community-list
key-chain
multicast
ospf
policy
prefix-list
rip
route-map
setting
static
static6
access-list
Use this command to add, edit, or delete access lists. Access lists are filters used by FortiGate unit routing processes. For an access list to take effect, it must be called by a FortiGate unit routing process (for example, a process that supports RIP or OSPF).
Each rule in an access list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and whether to match the prefix exactly or to match the prefix and any more specific prefix.
The FortiGate unit attempts to match a packet against the rules in an access list starting at the top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found, the default action is deny.
Syntax
  config router access-list
    edit <access_list_name>
      set comments <string>
      config rule
        edit <access_list_id>
          set action {deny | permit}
          set exact-match {enable | disable}
          set prefix {<prefix_ipv4mask> | any}
          set wildcard <address_ipv4> <wildcard_mask>
      end
  end
Note: If you are setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route, 0.0.0.0/0, cannot be exactly matched with an access-list. A prefix-list must be used for this purpose. For more information, see prefix-list on page 282.
Note: The action and prefix keywords are required. The exact-match keyword is optional.
Variables
edit <access_list_name>
    Enter a name for the access list. An access list and a prefix list cannot have the same name.
    Default: No default.
comments <string>
    Enter a descriptive comment. The maximum length is 127 characters.
    Default: No default.
config rule variables
edit <access_list_id>
    Enter an entry number for the rule. The number must be an integer.
    Default: No default.
action {deny | permit}
    Set the action to take for this prefix.
    Default: permit
exact-match {enable | disable}
    By default, access list rules are matched on the prefix or any more specific prefix. Enable exact-match to match only the configured prefix.
    Default: disable
prefix {<prefix_ipv4mask> | any}
    Enter the prefix for this access list rule, either:
    Type the IP address and network mask.
    Type any to match any prefix.
    Default: any
wildcard <address_ipv4> <wildcard_mask>
    Enter the IP address and reverse (wildcard) mask to process. The value of the mask (for example, 0.0.255.0) determines which address bits to match. A value of 0 means that an exact match is required, while a binary value of 1 indicates that part of the binary network address does not have to match. You can specify discontinuous masks (for example, to process even or odd networks according to any network address octet). For best results, do not specify a wildcard attribute unless prefix is set to any.
    Default: No default.
Example
This example shows how to add an access list named acc_list1 with two rules. The first rule denies the subnet that exactly matches the prefix 192.168.50.0 255.255.255.0, and the second rule permits all other subnets that match the prefix 192.168.0.0 255.255.0.0.
  config router access-list
    edit acc_list1
      config rule
        edit 1
          set prefix 192.168.50.0 255.255.255.0
          set action deny
          set exact-match enable
        next
        edit 2
          set prefix 192.168.0.0 255.255.0.0
          set action permit
          set exact-match disable
      end
  end
The next example shows how to add an access list that permits all subnets matching network address 10.20.4.1 through 10.20.4.255 (addresses 10.20.4.x are processed):
  config router access-list
    edit acc_list2
      config rule
        edit 1
          set action permit
          set wildcard 10.20.4.0 0.0.0.255
      end
  end
The next example shows how to add an access list that permits odd subnets according to the third octet of network address 172.16.x.0 (networks 172.16.1.0, 172.16.3.0, 172.16.5.0, and so on are processed):
  config router access-list
    edit acc_list3
      config rule
        edit 1
          set action permit
          set wildcard 172.16.1.0 0.0.254.0
      end
  end
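The matching behaviour described above (rules tried from the top, first match wins, deny when nothing matches, exact-match versus more-specific matching, and the wildcard mask comparison), worked through as an added Python model; this is example code, not Fortinet code. It rebuilds acc_list1, acc_list2 and acc_list3 from the examples on this page and checks constructed sample prefixes against them; it does not reproduce the documented restriction that 0.0.0.0/0 cannot be exactly matched by an access-list.

```python
"""Model of FortiGate access-list rule matching (added example, not Fortinet code).

Rules are tried from the top of the list, the first match decides, and a
route that matches nothing is denied. A prefix rule matches the configured
prefix or any more specific prefix unless exact-match is enabled. A wildcard
rule compares only the address bits whose wildcard-mask bit is 0.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


def parse_prefix(text: str) -> IPv4Network:
    """Parse the CLI form '192.168.50.0 255.255.255.0' or '192.168.0.0/16'."""
    return IPv4Network(text.replace(" ", "/"))


def parse_wildcard(text: str) -> Tuple[IPv4Address, IPv4Address]:
    """Parse the CLI form '10.20.4.0 0.0.0.255' into (address, wildcard mask)."""
    address, mask = text.split()
    return IPv4Address(address), IPv4Address(mask)


@dataclass
class Rule:
    action: str                                             # "permit" or "deny"
    prefix: Optional[IPv4Network] = None                    # None means "any"
    exact_match: bool = False
    wildcard: Optional[Tuple[IPv4Address, IPv4Address]] = None

    def matches(self, route: IPv4Network) -> bool:
        if self.wildcard is not None:
            address, mask = self.wildcard
            # A 1 bit in the wildcard mask is ignored; a 0 bit must match exactly.
            care = 0xFFFFFFFF ^ int(mask)
            return (int(route.network_address) & care) == (int(address) & care)
        if self.prefix is None:
            return True
        if self.exact_match:
            return route == self.prefix
        # Default behaviour: the prefix itself or any more specific prefix.
        return route.subnet_of(self.prefix)


def evaluate(rules: List[Rule], route: IPv4Network) -> str:
    """Return the action taken for a route; deny when no rule matches."""
    for rule in rules:
        if rule.matches(route):
            return rule.action
    return "deny"


def decide(rules: List[Rule], route_text: str) -> str:
    """Convenience wrapper taking the route as 'a.b.c.d/len' or 'a.b.c.d mask'."""
    return evaluate(rules, parse_prefix(route_text))


# The three access lists from the examples above, rebuilt as rule lists.
ACC_LIST1 = [
    Rule("deny", parse_prefix("192.168.50.0 255.255.255.0"), exact_match=True),
    Rule("permit", parse_prefix("192.168.0.0 255.255.0.0")),
]
ACC_LIST2 = [Rule("permit", wildcard=parse_wildcard("10.20.4.0 0.0.0.255"))]
ACC_LIST3 = [Rule("permit", wildcard=parse_wildcard("172.16.1.0 0.0.254.0"))]


if __name__ == "__main__":
    # Constructed sample routes, one or two per matching mode.
    samples = [
        ("acc_list1", ACC_LIST1, "192.168.50.0/24"),   # exact match on rule 1: deny
        ("acc_list1", ACC_LIST1, "192.168.50.0/25"),   # not exact, inside the /16: permit
        ("acc_list1", ACC_LIST1, "10.0.0.0/8"),        # matches nothing: deny
        ("acc_list2", ACC_LIST2, "10.20.4.128/25"),    # a 10.20.4.x network: permit
        ("acc_list3", ACC_LIST3, "172.16.3.0/24"),     # odd third octet: permit
        ("acc_list3", ACC_LIST3, "172.16.4.0/24"),     # even third octet: deny
    ]
    for name, rules, route in samples:
        print(f"{name}: {route} -> {decide(rules, route)}")
```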
History
FortiOS v2.80 New.
FortiOS v3.0 Added wildcard attribute. Changed exact_match keyword to exact-match.
FortiOS v3.0 MR6 Added comments attribute.
Related topics
router ospf
router prefix-list
router rip
aspath-list
Use this command to set or unset BGP AS-path list parameters. By default, BGP uses an ordered list of Autonomous System (AS) numbers to describe the route that a packet takes to reach its destination. A list of AS numbers is called an AS path. You can filter BGP routes using AS path lists.
When the FortiGate unit receives routing updates from other autonomous systems, it can perform operations on updates from neighbors and choose the shortest path to a destination. The shortest path is determined by counting the number of AS numbers in the AS path. The path that has the least number of AS numbers is considered the shortest AS path.
Use the config router aspath-list command to define an access list that examines the AS_PATH attributes of BGP routes to match routes. Each entry in the AS-path list defines a rule for matching and selecting routes based on the setting of the AS_PATH attribute. The default rule in an AS path list (which the FortiGate unit applies last) denies the matching of all routes.
Syntax
  config router aspath-list
    edit <aspath_list_name>
      config rule
        edit <as_rule_id>
          set action {deny | permit}
          set regexp <regexp_str>
      end
  end
Example
This example shows how to create an AS-path list named ebgp_in. The list contains a single rule that permits operations on BGP routes whose AS_PATH attribute references an AS number of 333, 334, 338, or 71. The AS path list will match routes that originate in AS 333, AS 334, AS 338, or AS 71.
  config router aspath-list
    edit ebgp_in
      config rule
        edit 1
          set action permit
          set regexp _(333|334|338|71)$
      end
  end
Note: The action and regexp keywords are required.
Variables
edit <aspath_list_name>
    Enter a name for the AS path list.
    Default: No default.
config rule variables
edit <as_rule_id>
    Enter an entry number for the rule. The number must be an integer.
    Default: No default.
action {deny | permit}
    Deny or permit operations on a route based on the value of the route's AS_PATH attribute.
    Default: No default.
regexp <regexp_str>
    Specify the regular expression that will be compared to the AS_PATH attribute (for example, ^730$). The value is used to match AS numbers. Delimit a complex regexp_str value using double-quotation marks.
    Default: Null.
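The AS-path rule evaluation described above (each rule's regexp compared against the route's AS_PATH, first match wins, everything else denied), as an added Python example that is not Fortinet code. It assumes the common BGP regular-expression convention in which _ stands for a delimiter (start or end of the path, a space, comma or brace), which is how the _(333|334|338|71)$ rule in the example matches routes whose origin AS is 333, 334, 338 or 71; the sample AS paths are constructed.

```python
"""AS-path list evaluation for BGP routes (added example, not Fortinet code).

Assumption: "_" in an AS-path regexp stands for a delimiter (start or end of
the path, a space, a comma or a brace), as in the usual BGP regexp convention.
Everything else in the regexp is ordinary regular-expression syntax.
"""
import re
from dataclasses import dataclass
from typing import List

# What "_" expands to: start of text, end of text, or a separator character.
DELIMITER = r"(?:^|$|[ ,{}()])"


def compile_aspath_regexp(regexp: str) -> re.Pattern:
    """Translate an AS-path regexp into a Python pattern (only "_" is rewritten)."""
    return re.compile(regexp.replace("_", DELIMITER))


def aspath_text(as_path: List[int]) -> str:
    """AS_PATH as the space-separated text the regexp is compared against.

    The left-most AS is the neighbor that sent the route; the right-most is
    the origin AS, which is why "$" anchors on the originating AS.
    """
    return " ".join(str(asn) for asn in as_path)


def aspath_matches(regexp: str, as_path: List[int]) -> bool:
    return compile_aspath_regexp(regexp).search(aspath_text(as_path)) is not None


@dataclass
class AspathRule:
    action: str      # "permit" or "deny"
    regexp: str


def evaluate_aspath_list(rules: List[AspathRule], as_path: List[int]) -> str:
    """First matching rule wins; the implicit final rule denies all other routes."""
    for rule in rules:
        if aspath_matches(rule.regexp, as_path):
            return rule.action
    return "deny"


# The ebgp_in list from the example above.
EBGP_IN = [AspathRule("permit", "_(333|334|338|71)$")]


if __name__ == "__main__":
    # Constructed AS paths: origin 333 (permit), 333 as transit only (deny),
    # origin 71 (permit), origin 3338 which only ends in "338" (deny).
    for path in ([65100, 333], [333, 65100], [71], [3338], [65100, 2000]):
        print(path, "->", evaluate_aspath_list(EBGP_IN, path))
```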
History
FortiOS v3.0 New.
Related topics
router bgp
router community-list
Using route maps with BGP
router key-chain
auth-path
Authentication based routing allows firewall policies to direct network traffic flows.
This command configures a RADIUS object on your FortiGate unit. The same object is required to be configured on the RADIUS server.
To configure authentication based routing on your FortiGate unit
1 Configure your FortiGate unit to communicate with a RADIUS authentication server.
2 Configure a user that uses the RADIUS server.
3 Add that user to a user group configured to use the RADIUS server.
4 Configure the router auth-path object.
5 Configure a custom service for RADIUS traffic.
6 Configure a service group that includes RADIUS traffic along with other types of traffic that will be allowed to pass through the firewall.
7 Configure a firewall policy that has route based authentication enabled.
The Fortinet Knowledge Center has an article on authentication based routing that provides a sample configuration for these steps.
Syntax
  config router auth-path
    edit <auth_path_name>
      set device <interface>
      set gateway <gway_ipv4>
  end
Note: The auth-path command is not available when the FortiGate unit is in Transparent mode.
Variables
edit <auth_path_name>
    Enter a name for the authentication path.
    Default: No default.
device <interface>
    Specify the interface for this path.
    Default: No default.
gateway <gway_ipv4>
    Specify the gateway IP address for this path.
    Default: Null.
Example
This example shows how to configure an auth-path object called auth_route that routes traffic over the dmz interface using 172.20.120.4. These settings also need to be configured on the RADIUS server used to authenticate.
  config router auth-path
    edit auth_route
      set device dmz
      set gateway 172.20.120.4
    next
  end
History
FortiOS v3.0 MR6 New.
Related topics
user local
user radius
firewall policy, policy6
bgp
Use this command to set or unset BGP-4 routing parameters. BGP can be used to perform Classless
Interdomain Routing (CIDR) and to route traffic between different autonomous systems or domains using
an alternative route if a link between a FortiGate unit and a BGP peer (such as an ISP router) fails. Fortinet
BGP-4 complies with RFC 1771 and supports IPv4 addressing.
When BGP is enabled, the FortiGate unit sends routing table updates to the upstream ISP router
whenever any part of the routing table changes. The update advertises which routes can be used to reach
the FortiGate unit. In this way, routes are made known from the border of the internal network outwards
(routes are pushed forward) instead of relying on upstream routers to propagate alternative paths to the
FortiGate unit.
FortiGate unit BGP supports the following extensions to help manage large numbers of BGP peers:
Communities: The FortiGate unit can set the COMMUNITY attribute of a route to assign the route to predefined paths (see RFC 1997). The FortiGate unit can examine the COMMUNITY attribute of learned routes to perform local filtering and/or redistribution.
Internal BGP (IBGP) route reflectors: The FortiGate unit can operate as a route reflector or participate as a client in a cluster of IBGP peers (see RFC 1966).
External BGP (EBGP) confederations: The FortiGate unit can operate as a confederation member, using its AS confederation identifier in all transactions with peers that are not members of its confederation (see RFC 3065).
Bi-directional Forwarding Detection (BFD) is a protocol used by BGP and OSPF. It is used to quickly locate
hardware failures in the network. Routers running BFD communicate with each other, and if a timer runs
out on a connection then that router is declared down. BFD then communicates this information to the
routing protocol and the routing information is updated. BFD support was added in FortiOS v3.0 MR4, and
can only be configured through the CLI.
Syntax
  config router bgp
    set always-compare-med {enable | disable}
    set as <local_as_id>
    set bestpath-as-path-ignore {enable | disable}
    set bestpath-cmp-confed-aspath {enable | disable}
    set bestpath-cmp-routerid {enable | disable}
    set bestpath-med-confed {enable | disable}
    set bestpath-med-missing-as-worst {enable | disable}
    set client-to-client-reflection {enable | disable}
    set cluster-id <address_ipv4>
    set confederation-identifier <peerid_integer>
    set dampening {enable | disable}
    set dampening-max-suppress-time <minutes_integer>
    set dampening-reachability-half-life <minutes_integer>
    set dampening-reuse <reuse_integer>
    set dampening-route-map <routemap-name_str>
    set dampening-suppress <limit_integer>
    set dampening-unreachability-half-life <minutes_integer>
    set default-local-preference <preference_integer>
    set deterministic-med {enable | disable}
    set distance-external <distance_integer>
    set distance-internal <distance_integer>
    set distance-local <distance_integer>
    set enforce-first-as {enable | disable}
    set fast-external-failover {enable | disable}
    set graceful_restart {enable | disable}
    set holdtime-timer <seconds_integer>
    set ignore_optional_capability {enable | disable}
    set keepalive-timer <seconds_integer>
    set log-neighbor-changes {enable | disable}
    set network-import-check {enable | disable}
    set router-id <address_ipv4>
    set scan-time <seconds_integer>
    set synchronization {enable | disable}
    config admin-distance
      edit <route_entry_id>
        set distance <integer>
        set neighbor-prefix <ip_and_netmask>
        set route-list <string>
    end
    config aggregate-address
      edit <aggr_addr_id>
        set as-set {enable | disable}
        set prefix <address_ipv4mask>
        set summary-only {enable | disable}
    end
    config neighbor
      edit <neighbor_address_ipv4>
        set activate {enable | disable}
        set advertisement-interval <seconds_integer>
        set allowas-in <max_num_AS_integer>
        set allowas-in-enable {enable | disable}
        set attribute-unchanged [as-path] [med] [next-hop]
        set bfd {enable | disable}
        set capability-default-originate {enable | disable}
        set capability-dynamic {enable | disable}
        set capability-graceful-restart {enable | disable}
        set capability-orf {both | none | receive | send}
        set capability-route-refresh {enable | disable}
        set connect-timer <seconds_integer>
        set description <text_str>
        set distribute-list-in <access-list-name_str>
        set distribute-list-out <access-list-name_str>
        set dont-capability-negotiate {enable | disable}
        set ebgp-enforce-multihop {enable | disable}
        set ebgp-multihop-ttl <seconds_integer>
        set filter-list-in <aspath-list-name_str>
        set filter-list-out <aspath-list-name_str>
        set holdtime-timer <seconds_integer>
        set interface <interface-name_str>
        set keep-alive-timer <seconds_integer>
        set maximum-prefix <prefix_integer>
        set maximum-prefix-threshold <percentage_integer>
        set maximum-prefix-warning-only {enable | disable}
        set next-hop-self {enable | disable}
        set override-capability {enable | disable}
        set passive {enable | disable}
        set password <string>
        set prefix-list-in <prefix-list-name_str>
        set prefix-list-out <prefix-list-name_str>
        set remote-as <id_integer>
        set remove-private-as {enable | disable}
        set retain-stale-time <seconds_integer>
        set route-map-in <routemap-name_str>
        set route-map-out <routemap-name_str>
        set route-reflector-client {enable | disable}
        set route-server-client {enable | disable}
        set send-community {both | disable | extended | standard}
        set shutdown {enable | disable}
        set soft-reconfiguration {enable | disable}
        set strict-capability-match {enable | disable}
        set unsuppress-map <route-map-name_str>
        set update-source <interface-name_str>
        set weight <weight_integer>
    end
    config network
      edit <network_id>
        set backdoor {enable | disable}
        set prefix <address_ipv4mask>
        set route-map <routemap-name_str>
    end
    config redistribute {connected | static | rip | ospf}
      set status {enable | disable}
      set route-map <route-map-name_str>
    end
  end
config router bgp
Use this command to enable a Border Gateway Protocol version 4 (BGP-4) process on the FortiGate unit,
define the interfaces making up the local BGP network (see config network on page 245), and set
operating parameters for communicating with BGP neighbors (see config neighbor on page 241).
When multiple routes to the FortiGate unit exist, BGP attributes determine the best route and the FortiGate
unit communicates this information to its BGP peers. The best route is added to the IP routing table of the
BGP peer, which in turn propagates this updated routing information to upstream routers.
FortiGate units maintain separate entries in their routing tables for BGP routes. See Using route maps
with BGP on page 295. To reduce the size of the BGP routing table and conserve network resources, you
can optionally aggregate routes to the FortiGate unit. An aggregate route enables the FortiGate unit to
advertise one block of contiguous IP addresses as a single, less-specific address. You can implement
aggregate routing either by redistributing an aggregate route (see config redistribute on page 246) or by
using the conditional aggregate routing feature (see config aggregate-address on page 241).
Note: In the following table, the as and router-id keywords are required. All other keywords are optional.
Variables
always-compare-med {enable | disable}
    Enable or disable the comparison of MULTI_EXIT_DISC (Multi Exit Discriminator or MED) attributes for identical destinations advertised by BGP peers in different autonomous systems.
    Default: disable
as <local_as_id>
    Enter an integer to specify the local autonomous system (AS) number of the FortiGate unit. The range is from 1 to 65535. When the local_as_id number is different than the AS number of the specified BGP neighbor (see remote-as <id_integer> on page 244), an External BGP (EBGP) session is started. Otherwise, an Internal BGP (IBGP) session is started. A value of 0 is not allowed.
    Default: 0
bestpath-as-path-ignore {enable | disable}
    Enable or disable the inclusion of an AS path in the selection algorithm for choosing a BGP route.
    Default: disable
bestpath-cmp-confed-aspath {enable | disable}
    Enable or disable the comparison of the AS_CONFED_SEQUENCE attribute, which defines an ordered list of AS numbers representing a path from the FortiGate unit through autonomous systems within the local confederation.
    Default: disable
bestpath-cmp-routerid {enable | disable}
    Enable or disable the comparison of the router-ID values for identical EBGP paths.
    Default: disable
bestpath-med-confed {enable | disable}
    Enable or disable the comparison of MED attributes for routes advertised by confederation EBGP peers.
    Default: disable
bestpath-med-missing-as-worst {enable | disable}
    This keyword is available when bestpath-med-confed is set to enable.
    When bestpath-med-confed is enabled, treat any confederation path with a missing MED metric as the least preferred path.
    Default: disable
client-to-client-reflection {enable | disable}
    Enable or disable client-to-client route reflection between IBGP peers. If the clients are fully meshed, route reflection may be disabled.
    Default: enable
cluster-id <address_ipv4>
    Set the identifier of the route-reflector in the cluster ID to which the FortiGate unit belongs. If 0 is specified, the FortiGate unit operates as the route reflector and its router-id value is used as the cluster-id value. If the FortiGate unit identifies its own cluster ID in the CLUSTER_LIST attribute of a received route, the route is ignored to prevent looping.
    Default: 0.0.0.0
confederation-identifier <peerid_integer>
    Set the identifier of the confederation to which the FortiGate unit belongs. The range is from 1 to 65535.
    Default: 0
dampening {enable | disable}
    Enable or disable route-flap dampening on all BGP routes. See RFC 2439. (A flapping route is unstable and continually transitions down and up.) If you set dampening, you may optionally set dampening-route-map or define the associated values individually using the dampening-* keywords.
    Default: disable
dampening-max-suppress-time <minutes_integer>
    This keyword is available when dampening is set to enable.
    Set the maximum time (in minutes) that a route can be suppressed. The range is from 1 to 255. A route may continue to accumulate penalties while it is suppressed. However, the route cannot be suppressed longer than minutes_integer.
    Default: 60
dampening-reachability-half-life <minutes_integer>
    This keyword is available when dampening is set to enable.
    Set the time (in minutes) after which any penalty assigned to a reachable (but flapping) route is decreased by half. The range is from 1 to 45.
    Default: 15
dampening-reuse <reuse_integer>
    This keyword is available when dampening is set to enable.
    Set a dampening-reuse limit based on accumulated penalties. The range is from 1 to 20000. If the penalty assigned to a flapping route decreases enough to fall below the specified reuse_integer, the route is not suppressed.
    Default: 750
dampening-route-map <routemap-name_str>
    This keyword is available when dampening is set to enable.
    Specify the route-map that contains criteria for dampening. You must create the route-map before it can be selected here. See route-map on page 294 and Using route maps with BGP on page 295.
    Default: Null.
dampening-suppress <limit_integer>
    This keyword is available when dampening is set to enable.
    Set a dampening-suppression limit. The range is from 1 to 20000. A route is suppressed (not advertised) when its penalty exceeds the specified limit.
    Default: 2000
dampening-unreachability-half-life <minutes_integer>
    This keyword is available when dampening is set to enable.
    Set the time (in minutes) after which the penalty on a route that is considered unreachable is decreased by half. The range is from 1 to 45.
    Default: 15
default-local-preference <preference_integer>
    Set the default local preference value. A higher value signifies a preferred route. The range is from 0 to 4294967295.
    Default: 100
deterministic-med {enable | disable}
    Enable or disable deterministic comparison of the MED attributes of routes advertised by peers in the same AS.
    Default: disable
distance-external <distance_integer>
    Set the administrative distance of EBGP routes. The range is from 1 to 255. If you set this value, you must also set values for distance-internal and distance-local.
    Default: 20
distance-internal <distance_integer>
    This keyword is available when distance-external is set.
    Set the administrative distance of IBGP routes. The range is from 1 to 255.
    Default: 200
distance-local <distance_integer>
    This keyword is available when distance-external is set.
    Set the administrative distance of local BGP routes. The range is from 1 to 255.
    Default: 200
enforce-first-as {enable | disable}
    Enable or disable the addition of routes learned from an EBGP peer when the AS number at the beginning of the route's AS_PATH attribute does not match the AS number of the EBGP peer.
    Default: disable
fast-external-failover {enable | disable}
    Immediately reset the session information associated with BGP external peers if the link used to reach them goes down.
    Default: enable
graceful_restart {enable | disable}
    Graceful restart capability limits the effects of software problems by allowing forwarding to continue when the control plane of the router fails. It also reduces routing flaps by stabilizing the network.
    Default: disable
holdtime-timer <seconds_integer>
    The maximum amount of time (in seconds) that may expire before the FortiGate unit declares any BGP peer down. A keepalive message must be received every seconds_integer seconds, or the peer is declared down. The value can be 0 or an integer in the 3 to 65535 range.
    Default: 180
ignore_optional_capability {enable | disable}
    Do not send an unknown optional capability notification message.
    Default: disable
keepalive-timer <seconds_integer>
    The frequency (in seconds) that a keepalive message is sent from the FortiGate unit to any BGP peer. The range is from 0 to 65535. BGP peers exchange keepalive messages to maintain the connection for the duration of the session.
    Default: 60
log-neighbor-changes {enable | disable}
    Enable or disable the logging of changes to BGP neighbor status.
    Default: disable
network-import-check {enable | disable}
    Enable or disable the advertising of the BGP network in IGP (see config network on page 245).
    Default: enable
router-id <address_ipv4>
    Specify a fixed identifier for the FortiGate unit. A value of 0.0.0.0 is not allowed.
    If router-id is not explicitly set, the highest IP address of the VDOM will be used as the default router-id.
    Default: 0.0.0.0
scan-time <seconds_integer>
    Configure the background scanner interval (in seconds) for next-hop route scanning. The range is from 5 to 60.
    Default: 60
synchronization {enable | disable}
    Only advertise routes from iBGP if routes are present in an interior gateway protocol (IGP) such as RIP or OSPF.
    Default: disable
Example
The following example defines the number of the AS of which the FortiGate unit is a member. It also defines an EBGP neighbor at IP address 10.0.1.2.
  config router bgp
    set as 65001
    set router-id 172.16.120.20
    config neighbor
      edit 10.0.1.2
        set remote-as 65100
    end
  end
config admin-distance
Use this subcommand to set administrative distance modifications for BGP routes.
Example
This example shows how to manually adjust the distance associated with a route. It sets a distance of 25 for neighbor routes with an IP address of 192.168.0.0 and a netmask of 255.255.0.0 that are also permitted by the access-list downtown_office.
  config router bgp
    config admin-distance
      edit 1
        set distance 25
        set neighbor-prefix 192.168.0.0 255.255.0.0
        set route-list downtown_office
      next
    end
  end
Variables
edit <route_entry_id>
    Enter an ID number for the entry. The number must be an integer.
    Default: No default.
distance <integer>
    The administrative distance to apply to the route. This value can be from 1 to 255.
    Default: No default.
neighbor-prefix <ip_and_netmask>
    Neighbor address prefix. This variable must be a valid IP address and netmask.
    Default: No default.
route-list <string>
    The list of routes this distance will be applied to. The routes in this list can only come from the access-list, which can be viewed at config router access-list.
    Default: No default.
config aggregate-address
Use this subcommand to set or unset BGP aggregate-address table parameters. The subcommand creates a BGP aggregate entry in the FortiGate unit routing table.
When you aggregate routes, routing becomes less precise because path details are not readily available for routing purposes. The aggregate address represents addresses in several autonomous systems. Aggregation reduces the length of the network mask until it masks only the bits that are common to all of the addresses being summarized.
Example
This example shows how to define an aggregate prefix of 192.168.0.0/16. The as-set command enables the generation of an unordered list of AS numbers to include in the path information.
  config router bgp
    config aggregate-address
      edit 1
        set prefix 192.168.0.0/16
        set as-set enable
    end
  end
Note: The prefix keyword is required. All other keywords are optional.
Variables
edit <aggr_addr_id>
    Enter an ID number for the entry. The number must be an integer.
    Default: No default.
as-set {enable | disable}
    Enable or disable the generation of an unordered list of AS numbers to include in the path information. When as-set is enabled, a set-atomic-aggregate value (see Using route maps with BGP on page 295) does not have to be specified.
    Default: disable
prefix <address_ipv4mask>
    Set an aggregate prefix. Include the IP address and netmask.
    Default: 0.0.0.0 0.0.0.0
summary-only {enable | disable}
    Enable or disable the advertising of aggregate routes only (the advertising of specific routes is suppressed).
    Default: disable
config neighbor
Use this subcommand to set or unset BGP neighbor configuration settings. The subcommand adds a BGP neighbor configuration to the FortiGate unit.
You can add up to 1000 BGP neighbors, and optionally use MD5 authentication to password protect BGP sessions with those neighbors (see RFC 2385).
You can clear all or some BGP neighbor connections (sessions) using the exec router clear bgp command (see router clear bgp on page 653).
Note: The remote-as keyword is required. All other keywords are optional.
Variables
edit <neighbor_address_ipv4>
    Enter the IP address of the BGP neighbor. You can have up to 1000 configured neighbors.
    Default: No default.
activate {enable | disable}
    Enable or disable the address family for the BGP neighbor.
    Default: enable
advertisement-interval <seconds_integer>
    Set the minimum amount of time (in seconds) that the FortiGate unit waits before sending a BGP routing update to the BGP neighbor. The range is from 0 to 600.
    Default: 30
allowas-in <max_num_AS_integer>
    This keyword is available when allowas-in-enable is set to enable.
    Set the maximum number of times your own AS number is allowed to appear in the AS path of routes received from the neighbor.
    Default: unset
allowas-in-enable {enable | disable}
    Enable or disable the readvertising of all prefixes containing duplicate AS numbers. Set the number of permitted occurrences with the allowas-in keyword.
    Default: disable
attribute-unchanged [as-path] [med] [next-hop]
    Propagate unchanged BGP attributes to the BGP neighbor.
    To advertise unchanged AS_PATH attributes, select as-path.
    To advertise unchanged MULTI_EXIT_DISC attributes, select med.
    To advertise the IP address of the next-hop router interface (even when the address has not changed), select next-hop.
    An empty set is a supported value.
    Default: Empty set.
bfd {enable | disable}
    Enable to turn on Bidirectional Forwarding Detection (BFD) for this neighbor. This indicates that this neighbor is using BFD.
    Default: disable
capability-default-originate {enable | disable}
    Enable or disable the advertising of the default route to BGP neighbors.
    Default: disable
capability-dynamic {enable | disable}
    Enable or disable the advertising of dynamic capability to BGP neighbors.
    Default: disable
capability-graceful-restart {enable | disable}
    Enable or disable the advertising of graceful-restart capability to BGP neighbors.
    Default: disable
capability-orf {both | none | receive | send}
    Enable or disable the advertising of Outbound Route Filter (ORF) prefix-list capability to the BGP neighbor, that is, whether ORF lists are accepted from and/or sent to this neighbor.
    To enable send and receive capability, select both.
    To enable receive capability only (accept ORF lists), select receive.
    To enable send capability only (send ORF lists), select send.
    To disable the advertising of ORF prefix-list capability, select none.
    Default: none
capability-route-refresh {enable | disable}
    Enable or disable the advertising of route-refresh capability to the BGP neighbor.
    Default: enable
connect-timer <seconds_integer>
    Set the maximum amount of time (in seconds) that the FortiGate unit waits to make a connection with a BGP neighbor before the neighbor is declared unreachable. The range is from 0 to 65 535.
    Default: -1 (not set)
description <text_str>
    Enter a one-word (no spaces) description to associate with the BGP neighbor configuration settings.
    Default: Null.
distribute-list-in <access-list-name_str>
    Limit route updates from the BGP neighbor based on the Network Layer Reachability Information (NLRI) defined in the specified access list. You must create the access list before it can be selected here. See access-list on page 228.
    Default: Null.
distribute-list-out <access-list-name_str>
    Limit route updates to the BGP neighbor based on the NLRI defined in the specified access list. You must create the access list before it can be selected here. See access-list on page 228.
    Default: Null.
dont-capability-negotiate {enable | disable}
    Enable or disable capability negotiations with the BGP neighbor.
    Default: disable
ebgp-enforce-multihop {enable | disable}
    Enable or disable the enforcement of Exterior BGP (EBGP) multihops.
    Default: disable
ebgp-multihop-ttl <seconds_integer>
    This keyword is available when ebgp-enforce-multihop is set to enable.
    Define a TTL value (in hop counts) for BGP packets sent to the BGP neighbor. The range is from 1 to 255.
    Default: 255
filter-list-in <aspath-list-name_str>
    Limit inbound BGP routes according to the specified AS-path list. You must create the AS-path list before it can be selected here. See aspath-list on page 231.
    Default: Null.
filter-list-out <aspath-list-name_str>
    Limit outbound BGP routes according to the specified AS-path list. You must create the AS-path list before it can be selected here. See aspath-list on page 231.
    Default: Null.
holdtime-timer <seconds_integer>
    The amount of time (in seconds) that must expire before the FortiGate unit declares the BGP neighbor down. This value overrides the global holdtime-timer value (see holdtime-timer <seconds_integer> on page 239). A keepalive message must be received every seconds_integer from the BGP neighbor or it is declared down. The value can be 0 or an integer in the 3 to 65 535 range.
    This keyword is available when graceful-restart is set to enabled.
    Default: -1 (not set)
interface <interface-name_str>
    Specify a descriptive name for the BGP neighbor interface.
    Default: Null.
keep-alive-timer <seconds_integer>
    The frequency (in seconds) at which a keepalive message is sent from the FortiGate unit to the BGP neighbor. This value overrides the global keepalive-timer value (see keepalive-timer <seconds_integer> on page 239). The range is from 0 to 65 535.
    Default: -1 (not set)
maximum-prefix <prefix_integer>
    Set the maximum number of NLRI prefixes to accept from the BGP neighbor. When the maximum is reached, the FortiGate unit disconnects the BGP neighbor. The range is from 1 to 4 294 967 295.
    Changing this value on the FortiGate unit does not disconnect the BGP neighbor. However, if the neighbor goes down because it reaches the maximum number of prefixes and you increase the maximum-prefix value afterward, the neighbor will be reset.
    Default: unset
maximum-prefix-threshold <percentage_integer>
    This keyword is available when maximum-prefix is set.
    Specify the threshold (as a percentage) that must be exceeded before a warning message about the maximum number of NLRI prefixes is displayed. The range is from 1 to 100.
    Default: 75
maximum-prefix-warning-only {enable | disable}
    This keyword is available when maximum-prefix is set.
    Enable or disable the display of a warning when the maximum-prefix-threshold has been reached.
    Default: disable
next-hop-self {enable | disable}
    Enable or disable advertising of the FortiGate unit's IP address (instead of the neighbor's IP address) in the NEXT_HOP information that is sent to IBGP peers.
    Default: disable
override-capability {enable | disable}
    Enable or disable IPv6 addressing for a BGP neighbor that does not support capability negotiation.
    Default: disable
passive {enable | disable}
    Enable or disable the sending of Open messages to BGP neighbors.
    Default: disable
password <string>
    Enter the password used in MD5 authentication to protect BGP sessions (RFC 2385).
    Default: Null.
prefix-list-in <prefix-list-name_str>
    Limit route updates from a BGP neighbor based on the Network Layer Reachability Information (NLRI) in the specified prefix list. The prefix list defines the NLRI prefix and length advertised in a route. You must create the prefix list before it can be selected here. See prefix-list on page 282.
    Default: Null.
prefix-list-out <prefix-list-name_str>
    Limit route updates to a BGP neighbor based on the NLRI in the specified prefix list. The prefix list defines the NLRI prefix and length advertised in a route. You must create the prefix list before it can be selected here. See prefix-list on page 282.
    Default: Null.
remote-as <id_integer>
    Adds a BGP neighbor to the FortiGate unit configuration and sets the AS number of the neighbor. The range is from 1 to 65 535. If the number is identical to the FortiGate unit AS number, the FortiGate unit communicates with the neighbor using internal BGP (IBGP). Otherwise, the neighbor is an external peer and the FortiGate unit uses EBGP to communicate with the neighbor.
    Default: unset
remove-private-as {enable | disable}
    Remove the private AS numbers from outbound updates to the BGP neighbor.
    Default: disable
restart_time <seconds_integer>
    Sets the time until a restart happens. The time until the restart can be from 0 to 3600 seconds.
    Default: 0
retain-stale-time <seconds_integer>
    This keyword is available when capability-graceful-restart is set to enable.
    Specify the time (in seconds) that stale routes to the BGP neighbor will be retained. The range is from 1 to 65 535. A value of 0 disables this feature.
    Default: 0
route-map-in <routemap-name_str>
    Limit route updates or change the attributes of route updates from the BGP neighbor according to the specified route map. You must create the route-map before it can be selected here. See route-map on page 294 and Using route maps with BGP on page 295.
    Default: Null.
route-map-out <routemap-name_str>
    Limit route updates or change the attributes of route updates to the BGP neighbor according to the specified route map. You must create the route-map before it can be selected here. See route-map on page 294 and Using route maps with BGP on page 295.
    Default: Null.
route-reflector-client {enable | disable}
    This keyword is available when remote-as is identical to the FortiGate unit AS number (see as <local_as_id> on page 238).
    Enable or disable the operation of the FortiGate unit as a route reflector and identify the BGP neighbor as a route-reflector client.
    Inbound routes for route reflectors can change the next-hop, local-preference, med, and as-path attributes of IBGP routes for local route selection, while outbound IBGP routes are not affected by these attributes.
    Default: disable
route-server-client {enable | disable}
    Enable or disable the recognition of the BGP neighbor as a route-server client.
    Default: disable
Example
This example shows how to set the AS number of a BGP neighbor at IP address 10.10.10.167 and enter a descriptive name for the configuration.
config router bgp
    config neighbor
        edit 10.10.10.167
            set remote-as 2879
            set description BGP_neighbor_Site1
        end
    end
send-community {both | disable | extended | standard}
    Enable or disable the sending of the COMMUNITY attribute to the BGP neighbor.
    To advertise extended and standard capabilities, select both.
    To advertise extended capabilities, select extended.
    To advertise standard capabilities, select standard.
    To disable the advertising of the COMMUNITY attribute, select disable.
    Default: both
shutdown {enable | disable}
    Administratively enable or disable the BGP neighbor.
    Default: disable
soft-reconfiguration {enable | disable}
    Enable or disable the FortiGate unit to store unmodified updates from the BGP neighbor to support inbound soft-reconfiguration.
    Default: disable
strict-capability-match {enable | disable}
    Enable or disable strict-capability negotiation matching with the BGP neighbor.
    Default: disable
unsuppress-map <route-map-name_str>
    Specify the name of the route-map to selectively unsuppress suppressed routes. You must create the route-map before it can be selected here. See route-map on page 294 and Using route maps with BGP on page 295.
    Default: Null.
update-source <interface-name_str>
    Specify the name of the local FortiGate unit interface to use for TCP connections to neighbors. The IP address of the interface will be used as the source address for outgoing updates.
    Default: Null.
weight <weight_integer>
    Apply a weight value to all routes learned from a neighbor. A higher number signifies a greater preference. The range is from 0 to 65 535.
    Default: unset
config network
Use this subcommand to set or unset BGP network configuration parameters. The subcommand is used to advertise a BGP network (that is, an IP prefix); you specify the IP addresses making up the local BGP network.
When you enable the network-import-check attribute on the FortiGate unit (see network-import-check {enable | disable} on page 240) and you specify a BGP network prefix through the config network command, the FortiGate unit searches its routing table for a matching entry. If an exact match is found, the prefix is advertised. A route-map can optionally be used to modify the attributes of routes before they are advertised.
Note: The prefix keyword is required. All other keywords are optional.
Variables
edit <network_id>
    Enter an ID number for the entry. The number must be an integer.
    Default: No default.
backdoor {enable | disable}
    Enable or disable the route as a backdoor, which causes an administrative distance of 200 to be assigned to the route. Backdoor routes are not advertised to EBGP peers.
    Default: disable
prefix <address_ipv4mask>
    Enter the IP address and netmask that identifies the BGP network to advertise.
    Default: 0.0.0.0 0.0.0.0
route-map <routemap-name_str>
    Specify the name of the route-map that will be used to modify the attributes of the route before it is advertised. You must create the route-map before it can be selected here. See route-map on page 294 and Using route maps with BGP on page 295.
    Default: Null.
Example
This example defines a BGP network at IP address 10.0.0.0/8. A route map named BGP_rmap1 is used to modify the attributes of the local BGP routes before they are advertised.
config router bgp
    config network
        edit 1
            set prefix 10.0.0.0/8
            set route-map BGP_rmap1
        end
    end
config router route-map
    edit BGP_rmap1
        config rule
            edit 1
                set set-community no-export
            end
    end
config redistribute
Use this subcommand to set or unset BGP redistribution table parameters. You can enable BGP to provide connectivity between connected, static, RIP, and/or OSPF routes. BGP redistributes the routes from one protocol to another. When a large internetwork is divided into multiple routing domains, use the subcommand to redistribute routes to the various domains. As an alternative, you can use the config network subcommand to advertise a prefix to the BGP network (see config network on page 245).
The BGP redistribution table contains four static entries. You cannot add entries to the table. The entries are defined as follows:
connected: Redistribute routes learned from a direct connection to the destination network.
static: Redistribute the static routes defined in the FortiGate unit routing table.
rip: Redistribute routes learned from RIP.
ospf: Redistribute routes learned from OSPF.
When you enter the subcommand, end the command with one of the four static entry names (that is, config redistribute {connected | static | rip | ospf}).
Note: The status and route-map keywords are optional.
Variables
status {enable | disable}
    Enable or disable the redistribution of connected, static, RIP, or OSPF routes.
    Default: disable
route-map <route-map-name_str>
    Specify the name of the route map that identifies the routes to redistribute. You must create the route map before it can be selected here. See route-map on page 294 and Using route maps with BGP on page 295. If a route map is not specified, all routes are redistributed to BGP.
    Default: Null.
Example
The following example changes the status and route-map fields of the connected entry.
config router bgp
    config redistribute connected
        set status enable
        set route-map rmap1
    end
end
History
FortiOS v3.0 New.
FortiOS v3.0 MR6 Changed ebgp-multihop to ebgp-enforce-multihop. Changed the config neighbor capability-orf keyword from disable to none.
FortiOS v3.0 MR7 Added password to config neighbor. Changed keep-alive-timer to keepalive-timer. Default time for holdtime-timer changed from 240 to 180.
Related topics
router aspath-list
router community-list
Using route maps with BGP
router key-chain
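As an added example (not Fortinet code), the following Python audits the config neighbor entries of a FortiGate-style CLI dump for the protections the neighbor table above documents: a password for TCP MD5 (RFC 2385), a maximum-prefix limit, at least one inbound filter, and remove-private-as on EBGP peers. The sample configuration is constructed; its first neighbor repeats the reference example and the second is an assumed hardened peer.

```python
"""Audit 'config neighbor' entries in a FortiGate-style BGP config dump.

Added example, not Fortinet code. The parser follows the nesting used in
the reference (config router bgp / config neighbor / edit <ip> / set ...),
and each check corresponds to a keyword documented in the neighbor table.
"""

# Constructed sample: the first neighbor repeats the reference example,
# the second is an assumed hardened peer for contrast.
SAMPLE_CONFIG = """\
config router bgp
    set as 65000
    config neighbor
        edit 10.10.10.167
            set remote-as 2879
            set description BGP_neighbor_Site1
        next
        edit 10.10.20.5
            set remote-as 2879
            set password ExamplePassword1
            set maximum-prefix 5000
            set maximum-prefix-threshold 75
            set prefix-list-in peer_in
            set route-map-out peer_out
            set remove-private-as enable
        next
    end
end
"""

# Any one of these keywords constrains the NLRI accepted from the peer.
INBOUND_FILTERS = ("prefix-list-in", "distribute-list-in",
                   "filter-list-in", "route-map-in")


def parse_bgp(text):
    """Return {"as": local AS or None, "neighbors": {ip: {keyword: value}}}.

    Only the top-level 'set as' and the config neighbor block are tracked.
    'edit' opens a neighbor, 'next' closes it, and 'end' closes both the
    current entry and the neighbor block (FortiGate CLI semantics).
    """
    cfg = {"as": None, "neighbors": {}}
    in_neighbors = False
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split(None, 2)          # ['set', key, 'rest of line']
        if not parts:
            continue
        if line == "config neighbor":
            in_neighbors = True
        elif not in_neighbors:
            if parts[0] == "set" and len(parts) == 3 and parts[1] == "as":
                cfg["as"] = parts[2]
        elif parts[0] == "edit" and len(parts) > 1:
            current = parts[1]
            cfg["neighbors"][current] = {}
        elif parts[0] == "set" and current is not None and len(parts) > 1:
            cfg["neighbors"][current][parts[1]] = parts[2] if len(parts) == 3 else ""
        elif line == "next":
            current = None
        elif line == "end":
            current = None
            in_neighbors = False
    return cfg


def session_type(local_as, remote_as):
    """IBGP when the neighbor's AS equals ours, EBGP otherwise (as the
    remote-as description states)."""
    return "IBGP" if str(local_as) == str(remote_as) else "EBGP"


def audit_neighbor(attrs, local_as):
    """Return a list of findings for one neighbor; an empty list means clean."""
    findings = []
    remote_as = attrs.get("remote-as")
    if remote_as is None:
        findings.append("remote-as missing (required keyword)")
    if "password" not in attrs:
        findings.append("no password: session not protected by TCP MD5 (RFC 2385)")
    if "maximum-prefix" not in attrs:
        findings.append("no maximum-prefix: unbounded number of prefixes accepted")
    if not any(k in attrs for k in INBOUND_FILTERS):
        findings.append("no inbound filter: every NLRI the peer sends is accepted")
    if (remote_as is not None and local_as is not None
            and session_type(local_as, remote_as) == "EBGP"
            and attrs.get("remove-private-as") != "enable"):
        findings.append("EBGP peer without remove-private-as: private AS numbers leak outbound")
    return findings


def audit_config(text):
    """Map every neighbor address to its findings."""
    cfg = parse_bgp(text)
    return {ip: audit_neighbor(attrs, cfg["as"])
            for ip, attrs in cfg["neighbors"].items()}


if __name__ == "__main__":
    for ip, findings in audit_config(SAMPLE_CONFIG).items():
        print(ip, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```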
community-list
Use this command to identify BGP routes according to their COMMUNITY attributes (see RFC 1997).
Each entry in the community list defines a rule for matching and selecting routes based on the setting of
the COMMUNITY attribute. The default rule in a community list (which the FortiGate unit applies last)
denies the matching of all routes.
You add a route to a community by setting its COMMUNITY attribute. A route can belong to more than one
community. A route may be added to a community because it has something in common with the other
routes in the group (for example, the attribute could identify all routes to satellite offices).
When the COMMUNITY attribute is set, the FortiGate unit can select routes based on their COMMUNITY
attribute values.
Syntax
config router community-list
    edit <community_name>
        set type {standard | expanded}
        config rule
            edit <community_rule_id>
                set action {deny | permit}
                set match <criteria>
                set regexp <regular_expression>
            end
    end
Note: The action keyword is required. All other keywords are optional.
Variables
edit <community_name>
    Enter a name for the community list.
    Default: No default.
type {standard | expanded}
    Specify the type of community to match. If you select expanded, you must also specify a config rule regexp value. See regexp <regular_expression> on page 249.
    Default: standard
config rule variables
edit <community_rule_id>
    Enter an entry number for the rule. The number must be an integer.
    Default: No default.
action {deny | permit}
    Deny or permit operations on a route based on the value of the route's COMMUNITY attribute.
    Default: No default.
match <criteria>
    This keyword is available when set type is set to standard.
    Specify the criteria for matching a reserved community.
    Use decimal notation to match one or more COMMUNITY attributes having the syntax AA:NN, where AA represents an AS, and NN is the community identifier. Delimit complex expressions with double-quotation marks (for example, "123:234 345:456").
    To match all routes in the Internet community, type internet.
    To match all routes in the LOCAL_AS community, type local-AS. Matched routes are not advertised locally.
    To select all routes in the NO_ADVERTISE community, type no-advertise. Matched routes are not advertised.
    To select all routes in the NO_EXPORT community, type no-export. Matched routes are not advertised to EBGP peers. If a confederation is configured, the routes are advertised within the confederation.
    Default: Null.
regexp <regular_expression>
    This keyword is available when set type is set to expanded.
    Specify an ordered list of COMMUNITY attributes as a regular expression. The value or values are used to match a community. Delimit a complex regular_expression value using double-quotation marks.
    Default: Null.
Example
This example creates a community list named Satellite_offices. The list permits operations on BGP routes whose COMMUNITY attribute is set to no-advertise.
config router community-list
    edit Satellite_offices
        set type standard
        config rule
            edit 1
                set action permit
                set match no-advertise
            end
    end
The next example creates a community list named ext_community. The list permits operations on BGP routes whose COMMUNITY attribute has the number 3 in the second part of the first instance and the number 86 in the second part of the second instance. For example, the community list could match routes having the following COMMUNITY attribute values: 100:3 500:86 300:800, 1:3 4:86, or 69:3 69:86 69:69 70:800 600:333.
config router community-list
    edit ext_community
        set type expanded
        config rule
            edit 1
                set action permit
                set regexp ".*:3 .*:86"
            end
    end
History
FortiOS v3.0 New.
Related topics
router aspath-list
router bgp
Using route maps with BGP
router key-chain
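As an added example (not Fortinet code), the following Python evaluates community lists of both types against a route's COMMUNITY attribute string, using the two lists from the examples above as constructed input. The well-known community values are the RFC 1997 assignments; treating an expanded regexp as an unanchored search is an assumption made here.

```python
"""Evaluate FortiGate-style community lists against a route's COMMUNITY
attribute. Added example, not Fortinet code: a standard rule matches
when every AA:NN (or well-known name) it lists is present on the route,
an expanded rule applies its regular expression to the whole ordered
attribute string, and the implicit final rule denies (as the command
description states).
"""
import re
import shlex

# RFC 1997 well-known communities in the AA:NN notation standard rules use.
WELL_KNOWN = {
    "no-export": "65535:65281",
    "no-advertise": "65535:65282",
    "local-AS": "65535:65283",
}

# Constructed sample: the two community lists from the reference examples.
SAMPLE_CLI = """\
config router community-list
    edit Satellite_offices
        set type standard
        config rule
            edit 1
                set action permit
                set match no-advertise
            end
        end
config router community-list
    edit ext_community
        set type expanded
        config rule
            edit 1
                set action permit
                set regexp ".*:3 .*:86"
            end
        end
"""


def parse_community_lists(text):
    """Return {name: {"type": str, "rules": [{"action", "match", "regexp"}]}}.

    shlex strips the double quotes the reference requires around complex
    match and regexp values.
    """
    lists, stack, name, rule = {}, [], None, None
    for raw in text.splitlines():
        parts = shlex.split(raw)
        if not parts:
            continue
        if parts[:2] == ["config", "router"]:
            stack.append("list")
        elif parts[:2] == ["config", "rule"]:
            stack.append("rule")
        elif parts[0] == "edit" and stack[-1] == "list":
            name = parts[1]
            lists[name] = {"type": "standard", "rules": []}   # documented default type
        elif parts[0] == "edit":
            rule = {"action": None, "match": None, "regexp": None}
            lists[name]["rules"].append(rule)
        elif parts[0] == "set":
            target = rule if stack[-1] == "rule" else lists[name]
            target[parts[1]] = " ".join(parts[2:])
        elif parts[0] in ("next", "end"):
            if stack[-1] == "rule":
                rule = None
            else:
                name = None
            if parts[0] == "end":          # 'end' also closes the enclosing block
                stack.pop()
    return lists


def standard_matches(criteria, communities):
    """All communities named in the criteria must be present on the route."""
    wanted = set()
    for token in criteria.split():
        if token == "internet":            # every route belongs to the Internet community
            return True
        wanted.add(WELL_KNOWN.get(token, token))
    return wanted <= communities


def evaluate(clist, community_attr):
    """First matching rule decides; no match falls through to 'deny'."""
    communities = set(community_attr.split())
    for rule in clist["rules"]:
        if clist["type"] == "standard":
            hit = rule["match"] is not None and standard_matches(rule["match"], communities)
        else:   # expanded: unanchored search over the ordered attribute string (assumption)
            hit = rule["regexp"] is not None and re.search(rule["regexp"], community_attr) is not None
        if hit:
            return rule["action"]
    return "deny"
```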
key-chain
Use this command to manage RIP version 2 authentication keys. You can add, edit or delete keys
identified by the specified key number.
RIP version 2 uses authentication keys to ensure that the routing information exchanged between routers is reliable. For authentication to work, both the sending and receiving routers must be set to use authentication and must be configured with the same keys.
A key chain is a list of one or more keys and the send and receive lifetimes for each key. Keys are used for
authenticating routing packets only during the specified lifetimes. The FortiGate unit migrates from one key
to the next according to the scheduled send and receive lifetimes. The sending and receiving routers
should have their system dates and times synchronized, but overlapping the key lifetimes ensures that a
key is always available even if there is some difference in the system times. See config system global on
page 243 to ensure that the FortiGate unit system date and time are correct.
Syntax
config router key-chain
    edit <key_chain_name>
        config key
            edit <key_id>
                set accept-lifetime <start> <end>
                set key-string <password>
                set send-lifetime <start> <end>
            end
    end
Note: The accept-lifetime, key-string, and send-lifetime keywords are required.
Variables
edit <key_chain_name>
    Enter a name for the key chain list.
    Default: No default.
config key variables
edit <key_id>
    Enter an ID number for the key entry. The number must be an integer.
    Default: No default.
accept-lifetime <start> <end>
    Set the time period during which the key can be received. The start time has the syntax hh:mm:ss day month year. The end time provides a choice of three settings:
    hh:mm:ss day month year
    a duration from 1 to 2147483646 seconds
    infinite (for a key that never expires)
    The valid settings for hh:mm:ss day month year are:
    hh - 0 to 23
    mm - 0 to 59
    ss - 0 to 59
    day - 1 to 31
    month - 1 to 12
    year - 1993 to 2035
    Default: No default.
key-string <password>
    The <password_str> can be up to 35 characters long.
    Default: No default.
send-lifetime <start> <end>
    Set the time period during which the key can be sent. The start time has the syntax hh:mm:ss day month year. The end time provides a choice of three settings:
    hh:mm:ss day month year
    a duration from 1 to 2147483646 seconds
    infinite (for a key that never expires)
    The valid settings for hh:mm:ss day month year are:
    hh - 0 to 23
    mm - 0 to 59
    ss - 0 to 59
    day - 1 to 31
    month - 1 to 12
    year - 1993 to 2035
    Default: No default.
Example
This example shows how to add a key chain named test1 with three keys. The first two keys each have send and receive lifetimes of 13 hours, and the third key has send and receive lifetimes that never expire.
config router key-chain
    edit test1
        config key
            edit 1
                set accept-lifetime 10:00:00 1 6 2004 46800
                set send-lifetime 10:00:00 1 6 2004 46800
                set key-string 1a2b2c4d5e6f7g8h
            next
            edit 2
                set accept-lifetime 22:00:00 1 6 2004 46800
                set send-lifetime 22:00:00 1 6 2004 46800
                set key-string 9i1j2k3l4m5n6o7p
            next
            edit 3
                set accept-lifetime 10:00:00 2 6 2004 infinite
                set send-lifetime 10:00:00 2 6 2004 infinite
                set key-string 123abc456def789g
            end
    end
History
FortiOS v2.80 New.
Related topics
router rip
system global
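As an added example (not Fortinet code), the following Python interprets the three forms of lifetime end value described above (timestamp, duration in seconds, infinite), reports which keys are usable at a given moment, and finds rollover gaps in a chain. The chain is a constructed copy of the test1 example; the gap check is the test a practitioner runs before scheduling a key change, since a gap means routing updates are rejected until the next key starts.

```python
"""Interpret FortiGate-style RIPv2 key-chain lifetimes and check a chain
for rollover gaps. Added example, not Fortinet code. The chain below
reproduces the reference example test1; the gap-finding logic is the
check a practitioner runs before scheduling a key change.
"""
from datetime import datetime, timedelta

INFINITE = datetime.max          # sentinel for an 'infinite' end time
MAX_DURATION = 2147483646        # largest duration the reference allows


def parse_start(tokens):
    """'hh:mm:ss day month year' (four tokens) -> datetime."""
    hms, day, month, year = tokens
    hours, minutes, seconds = (int(x) for x in hms.split(":"))
    return datetime(int(year), int(month), int(day), hours, minutes, seconds)


def parse_lifetime(value):
    """Parse '<start> <end>' where <end> is a second timestamp, a duration in
    seconds (1..2147483646), or the word 'infinite'. Returns (start, end)."""
    tokens = value.split()
    start = parse_start(tokens[:4])
    rest = tokens[4:]
    if rest == ["infinite"]:
        end = INFINITE
    elif len(rest) == 1:
        seconds = int(rest[0])
        if not 1 <= seconds <= MAX_DURATION:
            raise ValueError("duration out of range: %d" % seconds)
        end = start + timedelta(seconds=seconds)
    elif len(rest) == 4:
        end = parse_start(rest)
    else:
        raise ValueError("malformed lifetime: %r" % value)
    if end <= start:
        raise ValueError("lifetime ends before it starts: %r" % value)
    return start, end


# Constructed: the three keys of the reference example test1.
TEST1 = [
    {"id": 1, "accept-lifetime": "10:00:00 1 6 2004 46800",
     "send-lifetime": "10:00:00 1 6 2004 46800", "key-string": "1a2b2c4d5e6f7g8h"},
    {"id": 2, "accept-lifetime": "22:00:00 1 6 2004 46800",
     "send-lifetime": "22:00:00 1 6 2004 46800", "key-string": "9i1j2k3l4m5n6o7p"},
    {"id": 3, "accept-lifetime": "10:00:00 2 6 2004 infinite",
     "send-lifetime": "10:00:00 2 6 2004 infinite", "key-string": "123abc456def789g"},
]


def keys_valid_at(chain, when, which="accept-lifetime"):
    """IDs of the keys whose lifetime (accept or send) covers 'when'."""
    ids = []
    for key in chain:
        start, end = parse_lifetime(key[which])
        if start <= when < end:
            ids.append(key["id"])
    return ids


def coverage_gaps(chain, which="send-lifetime"):
    """Return [(gap_start, gap_end), ...]: periods after the first key starts
    during which no key is usable. An empty list means seamless rollover."""
    intervals = sorted(parse_lifetime(key[which]) for key in chain)
    gaps = []
    covered_until = intervals[0][1]
    for start, end in intervals[1:]:
        if start > covered_until:
            gaps.append((covered_until, start))
        covered_until = max(covered_until, end)
    return gaps


def never_expires(chain, which="send-lifetime"):
    """True when at least one key's lifetime is infinite, so the chain does
    not run out of keys at some future date."""
    return any(parse_lifetime(key[which])[1] == INFINITE for key in chain)
```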
multicast
A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router in the root virtual
domain. FortiGate units support PIM sparse mode (RFC 4601) and PIM dense mode (RFC 3973) and can
service multicast servers or receivers on the network segment to which a FortiGate unit interface is
connected. Multicast routing is only available in the root virtual domain. It is not supported in Transparent
mode (TP mode).
A PIM domain is a logical area comprising a number of contiguous networks. The domain contains at least
one Boot Strap Router (BSR), and if sparse mode is enabled, a number of Rendezvous Points (RPs) and
Designated Routers (DRs). When PIM is enabled on a FortiGate unit, the FortiGate unit can perform any of
these functions at any time as configured.
Sparse mode
Initially, all candidate BSRs in a PIM domain exchange bootstrap messages to select one BSR to which
each RP sends the multicast address or addresses of the multicast group(s) that it can service. The
selected BSR chooses one RP per multicast group and makes this information available to all of the PIM
routers in the domain through bootstrap messages. PIM routers use the information to build packet
distribution trees, which map each multicast group to a specific RP. Packet distribution trees may also
contain information about the sources and receivers associated with particular multicast groups.
An RP represents the root of a non-source-specific distribution tree to a multicast group. By joining and
pruning the information contained in distribution trees, a single stream of multicast packets (for example, a
video feed) originating from the source can be forwarded to a certain RP to reach a multicast destination.
Each PIM router maintains a Multicast Routing Information Base (MRIB) that determines to which
neighboring PIM router join and prune messages are sent. An MRIB contains reverse-path information that
reveals the path of a multicast packet from its source to the PIM router that maintains the MRIB.
To send multicast traffic, a server application sends IP traffic to a multicast group address. The locally elected DR registers the sender with the RP that is associated with the target multicast group. The RP uses its MRIB to forward a single stream of IP packets from the source to the members of the multicast group. The IP packets are replicated only when necessary to distribute the data to branches of the RP's distribution tree.
To receive multicast traffic, a client application can use Internet Group Management Protocol (IGMP)
version 1 (RFC 1112), 2 (RFC 2236), or 3 (RFC 3376) control messages to request the traffic for a
particular multicast group. The locally elected DR receives the request and adds the host to the multicast
group that is associated with the connected network segment by sending a join message towards the RP
for the group. Afterward, the DR queries the hosts on the connected network segment continually to
determine whether the hosts are active. When the DR no longer receives confirmation that at least one
member of the multicast group is still active, the DR sends a prune message towards the RP for the group.
Note: To support PIM communications, the sending/receiving applications and all connecting PIM routers in
between must be enabled with PIM version 2. PIM can use static routes, RIP, OSPF, or BGP to forward multicast
packets to their destinations. To enable source-to-destination packet delivery, either sparse mode or dense mode
must be enabled on the PIM-router interfaces. Sparse mode routers cannot send multicast messages to dense
mode routers. In addition, if a FortiGate unit is located between a source and a PIM router, two PIM routers, or is
connected directly to a receiver, you must create a firewall policy manually to pass encapsulated (multicast)
packets or decapsulated data (IP traffic) between the source and destination.
Note: When a FortiGate unit interface is configured as a multicast interface, sparse mode is enabled on it by
default to ensure that distribution trees are not built unless at least one downstream receiver requests multicast
traffic from a specific source. If the sources of multicast traffic and their receivers are close to each other and the
PIM domain contains a dense population of active receivers, you may choose to enable dense mode throughout
the PIM domain instead.
Dense mode
The packet organization used in sparse mode is also used in dense mode. When a multicast source
begins to send IP traffic and dense mode is enabled, the closest PIM router registers the IP traffic from the
multicast source (S) and forwards multicast packets to the multicast group address (G). All PIM routers
initially broadcast the multicast packets throughout the PIM domain to ensure that all receivers that have
requested traffic for multicast group address G can access the information if needed.
To forward multicast packets to specific destinations afterward, the PIM routers build distribution trees
based on the information in multicast packets. Upstream PIM routers depend on prune/graft messages
from downstream PIM routers to determine if receivers are actually present on directly connected network
segments. The PIM routers exchange state refresh messages to update their distribution trees. FortiGate
units store this state information in a Tree Information Base (TIB), which is used to build a multicast
forwarding table. The information in the multicast forwarding table determines whether packets are
forwarded downstream. The forwarding table is updated whenever the TIB is modified.
PIM routers receive data streams every few minutes and update their forwarding tables using the source (S) and multicast group (G) information in the data stream. Superfluous multicast traffic is stopped by PIM routers that do not have downstream receivers: PIM routers that do not manage multicast groups send prune messages to the upstream PIM routers. When a receiver requests traffic for multicast address G, the closest PIM router sends a graft message upstream to begin receiving multicast packets.
Syntax
config router multicast
    set igmp-state-limit <limit_integer>
    set multicast-routing {enable | disable}
    set route-limit <limit_integer>
    set route-threshold <threshold_integer>
    config interface
        edit <interface_name>
            set cisco-exclude-genid {enable | disable}
            set dr-priority <priority_integer>
            set hello-holdtime <holdtime_integer>
            set hello-interval <hello_integer>
            set neighbour-filter <access_list_name>
            set passive {enable | disable}
            set pim-mode {sparse-mode | dense-mode}
            set propagation-delay <delay_integer>
            set rp-candidate {enable | disable}
            set rp-candidate-group <access_list_name>
            set rp-candidate-interval <interval_integer>
            set rp-candidate-priority <priority_integer>
            set state-refresh-interval <refresh_integer>
            set ttl-threshold <ttl_integer>
        end
        config join-group
            edit address <address_ipv4>
        end
        config igmp
            set access-group <access_list_name>
            set immediate-leave-group <access_list_name>
            set last-member-query-count <count_integer>
            set last-member-query-interval <interval_integer>
            set query-interval <interval_integer>
            set query-max-response-time <time_integer>
            set query-timeout <timeout_integer>
            set router-alert-check {enable | disable}
            set version {1 | 2 | 3}
        end
    end
    config pim-sm-global
        set accept-register-list <access_list_name>
        set bsr-allow-quick-refresh {enable | disable}
        set bsr-candidate {enable | disable}
        set bsr-priority <priority_integer>
        set bsr-interface <interface_name>
        set bsr-hash <hash_integer>
        set cisco-register-checksum {enable | disable}
        set cisco-register-checksum-group <access_list_name>
        set cisco-crp-prefix {enable | disable}
        set cisco-ignore-rp-set-priority {enable | disable}
        set message-interval <interval_integer>
        set register-rate-limit <rate_integer>
        set register-rp-reachability {enable | disable}
        set register-source {disable | interface | ip-address}
        set register-source-interface <interface_name>
        set register-source-ip <address_ipv4>
        set register-suppression <suppress_integer>
        set rp-register-keepalive <keepalive_integer>
        set spt-threshold {enable | disable}
        set spt-threshold-group <access_list_name>
        set ssm {enable | disable}
        set ssm-range <access_list_name>
        config rp-address
            edit <rp_id>
                set ip-address <address_ipv4>
                set group <access_list_name>
            end
    end
config router multicast
You can configure a FortiGate unit to support PIM using the config router multicast CLI command.
When PIM is enabled, the FortiGate unit allocates memory to manage mapping information. The FortiGate unit communicates with neighboring PIM routers to acquire mapping information and, if required, processes the multicast traffic associated with specific multicast groups.
Client applications send multicast data by registering IP traffic with a PIM-enabled router. An end-user could type in a class D multicast group address, an alias for the multicast group address, or a call-conference number to initiate the session. Rather than sending multiple copies of generated IP traffic to more than one specific IP destination address, PIM-enabled routers encapsulate the data and use the one multicast group address to forward multicast packets to multiple destinations. Because one destination address is used, a single stream of data can be sent. Client applications receive multicast data by requesting that the traffic destined for a certain multicast group address be delivered to them; end-users may use phone books, a menu of ongoing or future sessions, or some other method through a user interface to select the address of interest.
Note: The end-user multicast client-server applications must be installed and configured to initiate Internet connections and handle broadband content such as audio/video information.
A class D address in the 224.0.0.0 to 239.255.255.255 range may be used as a multicast group address, subject to the rules assigned by the Internet Assigned Numbers Authority (IANA). All class D addresses must be assigned in advance. Because there is no way to determine in advance if a certain multicast group address is in use, collisions may occur (to resolve this problem, end-users may switch to a different multicast address).
To configure a PIM domain
1 If you will be using sparse mode, determine appropriate paths for multicast packets.
2 Make a note of the interfaces that will be PIM-enabled. These interfaces may run a unicast routing protocol.
3 If you will be using sparse mode and want multicast packets to be handled by specific (static) RPs, record the IP addresses of the PIM-enabled interfaces on those RPs.
4 Enable PIM version 2 on all participating routers between the source and receivers. On FortiGate units, use the config router multicast command to set global operating parameters.
5 Configure the PIM routers that have good connections throughout the PIM domain to be candidate BSRs.
6 If sparse mode is enabled, configure one or more of the PIM routers to be candidate RPs.
7 If required, adjust the default settings of PIM-enabled interface(s).
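The procedure above carried through on one unit, as an added FortiGate CLI example that is not taken from this manual: a sparse-mode domain with a host-facing interface running IGMP version 3 (PIM passive, since no PIM neighbors live there), a second interface toward the rest of the PIM domain whose adjacencies are restricted by neighbour-filter, route-limit and route-threshold as a memory guard, and a static RP entered through config rp-address. The interface names port2 and port3, the RP address 192.0.2.10, and the access list names allowed_groups, pim_peers and rp_groups are assumed placeholders; the three access lists must already exist under config router access-list (see access-list on page 228).

```fortios
# Added example (not from the manual). Interface names, the RP address
# and the access list names are placeholders chosen for illustration.
config router multicast
    set multicast-routing enable
    # memory guard: warn once 4000 multicast routes exist, refuse beyond 5000
    # (route-threshold must stay lower than route-limit)
    set route-limit 5000
    set route-threshold 4000
    config interface
        edit port2
            # host-facing segment: no PIM neighbors here, so PIM is passive
            # and receivers are learned through IGMP only
            set pim-mode sparse-mode
            set passive enable
            config igmp
                set version 3
                # hosts may join only the groups permitted by access list allowed_groups
                set access-group allowed_groups
            end
        next
        edit port3
            # link toward the PIM domain and the static RP; form PIM adjacency
            # only with the routers listed in access list pim_peers
            set pim-mode sparse-mode
            set neighbour-filter pim_peers
            set dr-priority 10
        next
    end
    config pim-sm-global
        config rp-address
            edit 1
                # static RP (placeholder address) for the groups in access list rp_groups;
                # a BSR-learned RP for any of these groups takes precedence
                set ip-address 192.0.2.10
                set group rp_groups
            next
        end
    end
end
```

Verify the result with get router info multicast (listed under Related topics below).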
config interface
Use this subcommand to change interface-related PIM settings, including the mode of operation (sparse or
dense). Global settings do not override interface-specific settings.
Note: All keywords are optional.
Variables Description Default
igmp-state-limit <limit_integer>
    If memory consumption is an issue, specify a limit on the number of IGMP states (multicast memberships) that the FortiGate unit will store. The value represents the maximum combined number of IGMP states (multicast memberships) that can be handled by all interfaces. Traffic associated with excess IGMP membership reports is not delivered. The range is from 96 to 64 000.
    Default: 3200
multicast-routing {enable | disable}
    Enable or disable PIM routing.
    Default: disable
route-limit <limit_integer>
    If memory consumption is an issue, set a limit on the number of multicast routes that can be added to the FortiGate unit routing table. The range is from 1 to 2 147 483 674.
    Default: 2147483674
route-threshold <threshold_integer>
    Specify the number of multicast routes that can be added to the FortiGate unit's routing table before a warning message is displayed. The route-threshold value must be lower than the route-limit value. The range is from 1 to 2 147 483 674.
    Default: 2147483674
Note: All keywords are optional.
Variables Description Default
edit <interface_name>
    Enter the name of the FortiGate unit interface on which to enable PIM protocols.
    No default.
cisco-exclude-genid {enable | disable}
    This keyword applies only when pim-mode is sparse-mode.
    Enable or disable including a generation ID in hello messages sent to neighboring PIM routers. A GenID value may be included for compatibility with older Cisco IOS routers.
    Default: disable
dr-priority <priority_integer>
    This keyword applies only when pim-mode is sparse-mode.
    Assign a priority to FortiGate unit DR candidacy. The range is from 1 to 4 294 967 294. The value is compared to that of other DR interfaces connected to the same network segment, and the router having the highest DR priority is selected to be the DR. If two DR priority values are the same, the interface having the highest IP address is selected.
    Default: 1
hello-holdtime <holdtime_integer>
    Specify the amount of time (in seconds) that a PIM neighbor may consider the information in a hello message to be valid. The range is from 1 to 65 535.
    If the hello-interval attribute is modified and the hello-holdtime attribute has never been set explicitly, the hello-holdtime attribute is set to 3.5 x hello-interval automatically.
    Default: 105
hello-interval <hello_integer>
    Set the amount of time (in seconds) that the FortiGate unit waits between sending hello messages to neighboring PIM routers. The range is from 1 to 65 535. Changing the hello-interval attribute may update the hello-holdtime attribute automatically.
    Default: 30
neighbour-filter <access_list_name>
    Establish or terminate adjacency with PIM neighbors having the IP addresses given in the specified access list. See access-list on page 228.
    Default: Null.
passive {enable | disable}
    Enable or disable PIM communications on the interface without affecting IGMP communications.
    Default: disable
pim-mode {sparse-mode | dense-mode}
    Select the PIM mode of operation:
    Select sparse-mode to manage PIM packets through distribution trees and multicast groups.
    Select dense-mode to enable multicast flooding.
    Default: sparse-mode
propagation-delay <delay_integer>
    This keyword is available when pim-mode is set to dense-mode.
    Specify the amount of time (in milliseconds) that the FortiGate unit waits to send prune-override messages. The range is from 100 to 5 000.
    Default: 500
rp-candidate {enable | disable}
    This keyword is available when pim-mode is set to sparse-mode.
    Enable or disable the FortiGate unit interface to offer Rendezvous Point (RP) services.
    Default: disable
rp-candidate-group <access_list_name>
    This keyword is available when rp-candidate is set to enable and pim-mode is set to sparse-mode.
    Specify for which multicast groups RP candidacy is advertised based on the multicast group prefixes given in the specified access list. See access-list on page 228.
    Default: Null.
rp-candidate-interval <interval_integer>
    This keyword is available when rp-candidate is set to enable and pim-mode is set to sparse-mode.
    Set the amount of time (in seconds) that the FortiGate unit waits between sending RP announcement messages. The range is from 1 to 16 383.
    Default: 60
rp-candidate-priority <priority_integer>
    This keyword is available when rp-candidate is set to enable and pim-mode is set to sparse-mode.
    Assign a priority to FortiGate unit RP candidacy. The range is from 0 to 255. The BSR compares the value to that of other RP candidates that can service the same multicast group, and the router having the highest RP priority is selected to be the RP for that multicast group. If two RP priority values are the same, the RP candidate having the highest IP address on its RP interface is selected.
    Default: 192
state-refresh-interval <refresh_integer>
    This keyword is available when pim-mode is set to dense-mode.
    This attribute is used when the FortiGate unit is connected directly to the multicast source. Set the amount of time (in seconds) that the FortiGate unit waits between sending state-refresh messages. The range is from 1 to 100. When a state-refresh message is received by a downstream router, the prune state on the downstream router is refreshed.
    Default: 60
ttl-threshold <ttl_integer>
    Specify the minimum Time-To-Live (TTL) value (in hops) that an outbound multicast packet must have in order to be forwarded from the interface. Specifying a high value (for example, 195) prevents PIM packets from being forwarded through the interface. The range is from 0 to 255.
    Default: 1
config join-group variables
edit address <address_ipv4>
    Cause the FortiGate unit interface to activate (IGMP join) the multicast group associated with the specified multicast group address.
    No default.
config igmp variables
access-group <access_list_name>
    Specify which multicast groups hosts on the connected network segment may join based on the multicast addresses given in the specified access list. See access-list on page 228.
    Default: Null.
immediate-leave-group <access_list_name>
    This keyword applies when version is set to 2 or 3.
    Configure a FortiGate unit DR to stop sending traffic and IGMP queries to receivers after receiving an IGMP version 2 group-leave message from any member of the multicast groups identified in the specified access list. See access-list on page 228.
    Default: Null.
last-member-query-count <count_integer>
    This keyword applies when version is set to 2 or 3.
    Specify the number of times that a FortiGate unit DR sends an IGMP query to the last member of a multicast group after receiving an IGMP version 2 group-leave message.
    Default: 2
last-member-query-interval <interval_integer>
    This keyword applies when version is set to 2 or 3.
    Set the amount of time (in milliseconds) that a FortiGate unit DR waits for the last member of a multicast group to respond to an IGMP query. The range is from 1000 to 25 500. If no response is received before the specified time expires and the FortiGate unit DR has already sent an IGMP query last-member-query-count times, the FortiGate unit DR removes the member from the group and sends a prune message to the associated RP.
    Default: 1000
query-interval <interval_integer>
    Set the amount of time (in seconds) that a FortiGate unit DR waits between sending IGMP queries to determine which members of a multicast group are active. The range is from 1 to 65 535.
    Default: 125
query-max-response-time <time_integer>
    Set the maximum amount of time (in seconds) that a FortiGate unit DR waits for a member of a multicast group to respond to an IGMP query. The range is from 1 to 25. If no response is received before the specified time expires, the FortiGate unit DR removes the member from the group.
    Default: 10
query-timeout <timeout_integer>
    Set the amount of time (in seconds) that must expire before a FortiGate unit begins sending IGMP queries to the multicast group that is managed through the interface. The range is from 60 to 300. A FortiGate unit begins sending IGMP queries if it does not receive regular IGMP queries from another DR through the interface.
    Default: 255
router-alert-check {enable | disable}
    Enable to require the Router Alert option in IGMP packets.
    Default: disabled
version {1 | 2 | 3}
    Specify the version number of IGMP to run on the interface. The value can be 1, 2, or 3. The value must match the version used by all other PIM routers on the connected network segment.
    Default: 3
config pim-sm-global
These global settings apply only to sparse mode PIM-enabled interfaces. Global PIM settings do not override interface-specific PIM settings.
If sparse mode is enabled, you can configure a DR to send multicast packets to a particular RP by specifying the IP address of the RP through the config rp-address subcommand. The IP address must be directly accessible to the DR. If multicast packets from more than one multicast group can pass through the same RP, you can use an access list to specify the associated multicast group addresses.
Note: To send multicast packets to a particular RP using the config rp-address subcommand, the ip-address keyword is required. All other keywords are optional.
Variables Description Default
accept-register-list <access_list_name>
    Cause a FortiGate unit RP to accept or deny register packets from the source IP addresses given in the specified access list. See access-list on page 228.
    Default: Null.
bsr-allow-quick-refresh {enable | disable}
    Enable or disable accepting bsr quick refresh packets from neighbors.
    Default: disable
bsr-candidate {enable | disable}
    Enable or disable the FortiGate unit to offer its services as a Boot Strap Router (BSR) when required.
    Default: disable
bsr-priority <priority_integer>
    This keyword is available when bsr-candidate is set to enable.
    Assign a priority to FortiGate unit BSR candidacy. The range is from 0 to 255. The value is compared to that of other BSR candidates and the candidate having the highest priority is selected to be the BSR. If two BSR priority values are the same, the BSR candidate having the highest IP address on its BSR interface is selected.
    Default: 0
bsr-interface <interface_name>
    This keyword is available when bsr-candidate is set to enable.
    Specify the name of the PIM-enabled interface through which the FortiGate unit may announce BSR candidacy.
    Default: Null.
bsr-hash <hash_integer>
    This keyword is available when bsr-candidate is set to enable.
    Set the length of the mask (in bits) to apply to multicast group addresses in order to derive a single RP for one or more multicast groups. The range is from 0 to 32. For example, a value of 24 means that the first 24 bits of the group address are significant. All multicast groups having the same seed hash belong to the same RP.
    Default: 10
cisco-crp-prefix {enable | disable}
    Enable or disable a FortiGate unit RP that has a group prefix number of 0 to communicate with a Cisco BSR. You may choose to enable the attribute if required for compatibility with older Cisco BSRs.
    Default: disable
cisco-ignore-rp-set-priority {enable | disable}
    Enable or disable a FortiGate unit BSR to recognize Cisco RP-SET priority values when deriving a single RP for one or more multicast groups. You may choose to enable the attribute if required for compatibility with older Cisco RPs.
    Default: disable
cisco-register-checksum {enable | disable}
    Enable or disable performing a register checksum on entire PIM packets. A register checksum is performed on the header only by default. You may choose to enable register checksums on the whole packet for compatibility with older Cisco IOS routers.
    Default: disable
cisco-register-checksum-group <access_list_name>
    This keyword is available when cisco-register-checksum is set to enable.
    Identify on which PIM packets to perform a whole-packet register checksum based on the multicast group addresses in the specified access list. See access-list on page 228. You may choose to enable register checksums on entire PIM packets for compatibility with older Cisco IOS routers.
    Default: Null.
message-interval <interval_integer>
    Set the amount of time (in seconds) that the FortiGate unit waits between sending periodic PIM join/prune messages (sparse mode) or prune messages (dense mode). The value must be identical to the message interval value set on all other PIM routers in the PIM domain. The range is from 1 to 65 535.
    Default: 60
register-rate-limit <rate_integer>
    Set the maximum number of register messages per (S,G) per second that a FortiGate unit DR can send for each PIM entry in the routing table. The range is from 0 to 65 535, where 0 means an unlimited number of register messages per second.
    Default: 0
register-rp-reachability {enable | disable}
    Enable or disable a FortiGate unit DR to check if an RP is accessible prior to sending register messages.
    Default: enable
register-source {disable | interface | ip-address}
    If the FortiGate unit acts as a DR, enable or disable changing the IP source address of outbound register packets to one of the following IP addresses. The IP address must be accessible to the RP so that the RP can respond to the IP address with a Register-Stop message:
    To retain the IP address of the FortiGate unit DR interface that faces the RP, select disable.
    To change the IP source address of a register packet to the IP address of a particular FortiGate unit interface, select interface. The register-source-interface attribute specifies the interface name.
    To change the IP source address of a register packet to a particular IP address, select ip-address. The register-source-ip attribute specifies the IP address.
    Default: ip-address
register-source-interface <interface_name>
    This keyword is available when register-source is set to interface.
    Enter the name of the FortiGate unit interface.
    Default: Null.
register-source-ip <address_ipv4>
    This keyword is available when register-source is set to ip-address.
    Enter the IP source address to include in the register message.
    Default: 0.0.0.0
register-suppression <suppress_integer>
    Enter the amount of time (in seconds) that a FortiGate unit DR waits to start sending data to an RP after receiving a Register-Stop message from the RP. The range is from 1 to 65 535.
    Default: 60
rp-register-keepalive <keepalive_integer>
    If the FortiGate unit acts as an RP, set the frequency (in seconds) with which the FortiGate unit sends keepalive messages to a DR. The range is from 1 to 65 535. The two routers exchange keepalive messages to maintain a link for as long as the source continues to generate traffic.
    If the register-suppression attribute is modified on the RP and the rp-register-keepalive attribute has never been set explicitly, the rp-register-keepalive attribute is set to (3 x register-suppression) + 5 automatically.
    Default: 185
spt-threshold {enable | disable}
    Enable or disable the FortiGate unit to build a Shortest Path Tree (SPT) for forwarding multicast packets.
    Default: enable
spt-threshold-group <access_list_name>
    This keyword is available when spt-threshold is set to enable.
    Build an SPT only for the multicast group addresses given in the specified access list. See access-list on page 228.
    Default: Null.
ssm {enable | disable}
    This keyword is available when the IGMP version is set to 3.
    Enable or disable Source Specific Multicast (SSM) interactions (see RFC 3569).
    Default: enable
ssm-range <access_list_name>
    This keyword is available when ssm is set to enable.
    Enable SSM only for the multicast addresses given in the specified access list. See access-list on page 228. By default, multicast addresses in the 232.0.0.0 to 232.255.255.255 (232/8) range are used to support SSM interactions.
    Default: Null.
config rp-address variables
Applies only when pim-mode is sparse-mode.
edit <rp_id>
    Enter an ID number for the static RP address entry. The number must be an integer.
    No default.
ip-address <address_ipv4>
    Specify a static IP address for the RP.
    Default: 0.0.0.0
group <access_list_name>
    Configure a single static RP for the multicast group addresses given in the specified access list. See access-list on page 228. If an RP for any of these group addresses is already known to the BSR, the static RP address is ignored and the RP known to the BSR is used instead.
    Default: Null.
Examples
This example shows how to enable a FortiGate unit to support PIM routing in sparse mode and enable BSR candidacy on the dmz interface:
  config router multicast
    set multicast-routing enable
    config interface
      edit dmz
        set pim-mode sparse-mode
      end
    end
    config pim-sm-global
      set bsr-candidate enable
      set bsr-priority 1
      set bsr-interface dmz
      set bsr-hash 24
    end
This example shows how to enable RP candidacy on the port1 interface for the multicast group addresses given through an access list named multicast_port1:
  config router multicast
    set multicast-routing enable
    config interface
      edit port1
        set pim-mode sparse-mode
        set rp-candidate enable
        set rp-candidate-group multicast_port1
        set rp-candidate-priority 15
      end
    end
History
FortiOS v3.0 New.
Related topics
get router info multicast
execute modem trigger
ospf
Use this command to configure Open Shortest Path First (OSPF) protocol settings on the FortiGate unit.
More information on OSPF can be found in RFC 2328.
OSPF is a link state protocol capable of routing larger networks than the simpler distance vector RIP
protocol. An OSPF autonomous system (AS) or routing domain is a group of areas connected to a
backbone area. A router connected to more than one area is an area border router (ABR). Routing
information is contained in a link state database. Routing information is communicated between routers
using link state advertisements (LSAs).
Bi-directional Forwarding Detection (BFD) is a protocol used by BGP and OSPF. It is used to quickly locate
hardware failures in the network. Routers running BFD communicate with each other, and if a timer runs
out on a connection then that router is declared down. BFD then communicates this information to the
routing protocol and the routing information is updated. BFD support was added in FortiOS v3.0 MR4, and
can only be configured through the CLI.
Syntax
config router ospf
  set abr-type {cisco | ibm | shortcut | standard}
  set auto-cost-ref-bandwidth <mbps_integer>
  set bfd {enable | disable | global}
  set database-overflow {enable | disable}
  set database-overflow-max-lsas <lsas_integer>
  set database-overflow-time-to-recover <seconds_integer>
  set default-information-metric <metric_integer>
  set default-information-metric-type {1 | 2}
  set default-information-originate {always | disable | enable}
  set default-information-route-map <name_str>
  set default-metric <metric_integer>
  set distance <distance_integer>
  set distance-external <distance_integer>
  set distance-inter-area <distance_integer>
  set distance-intra-area <distance_integer>
  set distribute-list-in <access_list_name>
  set passive-interface <name_str>
  set restart-mode {graceful-restart | lls | none}
  set rfc1583-compatible {enable | disable}
  set router-id <address_ipv4>
  set spf-timers <delay_integer> <hold_integer>
  config area
    edit <area_address_ipv4>
      set authentication {md5 | none | text}
      set default-cost <cost_integer>
      set nssa-default-information-originate {enable | disable}
      set nssa-default-information-originate-metric <metric>
      set nssa-default-information-originate-metric-type {1 | 2}
      set nssa-redistribution {enable | disable}
      set nssa-translator-role {always | candidate | never}
      set shortcut {default | disable | enable}
      set stub-type {no-summary | summary}
      set type {nssa | regular | stub}
      config filter-list
        edit <filter-list_id>
          set direction {in | out}
          set list <name_str>
        end
      config range
        edit <range_id>
          set advertise {enable | disable}
          set prefix <address_ipv4mask>
          set substitute <address_ipv4mask>
          set substitute-status {enable | disable}
        end
      config virtual-link
        edit <vlink_name>
          set authentication {md5 | none | text}
          set authentication-key <password_str>
          set dead-interval <seconds_integer>
          set hello-interval <seconds_integer>
          set md5-key <id_integer> <key_str>
          set peer <address_ipv4>
          set retransmit-interval <seconds_integer>
          set transmit-delay <seconds_integer>
        end
    end
  config distribute-list
    edit <distribute-list_id>
      set access-list <name_str>
      set protocol {connected | rip | static}
    end
  end
  config neighbor
    edit <neighbor_id>
      set cost <cost_integer>
      set ip <address_ipv4>
      set poll-interval <seconds_integer>
      set priority <priority_integer>
    end
  end
  config network
    edit <network_id>
      set area <id-address_ipv4>
      set prefix <address_ipv4mask>
    end
  end
  config ospf-interface
    edit <ospf_interface_name>
      set authentication {md5 | none | text}
      set authentication-key <password_str>
      set
      set cost <cost_integer>
      set database-filter-out {enable | disable}
      set dead-interval <seconds_integer>
      set hello-interval <seconds_integer>
      set interface <name_str>
      set ip <address_ipv4>
      set md5-key <id_integer> <key_str>
      set mtu <mtu_integer>
      set mtu-ignore {enable | disable}
      set network-type <type>
      set priority <priority_integer>
      set resync-timeout <integer>
      set retransmit-interval <seconds_integer>
      set status {enable | disable}
      set transmit-delay <seconds_integer>
    end
  end
  config redistribute {bgp | connected | static | rip}
    set metric <metric_integer>
    set metric-type {1 | 2}
    set routemap <name_str>
    set status {enable | disable}
    set tag <tag_integer>
  end
  config summary-address
    edit <summary-address_id>
      set advertise {enable | disable}
      set prefix <address_ipv4mask>
      set tag <tag_integer>
    end
  end
end
config router ospf
Use this command to set the router ID of the FortiGate unit. Additional configuration options are supported.
Note: The router-id keyword is required. All other keywords are optional.
Variables Description Default
abr-type {cisco | ibm | shortcut | standard}
    Specify the behavior of a FortiGate unit acting as an OSPF area border router (ABR) when it has multiple attached areas and has no backbone connection. Selecting the ABR type compatible with the routers on your network can reduce or eliminate the need for configuring and maintaining virtual links. For more information, see RFC 3509.
    Default: standard
auto-cost-ref-bandwidth <mbps_integer>
    Enter the Mbits per second for the reference bandwidth. Values can range from 1 to 65535.
    Default: 1000
bfd {enable | disable | global}
    Select one of the Bidirectional Forwarding Detection (BFD) options for this interface.
    enable - start BFD on this interface
    disable - stop BFD on this interface
    global - use the global settings instead of explicitly setting BFD per interface. For the global settings see system bfd {enable | disable} on page 454.
    Default: disable
database-overflow {enable | disable}
    Enable or disable dynamically limiting link state database size under overflow conditions. Enable this command for FortiGate units on a network with routers that may not be able to maintain a complete link state database because of limited resources.
    Default: disable
database-overflow-max-lsas <lsas_integer>
    If you have enabled database-overflow, set the limit for the number of external link state advertisements (LSAs) that the FortiGate unit can keep in its link state database before entering the overflow state. The lsas_integer must be the same on all routers attached to the OSPF area and the OSPF backbone. The valid range for lsas_integer is 0 to 4294967294.
    Default: 10000
database-overflow-time-to-recover <seconds_integer>
    Enter the time, in seconds, after which the FortiGate unit will attempt to leave the overflow state. If seconds_integer is set to 0, the FortiGate unit will not leave the overflow state until restarted. The valid range for seconds_integer is 0 to 65535.
    Default: 300
default-information-metric <metric_integer>
    Specify the metric for the default route set by the default-information-originate command. The valid range for metric_integer is 1 to 16777214.
    Default: 10
default-information-metric-type {1 | 2}
    Specify the OSPF external metric type for the default route set by the default-information-originate command.
    Default: 2
default-information-originate {always | disable | enable}
    Enter enable to advertise a default route into an OSPF routing domain.
    Use always to advertise a default route even if the FortiGate unit does not have a default route in its routing table.
    Default: disable
default-information-route-map <name_str>
    If you have set default-information-originate to always, and there is no default route in the routing table, you can configure a route map to define the parameters that OSPF uses to advertise the default route.
    Default: Null.
default-metric <metric_integer>
    Specify the default metric that OSPF should use for redistributed routes. The valid range for metric_integer is 1 to 16777214.
    Default: 10
distance <distance_integer>
    Configure the administrative distance for all OSPF routes. Using administrative distance you can specify the relative priorities of different routes to the same destination. A lower administrative distance indicates a more preferred route. The valid range for distance_integer is 1 to 255.
    Default: 110
distance-external <distance_integer>
    Change the administrative distance of all external OSPF routes. The range is from 1 to 255.
    Default: 110
distance-inter-area <distance_integer>
    Change the administrative distance of all inter-area OSPF routes. The range is from 1 to 255.
    Default: 110
distance-intra-area <distance_integer>
    Change the administrative distance of all intra-area OSPF routes. The range is from 1 to 255.
    Default: 110
distribute-list-in <access_list_name>
    Limit route updates from the OSPF neighbor based on the Network Layer Reachability Information (NLRI) defined in the specified access list. You must create the access list before it can be selected here. See access-list on page 228.
    Default: Null.
passive-interface <name_str>
    OSPF routing information is not sent or received through the specified interface.
    No default.
Example
This example shows how to set the OSPF router ID to 1.1.1.1 for a standard area border router:
  config router ospf
    set abr-type standard
    set router-id 1.1.1.1
  end
config area
Use this subcommand to set OSPF area related parameters. Routers in an OSPF autonomous system
(AS) or routing domain are organized into logical groupings called areas. Areas are linked together by area
border routers (ABRs). There must be a backbone area that all areas can connect to. You can use a virtual
link to connect areas that do not have a physical connection to the backbone. Routers within an OSPF
area maintain link state databases for their own areas.
You can use the conf i g f i l t er - l i st subcommand to control the import and export of LSAs into and
out of an area. See config filter-list variables on page 269. You can use access or prefix lists for OSPF
area filter lists. For more information, see access-list on page 228 and prefix-list on page 282.
You can use the conf i g r ange subcommand to summarize routes at an area boundary. If the network
numbers in an area are contiguous, the ABR advertises a summary route that includes all the networks
within the area that are within the specified range. See config range variables on page 269.
r est ar t - mode {gr acef ul - r est ar t
| l l s | none}
Select the restart mode from:
graceful-restart - (also known as hitless restart) when
FortiGate unit goes down it advertises to neighbors how
long it will be down to reduce traffic
lls - Enable Link-local Signaling (LLS) mode
none - hitless restart (graceful restart) is disabled
none
r f c1583- compat i bl e
{enabl e | di sabl e}
Enable or disable RFC 1583 compatibility. RFC 1583
compatibility should be enabled only when there is
another OSPF router in the network that only supports
RFC 1583.
When RFC 1583 compatibility is enabled, routers
choose the path with the lowest cost. Otherwise, routers
choose the lowest cost intra-area path through a non-
backbone area.
di sabl e
r out er - i d <addr ess_i pv4> Set the router ID. The router ID is a unique number, in IP
address dotted decimal format, that is used to identify an
OSPF router to other OSPF routers within an area. The
router ID should not be changed while OSPF is running.
A router ID of 0.0.0.0 is not allowed.
0. 0. 0. 0
spf - t i mer s <del ay_i nt eger >
<hol d_i nt eger >
Change the default shortest path first (SPF) calculation
delay time and frequency.
The del ay_i nt eger is the time, in seconds, between
when OSPF receives information that will require an
SPF calculation and when it starts an SPF calculation.
The valid range for del ay_i nt eger is 0 to
4294967295.
The hol d_i nt eger is the minimum time, in seconds,
between consecutive SPF calculations. The valid range
for hol d_i nt eger is 0 to 4294967295.
OSPF updates routes more quickly if the SPF timers are
set low; however, this uses more CPU. A setting of 0 for
spf - t i mer s can quickly use up all available CPU.
5 10
Variables Description Default
ospf router
FortiGate Version 4.0 CLI Reference
268 01-400-93051-20090415
http://docs.fortinet.com/ Feedback
You can configure a virtual link using the conf i g vi r t ual - l i nk subcommand to connect an area to the
backbone when the area has no direct connection to the backbone (see config virtual-link variables on
page 269). A virtual link allows traffic from the area to transit a directly connected area to reach the
backbone. The transit area cannot be a stub area. Virtual links can only be set up between two ABRs.
Note: If you define a filter list, the di r ect i on and l i st keywords are required. If you define a range, the
pr ef i x keyword is required. If you define a virtual link, the peer keyword is required. All other keywords are
optional.
Variables Description Default
edit <area_address_ipv4>
    Type the IP address of the area. An address of 0.0.0.0 indicates the backbone area.
    Default: No default.
authentication {md5 | none | text}
    Set the authentication type.
    Use the authentication keyword to define the authentication used for OSPF packets sent and received in this area. If you select none, no authentication is used. If you select text, the authentication key is sent as plain text. If you select md5, an authentication key is used to generate an MD5 hash.
    Both text mode and MD5 mode only guarantee the authenticity of the OSPF packet, not the confidentiality of the information in the packet.
    In text mode the key is sent in clear text over the network. Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured router is mistakenly added to the area.
    If you configure authentication for interfaces, the authentication configured for the area is not used. Authentication passwords or keys are defined per interface. See config ospf-interface on page 273.
    Default: none
default-cost <cost_integer>
    Enter the metric to use for the summary default route in a stub area or not so stubby area (NSSA). A lower default cost indicates a more preferred route.
    The valid range for cost_integer is 1 to 16777214.
    Default: 10
nssa-default-information-originate {enable | disable}
    Enter enable to advertise a default route in a not so stubby area. Affects NSSA ABRs or NSSA Autonomous System Boundary Routers only.
    Default: disable
nssa-default-information-originate-metric <metric>
    Specify the metric (an integer) for the default route set by the nssa-default-information-originate keyword.
    Default: 10
nssa-default-information-originate-metric-type {1 | 2}
    Specify the OSPF external metric type for the default route set by the nssa-default-information-originate keyword.
    Default: 2
nssa-redistribution {enable | disable}
    Enable or disable redistributing routes into a NSSA area.
    Default: enable
nssa-translator-role {always | candidate | never}
    A NSSA border router can translate the Type 7 LSAs used for external route information within the NSSA to Type 5 LSAs used for distributing external route information to other parts of the OSPF routing domain. Usually a NSSA will have only one NSSA border router acting as a translator for the NSSA.
    You can set the translator role to always to ensure this FortiGate unit always acts as a translator if it is in a NSSA, even if other routers in the NSSA are also acting as translators.
    You can set the translator role to candidate to have this FortiGate unit participate in the process for electing a translator for a NSSA.
    You can set the translator role to never to ensure this FortiGate unit never acts as the translator if it is in a NSSA.
    Default: candidate
shortcut {default | disable | enable}
    Use this command to specify area shortcut parameters.
    Default: disable
stub-type {no-summary | summary}
    Enter no-summary to prevent an ABR sending summary LSAs into a stub area. Enter summary to allow an ABR to send summary LSAs into a stub area.
    Default: summary
type {nssa | regular | stub}
    Set the area type:
    Select nssa for a not so stubby area.
    Select regular for a normal OSPF area.
    Select stub for a stub area.
    Default: regular
config filter-list variables
edit <filter-list_id>
    Enter an ID number for the filter list. The number must be an integer.
    Default: No default.
direction {in | out}
    Set the direction for the filter. Enter in to filter incoming packets. Enter out to filter outgoing packets.
    Default: out
list <name_str>
    Enter the name of the access list or prefix list to use for this filter list.
    Default: Null.
config range variables
edit <range_id>
    Enter an ID number for the range. The number must be an integer in the 0 to 4294967295 range.
    Default: No default.
advertise {enable | disable}
    Enable or disable advertising the specified range.
    Default: enable
prefix <address_ipv4mask>
    Specify the range of addresses to summarize.
    Default: 0.0.0.0 0.0.0.0
substitute <address_ipv4mask>
    Enter a prefix to advertise instead of the prefix defined for the range. The prefix 0.0.0.0 0.0.0.0 is not allowed.
    Default: 0.0.0.0 0.0.0.0
substitute-status {enable | disable}
    Enable or disable using a substitute prefix.
    Default: disable
config virtual-link variables
edit <vlink_name>
    Enter a name for the virtual link.
    Default: No default.
authentication {md5 | none | text}
    Set the authentication type.
    Use the authentication keyword to define the authentication used for OSPF packets sent and received over this virtual link. If you select none, no authentication is used. If you select text, the authentication key is sent as plain text. If you select md5, an authentication key is used to generate an MD5 hash.
    Both text mode and MD5 mode only guarantee the authenticity of the OSPF packet, not the confidentiality of the information in the packet.
    In text mode the key is sent in clear text over the network. Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured router is mistakenly added to the area.
    Default: none
authentication-key <password_str>
    This keyword is available when authentication is set to text.
    Enter the password to use for text authentication.
    The authentication-key must be the same on both ends of the virtual link.
    The maximum length for the authentication-key is 15 characters.
    Default: * (No default.)
dead-interval <seconds_integer>
    The time, in seconds, to wait for a hello packet before declaring a router down. The value of the dead-interval should be four times the value of the hello-interval.
    Both ends of the virtual link must use the same value for dead-interval.
    The valid range for seconds_integer is 1 to 65535.
    Default: 40
hello-interval <seconds_integer>
    The time, in seconds, between hello packets.
    Both ends of the virtual link must use the same value for hello-interval.
    The valid range for seconds_integer is 1 to 65535.
    Default: 10
md5-key <id_integer> <key_str>
    This keyword is available when authentication is set to md5.
    Enter the key ID and password to use for MD5 authentication. Both ends of the virtual link must use the same key ID and key.
    The valid range for id_integer is 1 to 255. key_str is an alphanumeric string of up to 16 characters.
    Default: No default.
peer <address_ipv4>
    The router id of the remote ABR. 0.0.0.0 is not allowed.
    Default: 0.0.0.0
retransmit-interval <seconds_integer>
    The time, in seconds, to wait before sending a LSA retransmission. The value for the retransmit interval must be greater than the expected round-trip delay for a packet. The valid range for seconds_integer is 1 to 65535.
    Default: 5
transmit-delay <seconds_integer>
    The estimated time, in seconds, required to send a link state update packet on this virtual link.
    OSPF increments the age of the LSAs in the update packet to account for transmission and propagation delays on the virtual link.
    Increase the value for transmit-delay on low speed links.
    The valid range for seconds_integer is 1 to 65535.
    Default: 1
Example
This example shows how to configure a stub area with the id 15.1.1.1, a stub type of summary, a default cost of 20, and MD5 authentication.
config router ospf
  config area
    edit 15.1.1.1
      set type stub
      set stub-type summary
      set default-cost 20
      set authentication md5
    end
end
This example shows how to use a filter list named acc_list1 to filter packets entering area 15.1.1.1.
config router ospf
  config area
    edit 15.1.1.1
      config filter-list
        edit 1
          set direction in
          set list acc_list1
        end
    end
end
This example shows how to set the prefix for range 1 of area 15.1.1.1.
config router ospf
  config area
    edit 15.1.1.1
      config range
        edit 1
          set prefix 1.1.0.0 255.255.0.0
        end
    end
end
This example shows how to configure a virtual link.
config router ospf
  config area
    edit 15.1.1.1
      config virtual-link
        edit vlnk1
          set peer 1.1.1.1
        end
    end
end
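The authentication, authentication-key and md5-key keywords above (for areas and virtual links; the same choice exists per interface under config ospf-interface) select between clear-text and MD5 authentication. The following Python model is an added example, not Fortinet code: it builds OSPFv2 Hello packets with the RFC 2328 Appendix D simple-password and cryptographic (MD5) layouts, verifies the digest and sequence number on the receiving side, and shows that the text-mode key is readable on the wire while neither mode hides the routing information. Zero-padding a shorter MD5 key to 16 bytes, the constructed Hello body and the sample keys are assumptions.

```python
"""OSPFv2 authentication modes on the wire (added example, not Fortinet code)."""
import hashlib
import hmac
import ipaddress
import struct

OSPF_VERSION = 2
HELLO = 1                  # OSPF packet type 1 = Hello
AU_TEXT, AU_MD5 = 1, 2     # AuType: simple password (text) / cryptographic (md5)
HEADER_LEN, MD5_LEN = 24, 16


def _header(pkt_type, length, router_id, area_id, au_type, auth_field):
    """24-byte OSPFv2 header (RFC 2328 A.3.1); the checksum is left 0 as MD5 mode requires."""
    return struct.pack("!BBH4s4sHH8s", OSPF_VERSION, pkt_type, length,
                       ipaddress.IPv4Address(router_id).packed,
                       ipaddress.IPv4Address(area_id).packed,
                       0, au_type, auth_field)


def text_auth_packet(body, router_id, area_id, key):
    """authentication text: the key itself rides in the 64-bit authentication field."""
    if len(key) > 8:
        raise ValueError("the RFC 2328 simple password field holds at most 8 octets")
    return _header(HELLO, HEADER_LEN + len(body), router_id, area_id,
                   AU_TEXT, key.ljust(8, b"\0")) + body


def md5_auth_packet(body, router_id, area_id, key_id, key, seq):
    """authentication md5 with md5-key <key_id> <key>: the authentication field carries
    the key ID, digest length and a sequence number; MD5(packet + key) is appended."""
    if not 1 <= key_id <= 255 or len(key) > MD5_LEN:
        raise ValueError("key ID must be 1 to 255 and the key at most 16 characters")
    auth_field = struct.pack("!HBBI", 0, key_id, MD5_LEN, seq)
    pkt = _header(HELLO, HEADER_LEN + len(body), router_id, area_id,
                  AU_MD5, auth_field) + body
    # Assumption: a key shorter than 16 bytes is zero-padded before hashing.
    digest = hashlib.md5(pkt + key.ljust(MD5_LEN, b"\0")).digest()
    return pkt + digest        # the digest is not counted in the header length field


def verify_md5(packet, keys, last_seq):
    """Receiver side. keys maps key ID -> key bytes (the neighbour's md5-key entries);
    last_seq is the highest sequence number already accepted from this neighbour.
    Returns (accepted, reason, sequence number to remember)."""
    if len(packet) < HEADER_LEN + MD5_LEN:
        return False, "short packet", last_seq
    _, _, length, _, _, _, au_type, auth = struct.unpack("!BBH4s4sHH8s", packet[:HEADER_LEN])
    if au_type != AU_MD5:
        return False, "AuType is not cryptographic", last_seq
    _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
    key = keys.get(key_id)
    if key is None or auth_len != MD5_LEN:
        return False, "unknown key ID or bad auth data length", last_seq
    if seq < last_seq:
        return False, "sequence number went backwards (replay)", last_seq
    data, digest = packet[:length], packet[length:length + MD5_LEN]
    expected = hashlib.md5(data + key.ljust(MD5_LEN, b"\0")).digest()
    if not hmac.compare_digest(digest, expected):
        return False, "digest mismatch (wrong key or modified packet)", last_seq
    return True, "ok", seq


def key_on_wire(packet, key):
    """True when the configured key can be read straight out of the packet."""
    return key in packet


if __name__ == "__main__":
    # Constructed Hello body: mask /24, hello 10, options, priority 1, dead 40, DR, BDR.
    body = bytes.fromhex("ffffff00000a0201000000280a00000100000000")
    keys = {1: b"fortikey1"}                       # constructed: md5-key 1 fortikey1
    good = md5_auth_packet(body, "1.1.1.1", "0.0.0.0", 1, keys[1], 100)
    print(verify_md5(good, keys, 0))               # (True, 'ok', 100)
    tampered = good[:30] + bytes([good[30] ^ 0xFF]) + good[31:]
    print(verify_md5(tampered, keys, 0))           # digest mismatch
    print(verify_md5(good, keys, 101))             # replay of an older sequence number
    text = text_auth_packet(body, "1.1.1.1", "0.0.0.0", b"plain1")
    print(key_on_wire(text, b"plain1"), key_on_wire(good, keys[1]))   # True False
```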
config distribute-list
Use this subcommand to filter the networks in routing updates using an access list. Routes not matched by any of the distribution lists will not be advertised.
You must configure the access list that you want the distribution list to use before you configure the distribution list. To configure an access list, see access-list on page 228.
Note: The access-list and protocol keywords are required.
Variables Description Default
edit <distribute-list_id>
    Enter an ID number for the distribution list. The number must be an integer.
    Default: No default.
access-list <name_str>
    Enter the name of the access list to use for this distribution list.
    Default: Null.
protocol {connected | rip | static}
    Advertise only the routes discovered by the specified protocol and that are permitted by the named access list.
    Default: connected
Example
This example shows how to configure distribution list 2 to use an access list named acc_list1 for all static routes.
config router ospf
  config distribute-list
    edit 2
      set access-list acc_list1
      set protocol static
    end
end
config neighbor
Use this subcommand to manually configure an OSPF neighbor on non-broadcast networks. OSPF packets are unicast to the specified neighbor address. You can configure multiple neighbors.
Note: The ip keyword is required. All other keywords are optional.
Variables Description Default
edit <neighbor_id>
    Enter an ID number for the OSPF neighbor. The number must be an integer.
    Default: No default.
bfd
cost <cost_integer>
    Enter the cost to use for this neighbor. The valid range for cost_integer is 1 to 65535.
    Default: 10
ip <address_ipv4>
    Enter the IP address of the neighbor.
    Default: 0.0.0.0
poll-interval <seconds_integer>
    Enter the time, in seconds, between hello packets sent to the neighbor in the down state. The value of the poll interval must be larger than the value of the hello interval. The valid range for seconds_integer is 1 to 65535.
    Default: 10
priority <priority_integer>
    Enter a priority number for the neighbor. The valid range for priority_integer is 0 to 255.
    Default: 1
Example
This example shows how to manually add a neighbor.
config router ospf
  config neighbor
    edit 1
      set ip 192.168.21.63
    end
end
config network
Use this subcommand to identify the interfaces to include in the specified OSPF area. The prefix keyword can define one or multiple interfaces.
Note: The area and prefix keywords are required.
Variables Description Default
edit <network_id>
    Enter an ID number for the network. The number must be an integer.
    Default: No default.
area <id-address_ipv4>
    The ID number of the area to be associated with the prefix.
    Default: 0.0.0.0
prefix <address_ipv4mask>
    Enter the IP address and netmask for the OSPF network.
    Default: 0.0.0.0 0.0.0.0
Example
Use the following command to enable OSPF for the interfaces attached to networks specified by the IP address 10.0.0.0 and the netmask 255.255.255.0 and to add these interfaces to area 10.1.1.1.
config router ospf
  config network
    edit 2
      set area 10.1.1.1
      set prefix 10.0.0.0 255.255.255.0
    end
end
config ospf-interface
Use this subcommand to change interface related OSPF settings.
Note: The interface keyword is required. All other keywords are optional.
Variables Description Default
edit <ospf_interface_name>
    Enter a descriptive name for this OSPF interface configuration. To apply this configuration to a FortiGate unit interface, set the interface <name_str> attribute.
    Default: No default.
authentication {md5 | none | text}
    Use the authentication keyword to define the authentication used for OSPF packets sent and received by this interface. If you select none, no authentication is used. If you select text, the authentication key is sent as plain text. If you select md5, the authentication key is used to generate an MD5 hash.
    Both text mode and MD5 mode only guarantee the authenticity of the update packet, not the confidentiality of the routing information in the packet.
    In text mode the key is sent in clear text over the network. Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured router is mistakenly added to the network.
    If you configure authentication for the interface, authentication for areas is not used.
    All routers on the network must use the same authentication type.
    Default: none
authentication-key <password_str>
    This keyword is available when authentication is set to text.
    Enter the password to use for text authentication.
    The authentication-key must be the same on all neighboring routers.
    The maximum length for the authentication-key is 15 characters.
    Default: * (No default.)
bfd {enable | disable}
    Select to enable Bi-directional Forwarding Detection (BFD). It is used to quickly detect hardware problems on the network. This command enables this service on this interface.
cost <cost_integer>
    Specify the cost (metric) of the link. The cost is used for shortest path first calculations.
    Default: 10
database-filter-out {enable | disable}
    Enable or disable flooding LSAs out of this interface.
    Default: disable
dead-interval <seconds_integer>
    The time, in seconds, to wait for a hello packet before declaring a router down. The value of the dead-interval should be four times the value of the hello-interval.
    All routers on the network must use the same value for dead-interval.
    The valid range for seconds_integer is 1 to 65535.
    Default: 40
hello-interval <seconds_integer>
    The time, in seconds, between hello packets.
    All routers on the network must use the same value for hello-interval.
    The valid range for seconds_integer is 1 to 65535.
    Default: 10
interface <name_str>
    Enter the name of the interface to associate with this OSPF configuration. The interface might be a virtual IPSec or GRE interface.
    Default: Null.
ip <address_ipv4>
    Enter the IP address of the interface named by the interface keyword.
    It is possible to apply different OSPF configurations for different IP addresses defined on the same interface.
    Default: 0.0.0.0
md5-key <id_integer> <key_str>
    This keyword is available when authentication is set to md5.
    Enter the key ID and password to use for MD5 authentication. You can add more than one key ID and key pair per interface. However, you cannot unset one key without unsetting all of the keys.
    The key ID and key must be the same on all neighboring routers.
    The valid range for id_integer is 1 to 255. key_str is an alphanumeric string of up to 16 characters.
    Default: No default.
mtu <mtu_integer>
    Change the Maximum Transmission Unit (MTU) size included in database description packets sent out this interface. The valid range for mtu_integer is 576 to 65535.
    Default: 1500
mtu-ignore {enable | disable}
    Use this command to control the way OSPF behaves when the MTU in the sent and received database description packets does not match.
    When mtu-ignore is enabled, OSPF will stop detecting mismatched MTUs and go ahead and form an adjacency.
    When mtu-ignore is disabled, OSPF will detect mismatched MTUs and not form an adjacency.
    mtu-ignore should only be enabled if it is not possible to reconfigure the MTUs so that they match.
    Default: disable
network-type <type>
    Specify the type of network to which the interface is connected. OSPF supports four different types of network. This command specifies the behavior of the OSPF interface according to the network type, one of:
    broadcast
    non-broadcast
    point-to-multipoint
    point-to-point
    If you specify non-broadcast, you must also configure neighbors using config neighbor on page 113.
    Default: broadcast
priority <priority_integer>
    Set the router priority for this interface.
    Router priority is used during the election of a designated router (DR) and backup designated router (BDR).
    An interface with router priority set to 0 can not be elected DR or BDR. The interface with the highest router priority wins the election. If there is a tie for router priority, router ID is used.
    Point-to-point networks do not elect a DR or BDR; therefore, this setting has no effect on a point-to-point network.
    The valid range for priority_integer is 0 to 255.
    Default: 1
resync-timeout <integer>
    Enter the synchronizing timeout for graceful restart interval. This is the period for this interface to synchronize with a neighbor.
    Default: 40
retransmit-interval <seconds_integer>
    The time, in seconds, to wait before sending a LSA retransmission. The value for the retransmit interval must be greater than the expected round-trip delay for a packet. The valid range for seconds_integer is 1 to 65535.
    Default: 5
status {enable | disable}
    Enable or disable OSPF on this interface.
    Default: enable
transmit-delay <seconds_integer>
    The estimated time, in seconds, required to send a link state update packet on this interface.
    OSPF increments the age of the LSAs in the update packet to account for transmission and propagation delays on the interface.
    Increase the value for transmit-delay on low speed links.
    The valid range for seconds_integer is 1 to 65535.
    Default: 1
Example
This example shows how to assign an OSPF interface configuration named test to the interface named internal and how to configure text authentication for this interface.
config router ospf
  config ospf-interface
    edit test
      set interface internal
      set ip 192.168.20.3
      set authentication text
      set authentication-key a2b3c4d5e
    end
end
config redistribute
Use this subcommand to redistribute routes learned from BGP, RIP, static routes, or a direct connection to the destination network.
The OSPF redistribution table contains four static entries. You cannot add entries to the table. The entries are defined as follows:
bgp - Redistribute routes learned from BGP.
connected - Redistribute routes learned from a direct connection to the destination network.
static - Redistribute the static routes defined in the FortiGate unit routing table.
rip - Redistribute routes learned from RIP.
When you enter the subcommand, end the command with one of the four static entry names (that is, config redistribute {bgp | connected | static | rip}).
Note: All keywords are optional.
Variables Description Default
metric <metric_integer>
    Enter the metric to be used for the redistributed routes. The metric_integer range is from 1 to 16777214.
    Default: 10
metric-type {1 | 2}
    Specify the external link type to be used for the redistributed routes.
    Default: 2
routemap <name_str>
    Enter the name of the route map to use for the redistributed routes. For information on how to configure route maps, see route-map on page 294.
    Default: Null.
status {enable | disable}
    Enable or disable redistributing routes.
    Default: disable
tag <tag_integer>
    Specify a tag for redistributed routes.
    The valid range for tag_integer is 0 to 4294967295.
    Default: 0
Example
This example shows how to enable route redistribution from RIP, using a metric of 3 and a route map named rtmp2.
config router ospf
  config redistribute rip
    set metric 3
    set routemap rtmp2
    set status enable
  end
end
config summary-address
Use this subcommand to summarize external routes for redistribution into OSPF. This command works only for summarizing external routes on an Autonomous System Boundary Router (ASBR). For information on summarization between areas, see config range variables on page 269. By replacing the LSAs for each route with one aggregate route, you reduce the size of the OSPF link-state database.
Note: The prefix keyword is required. All other keywords are optional.
Variables Description Default
edit <summary-address_id>
    Enter an ID number for the summary address. The number must be an integer.
    Default: No default.
advertise {enable | disable}
    Advertise or suppress the summary route that matches the specified prefix.
    Default: enable
prefix <address_ipv4mask>
    Enter the prefix (IP address and netmask) to use for the summary route. The prefix 0.0.0.0 0.0.0.0 is not allowed.
    Default: 0.0.0.0 0.0.0.0
tag <tag_integer>
    Specify a tag for the summary route.
    The valid range for tag_integer is 0 to 4294967295.
    Default: 0
Example
This example shows how to summarize routes using the prefix 10.0.0.0 255.0.0.0.
config router ospf
  config summary-address
    edit 5
      set prefix 10.0.0.0 255.0.0.0
    end
end
History
FortiOS v2.80 New.
FortiOS v3.0 Added distance-external, distance-inter-area, distance-intra-area, and distribute-list-in keywords. Changed default value of abr-type attribute to standard.
FortiOS v3.0 MR4 Added bfd, restart-mode, resynch-timeout, and restart-period keywords.
Related topics
router access-list
get router info ospf
get router info protocols
get router info routing-table
router prefix-list
router route-map
policy
Use this command to add, move, edit or delete a route policy. When you create a policy route, any packets that match the policy are forwarded to the IP address of the next-hop gateway through the specified outbound interface.
You can configure the FortiGate unit to route packets based on:
a source address
a protocol, service type, or port range
the inbound interface
type of service (TOS)
When the FortiGate unit receives a packet, it starts at the top of the policy routing list and attempts to match the packet with a policy in ascending order. If the packet matches no policy route, the FortiGate unit routes the packet using the routing table. Route policies are processed before static routing. You can change the order of policy routes using the move command. See config branch on page 36.
Type of service (TOS) is an 8-bit field in the IP header that enables you to determine how the IP datagram should be delivered, with such criteria as delay, priority, reliability, and minimum cost. Each of these qualities helps gateways determine the best way to route datagrams. A router maintains a TOS value for each route in its routing table. The lowest priority TOS is 0, the highest is 7 - when bits 3, 4, and 5 are all set to 1. The router tries to match the TOS of the datagram to the TOS on one of the possible routes to the destination. If there is no match, the datagram is sent over a zero TOS route. Using increased quality may increase the cost of delivery because better performance may consume limited network resources. For more information see RFC 791 and RFC 1349.
The two keywords tos and tos-mask enable you to configure type of service support on your FortiGate unit. tos-mask enables you to look at only selected bits of the 8-bit TOS field in the IP header. This is useful as you may only care about reliability for some traffic, and not about the other TOS criteria.
The value in tos is used to match the pattern from tos-mask. If it matches, then the rest of the policy is applied. If the mask doesn't match, the next policy tries to match if it is configured, and eventually default routing is applied if there are no other matches.
Note: For static routing, any number of static routes can be defined for the same destination. When multiple routes for the same destination exist, the FortiGate unit chooses the route having the lowest administrative distance. Route redundancy is not available for policy routing: any packets that match a route policy are forwarded according to the route specified in the policy.
Table 6: The role of each bit in the IP header TOS 8-bit field
bits 0, 1, 2 - Precedence: Some networks treat high precedence traffic as more important traffic. Precedence should only be used within a network, and can be used differently in each network. Typically you do not care about these bits.
bit 3 - Delay: When set to 1, this bit indicates low delay is a priority. This is useful for such services as VoIP where delays degrade the quality of the sound.
bit 4 - Throughput: When set to 1, this bit indicates high throughput is a priority. This is useful for services that require lots of bandwidth such as video conferencing.
bit 5 - Reliability: When set to 1, this bit indicates high reliability is a priority. This is useful when a service must always be available such as with DNS servers.
bit 6 - Cost: When set to 1, this bit indicates low cost is a priority. Generally there is a higher delivery cost associated with enabling bits 3, 4, or 5, and bit 6 indicates to use the lowest cost route.
bit 7 - Reserved for future use: Not used at this time.
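As an added example, not part of the Fortinet reference, the following Python model evaluates config router policy entries the way the text above describes: top-down in list order, first match wins, and a packet that matches nothing falls through to the routing table. src, dst, input-device, protocol, start-port/end-port and tos/tos-mask follow the keyword descriptions in this section; treating protocol 0 and the prefix 0.0.0.0 0.0.0.0 as "match any", and the wan2/3.3.3.1 low-delay policy, are assumptions.

```python
"""Model of FortiGate policy-route matching (added example, not Fortinet code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

TCP, UDP = 6, 17
ANY_PREFIX = "0.0.0.0 0.0.0.0"   # the src/dst default, taken here to mean "any"


def _net(cli_prefix: str) -> IPv4Network:
    """'10.0.0.0 255.0.0.0' as typed in the CLI -> IPv4Network."""
    addr, mask = cli_prefix.split()
    return IPv4Network(f"{addr}/{mask}", strict=False)


@dataclass
class Packet:
    input_device: str
    src: str
    dst: str
    protocol: int
    dport: int = 0
    tos: int = 0x00


@dataclass
class PolicyRoute:
    seq: int                      # the edit <policy_integer> ID
    input_device: str             # the one required keyword
    src: str = ANY_PREFIX
    dst: str = ANY_PREFIX
    protocol: int = 0             # 0 = any protocol (assumption)
    start_port: int = 1
    end_port: int = 65535
    tos: int = 0x00
    tos_mask: int = 0x00
    output_device: str = ""
    gateway: str = "0.0.0.0"

    def matches(self, pkt: Packet) -> bool:
        if pkt.input_device != self.input_device:
            return False
        if IPv4Address(pkt.src) not in _net(self.src) or IPv4Address(pkt.dst) not in _net(self.dst):
            return False
        if self.protocol and pkt.protocol != self.protocol:
            return False
        # Port matching only applies to TCP and UDP and needs start-port <= end-port.
        if pkt.protocol in (TCP, UDP) and self.start_port <= self.end_port:
            if not self.start_port <= pkt.dport <= self.end_port:
                return False
        # tos-mask keeps only the bits that matter; the result must equal tos exactly,
        # so a tos bit outside the mask can never match (the note on tos-mask).
        return (pkt.tos & self.tos_mask) == self.tos


def move_policy(policies: List[PolicyRoute], seq1: int, where: str, seq2: int) -> None:
    """The CLI 'move <seq-num1> {before | after} <seq-num2>' on an in-order list."""
    moving = next(p for p in policies if p.seq == seq1)
    policies.remove(moving)
    idx = next(i for i, p in enumerate(policies) if p.seq == seq2)
    policies.insert(idx if where == "before" else idx + 1, moving)


def route(policies: List[PolicyRoute], pkt: Packet) -> Optional[Tuple[str, str]]:
    """First matching policy from the top of the list wins and returns (gateway,
    output-device); None means the packet falls through to the routing table."""
    for pol in policies:
        if pol.matches(pkt):
            return pol.gateway, pol.output_device
    return None


# The two policies from the example in this section, plus a constructed low-delay policy.
POLICIES = [
    PolicyRoute(1, "internal", "192.168.10.0 255.255.255.0", "100.100.100.0 255.255.255.0",
                output_device="external", gateway="1.1.1.1"),
    PolicyRoute(2, "internal", "192.168.20.0 255.255.255.0", "200.200.200.0 255.255.255.0",
                output_device="external", gateway="2.2.2.1"),
    # Bit 3 (Delay) of the TOS byte is 0x10: steer low-delay traffic such as VoIP via wan2.
    PolicyRoute(3, "internal", tos=0x10, tos_mask=0x10, output_device="wan2", gateway="3.3.3.1"),
]

if __name__ == "__main__":
    print(route(POLICIES, Packet("internal", "192.168.10.7", "100.100.100.9", TCP, 443)))
    print(route(POLICIES, Packet("internal", "192.168.30.7", "8.8.8.8", UDP, 53, tos=0x18)))
    print(route(POLICIES, Packet("dmz", "192.168.10.7", "100.100.100.9", TCP, 443)))
```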
Syntax
conf i g r out er pol i cy
move <seq- num1> {bef or e | af t er } <seq- num2>
edi t <pol i cy_i nt eger >
set dst <dest - addr ess_i pv4mask>
set end- por t <por t _i nt eger >
set gat eway <addr ess_i pv4>
set i nput - devi ce <i nt er f ace- name_st r >
set out put - devi ce <i nt er f ace- name_st r >
set pr ot ocol <pr ot ocol _i nt eger >
set sr c <sour ce- addr ess_i pv4mask>
set st ar t - por t <por t _i nt eger >
set t os <hex_mask>
set t os- mask <hex_mask>
end
Note: You need to use t os- mask to remove bits from the pattern you dont care about, or those bits will
prevent a match with your t os pattern.
Note: The i nput - devi ce keyword is required. All other keywords are optional.
Variables Description Default
move <seq- num1>
{bef or e | af t er } <seq- num2>
Move one policy before or after another. No default.
edi t <pol i cy_i nt eger > Enter an ID number for the route policy. The number must
be an integer.
No default.
dst <dest - addr ess_i pv4mask> Match packets that have this destination IP address and
netmask.
0. 0. 0. 0
0. 0. 0. 0
end- por t <por t _i nt eger > The end port number of a port range for a policy route.
Match packets that have this destination port range. You
must configure both the st ar t - por t and end- por t
keywords for destination-port-range matching to take
effect. To specify a range, the st ar t - por t value must be
lower than the end- por t value. To specify a single port,
the st ar t - por t value must be identical to the end- por t
value. The por t _i nt eger range is 0 to 65 535.
For protocols other than TCP and UDP, the port number is
ignored.
65 535
gat eway <addr ess_i pv4> Send packets that match the policy to this next hop router. 0. 0. 0. 0
i nput - devi ce
<i nt er f ace- name_st r >
Match packets that are received on this interface. Nul l .
out put - devi ce
<i nt er f ace- name_st r >
Send packets that match the policy out this interface. Nul l .
pr ot ocol <pr ot ocol _i nt eger > Match packets that have this protocol number. The range is
0 to 255.
For protocols other than TCP and UDP, the port number is
ignored.
0
sr c
<sour ce- addr ess_i pv4mask>
Match packets that have this source IP address and
netmask.
0. 0. 0. 0
0. 0. 0. 0
start-port <port_integer>
    The start port number of a port range for a policy route. Match packets that have this destination port range. You must configure both the start-port and end-port keywords for destination-port-range matching to take effect. To specify a range, the start-port value must be lower than the end-port value. To specify a single port, the start-port value must be identical to the end-port value. The port_integer range is 0 to 65535.
    For protocols other than TCP and UDP, the port number is ignored.
    Default: 1

tos <hex_mask>
    The type of service (TOS) mask to match after applying the tos-mask. This is an 8-bit hexadecimal pattern that can be from 00 to FF.
    The tos mask attempts to match the quality of service for this profile. Each bit in the mask represents a different aspect of quality. A tos mask of 0010 would indicate reliability is important, but with normal delay and throughput. The hex mask for this pattern would be 04.
    Default: Null.

tos-mask <hex_mask>
    This value determines which bits in the IP header's TOS field are significant. This is an 8-bit hexadecimal mask that can be from 00 to FF.
    Typically, only bits 3 through 6 are used for TOS, so it is necessary to mask out the other bits. To mask out everything but bits 3 through 6, the hex mask would be 1E.
    Default: Null.

Example
If a FortiGate unit provides Internet access for multiple internal subnets, you can use policy routing to control the route that traffic from each network takes to the Internet. For example, if the internal network includes the subnets 192.168.10.0 and 192.168.20.0, you can enter the following route policies:
Enter the following command to route traffic from the 192.168.10.0 subnet to the 100.100.100.0 subnet. Force the packets to the next hop gateway at IP address 1.1.1.1 through the interface named external.
config router policy
    edit 1
        set input-device internal
        set src 192.168.10.0 255.255.255.0
        set dst 100.100.100.0 255.255.255.0
        set output-device external
        set gateway 1.1.1.1
end
Enter the following command to route traffic from the 192.168.20.0 subnet to the 200.200.200.0 subnet. Force the packets to the next hop gateway at IP address 2.2.2.1 through the interface named external.
config router policy
    edit 2
        set input-device internal
        set src 192.168.20.0 255.255.255.0
        set dst 200.200.200.0 255.255.255.0
        set output-device external
        set gateway 2.2.2.1
end
Enter the following command to direct all HTTP traffic using port 80 to the next hop gateway at IP address 1.1.1.1 if it has the TOS low delay bit set.
config router policy
    edit 1
        set input-device internal
        set src 0.0.0.0 0.0.0.0
        set dst 0.0.0.0 0.0.0.0
        set output-device external
        set gateway 1.1.1.1
        set protocol 6
        set start-port 80
        set end-port 80
        set tos-mask 10
        set tos 10
end
Enter the following command to direct all other traffic to the next hop gateway at IP address 2.2.2.1.
config router policy
    edit 2
        set input-device internal
        set src 0.0.0.0 0.0.0.0
        set dst 0.0.0.0 0.0.0.0
        set output-device external
        set gateway 2.2.2.1
end
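As an added illustration that is not part of the FortiGate reference, the following Python model applies the matching rules of the policy entries above (source, destination, protocol, port range and tos-mask) to constructed packets, so the effect of a mask can be checked before a policy goes on a unit. It assumes entries are tried in sequence order with the first match winning, and that an unset tos-mask treats all TOS bits as significant.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RoutePolicy:
    """One config router policy entry; field names follow the CLI keywords."""
    seq: int
    input_device: str
    src: str = "0.0.0.0 0.0.0.0"      # "<address> <netmask>" as typed in the CLI
    dst: str = "0.0.0.0 0.0.0.0"
    protocol: int = 0                  # 0 = any protocol (CLI default)
    start_port: int = 1
    end_port: int = 65535
    tos: Optional[int] = None          # pattern to match; None = Null (not set)
    tos_mask: Optional[int] = None     # significant TOS bits; None = Null
    output_device: str = ""
    gateway: str = "0.0.0.0"


@dataclass
class Packet:
    """Constructed packet summary: only the fields a policy route looks at."""
    in_dev: str
    src: str
    dst: str
    proto: int
    dport: int = 0
    tos: int = 0


def _network(addr_mask: str) -> ipaddress.IPv4Network:
    addr, mask = addr_mask.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def policy_matches(p: RoutePolicy, pkt: Packet) -> bool:
    if pkt.in_dev != p.input_device:
        return False
    if ipaddress.IPv4Address(pkt.src) not in _network(p.src):
        return False
    if ipaddress.IPv4Address(pkt.dst) not in _network(p.dst):
        return False
    if p.protocol and pkt.proto != p.protocol:
        return False
    # The port range applies to TCP (6) and UDP (17) only; for other
    # protocols the reference says the port number is ignored.
    if pkt.proto in (6, 17) and not (p.start_port <= pkt.dport <= p.end_port):
        return False
    # tos-mask selects the significant bits of the packet's TOS byte; the
    # masked value must equal the tos pattern. A tos bit outside the mask can
    # never match, which is why the note above says to mask such bits out.
    # Assumption: an unset tos-mask behaves like FF (all bits significant).
    if p.tos is not None:
        mask = 0xFF if p.tos_mask is None else p.tos_mask
        if (pkt.tos & mask) != p.tos:
            return False
    return True


def select_gateway(policies: List[RoutePolicy], pkt: Packet) -> Optional[str]:
    """Assumption: entries are tried in sequence order; first match wins."""
    for p in sorted(policies, key=lambda x: x.seq):
        if policy_matches(p, pkt):
            return p.gateway
    return None


# The two per-subnet policies from the first example above.
SUBNET_POLICIES = [
    RoutePolicy(seq=1, input_device="internal", src="192.168.10.0 255.255.255.0",
                dst="100.100.100.0 255.255.255.0", output_device="external",
                gateway="1.1.1.1"),
    RoutePolicy(seq=2, input_device="internal", src="192.168.20.0 255.255.255.0",
                dst="200.200.200.0 255.255.255.0", output_device="external",
                gateway="2.2.2.1"),
]

# The TOS low-delay policy and its catch-all from the second example above.
TOS_POLICIES = [
    RoutePolicy(seq=1, input_device="internal", output_device="external",
                gateway="1.1.1.1", protocol=6, start_port=80, end_port=80,
                tos_mask=0x10, tos=0x10),
    RoutePolicy(seq=2, input_device="internal", output_device="external",
                gateway="2.2.2.1"),
]

if __name__ == "__main__":
    http_low_delay = Packet("internal", "192.168.10.5", "203.0.113.9", 6, 80, tos=0x10)
    print(select_gateway(TOS_POLICIES, http_low_delay))  # 1.1.1.1
```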
History
FortiOS v2.80      Revised.
FortiOS v3.0       Replaced all underscore characters in keywords with hyphens. Changed default start-port number to 1. Changed default end-port number to 65535.
FortiOS v3.0 MR7   Added tos and tos-mask.
Related topics
router static
prefix-list
Use this command to add, edit, or delete prefix lists. A prefix list is an enhanced version of an access list that allows you to control the length of the prefix netmask.
Each rule in a prefix list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and maximum and minimum prefix length settings.
The FortiGate unit attempts to match a packet against the rules in a prefix list starting at the top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found, the default action is deny. A prefix list should be used to match the default route 0.0.0.0/0.
For a prefix list to take effect, it must be called by another FortiGate unit routing feature such as RIP or OSPF.
config router setting uses prefix-list to filter the displayed routes. For more information, see setting on page 300.
Syntax
config router prefix-list
    edit <prefix_list_name>
        set comments <string>
        config rule
            edit <prefix_rule_id>
                set action {deny | permit}
                set ge <length_integer>
                set le <length_integer>
                set prefix {<address_ipv4mask> | any}
            end
    end
Note: The action and prefix keywords are required. All other keywords are optional.
Variables, descriptions and defaults:

edit <prefix_list_name>
    Enter a name for the prefix list. A prefix list and an access list cannot have the same name.
    Default: none.

config rule variables

edit <prefix_rule_id>
    Enter an entry number for the rule. The number must be an integer.
    Default: none.

action {deny | permit}
    Set the action to take for this prefix.
    Default: permit

comments <string>
    Enter a description of this access list entry. The description can be up to 127 characters long.

ge <length_integer>
    Match prefix lengths that are greater than or equal to this number. The setting for ge should be less than the setting for le. The setting for ge should be greater than the netmask set for prefix. length_integer can be any number from 0 to 32.
    Default: 0

le <length_integer>
    Match prefix lengths that are less than or equal to this number. The setting for le should be greater than the setting for ge. length_integer can be any number from 0 to 32.
    Default: 32

prefix {<address_ipv4mask> | any}
    Enter the prefix (IP address and netmask) for this prefix list rule or enter any to match any prefix. The length of the netmask should be less than the setting for ge. If prefix is set to any, ge and le should not be set.
    Default: 0.0.0.0 0.0.0.0
Examples
This example shows how to add a prefix list named prf_list1 with three rules. The first rule permits subnets that match prefix lengths between 26 and 30 for the prefix 192.168.100.0 255.255.255.0. The second rule denies subnets that match the prefix lengths between 20 and 25 for the prefix 10.1.0.0 255.255.0.0. The third rule denies all other traffic.
config router prefix-list
    edit prf_list1
        config rule
            edit 1
                set prefix 192.168.100.0 255.255.255.0
                set action permit
                set ge 26
                set le 30
            next
            edit 2
                set prefix 10.1.0.0 255.255.0.0
                set action deny
                set ge 20
                set le 25
            next
            edit 3
                set prefix any
                set action deny
            end
    end
The following example shows how to create a prefix list that will drop the default route but allow all other prefixes to be passed. The first rule matches the default route only and is set to deny; the second rule will match all other prefixes and allow them to be passed.
config router prefix-list
    edit "drop_default"
        config rule
            edit 1
                set action deny
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
            edit 2
                set prefix any
                unset ge
                unset le
            next
        end
    next
end
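Added example, not part of the reference: a Python model of the prefix-list matching described above, run against prf_list1 and drop_default. It assumes that a rule with neither ge nor le set matches only a prefix of exactly the rule's own length (which is what the drop_default example requires), and that when only one end is set the other end defaults to the rule's length or 32.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PrefixRule:
    """One config rule entry of a prefix list."""
    prefix: str                    # "<address> <netmask>" or "any"
    action: str = "permit"         # permit | deny (permit is the CLI default)
    ge: Optional[int] = None       # None models "unset ge"
    le: Optional[int] = None       # None models "unset le"


def _to_network(addr_mask: str) -> ipaddress.IPv4Network:
    addr, mask = addr_mask.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def rule_matches(rule: PrefixRule, route: ipaddress.IPv4Network) -> bool:
    if rule.prefix == "any":
        return True
    base = _to_network(rule.prefix)
    # The route must fall inside the rule prefix ...
    if not route.subnet_of(base):
        return False
    # ... and its length must satisfy ge/le. Assumption: with neither set,
    # only a prefix of exactly the rule's own length matches; with one end
    # set, the other end defaults to the rule length (low) or 32 (high).
    if rule.ge is None and rule.le is None:
        return route.prefixlen == base.prefixlen
    low = base.prefixlen if rule.ge is None else rule.ge
    high = 32 if rule.le is None else rule.le
    return low <= route.prefixlen <= high


def prefix_list_action(rules: List[PrefixRule], route_str: str) -> str:
    """Rules are tried from the top; the first match decides. No match
    means the implicit deny described above."""
    route = ipaddress.IPv4Network(route_str, strict=False)
    for rule in rules:
        if rule_matches(rule, route):
            return rule.action
    return "deny"


# prf_list1 from the first example above.
PRF_LIST1 = [
    PrefixRule("192.168.100.0 255.255.255.0", "permit", ge=26, le=30),
    PrefixRule("10.1.0.0 255.255.0.0", "deny", ge=20, le=25),
    PrefixRule("any", "deny"),
]

# drop_default from the second example above (rule 2 keeps the default permit).
DROP_DEFAULT = [
    PrefixRule("0.0.0.0 0.0.0.0", "deny"),
    PrefixRule("any"),
]

if __name__ == "__main__":
    for r in ("192.168.100.64/26", "192.168.100.0/24", "10.1.2.0/24"):
        print(r, prefix_list_action(PRF_LIST1, r))
```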
History
FortiOS v2.80      New.
FortiOS v2.80 MR2  Changed default for le from 0 to 32.
Related topics
router access-list
router rip
router setting
rip
Use this command to configure the Routing Information Protocol (RIP) on the FortiGate unit. RIP is a distance-vector routing protocol intended for small, relatively homogeneous networks. RIP uses hop count as its routing metric. Each network is usually counted as one hop. The network diameter is limited to 15 hops, with a hop count of 16 meaning unreachable.
Syntax
config router rip
    set default-information-originate {enable | disable}
    set default-metric <metric_integer>
    set garbage-timer <timer_integer>
    set passive-interface <name_str>
    set timeout-timer <timer_integer>
    set update-timer <timer_integer>
    set version {1 2}
    config distance
        edit <distance_id>
            set access-list <name_str>
            set distance <distance_integer>
            set prefix <address_ipv4mask>
        end
    config distribute-list
        edit <distribute_list_id>
            set direction {in | out}
            set interface <name_str>
            set listname <access/prefix-list name_str>
            set status {enable | disable}
        end
    config interface
        edit <interface_name>
            set auth-keychain <name_str>
            set auth-mode {none | text | md5}
            set auth-string <password_str>
            set receive-version {1 2}
            set send-version {1 2}
            set send-version1-compatible {enable | disable}
            set split-horizon {poisoned | regular}
            set split-horizon-status {enable | disable}
        end
    config neighbor
        edit <neighbor_id>
            set ip <address_ipv4>
        end
    config network
        edit <network_id>
            set prefix <address_ipv4mask>
        end
    config offset-list
        edit <offset_list_id>
            set access-list <name_str>
            set direction {in | out}
            set interface <name_str>
            set offset <metric_integer>
            set status {enable | disable}
        end
    config redistribute {connected | static | ospf | bgp}
        set metric <metric_integer>
        set routemap <name_str>
        set status {enable | disable}
    end
Note: update-timer cannot be larger than timeout-timer and garbage-timer. Attempts to do so will generate an error.
config router rip
Use this command to specify RIP operating parameters. The FortiGate unit implementation of RIP supports both RIP version 1 as defined by RFC 1058, and RIP version 2 as defined by RFC 2453. RIP version 2 enables RIP messages to carry more information, and to support simple authentication and subnet masks.
Note: All keywords are optional.
Variables, descriptions and defaults:

default-information-originate {enable | disable}
    Enter enable to advertise a default static route into RIP.
    Default: disable

default-metric <metric_integer>
    For non-default routes in the static routing table and directly connected networks, the default metric is the metric that the FortiGate unit advertises to adjacent routers. This metric is added to the metrics of learned routes. The default metric can be a number from 1 to 16.
    Default: 1

garbage-timer <timer_integer>
    The time in seconds that must elapse after the timeout interval for a route expires, before RIP deletes the route. If RIP receives an update for the route after the timeout timer expires but before the garbage timer expires, then the entry is switched back to reachable.
    RIP timer defaults are effective in most configurations. All routers and access servers in the network should have the same RIP timer settings.
    The update timer interval cannot be larger than the garbage timer interval.
    Default: 120

passive-interface <name_str>
    Block RIP broadcasts on the specified interface. You can use config neighbor on page 290 and the passive interface command to allow RIP to send unicast updates to the specified neighbor while blocking broadcast updates on the specified interface.
    Default: none.
timeout-timer <timer_integer>
    The time interval in seconds after which a route is declared unreachable. The route is removed from the routing table. RIP holds the route until the garbage timer expires and then deletes the route. If RIP receives an update for the route before the timeout timer expires, then the timeout timer is restarted. If RIP receives an update for the route after the timeout timer expires but before the garbage timer expires, then the entry is switched back to reachable. The value of the timeout timer should be at least three times the value of the update timer.
    RIP timer defaults are effective in most configurations. All routers and access servers in the network should have the same RIP timer settings.
    The update timer interval cannot be larger than the timeout timer interval.
    Default: 180

update-timer <timer_integer>
    The time interval in seconds between RIP updates.
    RIP timer defaults are effective in most configurations. All routers and access servers in the network should have the same RIP timer settings.
    The update timer interval cannot be larger than the timeout or garbage timer intervals.
    Default: 30

version {1 2}
    Enable sending and receiving RIP version 1 packets, RIP version 2 packets, or both for all RIP-enabled interfaces. You can override this setting on a per-interface basis using the receive-version {1 2} and send-version {1 2} keywords described under config interface on page 289.
    Default: 2

Example
This example shows how to enable the advertising of a default static route into RIP, enable the sending and receiving of RIP version 1 packets, and raise the metric of local routes in the static routing table (the default metric) from the default of 1 to 5, so that those routes will be less preferred.
config router rip
    set default-information-originate enable
    set version 1
    set default-metric 5
end
config distance
Use this subcommand to specify an administrative distance. When different routing protocols provide multiple routes to the same destination, the administrative distance sets the priority of those routes. The lowest administrative distance indicates the preferred route. If you specify a prefix, RIP uses the specified distance when the source IP address of a packet matches the prefix.
Note: The distance keyword is required. All other keywords are optional.
Variables, descriptions and defaults:

edit <distance_id>
    Enter an entry number for the distance. The number must be an integer.
    Default: none.

access-list <name_str>
    Enter the name of an access list. The distances associated with the routes in the access list will be modified. To create an access list, see access-list on page 228.
    Default: Null.
distance <distance_integer>
    Enter a number from 1 to 255 to set the administrative distance.
    This keyword is required.
    Default: 0

prefix <address_ipv4mask>
    Optionally enter a prefix to apply the administrative distance to.
    Default: 0.0.0.0 0.0.0.0

Example
This example shows how to change the administrative distance to 10 for all IP addresses that match the internal_example access list.
config router rip
    config distance
        edit 1
            set distance 10
            set access-list internal_example
        end
end
config distribute-list
Use this subcommand to filter incoming or outgoing updates using an access list or a prefix list. If you do not specify an interface, the filter will be applied to all interfaces. You must configure the access list or prefix list that you want the distribution list to use before you configure the distribution list. For more information on configuring access lists and prefix lists, see access-list on page 228 and prefix-list on page 282.
Note: The direction and listname keywords are required. All other keywords are optional.
Variables, descriptions and defaults:

edit <distribute_list_id>
    Enter an entry number for the distribution list. The number must be an integer.
    Default: none.

direction {in | out}
    Set the direction for the filter. Enter in to filter incoming packets. Enter out to filter outgoing packets.
    Default: out

interface <name_str>
    Enter the name of the interface to apply this distribution list to. If you do not specify an interface, this distribution list will be used for all interfaces.
    Default: Null.

listname <access/prefix-list name_str>
    Enter the name of the access list or prefix list to use for this distribution list.
    Default: Null.

status {enable | disable}
    Enable or disable this distribution list.
    Default: disable

Example
This example shows how to configure and enable a distribution list to use an access list named acc_list1 for incoming updates on the external interface.
config router rip
    config distribute-list
        edit 1
            set direction in
            set interface external
            set listname acc_list1
            set status enable
        end
end
config interface
Use this subcommand to configure RIP version 2 authentication, RIP version send and receive for the specified interface, and to configure and enable split horizon.
Authentication is only available for RIP version 2 packets sent and received by an interface. You must set auth-mode to none when receive-version or send-version are set to 1 or 1 2 (both are set to 1 by default).
A split horizon occurs when a router advertises a route it learns over the same interface it learned it on. In this case the router that gave the learned route to the last router now has two entries to get to another location. However, if the primary route fails, that router tries the second route, finds itself as part of the route, and an infinite loop is created. A poisoned split horizon will still advertise the route on the interface it received it on, but it will mark the route as unreachable. Any unreachable routes are automatically removed from the routing table. This is also called split horizon with poison reverse.
Note: All keywords are optional.
Variables, descriptions and defaults:

edit <interface_name>
    Type the name of the FortiGate unit interface that is linked to the RIP network. The interface might be a virtual IPSec or GRE interface.
    Default: none.

auth-keychain <name_str>
    Enter the name of the key chain to use for authentication for RIP version 2 packets sent and received by this interface. Use key chains when you want to configure multiple keys. For information on how to configure key chains, see key-chain on page 251.
    Default: Null.

auth-mode {none | text | md5}
    Use the auth-mode keyword to define the authentication used for RIP version 2 packets sent and received by this interface. If you select none, no authentication is used. If you select text, the authentication key is sent as plain text. If you select md5, the authentication key is used to generate an MD5 hash.
    Both text mode and MD5 mode only guarantee the authenticity of the update packet, not the confidentiality of the routing information in the packet.
    In text mode the key is sent in clear text over the network. Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured router is mistakenly added to the network.
    Use the auth-string keyword to specify the key.
    Default: none

auth-string <password_str>
    Enter a single key to use for authentication for RIP version 2 packets sent and received by this interface. Use auth-string when you only want to configure one key. The key can be up to 35 characters long.
    Default: Null.

receive-version {1 2}
    RIP routing messages are UDP packets that use port 520.
    Enter 1 to configure RIP to listen for RIP version 1 messages on an interface.
    Enter 2 to configure RIP to listen for RIP version 2 messages on an interface.
    Enter 1 2 to configure RIP to listen for both RIP version 1 and RIP version 2 messages on an interface.
    Default: none.
Example
This example shows how to configure the external interface to send and receive RIP version 2, to use MD5 authentication, and to use a key chain called test1.
config router rip
    config interface
        edit external
            set receive-version 2
            set send-version 2
            set auth-mode md5
            set auth-keychain test1
        end
end
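Added example (not FortiGate code): a lint pass over a RIP configuration modelled on the config router rip and config interface keywords in this section. It checks the timer constraints stated above, the rule that auth-mode must be none whenever version 1 is sent or received, and flags clear-text or absent authentication. Interfaces without their own receive-version or send-version are assumed to inherit the global version.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class RipInterface:
    """config interface entry; empty version tuples inherit the global version."""
    name: str
    auth_mode: str = "none"              # none | text | md5
    auth_keychain: str = ""
    auth_string: str = ""
    receive_version: Tuple[int, ...] = ()
    send_version: Tuple[int, ...] = ()


@dataclass
class RipConfig:
    """config router rip with the CLI defaults from the table above."""
    version: Tuple[int, ...] = (2,)
    update_timer: int = 30
    timeout_timer: int = 180
    garbage_timer: int = 120
    interfaces: List[RipInterface] = field(default_factory=list)


def lint_rip(cfg: RipConfig) -> List[str]:
    """Return 'error: ...' / 'warning: ...' findings; an empty list means clean."""
    findings = []
    # Hard constraint from the syntax note: the CLI rejects this combination.
    if cfg.update_timer > cfg.timeout_timer or cfg.update_timer > cfg.garbage_timer:
        findings.append("error: update-timer must not be larger than timeout-timer or garbage-timer")
    # Recommendation from the timeout-timer description.
    elif cfg.timeout_timer < 3 * cfg.update_timer:
        findings.append("warning: timeout-timer should be at least three times update-timer")
    for i in cfg.interfaces:
        # Assumption: an interface without its own versions uses the global version.
        rx = i.receive_version or cfg.version
        tx = i.send_version or cfg.version
        if i.auth_mode != "none" and (1 in rx or 1 in tx):
            findings.append(f"error: {i.name}: auth-mode must be none when version 1 is sent or received")
        if i.auth_mode != "none" and not (i.auth_keychain or i.auth_string):
            findings.append(f"error: {i.name}: auth-mode {i.auth_mode} set without auth-keychain or auth-string")
        if i.auth_mode == "text":
            findings.append(f"warning: {i.name}: text mode sends the key in clear text; prefer md5")
        if i.auth_mode == "none":
            findings.append(f"warning: {i.name}: RIP updates on this interface are not authenticated")
    return findings


# The configuration built up by the examples in this section: global version 1,
# with the external interface overridden to version 2, MD5 and key chain test1.
EXAMPLE_CONFIG = RipConfig(
    version=(1,),
    interfaces=[RipInterface("external", auth_mode="md5", auth_keychain="test1",
                             receive_version=(2,), send_version=(2,))],
)

# Constructed counter-example carrying the mistakes the lint is meant to catch.
BAD_CONFIG = RipConfig(
    version=(1, 2),
    update_timer=200,      # larger than the default timeout-timer of 180
    interfaces=[RipInterface("dmz", auth_mode="text", auth_string="constructed-key")],
)

if __name__ == "__main__":
    for line in lint_rip(BAD_CONFIG):
        print(line)
```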
send-version {1 2}
    RIP routing messages are UDP packets that use port 520.
    Enter 1 to configure RIP to send RIP version 1 messages from an interface.
    Enter 2 to configure RIP to send RIP version 2 messages from an interface.
    Enter 1 2 to configure RIP to send both RIP version 1 and RIP version 2 messages from an interface.
    Default: none.

send-version1-compatible {enable | disable}
    Enable or disable sending broadcast updates from an interface configured for RIP version 2.
    RIP version 2 normally multicasts updates. RIP version 1 can only receive broadcast updates.
    Default: disable

split-horizon {poisoned | regular}
    Configure RIP to use either regular or poisoned split horizon on this interface.
    Select regular to prevent RIP from sending updates for a route back out on the interface from which it received that route.
    Select poisoned to send updates with routes learned on an interface back out the same interface but mark those routes as unreachable.
    Default: poisoned

split-horizon-status {enable | disable}
    Enable or disable split horizon for this interface. Split horizon is enabled by default.
    Disable split horizon only if there is no possibility of creating a counting-to-infinity loop when network topology changes.
    Default: enable

config neighbor
Use this subcommand to enable RIP to send unicast routing updates to the router at the specified address. You can use the neighbor subcommand and passive-interface <name_str> on page 286 to allow RIP to send unicast updates to the specified neighbor while blocking broadcast updates on the specified interface. You can configure multiple neighbors.
Note: The ip keyword is required. All other keywords are optional.
Variables, descriptions and defaults:

edit <neighbor_id>
    Enter an entry number for the RIP neighbor. The number must be an integer.
    Default: none.

ip <address_ipv4>
    Enter the IP address of the neighboring router to which to send unicast updates.
    Default: 0.0.0.0
Example
This example shows how to specify that the router at 192.168.21.20 is a neighbor.
config router rip
    config neighbor
        edit 1
            set ip 192.168.21.20
        end
end
config network
Use this subcommand to identify the networks for which to send and receive RIP updates. If a network is not specified, interfaces in that network will not be advertised in RIP updates.
Note: The prefix keyword is optional.
Variables, descriptions and defaults:

edit <network_id>
    Enter an entry number for the RIP network. The number must be an integer.
    Default: none.

prefix <address_ipv4mask>
    Enter the IP address and netmask for the RIP network.
    Default: 0.0.0.0 0.0.0.0

Example
Use the following command to enable RIP for the interfaces attached to networks specified by the IP address 10.0.0.0 and the netmask 255.255.255.0.
config router rip
    config network
        edit 2
            set prefix 10.0.0.0 255.255.255.0
        end
end
config offset-list
Use this subcommand to add the specified offset to the metric (hop count) of a route from the offset list.
Note: The access-list, direction, and offset keywords are required. All other keywords are optional.
Variables, descriptions and defaults:

edit <offset_list_id>
    Enter an entry number for the offset list. The number must be an integer.
    Default: none.

access-list <name_str>
    Enter the name of the access list to use for this offset list. The access list is used to determine which routes to add the metric to.
    Default: Null.

direction {in | out}
    Enter in to apply the offset to the metrics of incoming routes. Enter out to apply the offset to the metrics of outgoing routes.
    Default: out

interface <name_str>
    Enter the name of the interface to match for this offset list.
    Default: Null.
offset <metric_integer>
    Enter the offset number to add to the metric. The metric is the hop count. The metric_integer range is from 1 to 16, with 16 being unreachable.
    Default: 0

status {enable | disable}
    Enable or disable this offset list.
    Default: disable

Example
This example shows how to configure and enable offset list number 5, which adds a metric of 3 to incoming routes that match the access list named acc_list1 on the external interface.
config router rip
    config offset-list
        edit 5
            set access-list acc_list1
            set direction in
            set interface external
            set offset 3
            set status enable
        end
end
config redistribute
Use this subcommand to redistribute routes learned from OSPF, BGP, static routes, or a direct connection to the destination network.
The RIP redistribution table contains four static entries. You cannot add entries to the table. The entries are defined as follows:
    bgp         Redistribute routes learned from BGP.
    connected   Redistribute routes learned from a direct connection to the destination network.
    ospf        Redistribute routes learned from OSPF.
    static      Redistribute the static routes defined in the FortiGate unit routing table.
When you enter the subcommand, end the command with one of the four static entry names (that is, config redistribute {bgp | connected | ospf | static}).
Note: All keywords are optional.
Variables, descriptions and defaults:

metric <metric_integer>
    Enter the metric value to be used for the redistributed routes. The metric_integer range is from 0 to 16.
    Default: 0

routemap <name_str>
    Enter the name of the route map to use for the redistributed routes. For information on how to configure route maps, see route-map on page 294.
    Default: Null.

status {enable | disable}
    Enable or disable redistributing routes.
    Default: disable
Example
This example shows how to enable route redistribution from OSPF, using a metric of 3 and a route map named rtmp2.
config router rip
    config redistribute ospf
        set metric 3
        set routemap rtmp2
        set status enable
    end
History
FortiOS v2.80      Substantially revised.
FortiOS v2.80 MR7  Added access-list keyword to config distance subcommand.
Related topics
router access-list
router key-chain
router prefix-list
router route-map
get router info protocols
get router info rip
get router info routing-table
route-map
Use this command to add, edit, or delete route maps. To use the command to limit the number of received or advertised BGP route and routing updates using route maps, see Using route maps with BGP on page 295.
Route maps provide a way for the FortiGate unit to evaluate optimum routes for forwarding packets or suppressing the routing of packets to particular destinations. Compared to access lists, route maps support enhanced packet-matching criteria. In addition, route maps can be configured to permit or deny the addition of routes to the FortiGate unit routing table and make changes to routing information dynamically as defined through route-map rules.
The FortiGate unit compares the rules in a route map to the attributes of a route. The rules are examined in ascending order until one or more of the rules in the route map are found to match one or more of the route attributes:
• When a single matching match-* rule is found, changes to the routing information are made as defined through the rule's set-ip-nexthop, set-metric, set-metric-type, and/or set-tag settings.
• If no matching rule is found, no changes are made to the routing information.
• When more than one match-* rule is defined, all of the defined match-* rules must evaluate to TRUE or the routing information is not changed.
• If no match-* rules are defined, the FortiGate unit makes changes to the routing information only when all of the default match-* rules happen to match the attributes of the route.
The default rule in the route map (which the FortiGate unit applies last) denies all routes. For a route map to take effect, it must be called by a FortiGate unit routing process.
Syntax
config router route-map
    edit <route_map_name>
        set comments <string>
        config rule
            edit <route_map_rule_id>
                set action {deny | permit}
                set match-interface <name_str>
                set match-ip-address <access/prefix-list name_str>
                set match-ip-nexthop <access/prefix-list name_str>
                set match-metric <metric_integer>
                set match-route-type {1 | 2}
                set match-tag <tag_integer>
                set set-ip-nexthop <address_ipv4>
                set set-metric <metric_integer>
                set set-metric-type {1 | 2}
                set set-tag <tag_integer>
            end
    end
Note: Any keywords and rules that do not appear here can be found in the BGP route-map section. See Using route maps with BGP on page 295.
Note: All keywords are optional.
Example
This example shows how to add a route map named rtmp2 with two rules. The first rule denies routes that match the IP addresses in an access list named acc_list2. The second rule permits routes that match a metric of 2 and changes the metric to 4.
config router route-map
    edit rtmp2
        config rule
            edit 1
                set match-ip-address acc_list2
                set action deny
            next
            edit 2
                set match-metric 2
                set action permit
                set set-metric 4
            end
    end
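Added example, not from the reference: a Python evaluation of the route-map rules explained above, run against rtmp2 with a constructed acc_list2. Named access/prefix lists are simplified to membership of an address in a set of networks, all defined match-* keywords of a rule must hold for it to match, a rule with no match-* keyword is assumed to match every route, and a route that matches no rule falls to the implicit deny.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass
class Route:
    """Constructed route attributes that the match-* keywords look at."""
    prefix: str                  # e.g. "10.1.2.0/24"
    nexthop: str = "0.0.0.0"
    metric: int = 1
    tag: int = 0
    interface: str = ""


@dataclass
class RouteMapRule:
    """One config rule entry; None means the keyword is not set."""
    action: str = "permit"
    match_interface: Optional[str] = None
    match_ip_address: Optional[str] = None    # name of an access/prefix list
    match_ip_nexthop: Optional[str] = None
    match_metric: Optional[int] = None
    match_tag: Optional[int] = None
    set_ip_nexthop: Optional[str] = None
    set_metric: Optional[int] = None
    set_tag: Optional[int] = None


# Simplification: a named list is a set of networks an address may belong to.
ListTable = Dict[str, List[str]]


def _in_list(lists: ListTable, name: str, addr: str) -> bool:
    ip = ipaddress.IPv4Address(addr)
    return any(ip in ipaddress.IPv4Network(n) for n in lists[name])


def rule_matches(rule: RouteMapRule, route: Route, lists: ListTable) -> bool:
    """Every match-* keyword that is set must evaluate to TRUE."""
    checks = []
    if rule.match_interface is not None:
        checks.append(route.interface == rule.match_interface)
    if rule.match_ip_address is not None:
        checks.append(_in_list(lists, rule.match_ip_address, route.prefix.split("/")[0]))
    if rule.match_ip_nexthop is not None:
        checks.append(_in_list(lists, rule.match_ip_nexthop, route.nexthop))
    if rule.match_metric is not None:
        checks.append(route.metric == rule.match_metric)
    if rule.match_tag is not None:
        checks.append(route.tag == rule.match_tag)
    # Assumption: a rule with no match-* keyword matches every route.
    return all(checks)


def apply_route_map(rules: List[RouteMapRule], route: Route, lists: ListTable) -> Optional[Route]:
    """Rules are examined in ascending order; the first matching rule decides.
    permit returns a modified copy of the route, deny drops it (None), and the
    implicit last rule denies anything that matched no rule."""
    for rule in rules:
        if not rule_matches(rule, route, lists):
            continue
        if rule.action == "deny":
            return None
        changed = replace(route)          # copy; the input route is left as is
        if rule.set_ip_nexthop is not None:
            changed.nexthop = rule.set_ip_nexthop
        if rule.set_metric is not None:
            changed.metric = rule.set_metric
        if rule.set_tag is not None:
            changed.tag = rule.set_tag
        return changed
    return None


# rtmp2 from the example above; acc_list2 is a constructed access list.
LISTS = {"acc_list2": ["172.16.0.0/12"]}
RTMP2 = [
    RouteMapRule(action="deny", match_ip_address="acc_list2"),
    RouteMapRule(action="permit", match_metric=2, set_metric=4),
]

if __name__ == "__main__":
    print(apply_route_map(RTMP2, Route("10.1.2.0/24", metric=2), LISTS))
```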
Variables, descriptions and defaults:

edit <route_map_name>
    Enter a name for the route map.
    Default: none.

comments <string>
    Enter a description for this route map name.
    Default: none.

config rule variables

edit <route_map_rule_id>
    Enter an entry number for the rule. The number must be an integer.
    Default: none.

action {deny | permit}
    Enter permit to permit routes that match this rule. Enter deny to deny routes that match this rule.
    Default: permit

match-interface <name_str>
    Enter the name of the local FortiGate unit interface that will be used to match route interfaces.
    Default: Null.

match-ip-address <access/prefix-list name_str>
    Match a route if the destination address is included in the specified access list or prefix list.
    Default: Null.

match-ip-nexthop <access/prefix-list name_str>
    Match a route that has a next-hop router address included in the specified access list or prefix list.
    Default: Null.

match-metric <metric_integer>
    Match a route with the specified metric. The metric can be a number from 1 to 16.
    Default: 0

match-route-type {1 | 2}
    Match a route that has the external type set to 1 or 2.
    Default: external-type1

match-tag <tag_integer>
    This keyword is available when set-tag is set. Match a route that has the specified tag.
    Default: 0

set-ip-nexthop <address_ipv4>
    Set the next-hop router address for a matched route.
    Default: 0.0.0.0

set-metric <metric_integer>
    Set a metric value of 1 to 16 for a matched route.
    Default: 0

set-metric-type {1 | 2}
    Set the type for a matched route.
    Default: external-type1

set-tag <tag_integer>
    Set a tag value for a matched route.
    Default: 0

Using route maps with BGP
When a connection is established between BGP peers, the two peers exchange all of their BGP route entries. Afterward, they exchange updates that only include changes to the existing routing information. Several BGP entries may be present in a route-map table. You can limit the number of received or advertised BGP route and routing updates using route maps. Use the config router route-map command to create, edit, or delete a route map.
Syntax

config router route-map
    edit <route_map_name>
        set comments <string>
        config rule
            edit <route_map_rule_id>
                set match-as-path <aspath-list-name_str>
                set match-community <community-list-name_str>
                set match-community-exact {enable | disable}
                set match-origin {egp | igp | incomplete | none}
                set set-aggregator-as <id_integer>
                set set-aggregator-ip <address_ipv4>
                set set-aspath <id_integer> <id_integer> <id_integer> ...
                set set-atomic-aggregate {enable | disable}
                set set-community-delete <community-list-name_str>
                set set-community <criteria>
                set set-community-additive {enable | disable}
                set set-dampening-reachability-half-life <minutes>
                set set-dampening-reuse <reuse_integer>
                set set-dampening-suppress <suppress_integer>
                set set-dampening-max-suppress <minutes>
                set set-dampening-unreachability-half-life <minutes>
                set set-extcommunity-rt <AA:NN> <AA:NN> <AA:NN> ...
                set set-extcommunity-soo <AA:NN> <AA:NN> <AA:NN> ...
                set set-local-preference <preference_integer>
                set set-originator-id <address_ipv4>
                set set-origin {egp | igp | incomplete | none}
                set set-weight <weight_integer>
        end
    end

Note: When you specify a route map for the dampening-route-map value through the config router bgp command (see dampening-route-map <routemap-name_str> on page 239), the FortiGate unit ignores global dampening settings. You cannot set global dampening settings for the FortiGate unit and then override those values through a route map.

Note: All keywords are optional.
Variables, descriptions and defaults

edit <route_map_name>
    Enter a name for the route map. No default.
comments <string>
    Enter a description for this route map name. No default.

config rule variables

edit <route_map_rule_id>
    Enter an entry number for the rule. The number must be an integer. No default.
match-as-path <aspath-list-name_str>
    Enter the AS-path list name that will be used to match BGP route prefixes. You must create the AS-path list before it can be selected here. See aspath-list on page 231. Default: Null.
match-community <community-list-name_str>
    Enter the community list name that will be used to match BGP routes according to their COMMUNITY attributes. You must create the community list before it can be selected here. See community-list on page 248. Default: Null.
match-community-exact {enable | disable}
    This keyword is available when match-community is set. Enable or disable an exact match of the BGP route community specified by the match-community keyword. Default: disable.
match-origin {egp | igp | incomplete | none}
    Enter a value to compare to the ORIGIN attribute of a routing update:
    To compare the NLRI learned from the Exterior Gateway Protocol (EGP), select egp. The FortiGate unit has the second-highest preference for routes of this type.
    To compare the NLRI learned from a protocol internal to the originating AS, select igp. The FortiGate unit has the highest preference for routes learned through an Interior Gateway Protocol (IGP).
    To match routes that were learned some other way (for example, through redistribution), select incomplete.
    To disable the matching of BGP routes based on the origin of the route, select none.
    Default: none.
set-aggregator-as <id_integer>
    Set the originating AS of an aggregated route. The value specifies at which AS the aggregate route originated. The range is from 1 to 65535. The set-aggregator-ip value must also be set to further identify the originating AS. Default: unset.
set-aggregator-ip <address_ipv4>
    This keyword is available when set-aggregator-as is set. Set the IP address of the BGP router that originated the aggregate route. The value should be identical to the FortiGate unit router-id value (see router-id <address_ipv4> on page 240). Default: 0.0.0.0.
set-aspath <id_integer> <id_integer> <id_integer> ...
    Modify the FortiGate unit AS_PATH attribute and add to it the AS numbers of the AS path belonging to a BGP route. The resulting path describes the autonomous systems along the route to the destination specified by the NLRI. The range is from 1 to 65535.
    The set-aspath value is added to the beginning of the AS_SEQUENCE segment of the AS_PATH attribute of incoming routes, or to the end of the AS_SEQUENCE segment of the AS_PATH attribute of outgoing routes.
    Enclose all AS numbers in quotes if there are multiple occurrences of the same id_integer. Otherwise the AS path may be incomplete. No default.
set-atomic-aggregate {enable | disable}
    Enable or disable a warning to upstream routers through the ATOMIC_AGGREGATE attribute that address aggregation has occurred on an aggregate route. This value does not have to be specified when an as-set value is specified in the aggregate-address table (see config aggregate-address on page 241). Default: disable.
set-community-delete <community-list-name_str>
    Remove the COMMUNITY attributes from the BGP routes identified in the specified community list. You must create the community list before it can be selected here (see community-list on page 248). Default: Null.
set-community <criteria>
    Set the COMMUNITY attribute of a BGP route.
    Use decimal notation to set a specific COMMUNITY attribute for the route. The value has the syntax AA:NN, where AA represents an AS, and NN is the community identifier. Delimit complex expressions with double-quotation marks (for example, "123:234 345:456").
    To make the route part of the Internet community, select internet.
    To make the route part of the LOCAL_AS community, select local-AS.
    To make the route part of the NO_ADVERTISE community, select no-advertise.
    To make the route part of the NO_EXPORT community, select no-export.
    No default.
set-community-additive {enable | disable}
    This keyword is available when set-community is set. Enable or disable the appending of the set-community value to a BGP route. Default: disable.
set-dampening-reachability-half-life <minutes>
    Set the dampening reachability half-life of a BGP route (in minutes). The range is from 1 to 45. Default: 0.
set-dampening-reuse <reuse_integer>
    Set the value at which a dampened BGP route will be reused. The range is from 1 to 20000. If you set set-dampening-reuse, you must also set set-dampening-suppress and set-dampening-max-suppress. Default: 0.
set-dampening-suppress <suppress_integer>
    Set the limit at which a BGP route may be suppressed. The range is from 1 to 20000. See also dampening-suppress <limit_integer> on page 239. Default: 0.
set-dampening-max-suppress <minutes>
    Set the maximum time (in minutes) that a BGP route can be suppressed. The range is from 1 to 255. See also dampening-max-suppress-time <minutes_integer> on page 238. Default: 0.
set-dampening-unreachability-half-life <minutes>
    Set the unreachability half-life of a BGP route (in minutes). The range is from 1 to 45. See also dampening-unreachability-half-life <minutes_integer> on page 239. Default: 0.
set-extcommunity-rt <AA:NN> <AA:NN> <AA:NN> ...
    Set the route target extended community (in decimal notation) of a BGP route. The value has the syntax AA:NN, where AA represents an AS, and NN is the community identifier. No default.
set-extcommunity-soo <AA:NN> <AA:NN> <AA:NN> ...
    Set the site-of-origin extended community (in decimal notation) of a BGP route. The value has the syntax AA:NN, where AA represents an AS, and NN is the community identifier. No default.
set-local-preference <preference_integer>
    Set the LOCAL_PREF value of an IBGP route. The value is advertised to IBGP peers. The range is from 0 to 4294967295. A higher number signifies a preferred route among multiple routes to the same destination. Default: 0.
set-originator-id <address_ipv4>
    Set the ORIGINATOR_ID attribute, which is equivalent to the router-id of the originator of the route in the local AS. Route reflectors use this value to prevent routing loops. Default: 0.0.0.0.
set-origin {egp | igp | incomplete | none}
    Set the ORIGIN attribute of a local BGP route.
    To set the value to the NLRI learned from the Exterior Gateway Protocol (EGP), select egp.
    To set the value to the NLRI learned from a protocol internal to the originating AS, select igp.
    If you did not specify egp or igp, select incomplete.
    To disable the ORIGIN attribute, select none.
    Default: none.
set-weight <weight_integer>
    Set the weight of a BGP route. A route's weight has the most influence when two identical BGP routes are compared. A higher number signifies a greater preference. The range is from 0 to 2147483647. Default: 0.

Example

This example shows how to create a route map named BGP_rtmp2. The route map contains two rules. The first rule permits operations on routes that match the IP addresses in an access list named acc_list2. The second rule permits operations on routes according to a community list named com_list3.

config router route-map
    edit BGP_rtmp2
        set comments "example BGP route map"
        config rule
            edit 1
                set match-ip-address acc_list2
                set action permit
            next
            edit 2
                set match-community com_list3
                set action permit
        end
    end

History

FortiOS v2.80      New.
FortiOS v3.0       Added support for BGP.
FortiOS v3.0 MR6   Added comments keyword.

Related topics

router access-list
router prefix-list
router rip
router aspath-list
router bgp
router community-list
router key-chain
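A second route map, added to this reference as an example and not taken from the original page or from Fortinet, shows an inbound BGP policy built only from the keywords documented above. It assumes that an AS-path list named asp_bogon and a community list named com_customer have already been created with the aspath-list and community-list commands (both names are chosen for this example), and that a rule with no match keyword matches every route, which is standard route-map behaviour but is stated here as an assumption. Rule 1 rejects routes whose AS path matches the bogon list before any set keyword can act on them; rule 2 raises LOCAL_PREF for routes carrying exactly the customer community and tags them no-export so they are not re-advertised to other external peers; rule 3 gives every remaining route the baseline preference. The separate route map BGP_dampen sets the three dampening keywords that the table above requires to be set together, for use as the dampening-route-map value in config router bgp.

```fortios
config router route-map
    edit "BGP_in_ISP1"
        set comments "added example: inbound policy from upstream ISP1"
        config rule
            edit 1
                set match-as-path "asp_bogon"
                set action deny
            next
            edit 2
                set match-community "com_customer"
                set match-community-exact enable
                set action permit
                set set-local-preference 200
                set set-community no-export
            next
            edit 3
                set action permit
                set set-local-preference 100
            next
        end
    next
    edit "BGP_dampen"
        set comments "added example: referenced by dampening-route-map in config router bgp"
        config rule
            edit 1
                set action permit
                set set-dampening-reachability-half-life 15
                set set-dampening-reuse 750
                set set-dampening-suppress 2000
                set set-dampening-max-suppress 60
            next
        end
    next
end
```

Rules are evaluated in order of their entry number, so the deny rule must keep the lowest number: renumbering it above the permit-all rule would silently readmit the bogon routes. The dampening values are inside the documented ranges but are illustrative, not tuned for any particular peer, and once the route map is referenced by dampening-route-map the global dampening settings are ignored, as the note above states.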
setting

Use this command to use a prefix list as a filter to show routes.

Command

config router setting
    set show-filter <prefix_list>
end

History

FortiOS v4.0   New.

Related topics

router prefix-list
static

Use this command to add, edit, or delete static routes for IPv4 traffic. For IPv6 traffic, use the static6 command. You add static routes to control traffic exiting the FortiGate unit. You configure routes by specifying destination IP addresses and network masks and adding gateways for these destination addresses. Gateways are the next-hop routers to which traffic that matches the destination addresses in the route is forwarded.

You can adjust the administrative distance of a route to indicate preference when more than one route to the same destination is available. The lower the administrative distance, the more preferred the route. If the routing table contains several entries that point to the same destination (the entries may have different gateways or interface associations), the FortiGate unit compares the administrative distances of those entries, selects the entries having the lowest distances, and installs them as routes in the FortiGate unit forwarding table. Any ties are resolved by comparing the routes' priority, with the lowest priority value being preferred. As a result, the FortiGate unit forwarding table only contains routes having the lowest distances to every possible destination. If both administrative distance and priority are tied for two or more routes, an equal cost multi-path (ECMP) situation occurs. In this case, the egress index for the routes is used to determine the selected route.

After the FortiGate unit selects static routes for the forwarding table based on their administrative distances, the sequence numbers of those routes determine routing priority. When two routes to the same destination exist in the forwarding table, the FortiGate unit selects the route having the lowest sequence number.
Syntax

config router static
    edit <sequence_number>
        set blackhole {enable | disable}
        set device <interface_name>
        set distance <distance>
        set dst <destination-address_ipv4mask>
        set dynamic-gateway {enable | disable}
        set gateway <gateway-address_ipv4>
        set priority <integer>
    end

Note: The dst and gateway keywords are required when blackhole is disabled. When blackhole is enabled, the dst keyword is required. All other keywords are optional.

Variables, descriptions and defaults

edit <sequence_number>
    Enter a sequence number for the static route. The sequence number may influence routing priority in the FortiGate unit forwarding table. No default.
blackhole {enable | disable}
    Enable or disable dropping all packets that match this route. This route is advertised to neighbors through dynamic routing protocols as any other static route. Default: disable.
device <interface_name>
    This keyword is available when blackhole is set to disable. Enter the name of the FortiGate unit interface through which to route traffic. Use ? to see a list of interfaces. Default: Null.
distance <distance>
    Enter the administrative distance for the route. The distance value may influence route preference in the FortiGate unit routing table. The range is an integer from 1 to 255. See also config system interface distance <distance_integer> on page 259. Default: 10.
dst <destination-address_ipv4mask>
    Enter the destination IP address and network mask for this route. You can enter 0.0.0.0 0.0.0.0 to create a new static default route. Default: 0.0.0.0 0.0.0.0.
dynamic-gateway {enable | disable}
    When enabled, dynamic-gateway hides the gateway variable for a dynamic interface, such as a DHCP or PPPoE interface. When the interface connects or disconnects, the corresponding routing entries are updated to reflect the change. Default: disable.
gateway <gateway-address_ipv4>
    This keyword is available when blackhole is set to disable. Enter the IP address of the next-hop router to which traffic is forwarded. Default: 0.0.0.0.
priority <integer>
    The administrative priority value is used to resolve ties in route selection. In the case where both routes have the same priority, such as equal cost multi-path (ECMP), the egress index for the routes is used to determine the selected route. The range is an integer from 0 to 4294967295. Lower priority values are preferred. This field is only accessible through the CLI. Default: 0.

Example

This example shows how to add a static route that has the sequence number 2.

config router static
    edit 2
        set device internal
        set dst 192.168.22.0 255.255.255.0
        set gateway 192.168.22.44
    end

This example shows how to add a static route for a dynamic modem interface with an administrative distance of 1 and a priority of 1. These settings make this the preferred route.

config router static
    edit 3
        set device modem
        set dynamic-gateway enable
        set dst 10.0.0.0 255.255.255.0
        set distance 1
        set priority 1
    end

History

FortiOS v2.80      Substantially revised.
FortiOS v3.0       Added blackhole attribute.
FortiOS v3.0 MR2   Added dynamic-gateway attribute.
FortiOS v3.0 MR6   Added default value for priority.

Related topics

system interface
get router info routing-table
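A further example, added to this reference and not taken from the original page, puts the distance and priority rules described above to work. The interface names wan1 and wan2 and the gateway addresses are assumptions chosen for this example. Routes 10 and 11 are two default routes with the same distance, so both remain candidates and the lower priority value on wan1 carries traffic until that route is withdrawn, after which wan2 takes over. Route 20 is a blackhole for the whole 10.0.0.0/8 private block: any more specific route (for example one pointing into a VPN tunnel) is still used because longest-prefix matching comes first, and a route to the same prefix with a lower distance overrides it, but when no such route exists, packets for the block are dropped rather than forwarded to the Internet through the default route.

```fortios
config router static
    edit 10
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device wan1
        set distance 10
        set priority 5
    next
    edit 11
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device wan2
        set distance 10
        set priority 20
    next
    edit 20
        set dst 10.0.0.0 255.0.0.0
        set blackhole enable
        set distance 250
    next
end
```

Because blackhole is enabled, dst is the only required keyword for route 20 and the device and gateway keywords are not available. Check the result with get router info routing-table. As the blackhole description above states, the route is advertised to dynamic routing neighbors like any other static route, so it will appear wherever static routes are redistributed.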
static6

Use this command to add, edit, or delete static routes for IPv6 traffic. You add static routes to specify the destination of traffic exiting the FortiGate unit. You configure routes by adding destination IP addresses and network masks and adding gateways for these destination addresses. The gateways are the next-hop routers to which traffic that matches the destination addresses in the route is forwarded.

Syntax

config router static6
    edit <sequence_number>
        set device <interface_name>
        set dst <destination-address_ipv6mask>
        set gateway <gateway-address_ipv6>
    end

Note: You can configure static routes for IPv6 traffic on FortiGate units that run in NAT/Route mode.

Note: The device, dst, and gateway keywords are all required.

Variables, descriptions and defaults

edit <sequence_number>
    Enter a sequence number for the static route. No default.
device <interface_name>
    The name of the FortiGate unit interface through which to route traffic. Default: Null.
dst <destination-address_ipv6mask>
    The destination IPv6 address and netmask for this route. You can enter ::/0 to create a new static default route for IPv6 traffic. Default: ::/0.
gateway <gateway-address_ipv6>
    The IPv6 address of the next-hop router to which traffic is forwarded. Default: ::.

Example

This example shows how to add an IPv6 static route that has the sequence number 2.

config router static6
    edit 2
        set device internal
        set dst 2001:DB8::/32
        set gateway 2001:DB8:0:CD30:123:4567:89AB:CDEF
    end

History

FortiOS v2.80   New.

Related topics

system interface
get router info routing-table
spamfilter
Use spamfilter commands to create a banned word list, configure filters based on email addresses, IP addresses, and MIME headers, and to configure the FortiGuard-Antispam service.
This chapter contains the following sections:
bword
emailbwl
fortishield
ipbwl
iptrust
mheader
options
DNSBL
bword
Use this command to add or edit and configure options for the spam filter banned word list.
The FortiGate spam filters are applied in the following order:
For SMTP
1 IP address BWL check - Last hop IP
2 DNSBL & ORDBL check, IP address FortiGuard check, HELO DNS lookup
3 E-mail address BWL check
4 MIME headers check
5 IP address BWL check (for IPs extracted from Received headers)
6 Return e-mail DNS check, FortiGuard Antispam check (for IPs extracted from Received headers, and
URLs in email content)
7 Banned word check
For POP3 and IMAP
1 E-mail address BWL check
2 MIME headers check, IP BWL check
3 Return e-mail DNS check, FortiGuard Antispam check, DNSBL & ORDBL check
4 Banned word check
For SMTP, POP3, and IMAP
Control spam by blocking email messages containing specific words or patterns. If enabled in the protection profile, the FortiGate unit searches for words or patterns in email messages. If matches are found, the values assigned to the words are totalled. If a user-defined threshold value is exceeded, the message is marked as spam. If no match is found, the email message is passed along to the next filter.

Use Perl regular expressions or wildcards to add banned word patterns to the list. See Using Perl regular expressions on page 48. Add one or more banned words to sort email containing those words in the email subject, body, or both. Words can be marked as spam or clear. Banned words can be one word or a phrase up to 127 characters long.

If a single word is entered, the FortiGate unit blocks all email that contains that word. If a phrase is entered, the FortiGate unit blocks all email containing the exact phrase. To block any word in a phrase, use Perl regular expressions.
Syntax

config spamfilter bword
    edit <list_int>
        set name <list_str>
        set comment <comment_str>
        config entries
            edit <banned_word_int>
                set action {clear | spam}
                set language {french | japanese | korean | simch | thai | trach | western}
                set pattern <banned_word_str>
                set pattern-type {regexp | wildcard}
                set score <int>
                set status {enable | disable}
                set where {all | body | subject}
        end
    end

Note: Perl regular expression patterns are case sensitive for Spam Filter banned words. To make a word or phrase case insensitive, use the regular expression modifier /i. For example, /bad language/i blocks all instances of bad language regardless of case. Wildcard patterns are not case sensitive.

Keywords and variables, descriptions and defaults

<list_int>
    A unique number to identify the banned word list.
<list_str>
    The name of the banned word list.
<comment_str>
    The comment attached to the banned word list.
<banned_word_int>
    A unique number to identify the banned word or pattern.
action {clear | spam}
    Enter clear to allow the email. Enter spam to apply the spam action configured in the protection profile. Default: spam.
language {french | japanese | korean | simch | thai | trach | western}
    Enter the language character set used for the banned word or phrase. Choose from French, Japanese, Korean, Simplified Chinese, Thai, Traditional Chinese, or Western. Default: western.
pattern <banned_word_str>
    Enter the banned word or phrase pattern using regular expressions or wildcards. No default.
pattern-type {regexp | wildcard}
    Enter the pattern type for the banned word (pattern). Choose from regular expressions or wildcard. Default: wildcard.
score <int>
    A numerical weighting applied to the banned word. The score values of all the matching words appearing in an email message are added, and if the total is greater than the spamwordthreshold value set in the protection profile, the message is processed according to the spam action setting in the protection profile. The score for a banned word is counted once even if the word appears multiple times in an email message. Default: 10.
status {enable | disable}
    Enable or disable scanning email for each banned word. Default: enable.
where {all | body | subject}
    Enter where in the email to search for the banned word or phrase. Default: all.

History

FortiOS v2.80       New.
FortiOS v2.80 MR2   Added french and thai variables to the language keyword.
FortiOS v3.0        Added score variable. Added multiple-list capability for models 800 and above.
FortiOS v3.0 MR4    All models have the same CLI syntax now.

Related topics

spamfilter emailbwl
spamfilter fortishield
spamfilter ipbwl
spamfilter iptrust
spamfilter mheader
spamfilter options
spamfilter DNSBL
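A banned word list assembled as an added example for this reference; it is not from the original page, and its patterns and scores are constructed. Entry 1 is a Perl regular expression made case-insensitive with the /i modifier, so VERIFY YOUR ACCOUNT matches as well as the lower-case form. Entry 2 is a wildcard pattern, which is case-insensitive anyway, limited to the subject line and given a lower score. Entry 3 is a case-sensitive regular expression, so only that exact spelling counts. Since each entry's score is counted once per message regardless of how often the word appears, a message that hits entries 1 and 2 scores 15 and a message that hits entry 2 three times still scores 5; which of those exceeds the threshold depends on the spamwordthreshold value set in the protection profile.

```fortios
config spamfilter bword
    edit 1
        set name "phish_words"
        set comment "added example list; patterns and scores are constructed"
        config entries
            edit 1
                set pattern "/verify your account/i"
                set pattern-type regexp
                set score 10
                set where all
                set action spam
                set status enable
            next
            edit 2
                set pattern "*claim*prize*"
                set pattern-type wildcard
                set score 5
                set where subject
                set action spam
            next
            edit 3
                set pattern "/Western Union/"
                set pattern-type regexp
                set score 10
                set where body
                set action spam
            next
        end
    next
end
```

Entries are only consulted if the banned word check is enabled in the protection profile, and it runs last in the filter order listed above, so mail already cleared by an earlier filter never reaches these patterns.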
emailbwl
Use this command to filter email based on the senders email address or address pattern.
The FortiGate spam filters are applied in the order listed under spamfilter bword.
For SMTP, POP3, and IMAP
The FortiGate unit uses the email address list to filter incoming email. The FortiGate unit compares the
email address or domain of the sender to the list in sequence. If a match is found, the corresponding action
is taken. If no match is found, the email is passed on to the next spam filter.
The FortiGate unit can filter email from specific senders or all email from a domain (such as example.net).
Each email address can be marked as clear or spam.
Use Perl regular expressions or wildcards to add email address patterns to the list. See Using Perl regular
expressions on page 48.
Syntax

config spamfilter emailbwl
    edit <list_int>
        set name <list_str>
        set comment <comment_str>
        config entries
            edit <email_int>
                set action {clear | spam}
                set email-pattern <email_str>
                set pattern-type {regexp | wildcard}
                set status {enable | disable}
        end
    end

Keywords and variables, descriptions and defaults

<list_int>
    A unique number to identify the email black/white list.
<list_str>
    The name of the email black/white list.
<comment_str>
    The comment attached to the email black/white list.
<email_int>
    A unique number to identify the email pattern.
action {clear | spam}
    Enter clear to exempt the email from the rest of the spam filters. Enter spam to apply the spam action configured in the protection profile. Default: spam.
email-pattern <email_str>
    Enter the email address pattern using wildcards or Perl regular expressions.
pattern-type {regexp | wildcard}
    Enter the pattern-type for the email address. Choose from wildcards or Perl regular expressions. Default: wildcard.
status {enable | disable}
    Enable or disable scanning for each email address. Default: enable.

History

FortiOS v2.80       New.
FortiOS v3.0        Added multiple-list capability for models 800 and above.
FortiOS v3.0 MR4    All models have the same CLI syntax now.

Related topics

spamfilter bword
spamfilter fortishield
spamfilter ipbwl
spamfilter iptrust
spamfilter mheader
spamfilter options
spamfilter DNSBL
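An email black/white list added here as an example; it is not from the original page, and the addresses are constructed. Entry 1 exempts a partner domain with an anchored Perl regular expression: the ^ and $ anchors and the literal [.] make it match only addresses at example.net or one of its subdomains, whereas a wildcard such as *example.net also matches any longer domain that merely ends in those characters (user@notexample.net, for instance) and should be checked against lookalike domains before use. Entry 2 marks a lookalike pattern, example.net followed by a further label, as spam, and entry 3 marks a single sender as spam. Because the list is compared in sequence and the first match decides, the exemption must keep the lowest entry number, and because clear skips every later spam filter, exemptions should be as narrow as possible.

```fortios
config spamfilter emailbwl
    edit 1
        set name "sender_bwl"
        set comment "added example; addresses are constructed"
        config entries
            edit 1
                set email-pattern "/^[^@]+@([a-z0-9-]+[.])*example[.]net$/i"
                set pattern-type regexp
                set action clear
                set status enable
            next
            edit 2
                set email-pattern "*@example.net.*"
                set pattern-type wildcard
                set action spam
            next
            edit 3
                set email-pattern "bulk-sender@mail.example.com"
                set pattern-type wildcard
                set action spam
            next
        end
    next
end
```

The /i modifier in entry 1 is what makes the regular expression match upper-case addresses; without it the pattern is case sensitive, as the bword section notes for Perl regular expressions.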
fortishield
Use this command to configure the settings for the FortiGuard-Antispam Service.
The FortiGate spam filters are applied in the order listed under spamfilter bword.
For SMTP, POP3, and IMAP
FortiGuard-Antispam Service is an antispam system from Fortinet that includes an IP address black list, a URL black list, and spam filtering tools. The IP address black list contains IP addresses of email servers known to be used to generate spam. The URL black list contains URLs found in spam email.

FortiGuard-Antispam Service compiles the IP address and URL list from email captured by spam probes located around the world. Spam probes are email addresses purposely configured to attract spam and identify known spam sources to create the antispam IP address and URL list. FortiGuard-Antispam Service combines IP address and URL checks with other spam filter techniques in a two-pass process.

On the first pass, if spamfsip is selected in the protection profile, FortiGuard-Antispam Service extracts the SMTP mail server source address and sends the IP address to a FortiGuard-Antispam Service server to see if this IP address matches the list of known spammers. If spamfsurl is selected in the protection profile, FortiGuard-Antispam Service checks the body of email messages to extract any URL links. These URL links are sent to a FortiGuard-Antispam Service server to see if any of them is listed. Typically spam messages contain URL links to advertisements (also called spamvertizing).

If an IP address or URL match is found, FortiGuard-Antispam Service terminates the session. If FortiGuard-Antispam Service does not find a match, the mail server sends the email to the recipient.

As each email is received, FortiGuard-Antispam Service performs the second antispam pass by checking the header, subject, and body of the email for common spam content. If FortiGuard-Antispam Service finds spam content, the email is tagged or dropped according to the configuration in the firewall protection profile.

Both FortiGuard-Antispam Service antispam processes are completely automated and configured by Fortinet. With constant monitoring and dynamic updates, FortiGuard-Antispam Service is always current.

Enable or disable FortiGuard-Antispam Service in a firewall protection profile.
Syntax

config spamfilter fortishield
    set reports-status {enable | disable}
    set spam-submit-force {enable | disable}
    set spam-submit-srv <url_str>
    set spam-submit-txt2htm {enable | disable}
end

Keywords and variables, descriptions and defaults

reports-status {enable | disable}
    Enable to have the FortiGate unit maintain FortiGuard Antispam statistics. These statistics are compiled only on FortiGate units equipped with a hard drive. View these statistics with the diagnose spamfilter fortishield report command. Default: enable.
spam-submit-force {enable | disable}
    Enable or disable forced insertion of a new MIME entity for the submission text. Default: enable.
spam-submit-srv <url_str>
    The host name of the FortiGuard-Antispam Service server. The FortiGate unit comes preconfigured with the host name. Use this command only to change the host name. Default: www.nospammer.net.
spam-submit-txt2htm {enable | disable}
    Enable or disable converting text email to HTML. Default: enable.

History

FortiOS v2.80 MR7   New.
FortiOS v3.0        Some revisions and added port and timeout.
FortiOS v3.0 MR1    Restructured: some commands were moved to system fortiguard and some new commands were added.
FortiOS 4.0.0       Added the reports-status command.

Related topics

spamfilter bword
spamfilter emailbwl
spamfilter ipbwl
spamfilter iptrust
spamfilter mheader
spamfilter options
spamfilter DNSBL
ipbwl
Use this command to filter email based on the IP or subnet address.
The FortiGate spam filters are generally applied in the order listed under spamfilter bword.
For SMTP, POP3, and IMAP
The FortiGate unit uses the IP address list to filter incoming email. The FortiGate unit compares the IP
address of the sender to the list in sequence. If a match is found, the corresponding protection profile
action is taken. If no match is found, the email is passed on to the next spam filter.
Enter an IP address and mask in one of two formats:
x.x.x.x/x.x.x.x, for example 192.168.10.23/255.255.255.0
x.x.x.x/x, for example 192.168.10.23/24
Configure the FortiGate unit to filter email from specific IP addresses. Mark each IP address as clear,
spam, or reject. Filter single IP addresses, or a range of addresses at the network level by configuring an
address and mask.
Syntax
config spamfilter ipbwl
    edit <list_int>
        set name <list_str>
        set comment <comment_str>
        config entries
            edit <address_int>
                set action {clear | reject | spam}
                set ip/subnet {<address_ipv4> | <address_ipv4>/<address_ipv4mask>}
                set status {enable | disable}
            end
    end
Keywords and variables
<list_int>
    A unique number to identify the IP black/white list.
<list_str>
    The name of the IP black/white list.
<comment_str>
    The comment attached to the IP black/white list.
<address_int>
    A unique number to identify the address.
action {clear | reject | spam}
    Enter clear to exempt the email from the rest of the spam filters. Enter reject to drop any current or incoming sessions. Enter spam to apply the spam action configured in the protection profile.
    Default: spam
ip/subnet {<address_ipv4> | <address_ipv4>/<address_ipv4mask>}
    The IP address to filter. A subnet mask in the format 192.168.10.23/255.255.255.0 or 192.168.10.23/24 can also be included.
    No default.
status {enable | disable}
    Enable or disable scanning email for each IP address.
    Default: enable
History
FortiOS v2.80 New.
FortiOS v3.0 Added multiple-list capability for models 800 and above.
FortiOS v3.0 MR4 All models have the same CLI syntax now.
Related topics
spamfilter bword
spamfilter emailbwl
spamfilter fortishield
spamfilter iptrust
spamfilter mheader
spamfilter options
spamfilter DNSBL
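As an added illustration (not FortiOS code), the following Python model evaluates an ipbwl list the way the text above describes: entries are checked in sequence, the first enabled entry whose address or subnet covers the sender's IP decides the action, and both mask notations (x.x.x.x/x.x.x.x and x.x.x.x/x) are accepted. The list contents and sender addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Added example, not FortiOS code: a model of how a spamfilter ipbwl list is
# evaluated. Field names mirror the CLI keywords (action, ip/subnet, status).


@dataclass
class IpBwlEntry:
    ip_subnet: str          # "x.x.x.x", "x.x.x.x/x.x.x.x" or "x.x.x.x/x"
    action: str = "spam"    # clear | reject | spam (CLI default: spam)
    status: str = "enable"  # enable | disable (CLI default: enable)

    def network(self) -> ipaddress.IPv4Network:
        # ipaddress accepts both mask notations from the reference. strict=False
        # lets a host address carry a mask (192.168.10.23/24 -> 192.168.10.0/24).
        return ipaddress.IPv4Network(self.ip_subnet, strict=False)


@dataclass
class IpBwlList:
    name: str
    entries: List[IpBwlEntry] = field(default_factory=list)

    def match(self, sender_ip: str) -> Optional[str]:
        """Return the action of the first enabled entry that covers sender_ip.

        None means no entry matched, so the email passes on to the next spam
        filter in the order listed above.
        """
        addr = ipaddress.IPv4Address(sender_ip)
        for entry in self.entries:
            if entry.status != "enable":
                continue
            if addr in entry.network():
                return entry.action
        return None


# Constructed sample list (entry numbers as they would appear under
# "config entries"). Entry 3 is shadowed by entry 2 because matching stops
# at the first hit; entry 4 is disabled and therefore skipped.
SAMPLE_LIST = IpBwlList(
    name="sample",
    entries=[
        IpBwlEntry("192.168.10.23/255.255.255.0", action="clear"),          # 1
        IpBwlEntry("10.0.0.0/8", action="reject"),                          # 2
        IpBwlEntry("10.1.2.0/24", action="clear"),                          # 3
        IpBwlEntry("198.51.100.0/24", action="spam", status="disable"),     # 4
        IpBwlEntry("198.51.100.7", action="spam"),                          # 5
    ],
)


def decide(sender_ip: str, bwl: IpBwlList = SAMPLE_LIST) -> str:
    """Map the list result onto what happens to the message."""
    action = bwl.match(sender_ip)
    return "next-filter" if action is None else action


if __name__ == "__main__":
    for ip in ("192.168.10.99", "10.1.2.3", "198.51.100.9", "198.51.100.7", "192.0.2.1"):
        print(ip, "->", decide(ip))
```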
iptrust
Use this command to add an entry to a list of trusted IP addresses.
If the FortiGate unit sits behind a company's Mail Transfer Units, it may be unnecessary to check email IP
addresses because they are internal and trusted. The only IP addresses that need to be checked are
those from outside of the company. In some cases, external IP addresses may be added to the list if it is
known that they are not sources of spam.
Syntax
config spamfilter iptrust
    edit <list_int>
        set name <list_str>
        set comment <comment_str>
        config entries
            edit <address_int>
                set ip/subnet {<address_ipv4> | <address_ipv4>/<address_ipv4mask>}
                set status {enable | disable}
            end
    end
Keywords and variables
<list_int>
    A unique number to identify the IP trust list.
<list_str>
    The name of the IP trust list.
<comment_str>
    The comment attached to the IP trust list.
<address_int>
    A unique number to identify the address.
ip/subnet {<address_ipv4> | <address_ipv4>/<address_ipv4mask>}
    The trusted IP address. A subnet mask in the format 192.168.10.23/255.255.255.0 or 192.168.10.23/24 can also be included.
    No default.
status {enable | disable}
    Enable or disable the IP address.
    Default: enable
History
FortiOS v3.0 New.
FortiOS v3.0 MR4 All models have the same CLI syntax now.
Related topics
spamfilter bword
spamfilter emailbwl
spamfilter fortishield
spamfilter ipbwl
spamfilter mheader
spamfilter options
spamfilter DNSBL
mheader
Use this command to configure email filtering based on the MIME header. MIME header settings are
configured with this command but MIME header filtering is enabled within each protection profile.
The FortiGate spam filters are applied in the following order:
For SMTP
1 IP address BWL check - Last hop IP
2 DNSBL & ORDBL check, IP address FortiGuard check, HELO DNS lookup
3 E-mail address BWL check
4 MIME headers check
5 IP address BWL check (for IPs extracted from Received headers)
6 Return e-mail DNS check, FortiGuard Antispam check (for IPs extracted from Received headers, and
URLs in email content)
7 Banned word check
For POP3 and IMAP
1 E-mail address BWL check
2 MIME headers check, IP BWL check
3 Return e-mail DNS check, FortiGuard Antispam check, DNSBL & ORDBL check
4 Banned word check
For SMTP, POP3, and IMAP
The FortiGate unit compares the MIME header key-value pair of incoming email to the list pair in
sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed
on to the next spam filter.
MIME (Multipurpose Internet Mail Extensions) headers are added to email to describe content type and
content encoding, such as the type of text in the email body or the program that generated the email.
Some examples of MIME headers include:
X-mailer: outgluck
X-Distribution: bulk
Content_Type: text/html
Content_Type: image/jpg
The first part of the MIME header is called the header key, or just header. The second part is called the
value. Spammers often insert comments into header values or leave them blank. These malformed
headers can fool some spam and virus filters.
Use the MIME headers list to mark email from certain bulk mail programs or with certain types of content
that are common in spam messages. Mark the email as spam or clear for each header configured.
Use Perl regular expressions or wildcards to add MIME header patterns to the list. See Using Perl regular
expressions on page 48.
Note: MIME header entries are case sensitive.
Syntax
config spamfilter mheader
    edit <list_int>
        set name <list_str>
        set comment <comment_str>
        config entries
            edit <mime_int>
                set action {clear | spam}
                set fieldbody <mime_str>
                set fieldname <mime_str>
                set pattern-type {regexp | wildcard}
                set status {enable | disable}
            end
    end
Keywords and variables
<list_int>
    A unique number to identify the MIME header list.
<list_str>
    The name of the MIME header list.
<comment_str>
    The comment attached to the MIME header list.
<mime_int>
    A unique number to identify the MIME header.
action {clear | spam}
    Enter clear to exempt the email from the rest of the spam filters. Enter spam to apply the spam action configured in the protection profile.
    Default: spam
fieldbody <mime_str>
    Enter the header field body of the MIME header using wildcards or Perl regular expressions.
    No default.
fieldname <mime_str>
    Enter the header field name of the MIME header using wildcards or Perl regular expressions. Do not include a trailing colon.
    No default.
pattern-type {regexp | wildcard}
    Enter the pattern type for the MIME header. Choose from wildcards or Perl regular expressions.
    Default: wildcard
status {enable | disable}
    Enable or disable scanning email headers for the MIME header and header value defined in the fieldbody and fieldname strings.
    Default: enable
History
FortiOS v2.80 New.
FortiOS v3.0 Added multiple-list capability for models 800 and above.
FortiOS v3.0 MR4 All models have the same CLI syntax now.
Related topics
spamfilter bword
spamfilter fortishield
spamfilter ipbwl
spamfilter iptrust
spamfilter options
spamfilter DNSBL
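The following Python model is an added example (not FortiOS code) of the mheader matching described above: each entry pairs a fieldname pattern with a fieldbody pattern, entries are tried in sequence, the first enabled match decides clear or spam, and comparisons are case sensitive as the note states. Assumed, because the page does not spell them out: wildcard patterns use * and ? and must cover the whole field, while regexp patterns match if found anywhere in the field; the entries and messages are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not FortiOS code: a model of spamfilter mheader matching.
# Assumptions: wildcard patterns use '*' (any run of characters) and '?' (one
# character) and must cover the whole field; regexp patterns are Perl-style
# and match if found anywhere in the field. All matching is case sensitive.


def wildcard_to_regex(pattern: str) -> str:
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + "$"


@dataclass
class MheaderEntry:
    fieldname: str                  # header field name, no trailing colon
    fieldbody: str                  # header field body (the value)
    action: str = "spam"            # clear | spam (CLI default: spam)
    pattern_type: str = "wildcard"  # regexp | wildcard (CLI default: wildcard)
    status: str = "enable"

    def _regex(self, pattern: str) -> "re.Pattern":
        if self.pattern_type == "regexp":
            return re.compile(pattern)
        return re.compile(wildcard_to_regex(pattern))

    def matches(self, headers: List[Tuple[str, str]]) -> bool:
        name_re, body_re = self._regex(self.fieldname), self._regex(self.fieldbody)
        return any(name_re.search(n) and body_re.search(b) for n, b in headers)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw header block into (name, body) pairs, unfolding
    continuation lines that start with whitespace. Stops at the blank line."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            break
        if line[0] in " \t" and headers:
            name, body = headers[-1]
            headers[-1] = (name, body + " " + line.strip())
            continue
        name, _, body = line.partition(":")
        headers.append((name.strip(), body.strip()))
    return headers


def mheader_decision(raw_message: str, entries: List[MheaderEntry]) -> Optional[str]:
    """First enabled entry that matches decides; None passes the email on to
    the next spam filter."""
    headers = parse_headers(raw_message)
    for entry in entries:
        if entry.status == "enable" and entry.matches(headers):
            return entry.action
    return None


# Constructed list. The clear entry for a known mailing list comes first so it
# exempts list traffic before the bulk-mailer checks run.
SAMPLE_ENTRIES = [
    MheaderEntry("List-Id", r"<[a-z]+\.lists\.example\.org>", action="clear",
                 pattern_type="regexp"),
    MheaderEntry("X-Mailer", "outgluck*", action="spam"),
    MheaderEntry("X-Distribution", "bulk", action="spam"),
]

# Constructed sample messages (headers only matter here).
BULK_MAIL = "From: a@example.net\nX-Mailer: outgluck 2.1\nX-Distribution: bulk\nContent-Type: text/html\n\nbody"
LIST_MAIL = "From: a@example.net\nList-Id: <security.lists.example.org>\nX-Distribution: bulk\n\nbody"
PLAIN_MAIL = "From: a@example.net\nX-Mailer: Real Client/1.0\n\nbody"
LOWERCASE_MAIL = "From: a@example.net\nx-mailer: outgluck 2.1\n\nbody"  # case differs: no match

if __name__ == "__main__":
    for label, msg in (("bulk", BULK_MAIL), ("list", LIST_MAIL),
                       ("plain", PLAIN_MAIL), ("lowercase", LOWERCASE_MAIL)):
        print(label, "->", mheader_decision(msg, SAMPLE_ENTRIES))
```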
options
Use this command to set the spamfilter DNS query timeout.
Syntax
config spamfilter options
    set dns-timeout <timeout_int>
end
Example
This example shows how to set the DNS timeout.
config spamfilter options
    set dns-timeout 15
end
Keywords and variables
dns-timeout <timeout_int>
    Set the DNS query timeout in the range 1 to 30 seconds.
    Default: 7
History
FortiOS v3.0 New.
Related topics
spamfilter bword
spamfilter emailbwl
spamfilter fortishield
spamfilter ipbwl
spamfilter iptrust
spamfilter mheader
spamfilter DNSBL
DNSBL
Use this command to configure email filtering using DNS-based Blackhole List (DNSBL) or Open Relay Database List (ORDBL) servers. DNSBL and ORDBL settings are configured with this command, but DNSBL and ORDBL filtering is enabled within each protection profile.
The FortiGate spam filters are generally applied in the following order:
For SMTP
1 IP address BWL check - Last hop IP
2 DNSBL & ORDBL check, IP address FortiGuard check, HELO DNS lookup
3 E-mail address BWL check
4 MIME headers check
5 IP address BWL check (for IPs extracted from Received headers)
6 Return e-mail DNS check, FortiGuard Antispam check (for IPs extracted from Received headers, and
URLs in email content)
7 Banned word check
For POP3 and IMAP
1 E-mail address BWL check
2 MIME headers check, IP BWL check
3 Return e-mail DNS check, FortiGuard Antispam check, DNSBL & ORDBL check
4 Banned word check
For SMTP, POP3, and IMAP
The FortiGate unit compares the IP address or domain name of the sender to any database lists
configured in sequence. If a match is found, the corresponding action is taken. If no match is found, the
email is passed on to the next spam filter.
Some spammers use unsecured third party SMTP servers to send unsolicited bulk email. Using DNSBLs
and ORDBLs is an effective way to tag or reject spam as it enters the network. These lists act as domain
name servers that match the domain of incoming email to a list of IP addresses known to send spam or
allow spam to pass through.
There are several free and subscription servers available that provide reliable access to continually
updated DNSBLs and ORDBLs. Please check with the service being used to confirm the correct domain
name for connecting to the server.
Syntax
config spamfilter dnsbl
    edit <list_int>
        set name <list_str>
        set comment <comment_str>
        config entries
            edit <server_int>
                set action {reject | spam}
                set server <FQDN>
                set status {enable | disable}
            end
    end
Note: Because the FortiGate unit uses the server domain name to connect to the DNSBL or ORDBL server, it must be able to look up this name on the DNS server. For information on configuring DNS, see system dns on page 352.
Keywords and variables
<list_int>
    A unique number to identify the DNSBL list.
<list_str>
    The name of the DNSBL header list.
<comment_str>
    The comment attached to the DNSBL header list.
<server_int>
    A unique number to identify the DNSBL server.
action {reject | spam}
    Enter reject to stop any further processing of the current session and to drop an incoming connection at once. Enter spam to identify email as spam.
    Default: spam
server <FQDN>
    Enter the domain name of a DNSBL server or an ORDBL server.
    No default.
status {enable | disable}
    Enable or disable querying the server named in the server string.
    Default: enable
History
FortiOS v2.80 New.
FortiOS v3.0 Added multiple-list capability for models 800 and above.
FortiOS v3.0 MR2 Multiple-list feature is available for all models.
FortiOS v3.0 MR5 Changed RBL to DNSBL.
Related topics
spamfilter bword
spamfilter emailbwl
spamfilter fortishield
spamfilter ipbwl
spamfilter iptrust
spamfilter mheader
spamfilter options
system dns
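As an added example (not FortiOS code), this Python model shows how a dnsbl list is consulted: for each enabled server in sequence, a DNS name is formed from the sender's IPv4 octets in reverse order followed by the server zone (the standard DNSBL convention), and the first server that answers decides reject or spam, with the lookup bounded by the dns-timeout from spamfilter options. The resolver is an injected, constructed stand-in so the example runs offline, and the zone names ending in .invalid are placeholders.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Added example, not FortiOS code: models how a spamfilter dnsbl list is
# consulted. The query name (reversed IPv4 octets + DNSBL zone) is the standard
# DNSBL convention; the resolver is a constructed stand-in injected as a
# parameter so that the example runs without network access.

Resolver = Callable[[str, int], Optional[str]]  # (name, timeout_s) -> A record or None


@dataclass
class DnsblEntry:
    server: str            # FQDN of the DNSBL/ORDBL zone (set server <FQDN>)
    action: str = "spam"   # reject | spam (CLI default: spam)
    status: str = "enable"


def dnsbl_query_name(sender_ip: str, zone: str) -> str:
    """192.0.2.7 against bl.example.invalid -> 7.2.0.192.bl.example.invalid"""
    octets = sender_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {sender_ip!r}")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def dnsbl_decision(sender_ip: str, entries: List[DnsblEntry], resolve: Resolver,
                   dns_timeout: int = 7) -> Optional[str]:
    """Check enabled servers in sequence; the first one listing the address
    decides. A lookup that times out or returns nothing counts as not listed,
    so the next server is tried and, if none match, None lets the email go on
    to the next spam filter. dns_timeout mirrors options dns-timeout (1-30 s)."""
    if not 1 <= dns_timeout <= 30:
        raise ValueError("dns-timeout must be in the range 1 to 30 seconds")
    for entry in entries:
        if entry.status != "enable":
            continue
        try:
            answer = resolve(dnsbl_query_name(sender_ip, entry.server), dns_timeout)
        except TimeoutError:
            answer = None
        if answer is not None:
            return entry.action
    return None


# Constructed zone data standing in for real DNS answers. Listed addresses
# answer with a 127.0.0.x A record, as DNSBLs conventionally do.
FAKE_ZONE_DATA: Dict[str, str] = {
    "7.2.0.192.bl.example.invalid": "127.0.0.2",
    "9.113.0.203.relays.example.invalid": "127.0.0.3",
}


def fake_resolver(name: str, timeout_s: int) -> Optional[str]:
    # One zone never answers, to exercise the timeout path.
    if name.endswith(".slow.example.invalid"):
        raise TimeoutError(f"no answer for {name} within {timeout_s}s")
    return FAKE_ZONE_DATA.get(name)


SAMPLE_ENTRIES = [
    DnsblEntry("slow.example.invalid", action="reject"),                  # always times out
    DnsblEntry("bl.example.invalid", action="reject"),
    DnsblEntry("relays.example.invalid", action="spam"),
    DnsblEntry("disabled.example.invalid", action="reject", status="disable"),
]

if __name__ == "__main__":
    for ip in ("192.0.2.7", "203.0.113.9", "198.51.100.1"):
        print(ip, "->", dnsbl_decision(ip, SAMPLE_ENTRIES, fake_resolver))
```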
system
Use system commands to configure options related to the overall operation of the FortiGate unit, including:
Administrative access
Automatic updating of antivirus and attack definitions
High availability (HA)
Network interfaces
Replacement messages
VLANs and virtual domains
This chapter contains the following sections:
accprofile
admin
alertemail
amc
arp-table
auto-install
autoupdate clientoverride
autoupdate override
autoupdate push-update
autoupdate schedule
autoupdate tunneling
aux
bug-report
central-management
console
dhcp reserved-address
dhcp server
dns
fips-cc
fortianalyzer, fortianalyzer2, fortianalyzer3
fortiguard
fortiguard-log
global
gre-tunnel
ha
interface
ipv6-tunnel
management-tunnel
modem
npu
ntp
proxy-arp
replacemsg admin
replacemsg alertmail
replacemsg auth
replacemsg ec
replacemsg fortiguard-wf
replacemsg ftp
replacemsg http
replacemsg im
replacemsg mail
replacemsg nac-quar
replacemsg nntp
replacemsg spam
replacemsg sslvpn
resource-limits
session-helper
session-sync
session-ttl
settings
sit-tunnel
snmp community
snmp sysinfo
snmp user
switch-interface
tos-based-priority
vdom-link
vdom-property
wccp
wireless mac-filter
wireless settings
zone
accprofile
Use this command to add access profiles that control administrator access to FortiGate features. Each
FortiGate administrator account must include an access profile. You can create access profiles that deny
access, allow read only, or allow both read and write access to FortiGate features.
You cannot delete or modify the super_admin access profile, but you can use the super_admin profile with
more than one administrator account.
Syntax
config system accprofile
    edit <profile-name>
        set <access-group> <access-level>
        set menu-file <filedata>
        set radius-vdom-override {disable | enable}
        set radius-accprofile-override {disable | enable}
        config fwgrp-permission
            set address {none | read | read-write}
            set others {none | read | read-write}
            set policy {none | read | read-write}
            set profile {none | read | read-write}
            set schedule {none | read | read-write}
            set service {none | read | read-write}
        end
        config loggrp-permission
            set config {none | read | read-write}
            set data-access {none | read | read-write}
        end
        config utmgrp-permission
            set antivirus {none | read | read-write}
            set application-control {none | read | read-write}
            set data-loss-prevention {none | read | read-write}
            set ips {none | read | read-write}
            set spamfilter {none | read | read-write}
            set webfilter {none | read | read-write}
        end
    end
Variables
edit <profile-name>
    Enter a new profile name to create a new profile. Enter an existing profile name to edit that profile.
    No default.
<access-group>
    Enter the feature group for which you are configuring access:
    admingrp: administrator accounts and access profiles
    authgrp: user authentication, including local users, RADIUS servers, LDAP servers, and user groups
    endpoint-control-grp: endpoint control configuration
    fwgrp: firewall configuration
    ipsgrp: intrusion prevention system configuration
    loggrp: log and report configuration including log settings, viewing logs and alert email settings
    mntgrp: maintenance commands: reset to factory defaults, format log disk, reboot, restore and shutdown; execute batch commands
    netgrp: interfaces, dhcp servers, zones; get system status, get system arp table, config system arp-table, execute dhcp lease-list, execute dhcp lease-clear
    routegrp: router configuration
    sysgrp: system configuration except accprofile, admin and autoupdate
    updategrp: FortiGuard antivirus and IPS updates, manual and automatic
    utmgrp: UTM configuration
    vpngrp: VPN configuration
    wanoptgrp: WAN optimization configuration
    webgrp: webfilter configuration
    No default.
<access-level>
    Enter the level of administrator access to this feature:
    custom: configures custom access for fwgrp, loggrp or utmgrp access selections only
    none: no access
    read: read-only access
    read-write: read and write access
    Default: none
config fwgrp-permission keywords. Available if fwgrp is set to custom.
address {none | read | read-write}
    Enter the level of administrator access to firewall addresses.
    Default: none
others {none | read | read-write}
    Enter the level of administrator access to virtual IP configurations.
    Default: none
policy {none | read | read-write}
    Enter the level of administrator access to firewall policies.
    Default: none
profile {none | read | read-write}
    Enter the level of administrator access to firewall profiles.
    Default: none
schedule {none | read | read-write}
    Enter the level of administrator access to firewall schedules.
    Default: none
service {none | read | read-write}
    Enter the level of administrator access to firewall service definitions.
    Default: none
config loggrp-permission keywords. Available if loggrp is set to custom.
config {none | read | read-write}
    Enter the level of administrator access to the logging configuration.
    Default: none
data-access {none | read | read-write}
    Enter the level of administrator access to the log data.
    Default: none
Examples
Use the following commands to add a new access profile named policy_profile that allows read and write access to firewall policies and that denies access to all other FortiGate features. An administrator account with this access profile can view and edit firewall policies, but cannot view or change any other FortiGate settings or features.
config system accprofile
    edit policy_profile
        set fwgrp read-write
end
Use the following commands to add a new access profile named policy_profile_cu that allows customized read and write access to firewall policies and that denies access to all other FortiGate features. An administrator account with this access profile can view and edit the selected custom firewall permissions (address, policy, and schedule), but cannot view or change any other FortiGate settings or features.
config system accprofile
    edit policy_profile_cu
        set fwgrp custom
        config fwgrp-permission
            set address read-write
            set policy read-write
            set schedule read-write
        end
    end
end
config utmgrp-permission keywords. Available if utmgrp is set to custom.
antivirus {none | read | read-write}
    Enter the level of administrator access to antivirus configuration data.
    Default: none
application-control {none | read | read-write}
    Enter the level of administrator access to application control data.
    Default: none
data-loss-prevention {none | read | read-write}
    Enter the level of administrator access to data loss prevention (DLP) data.
    Default: none
ips {none | read | read-write}
    Enter the level of administrator access to intrusion prevention (IPS) data.
    Default: none
spamfilter {none | read | read-write}
    Enter the level of administrator access to spamfilter data.
    Default: none
webfilter {none | read | read-write}
    Enter the level of administrator access to web filter data.
    Default: none
menu-file <filedata>
    Enter the name of the base64-encoded file of data to configure the menu display on the FortiGate unit.
    Default: none
History
FortiOS v2.80 New.
FortiOS v3.0 MR1 Removed secgrp feature group.
FortiOS v3.0 MR2 Modifications for super_admin profile and read-write access-level changes (no write only).
FortiOS v3.0 MR4 Modifications for custom fwgrp firewall permissions, execute batch command control assigned to mntgrp (Maintenance) access control group.
FortiOS v3.0 MR6 Added imp2pgrp access profile. Added config fwgrp-permission and config loggrp-permission subcommands.
FortiOS v4.0 Removed avgrp, imp2pgrp and spamgrp from access profiles. Added endpoint-control-grp, utmgrp, and wanoptgrp.
Related topics
system admin
admin
Use this command to add, edit, and delete administrator accounts. Administrators can control what data modules appear in the FortiGate unit system dashboard by using the config system admin command. Administrators must have read and write privileges to make dashboard GUI modifications.
Use the default admin account or an account with system configuration read and write privileges to add
new administrator accounts and control their permission levels. Each administrator account except the
default admin must include an access profile. You cannot delete the default super admin account or
change the access profile (super_admin). In addition, there is also an access profile that allows read-only
super admin privileges, super_admin_readonly. The super_admin_readonly profile cannot be deleted or
changed, similar to the super_admin profile. This read-only super-admin may be used in a situation where
it is necessary to troubleshoot a customer configuration without making changes.
You can authenticate administrators using a password stored on the FortiGate unit or you can use a
RADIUS server to perform authentication. When you use RADIUS authentication, you can authenticate
specific administrators or you can allow any account on the RADIUS server to access the FortiGate unit as
an administrator.
You can configure an administrator to only be allowed to log in at certain times. The default setting allows
administrators to log in any time.
A vdom/access profile override feature supports authentication of administrators via RADIUS. The admin user will have access depending on which vdom they are restricted to and their associated access profile. This feature is only available to wildcard admins. There can only be one vdom-override user per system.
For detailed information about configuring administrators, see the System Administration chapter of the
FortiGate Administration Guide for your model.
Syntax
config system admin
    edit <name_str>
        set accprofile <profile-name>
        set comments <comments_string>
        set password <admin_password>
        set peer-auth <peer_auth>
        set peer-group <peer-grp>
        set radius-accprofile-override {disable | enable}
        set radius-vdom-override {disable | enable}
        set remote-auth {enable | disable}
        set remote-group <name>
        set schedule <schedule-name>
        set ssh-public-key1 "<key-type> <key-value>"
        set ssh-public-key2 "<key-type> <key-value>"
        set ssh-public-key3 "<key-type> <key-value>"
        set trusthost1 <address_ipv4mask>
        set trusthost2 <address_ipv4mask>
        set trusthost3 <address_ipv4mask>
        set vdom <vdom_name>
        set wildcard {enable | disable}
        config dashboard
            edit moduleid <module_name>
                set column <column_number>
                set status <module_status>
            end
        end
    end
Note: For users with the super_admin access profile, you can reset the password in the CLI.
For a user ITAdmin with the access profile super_admin, to set the password to 123456:
config sys admin
    edit ITAdmin
        set password 123456
end
For a user ITAdmin with the access profile super_admin, to reset the password from 123456 to the default empty or null:
config sys admin
    edit ITAdmin
        unset password 123456
end
If you type set password ? in the CLI, you will have to enter the new password and the old password in order for the change to be effective. In this case, you will NOT be able to reset the password to empty or null.
Note: You cannot change the management VDOM if any administrators are using RADIUS authentication.
Keywords and variables
accprofile <profile-name>
    Enter the name of the access profile to assign to this administrator account. Access profiles control administrator access to FortiGate features.
    No default.
comments <comments_string>
    Enter the last name, first name, email address, phone number, mobile phone number, and pager number for this administrator. Separate each attribute with a comma, and enclose the string in double-quotes. The total length of the string can be up to 128 characters. (Optional)
    Default: null
password <admin_password>
    Enter the password for this administrator.
    Default: null
peer-auth <peer_auth>
    Set to enable peer certificate authentication (for HTTPS admin access).
    Default: disable
peer-group <peer-grp>
    Name of peer group defined under config user peergrp or user group defined under config user group. Used for peer certificate authentication (for HTTPS admin access).
    Default: null
radius-accprofile-override {disable | enable}
    Enable RADIUS authentication override for the access profile of the administrator.
    Default: disable
radius-vdom-override {disable | enable}
    Enable RADIUS authentication override for the (wildcard only) administrator.
    Default: disable
remote-auth {enable | disable}
    Enable or disable authentication of this administrator using a remote RADIUS, LDAP, or TACACS+ server.
    Default: disable
remote-group <name>
    Enter the administrator user group name, if you are using RADIUS, LDAP, or TACACS+ authentication. This is only available when remote-auth is enabled.
    No default.
schedule <schedule-name>
    Restrict times that an administrator can log in. Defined in config firewall schedule. Null indicates that the administrator can log in at any time.
    Default: null
ssh-public-key1 "<key-type> <key-value>"
    You can specify the public keys of up to three SSH clients. These clients are authenticated without being asked for the administrator password. You must create the public-private key pair in the SSH client application.
    <key-type> is ssh-dss for a DSA key or ssh-rsa for an RSA key.
    <key-value> is the public key string of the SSH client.
    No default.
ssh-public-key2 "<key-type> <key-value>"
    No default.
ssh-public-key3 "<key-type> <key-value>"
    No default.
trusthost1 <address_ipv4mask>
    Any IP address or subnet address and netmask from which the administrator can connect to the FortiGate unit. If you want the administrator to be able to access the FortiGate unit from any address, set the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0.
    Default: 0.0.0.0 0.0.0.0
trusthost2 <address_ipv4mask>
    Any IP address or subnet address and netmask from which the administrator can connect to the FortiGate unit. If you want the administrator to be able to access the FortiGate unit from any address, set the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0.
    Default: 0.0.0.0 0.0.0.0
trusthost3 <address_ipv4mask>
    Any IP address or subnet address and netmask from which the administrator can connect to the FortiGate unit. If you want the administrator to be able to access the FortiGate unit from any address, set the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0.
    Default: 127.0.0.1 255.255.255.255
vdom <vdom_name>
    Enter the name of the VDOM this account belongs to. (Optional)
    No default.
wildcard {enable | disable}
    Enable wildcard to allow all accounts on the RADIUS server to log on to the FortiGate unit as administrator. Disable wildcard if you want to allow only the specified administrator to log on. This is available when remote-auth is enabled.
    Default: disable
dashboard
    Use config dashboard to configure the dashboard GUI of the FortiGate unit. Administrator must have read and write privileges to make changes.
moduleid <module_name>
    Name of the dashboard module. Includes the following selections:
    alert: System restart/firmware change alerts
    sessions: Top sessions
    sysinfo: System information
    licinfo: License information
    jsconsole: CLI console
    sysres: System resource information
    sysop: Unit operation information
    statistics: System operational statistics
    top-attacks: Top system attacks
    top-viruses: Top viruses by month
    tr-history: Interface traffic history
column <column_number>
    Column in which the dashboard module appears. Values 1 or 2. Available for all dashboard modules.
    Default: 0
status <module_status>
    Status of module on dashboard. Values open or close. Available for all dashboard modules.
dashboard module selections
alert
    show-conserve-mode: display conserve mode on alert message console
    show-firmware-change: display firmware upgrade/downgrade on alert message console
    show-system-restart: display system restart on alert message console
Example
Use the following commands to add a new administrator account named new_admin with the password set to p8ssw0rd and that includes an access profile named policy_profile. It is accessible on the main_office VDOM. Administrators that log in to this account will have administrator access to the FortiGate unit from any IP address. The dashboard setting alert > show-system-restart is enabled and displays in column 2 of the FortiOS GUI.
config system admin
    edit new_admin
        set password p8ssw0rd
        set accprofile policy_profile
        set vdom main_office
        config dashboard
            edit alert
                set column 2
                set status open
                set show-system-restart enable
            end
        end
end
jsconsole
    column and status settings available. status default open.
licinfo
    column and status settings available. status default open.
sessions
    refresh-interval: time in between refresh of session data. Values between 10 and 1200, 0 to disable.
    set-sort-by: sort top sessions by either destination address or source address.
    top-sessions: number of top sessions to display. Values between 5 and 20.
statistics
    column and status settings available. status default open.
sysinfo
    column and status settings available. status default open.
sysop
    column and status settings available. status default open.
sysres
    show-fds-chart: display the FortiGuard log disk usage chart
    show-fortianalyzer-chart: display the FortiAnalyzer disk usage chart
top-attacks
    refresh-interval: time in between refresh of top attacks data. Values between 10 and 1200, 0 to disable.
    top-sessions: number of top attacks to display. Values between 5 and 20.
top-viruses
    refresh-interval: time in between refresh of top viruses data. Values between 10 and 1200, 0 to disable.
    top-sessions: number of top viruses to display. Values between 5 and 20.
tr-history
    interface: name of interface monitored for traffic history data.
    refresh: set to refresh traffic history data automatically.
History
FortiOS v2.80 Revised.
FortiOS v3.0 Added email-address, first-name, last-name, mobile-number, pager-number, phone-number, radius-auth, radius-group, wildcard keywords.
FortiOS v3.0 MR1 Added is-admin and vdom keywords.
FortiOS v3.0 MR3 Removed is-admin. Combined first-name, last-name, email-address, phone-number, mobile-number, pager-number and put in keyword comments (concatenated).
FortiOS v3.0 MR4 Added dashboard configuration keywords/variables, password.
FortiOS v3.0 MR5 Added description of password setup.
FortiOS v3.0 MR6 Added schedule. Included description of ReadOnlyAdmin. Added config dashboard subcommand. Renamed keyword radius-auth to remote-auth. Renamed keyword radius-group to remote-group.
FortiOS v3.0 MR7 Added radius-vdom-override and radius-accprofile-override.
Related topics
system accprofile
alertemail
Use this command to configure the FortiGate unit to access an SMTP server to send alert emails. This command is global in scope.
To configure alertemail settings you must first configure the server and then enable authenticate. Only then are all the keywords visible.
Syntax
config system alertemail
    set authenticate {disable | enable}
    set password <password_str>
    set port <port_integer>
    set server {<name-str> | <address_ipv4>}
    set username <username_str>
end
Examples
This example shows how to configure the FortiGate unit to send alert emails using the SMTP server smtp.example.com. The order of the keywords is important: the server must be defined first, and authentication must be enabled next. The FortiGate unit uses the user name admin2 and the password h8rdt0g3uss to connect to the SMTP server.
config system alertemail
    set server smtp.example.com
    set authenticate enable
    set password h8rdt0g3uss
    set username admin2
end
Note: You must configure the server setting under config system alertemail before the commands under config alertemail become accessible. For more information on config alertemail, see alertemail on page 65.
Keywords and variables Description Default
authenticate {disable | enable}
    Enable SMTP authentication if the FortiGate unit is required to authenticate before using the SMTP server. This variable is accessible only if server is defined.
    Default: disable
password <password_str>
    Enter the password that the FortiGate unit needs to access the SMTP server. This variable is accessible only if authenticate is enabled and server is defined.
    Default: No default.
port <port_integer>
    Change the TCP port number that the FortiGate unit uses to connect to the SMTP server. The standard SMTP port is 25. You can change the port number if the SMTP server has been configured to use a different port.
    Default: 25
server {<name-str> | <address_ipv4>}
    Enter the name of the SMTP server, in the format smtp.domain.com, to which the FortiGate unit should send email. Alternately, the IP address of the SMTP server can be entered. The SMTP server can be located on any network connected to the FortiGate unit.
    Default: No default.
username <username_str>
    Enter the user name for the SMTP server that the FortiGate unit uses to send alert emails. This variable is accessible only if authenticate is enabled and server is defined.
    Default: No default.
History
FortiOS v3.0 Command created from alertemail command.
FortiOS v3.0 MR7 Added the port keyword.
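The keyword ordering rule above (server first, then authenticate, and only then username and password) is easy to get wrong when a config block is generated by a script. The following is an added example, not Fortinet code: a small Python helper that emits the block in an order the CLI accepts and lints an existing snippet for keywords set before their prerequisites. The DEPENDS_ON table and the function names are this example's own.

```python
"""Order and lint 'config system alertemail' blocks.

Added example, not part of the Fortinet reference. It encodes the rules the
reference states: 'server' must be set before 'authenticate', and 'username'
and 'password' are only accessible once 'server' is defined and
'authenticate' is enabled. The dependency table below is this example's own.
"""
from __future__ import annotations

# keyword -> keywords that must already be set (hypothetical table built
# from the reference's "accessible only if ..." notes)
DEPENDS_ON = {
    "server": (),
    "port": (),
    "authenticate": ("server",),
    "username": ("server", "authenticate"),
    "password": ("server", "authenticate"),
}


class OrderError(ValueError):
    """A keyword would be set before the keywords it depends on."""


def _gated_keywords_allowed(settings: dict[str, str]) -> bool:
    # username/password are hidden until server is set and auth is enabled
    return "server" in settings and settings.get("authenticate") == "enable"


def order_alertemail(settings: dict[str, str]) -> list[str]:
    """Return the indented 'set' lines in an order satisfying every dependency.

    Raises OrderError for unknown keywords, or for username/password given
    without 'server' and 'authenticate enable' (the CLI would not expose them).
    """
    unknown = set(settings) - set(DEPENDS_ON)
    if unknown:
        raise OrderError(f"unknown keyword(s): {sorted(unknown)}")
    for kw in ("username", "password"):
        if kw in settings and not _gated_keywords_allowed(settings):
            raise OrderError(f"{kw!r} requires 'server' and 'authenticate enable'")

    emitted: list[str] = []
    lines: list[str] = []
    remaining = dict(settings)
    # Emit any keyword whose prerequisites are already out (a tiny topological sort);
    # ties are broken by the table order so output is deterministic.
    while remaining:
        ready = [k for k in remaining if all(d in emitted for d in DEPENDS_ON[k])]
        if not ready:
            raise OrderError(f"unsatisfiable dependencies for {sorted(remaining)}")
        k = sorted(ready, key=lambda name: list(DEPENDS_ON).index(name))[0]
        lines.append(f"    set {k} {remaining.pop(k)}")
        emitted.append(k)
    return lines


def render_alertemail(settings: dict[str, str]) -> str:
    """Render the complete block as the reference shows it."""
    body = "\n".join(order_alertemail(settings))
    return f"config system alertemail\n{body}\nend"


def check_order(lines: list[str]) -> list[str]:
    """Report 'set' lines that appear before a keyword they depend on.

    Useful for linting a snippet before pasting it into the CLI.
    """
    seen: list[str] = []
    problems: list[str] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "set":
            continue
        kw = parts[1]
        for dep in DEPENDS_ON.get(kw, ()):
            if dep not in seen:
                problems.append(f"'{kw}' set before '{dep}'")
        seen.append(kw)
    return problems


if __name__ == "__main__":
    # The values are the reference's own example settings.
    example = {
        "password": "h8rdt0g3uss",
        "username": "admin2",
        "authenticate": "enable",
        "server": "smtp.example.com",
    }
    print(render_alertemail(example))
```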
amc
Use this command to configure AMC ports on your FortiGate unit. The number of AMC ports on your FortiGate unit varies by model.
When you first get your FortiGate unit with AMC ports, the AMC ports must be configured before the ports can be used. The settings are different for single width and double width ports.
The auto setting will recognize any card used in the AMC port, but when you remove the card it will not retain any configuration settings.
The asm-cx4, asm-disk, asm-fb4, asm-fx2, adm-xb2, and adm-fb8 settings retain any configuration related to that card until a different type of card is inserted. For example, if the port is set to asm-disk with configuration for that disk and the disk needs to be replaced, it can be removed and it, or one of the same type, can be re-inserted with the FortiGate unit retaining all the related configuration.
To use an AMC slot that is configured for one type of card with a different type of card, you must first set the slot to none, and then reconfigure the slot for the new type of card. This removes all configuration that was associated with the previous AMC card.
Syntax
config system amc
    set {sw1 | sw2} {asm-cx4 | asm-disk | asm-fb4 | asm-fx2 | auto | none}
    set {dw1 | dw2} {adm-fb8 | adm-xb2 | auto | none}
end
Keywords and variables Description Default
{sw1 | sw2} {asm-cx4 | asm-disk | asm-fb4 | asm-fx2 | auto | none}
    Configure this single width AMC port for the following type of card.
    asm-cx4 - AMC single width, 4G bypass
    asm-disk - AMC single width SCSI hard disk card, such as ASM-S08
    asm-fb4 - AMC single width 4G NP2 network interface card
    asm-fx2 - AMC single width, 2G bypass
    auto - support any single width card
    none - not configured, disable slot
    Default: none
{dw1 | dw2} {adm-fb8 | adm-xb2 | auto | none}
    Configure this double width AMC port for the following type of card.
    adm-fb8 - AMC double width 8G NP2 network interface card
    adm-xb2 - AMC double width 2XG NP2 card
    auto - support any card that is inserted
    none - not configured, disable slot
    Default: none
History
FortiOS v3.0 MR7 New command.
FortiOS v4.0 Added asm-cx4 and asm-fx2 to list of supported AMC single width cards.
arp-table
Use this command to manually configure the ARP table entries on the FortiGate unit. You can only access the arp-table values from the CLI.
This command is not available when VDOMs are enabled or in TP mode.
Syntax
config system arp-table
    edit <table_value>
        set interface <port>
        set ip <address_ipv4>
        set mac <mac_address>
end
Examples
This example adds an entry to the ARP table with a MAC address of 00:09:0f:69:00:7c and an IP address of 172.20.120.161 on the port2 interface.
config system arp-table
    edit 3
        set interface port2
        set ip 172.20.120.161
        set mac 00:09:0f:69:00:7c
end
Keywords and variables Description Default
interface <port>
    Enter the interface this ARP entry is associated with.
    Default: No default.
ip <address_ipv4>
    Enter the IP address of the ARP entry.
    Default: No default.
mac <mac_address>
    Enter the MAC address of the device entered in the table, in the form xx:xx:xx:xx:xx:xx.
    Default: No default.
History
FortiOS v3.0 MR2 New command.
Related topics
get system arp
auto-install
Use this command to configure automatic installation of firmware and system configuration from a USB disk when the FortiGate unit restarts. This command is available only on units that have a USB disk connection.
If you set both configuration and firmware image update, both occur on the same reboot. The FortiGate unit will not reload a firmware or configuration file that is already loaded.
Third-party USB disks are supported; however, the USB disk must be formatted as a FAT16 drive. No other partition type is supported.
To format your USB disk when it is connected to your FortiGate unit, at the CLI prompt type exe usb-disk format.
To format your USB disk when it is connected to a Windows system, at the command prompt type format <drive_letter>: /FS:FAT /V:<drive_label>, where <drive_letter> is the letter of the connected USB drive you want to format, and <drive_label> is the name you want to give the USB disk volume for identification.
Note: This command is available only when a USB key is installed on the FortiGate unit. Formatting your USB disk will delete all information on your USB disk.
Syntax
config system auto-install
    set auto-install-config {disable | enable}
    set auto-install-image {disable | enable}
    set default-config-file <filename_str>
    set default-image-file <filename_str>
end
Variables Description Default
auto-install-config {disable | enable}
    Enable or disable automatic loading of the system configuration from a USB disk on the next reboot.
    Default: disable
auto-install-image {disable | enable}
    Enable or disable automatic installation of firmware from a USB disk on the next reboot.
    Default: disable
default-config-file <filename_str>
    Enter the name of the configuration file on the USB disk.
    Default: fgt_system.conf
default-image-file <filename_str>
    Enter the name of the image file on the USB disk.
    Default: image.out
History
FortiOS v3.0 New.
autoupdate clientoverride
Use this command to receive updates on a different interface than the interface connected to the FortiGuard Distribution Network (FDN). This command changes the source IP address of update requests to the FortiGuard server, causing it to send the update to the modified source address.
This is useful if your company uses an internal updates server instead of the FDN.
Syntax
config system autoupdate clientoverride
    set status {enable | disable}
    set address <address_ipv4>
end
Example
This example shows how to add a push update client IP address of 192.168.21.145, which is on the port4 interface.
config system autoupdate clientoverride
    set address 192.168.21.145
    set status enable
end
Variables Description Default
status {enable | disable}
    Enable or disable the ability to override the FDN interface address.
    Default: disable
address <address_ipv4>
    Enter the IP address or fully qualified domain name to receive updates from.
    Default: No default.
History
FortiOS v2.80 MR6 Added.
Related topics
system autoupdate override
system autoupdate push-update
system autoupdate schedule
system autoupdate tunneling
execute update-ase
autoupdate override
Use this command to specify an override FDS server.
If you cannot connect to the FortiGuard Distribution Network (FDN), or if your organization provides updates using its own FortiGuard server, you can specify an override FDS server so that the FortiGate unit connects to this server instead of the FDN.
Syntax
config system autoupdate override
    set status {enable | disable}
    set address <FDS_address>
    set failover {enable | disable}
end
Example
This example shows how to add and enable your company's own FDS override server with an IP address of 192.168.87.145.
config system autoupdate override
    set address 192.168.87.145
    set status enable
end
Note: If you are unable to connect to the FDS server, even after specifying an override server, it is possible your ISP is blocking the lower TCP and UDP ports for security reasons. Contact your ISP to make sure they unblock TCP and UDP ports 1025 to 1035 to enable FDS server traffic.
Variables Description Default
status {enable | disable}
    Enable or disable overriding the default FDS server.
    Default: disable
address <FDS_address>
    Enter the IP address or fully qualified domain name of the override FDS server.
    Default: No default.
failover {enable | disable}
    Enable or disable FDS server failover. If failover is enabled and the FortiGate unit cannot reach the override FDS server, it fails over to the public FDS servers.
    Default: enable
History
FortiOS v2.80 Revised.
Related topics
system autoupdate push-update
system autoupdate schedule
system autoupdate tunneling
execute update-ase
execute update-ips
autoupdate push-update
Use this command to configure push updates. The FortiGuard Distribution Network (FDN) can push updates to FortiGate units to provide the fastest possible response to critical situations such as software exploits or viruses. You must register the FortiGate unit before it can receive push updates.
When you configure a FortiGate unit to allow push updates, the FortiGate unit sends a SETUP message to the FDN. The next time an update is released, the FDN notifies all FortiGate units that are configured for push updates that a new update is available. Within 60 seconds of receiving a push notification, the FortiGate unit requests an update from the FDN.
By using this command, you can enable or disable push updates. You can also configure push IP address and port overrides. If the FDN must connect to the FortiGate unit through a NAT device, you must configure port forwarding on the NAT device and add the port forwarding information to the push update override configuration.
Syntax
config system autoupdate push-update
    set status {enable | disable}
    set override {enable | disable}
    set address <push_ipv4>
    set port <FDN_port>
end
Example
This example shows how to enable push updates on port 9993.
config system autoupdate push-update
    set status enable
    set port 9993
end
Note: You cannot receive push updates through a NAT device if the external IP address of the NAT device is dynamic (for example, set using PPPoE or DHCP).
Variables Description Default
status {enable | disable}
    Enable or disable FDN push updates.
    Default: disable
override {enable | disable}
    Enable an override of push updates. Select enable if the FortiGate unit connects to the FDN through a NAT device.
    Default: disable
address <push_ipv4>
    Enter the external IP address that the FDN connects to if you want to enable push override. This is the address of the external interface of your NAT device.
    Default: 0.0.0.0
port <FDN_port>
    Enter the port that the FDN connects to. This can be port 9443 by default or a different port that you assign.
    Default: 9443
History
FortiOS v2.80 Revised.
Related topics
system autoupdate override, system autoupdate schedule, system autoupdate tunneling
execute update-ase, execute update-ips
autoupdate schedule
Use this command to enable or disable scheduled FDN updates at regular intervals throughout the day, once a day, or once a week.
To have your FortiGate unit update at a random time during a particular hour, enter a time whose minute value is 60; this chooses a random minute within that hour for the scheduled update.
Syntax
config system autoupdate schedule
    set status {enable | disable}
    set frequency {every | daily | weekly}
    set time <hh:mm>
    set day <day_of_week>
end
Example
This example shows how to configure the FortiGate unit to check the FortiGuard Distribution Network (FDN) for updates once a day at 3:00 in the morning.
config system autoupdate schedule
    set frequency daily
    set time 03:00
    set status enable
end
This example is the same as the above example, but it checks for updates once a day at some time between 3:00 and 4:00 in the morning.
config system autoupdate schedule
    set frequency daily
    set time 03:60
    set status enable
end
Variables Description Default
status {enable | disable}
    Enable or disable scheduled updates.
    Default: disable
frequency {every | daily | weekly}
    Schedule the FortiGate unit to check for updates every hour, once a day, or once a week. Set frequency to one of the following:
    every: Check for updates periodically. Set time to the time interval to wait between updates.
    daily: Check for updates once a day. Set time to the time of day to check for updates.
    weekly: Check for updates once a week. Set day to the day of the week to check for updates. Set time to the time of day to check for updates.
    Default: every
time <hh:mm>
    Enter the time at which to check for updates.
    hh can be 00 to 23
    mm can be 00-59, or 60 for a random minute
    Default: 00:00
day <day_of_week>
    Enter the day of the week on which to check for updates. Enter one of: Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, or Saturday.
    This option is available only when frequency is set to weekly.
    Default: Monday
History
FortiOS v2.80 Revised.
FortiOS v2.80 MR2 Can set time as well as day for weekly updates.
Related topics
system autoupdate override
system autoupdate push-update
system autoupdate tunneling
system global
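The <hh:mm> value carries a special case (mm of 60 means a random minute within the hour) and the day keyword is only meaningful for weekly schedules, both of which are worth validating before pushing a schedule from automation. The following is an added example, not Fortinet code; it applies only the ranges stated in the table above, and the function and class names are this example's own.

```python
"""Interpret and validate 'config system autoupdate schedule' values.

Added example, not part of the Fortinet reference. It applies the rules the
reference states: hh is 00-23, mm is 00-59, and mm=60 means "pick a random
minute within that hour"; day is only available when frequency is weekly.
"""
from __future__ import annotations

import random
import re
from dataclasses import dataclass

_TIME_RE = re.compile(r"^(\d{2}):(\d{2})$")
FREQUENCIES = ("every", "daily", "weekly")
DAYS = ("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")


@dataclass(frozen=True)
class ScheduleTime:
    hour: int
    minute: int  # 0-59, or 60 meaning "random minute within the hour"

    @property
    def randomized(self) -> bool:
        return self.minute == 60


def parse_schedule_time(value: str) -> ScheduleTime:
    """Parse an <hh:mm> value, rejecting anything outside the stated ranges."""
    m = _TIME_RE.match(value)
    if not m:
        raise ValueError(f"time must be hh:mm, got {value!r}")
    hour, minute = int(m.group(1)), int(m.group(2))
    if not 0 <= hour <= 23:
        raise ValueError(f"hh must be 00-23, got {hour:02d}")
    if not 0 <= minute <= 60:
        raise ValueError(f"mm must be 00-59, or 60 for a random minute; got {minute:02d}")
    return ScheduleTime(hour, minute)


def resolve_minute(t: ScheduleTime, rng: random.Random | None = None) -> int:
    """Return the concrete minute: the fixed one, or a random 0-59 if mm was 60."""
    if not t.randomized:
        return t.minute
    return (rng or random).randrange(0, 60)


def next_daily_run(now_h: int, now_m: int, t: ScheduleTime,
                   rng: random.Random | None = None) -> tuple[int, int, bool]:
    """Return (hour, minute, is_tomorrow) for the next daily check.

    The random minute is drawn at scheduling time, so consecutive days can
    fire at different minutes; pass rng for reproducible results.
    """
    minute = resolve_minute(t, rng)
    is_tomorrow = (t.hour, minute) <= (now_h, now_m)
    return t.hour, minute, is_tomorrow


def render_schedule(frequency: str, time: str, day: str | None = None) -> str:
    """Render a validated 'config system autoupdate schedule' block."""
    if frequency not in FREQUENCIES:
        raise ValueError(f"frequency must be one of {FREQUENCIES}, got {frequency!r}")
    parse_schedule_time(time)  # validates hh and mm, including the mm=60 case
    lines = ["config system autoupdate schedule",
             f"    set frequency {frequency}",
             f"    set time {time}"]
    if frequency == "weekly":
        if day not in DAYS:
            raise ValueError(f"weekly schedules need day set to one of {DAYS}")
        lines.append(f"    set day {day}")
    elif day is not None:
        raise ValueError("day is available only when frequency is weekly")
    lines += ["    set status enable", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # The reference's second example: daily, some time between 03:00 and 04:00.
    print(render_schedule("daily", "03:60"))
    print(next_daily_run(2, 30, parse_schedule_time("03:60"), random.Random(1)))
```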
autoupdate tunneling
Use this command to configure the FortiGate unit to use a proxy server to connect to the FortiGuard Distribution Network (FDN). You must enable tunneling so that you can use the proxy server, and also add the IP address and port required to connect to the proxy server. If the proxy server requires authentication, add the user name and password required to connect to the proxy server.
The FortiGate unit connects to the proxy server using the HTTP CONNECT method, as described in RFC 2616. The FortiGate unit sends an HTTP CONNECT request to the proxy server (optionally with authentication information) specifying the IP address and port required to connect to the FDN. The proxy server establishes the connection to the FDN and passes information between the FortiGate unit and the FDN.
The CONNECT method is used mostly for tunneling SSL traffic. Some proxy servers do not allow CONNECT to connect to any port; they restrict the allowed ports to the well known ports for HTTPS and perhaps some other similar services. FortiGate autoupdates use HTTPS on port 8890 to connect to the FDN, so your proxy server may need to be configured to allow connections on this port.
Syntax
config system autoupdate tunneling
    set address <proxy_address>
    set password <password>
    set port <proxy_port>
    set status {enable | disable}
    set username <name>
end
Example
This example shows how to enable tunneling where the FortiGate unit must connect to a proxy server with IP address 192.168.50.134 that uses port 8080 and requires the user id proxy_user and the password proxy_pwd.
config system autoupdate tunneling
    set address 192.168.50.134
    set port 8080
    set username proxy_user
    set password proxy_pwd
    set status enable
end
Variables Description Default
status {enable | disable}
    Enable or disable tunneling.
    Default: disable
address <proxy_address>
    The IP address or fully qualified domain name of the proxy server.
    Default: No default.
port <proxy_port>
    The port required to connect to the proxy server.
    Default: 0
username <name>
    The user name used to connect to the proxy server.
    Default: No default.
password <password>
    The password to connect to the proxy server, if one is required.
    Default: No default.
History
FortiOS v2.80 Revised.
Related topics
system autoupdate override
system autoupdate push-update
system autoupdate schedule
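To see what the tunneled FDN connection described above looks like on the wire, and to troubleshoot a proxy that refuses CONNECT to port 8890, the following added example (not Fortinet code) builds the HTTP CONNECT request with optional Basic proxy credentials and classifies the proxy's reply. The function names, the sample replies and the mapping of reply codes to likely causes are this example's own; the FDN host name is a placeholder.

```python
"""Build and interpret the HTTP CONNECT exchange used for tunneled FDN updates.

Added example, not Fortinet code. It follows the reference's description:
a CONNECT request (RFC 2616) to the proxy, optionally carrying credentials,
naming the FDN host and port 8890. Proxy-Authorization uses the Basic scheme
(RFC 2617). The sample replies below are constructed, not captured.
"""
from __future__ import annotations

import base64

FDN_HTTPS_PORT = 8890  # port the reference says FortiGate autoupdates use


def build_connect_request(fdn_host: str, proxy_user: str | None = None,
                          proxy_password: str | None = None,
                          fdn_port: int = FDN_HTTPS_PORT) -> bytes:
    """Return the raw CONNECT request the unit would send to the proxy."""
    target = f"{fdn_host}:{fdn_port}"
    lines = [f"CONNECT {target} HTTP/1.1", f"Host: {target}"]
    if proxy_user is not None:
        # Basic credentials are only base64-encoded, so they are readable by
        # anything between the unit and the proxy; keep that path trusted.
        cred = base64.b64encode(f"{proxy_user}:{proxy_password or ''}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {cred}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_connect_response(raw: bytes) -> tuple[int, str]:
    """Return (status_code, reason) from the proxy's status line."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def tunnel_established(raw: bytes) -> bool:
    """True when the proxy answered 2xx, i.e. TLS to the FDN can start inside it."""
    code, _ = parse_connect_response(raw)
    return 200 <= code < 300


def describe_failure(raw: bytes) -> str:
    """Map a CONNECT reply to the most likely cause (this example's heuristic)."""
    code, reason = parse_connect_response(raw)
    if 200 <= code < 300:
        return "tunnel established"
    if code == 407:
        return "proxy requires authentication: set username and password under autoupdate tunneling"
    if code in (403, 405):
        return (f"proxy refused CONNECT ({code} {reason}): "
                f"allow port {FDN_HTTPS_PORT} in its CONNECT port policy")
    return f"proxy returned {code} {reason}"


# Constructed sample replies (not captured from a real proxy)
SAMPLE_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
SAMPLE_FORBIDDEN = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
SAMPLE_AUTH_REQUIRED = b"HTTP/1.1 407 Proxy Authentication Required\r\n\r\n"

if __name__ == "__main__":
    # Placeholder FDN host; credentials are the reference's own example values.
    print(build_connect_request("fdn.example.invalid", "proxy_user", "proxy_pwd").decode())
    for sample in (SAMPLE_OK, SAMPLE_FORBIDDEN, SAMPLE_AUTH_REQUIRED):
        print(describe_failure(sample))
```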
aux
Use this command to configure the AUX port. You can use a modem connected to the AUX port to remotely connect to a console session on the FortiGate unit. The AUX port is located near the console port, but not all FortiGate models have an AUX port.
The main difference between the standard console port and the AUX port is that the standard console port is for local serial console connections only; it cannot accept a modem connection to establish a remote console connection. The AUX port also allows you to establish a local connection, but it has some limitations the standard console port does not have.
The AUX port will not display the booting messages that the standard console connection displays.
The AUX port will send out modem initializing strings (AT strings) that will appear on an AUX console session at the start.
Syntax
config system aux
    set baudrate <baudrate>
end
<baudrate> is the speed of the connection. It can be set to one of the following: 9600, 19200, 38400, 57600, or 115200. The default is 9600.
Ensure devices on both ends of the connection are set to the same baudrate.
History
FortiOS v3.0 MR1 New.
Related topics
system console
bug-report
Use this command to configure a custom email relay for sending problem reports to Fortinet customer support.
Syntax
config system bug-report
    set auth {no | yes}
    set mailto <email_address>
    set password <password>
    set server <servername>
    set username <name>
    set username-smtp <account_name>
end
Example
This example shows how to configure the FortiGate unit to send bug report email from the ourmailserver.com email server to bug_report@ourcompany.com using the User1 account. The email server requires authentication.
config system bug-report
    set auth yes
    set mailto bug_report@ourcompany.com
    set password 123456
    set server ourmailserver.com
    set username OurAdmin
end
Variables Description Default
auth {no | yes}
    Enter yes if the SMTP server requires authentication or no if it does not.
    Default: no
mailto <email_address>
    The email address for bug reports. The default is bug_report@fortinetvirussubmit.com.
    Default: See description.
password <password>
    If the SMTP server requires authentication, enter the password required.
    Default: No default.
server <servername>
    The SMTP server to use for sending bug report email. The default server is fortinetvirussubmit.com.
    Default: See description.
username <name>
    A valid user name on the specified SMTP server. The default user name is bug_report.
    Default: See description.
username-smtp <account_name>
    A valid user name on the specified SMTP server. The default user name is bug_report.
    Default: See description.
History
FortiOS v2.80 New.
FortiOS v2.80 MR2 Command changed from config bug-report to config system bug-report.
FortiOS v3.0 Changed username_smtp to username-smtp.
FortiOS v3.0 MR1 Added mailto keyword.
Related topics
system dns
central-management
Use this command to configure a central management server for this FortiGate unit. Central management uses a remote server to back up and restore the configuration and to monitor the FortiGate unit. The remote server can be either a FortiManager or a FortiGuard server.
You should review the information about the command system management-tunnel on page 406, because it is used to configure the remote management tunnel between the remote services.
This command replaces the config system fortimanager command from earlier versions.
Syntax
config system central-management
    set allow-monitor {enable | disable}
    set allow-push-configuration {enable | disable}
    set allow-pushd-firmware {enable | disable}
    set allow-remote-firmware-upgrade {enable | disable}
    set authorized-manager-only {enable | disable}
    set auto-backup {enable | disable}
    set fmg <fmg_ipv4>
    set schedule-config-restore {enable | disable}
    set schedule-script-restore {enable | disable}
    set serial-number <fmg_serial_number>
    set status {enable | disable}
    set type {fortiguard | fortimanager}
    set vdom <name_string>
end
Example
This example shows how to configure remote service between a FortiGate unit and a FortiManager unit that has an IP address of 172.16.55.121 and a serial number of FMG40A3906500505. The connection between the FortiGate and FortiManager units is over the vdom_1 VDOM.
config system central-management
    set status enable
    set type fortimanager
    set fmg 172.16.55.121
    set serial-number FMG40A3906500505
    set auto-backup enable
    set vdom vdom_1
end
Variables Description Default
allow-monitor {enable | disable}
    Select to allow the remote service to monitor your FortiGate unit.
    Default: disable
allow-push-configuration {enable | disable}
    Select to enable firmware image push updates for your FortiGate unit.
    Default: disable
allow-pushd-firmware {enable | disable}
    Select to enable push firmware.
    Default: disable
allow-remote-firmware-upgrade {enable | disable}
    Select to allow the remote service to upgrade your FortiGate unit with a new firmware image.
    Default: disable
authorized-manager-only {enable | disable}
    Select to restrict access to the authorized manager only.
    Default: disable
auto-backup {enable | disable}
    Select to enable automatic uploading of your FortiGate configuration to the remote service. This creates a backup of your current configuration every time you log out of your FortiGate unit and uploads the backed up configuration file to the remote service.
    Default: disable
fmg <fmg_ipv4>
    Enter the IP address or FQDN of the remote FortiManager server.
    Default: null
schedule-config-restore {enable | disable}
    Select to enable scheduling the restoration of your FortiGate unit's configuration.
    Default: disable
schedule-script-restore {enable | disable}
    Select to enable the restoration of your FortiGate unit's configuration through scripts.
    Default: disable
serial-number <fmg_serial_number>
    Enter the serial number of the remote FortiManager server.
    Default: null
status {enable | disable}
    Select to enable remote management service for your FortiGate unit.
    Default: disable
type {fortiguard | fortimanager}
    Select the type of management server, one of fortiguard or fortimanager. You can enable remote management from a FortiManager unit or the FortiGuard Analysis and Management Service.
    Default: fortimanager
vdom <name_string>
    Enter the name of the VDOM to use when communicating with the FortiManager unit. This keyword is optional.
    Default: root
History
FortiOS v4.0 New. Replaces the older config system fortimanager command.
Related topics
system dns
system management-tunnel
console
Use this command to set the console command mode, the number of lines displayed by the console, and the baud rate.
FortiGate-1000A, 1000AFA2, and 3000A models have an AUX port that can be used for remote console connections using a modem. This port on these models is configured with the system aux command; see aux on page 343.
If this FortiGate unit is connected to a FortiManager unit running scripts, output must be set to standard for scripts to execute properly.
Syntax
config system console
    set baudrate <speed>
    set mode {batch | line}
    set output {standard | more}
end
Example
This example shows how to set the baudrate to 38400 and set the output style to more so it will pause after each screen full of information.
config system console
    set baudrate 38400
    set output more
end
Variables Description Default
baudrate <speed>
    Set the console port baudrate. Select one of 9600, 19200, 38400, 57600, or 115200.
    Default: 9600
mode {batch | line}
    Set the console mode to line or batch. Used for autotesting only.
    Default: line
output {standard | more}
    Set console output to standard (no pause) or more (pause after each screen is full, resume on keypress).
    This setting applies to show or get commands only.
    Default: more
History
FortiOS v2.80 Revised.
FortiOS v2.80 MR2 Command changed from config console to config system console.
FortiOS v2.80 MR4 page keyword removed. output keyword added.
Related topics
system aux
dhcp reserved-address
Use this command to reserve an IP address for a particular client identified by its device MAC address and type of connection. The DHCP server then always assigns the reserved IP address to the client. You can define up to 200 reserved addresses.
Syntax
config system dhcp reserved-address
    edit <name_str>
        set ip <address_ipv4>
        set mac <address_hex>
        set type {regular | ipsec}
end
Example
Use the following command to add a reserved address named client_1 consisting of IP address 192.168.110.3 and MAC address 00:09:0F:0A:01:BC for a regular Ethernet connection.
config system dhcp reserved-address
    edit client_1
        set ip 192.168.110.3
        set mac 00:09:0F:0A:01:BC
        set type regular
end
Note: For this configuration to take effect, you must configure at least one DHCP server using the config system dhcp server command; see dhcp server on page 349.
Variables Description Default
ip <address_ipv4>
    Enter the IP address.
    Default: 0.0.0.0
mac <address_hex>
    Enter the MAC address.
    Default: 00:00:00:00:00:00
type {regular | ipsec}
    Enter the type of the connection to be reserved:
    regular: Client connecting through regular Ethernet
    ipsec: Client connecting through IPSec VPN
    Default: regular
History
FortiOS v2.80 Substantially revised.
FortiOS v3.0 MR7 Maximum number of reserved addresses increased to 200 for all models.
Related topics
system dhcp server
system interface
dhcp server
Use this command to add one or more DHCP servers for any FortiGate interface. As a DHCP server, the interface dynamically assigns IP addresses to hosts on a network connected to the interface. On FortiGate models numbered 100 and below, you can configure up to 8 DHCP servers. On all other models, you can configure up to 32 DHCP servers.
You can use the config system dhcp reserved-address command to reserve an address for a specific MAC address. All FortiGate models support up to 200 reserved IP addresses for DHCP. For more information see system dhcp reserved-address on page 348.
You can add more than one DHCP server to a single interface to be able to provide DHCP services to multiple networks. For more information on configuring your network and FortiGate unit to use multiple DHCP servers on one interface, see the System DHCP chapter in the FortiGate Administration Guide.
This command is available in NAT/Route mode only.
Syntax
config system dhcp server
    edit <dhcpservername>
        set conflicted-ip-timeout <timeout_int>
        set default-gateway <address_ipv4>
        set dns-server1 <address_ipv4>
        set dns-server2 <address_ipv4>
        set dns-server3 <address_ipv4>
        set domain <domain_name_str>
        set enable {enable | disable}
        set end-ip <address_ipv4>
        set interface <interface_name>
        set ipsec-lease-hold <release_seconds>
        set lease-time <seconds>
        set netmask <mask>
        set option1 <option_code> [<option_hex>]
        set option2 <option_code> [<option_hex>]
        set option3 <option_code> [<option_hex>]
        set server-type <type>
        set start-ip <address_ipv4>
        set wins-server1 <wins_ipv4>
        set wins-server2 <wins_ipv4>
        config exclude-range
            edit <excl_range_num>
                set end-ip <excl_ipv4>
                set start-ip <excl_ipv4>
        end
end
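A DHCP server entry has several constraints that the CLI syntax alone does not express (start-ip and end-ip in one subnet, lease-time within 300-864,000 seconds or 0, conflicted-ip-timeout within 60-8,640,000 seconds, option codes 1-255 with an even number of hex characters). The following is an added example, not Fortinet code: a Python linter that parses an entry written in this syntax and reports violations of the ranges given in the keyword table for this command. The parser, the sample entry and the additional check that an exclude-range lies inside the pool are this example's own.

```python
"""Lint a 'config system dhcp server' entry against the ranges in this reference.

Added example, not Fortinet code. The range checks come from the keyword
table: start-ip/end-ip in the same subnet, lease-time 300-864000 seconds or
0, conflicted-ip-timeout 60-8640000 seconds, optionN codes 1-255 with an
even number of hex characters. The 'exclude-range inside the pool' check and
the sample entry are this example's own assumptions.
"""
from __future__ import annotations

import ipaddress
import re


def parse_dhcp_server(text: str) -> dict:
    """Parse one entry in the CLI syntax shown above into a flat dict.

    Top-level 'set' lines become keys; each 'edit' under 'config exclude-range'
    becomes a dict in entry['exclude']. The first 'end' closes the sub-block.
    """
    entry: dict = {"exclude": []}
    in_exclude = False
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:2] == ["config", "exclude-range"]:
            in_exclude = True
        elif parts[0] == "end" and in_exclude:
            in_exclude = False
        elif parts[0] == "edit" and in_exclude:
            entry["exclude"].append({})
        elif parts[0] == "set" and len(parts) >= 3:
            key, value = parts[1], " ".join(parts[2:])
            if in_exclude:
                entry["exclude"][-1][key] = value
            else:
                entry[key] = value
    return entry


def lint_dhcp_server(entry: dict) -> list[str]:
    """Return human-readable problems; an empty list means the entry passes."""
    problems: list[str] = []

    def addr(key: str) -> ipaddress.IPv4Address | None:
        try:
            return ipaddress.IPv4Address(entry.get(key, "0.0.0.0"))
        except ValueError:
            problems.append(f"{key}: {entry.get(key)!r} is not an IPv4 address")
            return None

    start, end = addr("start-ip"), addr("end-ip")
    netmask = entry.get("netmask", "0.0.0.0")
    if start is not None and end is not None:
        if start > end:
            problems.append("start-ip is higher than end-ip")
        try:
            pool = ipaddress.IPv4Network(f"{start}/{netmask}", strict=False)
            if end not in pool:
                problems.append("start-ip and end-ip are not in the same subnet")
        except ValueError:
            problems.append(f"netmask {netmask!r} is not a valid mask")

    lease = int(entry.get("lease-time", "604800"))
    if lease != 0 and not 300 <= lease <= 864000:
        problems.append(f"lease-time {lease} is outside 300-864000 (or 0 for unlimited)")
    timeout = int(entry.get("conflicted-ip-timeout", "1800"))
    if not 60 <= timeout <= 8640000:
        problems.append(f"conflicted-ip-timeout {timeout} is outside 60-8640000")

    for n in (1, 2, 3):
        value = entry.get(f"option{n}")
        if value is None:
            continue
        code, _, hexpart = value.partition(" ")
        if not (code.isdigit() and 1 <= int(code) <= 255):
            problems.append(f"option{n}: code {code!r} must be 1-255")
        if hexpart and not (re.fullmatch(r"[0-9a-fA-F]+", hexpart) and len(hexpart) % 2 == 0):
            problems.append(f"option{n}: {hexpart!r} must be an even number of hex characters")

    # Assumption (not stated in the reference): an exclusion outside the pool
    # excludes nothing, so it is reported as a probable mistake.
    for i, ex in enumerate(entry["exclude"], 1):
        try:
            ex_start = ipaddress.IPv4Address(ex.get("start-ip", "0.0.0.0"))
            ex_end = ipaddress.IPv4Address(ex.get("end-ip", "0.0.0.0"))
        except ValueError:
            problems.append(f"exclude-range {i}: bad address")
            continue
        if start is not None and end is not None and not (start <= ex_start <= ex_end <= end):
            problems.append(f"exclude-range {i}: {ex_start}-{ex_end} is not inside the pool")
    return problems


# Constructed sample entry with three deliberate mistakes: end-ip in another
# /24, lease-time below 300, and an odd-length option2 hex string.
SAMPLE_ENTRY = """\
config system dhcp server
    edit 1
        set interface internal
        set start-ip 192.168.110.10
        set end-ip 192.168.111.250
        set netmask 255.255.255.0
        set default-gateway 192.168.110.1
        set lease-time 120
        set option1 42 c0a86e01
        set option2 66 abc
        config exclude-range
            edit 1
                set start-ip 192.168.110.50
                set end-ip 192.168.110.60
        end
end
"""

if __name__ == "__main__":
    for problem in lint_dhcp_server(parse_dhcp_server(SAMPLE_ENTRY)):
        print("-", problem)
```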
Variables
conflicted-ip-timeout <timeout_int>
    Enter the time in seconds to wait before a conflicted IP address is removed from the DHCP range.
    Valid range is from 60 to 8640000 seconds (1 minute to 100 days).
    Default: 1800
default-gateway <address_ipv4>
    The IP address of the default gateway that the DHCP server assigns to DHCP clients.
    Default: 0.0.0.0
dns-server1 <address_ipv4>
    The IP address of the first DNS server that the DHCP server assigns to DHCP clients.
    Default: 0.0.0.0
dns-server2 <address_ipv4>
    The IP address of the second DNS server that the DHCP server assigns to DHCP clients.
    Default: 0.0.0.0
dns-server3 <address_ipv4>
    The IP address of the third DNS server that the DHCP server assigns to DHCP clients.
    Default: 0.0.0.0
domain <domain_name_str>
    Domain name suffix for the IP addresses that the DHCP server assigns to DHCP clients.
    Default: none
enable {enable | disable}
    Enable or disable this DHCP server.
    Default: enable
end-ip <address_ipv4>
    The ending IP for the range of IP addresses that this DHCP server assigns to DHCP clients. The IP
    range is defined by the start-ip and end-ip keywords, which should both be in the same subnet.
    Default: 0.0.0.0
interface <interface_name>
    The interface of the DHCP server.
    Default: internal
ipsec-lease-hold <release_seconds>
    Set the DHCP lease release delay in seconds for DHCP-over-IPSec tunnels when the tunnel goes
    down. A value of 0 disables the forced expiry of the DHCP-over-IPSec leases.
    Visible only when server-type is set to ipsec.
    Default: 60
lease-time <seconds>
    The interval in seconds after which a DHCP client must ask the DHCP server for new settings. The
    lease duration must be between 300 and 864,000 seconds (10 days).
    Set lease-time to 0 for an unlimited lease time.
    Default: 604,800 (7 days)
netmask <mask>
    The DHCP client netmask assigned by the DHCP server.
    Default: 0.0.0.0
option1 <option_code> [<option_hex>]
option2 <option_code> [<option_hex>]
option3 <option_code> [<option_hex>]
    The first, second, and third custom DHCP options that can be sent by the DHCP server. option_code
    is the DHCP option code in the range 1 to 255. option_hex is an even number of hexadecimal
    characters. For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP
    Vendor Extensions.
    Default: none
server-type <type>
    Enter the type of client to serve:
        regular    Client connects through regular Ethernet
        ipsec      Client connects through IPSec VPN
    Default: regular
start-ip <address_ipv4>
    The starting IP for the range of IP addresses that this DHCP server assigns to DHCP clients. The IP
    range is defined by the start-ip and end-ip keywords, which should both be in the same subnet.
    Default: 0.0.0.0
wins-server1 <wins_ipv4>
    The IP address of the first WINS server that the DHCP server assigns to DHCP clients.
    Default: 0.0.0.0
wins-server2 <wins_ipv4>
    The IP address of the second WINS server that the DHCP server assigns to DHCP clients.
    Default: 0.0.0.0
config exclude-range
    Configure a range of IP addresses to exclude from the list of DHCP addresses that are available.
edit <excl_range_num>
    Enter an integer ID for this exclusion range. You can add up to 16 exclusion ranges of IP addresses
    that the FortiGate DHCP server cannot assign to DHCP clients.
    Default: none
start-ip <excl_ipv4>
    The start IP address in the exclusion range. The start IP and end IP must be in the same subnet.
    This keyword applies to exclude-range.
    Default: 0.0.0.0
end-ip <excl_ipv4>
    The end IP address in the exclusion range. The start IP and end IP must be in the same subnet.
    This keyword applies to exclude-range.
    Default: 0.0.0.0
Example
Use the following command to add a DHCP server named new_dhcp. This DHCP server assigns IP
addresses to computers connected to the same network as the internal interface. The IP addresses
assigned are in the range 192.168.33.100 to 192.168.33.200. The example DHCP configuration also sets
the netmask, default gateway, two DNS server IP addresses, the lease time, and one WINS server.
config system dhcp server
    edit new_dhcp
        set interface internal
        set start-ip 192.168.33.100
        set end-ip 192.168.33.200
        set netmask 255.255.255.0
        set default-gateway 192.168.33.1
        set dns-server1 56.34.56.96
        set dns-server2 56.34.56.99
        set lease-time 4000
        set wins-server1 192.168.33.45
    end
The following command shows how to add an exclusion range from 192.168.20.22 to 192.168.20.25.
config system dhcp server
    edit new_dhcp
        config exclude-range
            edit 1
                set start-ip 192.168.20.22
                set end-ip 192.168.20.25
            end
    end
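The limits listed above (start-ip and end-ip in one subnet, lease-time 0 or 300 to 864,000, option codes 1 to 255 with an even number of hex digits, at most 16 exclusion ranges in the same subnet) can be checked before a configuration is pushed to the unit. The following script is an added example, not Fortinet code: its parser, the bad_dhcp entry and the option 42 value are constructed for illustration, and it accepts next as well as end to close an entry.

```python
"""Check 'config system dhcp server' text against the limits the FortiGate 4.0
CLI reference states. Added example, not Fortinet code; parser and sample are constructed."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample: the reference's new_dhcp example with an exclusion range and
# option 42 (NTP servers, RFC 2132) carrying 192.168.33.1 as hex, then a server
# that breaks several documented limits.
SAMPLE_CONFIG = """
config system dhcp server
    edit new_dhcp
        set start-ip 192.168.33.100
        set end-ip 192.168.33.200
        set netmask 255.255.255.0
        set default-gateway 192.168.33.1
        set lease-time 4000
        set option1 42 c0a82101
        config exclude-range
            edit 1
                set start-ip 192.168.33.150
                set end-ip 192.168.33.160
            next
        end
    next
    edit bad_dhcp
        set start-ip 192.168.33.100
        set end-ip 192.168.34.200
        set netmask 255.255.255.0
        set lease-time 100
        set option1 300 abc
        config exclude-range
            edit 1
                set start-ip 10.0.0.1
                set end-ip 10.0.0.5
            next
        end
    next
end
"""

def parse_config(text: str) -> dict:
    """Nest 'config'/'edit' scopes as dicts and keep 'set' values as strings.
    'next' and 'end' both close a scope (the reference closes entries with 'end')."""
    root: dict = {}
    stack: List[dict] = [root]
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        verb, args = parts[0], parts[1:]
        if verb in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif verb == "set" and args:
            stack[-1][args[0]] = " ".join(args[1:])
        elif verb in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root

def _in_range(value: str, lo: int, hi: int) -> bool:
    return value.isdigit() and lo <= int(value) <= hi

def validate_dhcp_server(name: str, s: dict) -> List[str]:
    """Return the documented constraints this server entry violates."""
    problems = []
    mask = s.get("netmask", "0.0.0.0")
    def subnet(addr):  # the subnet an address falls in under this server's netmask
        return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    start = ipaddress.IPv4Address(s.get("start-ip", "0.0.0.0"))
    end = ipaddress.IPv4Address(s.get("end-ip", "0.0.0.0"))
    if end not in subnet(start):
        problems.append(f"{name}: start-ip and end-ip are not in the same subnet")
    lease = s.get("lease-time", "604800")  # default is 7 days
    if not (lease == "0" or _in_range(lease, 300, 864000)):
        problems.append(f"{name}: lease-time {lease} must be 0 or 300..864000")
    conflict = s.get("conflicted-ip-timeout", "1800")
    if not _in_range(conflict, 60, 8640000):
        problems.append(f"{name}: conflicted-ip-timeout {conflict} must be 60..8640000")
    for key in ("option1", "option2", "option3"):
        fields = s.get(key, "").split()
        if fields and not _in_range(fields[0], 1, 255):
            problems.append(f"{name}: {key} code {fields[0]} must be 1..255")
        if len(fields) > 1 and not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", fields[1]):
            problems.append(f"{name}: {key} data must be an even number of hex digits")
    excl = s.get("exclude-range", {})
    if len(excl) > 16:
        problems.append(f"{name}: {len(excl)} exclusion ranges exceed the limit of 16")
    for rid, r in excl.items():
        lo = ipaddress.IPv4Address(r.get("start-ip", "0.0.0.0"))
        hi = ipaddress.IPv4Address(r.get("end-ip", "0.0.0.0"))
        if subnet(lo) != subnet(hi):
            problems.append(f"{name}: exclude-range {rid} spans two subnets")
        if hi < start or lo > end:  # added sanity check, not a documented limit
            problems.append(f"{name}: exclude-range {rid} {lo}-{hi} lies outside the pool")
    return problems

def check_dhcp_config(text: str) -> Dict[str, List[str]]:
    """Map each server in a 'config system dhcp server' block to its problems."""
    servers = parse_config(text).get("system dhcp server", {})
    return {name: validate_dhcp_server(name, e) for name, e in servers.items()}
```

Running check_dhcp_config(SAMPLE_CONFIG) reports nothing for new_dhcp and five problems for bad_dhcp.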
History
FortiOS v2.80      Substantially revised.
FortiOS v2.80 MR2  Added domain keyword. Removed discard-age keyword.
FortiOS v2.80 MR8  default-router changed to default-gateway. config exclude_range subcommand added
                   (formerly config dhcp exclude_range command).
FortiOS v3.0       Changed exclude_range to exclude-range.
FortiOS v3.0 MR1   Removed edit keyword.
FortiOS v3.0 MR3   Added edit keyword.
FortiOS v3.0 MR5   Added conflicted-ip-timeout keyword.
FortiOS v3.0 MR6   Added ipsec-lease-hold keyword.
Related topics
system dhcp reserved-address
system interface
dns
Use this command to set the DNS server addresses. Several FortiGate functions, including sending email
alerts and URL blocking, use DNS.
On models numbered 100 and lower, you can use this command to configure DNS forwarding. The
autosvr and fwdintf keywords are only available on FortiGate models numbered 100 and lower.
Syntax
config system dns
    set autosvr {enable | disable}
    set cache-notfound-responses {enable | disable}
    set dns-cache-limit <integer>
    set dns-cache-ttl <int>
    set domain <domain_name>
    set fwdintf <interface>
    set primary <dns_ipv4>
    set secondary <dns_ipv4>
end
Example
This example shows how to set the primary FortiGate DNS server IP address to 45.37.121.76 and the
secondary FortiGate DNS server IP address to 45.37.121.77.
config system dns
    set primary 45.37.121.76
    set secondary 45.37.121.77
end
Keywords and variables
autosvr {enable | disable}
    Enable or disable DNS forwarding.
    Available only on models numbered 100 and lower in NAT/Route mode.
    Default: disable
cache-notfound-responses {enable | disable}
    Enable to cache NOTFOUND responses from the DNS server.
    Default: disable
dns-cache-limit <integer>
    Set the maximum number of entries in the DNS cache.
    Default: 5000
dns-cache-ttl <int>
    Enter the duration, in seconds, that the DNS cache retains information.
    Default: 1800
domain <domain_name>
    Set the local domain name (optional).
    Default: none
fwdintf <interface>
    Enter the interface to which forwarding applies:
        internal
        dmz
    Available on models numbered 100 and lower in NAT/Route mode.
    Default: none
primary <dns_ipv4>
    Enter the primary DNS server IP address.
    Default: 65.39.139.53
secondary <dns_ipv4>
    Enter the secondary DNS server IP address.
    Default: 65.39.139.63
History
FortiOS v2.80      Revised.
FortiOS v2.80 MR2  Added autosvr and fwdintf keywords for models numbered 100 and lower.
FortiOS v2.80 MR8  Added cache-notfound-responses keyword.
FortiOS v3.0 MR7   Added dns-cache-ttl keyword. autosvr disabled by default.
fips-cc
Use this command to set the FortiGate unit into FIPS-CC mode.
Enable Federal Information Processing Standards-Common Criteria (FIPS-CC) mode. This is an
enhanced security mode that is valid only on FIPS-CC-certified versions of the FortiGate firmware.
When switching to FIPS-CC mode, you will be prompted to confirm, and you will have to log in again.
For more information on FIPS-CC mode, see the FIPS-CC technote on the Knowledge Center website.
Note: When you enable FIPS-CC mode, all of the existing configuration is lost.
Syntax
config system fips-cc
    set status {enable | disable}
end
Keywords and variables
status {enable | disable}
    Enable to select FIPS-CC mode operation for the FortiGate unit.
    Default: disable
History
FortiOS v3.0 MR6   Command moved from config system global set CC-mode.
fortianalyzer, fortianalyzer2, fortianalyzer3
Use this command to configure the FortiGate unit to communicate with up to three FortiAnalyzer units.
Once communication with the FortiAnalyzer unit(s) has been configured, you then need to configure
logging to the FortiAnalyzer units using the log fortianalyzer filter and log fortianalyzer setting
commands.
status must be set to enable for the other keywords to be visible.
Syntax
The command syntax is the same for fortianalyzer, fortianalyzer2 and fortianalyzer3.
config system fortianalyzer
    set address-mode {auto-discovery | static}
    set conn-timeout <seconds>
    set encrypt {enable | disable}
    set fdp-device <serial_number>
    set localid <identifier>
    set psksecret <pre-shared_key>
    set server <fortianalyzer_ipv4>
    set status {enable | disable}
    set ver-1 {enable | disable}
end
Note: If the FortiGate unit is connected to a FortiAnalyzer device and a FortiManager device through a
NAT device, changing any fortianalyzer setting on the FortiGate unit will reset the connection with the
FortiManager device. To resolve this issue, create separate virtual IP addresses for the FortiAnalyzer and
FortiManager units to ensure they do not have the same IP address.
Variables
address-mode {auto-discovery | static}
    Select auto-discovery to have the FortiAnalyzer device automatically detect the IP address of this
    FortiGate unit. Select static if the FortiGate unit has a static IP address.
    Default: static
conn-timeout <seconds>
    Enter the number of seconds before the FortiAnalyzer connection times out.
    Default: 10
encrypt {enable | disable}
    Enable to use an IPSec VPN tunnel for communication. Disable to send data as plain text.
    Default: disable
fdp-device <serial_number>
    Enter the serial number of the FortiAnalyzer unit to connect to. This keyword is only available
    when address-mode is set to auto-discovery.
    Default: none
localid <identifier>
    Enter an identifier up to 64 characters long. You must use the same identifier on the FortiGate unit
    and the FortiAnalyzer unit.
    Default: none
psksecret <pre-shared_key>
    Enter the pre-shared key for the IPSec VPN tunnel. This is needed only if encrypt is set to enable.
    Default: none
server <fortianalyzer_ipv4>
    Enter the IP address of the FortiAnalyzer unit. This keyword is only available when address-mode is
    set to static.
    Default: 0.0.0.0
status {enable | disable}
    Enable or disable communication with the FortiAnalyzer unit. The other keywords are available only
    if status is set to enable.
    Default: disable
ver-1 {enable | disable}
    Enable for a FortiAnalyzer 1.0 unit, otherwise disable.
    Default: disable
Example
This example shows how to set the FortiGate unit to communicate with a FortiAnalyzer-400 unit that is
using a static IP address of 192.20.120.100:
config system fortianalyzer
    set address-mode static
    set encrypt enable
    set localid fortianalyzer-400
    set psksecret <128-character string>
    set server 192.20.120.100
    set status enable
    set ver-1 disable
    set conn-timeout 60
end
History
FortiOS v3.0       New
FortiOS v3.0 MR1   Added address-mode variable.
FortiOS v3.0 MR4   Added conn-timeout variable.
Related topics
log fortianalyzer setting
fortiguard
Use this command to configure communications with the FortiGuard Distribution Network (FDN) for
FortiGuard subscription services such as:
    FortiGuard Antivirus and IPS
    FortiGuard Web Filtering and Antispam
    FortiGuard Analysis and Management Service
For FortiGuard Antivirus and IPS, Web Filtering and Antispam, you can alternatively use this command to
configure the FortiGate unit to communicate with a FortiManager system, which can act as a private
FortiGuard Distribution Server (FDS) for those services.
By default, FortiGate units connect to the FDN using a set of default connection settings. You can override
these settings to use IP addresses and port numbers other than the defaults. For example, if you have a
FortiManager unit, you might download a local copy of FortiGuard service updates to the FortiManager
unit, then redistribute those updates by configuring each FortiGate unit's server override feature to connect
to the FortiManager unit's private FDS IP address. For more information about configuring the
FortiManager system to act as a private FDS, see the FortiManager Administration Guide.
IP address and port number overrides for FortiGuard Analysis and Management Service are configured
separately from other FortiGuard services. For more information, see system fortiguard-log on page 362.
For additional information on the FortiGuard Analysis and Management Service, see the FortiGuard
Analysis and Management Service Administration Guide.
Syntax
config system fortiguard
    set hostname <url_str>
    set port {53 | 8888}
    set srv-ovrd {enable | disable}
    set client-override-ip <ovrd_ipv4>
    set client-override-status {enable | disable}
    set service-account-id <id_str>
    set load-balance-servers <number>
    set analysis-service {enable | disable}
    set antispam-status {enable | disable}
    set antispam-cache {enable | disable}
    set antispam-cache-ttl <ttl_int>
    set antispam-cache-mpercent <ram_int>
    set antispam-timeout <timeout_int>
    set avquery-status {enable | disable}
    set avquery-cache {enable | disable}
    set avquery-cache-ttl <ttl_int>
    set avquery-cache-mpercent <max_int>
    set avquery-timeout <timeout_int>
    set central-mgmt-auto-backup {enable | disable}
    set central-mgmt-scheduled-config-restore {enable | disable}
    set central-mgmt-scheduled-upgrade {enable | disable}
    set central-mgmt-status {enable | disable}
    set webfilter-cache {enable | disable}
    set webfilter-cache-ttl <ttl_int>
    set webfilter-status {enable | disable}
    set webfilter-timeout <timeout_int>
    config serv-ovrd-list
        edit <index_int>
            set ip <ovrd_ipv4>
        end
end
Note: If the FortiGate unit is unable to connect to the FDN, verify connectivity on required ports. For a list
of required ports, see the Fortinet Knowledge Center article Traffic Types and TCP/UDP Ports Used by
Fortinet Products.
Remote administration by a FortiManager system is mutually exclusive with remote administration by
FortiGuard Analysis and Management Service. For information about configuring remote administration
by a FortiManager system instead, see system central-management on page 345.
Variables
hostname <url_str>
    Enter the host name of the primary FortiGuard server. FortiGate unit defaults include the host name.
    Use this command only when required to change the host name. Alternatively, configure srv-ovrd.
    This keyword is available only if srv-ovrd is disable.
    Default: service.fortiguard.net
port {53 | 8888}
    Enter the port to use for rating queries to the FortiGuard Web Filtering or FortiGuard Antispam
    service.
    Default: 53
srv-ovrd {enable | disable}
    Enable to override the primary FortiGuard server set in hostname. Specify override server(s) using
    config serv-ovrd-list. Alternatively, configure hostname. hostname is not used and is unavailable
    for configuration when this keyword is enable.
    Default: disable
client-override-ip <ovrd_ipv4>
    Enter the IP address on this FortiGate unit that will be used to connect to the FortiGuard servers.
    This keyword is available only if client-override-status is enable.
    Default: none
client-override-status {enable | disable}
    Enable to force your FortiGate unit to connect to the FortiGuard servers using a specific IP address.
    You must also configure client-override-ip.
    Default: disable
service-account-id <id_str>
    Enter the Service Account ID to use for communications with FortiGuard Analysis Service or
    FortiGuard Management Service.
    Default: none
load-balance-servers <number>
    Enter the number of FortiGuard servers to connect to. By default, the FortiGate unit always uses the
    first server in its FortiGuard server list to connect to the FortiGuard network and
    load-balance-servers is set to 1. You can increase this number up to 20 if you want the FortiGate
    unit to use a different FortiGuard server each time it contacts the FortiGuard network. If you set
    load-balance-servers to 2, the FortiGate unit alternates between checking the first two servers in
    the FortiGuard server list.
    Default: 1
analysis-service {enable | disable}
    Enable or disable the FortiGuard Analysis and Management Service.
    Default: disable
antispam-status {enable | disable}
    Enable or disable use of FortiGuard Antispam.
    Default: disable
antispam-cache {enable | disable}
    Enable or disable caching of FortiGuard Antispam query results, including IP address and URL block
    list. Enabling the cache can improve performance because the FortiGate unit does not need to access
    the FDN or FortiManager unit each time the same IP address or URL appears as the source of an
    email. When the cache is full, the least recently used cache entry is replaced.
    Default: disable
antispam-cache-ttl <ttl_int>
    Enter a time to live (TTL), in seconds, for antispam cache entries. When the TTL expires, the cache
    entry is removed, requiring the FortiGate unit to query the FDN or FortiManager unit the next time
    that item occurs in scanned traffic. Valid TTL ranges from 300 to 86400 seconds.
    Default: 1800
antispam-cache-mpercent <ram_int>
    Enter the maximum percentage of memory (RAM) to use for antispam caching. Valid percentage ranges
    from 1 to 15.
    Default: 2
antispam-expiration
    The expiration date of the FortiGuard Antispam service contract. This variable can be viewed with
    the get command, but cannot be set.
    Default: N/A
antispam-license
    The interval of time between license checks for the FortiGuard Antispam service contract. This
    variable can be viewed with the get command, but cannot be set.
    Default: 7
antispam-timeout <timeout_int>
    Enter the FortiGuard Antispam query timeout. Valid timeout ranges from 1 to 30 seconds.
    Default: 7
avquery-status {enable | disable}
    Enable or disable use of FortiGuard Antivirus.
    Default: disable
avquery-cache {enable | disable}
    Enable or disable caching of FortiGuard Antivirus query results. Enabling the cache can improve
    performance because the FortiGate unit does not need to access the FDN each time the same IP
    address or URL appears as the source of an email. When the cache is full, the least recently used
    cache entry is replaced.
    Default: enable
avquery-cache-ttl <ttl_int>
    Enter a time to live (TTL), in seconds, for antivirus cache entries. When the TTL expires, the cache
    entry is removed, requiring the FortiGate unit to query the FDN or FortiManager unit the next time
    that item occurs in scanned traffic. Valid TTL ranges from 300 to 86400 seconds.
    Default: 1800
avquery-cache-mpercent <max_int>
    Enter the maximum percentage of memory to be used for FortiGuard Antivirus query caching. Valid
    percentage ranges from 1 to 15.
    Default: 2
avquery-license
    The interval of time between license checks for the FortiGuard Antivirus service contract. This
    variable can be viewed with the get command, but cannot be set.
    Default: Unknown
avquery-expiration
    The expiration date of the FortiGuard Antivirus service contract. This variable can be viewed with
    the get command, but cannot be set.
    Default: N/A
avquery-timeout <timeout_int>
    Enter the time limit in seconds for the FortiGuard Antivirus service query timeout. Valid timeout
    ranges from 1 to 30.
    Default: 7
central-mgmt-auto-backup {enable | disable}
    Enable automatic backup of the FortiGate unit's configuration to FortiGuard Analysis and
    Management Service upon an administrator's logout or session timeout.
    This keyword is available only if central-mgmt-status is enable.
    Default: disable
central-mgmt-scheduled-config-restore {enable | disable}
    Enable scheduled restoration of the FortiGate unit's configuration from FortiGuard Analysis and
    Management Service.
    This keyword is available only if central-mgmt-status is enable.
    Default: disable
central-mgmt-scheduled-upgrade {enable | disable}
    Enable scheduled upgrades of the FortiGate unit's firmware by FortiGuard Analysis and Management
    Service.
    This keyword is available only if central-mgmt-status is enable.
    Default: disable
central-mgmt-status {enable | disable}
    Enable remote administration of the FortiGate unit by FortiGuard Analysis and Management Service.
    You must also configure service-account-id.
    For more information about validating or updating the FortiGuard Analysis and Management contract,
    see execute fortiguard-log update on page 625. For more information about configuring the remote
    management tunnel and connections initiated by the FortiGuard Analysis and Management Service
    rather than the FortiGate unit, see system management-tunnel on page 406.
    Default: disable
webfilter-cache {enable | disable}
    Enable or disable caching of FortiGuard Web Filtering query results, including category ratings for
    URLs. Enabling the cache can improve performance because the FortiGate unit does not need to access
    the FDN or FortiManager unit each time the same IP address or URL is requested. When the cache is
    full, the least recently used cache entry is replaced.
    Default: disable
webfilter-cache-ttl <ttl_int>
    Enter a time to live (TTL), in seconds, for web filtering cache entries. When the TTL expires, the
    cache entry is removed, requiring the FortiGate unit to query the FDN or FortiManager unit the next
    time that item occurs in scanned traffic. Valid TTL ranges from 300 to 86400 seconds.
    Default: 3600
webfilter-expiration
    The expiration date of the FortiGuard Web Filtering service contract. This variable can be viewed
    with the get command, but cannot be set.
    Default: N/A
webfilter-license
    The interval of time between license checks for the FortiGuard Web Filtering service contract.
    Initially, this value is unknown, and is set after contacting the FDN to validate the FortiGuard Web
    Filtering license. This variable can be viewed with the get command, but cannot be set.
    Default: Unknown
webfilter-status {enable | disable}
    Enable or disable use of the FortiGuard Web Filtering service.
    Default: disable
webfilter-timeout <timeout_int>
    Enter the FortiGuard Web Filtering query timeout. Valid timeout ranges from 1 to 30 seconds.
    Default: 15
config serv-ovrd-list
    This command is available only if srv-ovrd is enable.
<index_int>
    Enter the index number of a FortiGuard Antivirus and IPS server override.
    Default: none
ip <ovrd_ipv4>
    Enter the IP address that will override the default server IP address. This may be the IP address of
    a FortiManager unit or a specific FDN server.
    Default: 0.0.0.0
Example
This example shows how to configure the FortiGate unit for remote administration by FortiGuard Analysis
and Management Service.
config system fortiguard
    set central-mgmt-status enable
    set service-account-id ExampleCo
    set central-mgmt-auto-backup enable
    set central-mgmt-scheduled-config-restore enable
    set central-mgmt-scheduled-upgrade enable
end
config system management-tunnel
end
History
FortiOS v3.0       New.
FortiOS v3.0 MR2   Added get system fortiguard-service status command reference.
FortiOS v3.0 MR5   Added service-account-id, central-mgmt-status, central-mgmt-schedule-upgrade,
                   central-mgmt-auto-backup, and central-mgmt-scheduled-config-restore for FortiGuard
                   Analysis and Management Service and future FortiManager system features.
FortiOS v3.0 MR7   Added load-balance-servers keyword and the analysis-service keyword.
Related topics
get system dashboard
system fortiguard-log
system central-management
system management-tunnel
fortiguard setting
fortiguard-log
Use this command to override the default ports and IP addresses that the FortiGate unit connects to for
FortiGuard Analysis and Management Service.
Syntax
config system fortiguard-log
    set controller-ip <address_ipv4>
    set controller-port <port_int>
    set override-controller {enable | disable}
end
Variables
controller-ip <address_ipv4>
    Enter the IP address of the FortiGuard Analysis and Management Service controller.
    This option appears only if override-controller is enable.
    Default: 0.0.0.0
controller-port <port_int>
    Enter the port number of the FortiGuard Analysis and Management Service controller. Valid ports
    range from 0 to 65535.
    This option appears only if override-controller is enable.
    Default: 0
override-controller {enable | disable}
    Select to override the default FortiGuard Analysis and Management Service controller IP address
    and/or port.
    Default: disable
Example
This example shows how to override the default IP address and port number to which the FortiGate unit
connects when communicating with the FortiGuard Analysis and Management Service for features such as
remote logging and reporting.
config system fortiguard-log
    set override-controller enable
    set controller-ip 172.16.21.155
    set controller-port 1234
end
History
FortiOS v3.0 MR4   New.
Related topics
system fortiguard
system management-tunnel
fortiguard setting
global
Use this command to configure global settings that affect various FortiGate systems and configurations.
Runtime-only config mode was introduced in FortiOS v3.0 MR2. This mode allows you to try out
commands that may put your FortiGate unit into an unrecoverable state normally requiring a physical
reboot. In runtime-only config mode you can set a timeout so that after a period of no input activity the
FortiGate unit reboots with the last saved configuration. Another option in runtime-only configuration
mode is to manually save your configuration periodically to preserve your changes. For more information
see set cfg-save {automatic | manual | revert}, set cfg-revert-timeout <seconds>, and
execute cfg reload.
Switch mode is available on FortiWiFi 60B, FortiGate 60B, FortiGate 100A (Rev2.0 and higher), and
FortiGate 200A (Rev2.0 and higher) models where the internal interface is a four or six port switch.
Normally the internal interface is configured as one interface shared by all four ports. Switch mode allows
you to configure each port on the switch separately, as its own interface. A VLAN cannot be configured
on a switch interface. Consult your release notes for the most current list of supported models for this
feature. The keywords internal-switch-mode {interface | switch} and
internal-switch-speed {100full | 100half | 10full | 10half | auto} apply only to FortiGate
models that support switch mode.
Syntax
config system global
    set access-banner {enable | disable}
    set admin-https-pki-required {enable | disable}
    set admin-lockout-duration <time_int>
    set admin-lockout-threshold <failed_int>
    set admin-maintainer {enable | disable}
    set admin-port <port_number>
    set admin-scp {enable | disable}
    set admin-server-cert {self-sign | <certificate>}
    set admin-sport <port_number>
    set admin-ssh-port <port_number>
    set admin-ssh-v1 {enable | disable}
    set admin-telnet-port <port_number>
    set admintimeout <admin_timeout_minutes>
    set auth-cert <cert-name>
    set auth-http-port <http_port>
    set auth-https-port <https_port>
    set auth-keepalive {enable | disable}
    set auth-policy-exact-match {enable | disable}
    set av-failopen {idledrop | off | one-shot | pass}
    set av-failopen-session {enable | disable}
    set batch-cmdb {enable | disable}
    set cfg-save {automatic | manual | revert}
    set cfg-revert-timeout <seconds>
    set check-protocol-header {loose | strict}
    set check-reset-range {enable | disable}
    set clt-cert-req {enable | disable}
    set conn-tracking {enable | disable}
    set daily-restart {enable | disable}
    set detection-summary {enable | disable}
    set dst {enable | disable}
    set endpoint-control-portal-port <endpoint_port>
    set failtime <failures_count>
    set fds-statistics {enable | disable}
    set fds-statistics-period <minutes>
    set forticlient-portal-port <port>
    set fortiswitch-heartbeat {enable | disable}
    set fsae-burst-size <packets>
    set fsae-rate-limit <pkt_sec>
    set gui-ipv6 {enable | disable}
    set gui-lines-per-page <gui_lines>
    set hostname <unit_hostname>
    set http-obfuscate {header-only | modified | no-error | none}
    set ie6workaround {enable | disable}
    set internal-switch-mode {interface | switch}
    set internal-switch-speed {100full | 100half | 10full | 10half | auto}
    set interval <deadgw_detect_seconds>
    set ip-src-port-range <start_port>-<end_port>
    set language <language>
    set lcdpin <pin_number>
    set lcdprotection {enable | disable}
    set ldapconntimeout <ldaptimeout_msec>
    set loglocaldeny {enable | disable}
    set management-vdom <domain>
    set ntpserver <ntp_server_address>
    set ntpsync {enable | disable}
    set optimize {antivirus | throughput}
    set phase1-rekey {enable | disable}
    set radius-port <radius_port>
    set refresh <refresh_seconds>
    set remoteauthtimeout <remoteauth_timeout_mins>
    set reset-sessionless-tcp {enable | disable}
    set restart-time <hh:mm>
    set send-pmtu-icmp {enable | disable}
    set show-backplane-intf {enable | disable}
    set sslvpn-sport <port_number>
    set strong-crypto {enable | disable}
    set syncinterval <ntpsync_minutes>
    set tcp-halfclose-timer <seconds>
    set tcp-halfopen-timer <seconds>
    set tcp-option {enable | disable}
    set tcp-timewait-timer <seconds_int>
    set timezone <timezone_number>
    set tos-based-priority {low | medium | high}
    set tp-mc-skip-policy {enable | disable}
    set udp-idle-timer <seconds>
    set user-server-cert <cert_name>
    set vdom-admin {enable | disable}
    set vip-arp-range {unlimited | restricted}
end
Keywords and variables    Description    Default

access-banner {enable | disable}
    Enable to display the admin access disclaimer message. For more information see system replacemsg admin on page 415.
    Default: disable

admin-https-pki-required {enable | disable}
    Enable to allow users to log in by providing a valid certificate when PKI is enabled for HTTPS administrative access. The default setting, disable, allows admin users to log in by providing either a valid certificate or a password.
    Default: disable

admin-lockout-duration <time_int>
    Set the lockout duration for administration accounts, in seconds, for the firewall. Repeated failed login attempts trigger the lockout. Use admin-lockout-threshold to set the number of failed attempts that will trigger the lockout.
    Default: 60

admin-lockout-threshold <failed_int>
    Set the threshold, or number of failed attempts, before the account is locked out for the admin-lockout-duration.
    Default: 3

admin-maintainer {enable | disable}
    Enabled by default. Disable for CC.
    Default: enable

admin-port <port_number>
    Enter the port to use for HTTP administrative access.
    Default: 80

admin-scp {enable | disable}
    Enable to allow system configuration download by the secure copy (SCP) protocol.
    Default: disable

admin-server-cert {self-sign | <certificate>}
    Select the admin HTTPS server certificate to use. Choices include self-sign, and the filename of any installed certificate. The default setting is Fortinet_Factory, if available, otherwise self-sign.
    Default: see definition under Description.

admin-sport <port_number>
    Enter the port to use for HTTPS administrative access.
    Default: 443

admin-ssh-port <port_number>
    Enter the port to use for SSH administrative access.
    Default: 22

admin-ssh-v1 {enable | disable}
    Enable compatibility with SSH v1.0.
    Default: disable

admin-telnet-port <port_number>
    Enter the port to use for telnet administrative access.
    Default: 21

admintimeout <admin_timeout_minutes>
    Set the number of minutes before an idle administrator times out. This controls the amount of inactive time before the administrator must log in again. The maximum admintimeout interval is 480 minutes (8 hours).
    To improve security, keep the idle timeout at the default value of 5 minutes.
    Default: 5

auth-cert <cert-name>
    HTTPS server certificate for policy authentication. self-sign is the built-in certificate, but others will be listed as you add them.
    Default: self-sign

auth-http-port <http_port>
    Set the HTTP authentication port. <http_port> can be from 1 to 65535.
    Default: 1000

auth-https-port <https_port>
    Set the HTTPS authentication port. <https_port> can be from 1 to 65535.
    Default: 1003

auth-keepalive {enable | disable}
    Enable to extend the authentication time of the session through periodic traffic to prevent an idle timeout.
    Default: disable

auth-policy-exact-match {enable | disable}
    Enable to require traffic to exactly match an authenticated policy, by policy ID and IP address, to pass through. When disabled, only the IP address needs to match.
    Default: disable
av-failopen {idledrop | off | one-shot | pass}
    Set the action to take if there is an overload of the antivirus system. Valid options are idledrop, off, one-shot, and pass.
    Enter idledrop to drop connections based on the clients that have the most connections open. This is most useful for Windows applications, and can prevent malicious bots from keeping a connection open to a remote server.
    Enter off to stop accepting new AV sessions when entering conserve mode, but continue to process current active sessions.
    Enter one-shot to bypass the antivirus system when memory is low. You must enter off or pass to restart antivirus scanning.
    Enter pass to bypass the antivirus system when memory is low. Antivirus scanning resumes when the low memory condition is resolved.
    This applies to FortiGate models numbered 300A and higher.
    Default: pass

av-failopen-session {enable | disable}
    When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen.
    This applies to models numbered 300A and higher.
    Default: disable

batch-cmdb {enable | disable}
    Enable or disable batch mode.
    Batch mode is used to enter a series of commands and execute them as a group once they are loaded. For more information, see execute batch on page 611.
    Default: enable

cfg-save {automatic | manual | revert}
    Set the method for saving the FortiGate system configuration and enter runtime-only configuration mode. Methods for saving the configuration are:
    automatic: automatically save the configuration after every change
    manual: manually save the configuration using the execute cfg save command
    revert: manually save the current configuration and then revert to that saved configuration after cfg-revert-timeout expires
    Switching to automatic mode disconnects your session.
    This command is used as part of the runtime-only configuration mode. See execute cfg reload on page 613 for more information.
    Default: automatic

cfg-revert-timeout <seconds>
    Enter the timeout interval in seconds. If the administrator makes a change and there is no activity for the timeout period, the FortiGate unit will automatically revert to the last saved configuration. The default timeout is 600 seconds.
    This command is available only when cfg-save is set to revert.
    This command is part of the runtime-only configuration mode. See execute cfg reload on page 613 for more information.
    Default: 600

check-reset-range {enable | disable}
    Set whether RST out-of-window checking is performed. If set to strict (enable), the RST must fall between the last ACK and the next send. If set to disable, no check is performed.
    Default: disable

check-protocol-header {loose | strict}
    Select the level of checking performed on protocol headers.
    Default: loose
clt-cert-req {enable | disable}
    Enable to require a client certificate before an administrator logs on to the web-based manager using HTTPS.
    Default: disable

conn-tracking {enable | disable}
    Enable to have the firewall drop SYN packets after the connection has been established with the remote system. This helps prevent a SYN flood and frees up system resources.
    Default: enable

daily-restart {enable | disable}
    Enable to restart the FortiGate unit every day. The time of the restart is controlled by restart-time.
    Default: disable

detection-summary {enable | disable}
    Disable to prohibit the collection of detection summary statistics for FortiGuard.
    Default: enable

dst {enable | disable}
    Enable or disable daylight saving time. If you enable daylight saving time, the FortiGate unit adjusts the system time when the time zone changes to daylight saving time and back to standard time.
    Default: disable

endpoint-control-portal-port <endpoint_port>
    Enter the port number, from 1 to 65535, of the endpoint control portal used for FortiClient downloads.
    Default: 8009

failtime <failures_count>
    Set the dead gateway detection failover interval. Enter the number of times that ping fails before the FortiGate unit assumes that the gateway is no longer functioning. 0 disables dead gateway detection.
    Default: 5

fds-statistics {enable | disable}
    Enable or disable AV/IPS signature reporting. If necessary, disable to avoid error messages on HA subordinate units during an AV/IPS update.
    Default: enable

fds-statistics-period <minutes>
    Select the number of minutes in the FDS report period. The range is 1 to 1440 minutes.
    Default: 60

forticlient-portal-port <port>
    Enter the HTTP port used to download a copy of FortiClient. Valid numbers are from 0 to 65535.
    On the FortiGate models 1000A, 3600A, and 5005FA2, firewall policies can deny access for hosts that do not have FortiClient Host Security software installed and operating. For more information see the Firewall chapter and the System Maintenance chapter of the FortiGate Administration Guide.
    Default: 8009

fortiswitch-heartbeat {enable | disable}
    Enable or disable sending heartbeat packets from the FortiGate unit backplane fabric interfaces. This keyword is only available for FortiGate-5001A and FortiGate-5005FA2 boards.
    A FortiSwitch-5003A board receives the heartbeat packets to verify that the FortiGate board is still active. The FortiGate board sends 10 packets per second from each fabric interface. The packets are type 255 bridge protocol data unit (BPDU) packets.
    Default: disable

fsae-burst-size <packets>
    Set the FSAE burst size in packets.
    Default: 300

fsae-rate-limit <pkt_sec>
    Set the FSAE message rate limit in packets per second.
    Default: 100

gui-ipv6 {enable | disable}
    Enable or disable the ability to configure IPv6 using the web-based manager.
    Default: disable

gui-lines-per-page <gui_lines>
    Set the number of lines displayed in table lists. The range is from 20 to 1000 lines per page.
    Default: 50
hostname <unithostname>
    Enter a name to identify this FortiGate unit. A hostname can only include letters, numbers, hyphens, and underscores. No spaces are allowed.
    While the hostname can be longer than 16 characters, if it is longer than 16 characters it will be truncated and end with a ~ to indicate it has been truncated. This shortened hostname is displayed in the CLI and in other locations where the hostname is used.
    FortiGate 5000 models support longer hostnames, some up to 35 characters.
    By default the hostname of your FortiGate unit is its serial number, which includes the model.
    Default: FortiGate serial number.

http-obfuscate {header-only | modified | no-error | none}
    Set the level at which the identity of the FortiGate web server is hidden or obfuscated.
    none: does not hide the FortiGate web server identity
    header-only: hides the HTTP server banner
    modified: provides modified error responses
    no-error: suppresses error responses
    Default: none

ie6workaround {enable | disable}
    Enable or disable the workaround for a navigation bar freeze issue caused by using the FortiGate web-based manager with Internet Explorer 6.
    Default: disable

internal-switch-mode {interface | switch}
    Set the mode for the internal switch to either interface or switch.
    The internal interface refers to a switch that has 4 network connections. The switch option is regular operation, with one internal interface that all 4 network connections access. The interface option splits the internal interface into 4 separate interfaces, one for each network connection. A VLAN cannot be configured on a switch interface.
    The default value is switch.
    This applies to all
    Default: switch

internal-switch-speed {100full | 100half | 10full | 10half | auto}
    Set the speed of the switch used for the internal interface. Choose one of 100full, 100half, 10full, 10half, or auto. 100 and 10 refer to 100M or 10M bandwidth. Full and half refer to full or half duplex.
    The default value is auto.
    This applies only to FortiWiFi 60B, FortiGate 60B, 100A (Rev2.0 and higher), and 200A (Rev2.0 and higher) models.
    Default: auto

interval <deadgw_detect_seconds>
    Select the number of seconds between the pings the FortiGate unit sends to the target for dead gateway detection. Selecting 0 disables dead gateway detection.
    Default: 5

ip-src-port-range <start_port>-<end_port>
    Specify the IP source port range used for traffic originating from the FortiGate unit. The valid range for <start_port> and <end_port> is from 1 to 65535 inclusive.
    You can use this setting to avoid problems with networks that block some ports, such as FDN ports.
    Default: 1024-4999

language <language>
    Set the web-based manager display language. You can set <language> to one of english, french, japanese, korean, portuguese, simch (Simplified Chinese) or trach (Traditional Chinese).
    Default: english
lcdpin <pin_number>
    Set the 6-digit PIN administrators must enter to use the LCD panel.
    This applies to FortiGate models numbered 300 to 3600.
    Default: 123456

lcdprotection {enable | disable}
    Enable or disable LCD panel PIN protection.
    This applies to FortiGate models numbered 300 to 3600.
    Default: disable

ldapconntimeout <ldaptimeout_msec>
    LDAP connection timeout in milliseconds.
    Default: 500

loglocaldeny {enable | disable}
    Enable or disable logging of failed connection attempts to the FortiGate unit that use TCP/IP ports other than the TCP/IP ports configured for management access (443 for HTTPS, 22 for SSH, 23 for telnet, and 80 for HTTP by default).
    Default: disable

management-vdom <domain>
    Enter the name of the management virtual domain. Management traffic such as FortiGuard traffic originates from the management VDOM.
    Default: root

ntpserver <ntp_server_address>
    Enter the domain name or IP address of a Network Time Protocol (NTP) server.
    Default: 132.246.168.148

ntpsync {enable | disable}
    Enable or disable automatically updating the system date and time by connecting to a Network Time Protocol (NTP) server. For more information about NTP, and to find the IP address of an NTP server that you can use, see http://www.ntp.org.
    Default: disable

optimize {antivirus | throughput}
    Set firmware performance optimization to either antivirus or throughput.
    This is available on FortiGate models numbered 1000 and higher.
    Default: antivirus

phase1-rekey {enable | disable}
    Enable or disable automatic rekeying between IKE peers before the phase 1 keylife expires.
    Default: enable

radius-port <radius_port>
    Change the default RADIUS port. The default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645 you can use the CLI to change the default RADIUS port on your FortiGate unit.
    Default: 1812

refresh <refresh_seconds>
    Set the Automatic Refresh Interval, in seconds, for the web-based manager System Status Monitor. Enter 0 for no automatic refresh.
    Default: 0

remoteauthtimeout <remoteauth_timeout_mins>
    Timeout for RADIUS/LDAP authentication, in minutes.
    To improve security, keep the remote authentication timeout at the default value of 5 minutes.
    Default: 5
reset-sessionless-tcp {enable | disable}
    Enabling this option may help resolve issues with a problematic server, but it can make the FortiGate unit more vulnerable to denial of service attacks. In most cases you should leave reset-sessionless-tcp disabled.
    The reset-sessionless-tcp command determines what action the FortiGate unit performs if it receives a TCP packet but cannot find a corresponding session in its session table. This happens most often because the session has timed out.
    If you disable reset-sessionless-tcp, the FortiGate unit silently drops the packet. The packet originator does not know that the session has expired and might re-transmit the packet several times before attempting to start a new session. This is normal network operation.
    If you enable reset-sessionless-tcp, the FortiGate unit sends a RESET packet to the packet originator. The packet originator ends the current session, but it can try to establish a new session.
    This is available in NAT/Route mode only.
    Default: disable

restart-time <hh:mm>
    Enter the daily restart time in hh:mm format (hours and minutes).
    This is available only when daily-restart is enabled.
    Default: No default.

send-pmtu-icmp {enable | disable}
    Select enable to send a path maximum transmission unit (PMTU) ICMP destination unreachable packet. Enable if you need to support the PMTUD protocol on your network to reduce fragmentation of packets. Disabling this command will likely result in PMTUD packets being blocked by the unit.

show-backplane-intf {enable | disable}
    Select enable to show FortiGate-5000 backplane interfaces as port9 and port10. Once these backplanes are visible they can be treated as regular physical interfaces.
    This is only available on FortiGate-5000 models.
    Default: disable

sslvpn-sport <port_number>
    Enter the port to use for SSL-VPN access (HTTPS).
    Default: 443

strong-crypto {enable | disable}
    Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH admin access.
    When strong encryption is enabled, HTTPS is supported by the following web browsers: Netscape 7.2, Netscape 8.0, Firefox, and Microsoft Internet Explorer 7.0 (beta). Note that Microsoft Internet Explorer 5.0 and 6.0 are not supported with strong encryption.
    Default: disable

syncinterval <ntpsync_minutes>
    Enter how often, in minutes, the FortiGate unit should synchronize its time with the Network Time Protocol (NTP) server. The syncinterval number can be from 1 to 1440 minutes. Setting it to 0 disables time synchronization.
    Default: 0

tcp-halfclose-timer <seconds>
    Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded. The valid range is from 1 to 86400 seconds.
    Default: 120

tcp-halfopen-timer <seconds>
    Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded. The valid range is from 1 to 86400 seconds.
    Default: 60
tcp-option {enable | disable}
    Enable SACK, timestamp and MSS TCP options. For normal operation tcp-option should be enabled. Disable for performance testing or in rare cases where it impairs performance.
    Default: enable

tcp-timewait-timer <seconds_int>
    Select the number of seconds the TCP TTL timer will wait before timing out and ending the session. The valid range is 0 to 300 seconds. A value of 0 disables the timer.
    Default: 120 sec

timezone <timezone_number>
    The number corresponding to your time zone, from 00 to 72. Press ? to list time zones and their numbers. Choose the time zone for the FortiGate unit from the list and enter the corresponding number.
    Default: 00

tos-based-priority {low | medium | high}
    Select the default system-wide level of priority for Type of Service (TOS). TOS determines the priority of traffic for scheduling. Typically this is set per service type; see system tos-based-priority for more information.
    The value of this keyword is the default setting used when TOS is not configured on a per-service level.
    Default: high

tp-mc-skip-policy {enable | disable}
    Enable to skip the policy check and allow multicast traffic through.
    Default: disable

udp-idle-timer <seconds>
    Enter the number of seconds before an idle UDP connection times out. The valid range is from 1 to 86400 seconds.
    Default: 180

user-server-cert <cert_name>
    Select the certificate to use for HTTPS user authentication. The default setting is Fortinet_Factory, if available, otherwise self-sign.
    Default: see definition under Description.

vdom-admin {enable | disable}
    Enable to configure multiple virtual domains.
    Default: disable

vip-arp-range {unlimited | restricted}
    vip-arp-range controls the number of ARP packets the FortiGate unit sends for a VIP range.
    If restricted, the FortiGate unit sends ARP packets for only the first 8192 addresses in a VIP range.
    If unlimited, the FortiGate unit sends ARP packets for every address in the VIP range.
    Default: restricted

Example
This example shows how to enable daylight saving time.
config system global
    set dst enable
end
History
FortiOS v2.80: New.
FortiOS v2.80 MR2: The ip-overlap keyword was changed to allow-interface-subnet-overlap.
FortiOS v2.80 MR3: Added av_failopen and reset_sessionless_tcp keywords.
FortiOS v2.80 MR4: Moved date and time to the execute branch. Added phase1-rekey keyword.
FortiOS v2.80 MR6: Added ips-open keyword.
FortiOS v3.0: Removed management-vdom, opmode keywords. Added detection-summary, fsae-burst-size, fsae-rate-limit, ldapconntimeout, remoteauthtimeout. Changed underscore to hyphen in av-failopen, conn-tracking, ip_signature, local_anomaly, mc-ttl-notchange, radius-port, reset-sessionless-tcp, restart-time, tcp-option.
FortiOS v3.0 MR1: Removed sslvpn-enable keyword. Added av-failopen-session, management-vdom, strong-crypto keywords.
FortiOS v3.0 MR2: Added admin-ssh-port, admin-telnet-port, cfg-save, cfg-revert-timeout, tcp-halfopen-timer, tos-based-priority.
FortiOS v3.0 MR3: Added fds-statistics and udp-idle-timer. Removed mc-ttl-notchange, batch_sleep, and multicast-forward.
FortiOS v3.0 MR4: Added access-banner, admin-server-cert, admin-telnet-port, forticlient-portal-port and tcp-halfopen-timer. Removed asymroute.
FortiOS v3.0 MR5: Added admin-https-pki-required, admin-maintainer, user-server-cert, internal-switch-mode, internal-switch-speed, forticlient-portal-port, tp-mc-skip-policy. Added auth-cert command.
FortiOS v3.0 MR6: Modified definition of admin-server-cert and user-server-cert. Removed local-anomaly and CC-mode. Moved authtimeout, auth-secure-http, and auth-type to config user settings. Added new idledrop option for the av-failopen command, and the fds-statistics-period command. Modified default value of the optimize keyword.
FortiOS v3.0 MR7: Removed allow-interface-subnet-overlap. Added tcp-timewait-timer. Added fortiswitch-heartbeat.
FortiOS v3.0 MR7 Patch 1: Added portuguese to the language keyword.
FortiOS v4.0: Added check-protocol-header, admin-lockout-duration, admin-lockout-threshold, endpoint-control-portal-port, send-pmtu-icmp, auth-policy-exact-match. Changed batch_cmdb to batch-cmdb.
Related topics
execute cfg reload
execute cfg save
gre-tunnel
Use this command to configure the tunnel for a GRE interface. A new interface of type tunnel with the same name is created automatically as the local end of the tunnel. This command is available only in NAT/Route mode.
To complete the configuration of a GRE tunnel, you need to:
configure a firewall policy to pass traffic from the local private network to the tunnel interface
configure a static route to the private network at the remote end of the tunnel using the GRE tunnel device
optionally, define the IP addresses for each end of the tunnel to enable dynamic routing through the tunnel or to enable pinging of each end of the tunnel for testing
Syntax
config system gre-tunnel
    edit <tunnel_name>
        set interface <interface_name>
        set local-gw <localgw_IP>
        set remote-gw <remotegw_IP>
end
Variables    Description    Default

edit <tunnel_name>
    Enter a name for the tunnel.
    Default: No default.

interface <interface_name>
    Enter the physical or VLAN interface that functions as the local end of the tunnel.

local-gw <localgw_IP>
    Enter the IP address of the local gateway.

remote-gw <remotegw_IP>
    Enter the IP address of the remote gateway.

Example
In this example, a GRE tunnel is needed between two sites using FortiGate units. Users on the 192.168.2.0/24 network at Site A need to communicate with users on the 192.168.3.0/24 network at Site B. At both sites the private network is connected to Port 2 of the FortiGate unit and the connection to the Internet is through Port 1. At Site A, the public IP address is 172.16.67.199 and at Site B it is 172.16.68.198.

Site A configuration
config system gre-tunnel
    edit toSiteB
        set interface port1
        set local-gw 172.16.67.199
        set remote-gw 172.16.68.198
end

Site B configuration
config system gre-tunnel
    edit toSiteA
        set interface port1
        set local-gw 172.16.68.198
        set remote-gw 172.16.67.199
end
Site A configuration (continued)
config firewall policy
    edit 1
        set src-intf port2
        set dst-intf toSiteB
        set srcaddr all
        set dstaddr all
        set action accept
        set service ANY
        set schedule always
    next
    edit 2
        set src-intf toSiteB
        set dst-intf port2
        set srcaddr all
        set dstaddr all
        set action accept
        set service ANY
        set schedule always
end
config router static
    edit 1
        set device toSiteB
        set dst 192.168.3.0/24
end
(Optional)
config system interface
    edit toSiteB
        set ip 10.0.0.1/32
        set remote-ip 10.0.0.2
        set allowaccess ping
end

Site B configuration (continued)
config firewall policy
    edit 1
        set src-intf port2
        set dst-intf toSiteA
        set srcaddr all
        set dstaddr all
        set action accept
        set service ANY
        set schedule always
    next
    edit 2
        set src-intf toSiteA
        set dst-intf port2
        set srcaddr all
        set dstaddr all
        set action accept
        set service ANY
        set schedule always
end
config router static
    edit 1
        set device toSiteA
        set dst 192.168.2.0/24
end
(Optional)
config system interface
    edit toSiteA
        set ip 10.0.0.2/32
        set remote-ip 10.0.0.1
        set allowaccess ping
end

History
FortiOS v3.0: New.
Related topics
system interface
firewall policy, policy6
router static
ha
Use this command to enable and configure FortiGate high availability (HA) and virtual clustering. HA is supported on FortiGate and FortiWiFi models numbered 60 and higher. Using the config system ha command, you must configure all cluster members with the same group name, mode, and password before the FortiGate units can form a cluster.
Group name, mode, password, as well as priority and group ID, are not synchronized between cluster units. The primary unit synchronizes all other configuration settings, including the other HA configuration settings.
When virtual domains are enabled on FortiGate units operating in HA mode, you are configuring virtual clustering. Using virtual clustering you create two virtual clusters and add virtual domains to each cluster. Configuring virtual clustering is very similar to configuring normal HA, except that in a virtual cluster the HA mode can only be set to active-passive. Additional options are also available for adding virtual domains to each virtual cluster and for setting the device priority of each device in each virtual cluster.
For complete information about how to configure and operate FortiGate HA clusters, and more detail about the config system ha CLI command, see the FortiGate HA Overview, the FortiGate HA Guide, and the Fortinet Knowledge Center.
Syntax
config system ha
    set arps <arp_integer>
    set arps-interval <interval_integer>
    set authentication {disable | enable}
    set encryption {disable | enable}
    set group-id <id_integer>
    set group-name <name_str>
    set hb-interval <interval_integer>
    set hb-lost-threshold <threshold_integer>
    set hbdev <interface_name> <priority_integer> [<interface_name> <priority_integer>] ...
    set helo-holddown <holddown_integer>
    set link-failed-signal {disable | enable}
    set load-balance-all {disable | enable}
    set mode {a-a | a-p | standalone}
    set monitor <interface_names>
    set override {disable | enable}
    set password <password_str>
    set pingserver-failover-threshold <threshold_integer>
    set pingserver-flip-timeout <timeout_integer>
    set pingserver-monitor-interface <interface_names>
    set priority <priority_integer>
    set route-hold <hold_integer>
    set route-ttl <ttl_integer>
    set route-wait <wait_integer>
Note: You cannot enable HA mode if one of the FortiGate unit interfaces uses DHCP or PPPoE to acquire an IP address. If DHCP or PPPoE is configured, the config ha mode keyword is not available. You also cannot enable HA mode if you have configured standalone session synchronization. See system session-sync on page 446.
    set schedule {hub | ip | ipport | leastconnection | none | random | round-robin | weight-round-robin}
    set session-pickup {disable | enable}
    set sync-config {disable | enable}
    set uninterruptable-upgrade {disable | enable}
    set weight <priority_integer> <weight_integer>
    set vdom <vdom_names>
    set vcluster2 {disable | enable}
    config secondary-vcluster
        set monitor <interface_names>
        set override {disable | enable}
        set priority <priority_integer>
        set vdom <vdom_names>
        set pingserver-failover-threshold <threshold_integer>
        set pingserver-monitor-interface <interface_names>
    end
end
Keywords and variables    Description    Default

arps <arp_integer>
    Set the number of times that the primary unit sends gratuitous ARP packets. Gratuitous ARP packets are sent when a cluster unit becomes a primary unit (this can occur when the cluster is starting up or after a failover). Gratuitous ARP packets configure connected network devices to associate the cluster virtual MAC addresses and cluster IP address with primary unit physical interfaces. (This is sometimes called using gratuitous ARP packets to train the network.)
    The arps range is 1 to 16. Normally you would not need to change the arps setting. However, you may need to increase the number of times the primary unit sends gratuitous ARP packets if your cluster takes a long time to fail over or to train the network. Sending more gratuitous ARP packets may help the failover happen faster.
    There may be a number of reasons to reduce the number of times that gratuitous ARP packets are sent. For example, if your cluster has a large number of VLAN interfaces and virtual domains, and because gratuitous ARP packets are broadcast, sending gratuitous ARP packets may generate a lot of network traffic. As long as the cluster still fails over successfully, you could reduce the number of times gratuitous ARP packets are sent to reduce the amount of traffic produced after a failover.
    Depending on your network, you may be able to use both the arps and the arps-interval keywords to improve how quickly your cluster fails over.
    Default: 5

arps-interval <interval_integer>
    Set the number of seconds to wait between sending gratuitous ARP packets. When a cluster unit becomes a primary unit (this occurs when the cluster is starting up or after a failover) the primary unit sends gratuitous ARP packets immediately to inform connected network equipment of the IP address and MAC address of the primary unit. The primary unit then waits for the number of seconds in the arps-interval and sends the gratuitous ARP packets again. This happens until the gratuitous ARP packets have been sent the number of times set by the arps keyword.
    The arps-interval range is 1 to 20 seconds. Normally you would not need to change the arps-interval. However, you may need to decrease the arps-interval to send gratuitous ARP packets more often if your cluster takes a long time to fail over or to train the network.
    There may be a number of reasons to set the arps-interval higher. For example, if your cluster has a large number of VLAN interfaces and virtual domains, and because gratuitous ARP packets are broadcast, sending gratuitous ARP packets may generate a lot of network traffic. As long as the cluster still fails over successfully, you could increase arps-interval to reduce the amount of traffic produced after a failover.
    Default: 8
authentication {disable | enable}
Enable/disable HA heartbeat message authentication. Enabling HA heartbeat message authentication prevents an attacker from creating false HA heartbeat messages. False HA heartbeat messages could affect the stability of the cluster.
Default: disable

encryption {disable | enable}
Enable/disable HA heartbeat message encryption. Enabling HA heartbeat message encryption prevents an attacker from sniffing HA packets to get HA cluster information.
Default: disable

group-id <id_integer>
The HA group ID. The group ID range is from 0 to 63. All members of the HA cluster must have the same group ID. Changing the group ID changes the cluster virtual MAC address.
Default: 0

group-name <name_str>
The HA group name. All cluster members must have the same group name. The maximum length of the group name is 32 characters.
Default: FGT-HA

hb-lost-threshold <threshold_integer>
The lost heartbeat threshold, which is the number of seconds to wait to receive a heartbeat packet from another cluster unit before assuming that the cluster unit has failed. The lost heartbeat threshold range is 1 to 60 seconds.
Default: 6

hb-interval <interval_integer>
The heartbeat interval, which is the time between sending heartbeat packets. The heartbeat interval range is 1 to 20 (100*ms).
Default: 2

hbdev <interface_name> <priority_integer> [<interface_name> <priority_integer>] ...
Select the FortiGate interfaces to be heartbeat interfaces and set the heartbeat priority for each interface. The heartbeat interface with the highest priority processes all heartbeat traffic. If two or more heartbeat interfaces have the same priority, the heartbeat interface with the lowest hash map order value processes all heartbeat traffic. The CLI lists interfaces in alphanumeric order: port1, port2 through port9, port10. Hash map order sorts interfaces in the following order: port1, port10, port2 through port9.
By default two interfaces are configured to be heartbeat interfaces and the priority for both these interfaces is set to 50. The heartbeat interface priority range is 0 to 512. In most cases you can maintain the default hbdev configuration as long as you can connect the hbdev interfaces together.
On the FortiGate-50B only one interface is configured as the default heartbeat interface.
To change the heartbeat interface configuration, enter a list of interface name and priority pairs. Enter the name of each interface followed by the priority. Use a space to separate each interface name and priority pair. If you want to remove an interface from the list, add an interface to the list, or change a priority, you must retype the entire updated list.
Heartbeat communication must be enabled on at least one interface. If heartbeat communication is interrupted the cluster stops processing traffic.
You can select up to 8 heartbeat interfaces. This limit only applies to FortiGate units with more than 8 physical interfaces.
Default: Depends on the FortiGate model.

helo-holddown <holddown_integer>
The hello state hold-down time, which is the number of seconds that a cluster unit waits before changing from hello state to work state. A cluster unit changes from hello state to work state when it starts up. The hello state hold-down time range is 5 to 300 seconds.
Default: 20

link-failed-signal {disable | enable}
Enable or disable shutting down all primary unit interfaces (except for heartbeat device interfaces) for one second when a link failover occurs. If all interfaces are not shut down in this way, some switches may not detect that the primary unit has become a subordinate unit and may keep sending packets to the former primary unit.
Default: disable
load-balance-all {disable | enable}
If mode is set to a-a, configure active-active HA to load balance TCP sessions and sessions for firewall policies that include protection profiles, or to load balance only sessions for firewall policies that include protection profiles. Enter enable to load balance TCP sessions and sessions for firewall policies that include protection profiles. Enter disable to load balance only sessions for firewall policies that include protection profiles. UDP, ICMP, multicast, and broadcast traffic is never load balanced and is always processed by the primary unit. VoIP traffic, IM traffic, IPSec VPN traffic, and SSL VPN traffic is also always processed only by the primary unit.
Default: disable

mode {a-a | a-p | standalone}
Set the HA mode.
Enter a-p to create an Active-Passive HA cluster, in which the primary cluster unit is actively processing all connections and the other cluster units are passively monitoring the cluster status and remaining synchronized with the primary cluster unit.
Enter a-a to create an Active-Active HA cluster, in which each cluster unit is actively processing connections and monitoring the status of the other FortiGate units.
All members of an HA cluster must be set to the same HA mode.
Not available if a FortiGate interface mode is set to dhcp or pppoe.
a-a mode is not available for virtual clusters.
Default: standalone

monitor <interface_names>
Enable or disable port monitoring for link failure. Port monitoring (also called interface monitoring) monitors FortiGate interfaces to verify that the monitored interfaces are functioning properly and connected to their networks.
Enter the names of the interfaces to monitor. Use a space to separate each interface name. If you want to remove an interface from the list or add an interface to the list you must retype the list with the names changed as required.
You can monitor physical interfaces, redundant interfaces, and 802.3ad aggregated interfaces but not VLAN subinterfaces or IPSec VPN interfaces. You cannot monitor interfaces that are 4-port switches. This includes the internal interface of FortiGate models 50B, 60, 60M, 100A, 200A, and FortiWiFi-60. This also includes the LAN interface of the FortiGate-500A.
You can monitor up to 16 interfaces. This limit only applies to FortiGate units with more than 16 physical interfaces.
Default: No default

override {disable | enable}
Enable or disable forcing the cluster to renegotiate and select a new primary unit every time a cluster unit leaves or joins a cluster, changes status within a cluster, or every time the HA configuration of a cluster unit changes. The override setting is not synchronized to all cluster units.
Enabling override makes cluster operation more predictable but may lead to the cluster negotiating more often. During cluster negotiation traffic may be interrupted.
For a virtual cluster configuration, override is enabled by default for both virtual clusters when you enter set vcluster2 enable to enable virtual cluster 2. Usually you would enable virtual cluster 2 and expect one cluster unit to be the primary unit for virtual cluster 1 and the other cluster unit to be the primary unit for virtual cluster 2. For this distribution to occur, override must be enabled for both virtual clusters. Otherwise you will need to restart the cluster to force it to renegotiate. You can choose to disable override for both virtual clusters once the cluster is operating.
Default: disable (enable when you use set vcluster2 enable to enable virtual cluster 2)

password <password_str>
Enter a password for the HA cluster. The password must be the same for all FortiGate units in the cluster. The maximum password length is 15 characters.
If you have more than one FortiGate HA cluster on the same network, each cluster must have a different password.
Default: No default
pingserver-failover-threshold <threshold_integer>
Set the HA remote IP monitoring failover threshold. If HA remote monitoring is enabled using the pingserver-monitor-interface keyword, set the failover threshold so that if one or more ping servers fails, cluster failover occurs when the priority of all failed ping servers reaches or exceeds this threshold. You set the priority for each remote IP monitoring ping server using the ha-priority keyword of the command system interface on page 387.
The failover threshold range is 0 to 50. Setting the failover threshold to 0 means that if any ping server added to the HA remote IP monitoring configuration fails an HA failover will occur.
Default: 0

pingserver-flip-timeout <timeout_integer>
Set the HA remote IP monitoring flip timeout in minutes. If HA remote IP monitoring fails on all cluster units because none of the cluster units can connect to the monitored IP addresses, the flip timeout stops a failover from occurring until the timer runs out. The range is 20 to 2147483647 minutes.
For example, setting the pingserver-flip-timeout to 120 means that remote IP monitoring can only cause a failover every 120 minutes.
Default: 60

pingserver-monitor-interface <interface_names>
Enable HA remote IP monitoring by specifying the FortiGate unit interfaces that will be used to monitor remote IP addresses. You can configure remote IP monitoring for all types of interfaces including physical interfaces, VLAN interfaces, redundant interfaces and aggregate interfaces.
Use a space to separate each interface name. If you want to remove an interface from the list or add an interface to the list you must retype the list with the names changed as required.
For remote IP monitoring to work you must also:
- Add ping servers to these interfaces. You can use the detectserver keyword of the command system interface on page 387 or you can add ping servers from the web-based manager.
- Set the ha-priority keyword of the command system interface on page 387 for each ping server.
- Set the pingserver-failover-threshold and pingserver-flip-timeout keywords.
For more information about configuring HA remote IP monitoring, see Remote IP Monitoring Example on page 383.

priority <priority_integer>
Change the device priority of the cluster unit. Each cluster unit can have a different device priority (the device priority is not synchronized among cluster members). During HA negotiation, the cluster unit with the highest device priority becomes the primary unit. The device priority range is 0 to 255.
Default: 128

route-hold <hold_integer>
The time that the primary unit waits between sending routing table updates to subordinate units in a cluster. The route hold range is 0 to 3600 seconds.
Default: 10

route-ttl <ttl_integer>
The time to live for routes in a cluster unit routing table. The time to live range is 0 to 3600 seconds.
The time to live controls how long routes remain active in a cluster unit routing table after the cluster unit becomes a primary unit. To maintain communication sessions after a cluster unit becomes a primary unit, routes remain active in the routing table for the route time to live while the new primary unit acquires new routes.
Default: 10

route-wait <wait_integer>
The time the primary unit waits after receiving a routing table update before sending the update to the subordinate units in the cluster.
For quick routing table updates to occur, set route-wait to a relatively short time so that the primary unit does not hold routing table changes for too long before updating the subordinate units.
The route-wait range is 0 to 3600 seconds.
Default: 0
schedule {hub | ip | ipport | leastconnection | none | random | round-robin | weight-round-robin}
Active-active load balancing schedule.
hub: load balancing if the cluster interfaces are connected to hubs. Traffic is distributed to cluster units based on the Source IP and Destination IP of the packet.
ip: load balancing according to IP address. If the cluster units are connected using switches, use ip to distribute traffic to units in a cluster based on the Source IP and Destination IP of the packet.
ipport: load balancing according to IP address and port. If the cluster units are connected using switches, use ipport to distribute traffic to units in a cluster based on the source IP, source port, destination IP, and destination port of the packet.
leastconnection: least connection load balancing. If the cluster units are connected using switches, use leastconnection to distribute traffic to the cluster unit currently processing the fewest connections.
none: no load balancing. Use none when the cluster interfaces are connected to load balancing switches.
random: random load balancing. If the cluster units are connected using switches, use random to randomly distribute traffic to cluster units.
round-robin: round robin load balancing. If the cluster units are connected using switches, use round-robin to distribute traffic to the next available cluster unit.
weight-round-robin: weighted round robin load balancing. Similar to round robin, but you can use the weight keyword to assign weighted values to each of the units in a cluster based on their capacity and on how many connections they are currently processing. For example, the primary unit should have a lower weighted value because it handles scheduling and forwards traffic. Weighted round robin distributes traffic more evenly because units that are not processing traffic are more likely to receive new connections than units that are very busy. You can optionally use the weight keyword to set a weighting for each cluster unit.
Default: round-robin

session-pickup {disable | enable}
Enable or disable session pickup. Enable session-pickup so that if the primary unit fails, all sessions are picked up by the new primary unit.
If you enable session pickup the subordinate units maintain session tables that match the primary unit session table. If the primary unit fails, the new primary unit can maintain all active communication sessions.
If you do not enable session pickup the subordinate units do not maintain session tables. If the primary unit fails all sessions are interrupted and must be restarted when the new primary unit is operating.
You must enable session pickup for effective failover protection. If you do not require effective failover protection, leaving session pickup disabled may reduce HA CPU usage and reduce HA heartbeat network bandwidth usage.
Default: disable

sync-config {disable | enable}
Enable or disable automatic synchronization of primary unit configuration changes to all cluster units.
Default: enable

uninterruptable-upgrade {disable | enable}
Enable or disable upgrading the cluster without interrupting cluster traffic processing.
If uninterruptable-upgrade is enabled, traffic processing is not interrupted during a normal firmware upgrade. This process can take some time and may reduce the capacity of the cluster for a short time.
If uninterruptable-upgrade is disabled, traffic processing is interrupted during a normal firmware upgrade (similar to upgrading the firmware operating on a standalone FortiGate unit).
Default: enable
weight <priority_integer> <weight_integer>
The weighted round robin load balancing weight to assign to each cluster unit. When you set schedule to weight-round-robin you can use the weight keyword to set the weight of each cluster unit. The weight is set according to the priority of the unit in the cluster. A FortiGate HA cluster can contain up to four FortiGate units so you can set up to four weights.
The default weight of 1 1 1 1 means that the four units in the cluster all have the same weight of 1.
priority_integer is a number from 0 to 31 that identifies the priority of the cluster unit.
weight_integer is a number between 0 and 31 that is the weight assigned to the cluster units according to their priority in the cluster. Increase the weight to increase the number of connections processed by the cluster unit with that priority.
You enter the weight for each unit separately. For example, if you have a cluster of 4 FortiGate units you can set the weights for each unit as follows:
    set weight 1 5
    set weight 2 10
    set weight 3 15
    set weight 4 20
Default: 1 1 1 1

vdom <vdom_names>
Add virtual domains to virtual cluster 1 or virtual cluster 2. Virtual cluster 2 is also called the secondary virtual cluster.
In the config system ha shell, use set vdom to add virtual domains to virtual cluster 1. Adding a virtual domain to virtual cluster 1 removes that virtual domain from virtual cluster 2.
In the config secondary-vcluster shell, use set vdom to add virtual domains to virtual cluster 2. Adding a virtual domain to virtual cluster 2 removes it from virtual cluster 1.
You can use vdom to add virtual domains to a virtual cluster in any combination. You can add virtual domains one at a time or you can add multiple virtual domains at a time. For example, entering set vdom domain_1 followed by set vdom domain_2 has the same result as entering set vdom domain_1 domain_2.
Default: All virtual domains are added to virtual cluster 1.

vcluster2 {disable | enable}
Enable or disable virtual cluster 2.
In the global virtual domain configuration, virtual cluster 2 is enabled by default. When virtual cluster 2 is enabled you can use config secondary-vcluster to configure virtual cluster 2.
Disable virtual cluster 2 to move all virtual domains from virtual cluster 2 back to virtual cluster 1.
Enabling virtual cluster 2 enables override for virtual cluster 1 and virtual cluster 2.
Default: disable

config secondary-vcluster
Configure virtual cluster 2. You must enable vcluster2. Then you can use config secondary-vcluster to set monitor, override, priority, and vdom for virtual cluster 2.
Default: Same defaults as virtual cluster 1 except that the default value for override is enable.
Examples
This example shows how to configure a FortiGate unit for active-active HA operation. The example shows how to set up a basic HA configuration by setting the HA mode, changing the group-name, and entering a password. You would enter the exact same commands on every FortiGate unit in the cluster. In the example virtual domains are not enabled.
    config system ha
        set mode a-a
        set group-name myname
        set password HApass
    end
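The following checker is an added example, not Fortinet code and not part of this reference. It parses a config system ha block like the one above and compares each setting with the ranges and limits listed in the keyword table (arps 1 to 16, group-id 0 to 63, password up to 15 characters, and so on), reports the heartbeat protections the table describes as disabled by default (authentication, encryption, session-pickup), and resolves which hbdev interface carries heartbeat traffic using the hash map order tiebreak. The parser, the check list, the function names and the sample configuration are assumptions built from the table text; the sample adds an out-of-range arps value to the active-active example so that the check has something to report.

```python
"""Check a FortiOS 4.0 'config system ha' block against the keyword table.

Added example, not Fortinet code. The parser, the check list and the sample
configuration are assumptions built from the system ha keyword table."""

# Integer keyword ranges (min, max) as stated in the system ha keyword table.
INT_RANGES = {
    "arps": (1, 16),
    "arps-interval": (1, 20),
    "group-id": (0, 63),
    "hb-lost-threshold": (1, 60),
    "hb-interval": (1, 20),                 # units of 100 ms
    "helo-holddown": (5, 300),
    "pingserver-failover-threshold": (0, 50),
    "pingserver-flip-timeout": (20, 2147483647),
    "priority": (0, 255),
    "route-hold": (0, 3600),
    "route-ttl": (0, 3600),
    "route-wait": (0, 3600),
}
# Maximum string lengths from the table.
MAX_LEN = {"group-name": 32, "password": 15}


def parse_ha_block(text):
    """Return {keyword: [values]} for 'set' lines directly inside
    'config system ha'. Shells are tracked so that settings of an outer
    'config global' or a nested 'config secondary-vcluster' are not mixed in."""
    settings = {}
    shells = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            shells.append(line[len("config "):])
        elif line == "end" and shells:
            shells.pop()
        elif line.startswith("set ") and shells and shells[-1] == "system ha":
            parts = line.split()
            settings[parts[1]] = parts[2:]
    return settings


def _first(settings, key, default):
    values = settings.get(key)
    return values[0] if values else default


def check_ha_settings(settings):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    for key, (lo, hi) in INT_RANGES.items():
        if key in settings:
            value = _first(settings, key, "")
            if not value.isdigit() or not lo <= int(value) <= hi:
                findings.append(f"{key}: '{value}' is outside the range {lo} to {hi}")
    for key, limit in MAX_LEN.items():
        if len(_first(settings, key, "")) > limit:
            findings.append(f"{key}: longer than {limit} characters")
    if "password" not in settings:
        findings.append("password: not set; each cluster needs its own password")
    # Settings whose table entry describes a concrete attack when left disabled.
    if _first(settings, "authentication", "disable") != "enable":
        findings.append("authentication: disabled; heartbeat messages can be forged")
    if _first(settings, "encryption", "disable") != "enable":
        findings.append("encryption: disabled; heartbeat packets can be sniffed")
    if _first(settings, "session-pickup", "disable") != "enable":
        findings.append("session-pickup: disabled; sessions are lost on failover")
    # The table states that a-a mode is not available for virtual clusters.
    if (_first(settings, "mode", "standalone") == "a-a"
            and _first(settings, "vcluster2", "disable") == "enable"):
        findings.append("mode: a-a is not available when vcluster2 is enabled")
    hbdev = settings.get("hbdev", [])
    if hbdev and len(hbdev) % 2 != 0:
        findings.append("hbdev: expected interface name and priority pairs")
    return findings


def select_heartbeat_interface(hbdev_values):
    """Interface that carries heartbeat traffic: highest priority wins, and a
    tie goes to the lowest hash map order value, which is plain string order
    (port1, port10, port2 ... port9)."""
    pairs = [(hbdev_values[i], int(hbdev_values[i + 1]))
             for i in range(0, len(hbdev_values), 2)]
    if not pairs:
        raise ValueError("at least one heartbeat interface is required")
    return min(pairs, key=lambda p: (-p[1], p[0]))[0]


# Constructed sample: the active-active example above plus a bad arps value.
SAMPLE_CONFIG = """config system ha
    set mode a-a
    set group-name myname
    set password HApass
    set hbdev port4 100 port1 50
    set arps 20
end
"""

if __name__ == "__main__":
    parsed = parse_ha_block(SAMPLE_CONFIG)
    for finding in check_ha_settings(parsed):
        print(finding)
    print("heartbeat interface:", select_heartbeat_interface(parsed["hbdev"]))
```

Run against the sample, the check reports the arps value and the three disabled heartbeat protections, and selects port4 as the heartbeat interface because its priority of 100 beats port1 at 50; with equal priorities the string order of the interface names decides, so port10 would win over port2.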
The following example shows how to configure a FortiGate unit with virtual domains enabled for active-passive HA operation. In the example, the FortiGate unit is configured with three virtual domains (domain_1, domain_2, and domain_3) in addition to the root virtual domain. The example shows how to set up a basic HA configuration similar to the previous example, except that the HA mode can only be set to a-p. In addition, the example shows how to enable vcluster2 and how to add the virtual domains domain_2 and domain_3 to vcluster2.
    config global
        config system ha
            set mode a-p
            set group-name myname
            set password HApass
            set vcluster2 enable
            config secondary-vcluster
                set vdom domain_2 domain_3
            end
        end
    end
The following example shows how to change the device priority of the primary unit to 200 so that this cluster unit always becomes the primary unit. When you log into the cluster you are actually connecting to the primary unit. When you change the device priority of the primary unit this change only affects the primary unit because the device priority is not synchronized to all cluster units. After you enter the following commands the cluster renegotiates and may select a new primary unit.
    config system ha
        set priority 200
    end
The following example shows how to change the device priority of a subordinate unit to 255 so that this subordinate unit becomes the primary unit. This example involves connecting to the cluster CLI and using the execute ha manage 0 command to connect to the highest priority subordinate unit. After you enter the following commands the cluster renegotiates and selects a new primary unit.
    execute ha manage 0
    config system ha
        set priority 255
    end
The following example shows how to change the device priority of the primary unit in virtual cluster 2. The example involves connecting to the virtual cluster CLI and changing the global configuration. In the example virtual cluster 2 has already been enabled so all you have to do is use the config secondary-vcluster command to configure virtual cluster 2.
    config global
        config system ha
            config secondary-vcluster
                set priority 50
            end
        end
    end
The following example shows how to change the default heartbeat interface configuration so that the port4 and port1 interfaces can be used for HA heartbeat communication and to give the port4 interface the highest heartbeat priority so that port4 is the preferred HA heartbeat interface.
    config system ha
        set hbdev port4 100 port1 50
    end
The following example shows how to enable monitoring for the external, internal, and DMZ interfaces.
    config system ha
        set monitor external internal dmz
    end
The following example shows how to configure weighted round robin weights for a cluster of three FortiGate units. You can enter the following commands to configure the weight values for each unit:
    config system ha
        set schedule weight-round-robin
        set weight 0 1
        set weight 1 3
        set weight 2 3
    end
These commands have the following results:
- The first connection is processed by the primary unit (priority 0, weight 1)
- The next three connections are processed by the first subordinate unit (priority 1, weight 3)
- The next three connections are processed by the second subordinate unit (priority 2, weight 3)
The subordinate units process more connections than the primary unit, and both subordinate units, on average, process the same number of connections.
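To see how the weights translate into a connection sequence, the following simulation is an added example, not Fortinet code: it assumes the scheduler visits units in priority order and hands each unit a run of consecutive connections equal to its weight, which is the behaviour the three bullet points above describe. It also handles a weight of 0 (that unit is skipped) and rejects a configuration in which no unit has a weight above 0, since no connection could then be scheduled. The function names and the EXAMPLE_WEIGHTS table are assumptions.

```python
"""Simulate the weight-round-robin schedule described above.

Added example, not Fortinet code; assumes each unit, visited in priority
order, receives a run of consecutive connections equal to its weight."""


def weighted_round_robin(weights, connections):
    """Return the cluster unit priority chosen for each of the first
    'connections' new connections. weights maps unit priority -> weight."""
    if connections < 0:
        raise ValueError("connections must not be negative")
    if sum(weights.values()) <= 0:
        raise ValueError("at least one unit needs a weight above 0")
    order = sorted(weights)            # units are visited in priority order
    assigned = []
    while len(assigned) < connections:
        for prio in order:
            # A unit with weight 0 is skipped: it never receives new connections.
            for _ in range(weights[prio]):
                if len(assigned) == connections:
                    return assigned
                assigned.append(prio)
    return assigned


def connection_share(weights, connections):
    """Fraction of the first 'connections' connections each unit receives."""
    if connections == 0:
        return {prio: 0.0 for prio in sorted(weights)}
    assigned = weighted_round_robin(weights, connections)
    return {prio: assigned.count(prio) / connections for prio in sorted(weights)}


# Constructed sample matching the three-unit example above:
# primary unit priority 0 weight 1, subordinate units priority 1 and 2 weight 3.
EXAMPLE_WEIGHTS = {0: 1, 1: 3, 2: 3}

if __name__ == "__main__":
    print(weighted_round_robin(EXAMPLE_WEIGHTS, 7))     # [0, 1, 1, 1, 2, 2, 2]
    print(connection_share(EXAMPLE_WEIGHTS, 700))
```

Over a long run the primary unit receives one seventh of new connections and each subordinate unit three sevenths, which is the even split between the two subordinate units the text describes.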
This example shows how to display the settings for the system ha command.
    get system ha
This example shows how to display the configuration for the system ha command.
    show system ha
Remote IP Monitoring Example
HA remote IP monitoring is similar to HA port monitoring. Port monitoring causes a cluster to fail over if a monitored primary unit interface fails or is disconnected. Remote IP monitoring uses ping servers configured on FortiGate interfaces on the primary unit to test connectivity with IP addresses of network devices. Usually these would be IP addresses of network devices not directly connected to the cluster. Remote IP monitoring causes a failover if one or more of these remote IP addresses does not respond to a ping server.
Table 7: Example weights for three cluster units
Cluster unit priority    Weight
0                        1
1                        3
2                        3
Using remote IP monitoring to select a new primary unit can be useful in a number of ways depending on your network configuration. For example, in a full mesh HA configuration, with remote IP monitoring the cluster can detect failures in network equipment that is not directly connected to the cluster but that would interrupt traffic processed by the cluster if the equipment failed. In the example topology shown in Figure 2, the switch connected directly to the primary unit is operating normally but the link on the other side of the switches fails. As a result traffic can no longer flow between the primary unit and the Internet.
To detect this failure you can create a remote IP monitoring configuration consisting of a ping server on port2 of the cluster. The primary unit tests connectivity to 192.168.20.20. If the ping server cannot connect to 192.168.20.20 the cluster fails over and the subordinate unit becomes the new primary unit. The remote HA monitoring ping server on the new primary unit can connect to 192.168.20.20 so the failover maintains connectivity between the internal network and the Internet through the cluster.
Figure 2: Example HA remote IP monitoring topology
[Figure: the primary unit and subordinate unit connect through port1 to the internal network router and through port2 to switches leading to a router and the Internet. The physical link next to the primary unit is operating, but a link failure on the far side of the switches means the ping server on the primary unit cannot reach the monitored remote IP 192.168.20.20, causing HA failover.]
To configure remote IP monitoring
1 Enter the following commands to configure HA remote monitoring for the example topology.
- Enter the pingserver-monitor-interface keyword to enable HA remote IP monitoring on port2.
- Enter the pingserver-failover-threshold keyword to set the HA remote IP monitoring failover threshold to 10. If one or more ping servers fails, cluster failover occurs when the priority of all failed ping servers reaches or exceeds this threshold. You set the priority for each ping server using the ha-priority keyword as described in step 2 below.
- Enter the pingserver-flip-timeout keyword to set the flip timeout to 120 minutes. After a failover, if HA remote IP monitoring on the new primary unit also causes a failover, the flip timeout prevents the failover from occurring until the timer runs out. Setting the pingserver-flip-timeout to 120 means that remote IP monitoring can only cause a failover every 120 minutes. This flip timeout is required to prevent repeating failovers if remote IP monitoring causes a failover from all cluster units because none of the cluster units can connect to the monitored IP addresses.
    config system ha
        set pingserver-monitor-interface port2
        set pingserver-failover-threshold 10
        set pingserver-flip-timeout 120
    end
2 Enter the following commands to add the ping server to the port2 interface and to set the HA remote IP monitoring priority for this ping server.
- Enter the detectserver keyword to add the ping server and set the ping server IP address to 192.168.20.20.
- Enter the ha-priority keyword to set the HA remote IP monitoring priority of the ping server to 10 so that if this ping server does not connect to 192.168.20.20 the HA remote IP monitoring priority will be high enough to reach the failover threshold and cause a failover.
    config system interface
        edit port2
            set detectserver 192.168.20.20
            set ha-priority 10
    end
3 You can also use the config global command to change the time interval between ping server pings using the interval keyword and to change the number of times that the ping fails before a failure is detected using the failtime keyword.
4 You can also do the following to configure HA remote IP monitoring to test more IP addresses:
- Enable HA remote IP monitoring on more interfaces by adding more interface names to the pingserver-monitor-interface keyword.
- If your FortiGate configuration includes VLAN interfaces, aggregate interfaces and other interface types, you can add the names of these interfaces to the pingserver-monitor-interface keyword to configure HA remote IP monitoring for these interfaces.
- Add a second IP address to the detectserver keyword to monitor two IP addresses on each interface.
Note: If you add two IP addresses to the detectserver keyword the ping will be sent to both at the same time, and only when neither server responds will the ping server fail.
- Add secondary IPs to any interface and enter detectserver and ha-priority for each of the secondary IPs. You can do this to monitor multiple IP addresses on any interface and set a different HA priority for each one. By adding multiple ping servers to the remote HA monitoring configuration and setting the HA priorities for each you can fine tune remote IP monitoring. For example, if it is more important to maintain connections to some remote IPs you can set the HA priorities higher for these IPs, and if it is less important to maintain connections to other remote IPs you can set the HA priorities lower for these IPs. You can also adjust the pingserver-failover-threshold so that if the cluster cannot connect to one or two high priority IPs a failover occurs, but a failover will not occur if the cluster cannot connect to one or two low priority IPs.
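The decision logic of the procedure above, as an added example that is not Fortinet code: a ping server fails only when none of its detectserver addresses responds, failover happens when the ha-priority values of all failed ping servers on monitored interfaces reach the pingserver-failover-threshold (any failed ping server when the threshold is 0), and the pingserver-flip-timeout then holds off a further remote-IP-monitoring failover until the timer runs out. The classes, the method names, the time model (minutes since an arbitrary starting point) and the sample values are assumptions; the sample mirrors the example configuration (port2, 192.168.20.20, ha-priority 10, threshold 10, flip timeout 120) and walks through a failure that persists on the new primary unit.

```python
"""Model of the HA remote IP monitoring failover decision described above.

Added example, not Fortinet code: the classes, the timing model (minutes
since an arbitrary start) and the sample values are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class PingServer:
    interface: str      # interface carrying the detectserver setting
    targets: tuple      # one or two monitored IPs (detectserver)
    ha_priority: int    # ha-priority of this ping server


def ping_server_failed(server, reachable):
    """Two detectserver IPs are pinged at the same time; the ping server
    fails only when neither of them responds."""
    return not any(ip in reachable for ip in server.targets)


class RemoteIpMonitor:
    def __init__(self, monitor_interfaces, failover_threshold=0, flip_timeout=60):
        self.monitor_interfaces = set(monitor_interfaces)  # pingserver-monitor-interface
        self.failover_threshold = failover_threshold       # pingserver-failover-threshold
        self.flip_timeout = flip_timeout                   # pingserver-flip-timeout (minutes)
        self.last_failover: Optional[int] = None           # minute of the last failover

    def failed_servers(self, servers, reachable):
        return [s for s in servers
                if s.interface in self.monitor_interfaces
                and ping_server_failed(s, reachable)]

    def threshold_reached(self, servers, reachable):
        """Failover condition before the flip timeout is considered."""
        failed = self.failed_servers(servers, reachable)
        if not failed:
            return False
        if self.failover_threshold == 0:   # threshold 0: any failed ping server
            return True
        return sum(s.ha_priority for s in failed) >= self.failover_threshold

    def should_fail_over(self, servers, reachable, now_minutes):
        """True when the threshold is reached and no flip timeout is running."""
        if not self.threshold_reached(servers, reachable):
            return False
        if (self.last_failover is not None
                and now_minutes - self.last_failover < self.flip_timeout):
            return False                   # flip timeout still running
        self.last_failover = now_minutes
        return True


# Constructed sample mirroring the procedure: a ping server on port2 for
# 192.168.20.20 with ha-priority 10, threshold 10, flip timeout 120 minutes.
EXAMPLE_SERVERS = [PingServer("port2", ("192.168.20.20",), 10)]


def run_example():
    monitor = RemoteIpMonitor(["port2"], failover_threshold=10, flip_timeout=120)
    events = []
    # minute 0: the monitored IP is unreachable, so the cluster fails over
    events.append(monitor.should_fail_over(EXAMPLE_SERVERS, set(), 0))
    # minute 30: still unreachable from the new primary unit; flip timeout holds
    events.append(monitor.should_fail_over(EXAMPLE_SERVERS, set(), 30))
    # minute 120: the timer has run out, so a failover is allowed again
    events.append(monitor.should_fail_over(EXAMPLE_SERVERS, set(), 120))
    return events


if __name__ == "__main__":
    print(run_example())    # [True, False, True]
```

The reachable set stands in for the ping results; a server on an interface that is not listed in pingserver-monitor-interface is ignored, and a server whose ha-priority alone is below the threshold does not cause a failover unless other failed servers add enough priority.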
Command History
FortiOS v2.80 Revised.
FortiOS v2.80 MR2 Added load-balance-all keyword.
FortiOS v2.80 MR5 Added route-hold, route-wait, and route-ttl keywords.
FortiOS v2.80 MR6 Added authentication, arps, encryption, hb-lost-threshold, helo-holddown, and hb-interval keywords.
FortiOS v2.80 MR7 Changes to the weight keyword.
FortiOS v2.80 MR10 New link-failed-signal keyword.
FortiOS v3.0 Added the group-name, session-pickup, sync-config, vdom, vcluster2, and config secondary-vcluster keywords. The monitor and hbdev functionality has been simplified; priority numbers are no longer supported.
FortiOS v3.0 MR3 Added uninterruptable-upgrade keyword.
FortiOS v3.0 MR4 Priorities added back to the hbdev keyword.
FortiOS v3.0 MR5 In a virtual cluster configuration override is enabled for virtual cluster 1 and virtual cluster 2 when you enter set vcluster2 enable to enable virtual cluster 2.
FortiOS v3.0 MR6 Added the arps-interval, pingserver-monitor-interface, pingserver-failover-threshold, and pingserver-flip-timeout keywords. Improved the description of the arps keyword.
FortiOS v3.0 MR7 The maximum length of the group-name increased from 7 to 32 characters.
interface
Use this command to edit the configuration of a FortiGate physical interface, VLAN subinterface, IEEE 802.3ad aggregate interface, redundant interface, or IPSec tunnel interface.
In the following table, VLAN subinterface can be substituted for interface in most places, except that you can only configure VLAN subinterfaces with static IP addresses. Use the edit command to add a VLAN subinterface.
Some keywords are specific to aggregate interfaces. These appear at the end of the list of commands, under variables for aggregate and redundant interfaces (models 300A, 310B, 400A, 500A, 620B, and 800 or higher) on page 401.
Some FortiGate models support switch mode for the internal interfaces. Switch mode allows you to configure each interface on the switch separately. A VLAN cannot be configured on a switch interface. For more information, see global on page 363.
Using the one-arm intrusion detection system (IDS), you can configure a FortiGate unit to operate as an IDS appliance by sniffing packets for attacks without actually receiving and otherwise processing the packets. For more information, see the ips-sniffer-mode {enable | disable} keyword.
Syntax
Entering a name string for the edit keyword that is not the name of a physical interface adds a VLAN subinterface.
config system interface
  edit <interface_name>
    set allowaccess <access_types>
    set alias <name_string>
    set arpforward {enable | disable}
    set auth-type <ppp_auth_method>
    set bfd {enable | disable | global}
    set bfd-desired-min-tx <interval_msec>
    set bfd-detect-mult <multiplier>
    set bfd-required-min-rx <interval_msec>
    set broadcast-forward {enable | disable}
    set ddns {enable | disable}
    set ddns-domain <ddns_domain_name>
    set ddns-password <ddns_password>
    set ddns-profile-id <dnsart_profile_id>
    set ddns-server <ddns_service>
    set ddns-sn <ddns_sn>
    set ddns-username <ddns_username>
    set defaultgw {enable | disable}
    set detectserver <pingserver_ipv4> [pingserver2_ipv4]
    set description <text>
    set dhcp-relay-ip <dhcp_relay1_ipv4> {... <dhcp_relay8_ipv4>}
    set dhcp-relay-service {enable | disable}
    set dhcp-relay-type {ipsec | regular}
    set disc-retry-timeout <pppoe_retry_seconds>
    set distance <admin_distance>
    set dns-server-override {enable | disable}
    set fortimanager-discover-helper {enable | disable}
    set forward-domain <collision_group_number>
    set fp-anomaly [...]
    set gwdetect {enable | disable}
    set ha-priority <priority_integer>
    set icmp-redirect {enable | disable}
    set ident-accept {enable | disable}
    set idle-timeout <pppoe_timeout_seconds>
    set inbandwidth <bandwidth_integer>
    set interface <port_name>
    set ip <interface_ipv4mask>
    set ipmac {enable | disable}
    set ips-sniffer-mode {enable | disable}
    set ipunnumbered <unnumbered_ipv4>
    set l2forward {enable | disable}
    set l2tp-client {enable | disable}
    set lacp-ha-slave {enable | disable}
    set lacp-mode {active | passive | static}
    set lacp-speed {fast | slow}
    set lcp-echo-interval <lcp_interval_seconds>
    set lcp-max-echo-fail <missed_echoes>
    set log {enable | disable}
    set macaddr <mac_address>
    set mediatype {serdes-sfp | sgmii-sfp}
    set member <if_name1> <if_name2> ...
    set mode <interface_mode>
    set mtu <mtu_bytes>
    set mtu-override {enable | disable}
    set netbios-forward {disable | enable}
    set nontp-web-proxy {disable | enable}
    set outbandwidth <bandwidth_integer>
    set padt-retry-timeout <padt_retry_seconds>
    set password <pppoe_password>
    set peer-interface <interface>
    set pppoe-unnumbered-negotiate {disable | enable}
    set pptp-client {disable | enable}
    set pptp-user <pptp_username>
    set pptp-password <pptp_userpassword>
    set pptp-server-ip <pptp_serverid>
    set pptp-auth-type <pptp_authtype>
    set pptp-timeout <pptp_idletimeout>
    set priority <learned_priority>
    set remote-ip <ipv4>
    set speed <interface_speed>
    set status {down | up}
    set stpforward {enable | disable}
    set subst {enable | disable}
    set substitute-dst-mac <destination_mac_address>
    set tcp-mss <max_send_bytes>
    set type {aggregate | loopback | physical | redundant | tunnel | vlan | wireless}
    set username <pppoe_username>
    set vdom <vdom_name>
    set vlanforward {enable | disable}
    set vlanid <id_number>
    set wccp {enable | disable}
    set wifi-acl {allow | deny}
    set wifi-auth {PSK | RADIUS}
    set wifi-broadcast_ssid {enable | disable}
    set wifi-encrypt {AES | TKIP}
    set wifi-fragment_threshold <packet_size>
    set wifi-key <hex_key>
    set wifi-mac-filter {enable | disable}
    set wifi-passphrase <pass_str>
    set wifi-radius-server <server_name>
    set wifi-rts_threshold <integer>
    set wifi-security <sec_mode>
    set wifi-ssid <id_str>
    set wins-ip <wins_server_ip>
    config ipv6
      set autoconf {enable | disable}
      set ip6-address <if_ipv6mask>
      set ip6-allowaccess <access_types>
      set ip6-default-life <ipv6_life_seconds>
      set ip6-hop-limit <ipv6_hops_limit>
      set ip6-link-mtu <ipv6_mtu>
      set ip6-manage-flag {disable | enable}
      set ip6-max-interval <adverts_max_seconds>
      set ip6-min-interval <adverts_min_seconds>
      set ip6-other-flag {disable | enable}
      set ip6-reachable-time <reachable_msecs>
      set ip6-retrans-time <retrans_msecs>
      set ip6-send-adv {enable | disable}
      config ip6-prefix-list
        edit <ipv6_prefix>
          set autonomous-flag {enable | disable}
          set onlink-flag {enable | disable}
          set preferred-life-time <seconds>
          set valid-life-time <seconds>
        end
      end
    end
    config l2tp-client-settings
      set auth-type {auto | chap | mschapv1 | mschapv2 | pap}
      set defaultgw {enable | disable}
      set distance <admin_distance>
      set mtu <integer>
      set password <password>
      set peer-host <ipv4_addr>
      set peer-mask <netmask>
      set peer-port <port_num>
      set priority <integer>
      set user <string>
    end
    config secondaryip
      edit <secondary_ip_id>
        set allowaccess <access_types>
        set detectserver <pingserver_ipv4> [pingserver2_ipv4]
        set gwdetect {enable | disable}
        set ha-priority <priority_integer>
        set ip <interface_ipv4mask>
      end
    end
    config wifi-mac_list
      edit <entry_number>
        set mac <mac_address>
      end
    end
  end
end
Note: VLAN communication over the backplane interfaces is available for FortiGate-5000 modules installed in a FortiGate-5020 chassis. The FortiSwitch-5003 does not support VLAN-tagged packets, so VLAN communication is not available over the FortiGate-5050 and FortiGate-5140 chassis backplanes.
Note: A VLAN cannot have the same name as a zone or a virtual domain.
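As an added example (not code from the FortiGate CLI Reference), the following Python script parses a saved config system interface section written in the syntax above and flags settings that the keyword descriptions in this section caution about: allowaccess types that carry credentials in the clear (http, telnet), broadcast-forward enabled, gwdetect enabled without a detectserver, and VLAN IDs outside 1 to 4094 or reused on the same physical interface. The interface names and addresses in the embedded sample configuration are constructed.

```python
"""Audit a saved 'config system interface' section for risky settings. Added
example, not code from the FortiGate CLI Reference; the checks follow the keyword
descriptions in this section and the embedded sample config is constructed."""

# Of the allowaccess types (http https ping snmp ssh telnet), these two send credentials in the clear.
CLEARTEXT_ACCESS = {"http", "telnet"}

SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.2 255.255.255.248
        set allowaccess ping https ssh telnet
        set gwdetect enable
    next
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
        set broadcast-forward enable
    next
    edit "vlan_servers"
        set ip 10.10.10.1 255.255.255.0
        set interface "internal"
        set vlanid 4095
        set type vlan
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "vlan_guest"
        set ip 10.10.20.1 255.255.255.0
        set interface "internal"
        set vlanid 100
        set type vlan
    next
    edit "vlan_dup"
        set ip 10.10.30.1 255.255.255.0
        set interface "internal"
        set vlanid 100
        set type vlan
    next
end
"""


def parse_interfaces(text):
    """Return {name: {keyword: [values]}} for each edit block directly under
    config system interface. Nested sub-blocks (config ipv6, secondaryip,
    l2tp-client-settings) are skipped; quotes around values are stripped."""
    interfaces, depth, section, current = {}, 0, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                section = line
            continue
        if line == "end":
            depth -= 1
            if depth == 0:
                current = None
            continue
        if depth != 1 or section != "config system interface":
            continue
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            interfaces[current] = {}
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            keyword, *values = line[4:].split()
            interfaces[current][keyword] = [v.strip('"') for v in values]
    return interfaces


def audit(interfaces):
    """Return (interface, finding) pairs; an empty list means nothing was flagged."""
    findings = []
    seen_vlan = {}  # (parent interface, vlanid) -> first VLAN subinterface using it
    for name, kw in interfaces.items():
        clear = set(kw.get("allowaccess", [])) & CLEARTEXT_ACCESS
        if clear:
            findings.append((name, "cleartext management access: " + " ".join(sorted(clear))))
        if kw.get("broadcast-forward", ["disable"])[0] == "enable":
            findings.append((name, "broadcast-forward enabled"))
        # gwdetect only confirms connectivity against a configured ping server.
        if kw.get("gwdetect", ["disable"])[0] == "enable" and "detectserver" not in kw:
            findings.append((name, "gwdetect enabled without detectserver"))
        if kw.get("type", [""])[0] == "vlan":
            vid = int(kw.get("vlanid", ["0"])[0])
            if not 1 <= vid <= 4094:  # 0 and 4095 are reserved
                findings.append((name, "vlanid %d outside 1-4094" % vid))
            key = (kw.get("interface", [""])[0], vid)
            if key in seen_vlan:
                findings.append((name, "vlanid %d already used by %s" % (vid, seen_vlan[key])))
            seen_vlan.setdefault(key, name)
    return findings


if __name__ == "__main__":
    for iface, finding in audit(parse_interfaces(SAMPLE_CONFIG)):
        print("%-13s %s" % (iface, finding))
```

Feed it the output of show system interface from a unit you administer; a VLAN subinterface whose parent is not a physical interface is still checked, since the duplicate test keys on whatever interface value is configured.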
Variables (each entry gives the keyword, its description, and its default value):
allowaccess <access_types>
  Enter the types of management access permitted on this interface or secondary IP address. Valid types are: http https ping snmp ssh telnet. Separate each type with a space. To add or remove an option from the list, retype the complete list as required.
  Default: Varies for each interface.
alias <name_string>
  Enter an alias name for the interface. Once configured, the alias is displayed with the interface name to make it easier to distinguish. The alias can be a maximum of 25 characters. This option is only available when the interface type is physical.
arpforward {enable | disable}
  Enable or disable forwarding of ARP packets on this interface. ARP forwarding is required for DHCP relay and MS Windows Client browsing.
  Default: enable
auth-type <ppp_auth_method>
  Select the PPP authentication method for this interface. Enter auto to select the authentication method automatically, chap for CHAP, mschapv1 for Microsoft CHAP v1, mschapv2 for Microsoft CHAP v2, or pap for PAP. This is available only when mode is pppoe and the interface type is physical.
  Default: auto
bfd {enable | disable | global}
  The status of Bidirectional Forwarding Detection (BFD) on this interface: enable - enable BFD and ignore the global BFD configuration; disable - disable BFD on this interface; global - BFD behavior on this interface follows the global BFD configuration. The other bfd-* keywords are visible only if bfd is enabled.
  Default: global
bfd-desired-min-tx <interval_msec>
  Enter the minimum desired interval for the BFD transmit interval. Valid range is from 1 to 100 000 msec.
  Default: 50
bfd-detect-mult <multiplier>
  Select the BFD detection multiplier.
  Default: 3
bfd-required-min-rx <interval_msec>
  Enter the minimum required interval for the BFD receive interval. Valid range is from 1 to 100 000 msec.
  Default: 50
broadcast-forward {enable | disable}
  Select to enable broadcast forwarding. Use with caution.
  Default: disable
ddns {enable | disable}
  Enable or disable using a Dynamic DNS (DDNS) service. If this interface of your FortiGate unit uses a dynamic IP address, you can arrange with a DDNS service provider to use a domain name to redirect traffic to your network whenever the IP address changes. DDNS is available only in NAT/Route mode.
  Default: disable
ddns-domain <ddns_domain_name>
  Enter the fully qualified domain name to use for DDNS. This is the domain name you have registered with your DDNS provider. This is available only when ddns is enabled and ddns-server is not set to dnsart.com.
  Default: No default.
ddns-password <ddns_password>
  Enter the password to use when connecting to the DDNS server. This is available only when ddns is enabled and ddns-server is not set to dipdns.net.
  Default: No default.
ddns-profile-id <dnsart_profile_id>
  Enter your DDNS profile ID. This keyword is available instead of ddns-domain. This is available only when ddns is enabled and ddns-server is set to dnsart.com.
  Default: No default.
ddns-server <ddns_service>
  Select a DDNS server to use. The client software for these services is built into the FortiGate firmware; the FortiGate unit can only connect automatically to a DDNS server for these supported clients:
    dhs.org supports members.dhs.org and dnsalias.com.
    dipdns.net supports dipdnsserver.dipdns.com.
    dnsart.com supports www.dnsart.com.
    dyndns.org supports members.dyndns.org.
    dyns.net supports www.dyns.net.
    now.net.cn supports ip.todayisp.com.
    ods.org supports ods.org.
    tzo.com supports rh.tzo.com.
    vavic.com supports ph001.oray.net.
  This is available only when ddns is enabled.
  Default: No default.
ddns-sn <ddns_sn>
  Enter your DDNS serial number. This is available only if ddns is enabled and ddns-server is set to dipdns.net. This keyword is available instead of ddns-username and ddns-password.
  Default: No default.
ddns-username <ddns_username>
  Enter the user name to use when connecting to the DDNS server. This is available when ddns is enabled and ddns-server is not set to dipdns.net.
  Default: No default.
defaultgw {enable | disable}
  Enable or disable getting the gateway IP address from the DHCP, PPPoE, or PPPoA server. This is valid only when mode is one of dhcp, pppoe, or pppoa.
  Default: disable
description <text>
  Optionally, enter up to 63 characters to describe this interface.
  Default: No default.
detectserver <pingserver_ipv4> [pingserver2_ipv4]
  Add the IP address of a ping server. A ping server is usually the next hop router on the network connected to the interface. If gwdetect is enabled, the FortiGate unit confirms connectivity with the server at this IP address. Adding a ping server is required for routing failover. Optionally you can add two ping servers. The ping is sent to both at the same time, and gwdetect fails only when neither server responds. The primary and secondary ping server IP addresses can be the same. This is available only in NAT/Route mode.
  Default: No default.
dhcp-relay-ip <dhcp_relay1_ipv4> {... <dhcp_relay8_ipv4>}
  Set DHCP relay IP addresses. You can specify up to eight DHCP relays. Replies from all DHCP servers are forwarded back to the client. The client responds to the offer it wants to accept. Do not set dhcp-relay-ip to 0.0.0.0.
  Default: No default.
dhcp-relay-service {enable | disable}
  Enable to provide DHCP relay service on this interface. The DHCP type relayed depends on the setting of dhcp-relay-type. There must be no other DHCP server of the same type (regular or ipsec) configured on this interface.
  Default: disable
dhcp-relay-type {ipsec | regular}
  Set the DHCP relay type to ipsec or regular depending on the type of firewall traffic.
  Default: regular
disc-retry-timeout <pppoe_retry_seconds>
  Set the initial discovery timeout in seconds: the time to wait before retrying to start a PPPoE discovery. Set disc-retry-timeout to 0 to disable. mode must be set to pppoe. This is available in NAT/Route mode only.
  Default: 1
distance <admin_distance>
  Configure the administrative distance for routes learned through PPPoE or DHCP. Using administrative distance you can specify the relative priorities of different routes to the same destination; a lower administrative distance indicates a more preferred route. Distance can be an integer from 1 to 255. For more information, see router static distance <distance> on page 301. mode must be set to dhcp or pppoe for this keyword to be available. This is available in NAT/Route mode only.
  Default: 1
dns-server-override {enable | disable}
  Disable to prevent the interface from using DNS server addresses it acquires via DHCP or PPPoE. mode must be set to dhcp or pppoe.
  Default: enable
edit <interface_name>
  Edit an existing interface or create a new VLAN interface.
  Default: None.
edit <ipv6_prefix>
  Enter the IPv6 prefix you want to configure. For settings, see the edit <ipv6_prefix> variables section of this table.
  Default: None.
edit <secondary_ip_id>
  Enter an integer identifier, e.g., 1, for the secondary IP address that you want to configure.
  Default: None.
fortimanager-discover-helper {enable | disable}
  When enabled, the FortiGate unit acts as a relay between a FortiManager unit and FortiClient units if they are on different networks.
  Default: disable
forward-domain <collision_group_number>
  Specify the collision domain to which this interface belongs. Layer 2 broadcasts are limited to the same group. By default, all interfaces are in group 0. Collision domains prevent the forwarding of ARP packets to all VLANs on an interface. Without collision domains, duplicate MAC addresses on VLANs may cause ARP packets to be duplicated. Duplicate ARP packets can cause some switches to reset. This command is available in Transparent mode only. For more information, see Working with virtual domains on page 51.
  Default: 0
fp-anomaly [...]
  Enable NP2 hardware fast path anomaly checking on an interface and specify whether to drop or allow (pass) different types of anomalies. When no options are specified, anomaly checking performed by the network processor is disabled. If pass options are specified, packets may still be rejected by other anomaly checks, including policy-required IPS performed using the FortiGate unit's main processing resources. Log messages are generated when packets are dropped due to options in this setting. The fp-anomaly option is available for NP2-enabled interfaces. For more information, see the Fortinet Hardware Acceleration Technical Note.
  Default: No options specified (disabled)
gwdetect {enable | disable}
  Enable or disable confirming connectivity with the server at the detectserver IP address. The frequency with which the FortiGate unit confirms connectivity is set using the failtime and interval keywords in the command system global on page 363. This is available in NAT/Route mode only.
  Default: disable
ha-priority <priority_integer>
  The HA priority to assign to the ping servers configured on an interface when the interface is added to an HA remote IP monitoring configuration. The priority range is 0 to 50. You configure HA remote IP monitoring using the pingserver-monitor-interface keyword in the command system ha on page 375. You can set ha-priority for all types of interfaces, including physical interfaces, VLAN interfaces, and secondary IPs. This keyword is not available in Transparent mode.
  Default: 0
icmp-redirect {enable | disable}
  Disable to stop this interface from sending ICMP redirects.
  Default: enable
ident-accept {enable | disable}
  Enable or disable passing ident packets (TCP port 113) to the firewall policy. If set to disable, the FortiGate unit sends a TCP reset packet in response to an ident packet.
  Default: disable
idle-timeout <pppoe_timeout_seconds>
  Disconnect if the PPPoE connection is idle for the specified number of seconds. Set to zero to disable this feature. This is available when mode is set to pppoe.
  Default: 0
inbandwidth <bandwidth_integer>
  Enter the KB/sec limit for incoming traffic on this interface. Use this command to configure inbound traffic shaping for an interface. Inbound traffic shaping limits the bandwidth accepted by the interface. Limiting inbound traffic takes precedence over traffic shaping applied by firewall policies. You can set inbound traffic shaping for any FortiGate interface, and it can be active for more than one FortiGate interface at a time. Setting <bandwidth_integer> to 0 (the default) means unlimited bandwidth or no traffic shaping.
  Default: 0
interface <port_name>
  Enter the physical interface the virtual interface is linked to. This is available only when adding virtual interfaces such as VLANs and VPNs.
  Default: None.
ip <interface_ipv4mask>
  Enter the interface IP address and netmask. This is not available if mode is set to dhcp or pppoe: you can set the IP and netmask, but they are not displayed. This is available in NAT/Route mode only. The IP address cannot be on the same subnet as any other interface.
  Default: Varies for each interface.
ipmac {enable | disable}
  Enable or disable IP/MAC binding for the specified interface. For information about configuring IP/MAC binding settings, see ipmacbinding setting on page 112 and ipmacbinding table on page 114.
  Default: disable
ips-sniffer-mode {enable | disable}
  Enable one-armed IPS as part of configuring a FortiGate unit to operate as an IDS appliance by sniffing packets for attacks without actually receiving and otherwise processing the packets. Once the interface is enabled for IPS sniffing, a DoS sensor policy must be configured. For more information on one-armed IPS, see interface-policy on page 109.
  Default: disable
ipunnumbered <unnumbered_ipv4>
  Enable IP unnumbered mode for PPPoE. Specify the IP address to be borrowed by the interface. This IP address can be the same as the IP address of another interface or can be any IP address. This is available only when mode is pppoe. The unnumbered IP may be used for PPPoE interfaces for which no unique local address is provided. If you have been assigned a block of IP addresses by your ISP, for example, you can add any of these IP addresses to the unnumbered IP.
  Default: No default.
l2forward {enable | disable}
  Set the state of layer 2 forwarding for this interface. Enter enable or disable.
  Default: disable
l2tp-client {enable | disable}
  Enable or disable this interface as an L2TP client. Enabling makes config l2tp-client-settings visible. This is available only on FortiGate 50 series, 60 series, and 100A. The interface cannot be part of an aggregate interface, and the FortiGate unit cannot be in Transparent mode or HA mode. If l2tp-client is enabled on an interface, the FortiGate unit will not enter HA mode until the L2TP client is disabled.
  Default: disable
lcp-echo-interval <lcp_interval_seconds>
  Set the interval in seconds between PPPoE LCP echo requests. This is available only when mode is pppoe.
  Default: 5
lcp-max-echo-fail <missed_echoes>
  Set the maximum number of missed LCP echoes before the PPPoE link is disconnected. This is available only when mode is pppoe.
  Default: 3
log {enable | disable}
  Enable or disable traffic logging of connections to this interface. Traffic is logged only when it is on an administrative port; all other traffic is not logged. Enabling this setting may reduce system performance and is normally used only for troubleshooting.
  Default: disable
macaddr <mac_address>
  Override the factory-set MAC address of this interface by specifying a new MAC address. Use the form xx:xx:xx:xx:xx:xx.
  Default: Factory set.
mediatype {serdes-sfp | sgmii-sfp}
  Some FortiGate SFP interfaces can operate in SerDes (Serializer/Deserializer) or SGMII (Serial Gigabit Media Independent Interface) mode. The mode the interface operates in depends on the type of SFP transceiver installed. Use this keyword to switch the interface between these two modes. Set mediatype to serdes-sfp if you have installed a SerDes transceiver; in SerDes mode an SFP interface can only operate at 1000 Mbps. Set mediatype to sgmii-sfp if you have installed an SGMII transceiver; in SGMII mode the interface can operate at 10, 100, or 1000 Mbps. This keyword is available for some FortiGate SFP interfaces. For example, all FortiGate-ASM-FB4 interfaces and interfaces port3 to port18 of the FortiGate-3016B support both SerDes and SGMII mode. See your FortiGate unit install guide for more information about which modes your FortiGate interfaces support.
  Default: serdes-sfp
mode <interface_mode>
  Configure the connection mode for the interface as one of static, dhcp, pppoe, pppoa, eoa, or ipoa (as available).
    static - configure a static IP address for the interface.
    dhcp - configure the interface to receive its IP address from an external DHCP server.
    pppoe - configure the interface to receive its IP address from an external PPPoE server. This is available only in NAT/Route mode.
    eoa - Ethernet over ATM.
    ipoa - IP over ATM (also known as bridged mode).
  This is only available in NAT/Route mode.
  Default: static
mtu <mtu_bytes>
  Set a custom maximum transmission unit (MTU) size in bytes. Ideally, set mtu to the size of the smallest MTU of all the networks between this FortiGate unit and the packet destination. Valid ranges for <mtu_bytes> are:
    68 to 1 500 bytes in static mode
    576 to 1 500 bytes in dhcp mode
    576 to 1 492 bytes in pppoe mode
    9 000 bytes for NP2-accelerated interfaces
    up to 16 110 bytes in jumbo frames (only supported on high end FortiGate models)
  In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces to match the new MTU. If you configure jumbo frames on your FortiGate unit, all other network equipment on the route to the destination must also support jumbo frames. You can only set the MTU of a physical interface; all virtual interfaces inherit that MTU from the physical parent interface. mtu is available only when mtu-override is enabled.
  Default: 1 500
mtu-override {enable | disable}
  Select enable to use a custom MTU size instead of the default (1 500). This is available for physical interfaces only. If you change the MTU, you must reboot the FortiGate unit to update the MTU values of the VLANs on this interface. FortiGate models 3000 and larger support jumbo frames. For more information on jumbo frames, see the Fortinet Administration Guide.
  Default: disable
netbios-forward {disable | enable}
  Select enable to forward NetBIOS broadcasts to a WINS server. Use wins-ip <wins_server_ip> to set the WINS server IP address. This is available in NAT/Route mode only.
  Default: disable
nontp-web-proxy {disable | enable}
  Select enable to turn on web cache support for this interface, such as accepting HTTP proxies and DNS requests, when this interface is in NAT/Route mode.
  Default: disable
outbandwidth <bandwidth_integer>
  Enter the KB/sec limit for outgoing (egress) traffic on this interface. Use this command to configure outbound traffic shaping for an interface. Outbound traffic shaping limits the bandwidth accepted by the interface. Limiting outbound traffic takes precedence over traffic shaping applied by firewall policies. You can set outbound traffic shaping for any FortiGate interface, and it can be active for more than one FortiGate interface at a time. Setting <bandwidth_integer> to 0 (the default) means unlimited bandwidth or no traffic shaping.
  Default: 0
padt-retry-timeout <padt_retry_seconds>
  Initial PPPoE Active Discovery Terminate (PADT) timeout in seconds. Use this timeout to shut down the PPPoE session if it is idle for this number of seconds. PADT must be supported by your ISP. This is available in NAT/Route mode when mode is pppoe.
  Default: 1
password <pppoe_password>
  Enter the password to connect to the PPPoE server. This is available in NAT/Route mode when mode is pppoe.
  Default: No default.
peer-interface <interface>
  Select an interface to be used in Transparent mode when the FortiGate unit cannot find the destination MAC address in the local table. This can happen during IPS testing. The peer-interface cannot be the same interface, but it must be in the same VDOM. This option is only available in Transparent mode.
pppoe-unnumbered-negotiate {disable | enable}
  Disable to resolve problems when mode is set to pppoe and ipunnumbered is set. The default configuration may not work in some regions, such as Japan. This is only available when mode is pppoe and ipunnumbered is set.
  Default: enable
pptp-client {disable | enable}
  Enable to configure and use a PPTP client. This command is not available in HA mode. If the PPTP client is enabled on an interface, the FortiGate unit will not enter HA mode until that PPTP client is disabled.
  Default: disable
pptp-user <pptp_username>
  Enter the name of the PPTP user.
  Default: No default.
pptp-password <pptp_userpassword>
  Enter the password for the PPTP user.
  Default: No default.
pptp-server-ip <pptp_serverid>
  Enter the IP address for the PPTP server.
  Default: No default.
pptp-auth-type <pptp_authtype>
  Enter the authentication type for the PPTP user.
  Default: No default.
pptp-timeout <pptp_idletimeout>
  Enter the idle timeout in minutes. Use this timeout to shut down the PPTP user session if it is idle for this number of seconds. 0 for disabled.
  Default: No default.
priority <learned_priority>
  Enter the priority of routes using this interface. This is only available when mode is pppoe or dhcp.
  Default: No default.
remote-ip <ipv4>
  Enter an IP address for the remote end of a tunnel interface. If you want to use dynamic routing with the tunnel, or be able to ping the tunnel interface, you must specify an address for the remote end of the tunnel in remote-ip and an address for this end of the tunnel in ip. This is available only if type is tunnel.
  Default: No default.
speed <interface_speed>
  The interface speed:
    auto, the default speed. The interface uses auto-negotiation to determine the connection speed. Change the speed only if the interface is connected to a device that does not support auto-negotiation.
    10full, 10 Mbps, full duplex
    10half, 10 Mbps, half duplex
    100full, 100 Mbps, full duplex
    100half, 100 Mbps, half duplex
    1000full, 1000 Mbps, full duplex
    1000half, 1000 Mbps, half duplex
  Speed options vary for different models and interfaces. Enter a space and a ? after the speed keyword to display a list of speeds available for your model and interface. You cannot change the speed for interfaces that are 4-port switches. This includes the internal interfaces of FortiGate models 60, 60M, 100A, 200A, and FortiWiFi-60. This also includes the LAN interface of the FortiGate-500A.
  Default: auto
status {down | up}
  Start or stop the interface. If the interface is stopped, it does not accept or send packets. If you stop a physical interface, associated virtual interfaces such as VLAN interfaces also stop.
  Default: up (down for VLANs)
stpforward {enable | disable}
  Enable or disable forwarding of Spanning Tree Protocol (STP) packets through this interface.
  Default: disable
subst {enable | disable}
  Enter enable to use a substitute destination MAC address for this interface.
  Default: disable
substitute-dst-mac <destination_mac_address>
  Enter the substitute destination MAC address to use when subst is enabled. Use the xx:xx:xx:xx:xx:xx format.
  Default: No default.
tcp-mss <max_send_bytes>
  Enter the FortiGate unit's maximum sending size for TCP packets.
  Default: No default.
type {aggregate | loopback | physical | redundant | tunnel | vlan | wireless}
  Enter the type of interface. Note:
    aggregate is available only on FortiGate models 800 and higher. Aggregate links use the 802.3ad standard to group up to 8 interfaces together. For aggregate-specific keywords, see variables for aggregate and redundant interfaces (models 300A, 310B, 400A, 500A, 620B, and 800 or higher) on page 401.
    loopback is a virtual interface that is always up. This interface's status and link status are not affected by external changes. It is primarily used for blackhole routing - dropping all packets that match this route. This route is advertised to neighbors through dynamic routing protocols as any other static route. Loopback interfaces have no DHCP settings, no forwarding, no mode, and no DNS settings. You can only create a loopback interface from the CLI.
    redundant is used to group 2 or more interfaces together for reliability. Only one interface is in use at any given time. If the first interface fails, traffic continues uninterrupted as it switches to the next interface in the group. This is useful in HA configurations. The order in which interfaces become active in the group is determined by the order you specify using the set member keyword.
    tunnel is for reference only - you cannot create tunnel interfaces using this command. Create GRE tunnels using the system gre-tunnel command. Create IPSec tunnels using the vpn ipsec-intf phase1 command.
    vlan is for virtual LAN interfaces. This is the type of interface created by default on any existing physical interface. VLANs increase the number of network interfaces beyond the physical connections on the unit. VLANs cannot be configured on a switch mode interface in Transparent mode.
    wireless applies only to FortiWiFi-60A, -60AM, and -60B models.
  Default: vlan for a newly created interface, physical otherwise.
username <pppoe_username>
  Enter the user name used to connect to the PPPoE server. This is only available in NAT/Route mode when mode is set to pppoe.
  Default: No default.
vdom <vdom_name>
  Enter the name of the virtual domain to which this interface belongs. When you change this keyword, the physical interface moves to the specified virtual domain. Firewall IP pools and virtual IPs previously added for this interface are deleted. You should also manually delete any routes that include this interface, as they may now be inaccessible. For more about VDOMs, see Working with virtual domains on page 51, and the FortiGate VLANs and VDOMs Guide.
  Default: root
vlanforward {enable | disable}
  Enable or disable forwarding of traffic between VLANs on this interface. When disabled, VLAN traffic is delivered only to its own VLAN.
  Default: enable
vlanid <id_number>
    Enter a VLAN ID that matches the VLAN ID of the packets to be received
    by this VLAN subinterface.
    The VLAN ID can be any number between 1 and 4094, as 0 and 4095 are
    reserved, but it must match the VLAN ID added by the IEEE
    802.1Q-compliant router on the other end of the connection. Two VLAN
    subinterfaces added to the same physical interface cannot have the
    same VLAN ID. However, you can add two or more VLAN subinterfaces with
    the same VLAN ID to different physical interfaces, and you can add
    multiple VLANs with different VLAN IDs to the same physical interface.
    This is available only when editing an interface with a type of vlan.
    For more about VLANs, see the FortiGate VLANs and VDOMs Guide.
    Default: No default.
wccp {enable | disable}
    Enable to start the Web Cache Control Protocol (WCCP) on this
    interface to optimize web traffic, reducing transmission costs and
    download time.
    Default: disable
wins-ip <wins_server_ip>
    Enter the IP address of a WINS server to which to forward NetBIOS
    broadcasts. This WINS server address is only used if netbios-forward
    is enabled.
    This is available in NAT/Route mode only.
    Default: No default.
WiFi keywords
These keywords apply only to the FortiWiFi-60A and FortiWiFi-60AM unit when type is wireless.
mac <mac_address>
    Enter a MAC address for the MAC filter list. This is used in the
    config wifi-mac_list subcommand.
    Default: No default.
wifi-acl {allow | deny}
    Select whether the MAC filter list allows or denies access.
    Default: deny
wifi-auth {PSK | RADIUS}
    Select either Pre-shared Key (PSK) or RADIUS to authenticate users
    connecting to this interface.
    This is available only when wifi-security is set to WPA.
    Default: PSK
wifi-broadcast_ssid {enable | disable}
    Enable if you want the FortiWiFi-60 to broadcast its SSID.
    Default: disable
wifi-encrypt {AES | TKIP}
    Select either Advanced Encryption Standard (AES) or Temporal Key
    Integrity Protocol (TKIP) for encryption on this WLAN interface.
    This is available only when wifi-security is set to WPA.
    Default: TKIP
wifi-fragment_threshold <packet_size>
    Set the maximum size of a data packet before it is broken into
    smaller packets, reducing the chance of packet collisions. If the
    packet size is larger than the threshold, the FortiWiFi unit will
    fragment the transmission. If the packet size is less than the
    threshold, the FortiWiFi unit will not fragment the transmission.
    Range 800-2346. A setting of 2346 bytes effectively disables this
    option.
    This is available in AP mode only.
    Default: 2346
wifi-key <hex_key>
    Enter a WEP key. The WEP key must be 10 or 26 hexadecimal digits
    (0-9 a-f). For a 64-bit WEP key, enter 10 hexadecimal digits. For a
    128-bit WEP key, enter 26 hexadecimal digits.
    wifi-security must be set to WEP128 or WEP64.
    This is available in AP mode only.
    Default: No default.
wifi-mac-filter {enable | disable}
    Enable MAC filtering for the wireless interface.
    Default: disable
wifi-passphrase <pass_str>
    Enter the shared key for WPA_PSK security.
    wifi-security must be set to WPA_PSK.
    This is available in AP mode only.
    Default: No default.
wifi-radius-server <server_name>
    Set the RADIUS server name for WPA_RADIUS security.
    wifi-security must be set to WPA_RADIUS.
    This is available in AP mode only.
    Default: No default.
wifi-rts_threshold <integer>
    The request to send (RTS) threshold is the maximum size, in bytes,
    of a packet that the FortiWiFi will accept without sending RTS/CTS
    packets to the sending wireless device. In some cases, larger packets
    being sent may cause collisions, slowing data transmissions.
    The valid range is 256 to 2346. A setting of 2347 bytes effectively
    disables this option.
    This is available in AP mode only.
    Default: 2346
wifi-security <sec_mode>
    Enter the security (encryption) mode:
        None       Communication is not encrypted.
        WEP64      WEP 64-bit encryption
        WEP128     WEP 128-bit encryption
        WPA_PSK    WPA encryption with pre-shared key
        WPA_RADIUS WPA encryption via RADIUS server.
    This is available in AP mode only.
    Default: None
wifi-ssid <id_str>
    Change the Service Set ID (SSID) as required.
    The SSID is the wireless network name that this FortiWiFi-60A WLAN
    broadcasts. Users who wish to use the wireless network should
    configure their computers to connect to the network that broadcasts
    this network name.
    Default: fortinet
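The following configuration is an added illustration, not an example from this manual: it brings up a FortiWiFi WLAN interface using WPA with a pre-shared key and AES rather than the WEP64/WEP128 or TKIP modes listed above, and restricts association with the MAC filter list. The interface name wlan, the SSID, the passphrase, the MAC address and the wifi-mac_list entry index are assumed values; the edit <id> / set mac form of the wifi-mac_list subcommand is assumed, as this section only names the subcommand.

```text
config system interface
    edit wlan
        # assumed: wlan is the FortiWiFi wireless interface (type wireless)
        set wifi-ssid ExampleCorp-Staff
        # WPA with pre-shared key; AES instead of the TKIP default
        set wifi-security WPA_PSK
        set wifi-encrypt AES
        # assumed placeholder: use a long random passphrase in practice
        set wifi-passphrase "CHANGE-ME-long-random-passphrase"
        # MAC filtering limits which clients may associate; it is an
        # access-list convenience on top of WPA, not a substitute for it
        set wifi-mac-filter enable
        set wifi-acl allow
        config wifi-mac_list
            edit 1
                set mac 00:09:0f:aa:bb:cc
            next
        end
    next
end
```

Because wifi-acl is set to allow, only the MAC addresses listed in wifi-mac_list may associate; with deny, every listed address is rejected instead.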
config ipv6 variables
autoconf {enable | disable}
    Enable or disable automatic configuration of the IPv6 address. When
    enabled, and ip6-send-adv is disabled, the FortiGate unit acts as a
    stateless address auto-configuration (SLAAC) client.
    Default: disable
ip6-address <if_ipv6mask>
    The interface IPv6 address and netmask. The format for IPv6
    addresses and netmasks is described in RFC 3513.
    This is available in NAT/Route mode only.
    Default: ::/0
ip6-allowaccess <access_types>
    Enter the types of management access permitted on this IPv6
    interface.
    Valid types are: ping or any. Both of these options only allow ping
    access.
    Default: Varies for each interface.
ip6-default-life <ipv6_life_seconds>
    Enter the number, in seconds, to add to the Router Lifetime field of
    router advertisements sent from the interface. The valid range is 0
    to 9000.
    This is available in NAT/Route mode only.
    Default: 1800
ip6-hop-limit <ipv6_hops_limit>
    Enter the number to be added to the Cur Hop Limit field in the
    router advertisements sent out this interface. Entering 0 means no
    hop limit is specified.
    This is available in NAT/Route mode only.
    Default: 0
ip6-link-mtu <ipv6_mtu>
    Enter the MTU number to add to the router advertisements options
    field. Entering 0 means that no MTU options are sent.
    This is available in NAT/Route mode only.
    Default: 0
ip6-manage-flag {disable | enable}
    Enable or disable the managed address configuration flag in router
    advertisements.
    This is available in NAT/Route mode only.
    Default: disable
ip6-max-interval <adverts_max_seconds>
    Enter the maximum time interval, in seconds, between sending
    unsolicited multicast router advertisements from the interface. The
    valid range is 4 to 1800.
    This is available in NAT/Route mode only.
    Default: 600
ip6-min-interval <adverts_min_seconds>
    Enter the minimum time interval, in seconds, between sending
    unsolicited multicast router advertisements from the interface. The
    valid range is 4 to 1800.
    This is available in NAT/Route mode only.
    Default: 198
ip6-other-flag {disable | enable}
    Enable or disable the other stateful configuration flag in router
    advertisements.
    This is available in NAT/Route mode only.
    Default: disable
ip6-reachable-time <reachable_msecs>
    Enter the number to be added to the reachable time field in the
    router advertisements. The valid range is 0 to 3600. Entering 0 means
    no reachable time is specified.
    This is available in NAT/Route mode only.
    Default: 0
ip6-retrans-time <retrans_msecs>
    Enter the number to be added to the Retrans Timer field in the router
    advertisements. Entering 0 means that the Retrans Timer is not
    specified.
    This is available in NAT/Route mode only.
    Default: 0
ip6-send-adv {enable | disable}
    Enable or disable the flag indicating whether or not to send periodic
    router advertisements and to respond to router solicitations.
    When disabled, and autoconf is enabled, the FortiGate unit acts as a
    stateless address auto-configuration (SLAAC) client.
    This is available in NAT/Route mode only.
    Default: disable
edit <ipv6_prefix> variables
autonomous-flag {enable | disable}
    Set the state of the autonomous flag for the IPv6 prefix. Enter one
    of: enable, disable.
    Default: disable
onlink-flag {enable | disable}
    Set the state of the on-link flag ("L-bit") in the IPv6 prefix. Enter
    one of: enable, disable.
preferred-life-time <seconds>
    Enter the preferred lifetime, in seconds, for this IPv6 prefix.
    Default: 604800
valid-life-time <seconds>
    Enter the valid lifetime, in seconds, for this IPv6 prefix.
    Default: 2592000
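As an added example that is not part of this manual, the following configuration turns the internal interface into an IPv6 router that advertises one prefix for SLAAC while keeping management access limited to ping. The interface name, the documentation prefix 2001:db8:10::/64 and the timer values are assumed; the name of the prefix subcommand, config ip6-prefix-list, is also an assumption, since this section shows only its edit <ipv6_prefix> variables.

```text
config system interface
    edit internal
        config ipv6
            # assumed: RFC 3849 documentation prefix, /64 so SLAAC works
            set ip6-address 2001:db8:10::1/64
            # only ping reaches the unit over IPv6 on this interface
            set ip6-allowaccess ping
            # send periodic RAs and answer router solicitations;
            # with ip6-send-adv enabled the unit is a router, not a
            # SLAAC client, so autoconf is left at its default (disable)
            set ip6-send-adv enable
            # M flag off: hosts self-assign addresses (SLAAC);
            # O flag on: hosts may fetch other settings via DHCPv6
            set ip6-manage-flag disable
            set ip6-other-flag enable
            # unsolicited RA spacing; both within the 4-1800 s range
            # and the minimum must not exceed the maximum
            set ip6-min-interval 200
            set ip6-max-interval 600
            # router lifetime (0-9000 s) advertised to hosts
            set ip6-default-life 1800
            set ip6-hop-limit 64
            config ip6-prefix-list
                # assumed subcommand name for the edit <ipv6_prefix> table
                edit 2001:db8:10::/64
                    # A flag: hosts may form addresses from this prefix
                    set autonomous-flag enable
                    # L flag: hosts treat the prefix as directly reachable
                    set onlink-flag enable
                    set preferred-life-time 604800
                    set valid-life-time 2592000
                next
            end
        end
    next
end
```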
config l2tp-client-settings
auth-type {auto | chap | mschapv1 | mschapv2 | pap}
    Select the type of authorization used with this client:
        auto      automatically choose the type of authorization
        chap      use Challenge-Handshake Authentication Protocol
        mschapv1  use Microsoft version of CHAP version 1
        mschapv2  use Microsoft version of CHAP version 2
        pap       use Password Authentication Protocol
    Default: auto
defaultgw {enable | disable}
    Enable to use the default gateway.
    Default: disable
distance <admin_distance>
    Enter the administrative distance of learned routes.
    Default: 2
mtu <integer>
    Enter the Maximum Transmission Unit (MTU) for L2TP.
    Default: 1460
password <password>
    Enter the password for L2TP.
    Default: n/a
peer-host <ipv4_addr>
    Enter the IP address of the L2TP host.
    Default: n/a
peer-mask <netmask>
    Enter the netmask used to connect to L2TP peers connected to this
    interface.
    Default: 255.255.255.255
peer-port <port_num>
    Enter the port used to connect to L2TP peers on this interface.
    Default: 1701
priority <integer>
    Enter the priority of routes learned through L2TP. This will be used
    to resolve any ties in the routing table.
    Default: 0
user <string>
    Enter the L2TP user name used to connect.
    Default: n/a
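The following added example (not from the manual) configures an interface as an L2TP client using the keywords above, choosing mschapv2 explicitly instead of auto so that the client never falls back to PAP, which sends the password in clear text. The interface name wan2, the peer address, the credentials and the enabling keyword l2tp-client are assumptions; the History section records that l2tp-client and l2tp-client-settings were added together in FortiOS v3.0 MR7.

```text
config system interface
    edit wan2
        # assumed: the keyword that turns this interface into an L2TP client
        set l2tp-client enable
        config l2tp-client-settings
            # pin the authentication type rather than negotiating with auto
            set auth-type mschapv2
            set user l2tpuser
            # assumed placeholder credential
            set password "CHANGE-ME"
            # assumed: RFC 5737 documentation address for the L2TP host
            set peer-host 203.0.113.10
            set peer-mask 255.255.255.255
            set peer-port 1701
            # use the tunnel as default gateway, but with a higher distance
            # than the usual static default (distance 2) so it only wins
            # when no better route exists
            set defaultgw enable
            set distance 2
            set priority 0
            set mtu 1460
        end
    next
end
```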
variables for aggregate and redundant interfaces (models 300A, 310B, 400A, 500A, 620B, and 800 or higher)
These variables are available only when type is aggregate or redundant.
algorithm {L2 | L3 | L4}
    Enter the algorithm used to control how frames are distributed across
    links in an aggregated interface. The choice of algorithm determines
    what information is used to determine frame distribution. Enter one
    of:
        L2  use source and destination MAC addresses
        L3  use source and destination IP addresses, falling back to the
            L2 algorithm if IP information is not available
        L4  use TCP, UDP or ESP header information
    Default: L4
lacp-ha-slave {enable | disable}
    This option affects how the aggregate interface participates in Link
    Aggregation Control Protocol (LACP) negotiation when HA is enabled
    for the VDOM. It takes effect only if Active-Passive HA is enabled
    and lacp-mode is not static. Enter enable to participate in LACP
    negotiation as a slave or disable to not participate.
    Default: enable
lacp-mode {active | passive | static}
    Enter one of active, passive, or static.
        active   send LACP PDU packets to negotiate link aggregation
                 connections. This is the default.
        passive  respond to LACP PDU packets and negotiate link
                 aggregation connections
        static   link aggregation is configured statically
    Default: active
lacp-speed {fast | slow}
    Enter slow to send LACP PDU packets every 30 seconds to negotiate
    link aggregation connections. This is the default.
    Enter fast to send LACP PDU packets every second, as recommended in
    the IEEE 802.3ad standard.
    This is available only on FortiGate models 800 and higher when type
    is aggregate.
    Default: slow
member <if_name1> <if_name2> ...
    Specify a list of physical interfaces that are part of an aggregate
    or redundant group. To modify a list, enter the complete revised
    list.
    If VDOMs are enabled, then vdom must be set the same for each
    interface before you enter the member list.
    An interface is available to be part of an aggregate or redundant
    group only if
        it is a physical interface, not a VLAN interface
        it is not already part of an aggregated or redundant interface
        it is in the same VDOM as the aggregated interface
        it has no defined IP address and is not configured for DHCP or
        PPPoE
        it has no DHCP server or relay configured on it
        it does not have any VLAN subinterfaces
        it is not referenced in any firewall policy, VIP, IP Pool or
        multicast policy
        it is not an HA heartbeat device or monitored by HA
    In a redundant group, failover to the next member interface happens
    when the active interface fails or is disconnected.
    The order in which you specify the interfaces in the member list is
    the order in which they will become active in the redundant group.
    For example, if you enter set member port5 port1, then port5 will be
    active at the start, and when it fails or is disconnected port1 will
    become active.
    This is available only when type is aggregate or redundant.
    Default: No default.
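The following is an added example, not one from the manual, showing an LACP aggregate and a redundant pair built from the keywords above. Interface names, VDOM and addresses are assumed; the member ports are taken to satisfy the conditions listed for member (physical, unaddressed, no VLAN subinterfaces, not referenced by policies or HA).

```text
config system interface
    edit agg1
        set type aggregate
        # vdom is set before member, as required when VDOMs are enabled
        set vdom root
        # the complete member list is given in one command
        set member port3 port4
        # actively negotiate with the switch; fast PDUs (every second)
        # detect a dead link sooner but are only available on models
        # 800 and higher
        set lacp-mode active
        set lacp-speed fast
        # hash on TCP/UDP/ESP headers so one flow stays on one link
        set algorithm L4
        # assumed addressing; the aggregate, not the members, carries it
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
    next
    edit red1
        set type redundant
        set vdom root
        # member order is the failover order: port5 is active first,
        # port1 takes over when port5 fails or is disconnected
        set member port5 port1
        set ip 10.20.20.1 255.255.255.0
    next
end
```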
Example
This example shows how to set the FortiGate-300 internal interface IP address and netmask to
192.168.100.159 255.255.255.0, and the management access to ping, https, and ssh.
config system interface
    edit internal
        set allowaccess ping https ssh
        set ip 192.168.110.26 255.255.255.0
end
This example shows how to add a loopback interface with a name of loop1. The IP address is set to
10.0.0.10 255.255.255.0 and bfd is set to global. Any traffic sent to this interface will be dropped, as it is a
blackhole route.
config system interface
    edit loop1
        set type loopback
        set ip 10.0.0.10 255.255.255.0
        set bfd global
end
This example shows how to add a secondary IP address and netmask of 192.176.23.180
255.255.255.0 to the internal interface. Also configure ping and https management access to this
secondary IP address. You cannot add a secondary IP that is part of the subnet of the original interface IP
address.
config system interface
    edit internal
        config secondaryip
            edit 1
                set allowaccess ping https
                set ip 192.176.23.180 255.255.255.0
        end
end
History
FortiOS v2.80      Substantially revised. IPv6 added.
FortiOS v2.80 MR2  Added netbios-forward, wins-ip keywords. Removed zone keyword, moved to system zone.
FortiOS v2.80 MR3  Added defaultgw keyword.
FortiOS v2.80 MR6  Added mtu-override keyword.
FortiOS v3.0       Added ident-accept keyword.
FortiOS v3.0 MR1   Added <pingserver2_ip4> to detectserver, aggregate and redundant to type keyword,
                   added pppoe-unnumbered-negotiate and priority keywords.
FortiOS v3.0 MR3   DDNS retry interval increased to after 3 failed attempts. Added wifi-auth,
                   wifi-encrypt, and show-backplane-intf keywords. Removed defaultgw keyword.
FortiOS v3.0 MR4   Added bfd, bfd-desired-min-tx, bfd-detect-mult, bfd-required-min-rx keywords.
FortiOS v3.0 MR5   Added peer-interface, loopback type, alias, fp-anomaly, icmp-redirect, and
                   mediatype. Changes to parameters of auth-type.
FortiOS v3.0 MR6   Changed gateway_address to gwaddr, and lcp-max-echo-failures to
                   lcp-max-echo-fail. Changed ipv6-allowaccess parameters. Added pptp variable.
                   Added the ha-priority keyword. Removed all l2tp-client commands, and the
                   connection command.
FortiOS v3.0 MR7   Added outbandwidth, IPv6 autoconf keyword, and added any option to IPv6
                   allowaccess keyword. Added l2tp-client, and l2tp-client-settings subcommands.
                   dns-server-override default value is now enable.
FortiOS v4.0       Added nontp-web-proxy, ips-sniffer-mode, and wccp keywords. Added FortiGate
                   310B and 610B to models that support aggregate links. Removed gwaddr, mux-type,
                   vci, and vpi keywords and the type keyword's adsl option (no ADSL support).
ipv6-tunnel
Use this command to tunnel IPv6 traffic over an IPv4 network. The IPv6 interface is configured under
config system interface.
Note: This command is not available in Transparent mode.
Syntax
config system ipv6-tunnel
    edit <tunnel_name>
        set destination <tunnel_address>
        set interface <name>
        set ip6 <address_ipv6>
        set source <address_ipv4>
end
Variables
edit <tunnel_name>
    Enter a name for the IPv6 tunnel.
    Default: No default.
destination <tunnel_address>
    The destination IPv4 address for this tunnel.
    Default: 0.0.0.0
interface <name>
    The interface used to send and receive traffic for this tunnel.
    Default: No default.
ip6 <address_ipv6>
    The IPv6 address for this tunnel.
    Default: No default.
source <address_ipv4>
    The source IPv4 address for this tunnel.
    Default: 0.0.0.0
Example
Use the following commands to set up an IPv6 tunnel.
config system ipv6-tunnel
    edit test_tunnel
        set destination 10.10.10.1
        set interface internal
        set ip6 12AB:0:0:CD30::/60
        set source 192.168.50.1
end
History
FortiOS v2.80      New.
FortiOS v3.0       Changed from ipv6_tunnel to ipv6-tunnel.
FortiOS v3.0 MR1   Removed vdom keyword.
FortiOS v3.0 MR2   Added command syntax for multiple-vdom mode. Removed ipv6 and mode keywords.
FortiOS v3.0 MR5   Added ip6.
FortiOS v3.0 MR6   Removed command.
FortiOS v3.0 MR7   Added command back.
Related topics
system interface
system sit-tunnel
mac-address-table
Use this command to create a static MAC table. The table can hold up to 200 entries.
This command is available in Transparent mode only.
Syntax
config system mac-address-table
    edit <mac-address_hex>
        set interface <if_name>
end
Keywords and variables
edit <mac-address_hex>
    Enter the MAC address as six pairs of hexadecimal digits separated
    by colons, e.g.: 11:22:33:00:ff:aa
    Default: No default.
interface <if_name>
    Enter the name of the interface to which this MAC table entry
    applies.
    Default: No default.
Example
Use the following commands to add a static MAC entry for the internal interface.
config system mac-address-table
    edit 11:22:33:00:ff:aa
        set interface internal
end
History
FortiOS v2.80      Renamed and revised. Formerly set system brctl.
management-tunnel
Use this command to configure the remote management tunnel that is required by some FortiGuard
Analysis and Management Service remote administration features, such as the real-time monitor, and
which remote management actions the FortiGate unit will allow from FortiGuard Analysis and Management
Service.
To complete remote management setup with FortiGuard Analysis and Management Service, also
configure their required settings, such as providing the service account ID. For details on enabling remote
administration and remote management connections initiated by the FortiGate unit rather than the
FortiGuard Analysis and Management Service, see system fortiguard on page 357.
Note: This command is currently only applicable to FortiGuard Analysis and Management Service; it will
also be applicable to FortiManager 4.0.
Syntax
config system management-tunnel
    set allow-collect-statistics {enable | disable}
    set allow-config-restore {enable | disable}
    set allow-push-configuration {enable | disable}
    set allow-push-firmware {enable | disable}
    set authorized-manager-only {enable | disable}
    set serial-number <serial_str>
    set status {enable | disable}
end
Variables
status {enable | disable}
    Enable or disable the SSL-secured management tunnel between the
    FortiGate unit and FortiGuard Analysis and Management Service.
    Default: enable
allow-config-restore {enable | disable}
    Enable or disable remote restoration of a previous configuration.
    This option appears only if status is enable.
    Default: enable
allow-push-configuration {enable | disable}
    Enable or disable remote configuration.
    This option appears only if status is enable.
    Default: enable
allow-push-firmware {enable | disable}
    Enable or disable remote firmware upgrades.
    This option appears only if status is enable.
    Default: enable
allow-collect-statistics {enable | disable}
    Enable or disable real-time monitor SNMP polls through the tunnel.
    This option appears only if status is enable.
    Default: enable
authorized-manager-only {enable | disable}
    Enable or disable remote management only by the FortiManager unit
    with the specified serial number. Also configure serial-number.
    This option appears only if status is enable, and is reserved for
    future use.
    Default: enable
serial-number <serial_str>
    Enter up to five serial numbers of FortiManager units that are
    authorized to remotely manage this FortiGate unit. Separate multiple
    serial numbers with a space.
    This option appears only if status and authorized-manager-only are
    enable, and is reserved for future use.
    Default: No default.
Example
This example shows how to configure the remote management tunnel to allow FortiGuard Analysis and
Management Service to query for real-time monitor (SNMP) statistics, but not to initiate remote firmware
upgrades.
config system fortiguard
    set central-mgmt-status enable
    set service-account-id ExampleCo
end
config system management-tunnel
    set status enable
    set allow-collect-statistics enable
    set allow-push-firmware disable
end
History
FortiOS v3.0 MR6   New command. Configures remote management tunnel and actions allowed from
                   the FortiGuard Management Service.
Related topics
system fortiguard
system fortiguard-log
modem
Use this command to configure a FortiGate-60M modem or a serial modem interface connected using a
serial converter to the USB port.
You can add the information to connect to up to three dialup accounts. The FortiGate-60 or FortiGate-60M
unit modem interface can act as a backup interface for one of the FortiGate ethernet interfaces or as a
standalone dialup interface.
A modem's status is initially set to disabled. Disabled modems will not be displayed in the web-based
manager interface list. CLI interface lists will display the modem no matter what the modem status is.
Changing the status to enabled will display the modem in the web-based manager.
These commands are available in NAT/Route mode only.
Some FortiGate and FortiWifi models have a PCMCIA slot for a 3G wireless modem card. Such a modem
can be used as a backup connection in case the land line goes down. The modem-dev keywords allow
you to select the 3G modem when it is installed, and the wireless-custom- keywords allow you to
configure it.
Syntax
config system modem
    set account-relation {equal | fallback}
    set altmode {enable | disable}
    set auto-dial {enable | disable}
    set connect_timeout <seconds>
    set dial-on-demand {enable | disable}
    set distance <distance>
    set extra-init1, extra-init2, extra-init3 <init_str>
    set holddown-timer <seconds>
    set idle-timer <minutes>
    set interface <name>
    set mode {redundant | standalone}
    set modem-dev1, modem-dev2, modem-dev3 {internal | pcmcia-wireless}
    set passwd1 <password_str>
    set passwd2 <password_str>
    set passwd3 <password_str>
    set peer_modem1 {actiontec | ascendTNT | generic}
    set peer_modem2 {actiontec | ascendTNT | generic}
    set peer_modem3 {actiontec | ascendTNT | generic}
    set phone1 <phone-number>
    set phone2 <phone-number>
    set phone3 <phone-number>
    set pin-init <init_str>
    set ppp-echo-request1 {disable | enable}
    set ppp-echo-request2 {disable | enable}
    set ppp-echo-request3 {disable | enable}
    set priority <integer> {disable | enable}
    set redial <tries_integer>
    set status {disable | enable}
    set username1 <name_str>
    set username2 <name_str>
    set username3 <name_str>
    set wireless-custom-product-id <pid_hex>
    set wireless-custom-vendor-id <vid_hex>
end
Keywords and variables
account-relation {equal | fallback}
    Set the account relationship as either equal or fallback.
        equal     Accounts are equal and keep using the first successful
                  account.
        fallback  The first account takes priority; fall back to the
                  first account if possible.
    Default: equal
altmode {enable | disable}
    Enable for installations using PPP in China.
    Default: enable
auto-dial {enable | disable}
    Enable to dial the modem automatically if the connection is lost or
    the FortiGate unit is restarted.
    This is available only when dial-on-demand is set to disable, and
    mode is set to standalone.
    Default: disable
connect_timeout <seconds>
    Set the connection completion timeout (30 - 255 seconds).
    Default: 90
dial-on-demand {enable | disable}
    Enable to dial the modem when packets are routed to the modem
    interface. The modem disconnects after the idle-timer period.
    This is available only if auto-dial is set to disable, and mode is
    set to standalone.
    Default: disable
distance <distance>
    Enter the administrative distance (1-255) to use for the default
    route that is automatically added when the modem connects and
    obtains an IP address. A lower distance indicates a more preferred
    route. For more information, see router static distance <distance>
    on page 301.
    This keyword is useful for configuring redundant routes in which the
    modem interface acts as a backup to another interface.
    Default: 1
extra-init1, extra-init2, extra-init3 <init_str>
    Enter up to three extra initialization strings to send to the modem.
    Default: null
holddown-timer <seconds>
    Used only when the modem is configured as a backup for an interface.
    Set the time (1-60 seconds) that the FortiGate unit waits before
    switching from the modem interface to the primary interface, after
    the primary interface has been restored.
    This is available only when mode is set to redundant.
    Default: 60
idle-timer <minutes>
    Set the number of minutes the modem connection can be idle before it
    is disconnected.
    This is available only if mode is set to standalone.
    Default: 5
interface <name>
    Enter an interface name to associate the modem interface with the
    ethernet interface that you want to either back up (backup
    configuration) or replace (standalone configuration).
    Default: No default.
mode {redundant | standalone}
    Enter the required mode:
        redundant   The modem interface automatically takes over from a
                    selected ethernet interface when that ethernet
                    interface is unavailable.
        standalone  The modem interface is the connection from the
                    FortiGate unit to the Internet.
    Default: standalone
modem-dev1, modem-dev2, modem-dev3 {internal | pcmcia-wireless}
    Select the modem interface to use, either internal or
    pcmcia-wireless. There are three keywords, one for each possible
    modem device.
    This keyword is only available on models that support PCMCIA.
    Default: internal
passwd1 <password_str>
    Enter the password used to access the specified dialup account.
    Default: No default.
passwd2 <password_str>
    Enter the password used to access the specified dialup account.
    Default: No default.
passwd3 <password_str>
    Enter the password used to access the specified dialup account.
    Default: No default.
peer_modem1 {actiontec | ascendTNT | generic}
    If the modem at phone1 is Actiontec or AscendTNT, select that type;
    otherwise leave the setting as generic.
    This setting applies to models 50AM, 60M and WiFi-60M only.
    Default: generic
peer_modem2 {actiontec | ascendTNT | generic}
    If the modem at phone2 is Actiontec or AscendTNT, select that type;
    otherwise leave the setting as generic.
    This setting applies to models 50AM, 60M and WiFi-60M only.
    Default: generic
peer_modem3 {actiontec | ascendTNT | generic}
    If the modem at phone3 is Actiontec or AscendTNT, select that type;
    otherwise leave the setting as generic.
    This setting applies to models 50AM, 60M and WiFi-60M only.
    Default: generic
phone1 <phone-number>
    Enter the phone number required to connect to the dialup account. Do
    not add spaces to the phone number. Make sure to include standard
    special characters for pauses, country codes, and other functions as
    required by your modem to connect to your dialup account.
    Default: No default.
phone2 <phone-number>
    Enter the phone number required to connect to the dialup account. Do
    not add spaces to the phone number. Make sure to include standard
    special characters for pauses, country codes, and other functions as
    required by your modem to connect to your dialup account.
    Default: No default.
phone3 <phone-number>
    Enter the phone number required to connect to the dialup account. Do
    not add spaces to the phone number. Make sure to include standard
    special characters for pauses, country codes, and other functions as
    required by your modem to connect to your dialup account.
    Default: No default.
pin-init <init_str>
    Enter an AT command string to set the PIN.
    Use this command only after a reboot or major settings change.
    Default: null
ppp-echo-request1 {disable | enable}
    Disable ppp-echo-request1 if the PPP echo request feature is not
    supported by your wireless ISP. This applies to the 1st modem, if
    connected.
    PPP echo request is used to detect low-level link down for modems.
    Default: enable
ppp-echo-request2 {disable | enable}
    Disable ppp-echo-request2 if the PPP echo request feature is not
    supported by your wireless ISP. This applies to a 2nd modem, if
    connected.
    PPP echo request is used to detect low-level link down for modems.
    Default: enable
ppp-echo-request3 {disable | enable}
    Disable ppp-echo-request3 if the PPP echo request feature is not
    supported by your wireless ISP. This applies to a 3rd modem, if
    connected.
    PPP echo request is used to detect low-level link down for modems.
    Default: enable
priority <integer> {disable | enable}
    Enter the priority of learned routes on this interface.
    Valid priorities are from 0 to 4294967295.
    Default: 0
redial <tries_integer>
    Set the maximum number of times (1-10) that the FortiGate unit dials
    the ISP to restore an active connection on the modem interface.
    Select none to allow the modem to redial without a limit.
    Default: No default.
status {disable | enable}
    Enable or disable modem support. This is equivalent to bringing an
    interface up or down.
    Default: disable
username1 <name_str>
    Enter the user name used to access the specified dialup account.
    Default: No default.
username2 <name_str>
    Enter the user name used to access the second dialup account.
    No default.
username3 <name_str>
    Enter the user name used to access the third dialup account.
    No default.
wireless-custom-product-id <pid_hex>
    Configure the product ID of an installed 3G wireless PCMCIA modem. Valid range is 0x0000 - 0xFFFF. This keyword is available only on models that support PCMCIA cards.
    Default: null
wireless-custom-vendor-id <vid_hex>
    Configure the vendor ID of an installed 3G wireless PCMCIA modem. Valid range is 0x0000 - 0xFFFF. This keyword is available only on models that support PCMCIA cards.
    Default: null
Example
This example shows how to enable the modem and configure the modem to act as a backup for the WAN1 interface. Only one dialup account is configured. The FortiGate unit and modem will attempt to dial this account 10 times. The FortiGate unit will wait 5 seconds after the WAN1 interface recovers before switching back to the WAN1 interface.
config system modem
    set action dial
    set status enable
    set holddown-timer 5
    set interface wan1
    set passwd1 acct1passwd
    set phone1 1234567891
    set redial 10
    set username1 acct1user
end
This example shows how to display the settings, both system defaults and any settings that have been changed, for the modem command.
get system modem
This example shows how to display the configuration, which is any settings that have been changed from system defaults, for the modem command.
show system modem
History
Related topics
system interface
npu
Use this command to configure the Network Processing Unit (NPU) for FortiGate units that support FB4.
Syntax
config system npu
    set enc-offload-antireplay {enable | disable}
    set dec-offload-antireplay {enable | disable}
    set offload-ipsec-host {enable | disable}
    set traffic-shaping-mode {unidirection | bidirection}
end
Note: If you use the traffic-shaping-mode command, the bidirection option counts twice as much traffic. You need to allow twice the bandwidth as with unidirection.
enc-offload-antireplay {enable | disable}
    Enable this option for the system to offload IPSec packet encryption to FB4 when the egress port of the tunnel is on FB4.
    Default: disable
dec-offload-antireplay {enable | disable}
    Enable this option for the system to offload IPSec packet decryption to FB4 when the ingress port of the tunnel is on FB4.
    Default: enable
offload-ipsec-host {enable | disable}
    Enable this option for the system to offload packet encryption to FB4 when the egress port of this packet is on FB4.
    Default: disable
traffic-shaping-mode {unidirection | bidirection}
    Select the fast path bandwidth calculation method. In unidirection, traffic in each direction is counted separately. In bidirection, the traffic in both directions is counted at the same time.
    The default value on 3600A models is bidirection. The default value on 3810B models is unidirection.
History
FortiOS v3.0 MR5 New.
ntp
Use this command to configure Network Time Protocol (NTP) servers.
Syntax
config system ntp
    set ntpsync {enable | disable}
    set syncinterval <interval_int>
    config ntpserver
        edit <serverid_int>
            set server <IPv4_addr>[/<hostname_str>]
        next
    end
end
ntpsync {enable | disable}
    Enable to synchronize the FortiGate unit's system time with the NTP server.
    Default: disable
syncinterval <interval_int>
    Enter the interval in minutes between contacting the NTP server to synchronize time. The range is from 1 to 1440 minutes. Only valid when ntpsync is enabled.
    Default: 0
config ntpserver
    Configure multiple NTP servers.
edit <serverid_int>
    Enter the number for this NTP server.
set server <IPv4_addr>[/<hostname_str>]
    Enter the IPv4 address and hostname (optional) for this NTP server.
History
FortiOS v3.0 MR7 New.
proxy-arp
Use this command to add IP address to MAC address translation entries to the proxy ARP table.
Syntax
config system proxy-arp
    edit <table_entry>
        set interface <port>
        set ip <ipv4_address>
    next
end
edit <table_entry>
    Enter the unique ID of the table entry to add or modify.
    No default.
interface <port>
    Enter the physical port this IP will be associated with.
    No default.
ip <ipv4_address>
    Enter the IP address to associate with this physical port.
    No default.
History
FortiOS v3.0 MR2 New.
Related topics
system arp-table
get router info bgp
replacemsg admin
Use this command to change the administration disclaimer page.
If you enter the following CLI command the FortiGate unit displays the Administration Login disclaimer whenever an administrator logs into the FortiGate unit web-based manager or CLI.
config system global
    set access-banner enable
end
The web-based manager administrator login disclaimer contains the text of the Login Disclaimer replacement message as well as Accept and Decline buttons. The administrator must select Accept to log in.
These are HTML messages with HTTP headers.
Syntax
config system replacemsg admin admin_disclaimer_text
    set buffer <message>
    set format <format>
    set header <header_type>
end
Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message. Generally there is not a large call for these tags in disclaimer pages.
Note: If you unset the buffer for a replacement message, it will be cleared.
buffer <message>
    Type a new replacement message to replace the current replacement message. Maximum length 8 192 characters.
    Default: depends on message type.
format <format>
    Set the format of the message, one of: html, text or none.
    No default.
header <header_type>
    Set the format of the message header, one of: 8bit, http or none.
    Default: depends on message type.
Table 8: Replacement message tags
%%AUTH_REDIR_URL%%
    Link to open a new window (optional).
%%AUTH_LOGOUT%%
    Immediately close the connection policy.
%%KEEPALIVEURL%%
    URL the keep alive page connects to that keeps the connection policy alive. Connects every %%TIMEOUT%% seconds.
%%TIMEOUT%%
    Configured number of seconds between %%KEEPALIVEURL%% connections.
History
FortiOS v3.0 MR4 New command.
Related Commands
system global
replacemsg alertmail
The FortiGate unit adds the alert mail replacement messages listed in Table 9 to alert email messages sent to administrators. For more information about alert email, see system alertemail on page 331.
Alert mail replacement messages are text messages.
Syntax
config system replacemsg alertmail alert_msg_type
    set buffer <message>
    set format <format>
    set header <header_type>
end
Note: If you unset the buffer for a replacement message, it will be cleared.
alert_msg_type
    Alert mail replacement message type. See Table 9.
    No default.
buffer <message>
    Type a new replacement message to replace the current replacement message. Maximum length 8 192 characters.
    Default: depends on message type.
format <format>
    Set the format of the message, one of: html, text or none.
    No default.
header <header_type>
    Set the format of the message header, one of: 8bit, http or none.
    Default: depends on message type.
Note: If you enable Send alert email for logs based on severity for alert email, whether or not replacement messages are sent by alert email depends on how you set the alert email Minimum log level.
Table 9: alertmail message types
alertmail-block
    Virus detected must be enabled for alert email. Antivirus File Filter must be enabled in a protection profile and block a file that matches an entry in a selected file filter list.
alertmail-crit-event
    Whenever a critical level event log message is generated, this replacement message is sent unless you configure alert email to enable Send alert email for logs based on severity and set the Minimum log level to Alert or Emergency.
alertmail-disk-full
    Disk usage must be enabled for alert email. Sent when disk usage reaches the percent full amount configured for alert email.
alertmail-nids-event
    Intrusion detected must be enabled for alert email. When an IPS Sensor or a DoS Sensor detects an attack, this replacement message is sent.
alertmail-virus
    Virus detected must be enabled for alert email. Antivirus Virus Scan must be enabled in a protection profile and detect a virus.
Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.
Example
The default message for a detected virus is:
Virus/Worm detected: %%VIRUS%% Protocol: %%PROTOCOL%% Source IP: %%SOURCE_IP%% Destination IP: %%DEST_IP%% Email Address From: %%EMAIL_FROM%% Email Address To: %%EMAIL_TO%%
Table 10: Replacement message tags
%%FILE%%
    The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.
%%VIRUS%%
    The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages.
%%URL%%
    The URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in HTTP virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked.
%%CRITICAL_EVENT%%
    Added to alert email critical event email messages. %%CRITICAL_EVENT%% is replaced with the critical event message that triggered the alert email.
%%PROTOCOL%%
    The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.
%%SOURCE_IP%%
    IP address of the email server that sent the email containing the virus.
%%DEST_IP%%
    IP address of the user's computer that attempted to download the message from which the file was removed.
%%EMAIL_FROM%%
    The email address of the sender of the message from which the file was removed.
%%EMAIL_TO%%
    The email address of the intended receiver of the message from which the file was removed.
%%NIDS_EVENT%%
    The IPS attack message. %%NIDS_EVENT%% is added to alert email intrusion messages.
History
FortiOS v2.8 New command.
FortiOS v3.0 MR2 Command removed.
FortiOS v3.0 MR3 Command added. Replacement messages increased in size from 4 096 to 8 192 bytes per message.
Related Commands
firewall interface-policy
system alertemail
replacemsg auth
The FortiGate unit uses the text of the authentication replacement messages listed in Table 11 for various user authentication HTML pages that are displayed when a user is required to authenticate because a firewall policy includes at least one identity-based policy that requires firewall users to authenticate. For more information about identity-based policies, see Identity-based firewall policy options (non-SSL-VPN) and Configuring SSL VPN identity-based firewall policies in the Firewall Policy chapter of the FortiGate Administration Guide.
These pages are used for authentication using HTTP and HTTPS. Authentication replacement messages are HTML messages. You cannot customize the firewall authentication messages for FTP and Telnet.
The authentication login page and the authentication disclaimer include replacement tags and controls not found on other replacement messages.
Users see the authentication login page when they use a VPN or a firewall policy that requires authentication. You can customize this page in the same way as you modify other replacement messages. Administrators see the authentication disclaimer page when logging into the FortiGate web-based manager or CLI. The disclaimer page makes a statement about usage policy to which the user must agree before the FortiGate unit permits access. You should change only the disclaimer text itself, not the HTML form code.
There are some unique requirements for the login page; see Requirements for login page below.
These are HTML messages with HTTP headers.
Syntax
config system replacemsg auth auth_msg_type
    set buffer <message>
    set format <format>
    set header <header_type>
end
Note: If you unset the buffer for a replacement message, it will be cleared.
auth_msg_type
    Authentication replacement message type. See Table 11.
    No default.
buffer <message>
    Type a new replacement message to replace the current replacement message. Maximum length 8 192 characters.
    Default: depends on message type.
format <format>
    Set the format of the message, one of: html, text or none.
    No default.
header <header_type>
    Set the format of the message header, one of: 8bit, http or none.
    Default: depends on message type.
Table 11: auth message types
auth-challenge-page
    The HTML page displayed if firewall users are required to answer a question to complete authentication. The page displays the question and includes a field in which to type the answer. This feature is supported by RADIUS and uses the generic RADIUS challenge-access auth response. Usually, challenge-access responses contain a Reply-Message attribute that contains a message for the user (for example, Please enter new PIN). This message is displayed on the login challenge page. The user enters a response that is sent back to the RADIUS server to be verified.
    The Login challenge page is most often used with an RSA RADIUS server for RSA SecurID authentication. The login challenge appears when the server needs the user to enter a new PIN. You can customize the replacement message to ask the user for a SecurID PIN.
auth-disclaimer [1|2|3]
    Prompts the user to accept the displayed disclaimer when leaving the protected network. The web-based manager refers to this as User Authentication Disclaimer, and it is enabled with a firewall policy that also includes at least one identity-based policy. When a firewall user attempts to browse a network through the FortiGate unit using HTTP or HTTPS this disclaimer page is displayed.
    The extra pages seamlessly extend the size of the page from 8 192 characters up to 16 384 and 24 576 characters respectively.
auth-keepalive-page
    The HTML page displayed when firewall authentication keepalive is enabled using the following CLI command:
    config system global
        set auth-keepalive enable
    end
    Authentication keepalive keeps authenticated firewall sessions from ending when the authentication timeout ends. In the web-based manager, go to User > Options to set the Authentication Timeout.
auth-login-failed-page
    The HTML page displayed if firewall users enter an incorrect user name and password combination. This page includes a failed login message and a login prompt.
auth-login-page
    The authentication HTML page displayed when firewall users who are required to authenticate connect through the FortiGate unit using HTTP or HTTPS. Prompts the user for their username and password to log in.
auth-reject-page
    Displayed when the Disclaimer page replacement message does not redirect the user to a redirect URL or the firewall policy does not include a redirect URL. When a firewall user selects the button on the disclaimer page to decline access through the FortiGate unit, the Declined disclaimer page is displayed.
Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.
Table 12: Replacement message tags
%%AUTH_REDIR_URL%%
    Link to open a new window (optional).
%%AUTH_LOGOUT%%
    Immediately close the connection policy.
%%FAILED_MESSAGE%%
    Message displayed on the failed login page after user login fails.
%%KEEPALIVEURL%%
    URL the keep alive page connects to that keeps the connection policy alive. Connects every %%TIMEOUT%% seconds.
%%QUESTION%%
    The default login and rejected login pages use this text immediately preceding the username and password fields. The default challenge page uses this as the challenge question. These are treated as two different variables by the server. If you want to use different text, replace %%QUESTION%% with the text that you prefer.
%%TIMEOUT%%
    Configured number of seconds between %%KEEPALIVEURL%% connections.
%%USERNAMEID%%
    Username of the user logging in. This tag is used on the login and failed login pages.
%%PASSWORDID%%
    Password of the user logging in. This tag is used on the challenge, login and failed login pages.
Requirements for login page
The authentication login page is linked to FortiGate functionality and you must construct it according to the following guidelines to ensure that it will work.
The login page must be an HTML page containing a form with ACTION="/" and METHOD="POST".
The form must contain the following hidden controls:
<INPUT TYPE="hidden" NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%">
<INPUT TYPE="hidden" NAME="%%STATEID%%" VALUE="%%STATEVAL%%">
<INPUT TYPE="hidden" NAME="%%REDIRID%%" VALUE="%%PROTURI%%">
The form must contain the following visible controls:
<INPUT TYPE="text" NAME="%%USERNAMEID%%" size=25>
<INPUT TYPE="password" NAME="%%PASSWORDID%%" size=25>
Example
This example shows how to change the authentication login page. You enter the web page content as one long quoted string, using the backslash (\) character at the end of each line to continue the text on the next line.
config system replacemsg auth auth-login-page
    set buffer "<html><head> \
<title>Firewall Authentication</title> \
</head> \
<body><h4>You must authenticate to use this service.</h4> \
<form action="/" method="post"> \
<input name="%%MAGICID%%" value="%%MAGICVAL%%" type="hidden"> \
<table align="center" bgcolor="#00cccc" border="0" \
cellpadding="15" cellspacing="0" width="320"><tbody> \
<tr><th>Username:</th> \
<td><input name="%%USERNAMEID%%" size="25" type="text"></td></tr> \
<tr><th>Password:</th> \
<td><input name="%%PASSWORDID%%" size="25" type="password"></td> \
</tr><tr><td colspan="2" align="center" bgcolor="#00cccc"> \
<input name="%%STATEID%%" value="%%STATEVAL%%" type="hidden"> \
<input name="%%REDIRID%%" value="%%PROTURI%%" type="hidden"> \
<input value="Continue" type="submit"></td></tr></tbody></table> \
</form></body></html>"
    set format html
    set header http
end
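The tag substitution described for the alert mail example and the login-page requirements listed above, as an added example in Python. This is not code from the FortiGate reference or from FortiOS; it only assumes that tags take the %%NAME%% form shown in Tables 10 and 12. The tag values and both sample buffers are constructed for the example, and the checker tests exactly what the reference lists (a form with ACTION="/" and METHOD="POST", the three hidden controls and the two visible controls), nothing else the FortiGate unit may require. Run it before pasting a custom auth-login-page buffer into the CLI, where a missing control only shows up as a login page that does not work.

```python
"""Added example (not from the FortiGate CLI Reference): expand %%TAG%%
replacement-message tags and check a custom auth-login-page buffer against
the form requirements the reference lists. Sample data is constructed."""
import re
from html.parser import HTMLParser

TAG_RE = re.compile(r"%%([A-Z_]+)%%")

# Controls the reference says every custom login page form must carry.
REQUIRED_HIDDEN = {
    "%%MAGICID%%": "%%MAGICVAL%%",
    "%%STATEID%%": "%%STATEVAL%%",
    "%%REDIRID%%": "%%PROTURI%%",
}
REQUIRED_VISIBLE = {"%%USERNAMEID%%": "text", "%%PASSWORDID%%": "password"}


def expand_tags(buffer, values):
    """Replace each %%TAG%% with values[TAG]. Tags without a value are kept
    verbatim so a forgotten tag stays visible instead of silently vanishing."""
    return TAG_RE.sub(lambda m: values.get(m.group(1), m.group(0)), buffer)


def unexpanded_tags(text):
    """Sorted tag names still present in text (check this after expansion)."""
    return sorted(set(TAG_RE.findall(text)))


class _FormScanner(HTMLParser):
    """Collect every <form> with its <input> controls. HTMLParser lower-cases
    tag and attribute names; attribute values are kept as written."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v if v is not None else "") for k, v in attrs}
        if tag == "form":
            self._cur = {"action": a.get("action"),
                         "method": a.get("method", "").lower(), "inputs": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def check_login_page(buffer):
    """Return a list of problems with a custom auth-login-page buffer.
    An empty list means the page meets the listed requirements."""
    scanner = _FormScanner()
    scanner.feed(buffer)
    scanner.close()
    forms = [f for f in scanner.forms
             if f["action"] == "/" and f["method"] == "post"]
    if not forms:
        return ['no <form> with ACTION="/" and METHOD="POST"']
    inputs = forms[0]["inputs"]
    problems = []
    for name, value in REQUIRED_HIDDEN.items():
        hits = [i for i in inputs if i.get("name") == name
                and i.get("type", "").lower() == "hidden"]
        if not hits:
            problems.append("missing hidden input %s" % name)
        elif hits[0].get("value") != value:
            problems.append("%s must have VALUE=%s" % (name, value))
    for name, typ in REQUIRED_VISIBLE.items():
        hits = [i for i in inputs if i.get("name") == name]
        if not hits:
            problems.append("missing %s input %s" % (typ, name))
        elif hits[0].get("type", "").lower() != typ:
            problems.append("%s must be TYPE=%s" % (name, typ))
    return problems


# Constructed sample: the alertmail-virus default message quoted above.
SAMPLE_ALERT = ("Virus/Worm detected: %%VIRUS%% Protocol: %%PROTOCOL%% "
                "Source IP: %%SOURCE_IP%% Destination IP: %%DEST_IP%% "
                "Email Address From: %%EMAIL_FROM%% Email Address To: %%EMAIL_TO%%")

# Constructed sample login page carrying the required controls.
SAMPLE_LOGIN_PAGE = """<html><head><title>Firewall Authentication</title></head>
<body><h4>You must authenticate to use this service.</h4>
<form action="/" method="post">
<input name="%%MAGICID%%" value="%%MAGICVAL%%" type="hidden">
<input name="%%STATEID%%" value="%%STATEVAL%%" type="hidden">
<input name="%%REDIRID%%" value="%%PROTURI%%" type="hidden">
Username: <input name="%%USERNAMEID%%" size="25" type="text">
Password: <input name="%%PASSWORDID%%" size="25" type="password">
<input value="Continue" type="submit">
</form></body></html>"""

if __name__ == "__main__":
    # Constructed values; on a FortiGate the unit fills the tags in itself.
    print(expand_tags(SAMPLE_ALERT, {
        "VIRUS": "EICAR_TEST_FILE", "PROTOCOL": "SMTP",
        "SOURCE_IP": "192.0.2.10", "DEST_IP": "192.0.2.20",
        "EMAIL_FROM": "a@example.com", "EMAIL_TO": "b@example.com"}))
    print(check_login_page(SAMPLE_LOGIN_PAGE))
    print(check_login_page(SAMPLE_LOGIN_PAGE.replace("%%STATEID%%", "%%STATE%%")))
```

The checker deliberately looks only at the first form with the required action and method, because that is the one the FortiGate unit will post; a page that also carries a second decorative form is still accepted. Unknown tags are left in place by expand_tags rather than dropped, so a typo such as %%DST_IP%% shows up in the rendered text where a reviewer will notice it.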
History
FortiOS v3.0 auth category added.
FortiOS v3.0 MR2 Added auth-challenge-page, auth-disclaimer[1|2|3]-page, auth-keepalive-page, auth-login-failed-page and auth-reject-page keywords.
FortiOS v3.0 MR3 Replacement messages increased in size from 4 096 to 8 192 bytes per message.
Related Commands
system global
replacemsg ec
The endpoint control (ec) download portal replacement message formats the FortiClient download portal page that appears if you enable endpoint control in a firewall policy and select Redirect Non-conforming Clients to Download Portal. The portal provides links to download a FortiClient application installer. The endpoint control replacement message is an HTML message.
Message format is HTML by default.
Syntax
config system replacemsg ec endpt-download-portal
    set buffer <message>
    set format <format>
    set header <header_type>
end
Note: If you unset the buffer for a replacement message, it will be cleared.
endpt-download-portal
    Endpoint control replacement message type.
    No default.
buffer <message>
    Type a new replacement message to replace the current replacement message. Maximum length 8 192 characters.
    Default: depends on message type.
format <format>
    Set the format of the message, one of: html, text or none.
    Default: html
header <header_type>
    Set the format of the message header, one of: 8bit, http or none.
    Default: http
Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.
Table 13: Replacement message tags
%%LINK%%
    The download URL for the FortiClient installer.
Example
The default body of the ec replacement message is:
<HTML><HEAD><TITLE>FortiClient Download Portal</TITLE></HEAD>
<BODY>The security policy requires the latest FortiClient and signature package to be installed.
<BR><BR> The latest FortiClient installation file(s) may be downloaded by clicking: <BR><BR> %%LINK%%</BODY></HTML>
History
FortiOS v4.0 New
replacemsg fortiguard-wf
Use this command to change the default messages that replace web pages that FortiGuard Web Filtering has blocked.
The FortiGate unit sends the FortiGuard Web Filtering replacement messages listed in Table 14 to web browsers using the HTTP protocol when FortiGuard Web Filtering blocks a URL, provides details about blocked HTTP 4xx and 5xx errors, and for FortiGuard overrides. FortiGuard Web Filtering replacement messages are HTTP pages.
If the FortiGate unit supports SSL content scanning and inspection and if Protocol Recognition > HTTPS Content Filtering Mode is set to Deep Scan in the protection profile, these replacement messages can also replace web pages downloaded using the HTTPS protocol.
By default, these are HTML messages.
Syntax
config system replacemsg fortiguard-wf <fortiguard_msg_type>
    set buffer <message>
    set format <format>
    set header <header_type>
end
Note: If you unset the buffer for a replacement message, it will be cleared.
<fortiguard_msg_type>
    FortiGuard replacement message type. See Table 14.
    No default.
buffer <message>
    Type a new replacement message to replace the current replacement message. Maximum length 8 192 characters.
    Default: depends on message type.
format <format>
    Set the format of the message, one of: html, text or none.
    Default: html
header <header_type>
    Set the format of the message header, one of: 8bit, http or none.
    Default: http
Table 14: FortiGuard Web Filtering replacement messages
ftgd-block
    Enable FortiGuard Web Filtering is enabled in a protection profile for HTTP or HTTPS, and FortiGuard Web Filtering blocks a web page. The blocked page is replaced with the ftgd-block web page.
http-err
    Provide details for blocked HTTP 4xx and 5xx errors is enabled in a protection profile for HTTP or HTTPS, and a web page is blocked. The blocked page is replaced with the http-err web page.
ftgd-ovrd
    Override selected filtering for a FortiGuard Web Filtering category is enabled and FortiGuard Web Filtering blocks a web page in this category. The FortiGate unit displays this web page. Using this web page users can authenticate to get access to the page. Go to UTM > Web Filter > Override to add override rules. For more information, see webfilter ftgd-ovrd on page 601.
    The %%OVRD_FORM%% tag provides the form used to initiate an override if FortiGuard Web Filtering blocks access to a web page. Do not remove this tag from the replacement message.
History
FortiOS v2.80 New
FortiOS v2.80 MR2 Changed cerb keyword to catblock.
FortiOS v3.0 IM category added. Changed fortiguard_wf to fortiguard-wf, ftgd_block to ftgd-block, ftgd_ovrd to ftgd-ovrd and http_err to http-err.
FortiOS v3.0 MR3 Replacement messages increased in size from 4 096 to 8 192 bytes per message.
Related Commands
webfilter
replacemsg ftp
The FortiGate unit sends the FTP replacement messages to FTP clients when an event occurs such as antivirus blocking a file that contains a virus in an FTP session.
By default, these are text-format messages with no header.
Syntax
config system replacemsg ftp <message-type>
    set buffer <message>
    set format <format>
    set header <header_type>
end
Note: If you unset the buffer for a replacement message, it will be cleared.
<message-type>
    FTP replacement message type. See Table 15.
    No default.
buffer <message>
    Type a new replacement message to replace the current replacement message. Maximum length 8 192 characters.
    Default: depends on message type.
format <format>
    Set the format of the message, one of: html, text or none.
    Default: text
header <header_type>
    Set the format of the message header, one of: 8bit, http or none.
    Default: none
Table 15: FTP replacement messages
ftp-dl-infected
    Antivirus Virus Scan is enabled for FTP in a protection profile, and it deletes an infected file being downloaded using FTP. The ftp-dl-infected message is sent to the FTP client.
ftp-dl-blocked
    Antivirus File Filter enabled for FTP in a protection profile blocks a file being downloaded using FTP that matches an entry in the selected file filter list and sends this message to the FTP client.
ftp-dl-filesize
    Antivirus Oversized File/Email set to Block for FTP in a protection profile blocks an oversized file from being downloaded using FTP and sends this message to the FTP client.
ftp-dl-dlp
    In a DLP sensor, a rule with action set to Block replaces a blocked FTP download with this message.
ftp-dl-dlp-ban
    In a DLP sensor, a rule with action set to Ban blocks an FTP session and displays this message. This message is displayed whenever the banned user attempts access until the user is removed from the banned user list.
Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.
Table 16: Replacement message tags
%%FILE%%
    The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.
%%VIRUS%%
    The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages.
%%QUARFILENAME%%
    The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. %%QUARFILENAME%% can be used in virus and file block messages. Quarantining is only available on FortiGate units with a local disk.
%%URL%%
    The URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in HTTP virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked.
%%PROTOCOL%%
    The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.
%%SOURCE_IP%%
    The IP address from which a virus was received. For email this is the IP address of the email server that sent the email containing the virus. For HTTP this is the IP address of the web page that sent the virus.
%%DEST_IP%%
    The IP address of the computer that would have received the blocked file. For email this is the IP address of the user's computer that attempted to download the message from which the file was removed.
Example
This example shows how to change the message sent when an FTP download is oversized.
config system replacemsg ftp ftp-dl-filesize
    set buffer "This file download was blocked because it is > 10MB."
end
History
FortiOS v2.80 New
FortiOS v3.0 MR3 Replacement messages increased in size from 4 096 to 8 192 bytes per message.
replacemsg http
Use this command to change default replacement messages added to web pages when the antivirus engine
blocks a file in an HTTP session because of a matching file pattern or because a virus is detected; or when web filter
blocks a web page.
The FortiGate unit sends the HTTP replacement messages listed to web browsers using the HTTP
protocol when an event occurs such as antivirus blocking a file that contains a virus in an HTTP session.
HTTP replacement messages are HTML pages.
If the FortiGate unit supports SSL content scanning and inspection and if Protocol Recognition > HTTPS
Content Filtering Mode in the web-manager is set to Deep Scan in the protection profile, these
replacement messages can also replace web pages downloaded using the HTTPS protocol.
Syntax
conf i g syst emr epl acemsg ht t p <message- t ype>
set buf f er <message>
set f or mat <f or mat >
set header <header _t ype>
end
Note: If you unset the buffer for a replacement message, it will be cleared.
Variable Description Default
<message- t ype> HTTP replacement message type. See Table 17. No default.
buf f er <message> Type a new replacement message to replace the current
replacement message. Maximum length 8 192 characters.
Depends on
message type.
f or mat <f or mat > Set the format of the message, one of:
ht ml
t ext
none
ht ml
header <header _t ype> Set the format of the message header, one of:
8bi t
ht t p
none
ht t p
Table 17: HTTP replacement message types
Message name            Description
http-virus              Antivirus Virus Scan is enabled for HTTP or HTTPS in a protection profile. It deletes
                        an infected file that is being downloaded using an HTTP GET and replaces the file
                        with the http-virus web page that is displayed by the client browser.
infcache-block          Client comforting is enabled in a protection profile and the FortiGate unit blocks a
                        URL added to the client comforting URL cache. It replaces the blocked URL with the
                        infcache-block web page. For more information about the client comforting URL
                        cache, see firewall policy, policy6 on page 121.
http-block              Antivirus File Filter is enabled for HTTP or HTTPS in a protection profile, and blocks
                        a file being downloaded using an HTTP GET that matches an entry in the selected
                        file filter list. The file is replaced with the http-block web page that is displayed
                        by the client browser.
http-filesize           Antivirus Oversized File/Email is set to Block for HTTP or HTTPS in a protection
                        profile, and blocks an oversized file being downloaded using an HTTP GET. The file
                        is replaced with the http-filesize web page that is displayed by the client browser.
http-dlp                In a DLP sensor, a rule with action set to Block replaces a blocked web page or file
                        with the http-dlp web page.
http-dlp-ban            In a DLP sensor, a rule with action set to Ban replaces a blocked web page or file
                        with the http-dlp-ban web page. This web page also replaces any additional web
                        pages or files that the banned user attempts to access until the user is removed
                        from the banned user list.
bannedword              Web content blocking is enabled in a protection profile, and blocks a web page
                        being downloaded with an HTTP GET that contains content matching an entry in
                        the selected Web Content Block list. The blocked page is replaced with the
                        bannedword web page.
url-block               Web URL filtering is enabled in a protection profile, and blocks a web page with a
                        URL that matches an entry in the selected URL Filter list. The blocked page is
                        replaced with the url-block web page.
http-client-block       Antivirus File Filter is enabled for HTTP or HTTPS in a protection profile, blocks a
                        file being uploaded by an HTTP POST that matches an entry in the selected file
                        filter list, and replaces it with the http-client-block web page that is displayed by
                        the client browser.
http-client-virus       Antivirus Virus Scan is enabled for HTTP or HTTPS in a protection profile, deletes
                        an infected file being uploaded using an HTTP PUT, and replaces the file with this
                        web page, which is displayed by the client browser.
http-client-filesize    In a protection profile, antivirus Oversized File/Email is set to Block for HTTP or
                        HTTPS, and an oversized file that is being uploaded with an HTTP PUT is blocked
                        and replaced with the http-client-filesize web page.
http-client-bannedword  Web content blocking enabled in a protection profile blocks a web page being
                        uploaded with an HTTP PUT that contains content that matches an entry in the
                        selected Web Content Block list. The client browser displays the
                        http-client-bannedword web page.
http-post-block         HTTP POST Action is set to Block in a protection profile and the FortiGate unit
                        blocks an HTTP POST and displays the http-post-block web page.
Replacement messages can include replacement message tags. When users receive the replacement
message, the replacement message tag is replaced with content relevant to the message.
Table 18: Replacement message tags
Tag                 Description
%%FILE%%            The name of a file that has been removed from a content stream. This could be a file
                    that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be
                    used in virus and file block messages.
%%VIRUS%%           The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can
                    be used in virus messages.
%%QUARFILENAME%%    The name of a file that has been removed from a content stream and added to the
                    quarantine. This could be a file that contained a virus or was blocked by antivirus file
                    blocking. %%QUARFILENAME%% can be used in virus and file block messages.
                    Quarantining is only available on FortiGate units with a local disk.
%%URL%%             The URL of a web page. This can be a web page that is blocked by web filter content
                    or URL blocking. %%URL%% can also be used in http virus and file block messages to
                    be the URL of the web page from which a user attempted to download a file that is
                    blocked.
%%PROTOCOL%%        The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected.
                    %%PROTOCOL%% is added to alert email virus messages.
%%SOURCE_IP%%       The IP address of the web page from which a virus was received.
%%DEST_IP%%         The IP address of the computer that would have received the blocked file. For email
                    this is the IP address of the user's computer that attempted to download the message
                    from which the file was removed.
system replacemsg http
FortiGate Version 4.0 CLI Reference
01-400-93051-20090415 429
http://docs.fortinet.com/ Feedback
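A checker and renderer for replacement message buffers, written for Table 18 and for the tag tables of the im, mail, nntp and spam sections that follow (an added example, not Fortinet code). It assumes the per-category tag sets those tables list and the 8 192 character buffer limit; HTML-escaping of the substituted values is the example's own precaution and is not a behaviour the page documents.

```python
import html
import re

# Tags each replacement message category may use, as listed in the tag tables
# of this reference (Table 18 for http; the im, mail, nntp and spam sections
# list their own subsets).
ALLOWED_TAGS = {
    "http": {"FILE", "VIRUS", "QUARFILENAME", "URL", "PROTOCOL", "SOURCE_IP", "DEST_IP"},
    "im": {"FILE", "VIRUS", "QUARFILENAME", "PROTOCOL", "SOURCE_IP", "DEST_IP"},
    "mail": {"FILE", "VIRUS", "QUARFILENAME", "PROTOCOL", "SOURCE_IP", "DEST_IP",
             "EMAIL_FROM", "EMAIL_TO"},
    "nntp": {"FILE", "QUARFILENAME", "VIRUS"},
    "spam": {"QUARFILENAME", "SOURCE_IP", "DEST_IP", "EMAIL_FROM", "EMAIL_TO"},
}
MAX_BUFFER = 8192  # maximum buffer length given in the Variable tables

WELL_FORMED = re.compile(r"%%([A-Z_]+)%%")
# Anything that looks like a tag but is not exactly %%NAME%% (a single leading
# %, a lower-case name) is never substituted and reaches the user literally.
TAG_LIKE = re.compile(r"%{1,2}[A-Za-z_]+%{1,2}")


def check_buffer(category, buffer):
    """Return a list of problems with a candidate 'set buffer' value; an empty
    list means it is within the limit and uses only tags the category defines."""
    if category not in ALLOWED_TAGS:
        return [f"unknown replacement message category: {category}"]
    problems = []
    if len(buffer) > MAX_BUFFER:
        problems.append(f"buffer is {len(buffer)} characters, limit is {MAX_BUFFER}")
    for name in sorted(set(WELL_FORMED.findall(buffer)) - ALLOWED_TAGS[category]):
        problems.append(f"tag %%{name}%% is not defined for {category} messages")
    for m in TAG_LIKE.finditer(buffer):
        if not WELL_FORMED.fullmatch(m.group(0)):
            problems.append(f"malformed tag {m.group(0)!r} will be shown literally")
    return problems


def render(category, buffer, values, fmt="html"):
    """Substitute the category's tags with the event values (keys are tag names
    without the %% delimiters); tags the category does not define are left as
    they are. For format html the values are HTML-escaped here because
    %%FILE%%, %%URL%% and %%VIRUS%% originate in the inspected content stream.
    This escaping is the example's own precaution; the page does not describe
    how the FortiGate unit itself treats the substituted values."""
    def substitute(match):
        name = match.group(1)
        if name not in ALLOWED_TAGS.get(category, set()):
            return match.group(0)
        text = str(values.get(name, ""))
        return html.escape(text, quote=True) if fmt == "html" else text
    return WELL_FORMED.sub(substitute, buffer)


# Constructed sample: a custom http-virus page and made-up event values.
SAMPLE_HTTP_VIRUS = (
    "<html><body><h2>Download blocked</h2>"
    "<p>File %%FILE%% from %%URL%% contains %%VIRUS%% "
    "(detected in %%PROTOCOL%%, source %%SOURCE_IP%%).</p></body></html>"
)
SAMPLE_EVENT = {
    "FILE": "setup&update<1>.exe",
    "URL": "http://downloads.example/setup.exe",
    "VIRUS": "EICAR_TEST_FILE",
    "PROTOCOL": "HTTP",
    "SOURCE_IP": "192.0.2.10",
}

if __name__ == "__main__":
    print(check_buffer("http", SAMPLE_HTTP_VIRUS))            # []
    print(check_buffer("spam", SAMPLE_HTTP_VIRUS))            # four tags not defined for spam
    print(check_buffer("nntp", "Destination IP: %DST_IP%%"))  # one malformed tag
    print(render("http", SAMPLE_HTTP_VIRUS, SAMPLE_EVENT))
```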
Example
This example shows how to change the message that replaces a web page blocked for banned words.
config system replacemsg http http-client-bannedword
    set buffer "This web page was blocked. It contains banned words."
end
History
FortiOS v2.80 New
FortiOS v3.0 MR2 Added infcache-block replacemsg.
FortiOS v3.0 MR3 Replacement messages increased in size from 4 096 to 8 192 bytes per message.
replacemsg im
Use this command to change default replacement messages added to instant messaging and peer-to-peer
sessions when either file-transfer or voice-chat is blocked.
By default, these are text messages with an 8-bit header.
Syntax
config system replacemsg im <message-type>
    set buffer <message>
    set format <format>
    set header <header_type>
end
Note: If you unset the buffer for a replacement message, it will be cleared.
Variable              Description                                                          Default
<message-type>        im replacement message type. See Table 19.                           No default.
buffer <message>      Type a new replacement message to replace the current                Depends on
                      replacement message. Maximum length 8 192 characters.                message type.
format <format>       Set the format of the message, one of: html, text, none.             text
header <header_type>  Set the format of the message header, one of: 8bit, http, none.      8bit
Table 19: Instant messaging (IM) and peer to peer (P2P) message types
Message name            Description
im-file-xfer-block      Antivirus File Filter enabled for IM in a protection profile deletes a file that matches
                        an entry in the selected file filter list and replaces it with this message.
im-file-xfer-name       Antivirus File Filter enabled for IM in a protection profile deletes a file with a name
                        that matches an entry in the selected file filter list and replaces it with this message.
im-file-xfer-infected   Antivirus Virus Scan enabled for IM in a protection profile deletes an infected file
                        and replaces the file with this message.
im-file-xfer-size       Antivirus Oversized File/Email set to Block for IM in a protection profile removes an
                        oversized file and replaces the file with this message.
im-dlp                  In a DLP sensor, a rule with action set to Block replaces a blocked IM or P2P
                        message with this message.
im-dlp-ban              In a DLP sensor, a rule with action set to Ban replaces a blocked IM or P2P
                        message with this message. This message also replaces any additional messages
                        that the banned user sends until they are removed from the banned user list.
im-voice-chat-block     In an Application Control list, the Block Audio option is selected for AIM, ICQ, MSN,
                        or Yahoo! and the application control list is added to a protection profile.
im-photo-share-block    In an Application Control list, the block-photo CLI keyword is enabled for MSN or
                        Yahoo! and the application control list is added to a protection profile. You enable
                        photo blocking from the CLI.
Replacement messages can include replacement message tags. When users receive the replacement
message, the replacement message tag is replaced with content relevant to the message.
Table 20: Replacement message tags
Tag                 Description
%%FILE%%            The name of a file that has been removed from a content stream. This could be a file
                    that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be
                    used in virus and file block messages.
%%VIRUS%%           The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can
                    be used in virus messages.
%%QUARFILENAME%%    The name of a file that has been removed from a content stream and added to the
                    quarantine. This could be a file that contained a virus or was blocked by antivirus file
                    blocking. %%QUARFILENAME%% can be used in virus and file block messages.
                    Quarantining is only available on FortiGate units with a local disk.
%%PROTOCOL%%        The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected.
                    %%PROTOCOL%% is added to alert email virus messages.
%%SOURCE_IP%%       The IP address from which a virus was received. For email this is the IP address of the
                    email server that sent the email containing the virus. For HTTP this is the IP address
                    of the web page that sent the virus.
%%DEST_IP%%         The IP address of the computer that would have received the blocked file. For email
                    this is the IP address of the user's computer that attempted to download the message
                    from which the file was removed.
Example
This example shows how to change the message added to instant messaging sessions when voice chat is
blocked.
config system replacemsg im im-voice-chat-block
    set buffer "Use of chat applications is not permitted."
end
History
FortiOS v2.80 New
FortiOS v3.0 IM category added.
FortiOS v3.0 MR3 Replacement messages increased in size from 4 096 to 8 192 bytes per message.
replacemsg mail
Use this command to change the default replacement messages added to email messages when the antivirus
engine blocks a file, either because of a matching file pattern or because a virus is detected, or when the
spam filter blocks an email.
By default, these are text messages with an 8-bit header.
Syntax
config system replacemsg mail <message-type>
    set buffer <message>
    set format <format>
    set header <header_type>
end
Note: If you unset the buffer for a replacement message, it will be cleared.
Variable              Description                                                          Default
<message-type>        mail replacement message type. See Table 21.                         No default.
buffer <message>      Type a new replacement message to replace the current                Depends on
                      replacement message. Maximum length 8 192 characters.                message type.
format <format>       Set the format of the message, one of: html, text, none.             text
header <header_type>  Set the format of the message header, one of: 8bit, http, none.      8bit
Table 21: mail message types
Message name           Description
email-virus            Antivirus Virus Scan is enabled for an email protocol in a protection profile. It deletes
                       an infected file from an email message and replaces the file with the email-virus
                       message.
email-block            The antivirus File Filter is enabled for an email protocol in a protection profile, and
                       deletes a file that matches an entry in the selected file filter list. The file is blocked and
                       the email is replaced with the email-block message.
email-filesize         When the antivirus Oversized File/Email is set to Block for an email protocol in a
                       protection profile and removes an oversized file from an email message, the file is
                       replaced with the email-filesize message.
partial                In a protection profile, antivirus Pass Fragmented Emails is not enabled, so a
                       fragmented email is blocked. The partial message replaces the first fragment of
                       the fragmented email.
email-dlp              In a DLP sensor, a rule with action set to Block replaces a blocked email message with
                       the email-dlp message.
email-dlp-subject      The email-dlp-subject message is added to the subject field of all email
                       messages replaced by the DLP sensor Block, Ban, Ban Sender, Quarantine IP
                       address, and Quarantine interface actions.
email-dlp-ban          In a DLP sensor, a rule with action set to Ban replaces a blocked email message with
                       this message. This message also replaces any additional email messages that the
                       banned user sends until they are removed from the banned user list.
email-dlp-ban-sender   In a DLP sensor, a rule with action set to Ban Sender replaces a blocked email
                       message with this message. The email-dlp-ban message also replaces any
                       additional email messages that the banned user sends until the user is removed from
                       the banned user list.
smtp-virus             Splice mode is enabled and the antivirus system detects a virus in an SMTP email
                       message. The FortiGate unit aborts the SMTP session and returns a 554 SMTP error
                       message to the sender that includes the smtp-virus replacement message.
smtp-block             Splice mode is enabled and the antivirus file filter deleted a file from an SMTP email
                       message. The FortiGate unit aborts the SMTP session and returns a 554 SMTP error
                       message to the sender that includes the smtp-block replacement message.
smtp-filesize          Splice mode is enabled and antivirus Oversized File/Email is set to Block. When the
                       FortiGate unit blocks an oversize SMTP email message, the FortiGate unit aborts the
                       SMTP session and returns a 554 SMTP error message to the sender that includes the
                       smtp-filesize replacement message.
Replacement messages can include replacement message tags. When users receive the replacement
message, the replacement message tag is replaced with content relevant to the message.
Table 22: Replacement message tags
Tag                 Description
%%FILE%%            The name of a file that has been removed from a content stream. This could be a file
                    that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be
                    used in virus and file block messages.
%%VIRUS%%           The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can
                    be used in virus messages.
%%QUARFILENAME%%    The name of a file that has been removed from a content stream and added to the
                    quarantine. This could be a file that contained a virus or was blocked by antivirus file
                    blocking. %%QUARFILENAME%% can be used in virus and file block messages.
                    Quarantining is only available on FortiGate units with a local disk.
%%PROTOCOL%%        The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected.
                    %%PROTOCOL%% is added to alert email virus messages.
%%SOURCE_IP%%       IP address of the email server that sent the email containing the virus.
%%DEST_IP%%         IP address of the user's computer that attempted to download the message from
                    which the file was removed.
%%EMAIL_FROM%%      The email address of the sender of the message from which the file was removed.
%%EMAIL_TO%%        The email address of the intended receiver of the message from which the file was
                    removed.
Example
This example shows how to change the email message that is sent to test the alert email system.
config system replacemsg mail email-virus
    set buffer "The attachment was blocked because it contains a virus."
end
History
FortiOS v2.80 New
FortiOS v3.0 MR3 Replacement messages increased in size from 4 096 to 8 192 bytes per message.
FortiOS v4.0 Added email-dlp, email-dlp-ban, email-dlp-ban-sender, and email-dlp-subject message types.
replacemsg nac-quar
Use this command to change the NAC quarantine pages displayed for data leak prevention (DLP), denial of
service (DoS), IPS, and virus detection.
These are HTML messages with HTTP headers.
Syntax
config system replacemsg nac-quar nac-quar_msg_type
    set buffer <message>
    set format <format>
    set header <header_type>
end
Note: If you unset the buffer for a replacement message, it will be cleared.
Variable              Description                                                          Default
nac-quar_msg_type     Replacement message type. See Table 23.                              No default
buffer <message>      Type a new replacement message to replace the current replacement    Depends on
                      message. Maximum length 8 192 characters.                            message type.
format <format>       Set the format of the message: html, text, none                      No default
header <header_type>  Set the format of the message header: 8bit, http, none               Depends on
                                                                                           message type.
Table 23: nac-quar message types
Message name     Description
nac-quar-virus   Antivirus Quarantine Virus Sender enabled in a protection profile adds a source IP address or
                 FortiGate interface to the banned user list. The FortiGate unit displays this replacement
                 message as a web page when the blocked user attempts to connect through the FortiGate unit
                 using HTTP on port 80 or when any user attempts to connect through a FortiGate interface
                 added to the banned user list using HTTP on port 80.
nac-quar-dos     For a DoS Sensor, the CLI quarantine option set to attacker or interface and the DoS
                 Sensor added to a DoS firewall policy adds a source IP, a destination IP, or FortiGate interface
                 to the banned user list. The FortiGate unit displays this replacement message as a web page
                 when the blocked user attempts to connect through the FortiGate unit using HTTP on port 80 or
                 when any user attempts to connect through a FortiGate interface added to the banned user list
                 using HTTP on port 80. This replacement message is not displayed if quarantine is set to
                 both.
nac-quar-ips     Quarantine Attackers enabled in an IPS sensor filter or override and the IPS sensor added to a
                 protection profile adds a source IP address, a destination IP address, or a FortiGate interface
                 to the banned user list. The FortiGate unit displays this replacement message as a web page
                 when the blocked user attempts to connect through the FortiGate unit using HTTP on port 80 or
                 when any user attempts to connect through a FortiGate interface added to the banned user list
                 using HTTP on port 80. This replacement message is not displayed if method is set to Attacker
                 and Victim IP Address.
nac-quar-dlp     Action set to Quarantine IP address or Quarantine Interface in a DLP sensor and the DLP
                 sensor added to a protection profile adds a source IP address or a FortiGate interface to the
                 banned user list. The FortiGate unit displays this replacement message as a web page when
                 the blocked user attempts to connect through the FortiGate unit using HTTP on port 80 or when
                 any user attempts to connect through a FortiGate interface added to the banned user list using
                 HTTP on port 80.
History
FortiOS v4.0 nac-quar category added.
replacemsg nntp
Use this command to change the Network News Transfer Protocol (NNTP) download pages, including:
NNTP download blocked
NNTP download filesize error
NNTP download infected
These are HTML messages with HTTP headers.
Syntax
config system replacemsg nntp auth_msg_type
    set buffer <message>
    set format <format>
    set header <header_type>
end
Note: If you unset the buffer for a replacement message, it will be cleared.
Variable              Description                                                          Default
auth_msg_type         NNTP replacement message type. One of:                               No default
                      nntp-dl-blocked    A file being downloaded has been blocked, and
                                         quarantined.
                      nntp-dl-filesize   The article is larger than the configured size limit.
                      nntp-dl-infected   An attached file has had a virus detected in it.
                                         The file has been quarantined.
buffer <message>      Type a new replacement message to replace the current replacement    Depends on
                      message. Maximum length 8 192 characters.                            message type.
format <format>       Set the format of the message: html, text, none                      No default
header <header_type>  Set the format of the message header: 8bit, http, none               Depends on
                                                                                           message type.
Table 24: Network News Transfer Protocol (NNTP) message types
Message name       Description
nntp-dl-infected   Antivirus Virus Scan is enabled for NNTP in a protection profile that deletes an infected file
                   attached to an NNTP message and sends the nntp-dl-infected message to the FTP
                   client.
nntp-dl-blocked    Antivirus File Filter is enabled for NNTP in a protection profile, and blocks a file attached to
                   an NNTP message that matches an entry in the selected file filter list. The FortiGate unit
                   sends the nntp-dl-blocked message to the FTP client.
nntp-dl-filesize   Antivirus Oversized File/Email is set to Block for NNTP in a protection profile. The FortiGate
                   unit removes an oversized file from an NNTP message and replaces the file with the
                   nntp-dl-filesize message.
nntp-dlp           In a DLP sensor, a rule with action set to Block replaces a blocked NNTP message with the
                   nntp-dlp message.
nntp-dlp-subject   The nntp-dlp-subject message is added to the subject field of all NNTP messages
                   replaced by the DLP sensor Block, Ban, Quarantine IP address, and Quarantine interface
                   actions.
nntp-dlp-ban       In a DLP sensor, a rule with action set to Ban replaces a blocked NNTP message with this
                   message. The nntp-dlp-ban message also replaces any additional NNTP messages
                   that the banned user sends until they are removed from the banned user list.
Replacement messages can include replacement message tags. When users receive the replacement
message, the replacement message tag is replaced with content relevant to the message.
Table 25: Replacement message tags
Tag                 Description
%%FILE%%            The name of a file that has been removed from a content stream. This could be a file
                    that contained a virus or was blocked by antivirus file blocking. The file may have been
                    quarantined if a virus was detected. %%FILE%% can be used in virus and file block
                    messages.
%%QUARFILENAME%%    The name of a file that has been removed from a content stream and added to the
                    quarantine. This could be a file that contained a virus or was blocked by antivirus file
                    blocking. %%QUARFILENAME%% can be used in virus and file block messages.
                    Quarantining is only available on FortiGate units with a local disk.
%%VIRUS%%           The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can
                    be used in virus messages.
Example
The default message for a detected virus is:
Virus/Worm detected: %%VIRUS%% Protocol: %%PROTOCOL%% Source IP: %%SOURCE_IP%%
Destination IP: %DST_IP%% Email Address From: %%EMAIL_FROM%% Email Address To:
%%EMAIL_TO%%
History
FortiOS v3.0 MR4 New command.
replacemsg spam
The FortiGate unit adds the spam replacement messages listed in Table 26 to SMTP server responses if the
email message is identified as spam and the spam action is discard. If the FortiGate unit supports SSL
content scanning and inspection, these replacement messages can also be added to SMTPS server
responses.
By default, these are text messages with an 8-bit header.
Syntax
config system replacemsg spam <message-type>
    set buffer <message>
    set format <format>
    set header <header_type>
end
Note: If you unset the buffer for a replacement message, it will be cleared.
Variable              Description                                                          Default
<message-type>        spam replacement message type. See Table 26.                         No default.
buffer <message>      Type a new replacement message to replace the current                Depends on
                      replacement message. Maximum length 8 192 characters.                message type.
format <format>       Set the format of the message, one of: html, text, none.             text
header <header_type>  Set the format of the message header, one of: 8bit, http, none.      8bit
Table 26: spam message types
Message name            Description
ipblocklist             Spam Filtering IP address BWL check enabled for an email protocol in a protection
                        profile identifies an email message as spam and adds this replacement message.
smtp-spam-dnsbl         From the CLI, spamrbl enabled for an email protocol in a protection profile
                        identifies an email message as spam and adds this replacement message.
smtp-spam-helo          Spam Filtering HELO DNS lookup enabled for SMTP in a protection profile
                        identifies an email message as spam and adds this replacement message. HELO
                        DNS lookup is not available for SMTPS.
smtp-spam-emailblack    The spam filter email address blacklist marked an email as spam. The
                        smtp-spam-emailblack message replaces the email.
smtp-spam-mimeheader    From the CLI, spamhdrcheck enabled for an email protocol in a protection profile
                        identifies an email message as spam and adds this replacement message.
reversedns              Spam Filtering Return e-mail DNS check enabled for an email protocol in a
                        protection profile identifies an email message as spam and adds this replacement
                        message.
smtp-spam-bannedword    Spam Filtering Banned word check enabled for an email protocol in a protection
                        profile identifies an email message as spam and adds this replacement message.
submit                  Any Spam Filtering option enabled for an email protocol in a protection profile
                        identifies an email message as spam and adds this replacement message. Spam
                        Filtering adds this message to all email tagged as spam. The message describes a
                        button that the recipient of the message can select to submit the email signatures to
                        the FortiGuard Antispam service if the email was incorrectly tagged as spam (a
                        false positive).
smtp-spam-ase           The FortiGuard Antispam Engine (ASE) reports this message as spam.
smtp-spam-feip          FortiGuard Antispam IP address checking identifies an email message as spam
                        and adds this replacement message to the server response.
Replacement messages can include replacement message tags. When users receive the replacement
message, the replacement message tag is replaced with content relevant to the message.
Table 27: Replacement message tags
Tag                 Description
%%QUARFILENAME%%    The name of a file that has been removed from a content stream and added to the
                    quarantine. This could be a file that contained a virus or was blocked by antivirus file
                    blocking. %%QUARFILENAME%% can be used in virus and file block messages.
                    Quarantining is only available on FortiGate units with a local disk.
%%SOURCE_IP%%       The IP address from which a virus was received. For email this is the IP address of the
                    email server that sent the email containing the virus. For HTTP this is the IP address
                    of the web page that sent the virus.
%%DEST_IP%%         The IP address of the computer that would have received the blocked file. For email
                    this is the IP address of the user's computer that attempted to download the message
                    from which the file was removed.
%%EMAIL_FROM%%      The email address of the sender of the message from which the file was removed.
%%EMAIL_TO%%        The email address of the intended receiver of the message from which the file was
                    removed.
Example
This example shows how to change the message added to SMTP mail that the spam filter has blocked.
config system replacemsg spam ipblocklist
    set buffer "This email was blocked as spam."
end
History
FortiOS v2.80 New
FortiOS v3.0 MR2 Added smtp-spam-fschksum replacement message.
FortiOS v3.0 MR3 Replacement messages increased in size from 4 096 to 8 192 bytes per message.
FortiOS v4.0 Added smtp-spam-ase and smtp-spam-dnsbl replacement messages.
replacemsg sslvpn
The SSL VPN login replacement message is an HTML replacement message that formats the FortiGate
SSL VPN portal login page. You can customize this replacement message according to your organization's
needs. The page is linked to FortiGate functionality and you must construct it according to the following
guidelines to ensure that it will work.
This is an HTML message with an HTTP header.
Syntax
config system replacemsg sslvpn sslvpn-login
    set buffer <message>
    set format <format>
    set header <header_type>
end
Note: If you unset the buffer for a replacement message, it will be cleared.
Variable              Description                                                          Default
buffer <message>      Type a new replacement message to replace the current                Depends on
                      replacement message. Maximum length 8 192 characters.                message type.
format <format>       Set the format of the message: html, text, none                      No default
header <header_type>  Set the format of the message header: 8bit, http, none               Depends on
                                                                                           message type.
Replacement messages can include replacement message tags. When users receive the replacement
message, the replacement message tag is replaced with content relevant to the message.
Requirements for login page
The SSL login page is linked to FortiGate functionality and you must construct it according to the following
guidelines to ensure that it will work.
The login page must be an HTML page containing a form with ACTION="%%SSL_ACT%%" and
METHOD="%%SSL_METHOD%%".
The form must contain the %%SSL_LOGIN%% tag to provide the logon form.
The form must contain the %%SSL_HIDDEN%% tag.
History
FortiOS v3.0 sslvpn replacemsg category added.
FortiOS v3.0 MR3 Replacement messages increased in size from 4 096 to 8 192 bytes per message.
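A checker for the login page requirements above, to run over a candidate sslvpn-login buffer before it is set (an added example, not Fortinet code). It assumes only the four guideline tags and the 8 192 character buffer limit; the sample pages are constructed and are not Fortinet's default page.

```python
from html.parser import HTMLParser

MAX_BUFFER = 8192  # buffer limit from the Variable table above
REQUIRED_ACTION = "%%SSL_ACT%%"
REQUIRED_METHOD = "%%SSL_METHOD%%"
REQUIRED_TAGS = ("%%SSL_LOGIN%%", "%%SSL_HIDDEN%%")


class _FormScanner(HTMLParser):
    """Record each <form>'s action/method attributes and the text inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            # HTMLParser lower-cases attribute names, so ACTION= and action= both land here.
            self._current = {"action": a.get("action"), "method": a.get("method"), "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def check_sslvpn_login_page(page):
    """Return the list of guideline violations for a candidate sslvpn-login
    buffer; an empty list means the page meets all of them."""
    problems = []
    if len(page) > MAX_BUFFER:
        problems.append(f"buffer is {len(page)} characters, limit is {MAX_BUFFER}")
    scanner = _FormScanner()
    scanner.feed(page)
    scanner.close()
    if not scanner.forms:
        return problems + ["page contains no <form>"]
    # The page passes if any one form satisfies every requirement.
    per_form = []
    for i, form in enumerate(scanner.forms, 1):
        issues = []
        if form["action"] != REQUIRED_ACTION:
            issues.append(f'form {i}: ACTION is {form["action"]!r}, must be "{REQUIRED_ACTION}"')
        if form["method"] != REQUIRED_METHOD:
            issues.append(f'form {i}: METHOD is {form["method"]!r}, must be "{REQUIRED_METHOD}"')
        for tag in REQUIRED_TAGS:
            if tag not in form["text"]:
                issues.append(f"form {i}: missing {tag} tag inside the form")
        if not issues:
            return problems
        per_form.extend(issues)
    return problems + per_form


# Constructed samples (not Fortinet's default page).
GOOD_PAGE = """<html><body>
<h1>Remote access</h1>
<form ACTION="%%SSL_ACT%%" METHOD="%%SSL_METHOD%%">
%%SSL_LOGIN%%
%%SSL_HIDDEN%%
</form></body></html>"""

# Hard-coded action and method, and no %%SSL_HIDDEN%% tag: the portal cannot
# wire this form to its login handler.
BAD_PAGE = """<html><body>
<form action="/login" method="post">
%%SSL_LOGIN%%
</form></body></html>"""

if __name__ == "__main__":
    print(check_sslvpn_login_page(GOOD_PAGE))   # []
    for problem in check_sslvpn_login_page(BAD_PAGE):
        print(problem)
```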
resource-limits
Use this command to set limits on the global system resources, and customize limits for particular
resources. For example, you could restrict firewall-related limits to enable you to increase the number of
IPSec tunnels.
Typically this command is used in conjunction with vdom-property, which sets the resource limits per
VDOM including a maximum value and a guaranteed minimum value.
This command is available only when VDOMs are enabled.
Syntax
config global
    config system resource-limits
        set session <sess_num>
        set ipsec-phase1 <tunn_num>
        set ipsec-phase2 <tunn_num>
        set dialup-tunnel <tunn_num>
        set firewall-policy <pol_num>
        set firewall-profile <prof_num>
        set firewall-address <addr_num>
        set firewall-addrgrp <group_num>
        set custom-service <srvc_num>
        set service-group <group_num>
        set onetime-schedule <sched_num>
        set recurring-schedule <sched_num>
        set user <user_num>
        set user-group <group_num>
    end
Note: The resource limits vary for different FortiGate models. The resources are also increased when
FortiGate units are in HA mode, due to the increased shared resources that are available.
Variables                       Description                                               Default
session <sess_num>              Enter the maximum number of sessions.                     0
ipsec-phase1 <tunn_num>         Enter the maximum number of IPSec phase1 tunnels.         6000
ipsec-phase2 <tunn_num>         Enter the maximum number of IPSec phase2 tunnels.         6000
dialup-tunnel <tunn_num>        Enter the maximum number of dialup-tunnels.               0
firewall-policy <pol_num>       Enter the maximum number of firewall policies.            40000
firewall-profile <prof_num>     Enter the maximum number of firewall profiles.            1000
firewall-address <addr_num>     Enter the maximum number of firewall addresses.           12000
firewall-addrgrp <group_num>    Enter the maximum number of firewall address groups.      2500
custom-service <srvc_num>       Enter the maximum number of firewall custom services.     2048
service-group <group_num>       Enter the maximum number of firewall service groups.      1000
onetime-schedule <sched_num>    Enter the maximum number of onetime schedules.            512
recurring-schedule <sched_num>  Enter the maximum number of recurring schedules.          512
user <user_num>                 Enter the maximum number of users.                        2000
user-group <group_num>          Enter the maximum number of user groups.                  200
History
FortiOS v4.0 New.
Related Commands
system vdom-property
session-helper
A session helper binds a service to a TCP or UDP port. By default, there are session helpers that bind
services to standard ports. Use this command to configure a new session helper or to edit an existing one.
Syntax
config system session-helper
    edit <helper-number>
        set name <helper-name>
        set port <port_number>
        set protocol <protocol_number>
    end
Example
Use the following commands to edit the file transfer protocol (FTP) and change it to port 111, but remain as
protocol 6:
config system session-helper
    edit 8
        set name ftp
        set port 111
        set protocol 6
    end
Table 28: Services, ports, and protocols
1  pptp     port 1723  protocol 6
2  h323     port 1720  protocol 6
3  ras      port 1719  protocol 17
4  tns      port 1521  protocol 6
5  tftp     port 69    protocol 17
6  rtsp     port 23    protocol 6
7  rtsp     port 25    protocol 6
8  ftp      port 21    protocol 6
9  rtsp     port 554   protocol 6
10 rtsp     port 7070  protocol 6
11 pmap     port 111   protocol 17
12 sip      port 5060  protocol 17
13 dns-udp  port 53    protocol 17
14 rsh      port 514   protocol 6
15 rsh      port 512   protocol 6
16 dcerpc   port 135   protocol 6
17 dcerpc   port 135   protocol 17
18 mgcp     port 2427  protocol 17
19 mgcp     port 2727  protocol 17
Keywords and variables Description Default
edit <helper-number>
    Enter the number of the session-helper that you want to edit, or enter an unused number to create a new session-helper.
    No default.
name <helper-name>
    The name of the session helper. One of: dns-tcp, dns-udp, ftp, h245I, h245O, h323, ident, mms, pmap, pptp, ras, rtsp, sip, tftp, tns.
    No default.
port <port_number>
    Enter the port number to use for this protocol.
    No default.
protocol <protocol_number>
    The protocol number for this service, as defined in RFC 1700.
    No default.
History
FortiOS v2.80 New
FortiOS v3.0 Changed dns_tcp to dns-tcp and dns_udp to dns-udp.
session-sync
Use this command to configure TCP session synchronization between two standalone FortiGate units. You
can use this feature with external routers or load balancers configured to distribute or load balance TCP
sessions between two peer FortiGate units. If one of the peers fails, session failover occurs and active
TCP sessions fail over to the peer that is still operating. This failover occurs without any loss of data. As
well, the external routers or load balancers will detect the failover and re-distribute all sessions to the peer
that is still operating.
Standalone session synchronization can be used instead of HA to provide TCP session synchronization
between two peer FortiGate units. If the external load balancers direct all sessions to one peer, the effect is
similar to active-passive HA. If external load balancers or routers load balance traffic to both peers, the
effect is similar to active-active HA. The load balancers should be configured so that all of the packets for
any given session are processed by the same peer. This includes return packets.
Figure 3: Standalone session synchronization
Note: TCP session synchronization between two standalone FortiGate units is also sometimes called standalone
session synchronization or session synchronization between non-HA FortiGate units.
Note: You cannot configure standalone session synchronization when HA is enabled.
(Figure 3 diagram: a router or load balancer on the Internet side, two FortiGate peers joined by a session synchronization link, and a router or load balancer on the internal network side.)
By default, standalone session synchronization synchronizes all TCP sessions. You can optionally add
filters to a configuration to control which TCP sessions are synchronized. You can add filters to only
synchronize packets from specified source and destination addresses, specified source and destination
interfaces, and specified predefined firewall TCP services.
Unlike HA, standalone session synchronization does not include configuration synchronization. In fact, the
configuration of the two peers is not identical because in most cases the peers would have different IP
addresses. Also unlike HA, load balancing is done by external routers or load balancers. The FortiGate
units only perform session synchronization and session failover.
Notes and limitations
Standalone session synchronization has the following limitations:
• Only TCP sessions accepted by firewall policies are synchronized. Due to their non-stateful nature, UDP and ICMP sessions do not need to be synchronized to fail over naturally.
• Standalone session synchronization is a global configuration option. As a result you can only add one predefined firewall TCP service to a filter configuration. You cannot add custom services or service groups even if virtual domains are not enabled.
• You can only add one filter configuration to a given standalone session synchronization configuration. However, you can add multiple filters by adding multiple identical standalone session synchronization configurations, each one with a different filter configuration.
• Sessions accepted by firewall policies that contain protection profiles are not synchronized.
• Sessions that include network address translation (NAT) applied by selecting NAT in firewall policies are not synchronized because the address translation binds to a FortiGate unit address and the peers have different IP addresses.
• Session synchronization is a CLI only configuration.
• Session synchronization is available for FortiGate units or virtual domains operating in NAT/Route or Transparent mode. NAT sessions are not synchronized in either mode. In NAT/Route mode, only sessions for route mode firewall policies are synchronized. In Transparent mode, only sessions for normal Transparent mode policies are synchronized.
• Session synchronization cannot be asymmetric. Session synchronization is stateful, so all of the packets of a given session must be processed on the same peer. This includes return packets. You must configure the load balancers so that they do not cause asymmetric routing.
• Session synchronization is supported for traffic on physical interfaces, VLAN interfaces, zones, and aggregate interfaces. Session synchronization has not been tested for inter-vdom links, accelerated interfaces (FA2 and NP2), between HA clusters, and for redundant interfaces.
• The names of the matching interfaces, including VLAN interfaces, aggregate interfaces and so on, must be the same on both peers.
Configuring session synchronization
You configure session synchronization for each virtual domain to be synchronized. If virtual domain
configuration is not enabled, you configure session synchronization for the root virtual domain. When
virtual domain configuration is enabled and you have added virtual domains, you configure session
synchronization for each virtual domain to be synchronized. You don't have to synchronize all of the virtual
domains.
You must configure session synchronization on both peers. The session synchronization configurations of
each peer should complement the other. In fact you can manage and configure both peers as separate
FortiGate units. Using FortiManager, you can manage both peers as two separate FortiGate devices.
On each peer, configuring session synchronization consists of selecting the virtual domains to be
synchronized using the syncvd keyword, selecting the virtual domain on the other peer that receives the
synchronization packets using the peervd keyword, and setting the IP address of the interface in the peer unit
that receives the synchronization packets using the peerip keyword. The interface with the peerip must
be in the peervd virtual domain.
The syncvd and peervd settings must be the same on both peers. However, the peerip settings will be
different because the peerip setting on the first peer includes the IP address of an interface on the
second peer, and the peerip setting on the second peer includes the IP address of an interface on the
first peer.
Because session synchronization does not synchronize FortiGate configuration settings you must
configure both peers separately. For session synchronization to work properly all session synchronized
virtual domains must be added to both peers. The names of the matching interfaces in each virtual domain
must also be the same; this includes the names of matching VLAN interfaces. Note that the index numbers
of the matching interfaces and VLAN interfaces can be different. Also the VLAN IDs of the matching VLAN
interfaces can be different.
As well, the session synchronized virtual domains should have the same firewall policies so that sessions
can be resumed after a failover using the same firewall policies.
For a configuration example, see Basic example configuration on page 450.
Configuring the session synchronization link
When session synchronization is operating, the peers share session information over an Ethernet link
between the peers similar to an HA heartbeat link. Usually you would use the same interface on each peer
for session synchronization. You should connect the session synchronization interfaces directly without
using a switch or other networking equipment. If possible use a crossover cable for the session
synchronization link. For FortiGate-5000 systems you can use a backplane interface as the session
synchronization link.
You can use different interfaces on each peer for session synchronization links. Also, if you have multiple
session synchronization configurations, you can have multiple session synchronization links between the
peers. In fact, if you are synchronizing a lot of sessions, you may want to configure and connect multiple
session synchronization links to distribute session synchronization traffic across them.
You cannot configure backup session synchronization links. Each configuration only includes one session
synchronization link.
The session synchronization link should always be maintained. If session synchronization communication
is interrupted and a failure occurs, sessions will not failover and data could be lost.
Session synchronization traffic can use a considerable amount of network bandwidth. If possible, session
synchronization link interfaces should only be used for session synchronization traffic and not for data
traffic.
Syntax
config system session-sync
    edit <sync_id>
        set peerip <peer_ipv4>
        set peervd <vd_name>
        set syncvd <vd_name>
        config filter
            set dstaddr <dist_ip_ipv4> <dist_mask_ipv4>
            set dstintf <interface_name>
            set service <string>
            set srcaddr <string>
            set srcintf <interface_name>
        end
    end
Variables Description Default
<sync_id>
    Enter the unique ID number for the session synchronization configuration to edit. The session synchronization configuration ID can be any number between 1 and 200. The session synchronization configuration IDs of the peers do not have to match.
    No default.
peerip <peer_ipv4>
    Enter the IP address of the interface on the peer unit that is used for the session synchronization link.
    Default: 0.0.0.0
peervd <vd_name>
    Enter the name of the virtual domain that contains the session synchronization link interface on the peer unit. Usually both peers would have the same peervd. Multiple session synchronization configurations can use the same peervd.
    Default: root
syncvd <vd_name>
    Enter the names of one or more virtual domains so that the sessions processed by these virtual domains are synchronized using this session synchronization configuration.
config filter
    Add a filter to a standalone session synchronization configuration. You can add a filter if you want to only synchronize some TCP sessions. Using a filter you can configure synchronization to only synchronize sessions according to source and destination address, source and destination interface, and predefined firewall TCP service. You can only add one filter to a standalone session synchronization configuration.
dstaddr <dist_ip_ipv4> <dist_mask_ipv4>
    Enter the destination IP address and netmask of the sessions to synchronize. You can use <dist_ip_ipv4> and <dist_mask_ipv4> to specify a single IP address or a range of IP addresses. The default IP address and netmask of 0.0.0.0 and 0.0.0.0 synchronizes sessions for all destination addresses. If you want to specify multiple IP addresses or address ranges you can add multiple standalone session synchronization configurations.
    Default: 0.0.0.0 0.0.0.0
dstintf <interface_name>
    Enter the name of a FortiGate interface (this can be any interface including a VLAN interface, aggregate interface, redundant interface, virtual SSL VPN interface, or inter-VDOM link interface). Only sessions destined for this interface are synchronized. You can only enter one interface name. If you want to synchronize sessions for multiple interfaces you can add multiple standalone session synchronization configurations. The default dstintf setting synchronizes sessions for all interfaces.
    Default: (null)
service <string>
    Enter the name of a FortiGate firewall predefined service. Only sessions that use this predefined service are synchronized. You can only enter one predefined service name. If you want to synchronize sessions for multiple services you can add multiple standalone session synchronization configurations.
    Default: (null)
srcaddr <string>
    Enter the source IP address and netmask of the sessions to synchronize. You can use <dist_ip_ipv4> and <dist_mask_ipv4> to specify a single IP address or a range of IP addresses. The default IP address and netmask of 0.0.0.0 and 0.0.0.0 synchronizes sessions for all source addresses. If you want to specify multiple IP addresses or address ranges you can add multiple standalone session synchronization configurations.
    Default: 0.0.0.0 0.0.0.0
srcintf <interface_name>
    Enter the name of a FortiGate interface (this can be any interface including a VLAN interface, aggregate interface, redundant interface, virtual SSL VPN interface, or inter-VDOM link interface). Only sessions from this interface are synchronized. You can only enter one interface name. If you want to synchronize sessions for multiple interfaces you can add multiple standalone session synchronization configurations. The default srcintf setting synchronizes sessions for all interfaces.
    Default: (null)
Basic example configuration
The following configuration example shows how to configure a basic session synchronization configuration
for two peer FortiGate units shown in Figure 4 on page 450. The host names of peers are peer_1 and
peer_2. Both peers are configured with two virtual domains: root and vdom_1. All sessions processed by
vdom_1 are synchronized. The synchronization link interface is port3 which is in the root virtual domain.
The IP address of port3 on peer_1 is 10.10.10.1. The IP address of port3 on peer_2 is 10.10.10.2.
Also on both peers, port1 and port2 are added to vdom_1. On peer_1 the IP address of port1 is set to
192.168.20.1 and the IP address of port2 is set to 172.110.20.1. On peer_2 the IP address of port1 is set to
192.168.20.2 and the IP address of port2 is set to 172.110.20.2.
Figure 4: Example standalone session synchronization network configuration
(Figure 4 diagram: a router or load balancer on the Internet side and one on the internal network side; Peer_1 and Peer_2 each have port1 and port2 in Vdom_1 and port3 in root, with port3 at 10.10.10.1 on Peer_1 and 10.10.10.2 on Peer_2, joined by the session synchronization link.)
Configuration steps
1 Configure the load balancer or router to send all sessions to peer_1.
2 Configure the load balancer or router to send all traffic to peer_2 if peer_1 fails.
3 Use normal FortiGate configuration steps on peer_1:
  • Enable virtual domain configuration.
  • Add the vdom_1 virtual domain.
  • Add port1 and port2 to the vdom_1 virtual domain and configure these interfaces.
  • Set the IP address of port1 to 192.168.20.1.
  • Set the IP address of port2 to 172.110.20.1.
  • Set the IP address of port3 to 10.10.10.1.
  • Add route mode firewall policies between port1 and port2 to vdom_1.
4 Enter the following commands to configure session synchronization for peer_1:
config system session-sync
    edit 1
        set peerip 10.10.10.2
        set peervd root
        set syncvd vdom_1
    end
5 Use normal FortiGate configuration steps on peer_2:
  • Enable virtual domain configuration.
  • Add the vdom_1 virtual domain.
  • Add port1 and port2 to the vdom_1 virtual domain and configure these interfaces.
  • Set the IP address of port1 to 192.168.20.2.
  • Set the IP address of port2 to 172.110.20.2.
  • Set the IP address of port3 to 10.10.10.2.
  • Add route mode firewall policies between port1 and port2 to vdom_1.
6 Enter the following commands to configure session synchronization for peer_2:
config system session-sync
    edit 1
        set peerip 10.10.10.1
        set peervd root
        set syncvd vdom_1
    end
Adding a filter
You can add a filter to this basic configuration if you only want to synchronize some TCP sessions. For
example, you can enter the following commands on both FortiGate units to edit the standalone session
synchronization configurations and add a filter so that only HTTP sessions are synchronized:
config system session-sync
    edit 1
        config filter
            set service HTTP
        end
    end
History
FortiOS v3.0 MR6 The command config system session-sync is new for FortiOS v3.0 MR6.
FortiOS v3.0 MR7 The config filter command and associated keywords (dstaddr, dstintf, service, srcaddr, and srcintf) are now available for MR7.
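The rules this section states for a pair of peers (syncvd and peervd identical on both units, each peerip being the address of an interface inside the other unit's peervd, and every synchronized VDOM present on both units with the same interface names) can be checked mechanically before the units are put in service. The following is an added example, not Fortinet's code or a FortiGate feature: each peer is described by a plain dict whose layout is an assumption of the example, and the sample values are those of the basic example configuration above.

```python
"""Check that two standalone session-sync configurations complement each other.

Added example, not Fortinet's code. Each peer is a plain dict (a layout
assumed for this example) holding the page's keywords peerip, peervd and
syncvd plus the interface addresses in each VDOM; the sample values are
those of the basic example configuration on this page.
"""

from ipaddress import ip_address


def example_peers():
    """peer_1 and peer_2 from the basic example, as constructed input."""
    peer_1 = {
        "hostname": "peer_1",
        "vdoms": {
            "root": {"port3": "10.10.10.1"},
            "vdom_1": {"port1": "192.168.20.1", "port2": "172.110.20.1"},
        },
        "session_sync": {"peerip": "10.10.10.2", "peervd": "root", "syncvd": ["vdom_1"]},
    }
    peer_2 = {
        "hostname": "peer_2",
        "vdoms": {
            "root": {"port3": "10.10.10.2"},
            "vdom_1": {"port1": "192.168.20.2", "port2": "172.110.20.2"},
        },
        "session_sync": {"peerip": "10.10.10.1", "peervd": "root", "syncvd": ["vdom_1"]},
    }
    return peer_1, peer_2


def check_session_sync_pair(peer_a, peer_b):
    """Return the rule violations found; an empty list means the pair is consistent."""
    problems = []
    sync_a, sync_b = peer_a["session_sync"], peer_b["session_sync"]

    # syncvd and peervd must be the same on both peers.
    if sync_a["syncvd"] != sync_b["syncvd"]:
        problems.append("syncvd differs between peers")
    if sync_a["peervd"] != sync_b["peervd"]:
        problems.append("peervd differs between peers")

    # Every synchronized VDOM must exist on both peers with identically named
    # interfaces; index numbers and VLAN IDs may differ, so only names are compared.
    for vd in sync_a["syncvd"]:
        ifaces_a, ifaces_b = peer_a["vdoms"].get(vd), peer_b["vdoms"].get(vd)
        if ifaces_a is None or ifaces_b is None:
            problems.append(f"VDOM {vd} is not configured on both peers")
        elif set(ifaces_a) != set(ifaces_b):
            problems.append(f"VDOM {vd}: interface names differ between peers")

    # Each peer's peerip must be an interface address inside the other peer's
    # peervd, because that is the VDOM that receives the synchronization packets.
    for local, remote in ((peer_a, peer_b), (peer_b, peer_a)):
        sync = local["session_sync"]
        remote_addrs = {ip_address(a) for a in remote["vdoms"].get(sync["peervd"], {}).values()}
        if ip_address(sync["peerip"]) not in remote_addrs:
            problems.append(
                f"{local['hostname']}: peerip {sync['peerip']} is not an interface address "
                f"in VDOM {sync['peervd']} on {remote['hostname']}"
            )
    return problems


def mistyped_peers():
    """Same pair, but port3 on peer_2 wrongly given peer_1's address (constructed fault)."""
    peer_1, peer_2 = example_peers()
    peer_2["vdoms"]["root"]["port3"] = "10.10.10.1"
    return peer_1, peer_2


if __name__ == "__main__":
    print("basic example:", check_session_sync_pair(*example_peers()))
    print("mistyped port3:", check_session_sync_pair(*mistyped_peers()))
```

The directional peerip rule is the one that is easiest to get wrong when the two units are configured separately, which is why the mistyped pair reproduces exactly that fault: peer_1 still points at 10.10.10.2, but no interface in peer_2's root VDOM carries that address any more, so sessions would never reach the peer.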
session-ttl
Use this command to increase or decrease the length of time a TCP session can be idle before being
dropped. You can set the general default timeout or set the timeout for a specific port.
Syntax
config system session-ttl
    set default <seconds>
    config port
        edit <port_number>
            set timeout {<seconds> | never}
        end
    end
Examples
The following command increases the default session timeout:
config system session-ttl
    set default 62000
end
Use the following command to change the session timeout for SSH on port 22 to 3600 seconds.
config system session-ttl
    config port
        edit 22
            set timeout 3600
        end
    end
Variables Description Default
default <seconds>
    Enter the default session timeout in seconds. The valid range is from 300 - 604800 seconds.
    Default: 3600
edit <port_number>
    Enter the port number for the TCP session.
    Default: None.
timeout {<seconds> | never}
    Enter the number of seconds the session can be idle for on this port. The valid range is from 300 - 604800 seconds. Optionally you can select never instead of specifying the number of seconds.
    Default: 300
Note: While it is possible to set a timeout for a session to a value that never expires, this is not a secure
configuration and should be avoided.
History
FortiOS v2.80 Revised.
FortiOS v3.0 Changed from session_ttl to session-ttl.
FortiOS v3.0 MR3 Added never keyword to timeout, and added valid ranges for times for timeout and default.
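Both the session-helper section earlier on this page (a helper rebound to a non-default port, as in the FTP-to-111 example there) and the note above (a per-port timeout of never) describe settings that are easy to miss in a long configuration and worth auditing in a saved dump. The following is an added example, not Fortinet's code: the parser follows the config/edit/set/next/end shape of the CLI examples on this page, SAMPLE_CONFIG is constructed for the example, and the default-port table is Table 28 from the session-helper section.

```python
"""Audit session-helper and session-ttl entries in a FortiOS config dump.

Added example, not Fortinet's code: the parser follows the config/edit/set/
next/end shape of the CLI examples on this page, SAMPLE_CONFIG is constructed
for the example, and the default ports come from Table 28 on this page.
"""

# (helper name, protocol number) -> default port(s), from Table 28.
STANDARD_HELPER_PORTS = {
    ("pptp", 6): {1723}, ("h323", 6): {1720}, ("ras", 17): {1719},
    ("tns", 6): {1521}, ("tftp", 17): {69}, ("rtsp", 6): {23, 25, 554, 7070},
    ("ftp", 6): {21}, ("pmap", 17): {111}, ("sip", 17): {5060},
    ("dns-udp", 17): {53}, ("rsh", 6): {512, 514}, ("dcerpc", 6): {135},
    ("dcerpc", 17): {135}, ("mgcp", 17): {2427, 2727},
}

# Constructed sample: ftp rebound to 111 (the page's example) and a port
# whose idle timeout is set to never.
SAMPLE_CONFIG = """
config system session-helper
    edit 8
        set name ftp
        set port 111
        set protocol 6
    next
    edit 11
        set name pmap
        set port 111
        set protocol 17
    next
end
config system session-ttl
    set default 62000
    config port
        edit 8443
            set timeout never
        next
    end
end
"""


def parse_fortios_config(text):
    """Nest config/edit blocks as dicts; 'set k v...' stores the value tokens as a list.

    'next' closes the current edit; 'end' closes the enclosing config block
    together with any edit still open, which is how the CLI treats it.
    """
    root = {}
    stack = [("root", root)]
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(("config", stack[-1][1].setdefault(" ".join(args), {})))
        elif cmd == "edit":
            stack.append(("edit", stack[-1][1].setdefault(args[0], {})))
        elif cmd == "set":
            stack[-1][1][args[0]] = args[1:]
        elif cmd == "next" and stack[-1][0] == "edit":
            stack.pop()
        elif cmd == "end":
            while stack[-1][0] == "edit":
                stack.pop()
            if stack[-1][0] == "config":
                stack.pop()
    return root


def audit_session_helpers(cfg):
    """Report helpers bound to a port other than the Table 28 default."""
    findings = []
    for idx, entry in cfg.get("system session-helper", {}).items():
        name = entry["name"][0]
        port, proto = int(entry["port"][0]), int(entry["protocol"][0])
        expected = STANDARD_HELPER_PORTS.get((name, proto))
        if expected is None:
            findings.append(f"helper {idx}: {name}/{proto} is not in the default table")
        elif port not in expected:
            findings.append(f"helper {idx}: {name} bound to port {port} instead of {sorted(expected)}")
    return findings


def audit_session_ttl(cfg, low=300, high=604800):
    """Report 'never' timeouts and values outside the documented 300-604800 range."""
    findings = []
    ttl = cfg.get("system session-ttl", {})
    default = ttl.get("default", [None])[0]
    if default is not None and not low <= int(default) <= high:
        findings.append(f"session-ttl default {default} is outside {low}-{high}")
    for port, entry in ttl.get("port", {}).items():
        timeout = entry.get("timeout", [None])[0]
        if timeout == "never":
            findings.append(f"session-ttl port {port}: timeout never, idle sessions are never dropped")
        elif timeout is not None and not low <= int(timeout) <= high:
            findings.append(f"session-ttl port {port}: timeout {timeout} is outside {low}-{high}")
    return findings


if __name__ == "__main__":
    parsed = parse_fortios_config(SAMPLE_CONFIG)
    for finding in audit_session_helpers(parsed) + audit_session_ttl(parsed):
        print(finding)
```

The parser accepts both the next/end form a saved configuration uses and the edit/end form the examples on this page use, because a bare end commits and leaves the whole config block in either case.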
settings
Use this command to change settings that are per-VDOM settings such as the operating mode and default
gateway.
When changing the opmode of the VDOM, there are keywords that are visible depending on which
opmode you are changing to. They are only visible after you set the opmode and before you commit the
changes with either end or next. If you do not set these keywords, the opmode change will fail.
system settings differs from system global in that system global keywords apply to the entire
FortiGate unit, where system settings keywords apply only to the current VDOM, or the entire
FortiGate unit if VDOMs are not enabled.
Bi-directional Forwarding Detection (BFD) is a protocol used by BGP and OSPF. It is used to quickly locate
hardware failures in the network. Routers running BFD communicate with each other, and if a timer runs
out on a connection then that router is declared down. BFD then communicates this information to the
routing protocol and the routing information is updated. BFD support was added in FortiOS v3.0 MR4, and
can only be configured through the CLI.
Syntax
config system settings
    set allow-subnet-overlap {enable | disable}
    set asymroute {enable | disable}
    set asymroute6 {enable | disable}
    set bfd {enable | disable}
    set bfd-desired-min-tx <interval_msec>
    set bfd-required-min-tx <interval_msec>
    set bfd-detect-mult <multiplier>
    set bfd-dont-enforce-src-port {enable | disable}
    set comments <string>
    set device <interface_name>
    set ecmp-max-paths <max_entries>
    set gateway <gw_ipv4>
    set ip <address_ipv4>
    set manageip <manage_ipv4>
    set multicast-forward {enable | disable}
    set multicast-ttl-notchange {enable | disable}
    set opmode {nat | transparent}
    set sccp-port <port_number>
    set sip-helper {enable | disable}
    set sip-nat-trace {enable | disable}
    set sip-tcp-port <port_number>
    set sip-udp-port <port_number>
    set status {enable | disable}
    set strict-src-check {enable | disable}
    set utf8-spam-tagging {enable | disable}
    set vpn-stats-log {ipsec | l2tp | pptp | ssl}
    set vpn-stats-period <period_int>
end
Table 29: Keywords associated with each opmode
Change from NAT to Transparent mode     Change from Transparent to NAT mode
set gateway <gw_ipv4>                   set device <interface_name>
set manageip <manage_ipv4>              set gateway <gw_ipv4>
                                        set ip <address_ipv4>
Variables Description Default
allow-subnet-overlap {enable | disable}
    Enable limited support for interface and VLAN subinterface IP address overlap for this VDOM. Use this command to enable limited support for overlapping IP addresses in an existing network configuration.
    Caution: for advanced users only. Use this only for existing network configurations that cannot be changed to eliminate IP address overlapping.
    Default: disable
asymroute {enable | disable}
    Enable to turn on IPv4 asymmetric routing on your FortiGate unit, or this VDOM if you have VDOMs enabled.
    This feature should only be used as a temporary check to troubleshoot a network. It is not intended to be enabled permanently. When it is enabled, many security features of your FortiGate unit are not enabled. For more information on asymmetric routing, see the FortiGate VLANs and VDOMs guide.
    Default: disable
asymroute6 {enable | disable}
    Enable to turn on IPv6 asymmetric routing on your FortiGate unit, or this VDOM if you have VDOMs enabled.
    This feature should only be used as a temporary check to troubleshoot a network. It is not intended to be enabled permanently. When it is enabled, many security features of your FortiGate unit are not enabled. For more information on asymmetric routing, see the FortiGate VLANs and VDOMs guide.
    Default: disable
bfd {enable | disable}
    Enable to turn on bi-directional forwarding detection (BFD) for this virtual domain, or the whole FortiGate unit. BFD can be used with OSPF and BGP configurations, and overridden on a per interface basis.
    Default: disable
bfd-desired-min-tx <interval_msec>
    Enter a value from 1 to 100000 msec as the preferred minimum transmit interval for BFD packets. If possible this will be the minimum used. This is only available when bfd is enabled.
    Default: 50
bfd-required-min-tx <interval_msec>
    Enter a value from 1 to 100000 msec as the required minimum transmit interval for BFD packets. The FortiGate unit will not transmit BFD packets at a slower rate than this. This is only available when bfd is enabled.
    Default: 50
bfd-detect-mult <multiplier>
    Enter a value from 1 to 50 for the BFD detection multiplier.
    Default: 3
bfd-dont-enforce-src-port {enable | disable}
    Enable to not enforce the BFD source port.
    Default: disable
comments <string>
    Enter a descriptive comment for this virtual domain.
    Default: null
device <interface_name>
    Enter the interface to use for management access. This is the interface to which ip applies. This keyword is visible only after you change opmode from transparent to nat, before you commit the change.
    No default.
ecmp-max-paths <max_entries>
    Enter the maximum number of routes allowed to be included in an Equal Cost Multi-Path (ECMP) configuration. Set to 1 to disable ECMP routing. ECMP routes have the same distance and the same priority, and can be used in load balancing.
    Default: 10
gateway <gw_ipv4>
    Enter the default gateway IP address. This keyword is visible only after you change opmode from nat to transparent or from transparent to nat, before you commit the change.
    No default.
ip <address_ipv4>
    Enter the IP address to use after switching to nat mode. This keyword is visible only after you change opmode from transparent to nat, before you commit the change.
    No default.
manageip <manage_ipv4>
    Set the IP address and netmask of the Transparent mode management interface. You must set this when you change opmode from nat to transparent. This option is not available in transparent mode.
    No default.
multicast-forward {enable | disable}
    Enable or disable multicast forwarding to forward any multicast IP packets in which the TTL is 2 or higher to all interfaces and VLAN interfaces except the receiving interface. The TTL in the IP header will be reduced by 1. When multiple VDOMs are configured, this option is available within each VDOM.
    Default: disable
multicast-ttl-notchange {enable | disable}
    Enable to alter multicast forwarding so that it does not decrement the time-to-live (TTL) in the packet header. Disable for normal multicast forwarding behavior. In multiple VDOM mode, this option is only available within VDOMs. It is not available at the global level.
    Default: disable
opmode {nat | transparent}
    Enter the required operating mode. If you change opmode from nat to transparent, you must set manageip and gateway. If you change opmode from transparent to nat, you must set device, ip, gateway-device and gateway.
    Default: nat
sccp-port <port_number>
    Enter the port number from 1 to 65535 of the TCP port to use to monitor Skinny Client Call protocol (SCCP) traffic. SCCP is a Cisco proprietary protocol for VoIP.
    Default: 2000
sip-helper {enable | disable}
    Enable to use the helper to add dynamic SIP firewall allow rules.
    Default: enable
sip-nat-trace {enable | disable}
    Select enable to record the original IP address of the phone.
    Default: enable
sip-tcp-port <port_number>
    Enter a port number from 1 to 65535 for the TCP port the SIP proxy will use to monitor for SIP traffic.
    Default: 5060
sip-udp-port <port_number>
    Enter a port number from 1 to 65535 for the UDP port the SIP proxy will use to monitor for SIP traffic.
    Default: 5060
status {enable | disable}
    Disable or enable this VDOM. Disabled VDOMs keep all their configuration, but the resources of that VDOM are not accessible. To leave VDOM mode, all disabled VDOMs must be deleted; to leave VDOM mode there can be only the root VDOM configured. Only available when VDOMs are enabled.
    Default: enable
strict-src-check {enable | disable}
    Enable to refuse packets from a source IP range if there is a specific route in the routing table for this network (RFC 3704).
    Default: disable
utf8-spam-tagging {enable | disable}
    Enable to convert spam tags to UTF-8 for better non-ASCII character support.
    Default: enable
vpn-stats-log {ipsec | l2tp | pptp | ssl}
    Enable periodic VPN log statistics for selected traffic: ipsec, l2tp, pptp, ssl.
vpn-stats-period <period_int>
    Enter the interval in seconds for vpn-stats-log to collect statistics.
    Default: 0
Example
Changing the opmode from Transparent to NAT involves a number of steps. For example, before you
change the opmode, the other required keywords ip, device, and gateway are not visible.
This example changes to NAT opmode in a VDOM called vdom2. The management interface is set to
internal, and the management IP is set to 192.168.10.8 with a gateway of 192.168.10.255.
config vdom
    edit vdom2
        config system settings
            set opmode nat
            set device internal
            set ip 192.168.10.8
            set gateway 192.168.10.255
        end
    end
History
FortiOS v3.0 New. opmode moved from system global. manageip moved from system manageip.
FortiOS v3.0 MR3 Added multicast-forward and multicast-ttl-notchange.
FortiOS v3.0 MR4 Added asymroute, bfd, bfd-desired-min-tx, bfd-required-min-tx, bfd-detect-mult, bfd-dont-enforce-src-port, sccp-port, sip-helper, sip-tcp-port, and sip-udp-port.
FortiOS v3.0 MR6 Added comments, status, p2p-rate-limit, sip-nat-trace, and utf8-spam-tagging. Removed gateway-device.
FortiOS v3.0 MR7 Added allow-subnet-overlap, asymroute6, and strict-src-check keywords.
FortiOS v4.0 Added vpn-stats-log and vpn-stats-period. Removed p2p-rate-limit.
Related Commands
vdom
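The strict-src-check keyword in the table above is a reverse-path check in the sense of RFC 3704: the packet's source address is looked up in the routing table, and the packet is refused when the best route for that source does not lead back out of the interface it arrived on. The following is an added example in Python, not Fortinet's code, that shows what such a lookup decides for a few source/interface pairs. The routing table, prefixes and interface names are constructed for the example; the page describes only the enabled (strict) behaviour, and the loose variant is included for contrast.

```python
"""Reverse-path check of a packet's source address, as strict-src-check applies it.

Added example, not Fortinet's code. The routing table, prefixes and interface
names are constructed for the example. strict=True models the enabled
setting described on this page (RFC 3704 strict mode); strict=False is the
loose variant, included for contrast.
"""

from ipaddress import ip_address, ip_network

# Constructed routing table: (destination prefix, outgoing interface).
ROUTES = [
    ("0.0.0.0/0", "wan1"),
    ("192.168.20.0/24", "port1"),
    ("10.0.0.0/8", "port2"),
    ("10.5.0.0/16", "port3"),
]


def best_route(routes, addr):
    """Longest-prefix match for addr; returns (network, interface) or None."""
    ip = ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def reverse_path_check(routes, src, ingress, strict=True, ignore_default=False):
    """True if a packet from src arriving on ingress passes the reverse-path check.

    strict: the best route for src must point back out of ingress (the packet
    is refused when a more specific route says the source lives elsewhere).
    loose: any route for src suffices. ignore_default leaves the 0.0.0.0/0
    route out of the lookup, the RFC 3704 variant that keeps loose mode
    meaningful on a unit that has a default route.
    """
    candidates = [r for r in routes if not (ignore_default and ip_network(r[0]).prefixlen == 0)]
    route = best_route(candidates, src)
    if route is None:
        return False
    return route[1] == ingress if strict else True


if __name__ == "__main__":
    for src, ingress in (("192.168.20.7", "port1"), ("192.168.20.7", "wan1"), ("10.5.1.1", "port2")):
        print(src, "on", ingress,
              "strict:", reverse_path_check(ROUTES, src, ingress),
              "loose:", reverse_path_check(ROUTES, src, ingress, strict=False))
```

The second sample pair is the case the setting exists for: a packet claiming an internal source address but arriving on the WAN interface passes the loose check (the source is routable) and fails the strict one (the specific route for 192.168.20.0/24 points at port1). The same property is why strict checking cannot coexist with the asymmetric routing that asymroute permits: a legitimate return path through a different interface looks identical to that case.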
sit-tunnel
Use this command to tunnel IPv6 traffic over an IPv4 network. The IPv6 interface is configured under
config system interface.
Syntax
config system sit-tunnel
    edit <tunnel_name>
        set destination <tunnel_address>
        set interface <name>
        set ip6 <address_ipv6>
        set source <address_ipv4>
    end
Note: This command is not available in Transparent mode.
Example
Use the following commands to set up an IPv6 tunnel.
config system sit-tunnel
    edit test_tunnel
        set destination 10.10.10.1
        set interface internal
        set ip6 12AB:0:0:CD30::/60
        set source 192.168.50.1
    end
Variables                      Description                                                       Default
edit <tunnel_name>             Enter a name for the IPv6 tunnel.                                 No default.
destination <tunnel_address>   The destination IPv4 address for this tunnel.                     0.0.0.0
interface <name>               The interface used to send and receive traffic for this tunnel.   No default.
ip6 <address_ipv6>             The IPv6 address for this tunnel.                                 No default.
source <address_ipv4>          The source IPv4 address for this tunnel.                          0.0.0.0
History
FortiOS v2.80 New.
FortiOS v3.0 Changed from ipv6_tunnel to ipv6-tunnel.
FortiOS v3.0 MR1 Removed vdom keyword.
FortiOS v3.0 MR2 Added command syntax for multiple-vdom mode. Removed ipv6 and mode keywords.
FortiOS v3.0 MR5 Added ip6.
FortiOS v3.0 MR7 Changed from ipv6-tunnel to sit-tunnel.
Related topics
system interface
system ipv6-tunnel
snmp community
Use this command to configure SNMP communities on your FortiGate unit. You add SNMP communities
so that SNMP managers can connect to the FortiGate unit to view system information and receive SNMP
traps. SNMP traps are triggered when system events happen such as when antivirus checking is
bypassed, or when the log disk is almost full.
You can add up to three SNMP communities. Each community can have a different configuration for SNMP
queries and traps. Each community can be configured to monitor the FortiGate unit for a different set of
events. You can also add the IP addresses of up to 8 SNMP managers to each community.
For more information on SNMP traps and variables see the FortiGate Administration Guide, or the Fortinet
Knowledge Center online.
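The following Python is an added example written for this page; it is not Fortinet code. It builds an SNMP v2c GetRequest for sysDescr.0 with a small BER encoder and then recovers the community string from the raw bytes the way a passive sniffer on the path between manager and FortiGate unit would, which is why the hosts restriction and the version settings above matter. The community name SNMP_Com1 is taken from the example later in this section; the encoder, the decoder and the helper names are the example's own.

```python
"""Added example (not Fortinet code): an SNMP v1/v2c community string is the
only credential and travels in cleartext.  Pure-Python BER, no network."""
from typing import Optional


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _integer(v: int) -> bytes:
    """Minimal two's-complement INTEGER (non-negative values only here)."""
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True)
    return _tlv(0x02, body)


def _oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str, request_id: int = 1, version: int = 1) -> bytes:
    """SNMP GetRequest.  version 0 = SNMPv1, 1 = SNMPv2c (same wire shape)."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))          # OID + NULL
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _integer(version) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def community_from_packet(packet: bytes) -> Optional[str]:
    """What a sniffer sees: version and community are the first two fields of
    every v1/v2c message.  Returns None for anything else (v3 has no community)."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        return None
    vtag, version, nxt = _read_tlv(msg, 0)
    if vtag != 0x02 or int.from_bytes(version, "big") not in (0, 1):
        return None
    ctag, community, _ = _read_tlv(msg, nxt)
    return community.decode() if ctag == 0x04 else None


if __name__ == "__main__":
    pkt = build_get_request("SNMP_Com1", "1.3.6.1.2.1.1.1.0")   # sysDescr.0
    print(pkt.hex())
    print("community recovered from the wire:", community_from_packet(pkt))
```

Send the bytes to UDP port 161 (the query-v1-port / query-v2c-port default below) and any host on the path can read the community with community_from_packet; the FortiGate unit's only defence is the hosts list, which is why an SNMP v3 user is preferable where the manager supports it.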
Syntax
config system snmp community
  edit <index_number>
    set events <events_list>
    set name <community_name>
    set query-v1-port <port_number>
    set query-v1-status {enable | disable}
    set query-v2c-port <port_number>
    set query-v2c-status {enable | disable}
    set status {enable | disable}
    set trap-v1-lport <port_number>
    set trap-v1-rport <port_number>
    set trap-v1-status {enable | disable}
    set trap-v2c-lport <port_number>
    set trap-v2c-rport <port_number>
    set trap-v2c-status {enable | disable}
    config hosts
      edit <host_number>
        set interface <if_name>
        set ip <address_ipv4>
      end
  end
Note: An SNMP manager must be listed as a host in a community on the FortiGate unit it will be
monitoring. Otherwise the SNMP manager will not receive traps from that FortiGate unit and will not be
able to query it.
Variables
  edit <index_number>
    Enter the index number of the community in the SNMP communities table. Enter an unused index
    number to create a new SNMP community.
  events <events_list>
    Enable the events for which the FortiGate unit should send traps to the SNMP managers in this
    community. Default: all events enabled.
      av-bypass             FortiGate unit has entered bypass mode. See set av-failopen pass under
                            global on page 363.
      av-conserve           System enters conserve mode.
      av-fragmented         A fragmented file has been detected.
      av-oversize           An oversized file has been detected.
      av-oversize-blocked   An oversized file has been blocked.
      av-oversize-passed    An oversized file has passed through.
      av-pattern            A file matching the AV pattern is detected.
      av-virus              A virus is detected.
      cpu-high              CPU usage exceeds threshold. Default is 80%. Automatic smoothing ensures
                            only prolonged high CPU usage will trigger this trap, not a momentary spike.
      fm-conf-change        FortiGate unit is managed by FortiManager, but the FortiGate administrator
                            has modified the configuration directly.
      fm-if-change          FortiManager interface changes.
      ha-hb-failure         The HA heartbeat interface has failed.
      ha-member-down        An HA cluster member stops.
      ha-member-up          An HA cluster member starts.
      ha-switch             The primary unit in an HA cluster fails and is replaced with a new HA unit.
      intf-ip               The IP address of a FortiGate interface changes.
      ips-anomaly           IPS detects an anomaly.
      ips-pkg-update        IPS package has been updated.
      ips-signature         IPS detects an attack.
      log-full              Hard drive usage exceeds threshold. Default is 90%.
      mem-low               Memory usage exceeds threshold. Default is 80%.
      power-supply-failure  Power outage detected on monitored power supply. Only available on some
                            models.
      vpn-tun-down          A VPN tunnel stops.
      vpn-tun-up            A VPN tunnel starts.
  name <community_name>
    Enter the name of the SNMP community. Default: none.
  query-v1-port <port_number>
    Enter the SNMP v1 query port number used for SNMP manager queries. Default: 161
  query-v1-status {enable | disable}
    Enable or disable SNMP v1 queries for this SNMP community. Default: enable
  query-v2c-port <port_number>
    Enter the SNMP v2c query port number used for SNMP manager queries. Default: 161
  query-v2c-status {enable | disable}
    Enable or disable SNMP v2c queries for this SNMP community. Default: enable
  status {enable | disable}
    Enable or disable the SNMP community. Default: enable
  trap-v1-lport <port_number>
    Enter the SNMP v1 local port number used for sending traps to the SNMP managers. Default: 162
  trap-v1-rport <port_number>
    Enter the SNMP v1 remote port number used for sending traps to the SNMP managers. Default: 162
  trap-v1-status {enable | disable}
    Enable or disable SNMP v1 traps for this SNMP community. Default: enable
  trap-v2c-lport <port_number>
    Enter the SNMP v2c local port number used for sending traps to the SNMP managers. Default: 162
  trap-v2c-rport <port_number>
    Enter the SNMP v2c remote port number used for sending traps to the SNMP managers. Default: 162
  trap-v2c-status {enable | disable}
    Enable or disable SNMP v2c traps for this SNMP community. Default: enable
hosts variables
  edit <host_number>
    Enter the index number of the host in the table. Enter an unused index number to create a new host.
  interface <if_name>
    Enter the name of the FortiGate interface to which the SNMP manager connects. Default: none.
  ip <address_ipv4>
    Enter the IP address of the SNMP manager. Default: 0.0.0.0
Example
This example shows how to add a new SNMP community named SNMP_Com1. The default configuration
can be used in most cases with only a few modifications. In the example below the community is added
and given a name, and then, because this community is for an SNMP manager that is SNMP v1 compatible,
all v2c functionality is disabled. After the community is configured the SNMP manager is added. The SNMP
manager IP address is 192.168.20.34 and it connects to the FortiGate unit internal interface.
config system snmp community
  edit 1
    set name SNMP_Com1
    set query-v2c-status disable
    set trap-v2c-status disable
    config hosts
      edit 1
        set interface internal
        set ip 192.168.20.34
      end
  end
History
  FortiOS v2.80      Substantially revised.
  FortiOS v2.80 MR6  fm_if_change added to events.
  FortiOS v3.0       Event names: hyphens changed to underscores. Changed underscores to hyphens in
                     keywords.
  FortiOS v3.0 MR3   New events added: av-fragmented, av-oversized, av-pattern, ha-hb-failure,
                     temperature-high, and voltage-alarm. Added note.
  FortiOS v3.0 MR7   Added event keywords av-bypass, av-conserve, av-oversize-blocked,
                     av-oversize-pass, ips-pkg-update, and power-supply-failure. Removed
                     temperature-high and voltage-alert.
Related topics
  system snmp sysinfo
snmp sysinfo
Use this command to enable the FortiGate SNMP agent and to enter basic system information used by the
SNMP agent. Enter information that identifies the FortiGate unit, so that when your SNMP manager receives
traps from the FortiGate unit you know which unit sent them. This command also sets the thresholds for the
high CPU usage, log full, and low memory traps. The agent is disabled by default; only enable it once a
community or SNMP v3 user restricts who may talk to it.
For more information on SNMP traps and variables see the FortiGate Administration Guide, or the Fortinet
Knowledge Center online.
Syntax
config system snmp sysinfo
  set contact-info <info_str>
  set description <description>
  set location <location>
  set status {enable | disable}
  set trap-high-cpu-threshold <percentage>
  set trap-log-full-threshold <percentage>
  set trap-low-memory-threshold <percentage>
end
Example
This example shows how to enable the FortiGate SNMP agent and add basic SNMP information.
config system snmp sysinfo
  set status enable
  set contact-info 'System Admin ext 245'
  set description 'Internal network unit'
  set location 'Server Room A121'
end
Keywords and variables
  contact-info <info_str>
    Add the contact information for the person responsible for this FortiGate unit. The contact
    information can be up to 35 characters long. Default: none.
  description <description>
    Add a name or description of the FortiGate unit. The description can be up to 35 characters long.
    Default: none.
  location <location>
    Describe the physical location of the FortiGate unit. The system location description can be up to
    35 characters long. Default: none.
  status {enable | disable}
    Enable or disable the FortiGate SNMP agent. Default: disable
  trap-high-cpu-threshold <percentage>
    Enter the percentage of CPU usage that triggers the high-cpu SNMP trap. The high CPU trap is
    smoothed so that it fires on sustained CPU usage rather than on a momentary spike; this prevents
    frequent and unnecessary traps. Default: 80
  trap-log-full-threshold <percentage>
    Enter the percentage of disk space used that triggers the log-full SNMP trap. Default: 90
  trap-low-memory-threshold <percentage>
    Enter the percentage of memory used that triggers the low-memory SNMP trap. Default: 80
History
  FortiOS v3.0      Changed contact_info to contact-info.
  FortiOS v3.0 MR2  Added trap-high-cpu-threshold, trap-log-full-threshold, and
                    trap-low-memory-threshold commands.
  FortiOS v4.0      Revised.
Related topics
  system snmp community
snmp user
Use this command to configure an SNMP v3 user, including which SNMP events the user wants to be
notified about, which hosts will be notified, and, if queries are enabled, which port to listen on for
them. An SNMP v3 user takes the place of a v1/v2c community (system snmp community) for the manager
that uses it.
For more information on SNMP traps and variables see the FortiGate Administration Guide, or the Fortinet
Knowledge Center online.
Syntax
config system snmp user
  edit <user_name>
    set events <event_string>
    set notify-hosts <hosts_string>
    set queries {enable | disable}
    set query-port <port_int>
  end
Keywords and variables
  edit <user_name>
    Edit or add the selected user. Default: none.
  events <event_string>
    Select which SNMP notifications to send. Select each event that will generate a notification and
    add it to the string. Separate multiple events with a space. Default: none. Available events include:
      av-bypass             AV bypass happens
      av-conserve           AV system enters conserve mode
      av-fragmented         AV detected fragmented file
      av-oversize           AV detected oversized file
      av-oversize-blocked   AV oversized files blocked
      av-oversize-passed    AV oversized files passed
      av-pattern            AV detected file matching pattern
      av-virus              AV detected virus
      cpu-high              CPU usage too high
      ent-conf-change       entity config change (RFC 4133)
      fm-conf-change        config change (FM trap)
      fm-if-change          interface IP change (FM trap)
      ha-hb-failure         HA heartbeat interface failure
      ha-member-down        HA cluster member down
      ha-member-up          HA cluster member up
      ha-switch             HA cluster status change
      intf-ip               interface IP address changed
      ips-anomaly           IPS detected an anomaly
      ips-pkg-update        IPS package updated
      ips-signature         IPS detected an attack
      log-full              available log space is low
      mem-low               available memory is low
      power-supply-failure  power supply failure
      vpn-tun-down          VPN tunnel is down
      vpn-tun-up            VPN tunnel is up
  notify-hosts <hosts_string>
    Enter the IP addresses to send SNMP notifications to when events occur. Separate multiple addresses
    with a space. Default: none.
  queries {enable | disable}
    Enable or disable SNMP v3 queries for this user. Queries are used to read the values of SNMP
    variables. Default: disable
  query-port <port_int>
    Enter the number of the port used for SNMP v3 queries. If multiple versions of SNMP are being
    supported, each version should listen on a different port. Default: 161
History
  FortiOS v4.0  New.
Related topics
  system snmp community
  system snmp sysinfo
switch-interface
Use this command to group interfaces into a soft-switch, a switch that is implemented in software instead
of hardware. A group of switched interfaces shares one IP address through which it connects to the
FortiGate unit. This feature is available on all FortiGate models. For more information on switch mode,
see global on page 363.
Interfaces that may be members of a soft-switch are physical and wlan interfaces that are not used
anywhere else. Member interfaces cannot be monitored by HA or used as heartbeat devices.
Syntax
config system switch-interface
  edit <group_name>
    set member <iflist>
    set span {enable | disable}
    set span-dest-port <portnum>
    set span-direction {rx | tx | both}
    set span-source-port <portlist>
    set type {hub | switch | hardware-switch}
    set vdom <vdom_name>
  end
Keywords and variables
  <group_name>
    The name for this group of interfaces. Cannot be in use by any other interfaces, VLANs, or
    inter-VDOM links. Default: none.
  member <iflist>
    Enter a list of the interfaces that will be part of this switch. Separate interface names with a
    space. Use <tab> to advance through the list of available interfaces. Default: none.
  span {enable | disable}
    Enable or disable port spanning. This is available only when type is switch. A device attached to
    the destination SPAN port receives a copy of every frame on the source ports, so treat that port as
    a monitoring tap and control what is plugged into it. Default: disable
  span-dest-port <portnum>
    Enter the destination port name. Use <tab> to advance through the list of available interfaces.
    Available when span is enabled. Default: none.
  span-direction {rx | tx | both}
    Select the direction in which the span port operates:
      rx    Copy only received packets from source SPAN ports to the destination SPAN port.
      tx    Copy only transmitted packets from source SPAN ports to the destination SPAN port.
      both  Copy both transmitted and received packets from source SPAN ports to the destination SPAN
            port.
    span-direction is available only when span is enabled. Default: both
  span-source-port <portlist>
    Enter a list of the interfaces that are source ports. Separate interface names with a space. Use
    <tab> to advance through the list of available interfaces. Available when span is enabled.
    Default: none.
  type {hub | switch | hardware-switch}
    Select the type of switch functionality:
      hub              duplicates packets to all member ports (every member sees all traffic)
      switch           normal switch functionality (available in NAT mode only)
      hardware-switch  unit electronics provides switch functionality
    Note: hardware-switch is available only on model 224B, where it is the only option for type.
    Default: switch
  vdom <vdom_name>
    Enter the VDOM to which the switch belongs. Default: none.
Example
This example shows how to create a group of 3 interfaces called low_speed, ideally all running at
10 Mbps. It assumes these interfaces are not referred to anywhere else in FortiOS.
config system switch-interface
  edit low_speed
    set member port1 wlan dmz
  end
History
  FortiOS v3.0 MR6  New.
  FortiOS v3.0 MR7  Added span, span-dest-port, span-direction, span-source-port, type, and vdom
                    keywords.
  FortiOS v4.0      All models support this command.
tos-based-priority
Use this command to prioritize your network traffic based on its type-of-service (TOS).
IP datagrams have a TOS byte in the header (as described in RFC 791). Four bits within this byte make
up the TOS field, which expresses the delay, throughput, reliability, and cost (as described in RFC 1349)
wanted for that service. Together these four bits form the tos variable of the tos-based-priority
command, which is why tos takes a value from 0 to 15 rather than the whole TOS byte. Because the
marking is set by the sender, any host can request a high priority; use it for traffic from sources you
trust or re-mark at the edge.
The TOS information can be used to manage network traffic based on the needs of the application or
service. TOS application routing (RFC 1583) is supported by OSPF routing.
Syntax
config system tos-based-priority
  edit <name>
    set tos <ip_tos_value>
    set priority [high | medium | low]
  end
Examples
It is a good idea to have your entry names in the tos-based-priority table and their TOS values be the
same. Otherwise it can become confusing.
config system tos-based-priority
  edit 1
    set tos 1
    set priority low
  next
  edit 4
    set tos 4
    set priority medium
  next
  edit 6
    set tos 6
    set priority high
  next
end
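As an added example, not part of the original reference and not Fortinet code, the following Python extracts the 4-bit TOS field from an IPv4 header and looks the value up in the three entries configured above. The IPv4 header bytes are constructed here for the demonstration; the DSCP mapping goes beyond the page to show that a packet marked with a modern DSCP value (RFC 2474) lands on a tos value that is not its DSCP number, a common source of confusion when the table is built from DSCP documentation.

```python
"""Added example (not Fortinet code): derive the 4-bit tos value that
config system tos-based-priority matches on from an IPv4 header, then
look the value up in the page's example table."""
import struct

# RFC 1349 bits of the 4-bit TOS field: 8 = minimize delay, 4 = maximize
# throughput, 2 = maximize reliability, 1 = minimize monetary cost.
TOS_BITS = [(8, "min-delay"), (4, "max-throughput"), (2, "max-reliability"), (1, "min-cost")]

# The three entries configured in the example above: tos value -> priority.
EXAMPLE_TABLE = {1: "low", 4: "medium", 6: "high"}


def tos_field(tos_byte):
    """RFC 1349 TOS byte: bits 0-2 precedence, bits 3-6 TOS field, bit 7 MBZ.
    The CLI's tos keyword takes the 4-bit field, hence the 0..15 range."""
    return (tos_byte >> 1) & 0x0F


def tos_field_from_dscp(dscp):
    """RFC 2474 redefined the same byte as a 6-bit DSCP plus 2 ECN bits
    (DSCP << 2), so a DSCP-marked packet lands on tos value (DSCP << 1) & 0xF."""
    return tos_field((dscp & 0x3F) << 2)


def describe(value):
    """Names of the TOS bits set in a 0..15 value (empty list = normal service)."""
    return [name for bit, name in TOS_BITS if value & bit]


def make_ipv4_header(tos_byte, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Constructed 20-byte IPv4 header (no options) carrying the given TOS byte.
    Checksum is left at zero; only the TOS byte matters for this demonstration."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos_byte, 20, 0, 0, 64, 6, 0, src, dst)


def priority_for_packet(ipv4_header, table=EXAMPLE_TABLE):
    """Return the configured priority for the packet, or None when no
    tos-based-priority entry matches its TOS field."""
    version_ihl, tos_byte = struct.unpack("!BB", ipv4_header[:2])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return table.get(tos_field(tos_byte))


if __name__ == "__main__":
    for tos_byte in (0x02, 0x08, 0x0C, 0xB8):
        value = tos_field(tos_byte)
        print(f"TOS byte 0x{tos_byte:02x} -> tos {value:2d} {describe(value)} "
              f"-> {priority_for_packet(make_ipv4_header(tos_byte))}")
```

TOS bytes 0x02, 0x08 and 0x0C map to tos values 1, 4 and 6 and therefore to the low, medium and high entries above, while a DSCP EF packet (TOS byte 0xB8) maps to tos 12 and matches nothing in this table.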
Variables
  edit <name>
    Enter the name of the tos-based-priority entry to create. Default: none.
  tos <ip_tos_value>
    Enter the value of the 4-bit TOS field in the IP datagram header. This value can be from 0 to 15.
    Default: 0
  priority [high | medium | low]
    Select the priority of this type of service as either high, medium, or low priority. These priority
    levels conform to the firewall traffic shaping priorities. Default: high
Related topics
  system global
  router ospf
  router policy
  execute ping-options, ping6-options
vdom-link
Use this command to create an internal point-to-point interface object. This object is a link used to join
virtual domains. Inter-VDOM links support BGP routing and IPSec DHCP (DHCP over IPSec), but not
regular DHCP.
Creating the interface object also creates 2 new interface objects named <name>0 and <name>1.
For example, if your object was named v_link, the 2 interface objects would be named v_link0 and
v_link1. You can then configure these new interfaces as you would any other virtual interface using
config system interface. Traffic between the two VDOMs is subject to the firewall policies of each, so
the link is a policy enforcement point, not a bypass.
When using vdom-links in HA, you can only have vdom-links in one vcluster. If you have vclusters defined,
you must use the vcluster keyword to determine which vcluster will be allowed to contain the vdom-links.
A packet can pass through an inter-VDOM link a maximum of three times. This is to prevent a loop. When
traffic is encrypted or decrypted it changes the content of the packets and this resets the inter-VDOM
counter. However, using IPIP or GRE tunnels does not reset the counter.
For more information on the vdom-link command see Configuring inter-VDOM routing on page 54 and
the FortiGate VLANs and VDOMs Guide.
Syntax
config system vdom-link
  edit <name>
    set vcluster {1 | 2}
  end
Examples
In this example you have already created two virtual domains called v1 and v2 and want to set up a link
between them. The following command creates the VDOM link called v12_link. Once you have the link you
need to bind its two ends to the VDOMs it will be working with.
config system vdom-link
  edit v12_link
  end
config system interface
  edit v12_link0
    set vdom v1
  next
  edit v12_link1
    set vdom v2
  end
If you want to delete the vdom-link, you must delete the interface. In the above example this would be:
config system interface
  delete v12_link
end
Variables
  edit <name>
    Enter the name of the link object to create. You are limited to 8 characters maximum for the name.
    Default: none.
  vcluster {1 | 2}
    Select vcluster 1 or 2 as the only vcluster to have inter-VDOM links. This option is available only
    when HA and vclusters are configured, and there are VDOMs in both vclusters.
History
  FortiOS v3.0      New command.
  FortiOS v3.0 MR4  Added vcluster keyword.
Related topics
  router bgp
  system interface
  system dhcp server
vdom-property
Use this command to set the maximum and guaranteed limits of system resources for the specified virtual
domain (VDOM). The optional guaranteed limit ensures a minimum number of a resource is always
available for this VDOM. For example, a minimum of 200 sessions could be necessary for the root VDOM.
Configured vdom-property maximums, when totaled for all VDOMs, cannot exceed the maximum
values set in resource-limits for that variable, which apply to the entire FortiGate unit. For example, if
resource-limits sets a maximum of 10 000 sessions, then the maximum sessions for all VDOMs, when
totaled, must be 10 000 sessions or less.
Restricting system resources on a per-VDOM level allows increased numbers of VDOMs to be configured
while minimizing the impact on FortiGate performance. It also allows tiered service levels to be established
for different VDOMs, and keeps one VDOM from exhausting a shared resource such as the session table
at the expense of the others.
This command is available only when VDOMs are enabled.
Syntax
config global
  config system vdom-property
    edit <vdom_name>
      set custom-service <srvc_max> [srvc_min]
      set dialup-tunnel <tunn_max> [tunn_min]
      set firewall-policy <pol_max> [pol_min]
      set firewall-profile <prof_max> [prof_min]
      set firewall-address <addr_max> [addr_min]
      set firewall-addrgrp <group_max> [group_min]
      set ipsec-phase1 <tunn_max> [tunn_min]
      set ipsec-phase2 <tunn_max> [tunn_min]
      set onetime-schedule <sched_max> [sched_min]
      set recurring-schedule <sched_max> [sched_min]
      set service-group <group_max> [group_min]
      set session <session_max> [session_min]
      set user <user_max> [user_min]
      set user-group <group_max> [group_min]
    end
end
Note: The resource limits vary for different FortiGate models. The resources are also increased when
FortiGate units are in HA mode, due to the increased shared resources that are available.
Variables
  edit <vdom_name>
    Select the VDOM to set the limits for.
  custom-service <srvc_max> [srvc_min]
    Enter the maximum number and guaranteed number of firewall custom services. Default: 0
  dialup-tunnel <tunn_max> [tunn_min]
    Enter the maximum number and guaranteed number of dialup tunnels. Default: 0
  firewall-policy <pol_max> [pol_min]
    Enter the maximum number and guaranteed number of firewall policies. Default: 0
  firewall-profile <prof_max> [prof_min]
    Enter the maximum number and guaranteed number of firewall profiles. Default: 0
  firewall-address <addr_max> [addr_min]
    Enter the maximum number and guaranteed number of firewall addresses. Default: 0
  firewall-addrgrp <group_max> [group_min]
    Enter the maximum number and guaranteed number of firewall address groups. Default: 0
  ipsec-phase1 <tunn_max> [tunn_min]
    Enter the maximum number and guaranteed number of IPSec phase1 tunnels. Default: 0
  ipsec-phase2 <tunn_max> [tunn_min]
    Enter the maximum number and guaranteed number of IPSec phase2 tunnels. Default: 0
  onetime-schedule <sched_max> [sched_min]
    Enter the maximum number and guaranteed number of onetime schedules. Default: 0
  recurring-schedule <sched_max> [sched_min]
    Enter the maximum number and guaranteed number of recurring schedules. Default: 0
  service-group <group_max> [group_min]
    Enter the maximum number and guaranteed number of firewall service groups. Default: 0
  session <session_max> [session_min]
    Enter the maximum number and guaranteed number of sessions. Default: 0
  user <user_max> [user_min]
    Enter the maximum number and guaranteed number of users. Default: 0
  user-group <group_max> [group_min]
    Enter the maximum number and guaranteed number of user groups. Default: 0
Example
Use the following commands to set a maximum of 500 sessions on the root VDOM with a guaranteed
minimum of 100 sessions. For this example, VDOMs are enabled.
config global
  config system vdom-property
    edit root
      set session 500 100
    next
  end
end
History
  FortiOS v4.0  New.
Related topics
  system resource-limits
wccp
Configure settings for Web Cache Communication Protocol (WCCP) version 2 to optimize web traffic, thus
reducing transmission costs and download time.
When a web client (on a computer) makes a request for web content, WCCP allows the routers on the
local network to redirect the web content requests to the appropriate web cache server on the local
network. If the web cache server contains the information in the web content request, the web cache
server sends the content directly to the local client. If the web cache does not contain the requested
information, the web cache server downloads the HTTP information, caches it, and sends it to the local
client. The local client is not aware this caching is taking place.
For web caching to function, local network traffic must be directed through one or more routers that are
able to forward the HTTP requests to the web cache servers. The FortiGate unit can act as a WCCP
version 2 enabled router and direct web content requests to configured web cache servers.
Web caching speeds up downloads by not accessing remote websites for each HTTP request. It also
reduces the amount of data a company network sends and receives over the Internet, reducing costs.
Because the FortiGate unit hands client traffic to the cache servers that announce themselves for the
service, restrict server-list to the addresses of your own cache servers and enable authentication, so
that an unauthorized host cannot join the service group and receive the redirected traffic.
Syntax
config system wccp
  edit <service-id>
    set assignment-method {HASH | MASK | any}
    set authentication {disable | enable}
    set forward-method {GRE | L2 | any}
    set group-address <multicast_ipv4>
    set password <password_str>
    set return-method {GRE | L2 | any}
    set router-id <interface_ipv4>
    set server-list <server_ipv4mask>
  next
end
Variables
  <service-id>
    Valid ID range is from 0 to 255; 0 is the HTTP service. Default: 1
  assignment-method {HASH | MASK | any}
    Specifies which assignment method the FortiGate unit prefers. If assignment-method is any, the
    cache server determines the assignment method. Default: HASH
  authentication {disable | enable}
    Enable or disable MD5 authentication of the WCCP service group.
  forward-method {GRE | L2 | any}
    Specifies how the FortiGate unit forwards traffic to cache servers. If forward-method is any, the
    cache server determines the forward method. Default: GRE
  group-address <multicast_ipv4>
    The IP multicast address used by the cache servers. 0.0.0.0 means the FortiGate unit ignores
    multicast WCCP traffic. Otherwise, group-address must be from 224.0.0.0 to 239.255.255.255.
    Default: 0.0.0.0
  password <password_str>
    The MD5 authentication password. Maximum length is 8 characters, so use the full length and
    treat it as a shared secret.
  return-method {GRE | L2 | any}
    Specifies how a cache server declines a redirected packet and returns it to the firewall. If
    return-method is any, the cache server determines the return method. Default: GRE
  router-id <interface_ipv4>
    An IP address known to all cache servers. This IP address identifies a FortiGate interface IP
    address to the cache servers. If all cache servers connect to the same FortiGate interface, then
    <interface_ipv4> can be 0.0.0.0, and the FortiGate unit uses the IP address of that interface as
    the router-id. If the cache servers can connect to different FortiGate interfaces, you must set
    router-id to a single IP address, and this IP address must be added to the configuration of the
    cache servers. Default: 0.0.0.0
  server-list <server_ipv4mask>
    The IP addresses of the web cache servers. Default: 0.0.0.0 0.0.0.0
History
  FortiOS v4.0  New.
wireless ap-status
Use this command to designate access points as accepted or rogue. This designation affects the
web-based manager Rogue AP listing.
You can use the get system wireless detected-ap command to obtain the required information.
The FortiWiFi unit must be in SCAN mode or have bgscan set to enable. For more information see
system wireless settings on page 477.
Syntax
config system wireless ap-status
  edit <ap_id>
    set bssid <macaddr>
    set ssid <ssid>
    set status {accepted | rogue}
  end
Variables
  edit <ap_id>
    Enter a numeric identifier for this entry. Default: none.
  bssid <macaddr>
    Enter the MAC address of the access point. Default: none.
  ssid <ssid>
    Enter the SSID of the access point. Default: none.
  status {accepted | rogue}
    Set the designation of this access point:
      accepted  a known access point
      rogue     an unknown, possibly unsafe access point
    Default: rogue
History
  FortiOS v4.0.0  New.
Related topics
  get system wireless detected-ap
  system wireless settings
wireless mac-filter
Use this command to configure the WLAN interface MAC filter on the FortiWiFi-60 unit in Access Point
mode. The filter only checks the source MAC address a client presents, and a client can set that to any
value it has observed on the air, so treat the MAC filter as a convenience control rather than as
authentication and rely on the wireless security settings of the wlan interface for access control.
Syntax
config system wireless mac-filter
  set default-acl {allow | deny}
  set status {enable | disable}
  config mac-list
    edit <list_number>
      set acl {allow | deny}
      set mac <mac_address>
    end
  end
Examples
This example shows how to enable the MAC filter, specify that unlisted MAC addresses should be denied
access, and add MAC address 12:34:56:78:90:AB to the MAC filter Allow list:
config system wireless mac-filter
  set status enable
  set default-acl deny
  config mac-list
    edit 1
      set acl allow
      set mac 12:34:56:78:90:AB
    end
  end
Variables
  default-acl {allow | deny}
    Select whether unlisted MAC addresses are allowed or denied access. Default: deny
  status {enable | disable}
    Enable or disable the MAC filter. Status is always disable in Client mode. Default: disable
mac-list variables
  edit <list_number>
    Enter the number of the MAC filter list entry that you want to edit. Enter an unused number to
    create a new entry.
  acl {allow | deny}
    Select Allow or Deny for the access control list (ACL). Default: deny
  mac <mac_address>
    Set the MAC address to add to the list. Default: none.
History
  FortiOS v2.80E  New command, incorporating config system network wireless wlan.
  FortiOS v3.0    Changed mac_filter to mac-filter, default_acl to default-acl, mac_list to mac-list.
Related topics
  system wireless settings
  system interface
wireless settings
Use this command to configure the WLAN interface wireless settings on a FortiWiFi unit.
Syntax
config system wireless settings
  set band {802.11a | 802.11b | 802.11g}
  set bgscan {enable | disable}
  set bgscan-idle <msec>
  set bgscan-interval <msec>
  set beacon_interval <integer>
  set channel <channel_number>
  set geography <Americas | EMEA | Israel | Japan | World>
  set mode <opmode>
  set power_level <dBm>
end
Except for mode, these keywords are available in Access Point (AP) mode only.
Variables
  band {802.11a | 802.11b | 802.11g}
    Enter the wireless band to use. (802.11a is only available on the FortiWiFi-60A and FortiWiFi-60B.)
    Default: 802.11g
  bgscan {enable | disable}
    Enable scanning in the background. This provides scan mode capabilities in AP mode. When the AP
    channel is idle, the unit checks a scan channel and then returns to the AP channel. When the AP
    channel is idle again, the unit checks the next scan channel. This continues, repeatedly checking
    for signals on all wireless channels. Default: disable
  bgscan-idle <msec>
    Set how long in milliseconds the AP channel must be idle before the FortiWiFi unit checks a scan
    channel. Higher values allow scanning only when wireless network traffic is light. Lower values
    allow more scanning, but this can cause packet loss in heavy network traffic. This is available
    only when bgscan is set to enable. Default: 250
  bgscan-interval <msec>
    Set how long in milliseconds the FortiWiFi unit waits after scanning all wireless channels before
    beginning another cycle of scanning. This is available only when bgscan is set to enable.
    Default: 120
  beacon_interval <integer>
    Set the interval between beacon packets. Access Points broadcast Beacons or Traffic Indication
    Messages (TIM) to synchronize wireless networks. In an environment with high interference,
    decreasing the Beacon Interval might improve network performance. In a location with few wireless
    nodes, you can increase this value. This is available in AP mode only. Default: 100
  channel <channel_number>
    Select a channel number for your FortiWiFi unit wireless network. Use 0 to auto-select the channel.
    Users who want to use the wireless network should configure their computers to use this channel
    for wireless networking. Default: 5
  geography <Americas | EMEA | Israel | Japan | World>
    Select the country or region in which this FortiWiFi unit will operate. Default: World
Example
This example shows how to configure the wireless interface.
conf i g syst emwi r el ess set t i ngs
set mode AP
set channel 4
set geogr aphy Amer i cas
end
conf i g syst emi nt er f ace
edi t wl an
set i p 10. 10. 80. 1 255. 255. 255. 0
set wi f i - ssi d myssi d
set wi f i - secur i t y WEP128
set wi f i - key . . . .
. . .
end
end
History
Related topics
system interface
system vdom-link
wireless mac-filter
mode <opmode> Enter the operation mode for the wireless interface:
AP Access Point mode. Multiple wireless clients can connect
to the unit.
CLI ENT Connect to another wireless network as a client.
SCAN Scan all wireless bands and list the access points.
Note: When switching from AP mode to Client mode or
Monitoring mode you must remove virtual wireless interfaces.
AP
power _l evel <dBm> Set transmitter power level in dBm.
Range 0 to 31.
This is available in AP mode only.
31
Variable Description Default
FortiOS v2.80E Command changed from conf i g syst emwi r el ess wl an.
Keywords added: beacon_i nt er val , br oadcast _ssi d, f r agment _t hr eshol d,
passphr ase, power _l evel , r adi us_ser ver , r t s_t hr eshol d
FortiOS v4.0.0 Removed br oadcast _ssi d, f r agment _t hr eshol d, key, passphr ase,
r adi us_ser ver , r t s_t hr eshol d, secur i t y, ssi d.
Added keywords bgscan, bgscan- i dl e, bgscan- i nt er val .
zone
Use this command to add or edit zones.
In NAT/Route mode, you can group related interfaces or VLAN subinterfaces into zones. Grouping interfaces and subinterfaces into zones simplifies policy creation. For example, if you have two interfaces connected to the Internet, you can add both of these interfaces to the same zone. Then you can configure policies for connections to and from this zone, rather than to and from each interface.
In Transparent mode you can group related VLAN subinterfaces into zones and add these zones to virtual domains.
Syntax
config system zone
  edit <zone_name>
    set interface <name_str>
    set intrazone {allow | deny}
end

edit <zone_name>
  Enter the name of a new or existing zone.
interface <name_str>
  Add the specified interface to this zone. You cannot add an interface if it belongs to another zone or if firewall policies are defined for it.
  Default: No default.
intrazone {allow | deny}
  Allow or deny traffic routing between different interfaces in the same zone.
  Default: deny

Example
This example shows how to add a zone named Zone1, add the internal interface to it, and deny routing between different zones.
config system zone
  edit Zone1
    set interface internal
    set intrazone deny
end
History
FortiOS v2.80      Revised.
FortiOS v2.80 MR2  intrazone now available on all models. All models support zones. Added interface keyword (was part of config system interface).
Related topics
system interface
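The wireless settings and zone Examples above are the kind of configuration text an administrator ends up reviewing in bulk. As an added Python example (not Fortinet code and not part of this reference), the script below parses FortiOS-style config/edit/set/next/end text into nested tables and then audits two of the settings documented in those sections: a WEP value for wifi-security on an interface (WEP is a broken cipher) and intrazone allow on a zone. SAMPLE_CONFIG is constructed from the two Examples; Zone2 and its member interfaces are constructed additions so the intrazone check has something to report. Treating 'next' as closing an edit entry and 'end' as closing the innermost open scope is this example's reading of the syntax; it accepts both the 'edit ... next ... end' form and the 'edit ... end / end' form this reference uses.

```python
"""Parse FortiOS-style CLI configuration text and audit settings from the
wireless settings and zone sections.  Added example, not Fortinet code."""

SAMPLE_CONFIG = """\
config system wireless settings
    set mode AP
    set channel 4
    set geography Americas
end
config system interface
    edit wlan
        set ip 10.10.80.1 255.255.255.0
        set wifi-ssid myssid
        set wifi-security WEP128
    next
end
config system zone
    edit Zone1
        set interface internal
        set intrazone deny
    next
    edit Zone2
        set interface dmz wan2
        set intrazone allow
    next
end
"""  # constructed from the page's Examples; Zone2 is a constructed addition


def parse_config(text):
    """Return {'config <table>': {entry_name: {key: value}}}.

    Settings issued directly under a table that has no 'edit' (such as
    system wireless settings) are stored under the entry name None.  A
    nested 'config' inside an entry becomes a 'config ...' key of that entry."""
    root = {}
    stack = [("edit", root)]  # the root behaves like an entry holding tables
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        cmd, args = parts[0], parts[1:]
        kind, scope = stack[-1]
        if cmd == "config":
            if kind != "edit":
                raise ValueError(f"'config' directly inside a table: {raw!r}")
            stack.append(("config", scope.setdefault("config " + " ".join(args), {})))
        elif cmd == "edit":
            if kind != "config":
                raise ValueError(f"'edit' outside a table: {raw!r}")
            stack.append(("edit", scope.setdefault(" ".join(args), {})))
        elif cmd == "set":
            if kind == "config":
                scope = scope.setdefault(None, {})  # table-level settings
            scope[args[0]] = " ".join(args[1:])
        elif cmd == "next":
            if kind != "edit" or len(stack) == 1:
                raise ValueError(f"'next' without an open entry: {raw!r}")
            stack.pop()
        elif cmd == "end":
            if len(stack) == 1:
                raise ValueError(f"'end' without an open scope: {raw!r}")
            stack.pop()
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("configuration text ends with an unclosed scope")
    return root


def entries(config, table):
    """Yield (name, settings) for the named entries of a table, skipping
    the table-level settings stored under None."""
    for name, settings in config.get(table, {}).items():
        if name is not None:
            yield name, settings


def audit(config):
    """Return findings: WEP wifi-security (weak cipher) and intrazone allow,
    which per the zone table permits routing between interfaces in the
    same zone (the documented default is deny)."""
    findings = []
    for name, iface in entries(config, "config system interface"):
        security = iface.get("wifi-security", "")
        if security.upper().startswith("WEP"):
            findings.append(f"interface {name}: wifi-security {security} uses WEP, which is weak")
    for name, zone in entries(config, "config system zone"):
        if zone.get("intrazone", "deny") == "allow":
            findings.append(f"zone {name}: intrazone allow routes freely between {zone.get('interface', '')}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against a configuration backup, the same parser gives structured access to any table, so further checks (for example, every zone listing the interfaces it groups) are a few lines each.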
user
This chapter covers:
• configuration of the FortiGate unit to use external authentication servers, including Windows Active Directory or other Directory Service servers
• configuration of user accounts and user groups for firewall policy authentication, administrator authentication and some types of VPN authentication
• configuration of peers and peer groups for IPSec VPN authentication and PKI user authentication
This chapter contains the following sections:
Configuring users for authentication
adgrp
ban
fsae
group
ldap
local
peer
peergrp
radius
settings
tacacs+
Configuring users for authentication
This chapter covers two types of user configuration:
• users authenticated by password
• users, sites or computers (peers) authenticated by certificate
Configuring users for password authentication
You need to set up authentication in the following order:
1 If external authentication is needed, configure the required servers.
  See user radius on page 503.
  See user ldap on page 495.
  See user tacacs+ on page 506.
  For Directory Service, see user fsae on page 488.
2 Configure local user identities.
  For each user, you can choose whether the FortiGate unit or an external authentication server verifies the password.
  See user local on page 498.
3 Create user groups.
  Add local users to each user group as appropriate. You can also add an authentication server to a user group. In this case, all users in the server's database can authenticate to the FortiGate unit.
  See user group on page 490.
  For Directory Service, also see user adgrp on page 483.
Configuring peers for certificate authentication
If your FortiGate unit will host IPSec VPNs that authenticate clients using certificates, you need to prepare
for certificate authentication as follows:
1 Import the CA certificates for clients who authenticate with a FortiGate unit VPN using certificates.
See vpn certificate ca on page 508.
2 Enter the certificate information for each VPN client (peer).
See user peer on page 500.
3 Create peer groups, if you have VPNs that authenticate by peer group. Assign the appropriate peers to
each peer group.
See user peergrp on page 502.
For detailed information about IPSec VPNs, see the FortiGate IPSec VPN Guide. For CLI-specific
information about VPN configuration, see the VPN chapter of this Reference.
adgrp
Use this command to list Directory Service user groups.
Syntax
get user adgrp [<dsgroupname>]
If you do not specify a group name, the command returns information for all Directory Service groups. For example:
== [ DOCTEST/Cert Publishers ]
name: DOCTEST/Cert Publishers server-name: DSserv1
== [ DOCTEST/Developers ]
name: DOCTEST/Developers server-name: DSserv1
== [ DOCTEST/Domain Admins ]
name: DOCTEST/Domain Admins server-name: DSserv1
== [ DOCTEST/Domain Computers ]
name: DOCTEST/Domain Computers server-name: DSserv1
== [ DOCTEST/Domain Controllers ]
name: DOCTEST/Domain Controllers server-name: DSserv1
== [ DOCTEST/Domain Guests ]
name: DOCTEST/Domain Guests server-name: DSserv1
== [ DOCTEST/Domain Users ]
name: DOCTEST/Domain Users server-name: DSserv1
== [ DOCTEST/Enterprise Admins ]
name: DOCTEST/Enterprise Admins server-name: DSserv1
== [ DOCTEST/Group Policy Creator Owners ]
name: DOCTEST/Group Policy Creator Owners server-name: DSserv1
== [ DOCTEST/Schema Admins ]
name: DOCTEST/Schema Admins server-name: DSserv1
If you specify a Directory Service group name, the command returns information for only that group. For example:
name : DOCTEST/Developers
server-name : ADserv1
The server-name is the name you assigned to the Directory Service server when you configured it in the user fsae command.
History
FortiOS v3.0  New.
Related topics
user fsae
execute fsae refresh
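The two output shapes above (a '== [ name ]' header followed by a one-line record in the all-groups listing, one 'key : value' line per field in the single-group output) are simple enough to consume from a script, for example to inventory which Directory Service groups each FSAE server supplies. The following is an added Python example, not Fortinet code and not part of this reference; the sample text is the DOCTEST listing from this section, shortened to three groups.

```python
"""Parse the output of 'get user adgrp' in both of the shapes this section
shows.  Added example, not Fortinet code."""

import re

# Sample output: the section's DOCTEST listing, shortened to three groups.
LIST_OUTPUT = """\
== [ DOCTEST/Cert Publishers ]
name: DOCTEST/Cert Publishers server-name: DSserv1
== [ DOCTEST/Developers ]
name: DOCTEST/Developers server-name: DSserv1
== [ DOCTEST/Domain Admins ]
name: DOCTEST/Domain Admins server-name: DSserv1
"""

SINGLE_OUTPUT = """\
name : DOCTEST/Developers
server-name : ADserv1
"""

# 'name: <group> server-name: <server>'; the group name may contain spaces,
# the server name may not, so the name match is non-greedy.
_LIST_ROW = re.compile(r"^name:\s*(?P<name>.+?)\s+server-name:\s*(?P<server>\S+)\s*$")
_KEY_VALUE = re.compile(r"^(?P<key>[\w-]+)\s*:\s*(?P<value>.*?)\s*$")


def parse_adgrp_list(text):
    """Return [{'name': ..., 'server-name': ...}] from the all-groups listing.
    The '== [ ... ]' header repeats the group name; it is used only to
    cross-check the record line that follows it."""
    groups = []
    header_name = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("== [") and line.endswith("]"):
            header_name = line[4:-1].strip()
            continue
        match = _LIST_ROW.match(line)
        if not match:
            raise ValueError(f"unexpected line in adgrp listing: {line!r}")
        if header_name is not None and header_name != match["name"]:
            raise ValueError(f"header {header_name!r} does not match record {match['name']!r}")
        groups.append({"name": match["name"], "server-name": match["server"]})
        header_name = None
    return groups


def parse_adgrp_single(text):
    """Return {'name': ..., 'server-name': ...} from the single-group output."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = _KEY_VALUE.match(line)
        if not match:
            raise ValueError(f"unexpected line in adgrp output: {line!r}")
        record[match["key"]] = match["value"]
    missing = {"name", "server-name"} - record.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    return record


def groups_by_server(groups):
    """Index group names by the user fsae server that supplies them."""
    by_server = {}
    for group in groups:
        by_server.setdefault(group["server-name"], []).append(group["name"])
    return by_server


if __name__ == "__main__":
    print(groups_by_server(parse_adgrp_list(LIST_OUTPUT)))
    print(parse_adgrp_single(SINGLE_OUTPUT))
```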
ban
The FortiGate unit compiles a list of all users, IP addresses, or interfaces that have a quarantine/ban rule applied to them. The Banned User list in the FortiGate web-based interface shows all IP addresses and interfaces blocked by NAC (Network Access Control) quarantine, and all IP addresses, authenticated users, senders and interfaces blocked by DLP (Data Leak Prevention). All users or IP addresses on the Banned User list are blocked until they are removed from the list, and all sessions to an interface on the list are blocked until the interface is removed from the list. Each banned user configuration can have an expiry time/date to automatically remove it from the Banned User list, or the user must be removed from the list manually by the system administrator.
Syntax
config user ban
  edit banid <ban_int>
    set source {dlp-rule | dlp-compound | IPS | AV | DoS}
    set type {quarantine-src-ip | quarantine-dst-ip | quarantine-src-dst-ip | quarantine-intf | dlp-user | dlp-ip | dlp-sender | dlp-im}
    set cause {IPS (Intrusion Protection Sensor) | Antivirus (AV) | Data Leak Prevention (DLP)}
    set src-ip-addr <src_ip_addr>
    set protocol {smtp | pop3 | imap | http-post | http-get | ftp-put | ftp-get | nntp | aim | icq | msn | ym | smtps | pop3s | imaps | https-post | https-get}
    set dst-ip-addr <dst_ip_addr>
    set interface <interface_name>
    set ip-addr <ip_addr>
    set user <user_name>
    set sender <sender_name>
    set im-type {aim | icq | msn | ym}
    set im-name <im_name>
    set expires <ban_expiry_date>
    set created <system_date>
  end
end

banid <ban_int>
  Enter the unique ID number of the banned user configuration.
  Default: No default
source {dlp-rule | dlp-compound | IPS | AV | DoS}
  Enter one of the following to specify the source of the ban:
    dlp-rule      Quarantine caused by a DLP rule configured by the system administrator.
    dlp-compound  Quarantine caused by a DLP compound rule configured by the system administrator.
    IPS           Quarantine caused by the FortiGate unit IPS.
    AV            Quarantine caused by a virus detection by the FortiGate unit.
    DoS           Quarantine caused by the DoS sensor.
  Default: dlp-rule
type {quarantine-src-ip | quarantine-dst-ip | quarantine-src-dst-ip | quarantine-intf | dlp-user | dlp-ip | dlp-sender | dlp-im}
  Enter one of the following to specify the type of ban:
    quarantine-src-ip      Complete quarantine based on source IP address.
    quarantine-dst-ip      Complete quarantine based on destination IP address.
    quarantine-src-dst-ip  Block all traffic from source to destination address.
    quarantine-intf        Block all traffic on the banned interface (port quarantine).
    dlp-user               Ban based on user.
    dlp-ip                 Ban based on IP address of user.
    dlp-sender             Ban based on email sender.
    dlp-im                 Ban based on IM user.
  Default: quarantine-src-ip
cause {IPS (Intrusion Protection Sensor) | Antivirus (AV) | Data Leak Prevention (DLP)}
  Enter one of the following to specify the FortiGate function that caused the user, IP addresses or interfaces to be added to the Banned User list:
    IPS (Intrusion Protection Sensor)  Quarantine users or IP addresses that originate attacks detected by IPS.
    Antivirus (AV)                     Quarantine IP addresses or interfaces that send viruses detected by AV processing.
    Data Leak Prevention (DLP)         Quarantine users or IP addresses that are banned or quarantined by DLP.
  Default: (null)
src-ip-addr <src_ip_addr>
  Enter the banned source IP address.
  Default: 0.0.0.0
protocol {smtp | pop3 | imap | http-post | http-get | ftp-put | ftp-get | nntp | aim | icq | msn | ym | smtps | pop3s | imaps | https-post | https-get}
  Enter the protocol used by the user or IP addresses added to the Banned User list (ban type dlp-ip, dlp-sender, dlp-im, dlp-user):
    smtp        smtp
    pop3        pop3
    imap        imap
    http-post   http post
    http-get    http get
    ftp-put     ftp put
    ftp-get     ftp get
    nntp        nntp
    aim         AOL instant messenger
    icq         ICQ
    msn         MSN messenger
    ym          Yahoo! messenger
    smtps       smtps
    pop3s       pop3s
    imaps       imaps
    https-post  https post
    https-get   https get
  Default: No default
dst-ip-addr <dst_ip_addr>
  Enter the destination IP address to be quarantined/banned (ban type quarantine-dst-ip, quarantine-src-dst-ip).
interface <interface_name>
  Enter the interface to be quarantined/banned (ban type quarantine-intf). The available list of interfaces depends on the FortiGate unit interface configuration, for example: modem( ), interface1( ), interface2( ), interface3( ), interface4( ), interface5( ), ssl.root( ).
  Default: null
ip-addr <ip_addr>
  Enter the banned IP address (ban type dlp-ip).
  Default: 0.0.0.0
user <user_name>
  Enter the name of the user to be banned (ban type dlp-user).
  Default: null
sender <sender_name>
  Enter the name of the sender to be banned (ban type dlp-sender).
  Default: null
im-type {aim | icq | msn | ym}
  Enter the type of instant messenger to be banned (ban type dlp-im):
    aim  AOL instant messenger
    icq  ICQ
    msn  MSN messenger
    ym   Yahoo! messenger
  Default: aim
im-name <im_name>
  Enter the name of the instant messenger to be banned (ban type dlp-im).
  Default: null
expires <ban_expiry_date>
  Specify when the ban is lifted by the FortiGate unit. Date and time <yyyy/mm/dd hh:mm:ss>. Range from 5 min to 365 days or indefinite. If set to indefinite, the ban must be manually removed from the Banned User list.
  Default: indefinite
created <system_date>
  System-generated time that the ban was created by the system administrator. Format Wed Dec 31 16:00:00 1969.
  Default: No default
History
FortiOS v4.0  New.
Related topics
user group
firewall policy, policy6
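The expires and created fields above use two different date formats, and expires may also be the word indefinite, which carries no timestamp at all; tooling that reviews the Banned User list has to handle all three. The following added Python example (not Fortinet code and not part of this reference) parses both fields, reports entries whose lifetime falls outside the documented 5 minute to 365 day range, and lists which bans are still in force at a given time. The ban entries are constructed, with keys named after the CLI fields.

```python
"""Decide whether 'config user ban' entries are still in force from their
expires and created fields, in the formats this section documents.
Added example, not Fortinet code."""

from datetime import datetime, timedelta

EXPIRES_FORMAT = "%Y/%m/%d %H:%M:%S"       # expires: yyyy/mm/dd hh:mm:ss
CREATED_FORMAT = "%a %b %d %H:%M:%S %Y"    # created: e.g. Wed Dec 31 16:00:00 1969
MIN_DURATION = timedelta(minutes=5)        # documented range: 5 min to 365 days
MAX_DURATION = timedelta(days=365)

SAMPLE_BANS = [  # constructed entries, keyed the way the CLI names the fields
    {"banid": 1, "type": "dlp-user", "user": "jdoe",
     "created": "Mon Mar 02 09:00:00 2009", "expires": "2009/03/02 17:00:00"},
    {"banid": 2, "type": "quarantine-src-ip", "src-ip-addr": "10.1.1.25",
     "created": "Mon Mar 02 09:00:00 2009", "expires": "indefinite"},
    {"banid": 3, "type": "dlp-sender", "sender": "sender@example.invalid",
     "created": "Mon Mar 02 09:00:00 2009", "expires": "2009/03/02 09:02:00"},
]


def parse_expires(value):
    """Return None for 'indefinite', otherwise the datetime at which the ban lifts."""
    value = value.strip()
    if value.lower() == "indefinite":
        return None
    return datetime.strptime(value, EXPIRES_FORMAT)


def parse_created(value):
    """Parse the system-generated creation time."""
    return datetime.strptime(value.strip(), CREATED_FORMAT)


def validate_ban(ban):
    """Return a list of problems with the entry's lifetime (empty if consistent).
    An indefinite ban has no lifetime to check; it is removed manually."""
    expires = parse_expires(ban["expires"])
    if expires is None:
        return []
    duration = expires - parse_created(ban["created"])
    problems = []
    if duration < MIN_DURATION:
        problems.append(f"banid {ban['banid']}: lifetime {duration} is under the 5 minute minimum")
    if duration > MAX_DURATION:
        problems.append(f"banid {ban['banid']}: lifetime {duration} exceeds the 365 day maximum")
    return problems


def is_active(ban, now):
    """True while the ban is in force at time 'now' (naive local time, as the CLI shows it)."""
    expires = parse_expires(ban["expires"])
    return expires is None or now < expires


def active_banids(bans, now):
    """IDs of the bans still blocking at 'now', in configuration order."""
    return [ban["banid"] for ban in bans if is_active(ban, now)]


if __name__ == "__main__":
    now = datetime(2009, 3, 2, 12, 0, 0)
    print("active:", active_banids(SAMPLE_BANS, now))
    for ban in SAMPLE_BANS:
        for problem in validate_ban(ban):
            print(problem)
```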
fsae
Use this command to configure the FortiGate unit to receive user group information from a Directory Service server equipped with the Fortinet Server Authentication Extensions (FSAE). You can specify up to five computers on which a FSAE collector agent is installed. The FortiGate unit uses these collector agents in a redundant configuration. If the first agent fails, the FortiGate unit attempts to connect to the next agent in the list.
You can add user groups to Directory Service type user groups for authentication in firewall policies.
Syntax
config user fsae
  edit <server_name>
    set ldap_server <ldap-server-name>
    set password <password> password2 <password2> password3 <password3> password4 <password4> password5 <password5>
    set password2 <password2>
    set password3 <password3>
    set password4 <password4>
    set password5 <password5>
    set port <port_number> <port_number2>
    set port <port_number2>
    set port <port_number3>
    set port <port_number4>
    set port <port_number5>
    set server <domain> server2 <domain2> server3 <domain3> server4 <domain4> server5 <domain5>
    set server2 <domain2>
    set server3 <domain3>
    set server4 <domain4>
    set server5 <domain5>
end

edit <server_name>
  Enter a name to identify the Directory Service server. Enter a new name to create a new server definition or enter an existing server name to edit that server definition.
  Default: No default.
ldap_server <ldap-server-name>
  Enter the name of the LDAP server to be used to access the Directory Service.
  Default: No default.
password <password> password2 <password2> password3 <password3> password4 <password4> password5 <password5>
  For each collector agent, enter the password.
  Default: No default.
port <port_number> <port_number2> <port_number3> <port_number4> <port_number5>
  For each collector agent, enter the port number used for communication with FortiGate units.
  Default: 8000
server <domain> server2 <domain2> server3 <domain3> server4 <domain4> server5 <domain5>
  Enter the domain name or IP address for up to five collector agents. Range from 1 to 63 characters.
  Default: No default.
History
FortiOS v3.0      New.
FortiOS v3.0 MR6  Added ldap_server, added range to server <domain>.
FortiOS v3.0 MR7  Changed Active Directory to Directory Service.
Related topics
user group
execute fsae refresh
firewall policy, policy6
group
Use this command to add or edit user groups.
There are three types of user groups:
Firewall user group
  Provides access to firewall policies that require authentication. A firewall policy specifies the user groups that are allowed to use the policy. Members of a firewall user group can be local users defined in user local, peer members defined in user peer, or accounts on RADIUS or LDAP servers configured in user radius or user ldap. Users must provide a user name and password to use the firewall policy.
SSL-VPN user group
  Provides access to the FortiGate SSL-VPN tunnel and SSL-VPN web applications. Members of an SSL-VPN user group can be local users defined in user local or accounts on RADIUS or LDAP servers configured in user radius or user ldap. Users authenticate using their VPN client or through the SSL-VPN web portal login page.
Directory Service user group
  Provides access to firewall policies that require authentication. Members of a Directory Service user group are members of selected Directory Service user groups on Directory Service servers configured in user fsae. Users are authenticated when they log on to their Windows domain and are not required to authenticate again to use FortiGate firewall policies.
Note: User groups can utilize defined peer members as part of a group.
To enable authentication, you must add user names, RADIUS servers and LDAP servers to one or more user groups. You can then select a user group when you require authentication. You can select a user group to configure authentication for:
• Firewall policies that require authentication
  Only users in the selected user group or users that can authenticate with the RADIUS or LDAP servers added to the user group can authenticate with these policies.
• SSL-VPN configurations
• IPSec VPN Phase 1 configurations for dialup users
  Only users in the selected user group can authenticate to use the VPN tunnel.
• XAuth for IPSec VPN Phase 1 configurations
  Only users in the selected user group can be authenticated using XAuth.
• FortiGate PPTP and L2TP configurations
  Only users in the selected user group can use the PPTP or L2TP configuration.
• Administrator login with RADIUS authentication
  If you use a user group for administrator authentication, it must contain only RADIUS servers.
• FortiGuard Web Filtering override groups
  When FortiGuard Web Filtering blocks a web page, authorized users can authenticate to access the web page or to allow members of another group to access it.
When you add user names, RADIUS servers, and LDAP servers to a user group, the order in which they are added determines the order in which the FortiGate unit checks for authentication. If user names are first, then the FortiGate unit checks first for a match with the local user names. If a match is not found, the FortiGate unit checks the RADIUS or LDAP server. If a RADIUS or LDAP server is added first, the FortiGate unit checks the server and then the local user names.
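The member-order rule just described has a practical consequence: a group that lists its RADIUS or LDAP servers before its local users sends every login attempt to the servers first, while a group that lists local users first never contacts a server for a name that matches locally. The following added Python example (not Fortinet code and not part of this reference) models that rule so the effect of member order can be seen directly. LOCAL_USERS stands in for user local entries and FakeServer for user radius / user ldap entries; both are constructed. That a member which fails simply hands over to the next member is this example's assumption; the text states only the checking order.

```python
"""Model the member-order rule of 'config user group': members are tried in
the order they were added.  Added example, not Fortinet code."""

from hmac import compare_digest

LOCAL_USERS = {"User_2": "pw-user-2", "User_3": "pw-user-3"}  # constructed 'user local' stand-in


class FakeServer:
    """Stand-in for a RADIUS or LDAP server entry; counts how often it is queried
    so the effect of member order is observable."""

    def __init__(self, name, accounts):
        self.name = name
        self.accounts = accounts  # constructed account database
        self.queries = 0

    def authenticate(self, user, password):
        self.queries += 1
        return compare_digest(self.accounts.get(user, ""), password)


SERVERS = {  # constructed 'user radius' / 'user ldap' stand-ins
    "Radius_2": FakeServer("Radius_2", {"alice": "pw-alice"}),
    "LDAP_1": FakeServer("LDAP_1", {"bob": "pw-bob", "User_3": "ldap-pw-user-3"}),
}


def authenticate(members, user, password, local_users=LOCAL_USERS, servers=SERVERS):
    """Return 'local:<name>' or 'server:<name>' for the member that accepted
    the credentials, or None.  Members are tried strictly in list order:
    a local user name matches only the identical login name, a server
    member is asked about any login name.  A member that fails passes the
    attempt to the next member (assumption, see lead-in)."""
    for member in members:
        if member in local_users:
            if member == user and compare_digest(local_users[member], password):
                return f"local:{member}"
        elif member in servers:
            if servers[member].authenticate(user, password):
                return f"server:{member}"
        else:
            raise KeyError(f"group member {member!r} is neither a local user nor a server")
    return None


if __name__ == "__main__":
    # Same member list as the Example for this command: local users first.
    members = ["User_2", "User_3", "Radius_2", "LDAP_1"]
    print(authenticate(members, "User_3", "pw-user-3"))   # local match, no server asked
    print(authenticate(members, "bob", "pw-bob"))          # falls through to LDAP_1
    print({name: srv.queries for name, srv in SERVERS.items()})
```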
Syntax
config user group
  edit <groupname>
    set authtimeout <timeout>
    set group-type <grp_type>
    set member <names>
    set profile <profilename>
    set ftgd-wf-ovrd {allow | deny}
    set ftgd-wf-ovrd-dur <###d##h##m>
    set ftgd-wf-ovrd-dur-mode <mode>
    set ftgd-wf-ovrd-ext <option>
    set ftgd-wf-ovrd-scope <scope>
    set ftgd-wf-ovrd-type <o_type>
    set redir-url <url_string>
    set sslvpn-cache-cleaner {enable | disable}
    set sslvpn-client-check {3rdAV | 3rdFW | forticlient-av | forticlient-fw}
    set sslvpn-portal-heading <web_portal_string>
    set sslvpn-tunnel {enable | disable}
    set sslvpn-tunnel-startip <ipv4>
    set sslvpn-tunnel-endip <ipv4>
    set sslvpn-split-tunneling {enable | disable}
    set sslvpn-webapp {enable | disable}
    set sslvpn-ftp {enable | disable}
    set sslvpn-http {enable | disable}
    set sslvpn-ssh {enable | disable}
    set sslvpn-samba {enable | disable}
    set sslvpn-rdp {enable | disable}
    set sslvpn-telnet {enable | disable}
    set sslvpn-vnc {enable | disable}
    set sslvpn-os-check {enable | disable}
    config sslvpn-os-check-list {windows-2000 | windows-xp}
      set action {deny | check-up-to-date | allow}
      set latest-patch-level {disable | 0 - 255}
      set tolerance <tolerance_num>
    set sslvpn-virtual-desktop {enable | disable}
  end
end

edit <groupname>
  Enter a new name to create a new group or enter an existing group name to edit that group.
  Default: No default.
group-type <grp_type>
  Enter the group type. <grp_type> determines the type of users and is one of the following:
    directory-service  Directory Service users
    firewall           FortiGate users defined in user local, user ldap or user radius
    sslvpn             SSL-VPN users
  Default: firewall
member <names>
  Enter the names of users, peers, LDAP servers, or RADIUS servers to add to the user group. Separate names by spaces. To add or remove names from the group you must re-enter the whole list with the additions or deletions required.
  Default: No default.
profile <profilename>
  Enter the name of the firewall protection profile to associate with this user group.
  Default: No default.
authtimeout <timeout>
  Enter the value in seconds of an authentication timeout for the user group. If not set, the global authentication timeout value is used. 0 - 480 minutes.
  Default: 0

FortiGuard override variables

ftgd-wf-ovrd {allow | deny}
  Allow or deny this group FortiGuard Web Filtering overrides.
  Default: deny
ftgd-wf-ovrd-dur <###d##h##m>
  Enter the FortiGuard Web Filtering override duration in days, hours, and minutes.
  Default: 15m
ftgd-wf-ovrd-dur-mode <mode>
  Enter the FortiGuard Web Filtering duration type, one of:
    constant  as specified in ftgd-wf-ovrd-dur
    ask       ask for duration when initiating override. ftgd-wf-ovrd-dur is the maximum
  Default: constant
ftgd-wf-ovrd-ext <option>
  Enter one of the following to determine whether users can follow links to external sites during FortiGuard Web Filtering override: allow, deny, ask
  Default: allow
ftgd-wf-ovrd-scope <scope>
  Enter the scope of the FortiGuard Web Filtering override, one of:
    user        override for the user
    user-group  override for the user's group
    ip          override for the initiating IP
    profile     override for the user's protection profile
    ask         ask for scope when initiating an override
  Default: user
ftgd-wf-ovrd-type <o_type>
  Enter the type of FortiGuard Web Filtering override, one of:
    dir     override for the specific website directory
    domain  override for the specific domain
    rating  override for the specific rating
    ask     ask for type when initiating an override
  Default: dir

SSLVPN variables

redir-url <url_string>
  Enter the URL for an optional second browser window to open when the SSL VPN web portal page opens. The web server for this URL must reside on the private network behind the FortiGate unit.
  Default: No default.
sslvpn-cache-cleaner {enable | disable}
  Enable to remove all temporary Internet files created on the client computer between user login and logout. This is done with a downloaded ActiveX control and works only on Internet Explorer.
  Default: disable
sslvpn-client-check {3rdAV | 3rdFW | forticlient-av | forticlient-fw}
  Allow the client to connect only if it has security software installed. Enter one of:
    3rdAV           check for Norton (Symantec) or McAfee antivirus software (for systems other than Windows XP SP2), or Trend Micro, Sophos, Panda Platinum 2006 Internet Security, F-Secure, Secure Resolutions, Cat Computer Services, or Ahnlab antivirus software for Windows XP SP2
    3rdFW           check for Norton (Symantec) or McAfee antivirus software (for systems other than Windows XP SP2), or Trend Micro, Panda Platinum 2006 Internet Security, F-Secure, Secure Resolutions, Cat Computer Services, or Ahnlab firewall software for Windows XP SP2
    forticlient-av  check for FortiClient antivirus software
    forticlient-fw  check for FortiClient firewall software
  Default: No default.
sslvpn-os-check {enable | disable}
  Enable or disable SSL VPN OS patch level check.
  Default: disable
sslvpn-os-check-list {windows-2000 | windows-xp}
  Configure the OS of the patch level check. Only available if sslvpn-os-check is enabled.
  Default: No default.
action {deny | check-up-to-date | allow}
  Specify how to perform the patch level check.
    allow             any level is permitted
    check-up-to-date  some patch levels are permitted, make selections in
    deny              OS version does not permit access
  If set to check-up-to-date, you can set values for latest-patch-level and tolerance. Only available if sslvpn-os-check is enabled.
  Default: No default.
latest-patch-level {disable | 0 - 255}
  Specify the latest allowed patch level. Default 4 for Windows 2000, 2 for Windows XP. Value used in tolerance calculation: latest-patch-level minus tolerance = patch level version variance for OS matching. Only available if sslvpn-os-check is enabled.
  Default: No default.
tolerance <tolerance_num>
  Specify the lowest allowable patch level tolerance. Equals latest-patch-level minus tolerance and above. Default for Windows 2000 and Windows XP is 0. Only available if sslvpn-os-check is enabled and action is set to check-up-to-date.
  Default: 0
sslvpn-portal-heading <web_portal_string>
  Type a custom caption for display at the top of the web portal home page for the SSL VPN user group.
  Default: No default.
sslvpn-tunnel {enable | disable}
  Enable or disable SSL-VPN tunnel access for this group. Not available in Transparent mode.
  Default: disable
sslvpn-tunnel-startip <ipv4>
  Enter the first IP address of the IP address range reserved for SSL-VPN clients.
  Default: No default.
sslvpn-tunnel-endip <ipv4>
  Enter the last IP address of the IP address range reserved for SSL-VPN clients.
  Default: No default.
sslvpn-split-tunneling {enable | disable}
  Enable or disable the split tunneling feature for this group.
  Default: disable
sslvpn-webapp {enable | disable}
  Enable or disable access to web applications for this group. Not available in Transparent mode.
  Default: disable
sslvpn-ftp {enable | disable}
  Enable or disable access to the FTP web application. This option is available only if sslvpn-webapp is enabled. Not available in Transparent mode.
  Default: disable
sslvpn-http {enable | disable}
  Enable or disable access to the HTTP/HTTPS proxy web application. This option is available only if sslvpn-webapp is enabled. Not available in Transparent mode.
  Default: disable
sslvpn-samba {enable | disable}
  Enable or disable access to the Samba web application. This option is available only if sslvpn-webapp is enabled. Not available in Transparent mode.
  Default: disable
sslvpn-ssh {enable | disable}
  Enable or disable access to the SSH web application. This option is available only if sslvpn-webapp is enabled. Not available in Transparent mode.
  Default: disable
sslvpn-telnet {enable | disable}
  Enable or disable access to the Telnet web application. This option is available only if sslvpn-webapp is enabled. Not available in Transparent mode.
  Default: disable
sslvpn-vnc {enable | disable}
  Enable or disable access to the VNC web application. This option is available only if sslvpn-webapp is enabled. Not available in Transparent mode.
  Default: disable
sslvpn-rdp {enable | disable}
  Enable or disable access to the RDP web application. This option is available only if sslvpn-webapp is enabled. Not available in Transparent mode.
  Default: disable
sslvpn-virtual-desktop {enable | disable}
  Enable the Virtual Desktop SSL VPN client application. If set to enable on the client, attempts to connect via SSL VPN are refused.
  Default: disable

Example
This example shows how to add a group named User_Grp_1, add User_2, User_3, Radius_2 and LDAP_1 as members of the group, and set the protection profile to strict:
config user group
  edit User_Grp_1
    set member User_2 User_3 Radius_2 LDAP_1
    set profile strict
end
History
FortiOS v2.80      Revised.
FortiOS v2.80 MR3  Added profile keyword.
FortiOS v3.00 MR2  Expanded definition of sslvpn-client-check. Added keyword/variable sslvpn-split-tunneling {enable | disable}. Added keyword/variable sslvpn-portal-heading <web_portal_string>.
FortiOS v3.00 MR3  Added keyword/variable authtimeout. Added keyword/variables sslvpn-vnc and sslvpn-rdp.
FortiOS v3.00 MR4  Peer members can be included in user groups.
FortiOS v3.00 MR7  Added keyword/variable sslvpn-ssh. Changed Active Directory to Directory Service. Added sslvpn-virtual-desktop, sslvpn-os-check, sslvpn-os-check-list, action, latest-patch-level, and tolerance.
Related topics
user ldap
user local
user radius
user tacacs+
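The sslvpn-os-check settings (action, latest-patch-level and tolerance, described in the table above) combine into one decision per connecting client: with check-up-to-date, the client is accepted when its patch level is at least latest-patch-level minus tolerance. The following added Python example (not Fortinet code and not part of this reference) carries that rule through, including the per-OS defaults the table states (latest-patch-level 4 for windows-2000 and 2 for windows-xp, tolerance 0). OS_CHECK_LIST is a constructed sslvpn-os-check-list; how the client's OS and patch level are learned is outside the example, so they are passed in as values. Two cases the table leaves open are this example's assumptions, marked in the code: a client OS absent from the list is refused, and latest-patch-level disable imposes no floor.

```python
"""Evaluate the sslvpn-os-check rules for one SSL VPN client.
Added example, not Fortinet code."""

# Defaults for latest-patch-level as stated in the table: 4 for Windows 2000,
# 2 for Windows XP.  The list accepts only these two OS names.
DEFAULT_LATEST_PATCH_LEVEL = {"windows-2000": 4, "windows-xp": 2}

OS_CHECK_LIST = {  # constructed sslvpn-os-check-list
    "windows-xp": {"action": "check-up-to-date", "latest-patch-level": 3, "tolerance": 1},
    "windows-2000": {"action": "deny"},
}


def os_check(os_check_list, client_os, client_patch_level):
    """Return ('allow' | 'deny', reason) for a client reporting client_os and
    client_patch_level against the configured sslvpn-os-check-list."""
    entry = os_check_list.get(client_os)
    if entry is None:
        # Assumption: an OS not in the list is refused.
        return "deny", f"{client_os} is not in sslvpn-os-check-list"
    action = entry["action"]
    if action == "allow":
        return "allow", "any patch level is permitted"
    if action == "deny":
        return "deny", f"{client_os} does not permit access"
    if action != "check-up-to-date":
        raise ValueError(f"unknown action {action!r}")
    latest = entry.get("latest-patch-level")
    if latest is None:
        latest = DEFAULT_LATEST_PATCH_LEVEL[client_os]
    if latest == "disable":
        # Assumption: 'disable' means no patch level floor is applied.
        return "allow", "latest-patch-level is disabled, no floor applied"
    latest = int(latest)
    if not 0 <= latest <= 255:
        raise ValueError("latest-patch-level must be 'disable' or 0 - 255")
    tolerance = int(entry.get("tolerance", 0))
    floor = max(latest - tolerance, 0)  # latest-patch-level minus tolerance
    if client_patch_level >= floor:
        return "allow", f"patch level {client_patch_level} meets floor {floor}"
    return "deny", f"patch level {client_patch_level} is below floor {floor} ({latest} minus {tolerance})"


if __name__ == "__main__":
    for os_name, level in [("windows-xp", 3), ("windows-xp", 2), ("windows-xp", 1), ("windows-2000", 4)]:
        print(os_name, level, os_check(OS_CHECK_LIST, os_name, level))
```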
ldap
Use this command to add or edit the definition of an LDAP server for user authentication.
To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit
sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the
user is successfully authenticated with the FortiGate unit. If the LDAP server cannot authenticate the user,
the connection is refused by the FortiGate unit. The maximum number of remote LDAP servers that can be
configured for authentication is 10.
The FortiGate unit supports LDAP protocol functionality defined in RFC2251 for looking up and validating
user names and passwords. FortiGate LDAP supports all LDAP servers compliant with LDAP v3.
FortiGate LDAP support does not extend to proprietary functionality, such as notification of password
expiration, that is available from some LDAP servers. FortiGate LDAP support does not supply information
to the user about why authentication failed.
LDAP user authentication is supported for PPTP, L2TP, IPSec VPN, and firewall authentication. With
PPTP, L2TP, and IPSec VPN, PAP (Packet Authentication Protocol) is supported and CHAP (Challenge
Handshake Authentication Protocol) is not.
Syntax
config user ldap
    edit <server_name>
        set cnid <id>
        set dn <dname>
        set port <number>
        set server <domain>
        set type <auth_type>
        set username <ldap_username>
        set password <ldap_passwd>
        set group <group>
        set filter <group_filter>
        set secure <auth_port>
        set ca-cert <cert_name>
    end
Keywords and variables / Description / Default
cnid <id>
    Enter the common name identifier for the LDAP server. The common name identifier for most LDAP servers is cn. However some servers use other common name identifiers such as uid. Maximum 20 characters.
    Default: cn
dn <dname>
    Enter the distinguished name used to look up entries on the LDAP server. It reflects the hierarchy of LDAP database object classes above the Common Name Identifier. The FortiGate unit passes this distinguished name unchanged to the server. You must provide a dn value if type is simple. Maximum 512 characters.
    No default.
edit <server_name>
    Enter a name to identify the LDAP server. Enter a new name to create a new server definition or enter an existing server name to edit that server definition.
    No default.
port <number>
    Enter the port number for communication with the LDAP server.
    Default: 389
server <domain>
    Enter the LDAP server domain name or IP address.
    No default.
type <auth_type>
    Enter the authentication type for LDAP searches. One of:
    anonymous - bind using anonymous user search
    regular - bind using username/password and then search
    simple - simple password authentication without search
    You can use simple authentication if the user records are all under one dn that you know. If the users are under more than one dn, use the anonymous or regular type, which can search the entire LDAP database for the required user name. If your LDAP server requires authentication to perform searches, use the regular type and provide values for username and password.
    Default: simple
username <ldap_username>
    This keyword is available only if type is regular. For regular authentication, you need a user name and password. See your server administrator for more information.
    No default.
password <ldap_passwd>
    This keyword is available only if type is regular. For regular authentication, you need a user name and password. See your server administrator for more information.
    No default.
group <group>
    This keyword is available when the LDAP server must authenticate that a user is a member of this group on the LDAP server.
    No default.
filter <group_filter>
    Enter the name of the filter for group searches. The search for the group on the LDAP server is done with the following default filter configuration:
    (&(objectcategory=group)(member=*))
secure <auth_port> {disable | starttls | ldaps}
    Select the port to be used in authentication.
    disable - port 389
    ldaps - port 636
    starttls - port 389
    Default: disable
ca-cert <cert_name>
    This keyword is available when secure is set to ldaps or starttls. User authentication will take place via a CA certificate. The CA certificate will be used by the LDAP library to validate the public certificate provided by the LDAP server.
    Default: null
Example
This example shows how to add an LDAP server called LDAP1 using the IP address 23.64.67.44, the default port, the common name cn, and the distinguished name ou=marketing,dc=fortinet,dc=com for simple authentication.
config user ldap
    edit LDAP1
        set server 23.64.67.44
        set cnid cn
        set dn ou=marketing,dc=fortinet,dc=com
    end
This example shows how to change the distinguished name in the example above to ou=accounts,ou=marketing,dc=fortinet,dc=com.
config user ldap
    edit LDAP1
        set dn ou=accounts,ou=marketing,dc=fortinet,dc=com
    end
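The LDAP1 examples above use type simple over the default clear-text port 389, so each user's password crosses the network unprotected and the LDAP server itself is never authenticated. The following added example, written for this reference and not taken from it, redefines the same server with the keywords described in the table that close those gaps: a regular bind account that is allowed to search the directory, LDAPS with the server certificate validated against an imported CA certificate, and a group membership requirement. The bind DN cn=fgt-bind,ou=service,dc=fortinet,dc=com, the CA certificate name LDAP_CA (imported beforehand with config vpn certificate ca), the group DN and the password placeholder are assumed values.

```fortios
# Assumed example: hardened variant of the LDAP1 definition, not from the reference itself
config user ldap
    edit LDAP1
        set server 23.64.67.44
        set cnid cn
        set dn ou=marketing,dc=fortinet,dc=com
        # regular: bind with a dedicated search account, then locate the user record;
        # this also works when users sit under more than one dn
        set type regular
        set username cn=fgt-bind,ou=service,dc=fortinet,dc=com
        set password <bind_account_password>
        # ldaps selects port 636; ca-cert names the CA certificate the FortiGate
        # uses to validate the certificate the LDAP server presents
        set secure ldaps
        set ca-cert LDAP_CA
        # only members of this group are accepted; the default filter
        # (&(objectcategory=group)(member=*)) is used for the group search
        set group cn=vpn-users,ou=groups,dc=fortinet,dc=com
    end
```

With secure set to disable and type simple, a failed or spoofed server would still receive real passwords; with ldaps and ca-cert set, a server that cannot present a certificate chaining to LDAP_CA is rejected before any credential is sent. The bind account should be limited on the directory side to read access on the user and group containers it needs.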
History
FortiOS v2.80 Revised.
FortiOS v3.00 MR2 Added keyword/variable group <group>.
FortiOS v3.00 MR3 Added keywords filter, secure, ca-cert.
FortiOS v3.00 MR7 Maximum length for dn = 512 characters. Maximum length for cnid = 20 characters.
Related topics
user group
user local
user radius
user tacacs+
local
Use this command to add local user names and configure user authentication for the FortiGate unit. To add authentication by LDAP or RADIUS server you must first add servers using the config user ldap and config user radius commands.
Syntax
config user local
    edit <username>
        set ldap-server <servername>
        set passwd <password_str>
        set radius-server <servername>
        set status {enable | disable}
        set type <auth-type>
    end
Example
This example shows how to add and enable a local user called Admin7 for authentication using the RADIUS server RAD1.
config user local
    edit Admin7
        set status enable
        set type radius
        set radius-server RAD1
    end
Keywords and variables / Description / Default
edit <username>
    Enter the user name. Enter a new name to create a new user account or enter an existing user name to edit that account.
ldap-server <servername>
    Enter the name of the LDAP server with which the user must authenticate. You can only select an LDAP server that has been added to the list of LDAP servers. See ldap on page 495. This is available when type is set to ldap.
    No default.
passwd <password_str>
    Enter the password with which the user must authenticate. Passwords at least 6 characters long provide better security than shorter passwords. This is available when type is set to password.
    No default.
radius-server <servername>
    Enter the name of the RADIUS server with which the user must authenticate. You can only select a RADIUS server that has been added to the list of RADIUS servers. See radius on page 503. This is available when type is set to radius.
    No default.
status {enable | disable}
    Enter enable to allow the local user to authenticate with the FortiGate unit.
    Default: enable
type <auth-type>
    Enter one of the following to specify how this user's password is verified:
    ldap - The LDAP server specified in ldap-server verifies the password.
    password - The FortiGate unit verifies the password against the value of passwd.
    radius - The RADIUS server specified in radius-server verifies the password.
    No default.
This example shows how to change the authentication method for the user Admin7 to password and enter the password.
config user local
    edit Admin7
        set type password
        set passwd abc123
    end
History
FortiOS v2.80 Revised.
FortiOS v2.80 MR2 Removed try_other keyword.
Related topics
user group
user ldap
user radius
user tacacs+
peer
Use this command to add or edit peer (digital certificate holder) information. You use the peers you define here in the config vpn ipsec phase1 command if you specify peertype as peer. Also, you can add these peers to peer groups you define in the config user peergrp command.
For PKI user authentication, you can add or edit peer information and configure use of an LDAP server to check access rights for client certificates.
This command refers to certificates imported into the FortiGate unit. You import CA certificates using the vpn certificate ca command. You import local certificates using the vpn certificate local command.
You can configure a peer user with no values in subject or ca. This user behaves like a user account or policy that is disabled.
Syntax
config user peer
    edit <peer_name>
        set ca <ca_name>
        set cn <cn_name>
        set cn-type <type>
        set ldap-password <ldap_password>
        set ldap-server <ldap_server>
        set ldap-username <ldap_user>
        set subject <constraints>
    end
Note: If you create a PKI user in the CLI with no values in subject or ca, you cannot open the user record in the GUI, or you will be prompted to add a value in Subject (subject) or CA (ca).
Keywords and variables / Description / Default
ca <ca_name>
    Enter the CA certificate name, as returned by execute vpn certificate ca list.
    No default.
cn <cn_name>
    Enter the peer certificate common name.
    No default.
cn-type <type>
    Enter the peer certificate common name type:
    FQDN - Fully-qualified domain name.
    email - The user's email address.
    ipv4 - The user's IP address (IPv4).
    ipv6 - The user's IP address (IPv6).
    string - Any other piece of information.
    Default: string
edit <peer_name>
    Enter the peer name. Enter a new name to create a new peer or enter an existing peer name to edit that peer's information.
    No default.
ldap-password <ldap_password>
    Enter the login password for the LDAP server used to perform the client access rights check for the defined peer.
    No default.
ldap-server <ldap_server>
    Enter the name of one of the LDAP servers defined under config user ldap used to perform the client access rights check for the defined peer.
    Default: null
ldap-username <ldap_user>
    Enter the login name for the LDAP server used to perform the client access rights check for the defined peer.
    Default: null
subject <constraints>
    Optionally, enter any of the peer certificate name constraints.
    No default.
Example
This example shows how to add the branch_office peer.
Configure the peer using the CA certificate name and peer information:
config user peer
    edit branch_office
        set ca CA_Cert_1
        set cn ouraddress@example2.com
        set cn-type email
    end
Configure the peer with empty subject and ca fields:
config user peer
    edit peer2
    end
History
FortiOS v2.80 MR2 New.
FortiOS v3.0 MR4 Addition of ldap-password, ldap-server, ldap-username for use of LDAP servers for PKI user authentication.
FortiOS v3.0 MR5 Addition of cn-type <type> ipv6 for authentication of IPv6 IPSec.
FortiOS v3.0 MR6 Added description of empty subject and ca fields.
Related topics
user peergrp
vpn ipsec phase1
vpn certificate ca
vpn certificate local
peergrp
Use this command to add or edit a peer group. Peers are digital certificate holders defined using the config user peer command. You use the peer groups you define here in the config vpn ipsec phase1 command if you specify peertype as peergrp.
For PKI user authentication, you can add or edit peer group member information. User groups that use PKI authentication can also be configured using config user group.
Syntax
config user peergrp
    edit <groupname>
        set member <peer_names>
    end
Keywords and variables / Description / Default
edit <groupname>
    Enter a new name to create a new peer group or enter an existing group name to edit that group.
member <peer_names>
    Enter the names of peers to add to the peer group. Separate names by spaces. To add or remove names from the group you must re-enter the whole list with the additions or deletions required.
    No default.
Example
This example shows how to add peers to the peergrp EU_branches.
config user peergrp
    edit EU_branches
        set member Sophia_branch Valencia_branch Cardiff_branch
    end
History
FortiOS v2.80 MR2 New.
Related topics
user peer
vpn ipsec phase1
vpn l2tp
vpn pptp
radius
Use this command to add or edit the information used for RADIUS authentication.
The default port for RADIUS traffic is 1812. If your RADIUS server is using a different port you can change
the default RADIUS port. You may set a different port for each of your RADIUS servers. The maximum
number of remote RADIUS servers that can be configured for authentication is 10.
The RADIUS server is now provided with more information to make authentication decisions, based on values in server, use-management-vdom, use-group-for-profile, and nas-ip. Attributes include:
NAS-IP-Address - RADIUS setting or IP address of the FortiGate interface used to talk to the RADIUS server, if not configured
NAS-Port - physical interface number of the traffic that triggered the authentication
Called-Station-ID - same value as NAS-IP-Address but in text format
Fortinet-Vdom-Name - name of the VDOM of the traffic that triggered the authentication
NAS-Identifier - configured hostname in non-HA mode; HA cluster group name in HA mode
Acct-Session-ID - unique ID identifying the authentication session
Connect-Info - identifies the service for which the authentication is being performed (web-auth, vpn-ipsec, vpn-pptp, vpn-l2tp, vpn-ssl, admin-login, test)
You may select an alternative authentication method for each server. These include CHAP, PAP, MS-CHAP, and MS-CHAP-v2.
Syntax
config user radius
    edit <server_name>
        set all-usergroup {enable | disable}
        set auth-type {auto | chap | ms_chap | ms_chap_v2 | pap}
        set nas-ip <use_ip>
        set radius-port <radius_port_num>
        set secondary-secret <sec_server_password>
        set secondary-server <sec_server_domain>
        set secret <server_password>
        set server <domain>
        set use-group-for-profile {enable | disable}
        set use-management-vdom {enable | disable}
    end
Keywords and variables / Description / Default
edit <server_name>
    Enter a name to identify the RADIUS server. Enter a new name to create a new server definition or enter an existing server name to edit that server definition.
all-usergroup {enable | disable}
    Enable to automatically include this RADIUS server in all user groups.
    Default: disable
auth-type {auto | chap | ms_chap | ms_chap_v2 | pap}
    Select the authentication method for this RADIUS server. auto uses pap, ms_chap_v2, and chap.
    Default: auto
nas-ip <use_ip>
    IP address used as the NAS-IP-Address and Called-Station-ID attribute in RADIUS access requests. RADIUS setting or IP address of the FGT interface used to talk with the RADIUS server, if not configured.
    No default.
radius-port <radius_port_num>
    Change the default RADIUS port for this server. The default port for RADIUS traffic is 1812. Range is 0..65535.
    Default: 1812
secondary-secret <sec_server_password>
    Enter the secondary RADIUS server shared secret. The server secret key should be a maximum of 16 characters in length.
    No default.
secondary-server <sec_server_domain>
    Enter the secondary RADIUS server domain name or IP address.
    No default.
secret <server_password>
    Enter the RADIUS server shared secret. The server secret key should be a maximum of 16 characters in length.
    No default.
server <domain>
    Enter the RADIUS server domain name or IP address.
    No default.
use-management-vdom {enable | disable}
    Enable to use the management VDOM to send all RADIUS requests.
    Default: disable
use-group-for-profile {enable | disable}
    Enable to use the RADIUS group attribute to select the protection profile.
    Default: disable
Example
This example shows how to add the RADIUS server RAD1 at the IP address 206.205.204.203 and set the shared secret as R1a2D3i4U5s.
config user radius
    edit RAD1
        set secret R1a2D3i4U5s
        set server 206.205.204.203
    end
History
FortiOS v2.80 Revised.
FortiOS v3.0 MR3 Added use-management-vdom, use-group-for-profile, nas-ip. Description of additional authentication attributes.
FortiOS v3.0 MR4 Added secondary-server and secondary-secret.
FortiOS v3.0 MR5 Added all-usergroup.
FortiOS v3.0 MR6 Added auth-type {auto | chap | ms_chap | ms_chap_v2 | pap}, and radius-port.
Related topics
user group
user ldap
user local
user tacacs+
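The RAD1 example above sets only server and secret, so the definition runs with auth-type auto, which includes PAP, and has no failover server. As an added example written for this reference and not taken from it, the following definition of the same server uses the remaining keywords from the table that affect the authentication path: a secondary server with its own shared secret, an explicit MS-CHAP-v2 method so the unit never falls back to PAP, a fixed nas-ip so the NAS-IP-Address and Called-Station-ID attributes stay constant whichever interface reaches the server, and the management VDOM as the source of all requests. The secondary address 206.205.204.204, the NAS address 10.1.1.1 and the secret placeholders are assumed values; a real secret must be at most 16 characters, as the table states.

```fortios
# Assumed example: RAD1 with failover and an explicit authentication method, not from the reference itself
config user radius
    edit RAD1
        set server 206.205.204.203
        set secret <primary_shared_secret>
        # second server with its own secret, tried when the primary does not answer
        set secondary-server 206.205.204.204
        set secondary-secret <secondary_shared_secret>
        # only MS-CHAP-v2 is offered; auto would also allow pap and chap
        set auth-type ms_chap_v2
        # constant NAS-IP-Address / Called-Station-ID regardless of egress interface,
        # which keeps server-side client definitions and log correlation stable
        set nas-ip 10.1.1.1
        set radius-port 1812
        # route every request through the management VDOM
        set use-management-vdom enable
        # do not silently add this server to every user group
        set all-usergroup disable
    end
```

The two secrets should differ, and each should be the longest value the 16-character limit allows, since the shared secret is the only thing that authenticates the FortiGate to the RADIUS server.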
settings
Use this command to change per-VDOM user settings such as the firewall user authentication timeout and protocol support for firewall policy authentication.
user settings differ from system global settings in that system global settings keywords apply to the entire FortiGate unit, where user settings keywords apply only to the user VDOM.
Syntax
config user setting
    set auth-cert <cert_name>
    set auth-keepalive {enable | disable}
    set auth-secure-http {enable | disable}
    set auth-type {ftp | http | https | telnet}
    set auth-timeout <auth_timeout_minutes>
end
Example
This example shows how to enable https user authentication, and set the firewall user authentication timeout to 15 minutes.
config user setting
    set auth-type https
    set auth-timeout 15
end
Keywords and variables / Description / Default
auth-cert <cert_name>
    HTTPS server certificate for policy authentication. Fortinet_Factory, Fortinet_Firmware (if applicable to your FortiGate unit), and self-sign are built-in certificates but others will be listed as you add them.
    Default: self-sign
auth-keepalive {enable | disable}
    Enable to extend the authentication time of the session through periodic traffic to prevent an idle timeout.
    Default: disable
auth-secure-http {enable | disable}
    Enable to have http user authentication redirected to the secure channel, https.
    Default: disable
auth-type {ftp | http | https | telnet}
    Set the user authentication protocol support for firewall policy authentication. The user controls which protocols should support the authentication challenge.
auth-timeout <auth_timeout_minutes>
    Set the number of minutes before the firewall user authentication timeout requires the user to authenticate again. The maximum authtimeout interval is 480 minutes (8 hours). To improve security, keep the authentication timeout at the default value of 5 minutes.
    Default: 5
History
FortiOS v3.0 MR6 New. Replaces system global variables authtimeout, auth-type, and auth-secure-http.
tacacs+
Use this command to add or edit the information used for TACACS+ authentication.
Terminal Access Controller Access-Control System (TACACS+) is a remote authentication protocol used to communicate with an authentication server. TACACS+ allows a client to accept a username and password and send a query to a TACACS+ authentication server. The server host determines whether to accept or deny the request and sends a response back that allows or denies network access to the user.
The default port for a TACACS+ server is 49. The maximum number of remote TACACS+ servers that can be configured for authentication is 10.
You may select an alternative authentication method for each server. These include CHAP, PAP, MS-CHAP, and ASCII.
Syntax
config user tacacs+
    edit <server_name>
        set authen-type {ascii | auto | chap | ms_chap | pap}
        set key <server_key>
        set tacacs+-port <tacacs+_port_num>
        set server <domain>
    end
Example
This example shows how to add the TACACS+ server TACACS1 at the IP address 206.205.204.203, set the server key as R1a2D3i4U5s, and authenticate using PAP.
config user tacacs+
    edit TACACS1
        set authen-type pap
        set key R1a2D3i4U5s
        set server 206.205.204.203
    end
Keywords and variables / Description / Default
edit <server_name>
    Enter a name to identify the TACACS+ server. Enter a new name to create a new server definition or enter an existing server name to edit that server definition.
authen-type {ascii | auto | chap | ms_chap | pap}
    Select the authentication method for this TACACS+ server. auto uses pap, ms_chap, and chap, in that order.
    Default: auto
key <server_key>
    Enter the key to access the server. Maximum 16 characters.
tacacs+-port <tacacs+_port_num>
    Change the default TACACS+ port for this server. The default port for TACACS+ traffic is 49. Range is 0..65535.
    Default: 49
server <domain>
    Enter the TACACS+ server domain name or IP address.
    No default.
History
FortiOS v3.0 MR6 New.
Related topics
user group, user local
user ldap, user radius
vpn
Use vpn commands to configure options related to virtual private networking through the FortiGate unit,
including:
IPSec operating parameters
a local address range for PPTP or L2TP clients
SSL VPN configuration settings
This chapter contains the following sections:
certificate ca
certificate crl
certificate local
certificate ocsp
certificate remote
ipsec concentrator
ipsec forticlient
ipsec manualkey
ipsec manualkey-interface
ipsec phase1
ipsec phase1-interface
ipsec phase2
ipsec phase2-interface
l2tp
pptp
ssl monitor
ssl settings
ssl web portal
certificate ca
Use this command to install Certificate Authority (CA) root certificates.
When a CA processes your Certificate Signing Request (CSR), it sends you the CA certificate, the signed local certificate and the Certificate Revocation List (CRL).
The process for obtaining and installing certificates is as follows:
1 Use the execute vpn certificate local command to generate a CSR.
2 Send the CSR to a CA.
The CA sends you the CA certificate, the signed local certificate and the CRL.
3 Use the vpn certificate local command to install the signed local certificate.
4 Use the vpn certificate ca command to install the CA certificate.
5 Use the vpn certificate crl command to install the CRL.
Depending on your terminal software, you can copy the certificate and paste it into the command.
Syntax
config vpn certificate ca
    edit <ca_name>
        set ca <cert>
    end
To view all of the information about the certificate, use the get command:
get vpn certificate ca <ca_name>
<keyword> / Description
edit <ca_name>
    Enter a name for the CA certificate.
ca <cert>
    Enter or retrieve the CA certificate in PEM format.
History
FortiOS v3.0 New.
Related topics
vpn certificate crl
vpn certificate local
vpn certificate ocsp
vpn certificate remote
execute vpn certificate ca
certificate crl
Use this command to install a Certificate Revocation List (CRL).
When a CA processes your Certificate Signing Request (CSR), it sends you the CA certificate, the signed local certificate and the Certificate Revocation List (CRL).
The process for obtaining and installing certificates is as follows:
1 Use the execute vpn certificate local command to generate a CSR.
2 Send the CSR to a CA.
The CA sends you the CA certificate, the signed local certificate and the CRL.
3 Use the vpn certificate local command to install the signed local certificate.
4 Use the vpn certificate ca command to install the CA certificate.
5 Use the vpn certificate crl command to install the CRL.
Depending on your terminal software, you can copy the certificate and paste it into the command.
The CRL now updates automatically from a remote server.
Syntax
config vpn certificate crl
    edit <crl_name>
        set crl <crl_PEM>
        set ldap-server <ldap_server_name>
        set ldap-username <ldap_username>
        set ldap-password <ldap_password>
        set scep-cert <scep_certificate>
        set scep-url <scep_url>
        set update-vdom <update_vdom>
        set http-url <http_url>
    end
<keyword> / Description
edit <crl_name>
    Enter a name for the Certificate Revocation List (CRL).
crl <crl_PEM>
    Enter the CRL in PEM format.
ldap-server <ldap_server_name>
    Name of the LDAP server defined in the config user ldap table for CRL auto-update.
ldap-username <ldap_username>
    LDAP login name.
ldap-password <ldap_password>
    LDAP login password.
scep-cert <scep_certificate>
    Local certificate used for SCEP communication for CRL auto-update.
scep-url <scep_url>
    URL of the SCEP server used for automatic CRL certificate updates. Start with http://.
update-vdom <update_vdom>
    VDOM used to communicate with the remote SCEP server for CRL auto-update.
http-url <http_url>
    URL of an http server used for automatic CRL certificate updates. Start with http://.
History
FortiOS v3.0 New.
FortiOS v3.0 MR4 Added variables for use with certificate authentication (automatic CRL updates).
Related topics
vpn certificate ca
vpn certificate local
vpn certificate ocsp
vpn certificate remote
execute vpn certificate crl
certificate local
Use this command to install local certificates.
When a CA processes your Certificate Signing Request (CSR), it sends you the CA certificate, the signed local certificate and the Certificate Revocation List (CRL).
The process for obtaining and installing certificates is as follows:
1 Use the execute vpn certificate local command to generate a CSR.
2 Send the CSR to a CA.
The CA sends you the CA certificate, the signed local certificate and the CRL.
3 Use the vpn certificate local command to install the signed local certificate.
4 Use the vpn certificate ca command to install the CA certificate.
5 Use the vpn certificate crl command to install the CRL.
Depending on your terminal software, you can copy the certificate and paste it into the command.
Syntax
config vpn certificate local
    edit <cert_name>
        set password <pwd>
        set comments <comment_text>
        set private-key <prkey>
        set certificate <cert_PEM>
        set csr <csr_PEM>
    end
To view all of the information about the certificate, use the get command:
get vpn certificate local [cert_name]
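The five-step procedure repeated in the certificate ca, certificate crl and certificate local sections names three install commands but never shows a complete run. The following added example, written for this reference and not taken from it, carries steps 3 to 5 through on one unit after the CA has answered, then verifies the result with the get commands described in those sections. The entry name FGT_VPN_Cert must match the entry whose CSR was generated in step 1; the CA name Example_CA, the CRL name Example_CA_CRL, the distribution URL http://crl.example.com/example_ca.crl and the PEM placeholders are assumed values.

```fortios
# Assumed example: steps 3 to 5 of the certificate procedure on one unit, not from the reference itself

# Step 3: paste the signed certificate returned by the CA into the entry created in step 1.
# csr, private-key and password were generated on this unit and are left untouched.
config vpn certificate local
    edit FGT_VPN_Cert
        set certificate "<signed_local_certificate_PEM>"
        set comments "VPN server certificate signed by Example CA"
    end

# Step 4: install the CA certificate that signed it, so the unit can validate
# this certificate and any peer certificate issued by the same CA.
config vpn certificate ca
    edit Example_CA
        set ca "<ca_certificate_PEM>"
    end

# Step 5: install the CRL the CA supplied and point at its http distribution point,
# so later revocations are fetched automatically rather than pasted by hand.
config vpn certificate crl
    edit Example_CA_CRL
        set crl "<crl_PEM>"
        set http-url http://crl.example.com/example_ca.crl
    end

# Confirm what was installed before referencing the names in VPN or peer configuration.
get vpn certificate local FGT_VPN_Cert
get vpn certificate ca Example_CA
```

Pasting the signed certificate into a different local entry than the one that produced the CSR leaves the certificate without its private key, which is why the entry name in step 3 is the one thing in this sequence that cannot be chosen freely.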
<keyword> / Description
edit <cert_name>
    Enter the local certificate name.
certificate <cert_PEM>
    Enter the signed local certificate in PEM format.
comments <comment_text>
    Enter any relevant information about the certificate.
You should not modify the following variables if you generated the CSR on this unit.
csr <csr_PEM>
    The CSR in PEM format.
password <pwd>
    The password in PEM format.
private-key <prkey>
    The private key in PEM format.
History
FortiOS v3.0 New.
FortiOS v3.0 MR6 Added comments field.
Related topics
vpn certificate ca
vpn certificate crl
vpn certificate ocsp
vpn certificate remote
execute vpn certificate local
certificate ocsp
Use this command to install remote certificates. The remote certificates are public certificates without a
private key. They are used as OCSP (Online Certificate Status Protocol) server certificates.
Syntax
config vpn certificate ocsp
    edit cert <cert_name>
        set url <ocsp_url>
        set unavail-action <unavailable_action>
    end
To view all of the information about the certificate, use the get command:
get vpn certificate ocsp [cert_name]
<keyword> / Description
cert <cert_name>
    Enter the OCSP server public certificate (one of the remote certificates).
url <ocsp_url>
    Enter the URL of the OCSP server.
unavail-action <unavailable_action>
    Action taken on client certification when the OCSP server is unreachable: revoke or ignore. Default is revoke.
History
FortiOS v3.0 MR4 New.
Related topics
vpn certificate local
vpn certificate ca
vpn certificate crl
vpn certificate remote
execute vpn certificate remote
certificate remote
Use this command to install remote certificates. The remote certificates are public certificates without a
private key. They are used as OCSP (Online Certificate Status Protocol) server certificates.
Syntax
config vpn certificate remote
    edit cert <cert_name>
        set remote <remote_cert_detail>
    end
To view all of the information about the certificate, use the get command:
get vpn certificate remote [cert_name]
<keyword> / Description
cert <cert_name>
    Enter the name of the public certificate.
remote <remote_cert_detail>
    Details/description of the remote certificate.
History
FortiOS v3.0 MR4 New.
Related topics
vpn certificate local
vpn certificate ca
vpn certificate crl
vpn certificate ocsp
execute vpn certificate remote
ipsec concentrator
Use this command to add IPSec policy-based VPN tunnels to a VPN concentrator. The VPN concentrator
collects hub-and-spoke tunnels into a group.
The concentrator allows VPN traffic to pass from one tunnel to the other through the FortiGate unit. The
FortiGate unit functions as a concentrator, or hub, in a hub-and-spoke network.
Syntax
config vpn ipsec concentrator
    edit <concentrator_name>
        set member <member_name> [member_name] [member_name]
        set src-check {enable | disable}
    end
Example
Use the following commands to add an IPSec VPN concentrator named Concen_1 and add three tunnels to the concentrator.
config vpn ipsec concentrator
    edit Concen_1
        set member Tunnel_1 Tunnel_2 Tunnel_3
    end
Note: VPN concentrators are not available in Transparent mode.
Note: The member keyword is required.
Variables / Description / Default
edit <concentrator_name>
    Enter a name for the concentrator.
    No default.
member <member_name> [member_name] [member_name]
    Enter the names of up to three VPN tunnels to add to the concentrator. Separate the tunnel names with spaces. Members can be tunnels defined in vpn ipsec phase1 or vpn ipsec manual-key. To add or remove tunnels from the concentrator you must re-enter the whole list with the required additions or deletions.
    No default.
src-check {enable | disable}
    Enable to check the source address of the phase2 selector when locating the best matching phase2 in a concentrator. The default is to check only the destination selector.
    Default: disable
History
FortiOS v2.80 Revised.
FortiOS v2.80 MR4 Method for adding concentrators changed.
FortiOS v3.0 Members must now be phase1 configurations, not phase2.
FortiOS v4.0 Added src-check keyword.
Related topics
vpn ipsec phase1, vpn ipsec manualkey
ipsec forticlient
Use this command to configure automatic VPN configuration for FortiClient Host Security application
users.
The FortiClient users who will use automatic configuration must be members of a user group. The config vpn ipsec forticlient command creates a realm that associates the user group with the phase 2 VPN configuration. You can create multiple realms to associate different user groups with different phase 2 configurations.
The user group identifies the user name and password settings that the dialup client's credentials must match in order for authentication to be successful. The phase 2 tunnel definition and its associated firewall encryption policy provide the configuration parameters to download to the FortiClient Host Security application.
Syntax
Set or unset VPN policy distribution parameters.
config vpn ipsec forticlient
    edit <realm_name>
        set phase2name <tunnel_name>
        set status {disable | enable}
        set usergroupname <group_name>
    end
Example
The following example enables VPN policy distribution for a user group called Dialup_users. The phase 2 tunnel configuration named FG1toDialup_tunnel provides the FortiGate unit with the information it needs to find and apply the associated firewall encryption policy:
config vpn ipsec forticlient
    edit Standard_VPN_policy
        set phase2name FG1toDialup_tunnel
        set usergroupname Dialup_users
        set status enable
    end
History
Related topics
vpn ipsec phase2
user group
Variables Description Default
edi t <r eal m_name> Enter a name for the FortiClient realm. This is also referred to as
the policy name.
No default.
phase2name <t unnel _name> Enter the name of the phase 2 tunnel configuration that you
defined as part of the dialup-client configuration.
Nul l
st at us {di sabl e | enabl e} Enable or disable IPSec VPN policy distribution. enabl e
user gr oupname <gr oup_name> Enter the name of the user group that you created for dialup
clients. This group must already exist.
Nul l
FortiOS v3.0 New.
ipsec manualkey
Use this command to configure manual keys for IPSec tunnel-mode VPN tunnels. You configure a manual key tunnel to create an IPSec tunnel-mode VPN tunnel between the FortiGate unit and a remote IPSec VPN client or gateway that also uses manual keys.
A manual key VPN tunnel consists of a name for the tunnel, the IP address of the VPN gateway or client at the opposite end of the tunnel, and the encryption and authentication algorithms to use for the tunnel. Because the keys are entered when you configure the tunnel, no negotiation is required for the VPN tunnel to start. However, the VPN gateway or client that connects to this tunnel must use the same encryption and authentication algorithms and must have the same encryption and authentication keys. Because there is no IKE exchange, the keys are never rotated unless you change them at both ends; generate them from a cryptographically secure random source and prefer the phase1/phase2 commands wherever the peer supports IKE.
Syntax
    config vpn ipsec manualkey
        edit <tunnel_name>
            set authentication <authentication_algorithm>
            set authkey <authentication_key>
            set encryption <method>
            set enckey <encryption_key>
            set interface <interface_name>
            set localspi <local_spi_number>
            set local-gw <address_ipv4>
            set remote-gw <address_ipv4>
            set remotespi <remote_spi_number>
    end
Note: The authentication, encryption, interface, remote-gw, localspi, and remotespi keywords are required. All other keywords are optional.
Variables
edit <tunnel_name>
    Enter a name for the tunnel.
    Default: No default.
authentication <authentication_algorithm>
    Enter one of the following authentication algorithms: md5, null, sha1.
    Make sure you use the same algorithm at both ends of the tunnel.
    Note: encryption and authentication cannot both be null.
    Default: null
authkey <authentication_key>
    This keyword is available when authentication is set to md5 or sha1.
    If authentication is md5, enter a 32 digit (16 byte) hexadecimal number. Separate each 16 digit (8 byte) hexadecimal segment with a hyphen.
    If authentication is sha1, enter a 40 digit (20 byte) hexadecimal number. Use a hyphen to separate the first 16 digits (8 bytes) from the remaining 24 digits (12 bytes).
    Digits can be 0 to 9, and a to f.
    Use the same authentication key at both ends of the tunnel.
    Default: - (No default.)
encryption <method>
    Enter one of the following encryption algorithms: 3des, aes128, aes192, aes256, des, null.
    Make sure you use the same algorithm at both ends of the tunnel.
    Note: encryption and authentication cannot both be null.
    Default: null
enckey <encryption_key>
    This keyword is available when encryption is set to 3des, aes128, aes192, aes256, or des. Enter the associated encryption key:
    If encryption is des, enter a 16 digit (8 byte) hexadecimal number.
    If encryption is 3des, enter a 48 digit (24 byte) hexadecimal number.
    If encryption is aes128, enter a 32 digit (16 byte) hexadecimal number.
    If encryption is aes192, enter a 48 digit (24 byte) hexadecimal number.
    If encryption is aes256, enter a 64 digit (32 byte) hexadecimal number.
    Digits can be 0 to 9, and a to f.
    For all of the above, separate each 16 digit (8 byte) hexadecimal segment with a hyphen.
    Use the same encryption key at both ends of the tunnel.
    Default: - (No default.)
interface <interface_name>
    Enter the name of the physical, aggregate, or VLAN interface to which the IPSec tunnel will be bound. The FortiGate unit obtains the IP address of the interface from system interface settings (see interface on page 387).
    You cannot change interface if a firewall policy references this VPN.
    Default: Null.
local-gw <address_ipv4>
    Optionally, specify a secondary IP address of the interface selected in interface to use for the local end of the VPN tunnel. If you do not specify an IP address here, the FortiGate unit obtains the IP address of the interface from the system interface settings (see interface on page 387).
    Default: 0.0.0.0
localspi <local_spi_number>
    Local Security Parameter Index. Enter a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f) in the range 0x100 to 0xffffffff. Enter this same number as the remote SPI at the opposite end of the tunnel.
    Default: 0x100
remote-gw <address_ipv4>
    The IP address of the remote gateway external interface.
    Default: 0.0.0.0
remotespi <remote_spi_number>
    Remote Security Parameter Index. Enter a hexadecimal number of up to eight digits in the range 0x100 to 0xffffffff. Enter this same number as the local SPI at the opposite end of the tunnel.
    Default: 0x100

Example
Use the following command to add an IPSec VPN manual key tunnel with the following characteristics:
Tunnel name: Manual_Tunnel
Local SPI: 1000ff
Remote SPI: 2000ff
Remote gateway IP address: 206.37.33.45
Encryption algorithm: 3DES
Encryption keys: 003f2b01a9002f3b 004f4b0209003f01 3b00f23bff003eff
Authentication algorithm: MD5
Authentication keys: ff003f012ba900bb 00f402303f0100ff
    config vpn ipsec manualkey
        edit Manual_Tunnel
            set localspi 1000ff
            set remotespi 2000ff
            set remote-gw 206.37.33.45
            set encryption 3des
            set enckey 003f2b01a9002f3b-004f4b0209003f01-3b00f23bff003eff
            set authentication md5
            set authkey ff003f012ba900bb-00f402303f0100ff
    end
The note above lists interface as required: add set interface with the name of the interface on which the tunnel terminates. The keys shown are illustrations only; generate your own from a cryptographically secure random source and never reuse a published value.

History
FortiOS v2.80      Revised
FortiOS v2.80 MR3  concentrator keyword available in NAT/Route mode only.
FortiOS v3.0       Removed concentrator keyword. Renamed gateway keyword to remote-gw. Added interface keyword.
FortiOS v3.0 MR3   Added local-gw keyword.
FortiOS v3.0 MR5   encryption and authentication cannot both be null.

Related topics
vpn ipsec phase2
ipsec manualkey-interface
Use this command to configure manual keys for a route-based (interface mode) IPSec VPN tunnel. When you create a route-based tunnel, the FortiGate unit creates a virtual IPSec interface automatically. The interface can be modified afterward using the system interface CLI command (see interface on page 387). This command is available only in NAT/Route mode.
Syntax
    config vpn ipsec manualkey-interface
        edit <tunnel_name>
            set auth-alg <authentication_algorithm>
            set auth-key <authentication_key>
            set enc-alg <method>
            set enc-key <encryption_key>
            set interface <interface_name>
            set ip-version <4 | 6>
            set local-gw <address_ipv4>
            set local-gw6 <address_ipv6>
            set local-spi <local_spi_number>
            set remote-gw <address_ipv4>
            set remote-gw6 <address_ipv6>
            set remote-spi <remote_spi_number>
    end
Note: The auth-alg, enc-alg, interface, remote-gw, local-spi, and remote-spi keywords are required. All other keywords are optional.
Variables
edit <tunnel_name>
    Enter a name for the tunnel.
    Default: No default.
auth-alg <authentication_algorithm>
    Enter one of the following authentication algorithms: md5, null, sha1.
    Make sure you use the same algorithm at both ends of the tunnel.
    Note: enc-alg and auth-alg cannot both be null.
    Default: null
auth-key <authentication_key>
    This keyword is available when auth-alg is set to md5 or sha1.
    If auth-alg is md5, enter a 32 digit (16 byte) hexadecimal number. Separate each 16 digit (8 byte) hexadecimal segment with a hyphen.
    If auth-alg is sha1, enter a 40 digit (20 byte) hexadecimal number. Use a hyphen to separate the first 16 digits (8 bytes) from the remaining 24 digits (12 bytes).
    Digits can be 0 to 9, and a to f.
    Use the same authentication key at both ends of the tunnel.
    Default: - (No default.)
enc-alg <method>
    Enter one of the following encryption algorithms: 3des, aes128, aes192, aes256, des, null.
    Make sure you use the same algorithm at both ends of the tunnel.
    Note: enc-alg and auth-alg cannot both be null.
    Default: null
enc-key <encryption_key>
    This keyword is available when enc-alg is set to 3des, aes128, aes192, aes256, or des. Enter the associated encryption key:
    If enc-alg is des, enter a 16 digit (8 byte) hexadecimal number.
    If enc-alg is 3des, enter a 48 digit (24 byte) hexadecimal number.
    If enc-alg is aes128, enter a 32 digit (16 byte) hexadecimal number.
    If enc-alg is aes192, enter a 48 digit (24 byte) hexadecimal number.
    If enc-alg is aes256, enter a 64 digit (32 byte) hexadecimal number.
    Digits can be 0 to 9, and a to f.
    For all of the above, separate each 16 digit (8 byte) hexadecimal segment with a hyphen.
    Use the same encryption key at both ends of the tunnel.
    Default: - (No default.)
interface <interface_name>
    Enter the name of the physical, aggregate, or VLAN interface to which the IPSec tunnel will be bound. The FortiGate unit obtains the IP address of the interface from system interface settings (see interface on page 387).
    Default: Null.
ip-version <4 | 6>
    Enter 4 for IPv4 encapsulation or 6 for IPv6 encapsulation.
    Default: 4
local-gw <address_ipv4>
local-gw6 <address_ipv6>
    By default, the FortiGate unit determines the local gateway IP address from the interface setting. Optionally, you can specify a secondary IP address configured on the same interface.
    local-gw6 is available when ip-version is 6. local-gw is available when ip-version is 4.
    Default: 0.0.0.0 for IPv4, :: for IPv6
local-spi <local_spi_number>
    Local Security Parameter Index. Enter a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f) in the range 0x100 to 0xffffffff. Enter this same number as the remote SPI at the opposite end of the tunnel.
    Default: 0x100
remote-gw <address_ipv4>
remote-gw6 <address_ipv6>
    The IP address of the remote gateway external interface.
    remote-gw6 is available when ip-version is 6. remote-gw is available when ip-version is 4.
    Default: 0.0.0.0 for IPv4, :: for IPv6
remote-spi <remote_spi_number>
    Remote Security Parameter Index. Enter a hexadecimal number of up to eight digits in the range 0x100 to 0xffffffff. Enter this same number as the local SPI at the opposite end of the tunnel.
    Default: 0x100

Example
Use the following command to add a route-based (interface-mode) IPSec VPN tunnel having the following characteristics:
Tunnel name: Manual-inf_tunnel
Local SPI: 1000ff
Remote SPI: 2000ff
VLAN interface name: vlan_1
Remote gateway IP address: 206.37.33.45
Encryption algorithm: 3DES
Encryption keys: 003f2b01a9002f3b 004f4b0209003f01 3b00f23bff003eff
Authentication algorithm: MD5
Authentication keys: ff003f012ba900bb 00f402303f0100ff
    config vpn ipsec manualkey-interface
        edit Manual-inf_tunnel
            set auth-alg md5
            set auth-key ff003f012ba900bb-00f402303f0100ff
            set enc-alg 3des
            set enc-key 003f2b01a9002f3b-004f4b0209003f01-3b00f23bff003eff
            set interface vlan_1
            set local-spi 1000ff
            set remote-spi 2000ff
            set remote-gw 206.37.33.45
    end
The keys shown are illustrations only; generate your own from a cryptographically secure random source and never reuse a published value.

History
FortiOS v3.0      New
FortiOS v3.0 MR5  enc-alg and auth-alg cannot both be null
                  Added ip-version, local-gw6 and remote-gw6 keywords.

Related topics
vpn ipsec phase2-interface
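The manualkey and manualkey-interface commands above share the same key-format rules, and the usual mistakes are a key of the wrong length, a missing hyphen, or SPIs entered the wrong way round on the second unit. The following Python is an added example, not code from the FortiGate reference or from Fortinet: it generates random keys and SPIs of the right size, formats them the way the enckey/authkey (or enc-key/auth-key) rows require, and renders matching stanzas for both ends of one tunnel in either command form. The key lengths, hyphenation rule and SPI range are those stated above; the tunnel names, interface names and addresses in the demo at the bottom are assumptions.

```python
"""Generate and validate FortiGate manual-key IPsec material (added example)."""
import re
import secrets

# Key sizes in bytes, from the enckey/authkey rows of the reference tables.
ENC_KEY_BYTES = {"des": 8, "3des": 24, "aes128": 16, "aes192": 24, "aes256": 32}
AUTH_KEY_BYTES = {"md5": 16, "sha1": 20}

# SPI range: the reference gives 0x100 as the minimum and up to eight hex digits.
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF

# The tunnel-mode and interface-mode commands spell their keywords differently.
KEYWORDS = {
    "manualkey": {"auth": "authentication", "authkey": "authkey", "enc": "encryption",
                  "enckey": "enckey", "lspi": "localspi", "rspi": "remotespi"},
    "manualkey-interface": {"auth": "auth-alg", "authkey": "auth-key", "enc": "enc-alg",
                            "enckey": "enc-key", "lspi": "local-spi", "rspi": "remote-spi"},
}


def format_key(raw: bytes) -> str:
    """Hex-encode raw bytes as 16-digit (8-byte) groups joined by hyphens.

    A short final group is merged into the one before it, which gives the
    16-24 split the reference specifies for 20-byte SHA-1 keys.
    """
    digits = raw.hex()
    groups = [digits[i:i + 16] for i in range(0, len(digits), 16)]
    if len(groups) > 1 and len(groups[-1]) < 16:
        groups[-2:] = [groups[-2] + groups[-1]]
    return "-".join(groups)


def validate_key(alg: str, key: str, sizes: dict) -> bool:
    """True if key is lowercase hex of the byte length alg needs, hyphenated as FortiOS expects."""
    if alg not in sizes or not re.fullmatch(r"[0-9a-f]+(-[0-9a-f]+)*", key):
        return False
    digits = key.replace("-", "")
    if len(digits) % 2:
        return False
    raw = bytes.fromhex(digits)
    return len(raw) == sizes[alg] and format_key(raw) == key


def new_spi() -> int:
    """Random SPI inside the permitted range (values below 0x100 are not accepted)."""
    return SPI_MIN + secrets.randbelow(SPI_MAX - SPI_MIN + 1)


def manualkey_stanza(command, name, interface, remote_gw, enc_alg, enc_key,
                     auth_alg, auth_key, local_spi, remote_spi) -> str:
    """Render one end's config block, rejecting what the reference says is invalid."""
    if command not in KEYWORDS:
        raise ValueError("command must be manualkey or manualkey-interface")
    if enc_alg == "null" and auth_alg == "null":
        raise ValueError("encryption and authentication cannot both be null")
    if enc_alg != "null" and not validate_key(enc_alg, enc_key, ENC_KEY_BYTES):
        raise ValueError(f"bad {enc_alg} key: {enc_key}")
    if auth_alg != "null" and not validate_key(auth_alg, auth_key, AUTH_KEY_BYTES):
        raise ValueError(f"bad {auth_alg} key: {auth_key}")
    for spi in (local_spi, remote_spi):
        if not SPI_MIN <= spi <= SPI_MAX:
            raise ValueError(f"SPI {spi:#x} outside 0x100-0xffffffff")
    k = KEYWORDS[command]
    lines = [f"config vpn ipsec {command}", f"  edit {name}",
             f"    set interface {interface}", f"    set remote-gw {remote_gw}",
             f"    set {k['enc']} {enc_alg}"]
    if enc_alg != "null":
        lines.append(f"    set {k['enckey']} {enc_key}")
    lines.append(f"    set {k['auth']} {auth_alg}")
    if auth_alg != "null":
        lines.append(f"    set {k['authkey']} {auth_key}")
    lines += [f"    set {k['lspi']} {local_spi:x}", f"    set {k['rspi']} {remote_spi:x}", "end"]
    return "\n".join(lines)


def tunnel_pair(command, name, a_interface, a_gw, b_interface, b_gw,
                enc_alg="aes256", auth_alg="sha1") -> dict:
    """Fresh keys and SPIs for both ends of one tunnel.

    Keys are identical on both sides; each side's local SPI is the other's remote SPI.
    """
    enc_key = format_key(secrets.token_bytes(ENC_KEY_BYTES[enc_alg]))
    auth_key = format_key(secrets.token_bytes(AUTH_KEY_BYTES[auth_alg]))
    spi_a = new_spi()
    spi_b = new_spi()
    while spi_b == spi_a:
        spi_b = new_spi()
    return {
        "spi_a": spi_a, "spi_b": spi_b, "enc_key": enc_key, "auth_key": auth_key,
        "a": manualkey_stanza(command, name, a_interface, b_gw, enc_alg, enc_key,
                              auth_alg, auth_key, spi_a, spi_b),
        "b": manualkey_stanza(command, name, b_interface, a_gw, enc_alg, enc_key,
                              auth_alg, auth_key, spi_b, spi_a),
    }


if __name__ == "__main__":
    # Constructed demo: interface names and documentation-range addresses are assumptions.
    t = tunnel_pair("manualkey-interface", "Manual-inf_tunnel",
                    "vlan_1", "203.0.113.10", "port1", "198.51.100.20")
    print(t["a"], t["b"], sep="\n\n")
```

Paste each rendered stanza on its own unit. The generator defaults to aes256 with sha1, the strongest pair the reference lists; pass enc_alg="3des", auth_alg="md5" only when the remote end cannot do better.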
ipsec phase1
Use this command to add or edit IPSec tunnel-mode phase 1 configurations. When you add a tunnel-mode phase 1 configuration, you define how the FortiGate unit and a remote VPN peer (gateway or client) authenticate themselves to each other as part of establishing an IPSec VPN tunnel.
The phase 1 configuration specifies the name of a remote VPN peer, the nature of the connection (static IP, dialup, or dynamic DNS), the encryption and authentication algorithms for the phase 1 proposal, and the authentication method (preshared key or certificate). For authentication to be successful, the FortiGate unit and the remote VPN peer must be configured with compatible phase 1 settings.
You can change all settings except the type setting after you define the configuration: if the address type of a remote peer changes, you must delete the original phase 1 configuration and define a new one. As a general rule, create only one phase 1 configuration per remote VPN peer.
Syntax
    config vpn ipsec phase1
        edit <gateway_name>
            set add-gw-route {enable | disable}
            set authmethod <authentication_method>
            set authpasswd <password>
            set authusr <user_name>
            set authusrgrp <group_name>
            set dhgrp {1 2 5}
            set distance <int>
            set dpd {disable | enable}
            set dpd-retrycount <retry_integer>
            set dpd-retryinterval <seconds> [<milliseconds>]
            set interface <interface_name>
            set keepalive <seconds>
            set keylife <seconds>
            set local-gw <address_ipv4>
            set localid <local_id>
            set mode {aggressive | main}
            set nattraversal {disable | enable}
            set peer <CA_certificate_name>
            set peerid <peer_id>
            set peergrp <certificate_group_name>
            set peertype <authentication_method>
            set priority <prio>
            set proposal <encryption_combination>
            set psksecret <preshared_key>
            set remote-gw <address_ipv4>
            set remotegw-ddns <domain_name>
            set rsa-certificate <server_certificate>
            set type <remote_gw_type>
            set usrgrp <group_name>
            set xauthtype <XAuth_type>
    end
Note: A proposal value is required. In NAT/Route mode, you must specify interface. A remote-gw value may be required depending on the value of the type attribute. You must also enter a preshared key or a certificate name depending on the value of authmethod. All other keywords are optional.
Variables
edit <gateway_name>
    Enter a name (maximum 35 characters) for this gateway. If type is dynamic, the maximum name length is further reduced depending on the number of dialup tunnels that can be established: by 2 for up to 9 tunnels, by 3 for up to 99 tunnels, by 4 for up to 999 tunnels, and so on.
    Default: No default.
add-gw-route {enable | disable}
    Enable to automatically add a route to the remote gateway specified in remote-gw. This is effective only when interface is an interface that obtains its IP address by DHCP or PPPoE. The route distance is specified in the interface configuration. See system interface on page 387.
    Default: disable
authmethod <authentication_method>
    Specify the authentication method:
    Enter psk to authenticate using a pre-shared key. Use psksecret to enter the pre-shared key.
    Enter rsa-signature to authenticate using a digital certificate. Use set rsa-certificate to enter the name of the digital certificate.
    You must configure certificates before selecting rsa-signature here. For more information, see execute vpn certificate local on page 675 and vpn certificate ca on page 508.
    Default: psk
authpasswd <password>
    This keyword is available when xauthtype is set to client.
    Enter the XAuth client password for the FortiGate unit.
    Default: No default.
authusr <user_name>
    This keyword is available when xauthtype is set to client.
    Enter the XAuth client user name for the FortiGate unit.
    Default: Null.
authusrgrp <group_name>
    This keyword is available when xauthtype is set to auto, pap, or chap.
    When the FortiGate unit is configured as an XAuth server, enter the user group to authenticate remote VPN peers. The user group can contain local users, LDAP servers, and RADIUS servers. The user group must be added to the FortiGate configuration before the group name can be cross-referenced. For more information, see user group on page 490, user ldap on page 495, user local on page 498, and user radius on page 503.
    Default: Null.
dhgrp {1 2 5}
    Type 1, 2, and/or 5 to select one or more Diffie-Hellman groups from DH group 1, 2, and 5 respectively. At least one of the DH group settings on the remote peer or client must be identical to one of the selections on the FortiGate unit.
    Default: 5
distance <int>
    Configure the administrative distance for routes added when a dialup IPSec connection is established. Using administrative distance you can specify the relative priorities of different routes to the same destination. A lower administrative distance indicates a more preferred route. Distance can be an integer from 1-255. See also router static distance <distance> on page 301.
    Default: 1
dpd {disable | enable}
    Enable or disable DPD (Dead Peer Detection). DPD detects the status of the connection between VPN peers. Enabling DPD facilitates cleaning up dead connections and establishing new VPN tunnels. DPD is not supported by all vendors and is not used unless DPD is supported and enabled by both VPN peers.
    Default: enable
dpd-retrycount <retry_integer>
    This keyword is available when dpd is set to enable.
    Set the number of times that the local VPN peer sends a DPD probe before it considers the link to be dead and tears down the security association (SA). The range is 0 to 10.
    To avoid false negatives due to congestion or other transient failures, set the retry count to a sufficiently high value for your network.
    Default: 3
dpd-retryinterval <seconds> [<milliseconds>]
    This keyword is available when dpd is set to enable.
    The DPD (Dead Peer Detection) retry interval is the time that the local VPN peer waits between sending DPD probes. Set the time in seconds plus, optionally, milliseconds. For example, for 2.5 seconds enter 2 500. The range is 1 to 60 seconds, 0 to 999 milliseconds.
    When the tunnel is starting, or if it has failed, a retry interval of 5 seconds is used if dpd-retryinterval is less than 5 seconds.
    Default: 5
interface <interface_name>
    Enter the name of the physical, aggregate, or VLAN interface to which the IPSec tunnel will be bound. The FortiGate unit obtains the IP address of the interface from system interface settings (see interface on page 387) unless you specify a different IP address using the local-gw <address_ipv4> keyword.
    You cannot change interface if a firewall policy references this VPN.
    Default: Null.
keepalive <seconds>
    This keyword is available when nattraversal is set to enable.
    Set the NAT traversal keepalive frequency. This number specifies (in seconds) how frequently empty UDP packets are sent through the NAT device to make sure that the NAT mapping does not change until the phase 1 and phase 2 security associations expire. The keepalive frequency can be from 10 to 900 seconds.
    Default: 10
keylife <seconds>
    Set the keylife time. The keylife is the amount of time (in seconds) before the phase 1 encryption key expires. When the key expires, a new key is generated without interrupting service. The range is 120 to 172,800 seconds.
    Default: 28800
local-gw <address_ipv4>
    Optionally, specify a secondary IP address of the interface selected in interface to use for the local end of the VPN tunnel. If you do not specify an IP address here, the FortiGate unit obtains the IP address of the interface from the system interface settings (see interface on page 387).
    Default: 0.0.0.0
localid <local_id>
    Enter a local ID if the FortiGate unit is functioning as a VPN client and will use the local ID for authentication purposes.
    If you want to dedicate a tunnel to a FortiGate dialup client, you must assign a unique identifier (local ID) to the FortiGate client. Whenever you configure a unique identifier (local ID) on a FortiGate dialup client, you must enable aggressive mode on the FortiGate dialup server and also specify the identifier as a peer ID on the FortiGate dialup server.
    Default: Null.
mode {aggressive | main}
    Enter aggressive or main (ID Protection) mode. Both modes establish a secure channel.
    In main mode, identifying information is hidden. Main mode is typically used when both VPN peers have static IP addresses.
    In aggressive mode, identifying information is exchanged in the clear. With pre-shared key authentication, the authentication hash sent in the aggressive-mode exchange can be captured and attacked offline, so pair aggressive mode with a long, random psksecret.
    When the remote VPN peer or client has a dynamic IP address, or the remote VPN peer or client will be authenticated using an identifier (local ID), you must select aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address.
    Default: main
nattraversal {disable | enable}
    Enable NAT traversal if you expect the IPSec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal has no effect. Both ends of the VPN must have the same NAT traversal setting. If you enable NAT traversal you can set the keepalive frequency.
    Default: enable
peer <CA_certificate_name>
    This keyword is available when authmethod is set to rsa-signature and peertype is set to peer.
    Enter the name of the peer (CA) certificate that will be used to authenticate remote VPN clients or peers. Use the command config user peer to add peer certificates. Peer certificates must be added to the FortiGate configuration before they can be cross-referenced. For more information, see user peer on page 500.
    Default: Null.
peerid <peer_id>
    This keyword is available when peertype is set to one.
    Enter the peer ID that will be used to authenticate remote clients or peers by peer ID.
    Default: Null.
peergrp <certificate_group_name>
    This keyword is available when type is set to dynamic, authmethod is set to rsa-signature, and peertype is set to peergrp.
    Enter the name of the peer certificate group that will be used to authenticate remote clients or peers. You must create the peer certificate group before the group name can be cross-referenced. For more information, see user peergrp on page 502.
    Default: Null.
peertype <authentication_method>
    The following attributes are available under the following conditions:
    one is available when mode is set to aggressive or when authmethod is set to rsa-signature.
    dialup is available when type is set to dynamic and authmethod is set to psk.
    peer is available when authmethod is set to rsa-signature.
    peergrp is available when type is set to dynamic and authmethod is set to rsa-signature.
    Enter the method for authenticating remote clients or peers when they connect to the FortiGate unit:
    Type any to accept any remote client or peer (peer IDs are not used for authentication purposes). The mode attribute can be set to aggressive or main. You can use this option with RSA Signature authentication, but for highest security you should configure a PKI user/group for the peer and set Peer Options to Accept this peer certificate only.
    Type one to authenticate either a remote peer or client that has a dynamic IP address and connects using a unique identifier over a dedicated tunnel, or more than one dialup client that connects through the same tunnel using the same (shared) identifier. Use the peerid keyword to set the peer ID. If more than one dialup client will be connecting using the same (shared) identifier, set mode to aggressive.
    Type dialup to authenticate dialup VPN clients that use unique identifiers and preshared keys (or unique preshared keys only) to connect to the VPN through the same VPN tunnel. In this case, you must create a dialup user group for authentication purposes. Use the usrgrp keyword to set the user group name. If the dialup clients use unique identifiers and preshared keys, set mode to aggressive. If the dialup clients use preshared keys only, set mode to main.
    Type peer to authenticate one (or more) certificate holders based on a particular (or shared) certificate. Use the peer keyword to enter the certificate name. Set mode to aggressive if the remote peer or client has a dynamic IP address.
    Type peergrp to authenticate certificate holders that use unique certificates. In this case, you must create a group of certificate holders for authentication purposes. Use the peergrp keyword to set the certificate group name. The mode attribute can be set to aggressive or main. Set mode to aggressive if the remote peer or client has a dynamic IP address.
    Default: any
priority <prio>
    This value is used to break ties in the selection of dialup routes. If both routes have the same priority, the egress index of the routes is used to determine the selected route. Set <prio> to a value between 0 and 4 294 967 295.
    Default: 0
proposal <encryption_combination>
    Select a minimum of one and a maximum of three encryption-message digest combinations for the phase 1 proposal (for example, 3des-md5). The remote peer must be configured to use at least one of the proposals that you define. Use a space to separate the combinations.
    You can enter any of the following encryption-message digest combinations:
    3des-md5
    3des-sha1
    aes128-md5
    aes128-sha1
    aes192-md5
    aes192-sha1
    aes256-md5
    aes256-sha1
    des-md5
    des-sha1
    The abbreviated symmetric key algorithms are:
    des     Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
    3des    Triple-DES, in which plain text is encrypted three times by three keys.
    aes128  A 128-bit block algorithm that uses a 128-bit key.
    aes192  A 128-bit block algorithm that uses a 192-bit key.
    aes256  A 128-bit block algorithm that uses a 256-bit key.
    You can select either of the following message digests to check the authenticity of messages during an encrypted session:
    md5     Message Digest 5, the hash algorithm developed by RSA Data Security.
    sha1    Secure Hash Algorithm 1, which produces a 160-bit message digest.
    Default: aes128-sha1 3des-sha1
psksecret <preshared_key>
    This keyword is available when authmethod is set to psk.
    Enter the pre-shared key. The pre-shared key must be the same on the remote VPN gateway or client and should only be known by network administrators. The key must consist of at least 6 printable characters. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.
    Default: * (No default.)
remote-gw <address_ipv4>
    This keyword is available when type is set to static.
    Enter the static IP address of the remote VPN peer.
    Default: 0.0.0.0
remotegw-ddns <domain_name>
    This keyword is available when type is set to ddns.
    Enter the identifier of the remote peer (for example, a fully qualified domain name).
    Use this setting when the remote peer has a static domain name and a dynamic IP address (the IP address is obtained dynamically from an ISP and the remote peer subscribes to a dynamic DNS service).
    Default: Null.
rsa-certificate <server_certificate>
    This keyword is available when authmethod is set to rsa-signature.
    Enter the name of the signed personal certificate for the FortiGate unit. You must install the server certificate before you enter the server certificate name. For more information, see vpn certificate local on page 675.
    Default: Null.
type <remote_gw_type>
    Enter the connection type of the remote gateway:
    If the remote VPN peer has a static IP address, type static. Use the remote-gw keyword to enter the IP address.
    If the remote VPN peer has a dynamically assigned IP address (DHCP or PPPoE), type dynamic.
    If the remote VPN peer has a dynamically assigned IP address and subscribes to a dynamic DNS service, type ddns. Use the remotegw-ddns keyword to enter the domain name of the remote VPN peer.
    Default: static
usrgrp <group_name>
    This keyword is available when type is set to dynamic, authmethod is set to psk, and peertype is set to dialup.
    Enter the name of the group of dialup VPN clients to authenticate. The user group must be added to the FortiGate configuration before it can be cross-referenced here. For more information, see user group on page 490, user ldap on page 495, user local on page 498, and user radius on page 503.
    Default: Null.
xauthtype <XAuth_type>
    Optionally configure XAuth (eXtended Authentication):
    Type disable to disable XAuth.
    Type client to configure the FortiGate unit to act as an XAuth client. Use the authusr and authpasswd keywords to add the XAuth user name and password.
    Type auto, pap, or chap to configure the FortiGate unit as an XAuth server. These options are available only when type is dynamic. Use the authusrgrp keyword to specify the user group containing members that will be authenticated using XAuth.
    Default: disable

Example
Use the following command to add a tunnel-mode IPSec VPN phase 1 configuration with the following characteristics:
Phase 1 configuration name: Simple_GW
Physical interface name: port6
Remote peer address type: dynamic
Encryption and authentication proposal: des-md5
Authentication method: psk
Pre-shared key: Qf2p3O93jIj2bz7E
Mode: aggressive
Dead Peer Detection: disable
    config vpn ipsec phase1
        edit Simple_GW
            set interface port6
            set type dynamic
            set proposal des-md5
            set authmethod psk
            set psksecret Qf2p3O93jIj2bz7E
            set mode aggressive
            set dpd disable
    end
des-md5 is the weakest proposal in the list under proposal (56-bit DES) and is used here only to keep the example short; choose one of the aes proposals for a production tunnel. Note also that with peertype left at its default of any, this dialup gateway accepts any client that presents the pre-shared key.
History
FortiOS v2.80      Revised
FortiOS v2.80 MR2  Added two new parameters to the peertype keyword {peer | peergrp}. Added two new keywords: peer and peergrp.
FortiOS v3.0       Renamed mixed attribute of xauthtype keyword to auto. Renamed remotegw to remote-gw. Added interface and local-gw attributes. Name of phase 1 definition is now limited to 15 characters. Added priority keyword.
FortiOS v4.0       Changed default value of proposal to aes128-sha1 3des-sha1. Changed default value of dpd and nattraversal to enable.

Related topics
vpn ipsec phase2
user group
user local
user peer
user peergrp
user radius
execute vpn certificate local
vpn certificate ca
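Several rows of the phase1 table are really compatibility constraints between the two peers: the remote side must offer at least one of your 1-3 proposals, share at least one DH group, use the same pre-shared key and the same nattraversal setting, and the psksecret row gives a minimum (6 printable characters) and a recommendation (16 random alphanumerics). The following Python is an added example, not code from the FortiGate reference or from Fortinet: it encodes those rules as a pre-flight check, reports which proposal would be selected when the local list is read in order of preference, flags proposals built on DES or MD5, and generates a PSK of the recommended shape. The LOCAL_WEAK settings mirror the Simple_GW example above; the PEER settings are constructed for the demonstration.

```python
"""Pre-flight compatibility and strength check for a FortiGate phase 1 configuration (added example)."""
import secrets
import string

# Allowed values, from the phase1 reference table.
ENCRYPTION = ("des", "3des", "aes128", "aes192", "aes256")
DIGEST = ("md5", "sha1")
PROPOSALS = {f"{e}-{d}" for e in ENCRYPTION for d in DIGEST}
DH_GROUPS = {1, 2, 5}
# Algorithms the reference still lists but a reviewer should flag: 56-bit DES and MD5.
WEAK_ALGS = {"des", "md5"}
PSK_MIN, PSK_RECOMMENDED = 6, 16


def validate_proposal(proposals):
    """Return problems with a proposal list: 1 to 3 entries, each from the allowed set."""
    problems = []
    if not 1 <= len(proposals) <= 3:
        problems.append(f"proposal must list 1 to 3 combinations, got {len(proposals)}")
    problems += [f"unknown proposal {p!r}" for p in proposals if p not in PROPOSALS]
    return problems


def negotiate(local, remote):
    """First local proposal the remote peer also offers (local order = preference), else None."""
    remote_set = set(remote)
    return next((p for p in local if p in remote_set), None)


def shared_dh_groups(local_groups, remote_groups):
    """DH groups both sides list; at least one is needed, per the dhgrp row."""
    return sorted(set(local_groups) & set(remote_groups))


def weak_proposals(proposals):
    """Proposals that use DES or MD5."""
    return sorted(p for p in proposals if set(p.split("-")) & WEAK_ALGS)


def check_psk(psk):
    """None if psk meets the reference's guidance, otherwise a description of the shortfall."""
    if len(psk) < PSK_MIN or not all(32 <= ord(c) < 127 for c in psk):
        return f"psksecret must be at least {PSK_MIN} printable characters"
    if len(psk) < PSK_RECOMMENDED:
        return f"psksecret shorter than the recommended {PSK_RECOMMENDED} random characters"
    return None


def generate_psk(length=PSK_RECOMMENDED):
    """Random alphanumeric pre-shared key of the recommended length."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def review(local, remote):
    """Check a local phase1 dict against what the remote peer is configured with."""
    report = {
        "problems": validate_proposal(local["proposal"]),
        "negotiated": negotiate(local["proposal"], remote["proposal"]),
        "dh": shared_dh_groups(local["dhgrp"], remote["dhgrp"]),
        "weak": weak_proposals(local["proposal"]),
        "psk": check_psk(local["psksecret"]),
    }
    unknown = set(local["dhgrp"]) - DH_GROUPS
    if unknown:
        report["problems"].append(f"unsupported DH groups {sorted(unknown)}")
    if report["negotiated"] is None:
        report["problems"].append("no proposal in common with the remote peer")
    if not report["dh"]:
        report["problems"].append("no DH group in common with the remote peer")
    if local["psksecret"] != remote["psksecret"]:
        report["problems"].append("pre-shared keys differ")
    if local["nattraversal"] != remote["nattraversal"]:
        report["problems"].append("nattraversal must match on both ends")
    return report


# Constructed settings: LOCAL_WEAK mirrors the Simple_GW example (proposal des-md5,
# psk Qf2p3O93jIj2bz7E, dhgrp and nattraversal at their defaults); the peer's offer
# is an assumption for the demonstration.
PEER = {"proposal": ["aes256-sha1", "3des-sha1"], "dhgrp": {5},
        "psksecret": "Qf2p3O93jIj2bz7E", "nattraversal": "enable"}
LOCAL_WEAK = {"proposal": ["des-md5"], "dhgrp": {5},
              "psksecret": "Qf2p3O93jIj2bz7E", "nattraversal": "enable"}
LOCAL_FIXED = {"proposal": ["aes256-sha1", "aes128-sha1"], "dhgrp": {5},
               "psksecret": "Qf2p3O93jIj2bz7E", "nattraversal": "enable"}

if __name__ == "__main__":
    for name, cfg in (("weak", LOCAL_WEAK), ("fixed", LOCAL_FIXED)):
        print(name, review(cfg, PEER))
    print("suggested psksecret:", generate_psk())
```

Against the constructed peer, the Simple_GW settings fail with "no proposal in common with the remote peer" and des-md5 is flagged as weak; the fixed list negotiates aes256-sha1. The check mirrors what the peers' own IKE exchange will decide, so run it before the tunnel is brought up rather than after the first failed negotiation.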
ipsec phase1-interface
Use this command to define a phase 1 definition for a route-based (interface mode) IPSec VPN tunnel that generates authentication and encryption keys automatically. A new interface of type tunnel with the same name is created automatically as the local end of the tunnel.
Optionally, you can create a route-based phase 1 definition to act as a backup for another IPSec interface. See the monitor-phase1 <phase1> keyword.
To complete the configuration of an IPSec tunnel, you need to:
• configure phase 2 settings (see ipsec phase2-interface on page 546)
• configure a firewall policy to pass traffic from the local private network to the tunnel interface
• configure a static route via the IPSec interface to the private network at the remote end of the tunnel
• optionally, define the IP addresses for each end of the tunnel to enable dynamic routing through the tunnel or to enable pinging of each end of the tunnel for testing
Syntax
config vpn ipsec phase1-interface
    edit <gateway_name>
        set add-gw-route {enable | disable}
        set authmethod <authentication_method>
        set authpasswd <password>
        set authusr <user_name>
        set authusrgrp <group_name>
        set default-gw <gw_ip>
        set default-gw-priority <int>
        set dhgrp {1 2 5}
        set distance <int>
        set dpd {disable | enable}
        set dpd-retrycount <retry_integer>
        set dpd-retryinterval <seconds> [<milliseconds>]
        set interface <interface_name>
        set ip-version <4 | 6>
        set keepalive <seconds>
        set keylife <seconds>
        set local-gw <address_ipv4>
        set local-gw6 <address_ipv6>
        set localid <local_id>
        set mode {aggressive | main}
        set monitor-phase1 <phase1>
        set nattraversal {disable | enable}
        set peer <CA_certificate_name>
        set peerid <peer_id>
        set peergrp <certificate_group_name>
        set peertype <authentication_method>
        set priority <prio>
        set proposal <encryption_combination>
        set psksecret <preshared_key>
        set remote-gw <address_ipv4>
        set remote-gw6 <address_ipv6>
        set remotegw-ddns <domain_name>
        set rsa-certificate <server_certificate>
        set type <remote_gw_type>
        set usrgrp <group_name>
        set xauthtype <XAuth_type>
    end
Note: You must specify values for proposal and interface. A remote-gw value may be required depending on the value of the type attribute. You must also enter a preshared key or a certificate name depending on the value of authmethod. All other keywords are optional.
Variables Description Default
edit <gateway_name>
    Enter a name (maximum 15 characters) for the remote gateway. If type is dynamic, the maximum name length is further reduced depending on the number of dialup tunnels that can be established: by 2 for up to 9 tunnels, by 3 for up to 99 tunnels, by 4 for up to 999 tunnels, and so on.
    Default: No default.
add-gw-route {enable | disable}
    Enable to automatically add a route to the remote gateway specified in remote-gw. This is effective only when interface is an interface that obtains its IP address by DHCP or PPPoE. The route distance is specified in the interface configuration. See system interface on page 387.
    Default: disable
authmethod <authentication_method>
    Specify the authentication method:
    • Enter psk to authenticate using a pre-shared key. Use psksecret to enter the pre-shared key.
    • Enter rsa-signature to authenticate using a digital certificate. Use set rsa-certificate to enter the name of the digital certificate.
    You must configure certificates before selecting rsa-signature here. For more information, see execute vpn certificate local on page 675 and vpn certificate ca on page 508.
    Default: psk
authpasswd <password>
    This keyword is available when xauthtype is set to client. Enter the XAuth client password for the FortiGate unit.
    Default: No default.
authusr <user_name>
    This keyword is available when xauthtype is set to client. Enter the XAuth client user name for the FortiGate unit.
    Default: Null
authusrgrp <group_name>
    This keyword is available when xauthtype is set to auto, pap, or chap.
    When the FortiGate unit is configured as an XAuth server, enter the user group to authenticate remote VPN peers. The user group can contain local users, LDAP servers, and RADIUS servers. The user group must be added to the FortiGate configuration before the group name can be cross-referenced. For more information, see user group on page 490, user ldap on page 495, user local on page 498, and user radius on page 503.
    Default: Null
default-gw <gw_ip>
    If the IPSec interface has a different default route than other traffic, enter the next hop router IP address. Be sure to set default-gw-priority to a higher priority (lower value) than the general default route.
    This is available when type is dynamic. The route it creates is not visible in the routing table.
    Default: 0.0.0.0
default-gw-priority <int>
    If you set default-gw, set the priority to a lower value (higher priority) than the general default route.
    Default: 0
dhgrp {1 2 5}
    Type 1, 2, and/or 5 to select one or more Diffie-Hellman groups from DH group 1, 2, and 5 respectively. At least one of the DH group settings on the remote peer or client must be identical to one of the selections on the FortiGate unit.
    Default: 5
distance <int>
    Configure the administrative distance for routes added when a dialup IPSec connection is established. Using administrative distance you can specify the relative priorities of different routes to the same destination. A lower administrative distance indicates a more preferred route. Distance can be an integer from 1-255. See also router static distance <distance> on page 301.
    Default: 1
dpd {disable | enable}
    Enable or disable DPD (Dead Peer Detection). DPD detects the status of the connection between VPN peers. Enabling DPD facilitates cleaning up dead connections and establishing new VPN tunnels. DPD is not supported by all vendors and is not used unless DPD is supported and enabled by both VPN peers.
    Default: enable
dpd-retrycount <retry_integer>
    This keyword is available when dpd is set to enable.
    Set the number of times that the local VPN peer sends a DPD probe before it considers the link to be dead and tears down the security association (SA). The dpd-retrycount range is 0 to 10.
    To avoid false negatives due to congestion or other transient failures, set the retry count to a sufficiently high value for your network.
    Default: 3
dpd-retryinterval <seconds> [<milliseconds>]
    This keyword is available when dpd is set to enable.
    The DPD (Dead Peer Detection) retry interval is the time that the local VPN peer waits between sending DPD probes.
    Set the time in seconds plus, optionally, milliseconds. For example, for 2.5 seconds enter 2 500. The range is 1 to 60 seconds, 0 to 999 milliseconds.
    When the tunnel is starting, or if it has failed, a retry interval of 5 seconds is used if dpd-retryinterval is less than 5 seconds.
    Default: 5
interface <interface_name>
    Enter the name of the physical, aggregate, or VLAN interface to which the IPSec tunnel will be bound. The FortiGate unit obtains the IP address of the interface from system interface settings (see interface on page 387) unless you specify a different IP address using the local-gw <address_ipv4> attribute.
    Default: Null.
ip-version <4 | 6>
    Enter 4 for IPv4 encapsulation or 6 for IPv6 encapsulation.
    Default: 4
keepalive <seconds>
    This keyword is available when nattraversal is set to enable.
    Set the NAT traversal keepalive frequency. This number specifies (in seconds) how frequently empty UDP packets are sent through the NAT device to make sure that the NAT mapping does not change until P1 and P2 security associations expire. The keepalive frequency can be from 0 to 900 seconds.
    Default: 5
keylife <seconds>
    Set the keylife time. The keylife is the amount of time (in seconds) before the phase 1 encryption key expires. When the key expires, a new key is generated without interrupting service. The range is 120 to 172,800 seconds.
    Default: 28800
local-gw <address_ipv4>
local-gw6 <address_ipv6>
    Optionally, specify a secondary IP address of the interface selected in interface to use for the local end of the VPN tunnel. local-gw6 is available when ip-version is 6. local-gw is available when ip-version is 4.
    If you do not specify an IP address here, the FortiGate unit obtains the IP address of the interface from system interface settings (see interface on page 387).
    Default: 0.0.0.0 for IPv4, :: for IPv6
localid <local_id>
    Enter a local ID if the FortiGate unit is functioning as a VPN client and will use the local ID for authentication purposes.
    If you want to dedicate a tunnel to a FortiGate dialup client, you must assign a unique identifier (local ID) to the FortiGate client. Whenever you configure a unique identifier (local ID) on a FortiGate dialup client, you must enable aggressive mode on the FortiGate dialup server and also specify the identifier as a peer ID on the FortiGate dialup server.
    Default: Null.
mode {aggressive | main}
    Enter aggressive or main (ID Protection) mode. Both modes establish a secure channel.
    In main mode, identifying information is hidden. Main mode is typically used when both VPN peers have static IP addresses.
    In aggressive mode, identifying information is exchanged in the clear. Aggressive mode is typically used when a remote peer or dialup client has a dynamic IP address. You must enable aggressive mode when the remote FortiGate unit has a dynamic IP address, or the remote VPN peer or client will be authenticated using an identifier (local ID).
    Default: main
monitor-phase1 <phase1>
    Optionally, this IPSec interface can act as a backup for another (primary) IPSec interface. Enter the name of the primary interface.
    The backup interface is used only while the primary interface is out of service. dpd must be enabled.
    A primary interface can have only one backup interface and cannot act as a backup for another interface.
    For a configuration example, see Example of backup IPSec interface on page 538.
    Default: Null.
nattraversal {disable | enable}
    Enable NAT traversal if you expect the IPSec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal has no effect. Both ends of the VPN must have the same NAT traversal setting. If you enable NAT traversal you can set the keepalive frequency.
    Default: enable
peer <CA_certificate_name>
    This keyword is available when authmethod is set to rsa-signature and peertype is set to peer.
    Enter the name of the peer (CA) certificate that will be used to authenticate remote VPN clients or peers. Use the command config user peer to add peer certificates. Peer certificates must be added to the FortiGate configuration before they can be cross-referenced. For more information, see user peer on page 500.
    Default: Null.
peerid <peer_id>
    This keyword is available when peertype is set to one.
    Enter the peer ID that will be used to authenticate remote clients or peers by peer ID.
    Default: Null.
peergrp <certificate_group_name>
    This keyword is available when type is set to dynamic, authmethod is set to rsa-signature, and peertype is set to peergrp.
    Enter the name of the peer certificate group that will be used to authenticate remote clients or peers. You must create the peer certificate group before the group name can be cross-referenced. For more information, see user peergrp on page 502.
    Default: Null.
peertype <authentication_method>
    The following attributes are available under the following conditions:
    • dialup is available when type is set to dynamic and authmethod is set to psk.
    • peer is available when authmethod is set to rsa-signature.
    • peergrp is available when type is set to dynamic and authmethod is set to rsa-signature.
    Enter the method for authenticating remote clients or peers when they connect to the FortiGate unit:
    • Type any to accept any remote client or peer (peer IDs are not used for authentication purposes). The mode attribute can be set to aggressive or main.
      You can use this option with RSA Signature authentication. But, for highest security, you should configure a PKI user/group for the peer and set Peer Options to Accept this peer certificate only.
    • Type one to authenticate either a remote peer or client that has a dynamic IP address and connects using a unique identifier over a dedicated tunnel, or more than one dialup client that connects through the same tunnel using the same (shared) identifier. Use the peerid keyword to set the peer ID. If more than one dialup client will be connecting using the same (shared) identifier, set mode to aggressive.
    • Type dialup to authenticate dialup VPN clients that use unique identifiers and preshared keys (or unique preshared keys only) to connect to the VPN through the same VPN tunnel. In this case, you must create a dialup user group for authentication purposes. Use the usrgrp keyword to set the user group name. If the dialup clients use unique identifiers and preshared keys, set mode to aggressive. If the dialup clients use preshared keys only, set mode to main.
    • Type peer to authenticate one (or more) certificate holders based on a particular (or shared) certificate. Use the peer keyword to enter the certificate name. Set mode to aggressive if the remote peer or client has a dynamic IP address.
    • Type peergrp to authenticate certificate holders that use unique certificates. In this case, you must create a group of certificate holders for authentication purposes. Use the peergrp keyword to set the certificate group name. The mode attribute can be set to aggressive or main. Set mode to aggressive if the remote peer or client has a dynamic IP address.
    Default: any
priority <prio>
    This value is used to break ties in the selection of dialup routes. If both routes have the same priority, the egress index of the routes is used to determine the selected route.
    Set <prio> to a value between 0 and 4 294 967 295.
    Default: 0
proposal <encryption_combination>
    Select a minimum of one and a maximum of three encryption-message digest combinations for the phase 1 proposal (for example, 3des-md5). The remote peer must be configured to use at least one of the proposals that you define. Use a space to separate the combinations.
    You can enter any of the following symmetric-key encryption algorithms:
    3des-md5
    3des-sha1
    aes128-md5
    aes128-sha1
    aes192-md5
    aes192-sha1
    aes256-md5
    aes256-sha1
    des-md5
    des-sha1
    Here is an explanation of the abbreviated combinations:
    des     Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
    3des    Triple-DES, in which plain text is encrypted three times by three keys.
    aes128  A 128-bit block algorithm that uses a 128-bit key.
    aes192  A 128-bit block algorithm that uses a 192-bit key.
    aes256  A 128-bit block algorithm that uses a 256-bit key.
    You can select either of the following message digests to check the authenticity of messages during an encrypted session:
    md5     Message Digest 5, the hash algorithm developed by RSA Data Security.
    sha1    Secure Hash Algorithm 1, which produces a 160-bit message digest.
    Default: aes128-sha1 3des-sha1
psksecret <preshared_key>
    This keyword is available when authmethod is set to psk.
    Enter the pre-shared key. The pre-shared key must be the same on the remote VPN gateway or client and should only be known by network administrators. The key must consist of at least 6 printable characters. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.
    Default: * (No default.)
remote-gw <address_ipv4>
remote-gw6 <address_ipv6>
    This keyword is available when type is set to static.
    Enter the static IP address of the remote VPN peer. remote-gw6 is available when ip-version is 6. remote-gw is available when ip-version is 4.
    Default: 0.0.0.0 for IPv4, :: for IPv6
remotegw-ddns <domain_name>
    This keyword is available when type is set to ddns and ip-version is set to 4.
    Enter the identifier of the remote peer (for example, a fully qualified domain name).
    Use this setting when the remote peer has a static domain name and a dynamic IP address (the IP address is obtained dynamically from an ISP and the remote peer subscribes to a dynamic DNS service).
    Default: Null
rsa-certificate <server_certificate>
    This keyword is available when authmethod is set to rsa-signature.
    Enter the name of the signed personal certificate for the FortiGate unit. You must install the server certificate before you enter the server certificate name. For more information, see vpn certificate local on page 675.
    Default: Null
type <remote_gw_type>
    Enter the connection type of the remote gateway:
    • If the remote VPN peer has a static IP address, type static. Use the remote-gw keyword to enter the IP address.
    • If the remote VPN peer has a dynamically assigned IP address (DHCP or PPPoE), type dynamic.
    • If the remote VPN peer has a dynamically assigned IP address and subscribes to a dynamic DNS service, type ddns. Use the remotegw-ddns keyword to enter the domain name of the remote VPN peer. This option is not available if ip-version is 6.
    Default: static
usrgrp <group_name>
    This keyword is available when type is set to dynamic, authmethod is set to psk, and peertype is set to dialup.
    Enter the name of the group of dialup VPN clients to authenticate. The user group must be added to the FortiGate configuration before it can be cross-referenced here. For more information, see user group on page 490, user ldap on page 495, user local on page 498, and user radius on page 503.
    Default: Null.
xauthtype <XAuth_type>
    Optionally configure XAuth (eXtended Authentication):
    • Type disable to disable XAuth.
    • Type client to configure the FortiGate unit to act as an XAuth client. Use the authusr and authpasswd keywords to add the XAuth user name and password.
    • Type auto, pap, or chap to configure the FortiGate unit as an XAuth server. These options are available only when type is dynamic. Use the authusrgrp keyword to specify the user group containing members that will be authenticated using XAuth.
    Default: disable
Example of route-based VPN
In this example, an IPSec tunnel is needed between two sites using FortiGate units. Users on the 192.168.2.0/24 network at Site A need to communicate with users on the 192.168.3.0/24 network at Site B. At Site A, the public IP address is 172.16.67.199 and at Site B it is 172.16.68.198. At both ends:
• Port 2 of the FortiGate unit: connects to the private network
• Port 1 of the FortiGate unit: connects to the Internet
• Encryption and authentication proposal: des-md5
• Authentication method: psk
• Pre-shared key: Qf2p3O93jIj2bz7
• Mode: main
• Dead Peer Detection: enable
Site A configuration
config vpn ipsec phase1-interface
    edit toSiteB
        set type static
        set remote-gw 172.16.68.198
        set interface port1
        set proposal des-md5
        set authmethod psk
        set psksecret Qf2p3O93jIj2bz7
        set mode main
        set dpd enable
    end
Site B configuration
config vpn ipsec phase1-interface
    edit toSiteA
        set type static
        set remote-gw 172.16.67.199
        set interface port1
        set proposal des-md5
        set authmethod psk
        set psksecret Qf2p3O93jIj2bz7
        set mode main
        set dpd enable
    end
In this example, the user defines IP addresses for each end of the tunnel to enable dynamic routing through the tunnel or to enable pinging of each end of the tunnel for testing. The Site A end has the IP address 10.0.0.1 and the Site B end is 10.0.0.2.
Site A configuration
config vpn ipsec phase2-interface
    edit New_Tunnel
        set phase1name toSiteB
        set proposal 3des-sha1
        set keylife-type seconds
        set keylifeseconds 18001
        set dhgrp 2
        set replay enable
        set pfs enable
        set keepalive enable
    end
config firewall policy
    edit 1
        set srcintf port2
        set dstintf toSiteB
        set srcaddr all
        set dstaddr all
        set action accept
        set service ANY
        set schedule always
    next
    edit 2
        set srcintf toSiteB
        set dstintf port2
        set srcaddr all
        set dstaddr all
        set action accept
        set service ANY
        set schedule always
    end
config router static
    edit 1
        set device toSiteB
        set dst 192.168.3.0/24
    end
(Optional)
config system interface
    edit toSiteB
        set ip 10.0.0.1/32
        set remote-ip 10.0.0.2
        set allowaccess ping
    end
Site B configuration
config vpn ipsec phase2-interface
    edit New_Tunnel
        set phase1name toSiteA
        set proposal 3des-sha1
        set keylife-type seconds
        set keylifeseconds 18001
        set dhgrp 2
        set replay enable
        set pfs enable
        set keepalive enable
    end
config firewall policy
    edit 1
        set srcintf port2
        set dstintf toSiteA
        set srcaddr all
        set dstaddr all
        set action accept
        set service ANY
        set schedule always
    next
    edit 2
        set srcintf toSiteA
        set dstintf port2
        set srcaddr all
        set dstaddr all
        set action accept
        set service ANY
        set schedule always
    end
config router static
    edit 1
        set device toSiteA
        set dst 192.168.2.0/24
    end
(Optional)
config system interface
    edit toSiteA
        set ip 10.0.0.2/32
        set remote-ip 10.0.0.1
        set allowaccess ping
    end
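The rules this reference states for phase1-interface entries (proposal and interface are mandatory, remote-gw is needed for type static, psksecret or rsa-certificate depending on authmethod, a PSK of at least 6 and preferably 16 random characters, and monitor-phase1 requiring dpd) can be checked mechanically before a configuration is pushed. The following Python script is an added example, not Fortinet code or part of this reference: it parses FortiOS CLI text into tables and audits each phase1-interface entry against those rules, using the Site A block from the example above plus a constructed hardened variant whose pre-shared key is a placeholder.

```python
"""Audit FortiGate 'config vpn ipsec phase1-interface' entries against the
rules stated in the FortiGate 4.0 CLI Reference (added example, not Fortinet code)."""

# DES (56-bit key) and MD5 are the weakest components the reference lists;
# flag them so an administrator reviews the proposal.
WEAK_COMPONENTS = {"des", "md5"}


def parse_fortios(text):
    """Minimal parser for FortiOS CLI text: 'config <path>' opens a table,
    'edit <name>' opens an entry, 'set <k> <v...>' stores a value, 'next'
    closes the entry, 'end' closes the entry (if open) and the table.
    Returns {config_path: {entry_name: {keyword: value}}}."""
    tables, open_tables, entry = {}, [], None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            open_tables.append(tables.setdefault(" ".join(args), {}))
        elif cmd == "edit":
            entry = (" ".join(args).strip('"'), {})
        elif cmd == "set" and entry is not None and len(args) >= 2:
            entry[1][args[0]] = " ".join(args[1:]).strip('"')
        elif cmd in ("next", "end"):
            if entry is not None:
                open_tables[-1][entry[0]] = entry[1]
                entry = None
            if cmd == "end":
                open_tables.pop()
    return tables


def audit_phase1(settings):
    """Return a list of findings for one phase1-interface entry."""
    findings = []
    # The reference: proposal and interface must always be specified.
    for key in ("proposal", "interface"):
        if key not in settings:
            findings.append(f"missing required keyword {key}")
    gw_type = settings.get("type", "static")            # CLI default is static
    if gw_type == "static" and not ({"remote-gw", "remote-gw6"} & settings.keys()):
        findings.append("type static requires remote-gw or remote-gw6")
    if gw_type == "ddns" and "remotegw-ddns" not in settings:
        findings.append("type ddns requires remotegw-ddns")
    authmethod = settings.get("authmethod", "psk")      # CLI default is psk
    if authmethod == "psk":
        psk = settings.get("psksecret", "")
        if not psk:
            findings.append("authmethod psk requires psksecret")
        elif len(psk) < 6:
            findings.append("psksecret shorter than the 6-character minimum")
        elif len(psk) < 16:
            findings.append("psksecret shorter than the recommended 16 characters")
    elif authmethod == "rsa-signature" and "rsa-certificate" not in settings:
        findings.append("authmethod rsa-signature requires rsa-certificate")
    for combo in settings.get("proposal", "").split():
        enc, _, digest = combo.partition("-")
        if enc in WEAK_COMPONENTS or digest in WEAK_COMPONENTS:
            findings.append(f"proposal {combo} uses DES or MD5; prefer AES with SHA1")
    if "monitor-phase1" in settings and settings.get("dpd", "enable") == "disable":
        findings.append("monitor-phase1 failover requires dpd enable")
    keylife = int(settings.get("keylife", "28800"))
    if not 120 <= keylife <= 172800:
        findings.append(f"keylife {keylife} outside the 120-172800 second range")
    if settings.get("mode") == "aggressive":
        findings.append("aggressive mode exchanges peer identities in the clear")
    return findings


def audit_config(text):
    """Audit every phase1-interface entry in a FortiOS configuration dump."""
    tables = parse_fortios(text)
    return {name: audit_phase1(settings)
            for name, settings in tables.get("vpn ipsec phase1-interface", {}).items()}


# Constructed sample: the Site A block from the reference, then a hardened
# variant with a placeholder key (replace with 16+ random characters in practice).
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit toSiteB
        set type static
        set remote-gw 172.16.68.198
        set interface port1
        set proposal des-md5
        set authmethod psk
        set psksecret Qf2p3O93jIj2bz7
        set mode main
        set dpd enable
    next
    edit toSiteB-hardened
        set type static
        set remote-gw 172.16.68.198
        set interface port1
        set proposal aes256-sha1 aes128-sha1
        set authmethod psk
        set psksecret REPLACE-WITH-16PLUS-RANDOM-CHARS
        set mode main
        set dpd enable
    end
"""

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, findings or "no findings")
```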
Example of backup IPSec interface
In this example, the backupToHeadquarters IPSec interface provides failover protection for the toHeadquarters IPSec interface.
The backupToHeadquarters interface is a backup interface because its monitor-phase1 option is not null; it is set to monitor the toHeadquarters interface. If the monitored interface goes down, as determined by Dead Peer Detection, the backup interface becomes active.
The backup interface uses a different physical interface, which could be connected to a different Internet service provider. The remote gateway can be the same, or it can specify an alternative gateway, if one exists. Otherwise, the two IPSec interfaces are identically configured.
config vpn ipsec phase1-interface
    edit "toHeadquarters"
        set interface "wan1"
        set remote-gw 172.16.1.10
        set dpd enable
        ... [other phase1 settings as needed]
    next
    edit "backupToHeadquarters"
        set interface "wan2"
        set monitor-phase1 "toHeadquarters"
        set remote-gw 172.16.1.10
        ... [other phase1 settings as needed]
    end
History
FortiOS v3.0      New.
FortiOS v3.0 MR5  Added keywords ip-version, local-gw6, remote-gw6.
FortiOS v3.0 MR6  Added keywords default-gw and default-gw-priority.
FortiOS v4.0      Changed default value of proposal to aes128-sha1 3des-sha1. Changed default value of dpd and nattraversal to enable.
Related topics
• vpn ipsec phase2-interface
• user group
• user local
• user peer
• user peergrp
• user radius
• vpn certificate local
• vpn certificate ca
ipsec phase2
Use this command to add or edit an IPSec tunnel-mode phase 2 configuration. The FortiGate unit uses the
tunnel-mode phase 2 configuration to create and maintain an IPSec VPN tunnel with a remote VPN peer
(the VPN gateway or client).
The phase 2 configuration consists of a name for the VPN tunnel, the name of an existing phase 1
configuration, the proposal settings (encryption and authentication algorithms) and DH group used for
phase 2. For phase 2 to be successful, the FortiGate unit and the remote VPN peer must be configured
with compatible proposal settings.
Syntax
config vpn ipsec phase2
    edit <tunnel_name>
        set add-route {enable | disable}
        set auto-negotiate {enable | disable}
        set dhcp-ipsec {disable | enable}
        set dhgrp {1 | 2 | 5}
        set dst-addr-type <type>
        set dst-end-ip <address_ipv4>
        set dst-name <address_name>
        set dst-port <destination_port_number>
        set dst-start-ip <address_ipv4>
        set dst-subnet <address_ipv4mask>
        set keepalive {disable | enable}
        set keylife-type <keylife_type>
        set keylifekbs <kb_integer>
        set keylifeseconds <seconds>
        set pfs {disable | enable}
        set phase1name <gateway_name>
        set proposal <encryption_combination>
        set protocol <protocol_integer>
        set replay {disable | enable}
        set route-overlap {overlap_option}
        set selector-match <match_type>
        set single-source {disable | enable}
        set src-addr-type <ip_source_name>
        set src-end-ip <address_ipv4>
        set src-name <address_name>
        set src-port <source_port_number>
        set src-start-ip <address_ipv4>
        set src-subnet <address_ipv4mask>
        set use-natip {enable | disable}
    end
Note: The phase1name keyword is required. All other keywords are optional.
Variables Description Default
edit <tunnel_name>
    Enter a name for the tunnel.
    Default: No default.
add-route {enable | disable}
    Enable only if you are running a dynamic routing protocol (RIP, OSPF, or BGP) and want the routes to be propagated to routing peers.
    Default: disable
auto-negotiate {enable | disable}
    Enable to negotiate the phase 2 security association (SA) automatically, even if there is no traffic. This repeats every five seconds until it succeeds.
    You can use this option on a dialup peer to ensure that the tunnel is available for peers at the server end to initiate traffic to the dialup peer. Otherwise, the tunnel does not exist until the dialup peer initiates traffic.
    Default: disable
dhcp-ipsec {disable | enable}
    This keyword is available when phase1name names a dialup gateway configuration.
    Enable dhcp-ipsec if the FortiGate unit acts as a dialup server and FortiGate DHCP relay will be used to assign VIP addresses to FortiClient dialup clients. The DHCP relay parameters must be configured separately.
    If you configure the DHCP server to assign IP addresses based on RADIUS user group attributes, you must also set the peertype to dialup and specify the usrgrp in vpn ipsec phase1.
    For information about how to configure a DHCP server on a FortiGate interface, see system dhcp server on page 349. For information about FortiGate DHCP relay, see system interface on page 387.
    If the FortiGate unit acts as a dialup server and you manually assigned FortiClient dialup clients VIP addresses that match the network behind the dialup server, select Enable to cause the FortiGate unit to act as a proxy for the dialup clients.
    Default: disable
dhgrp {1 | 2 | 5}
    Type 1, 2 or 5 to select the Diffie-Hellman group to propose for Phase 2 of the IPSec VPN connection. Both VPN peers must use the same DH Group.
    Default: 5
dst-addr-type <type>
    Enter the type of destination address that corresponds to the recipient(s) or network behind the remote VPN peer or FortiGate dialup client:
    • To specify the IP address of a server or host, type ip. Enter the IP address using the dst-start-ip keyword.
    • To specify a range of IP addresses, type range. Enter the starting and ending addresses using the dst-start-ip and dst-end-ip keywords.
    • To specify a network address, type subnet. Enter the network address using the dst-subnet keyword.
    • To specify a firewall address or address group, type name. Enter the address or address group name using the dst-name keyword. You must also select the name option for src-addr-type.
      This option is intended for users upgrading VPN configurations created using FortiOS 2.80. For new VPNs that use firewall addresses or address groups as selectors, interface mode VPNs are recommended.
    Default: subnet
dst-end-ip <address_ipv4>
    This keyword is available when dst-addr-type is set to range.
    Enter the highest destination IP address in the range of IP addresses.
    Default: 0.0.0.0
dst-name <address_name>
    This keyword is available when dst-addr-type is set to name. Enter the name of a firewall address or address group.
    Default: No default.
dst-port <destination_port_number>
    Enter the port number that the remote VPN peer or FortiGate dialup client uses to transport traffic related to the specified service (see protocol). The range is 1 to 65535. To specify all ports, type 0.
    Default: 0
dst-start-ip <address_ipv4>
    This keyword is available when dst-addr-type is set to range.
    Enter the lowest destination IP address in the range of IP addresses.
    Default: 0.0.0.0
dst-subnet <address_ipv4mask>
    Enter the IP address and network mask that identifies the private network behind the remote VPN peer or FortiGate dialup client.
    Default: 0.0.0.0 0.0.0.0
keepalive {disable | enable}
    Enable to automatically negotiate a new phase 2 security association (SA) before the current SA expires, keeping the tunnel up. Otherwise, a new SA is negotiated only if there is traffic.
    Default: disable
keylife-type <keylife_type>
    Set when the phase 2 key expires. When the key expires, a new key is generated without interrupting service.
    • To make the key expire after a period of time has expired and after an amount of data is transmitted, type both.
    • To make the key expire after an amount of data is transmitted, type kbs. Use the keylifekbs keyword to set the amount of data that is transmitted.
    • To make the key expire after a number of seconds elapses, type seconds. Use the keylifeseconds keyword to set the amount of time that elapses.
    Default: seconds
keylifekbs <kb_integer>
    This keyword is available when keylife-type is set to kbs or both.
    Set the number of KBytes of data to transmit before the phase 2 key expires. The range is 5120 to 99999 KBytes.
    Default: 5120
keylifeseconds <seconds>
    This keyword is available when keylife-type is set to seconds or both.
    Set the number of seconds to elapse before the phase 2 key expires. seconds can be 120 to 172800 seconds.
    Default: 1800
pfs {disable | enable}
    Optionally, enable or disable perfect forward secrecy (PFS). PFS ensures that each key created during Phase 2 is unrelated to keys created during Phase 1 or to other keys created during Phase 2. PFS may cause minor delays during key generation.
    Default: enable
phase1name <gateway_name>
    Enter a phase 1 gateway configuration name. You must add the phase 1 gateway definition to the FortiGate configuration before it can be cross-referenced.
    Default: Null.
proposal <encryption_combination>
    Enter a minimum of one and a maximum of three encryption-message digest combinations (for example, 3des-md5). The remote peer must be configured to use at least one of the proposals that you define. Use a space to separate the combinations.
    You can enter any of the following encryption-message digest combinations:
        3des-md5
        3des-null
        3des-sha1
        aes128-md5
        aes128-null
        aes128-sha1
        aes192-md5
        aes192-null
        aes192-sha1
        aes256-md5
        aes256-null
        aes256-sha1
        des-md5
        des-null
        des-sha1
        null-md5
        null-sha1
    Here is an explanation of the abbreviated encryption algorithms:
        null     Do not use an encryption algorithm.
        des      Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
        3des     Triple-DES, in which plain text is encrypted three times by three keys.
        aes128   A 128-bit block algorithm that uses a 128-bit key.
        aes192   A 128-bit block algorithm that uses a 192-bit key.
        aes256   A 128-bit block algorithm that uses a 256-bit key.
    You can enter either of the following message digests to check the authenticity of messages during an encrypted session:
        null     Do not use a message digest.
        md5      Message Digest 5, the hash algorithm developed by RSA Data Security.
        sha1     Secure Hash Algorithm 1, which produces a 160-bit message digest.
    Default: aes128-sha1 3des-sha1
protocol <protocol_integer>
    This keyword is available when selector is set to specify.
    Enter the IP protocol number for the service. The range is 1 to 255. To specify all services, type 0.
    Default: 0
replay {disable | enable}
    Optionally, enable or disable replay detection. Replay attacks occur when an unauthorized party intercepts a series of IPSec packets and replays them back into the tunnel. Enable replay detection to check the sequence number of every IPSec packet to see if it has been received before. If packets arrive out of sequence, the FortiGate unit discards them.
    You can configure the FortiGate unit to send an alert email when it detects a replay packet. See alertemail on page 65.
    Default: enable
route-overlap {overlap_option}
    Specify how the FortiGate unit handles multiple dialup users with the same IP source address. Set overlap_option to one of the following:
        allow     allow overlapping routes
        use-new   delete the old route and add the new route
        use-old   use the old route and do not add the new route
    Default: use-new
selector-match <match_type>
    The peer's IPSec selectors are compared to FortiGate phase 2 selectors, which are any of src-start-ip / src-end-ip, src-subnet, dst-subnet, dst-start-ip / dst-end-ip. The match_type value can be one of:
        exact     peer's selector must match exactly
        subset    peer's selector can be a subset of this selector
        auto      use exact or subset match as needed (default)
    Note: This keyword is configured automatically when upgrading a FortiOS version 2.80 VPN to version 3.0. You should not set this keyword when configuring a new VPN.
    Default: auto
single-source {disable | enable}
    Enable if src-addr-type is name and hosts on the internal network will initiate communication sessions with remote dialup clients.
    Default: disable
src-addr-type <ip_source_name>
    If the FortiGate unit is a dialup server, enter the type of source address that corresponds to the local sender(s) or network behind the FortiGate dialup server:
        To specify the IP address of a server or host, type ip. Enter the IP address using the src-start-ip keyword.
        To specify a range of IP addresses, type range. Enter the starting and ending addresses using the src-start-ip and src-end-ip keywords.
        To specify a network address, type subnet. Enter the network address using the src-subnet keyword.
        To specify a firewall address or address group, type name. Enter the address or address group name using the src-name keyword. You must also select the name option for dst-addr-type.
        This option is intended for users upgrading VPN configurations created using FortiOS 2.80. For new VPNs that use firewall addresses or address groups as selectors, interface mode VPNs are recommended.
    If the FortiGate unit is a dialup client, src-addr-type must refer to the server(s), host(s), or private network behind the FortiGate dialup client.
    Default: subnet
src-end-ip <address_ipv4>
    This keyword is available when src-addr-type is set to range.
    Enter the highest source IP address in the range of IP addresses.
    Default: 0.0.0.0
src-name <address_name>
    This keyword is available when src-addr-type is set to name. Enter the name of a firewall address or address group.
    No default.
src-port <source_port_number>
    If the FortiGate unit is a dialup server, enter the port number that the FortiGate dialup server uses to transport traffic related to the specified service (see protocol). If the FortiGate unit is a dialup client, enter the port number that the FortiGate dialup client uses to transport traffic related to the specified service. The src-port range is 1 to 65535. To specify all ports, type 0.
    Default: 0
src-start-ip <address_ipv4>
    This keyword is available when src-addr-type is set to range.
    Enter the lowest source IP address in the range of IP addresses.
    Default: 0.0.0.0
src-subnet <address_ipv4mask>
    If the FortiGate unit is a dialup server, enter the IP address and network mask that identifies the private network behind the FortiGate dialup server. If the FortiGate unit is a dialup client, enter the IP address and network mask that identifies the private network behind the FortiGate dialup client.
    Default: 0.0.0.0 0.0.0.0
use-natip {enable | disable}
    By default, when outbound NAT is used, the FortiGate unit public interface IP address is the source selector. If you disable use-natip, the source selector is as specified in src-start-ip / src-end-ip or src-subnet.
    Note: This keyword is configured automatically when upgrading a FortiOS version 2.80 VPN to version 3.0. You should not set this keyword when configuring a new VPN.
    Default: enable
Example
Use the following command to add a tunnel-mode phase 2 configuration with the following characteristics:
    Name: New_Tunnel
    Phase 1 name: Simple_GW
    Encryption and authentication proposal: 3des-sha1 aes256-sha1 des-md5
    Keylife type: seconds
    Keylife seconds: 18001
    Diffie-Hellman group: 2
    Replay detection: enable
    Perfect forward secrecy: enable
    Keepalive: enable
    config vpn ipsec phase2
        edit New_Tunnel
            set phase1name Simple_GW
            set proposal 3des-sha1 aes256-sha1 des-md5
            set keylife-type seconds
            set keylifeseconds 18001
            set dhgrp 2
            set replay enable
            set pfs enable
            set keepalive enable
        end
History
FortiOS v2.80        Revised
FortiOS v2.80 MR3    concentrator keyword available in NAT/Route mode only.
FortiOS v2.80 MR7    wildcardid keyword removed. selector keyword and associated srcaddr, dstaddr, protocol, srcport, and dstport keywords added. single-source keyword added.
FortiOS v3.0         Replaced underscore character in keylife-type keyword with a hyphen. Removed bindtoif, concentrator, internetbrowsing, selector, dstaddr, dstport, srcaddr, and srcport keywords. Added dst-addr-type, dst-port, dst-subnet, dst-end-ip, dst-start-ip, src-addr-type, src-port, src-subnet, src-end-ip, and src-start-ip keywords.
FortiOS v3.0 MR5     Removed null-null option from proposal keyword.
FortiOS v4.0.0       add-route keyword added. Changed default value of proposal to aes128-sha1 3des-sha1. Changed default value of pfs and replay to enable.
Related topics
    vpn ipsec phase1
    alertemail setting
    firewall policy, policy6
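The keyword table above gives concrete bounds for a phase 2 entry (one to three proposals drawn from the listed combinations, keylifekbs between 5120 and 99999, keylifeseconds between 120 and 172800, dhgrp 1, 2 or 5) and, for FortiOS v4.0, defaults of aes128-sha1 3des-sha1 with pfs and replay enabled. The following Python script is an added example and not Fortinet code: it parses the edit/set/next/end grammar used in the reference's own example and audits each tunnel against those documented ranges. The list of algorithm parts it reports as "weak" (des, null, md5) is the auditor's own choice, following the table's own descriptions of des as a 56-bit key and null as no encryption or no digest. The sample configuration is constructed here; it contains the New_Tunnel example from this page plus a second, deliberately misconfigured tunnel.

```python
"""Audit 'config vpn ipsec phase2' blocks against the documented ranges.

Added example, not Fortinet code. Ranges and defaults come from the keyword
table in this reference; the WEAK_PARTS set is the auditor's own judgement.
"""

ENCRYPTION = {"null", "des", "3des", "aes128", "aes192", "aes256"}
DIGEST = {"null", "md5", "sha1"}
WEAK_PARTS = {"des", "null", "md5"}       # auditor's choice, not from the reference
KEYLIFE_KBS = (5120, 99999)                # keylifekbs range from the reference
KEYLIFE_SECONDS = (120, 172800)            # keylifeseconds range from the reference
DH_GROUPS = {"1", "2", "5"}                # dhgrp values from the syntax block
DEFAULTS = {                               # FortiOS v4.0 defaults listed in the table
    "proposal": "aes128-sha1 3des-sha1",
    "keylife-type": "seconds",
    "keylifekbs": "5120",
    "keylifeseconds": "1800",
    "dhgrp": "5",
    "pfs": "enable",
    "replay": "enable",
}


def parse_phase2(text):
    """Parse CLI text into {tunnel_name: {keyword: value}}.

    Only the edit/set/next/end grammar of the reference's examples is handled;
    values keep their internal spacing so multi-proposal lists survive intact.
    """
    tunnels, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line.split(None, 1)[1]
            tunnels[current] = {}
        elif line.startswith("set ") and current is not None:
            parts = line.split(None, 2)
            if len(parts) == 3:
                tunnels[current][parts[1]] = parts[2]
        elif line in ("next", "end"):
            current = None
    return tunnels


def valid_proposal(combo):
    """True if combo is one of the documented <encryption>-<digest> pairs."""
    enc, _, dig = combo.partition("-")
    # null-null was removed in FortiOS v3.0 MR5 (see History above)
    return enc in ENCRYPTION and dig in DIGEST and combo != "null-null"


def audit_tunnel(settings):
    """Return a list of findings for one phase 2 entry; an empty list means clean."""
    cfg = {**DEFAULTS, **settings}
    findings = []
    if "phase1name" not in cfg:
        findings.append("phase1name is required")
    proposals = cfg["proposal"].split()
    if not 1 <= len(proposals) <= 3:
        findings.append(f"proposal must list 1 to 3 combinations, got {len(proposals)}")
    for combo in proposals:
        if not valid_proposal(combo):
            findings.append(f"unknown proposal {combo}")
        elif WEAK_PARTS & set(combo.split("-")):
            findings.append(f"weak proposal {combo}")
    if cfg["keylife-type"] in ("kbs", "both"):
        kbs = int(cfg["keylifekbs"])
        if not KEYLIFE_KBS[0] <= kbs <= KEYLIFE_KBS[1]:
            findings.append(f"keylifekbs {kbs} outside {KEYLIFE_KBS}")
    if cfg["keylife-type"] in ("seconds", "both"):
        secs = int(cfg["keylifeseconds"])
        if not KEYLIFE_SECONDS[0] <= secs <= KEYLIFE_SECONDS[1]:
            findings.append(f"keylifeseconds {secs} outside {KEYLIFE_SECONDS}")
    if cfg["dhgrp"] not in DH_GROUPS:
        findings.append(f"dhgrp {cfg['dhgrp']} is not one of 1, 2, 5")
    for flag in ("pfs", "replay"):
        if cfg[flag] != "enable":
            findings.append(f"{flag} is disabled")
    return findings


def audit(text):
    """Audit every tunnel in a config block: {tunnel_name: [findings]}."""
    return {name: audit_tunnel(cfg) for name, cfg in parse_phase2(text).items()}


# Constructed sample: the reference's New_Tunnel example plus a second tunnel
# with out-of-range keylife values and replay detection turned off.
SAMPLE_CONFIG = """\
config vpn ipsec phase2
    edit New_Tunnel
        set phase1name Simple_GW
        set proposal 3des-sha1 aes256-sha1 des-md5
        set keylife-type seconds
        set keylifeseconds 18001
        set dhgrp 2
        set replay enable
        set pfs enable
        set keepalive enable
    next
    edit Weak_Tunnel
        set phase1name Simple_GW
        set proposal aes128-null
        set keylife-type both
        set keylifekbs 1024
        set keylifeseconds 60
        set replay disable
    next
end
"""

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, "->", findings or ["ok"])
```

Run against a saved `show vpn ipsec phase2` capture, the script reports one line per tunnel; New_Tunnel from the example above is flagged only for its des-md5 proposal, which the remote peer may still select because any one of the listed proposals is acceptable.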
ipsec phase2-interface
Use this command to add a phase 2 configuration for a route-based (interface mode) IPSec tunnel or edit an existing interface-mode phase 2 configuration. This command is available only in NAT/Route mode.
Syntax
    config vpn ipsec phase2-interface
        edit <tunnel_name>
            set auto-negotiate {enable | disable}
            set dhcp-ipsec {disable | enable}
            set dhgrp {1 | 2 | 5}
            set dst-addr-type <type>
            set dst-end-ip <address_ipv4>
            set dst-end-ip6 <address_ipv6>
            set dst-name <address_name>
            set dst-port <destination_port_number>
            set dst-start-ip <address_ipv4>
            set dst-start-ip6 <address_ipv6>
            set dst-subnet <address_ipv4mask>
            set dst-subnet6 <address_ipv6mask>
            set keepalive {disable | enable}
            set keylife-type <keylife_type>
            set keylifekbs <kb_integer>
            set keylifeseconds <seconds>
            set pfs {disable | enable}
            set phase1name <gateway_name>
            set proposal <encryption_combination>
            set protocol <protocol_integer>
            set replay {disable | enable}
            set route-overlap {overlap_option}
            set single-source {disable | enable}
            set src-addr-type <ip_source_name>
            set src-end-ip <address_ipv4>
            set src-end-ip6 <address_ipv6>
            set src-name <address_name>
            set src-port <source_port_number>
            set src-start-ip <address_ipv4>
            set src-start-ip6 <address_ipv6>
            set src-subnet <address_ipv4mask>
            set src-subnet6 <address_ipv6mask>
        end
Note: The phase1name keyword is required. All other keywords are optional.
Variables Description Default
edit <tunnel_name>
    Enter a name for the phase 2 tunnel configuration.
    No default.
auto-negotiate {enable | disable}
    Enable to negotiate the phase 2 security association (SA) automatically, even if there is no traffic. This repeats every five seconds until it succeeds.
    You can use this option on a dialup peer to ensure that the tunnel is available for peers at the server end to initiate traffic to the dialup peer. Otherwise, the tunnel does not exist until the dialup peer initiates traffic.
    Default: disable
dhcp-ipsec {disable | enable}
    This keyword is available when phase1name names a dialup gateway configuration.
    Enable dhcp-ipsec if the FortiGate unit acts as a dialup server and FortiGate DHCP relay will be used to assign VIP addresses to FortiClient dialup clients. The DHCP relay parameters must be configured separately.
    If you configure the DHCP server to assign IP addresses based on RADIUS user group attributes, you must also set the peertype to dialup and specify the usrgrp in vpn ipsec phase1.
    For information about how to configure a DHCP server on a FortiGate interface, see system dhcp server on page 349. For information about FortiGate DHCP relay, see system interface on page 387.
    If the FortiGate unit acts as a dialup server and you manually assigned FortiClient dialup clients VIP addresses that match the network behind the dialup server, enable dhcp-ipsec to cause the FortiGate unit to act as a proxy for the dialup clients.
    Default: disable
dhgrp {1 | 2 | 5}
    Type 1, 2 or 5 to select the Diffie-Hellman group to propose for Phase 2 of the IPSec VPN connection. Both VPN peers must use the same DH Group.
    Default: 5
dst-addr-type <type>
    Enter the type of destination address that corresponds to the recipient(s) or network behind the remote VPN peer or FortiGate dialup client:
        To specify the IPv4 IP address of a server or host, type ip. Enter the IP address using the dst-start-ip keyword.
        To specify the IPv6 IP address of a server or host, type ip6. Enter the IP address using the dst-start-ip6 keyword.
        To specify a range of IPv4 IP addresses, type range. Enter the starting and ending addresses using the dst-start-ip and dst-end-ip keywords.
        To specify a range of IPv6 IP addresses, type range6. Enter the starting and ending addresses using the dst-start-ip6 and dst-end-ip6 keywords.
        To specify an IPv4 network address, type subnet. Enter the network address using the dst-subnet keyword.
        To specify an IPv6 network address, type subnet6. Enter the network address using the dst-subnet6 keyword.
        To specify an address defined in a firewall address or address group, type name. Enter the address name using the dst-name keyword. You must also select the name option for src-addr-type. This is available only for IPv4 addresses.
    Default: subnet
dst-end-ip <address_ipv4>
    This keyword is available when dst-addr-type is set to range.
    Enter the highest destination IP address in the range of IP addresses.
    Default: 0.0.0.0
dst-end-ip6 <address_ipv6>
    This keyword is available when dst-addr-type is set to range6.
    Enter the highest destination IP address in the range of IP addresses.
    Default: ::
dst-name <address_name>
    This keyword is available when dst-addr-type is set to name. Enter the firewall address or address group name.
    No default.
dst-port <destination_port_number>
    Enter the port number that the remote VPN peer or FortiGate dialup client uses to transport traffic related to the specified service (see protocol). The range is 1 to 65535. To specify all ports, type 0.
    Default: 0
dst-start-ip <address_ipv4>
    This keyword is available when dst-addr-type is set to range.
    Enter the lowest destination IP address in the range of IP addresses.
    Default: 0.0.0.0
dst-start-ip6 <address_ipv6>
    This keyword is available when dst-addr-type is set to range6.
    Enter the lowest destination IP address in the range of IP addresses.
    Default: ::
dst-subnet <address_ipv4mask>
    Enter the IPv4 IP address and network mask that identifies the private network behind the remote VPN peer or FortiGate dialup client.
    Default: 0.0.0.0 0.0.0.0
dst-subnet6 <address_ipv6mask>
    Enter the IPv6 IP address and network mask that identifies the private network behind the remote VPN peer or FortiGate dialup client.
    Default: ::/0
keepalive {disable | enable}
    Enable to automatically negotiate a new phase 2 security association (SA) before the current SA expires, keeping the tunnel up. Otherwise, a new SA is negotiated only if there is traffic.
    Default: disable
keylife-type <keylife_type>
    Set when the phase 2 key expires. When the key expires, a new key is generated without interrupting service.
    To make the key expire after a period of time has elapsed and after an amount of data is transmitted, type both.
    To make the key expire after an amount of data is transmitted, type kbs. Use the keylifekbs keyword to set the amount of data that is transmitted.
    To make the key expire after a number of seconds elapses, type seconds. Use the keylifeseconds keyword to set the amount of time that elapses.
    Default: seconds
keylifekbs <kb_integer>
    This keyword is available when keylife-type is set to kbs or both.
    Set the number of KBytes of data to transmit before the phase 2 key expires. The range is 5120 to 99999 KBytes.
    Default: 5120
keylifeseconds <seconds>
    This keyword is available when keylife-type is set to seconds or both.
    Set the number of seconds to elapse before the phase 2 key expires. seconds can be 120 to 172800 seconds.
    Default: 1800
pfs {disable | enable}
    Optionally, enable or disable perfect forward secrecy (PFS). PFS ensures that each key created during Phase 2 is unrelated to keys created during Phase 1 or to other keys created during Phase 2. PFS may cause minor delays during key generation.
    Default: enable
phase1name <gateway_name>
    Enter a phase 1 gateway configuration name. You must add the phase 1 gateway definition to the FortiGate configuration before it can be cross-referenced.
    Default: Null.
proposal <encryption_combination>
    Enter a minimum of one and a maximum of three encryption-message digest combinations (for example, 3des-md5). The remote peer must be configured to use at least one of the proposals that you define. Use a space to separate the combinations.
    You can enter any of the following encryption-message digest combinations:
        3des-md5
        3des-null
        3des-sha1
        aes128-md5
        aes128-null
        aes128-sha1
        aes192-md5
        aes192-null
        aes192-sha1
        aes256-md5
        aes256-null
        aes256-sha1
        des-md5
        des-null
        des-sha1
        null-md5
        null-sha1
    Here is an explanation of the abbreviated encryption algorithms:
        null     Do not use an encryption algorithm.
        des      Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
        3des     Triple-DES, which encrypts data three times by three keys.
        aes128   A 128-bit block algorithm that uses a 128-bit key.
        aes192   A 128-bit block algorithm that uses a 192-bit key.
        aes256   A 128-bit block algorithm that uses a 256-bit key.
    You can enter either of the following message digests to check the authenticity of messages during an encrypted session:
        null     Do not use a message digest.
        md5      Message Digest 5, the hash algorithm developed by RSA Data Security.
        sha1     Secure Hash Algorithm 1, which produces a 160-bit message digest.
    Default: aes128-sha1 3des-sha1
protocol <protocol_integer>
    This keyword is available when selector is set to specify.
    Enter the IP protocol number for the service. The range is 1 to 255. To specify all services, type 0.
    Default: 0
replay {disable | enable}
    Optionally, enable or disable replay detection. Replay attacks occur when an unauthorized party intercepts a series of IPSec packets and replays them back into the tunnel. Enable replay detection to check the sequence number of every IPSec packet to see if it has been received before. If packets arrive out of sequence, the FortiGate unit discards them.
    You can configure the FortiGate unit to send an alert email when it detects a replay packet. See alertemail on page 65.
    Default: enable
route-overlap {overlap_option}
    Specify how the FortiGate unit handles multiple dialup users with the same IP source address. Set overlap_option to one of the following:
        allow     allow overlapping routes
        use-new   delete the old route and add the new route
        use-old   use the old route and do not add the new route
    Default: use-new
single-source {disable | enable}
    Enable to allow all FortiClient dialup clients to connect using the same phase 2 tunnel definition.
    Default: disable
src-addr-type <ip_source_name>
    If the FortiGate unit is a dialup server, enter the type of source address that corresponds to the local sender(s) or network behind the FortiGate dialup server:
        To specify the IPv4 IP address of a server or host, type ip. Enter the IP address using the src-start-ip keyword.
        To specify the IPv6 IP address of a server or host, type ip6. Enter the IP address using the src-start-ip6 keyword.
        To specify a range of IPv4 IP addresses, type range. Enter the starting and ending addresses using the src-start-ip and src-end-ip keywords.
        To specify a range of IPv6 IP addresses, type range6. Enter the starting and ending addresses using the src-start-ip6 and src-end-ip6 keywords.
        To specify an IPv4 network address, type subnet. Enter the network address using the src-subnet keyword.
        To specify an IPv6 network address, type subnet6. Enter the network address using the src-subnet6 keyword.
        To specify an address defined in a firewall address or address group, type name. Enter the address name using the src-name keyword. You must also select the name option for dst-addr-type. This is available only for IPv4 addresses.
    If the FortiGate unit is a dialup client, src-addr-type must refer to the server(s), host(s), or private network behind the FortiGate dialup client.
    Default: subnet
src-end-ip <address_ipv4>
    This keyword is available when src-addr-type is set to range.
    Enter the highest source IP address in the range of IP addresses.
    Default: 0.0.0.0
src-end-ip6 <address_ipv6>
    This keyword is available when src-addr-type is set to range6.
    Enter the highest source IP address in the range of IP addresses.
    Default: ::
src-name <address_name>
    This keyword is available when src-addr-type is set to name. Enter the firewall address or address group name.
src-port <source_port_number>
    If the FortiGate unit is a dialup server, enter the port number that the FortiGate dialup server uses to transport traffic related to the specified service (see protocol). If the FortiGate unit is a dialup client, enter the port number that the FortiGate dialup client uses to transport traffic related to the specified service. The src-port range is 1 to 65535. To specify all ports, type 0.
    Default: 0
src-start-ip <address_ipv4>
    This keyword is available when src-addr-type is set to range.
    Enter the lowest source IP address in the range of IP addresses.
    Default: 0.0.0.0
src-start-ip6 <address_ipv6>
    This keyword is available when src-addr-type is set to range6.
    Enter the lowest source IP address in the range of IP addresses.
    Default: ::
src-subnet <address_ipv4mask>
    If the FortiGate unit is a dialup server, enter the IPv4 IP address and network mask that identifies the private network behind the FortiGate dialup server. If the FortiGate unit is a dialup client, enter the IP address and network mask that identifies the private network behind the FortiGate dialup client.
    Default: 0.0.0.0 0.0.0.0
src-subnet6 <address_ipv6mask>
    If the FortiGate unit is a dialup server, enter the IPv6 IP address and network mask that identifies the private network behind the FortiGate dialup server. If the FortiGate unit is a dialup client, enter the IP address and network mask that identifies the private network behind the FortiGate dialup client.
    Default: ::/0
Example
Use the following command to add a route-based (interface mode) phase 2 configuration with the following characteristics:
    Name: Interface_Tunnel
    Phase 1 name: Interface_GW
    Encryption and authentication proposal: 3des-sha1 aes256-sha1 des-md5
    Keylife type: seconds
    Keylife seconds: 18001
    Diffie-Hellman group: 2
    Replay detection: enable
    Perfect forward secrecy: enable
    Keepalive: enable
    config vpn ipsec phase2-interface
        edit Interface_Tunnel
            set phase1name Interface_GW
            set proposal 3des-sha1 aes256-sha1 des-md5
            set keylife-type seconds
            set keylifeseconds 18001
            set dhgrp 2
            set replay enable
            set pfs enable
            set keepalive enable
        end
History
FortiOS v3.0         New
FortiOS v3.0 MR3     Added src-addr-type name, src-name, dst-addr-type name, dst-name.
FortiOS v3.0 MR5     Removed null-null option from proposal keyword. Added ip6, range6, subnet6 options to src-addr-type keyword. Added dst-end-ip6, dst-start-ip6, dst-subnet6, src-end-ip6, src-start-ip6, src-subnet6 keywords.
FortiOS v4.0.0       Added dhcp-ipsec keyword. Changed default value of proposal to aes128-sha1 3des-sha1. Changed default value of pfs and replay to enable.
Related topics
    vpn ipsec phase1-interface
    alertemail setting
    firewall policy, policy6
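The replay keyword, in both the phase2 and the phase2-interface tables, describes replay detection as a check of each IPSec packet's sequence number to see whether it has been received before. The following Python class is an added example, not FortiGate's implementation, of the standard way such a check is built: the ESP-style anti-replay sliding window (RFC 4303), which tracks the highest sequence number accepted so far plus a bitmap of recently accepted numbers below it. It goes a little beyond the table's wording in that it tolerates mild reordering inside the window while still dropping exact duplicates and anything older than the window; the window size of 64 and the sample arrival order are this example's own assumptions.

```python
"""ESP-style anti-replay window (RFC 4303 model).

Added example, not FortiGate code. Each IPSec packet carries an increasing
sequence number; the receiver remembers which numbers it has already accepted
so that a captured-and-resent packet is recognised and dropped.
"""


class ReplayWindow:
    """Sliding window anchored at the highest accepted sequence number.

    Bit i of the bitmap records whether sequence number (highest - i) has
    already been accepted. The size (64 here) is an assumption of this example.
    """

    def __init__(self, size=64):
        self.size = size
        self.highest = 0     # highest sequence number accepted so far
        self.bitmap = 0      # bit i set => highest - i already accepted

    def check(self, seq):
        """Return True if seq is fresh and accepted, False if it must be dropped."""
        if seq <= 0:
            return False     # ESP sequence numbers start at 1
        if seq > self.highest:
            # Advance the window; bits shifted past the size are forgotten.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False     # too old to judge, so treated as a replay
        if (self.bitmap >> offset) & 1:
            return False     # seen before: a replayed packet
        self.bitmap |= 1 << offset
        return True


def filter_packets(sequence_numbers, size=64):
    """Run a stream of sequence numbers through one window.

    Returns (accepted, dropped) as lists in arrival order.
    """
    window = ReplayWindow(size)
    accepted, dropped = [], []
    for seq in sequence_numbers:
        (accepted if window.check(seq) else dropped).append(seq)
    return accepted, dropped


# Constructed arrival order: mild reordering (3 before 2), two replays of
# packets already seen, a large jump, then one packet that fell outside the window.
SAMPLE_STREAM = [1, 3, 2, 2, 3, 100, 36, 37]

if __name__ == "__main__":
    ok, drop = filter_packets(SAMPLE_STREAM)
    print("accepted:", ok)    # [1, 3, 2, 100, 37]
    print("dropped: ", drop)  # [2, 3, 36]
```

Packet 2 arriving after packet 3 is accepted because it lies inside the window and has not been seen; the second copies of 2 and 3 are dropped as replays, and packet 36 is dropped because, after packet 100 moved the window, it is 64 numbers behind and can no longer be distinguished from a replay. An alert on dropped packets is what the alertemail reference in the table provides for operators.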
l2tp
Use this command to enable L2TP and specify a local address range to reserve for remote L2TP clients. When a remote L2TP client connects to the internal network through an L2TP VPN, the client is assigned an IP address from the specified range.
L2TP clients must authenticate with the FortiGate unit when an L2TP session starts. To support L2TP authentication on the FortiGate unit, you must define the L2TP users who need access and then add them to a user group. For more information, see user group on page 490, user ldap on page 495, user local on page 498, and user radius on page 503.
You need to define a firewall policy to control services inside the L2TP tunnel. For more information, see firewall on page 103. When you define the firewall policy:
    Create an external -> internal policy.
    Set the source address to match the L2TP address range.
    Set the destination address to reflect the private address range of the internal network behind the local FortiGate unit.
    Set the policy service(s) to match the type(s) of traffic that L2TP users may generate.
    Set the policy action to accept.
    Enable NAT if required.
Syntax
    config vpn l2tp
        set eip <address_ipv4>
        set sip <address_ipv4>
        set status {disable | enable}
        set usrgrp <group_name>
    end
Caution: FortiGate units support L2TP with Microsoft Point-to-Point Encryption (MPPE) encryption only. Later implementations of Microsoft L2TP for Windows use IPSec and require certificates for authentication and encryption. If you want to use Microsoft L2TP with IPSec to connect to a FortiGate unit, the IPSec and certificate elements must be disabled on the remote client. For more information, see the Disabling Microsoft L2TP for IPSec article in the Fortinet Knowledge Center.
Note: You can configure L2TP VPNs on FortiGate units that run in NAT/Route mode. The commands are available in NAT/Route mode only. When you configure an L2TP address range for the first time, you must enter a starting IP address, an ending IP address, and a user group.
Variables Description Default
eip <address_ipv4>
    The ending IP address of the L2TP address range.
    Default: 0.0.0.0
sip <address_ipv4>
    The starting IP address of the L2TP address range.
    Default: 0.0.0.0
status {disable | enable}
    Enable or disable L2TP VPN.
    Default: disable
usrgrp <group_name>
    This keyword is available when status is set to enable.
    Enter the name of the user group for authenticating L2TP clients. The user group must be added to the FortiGate configuration before it can be specified here. For more information, see user group on page 490, user ldap on page 495, user local on page 498, and user radius on page 503.
    Default: Null.
Example
This example shows how to enable L2TP and set the L2TP address range for the first time using a starting address of 192.168.1.150, an ending address of 192.168.1.160 and an existing group of L2TP users named L2TP_users:
    config vpn l2tp
        set sip 192.168.1.150
        set eip 192.168.1.160
        set status enable
        set usrgrp L2TP_users
    end
History
FortiOS v2.80        Revised
Related topics
    user group
    firewall policy, policy6
pptp
Use this command to enable PPTP and specify a local address range to reserve for remote PPTP clients. When a remote PPTP client connects to the internal network through a PPTP VPN, the client is assigned an IP address from the specified range or from the server defined in the PPTP user group.
PPTP clients must authenticate with the FortiGate unit when a PPTP session starts. To support PPTP authentication on the FortiGate unit, you must define the PPTP users who need access and then add them to a user group. For more information, see user group on page 490, user ldap on page 495, user local on page 498, user radius on page 503, user peer on page 500, and user peergrp on page 502.
You need to define a firewall policy to control services inside the PPTP tunnel. For more information, see firewall on page 103. When you define the firewall policy:
    Create an external -> internal policy.
    Set the source address to match the PPTP address range.
    Set the destination address to reflect the private address range of the internal network behind the local FortiGate unit.
    Set the policy service(s) to match the type(s) of traffic that PPTP users may generate.
    Set the policy action to accept.
    Enable NAT if required.
When you intend to use the FortiGate unit as a PPTP gateway, you can select a PPTP client IP from a local address range or use the server defined in the PPTP user group. You select which method to use for IP address retrieval and, in the case of the user group server, provide the IP address and the user group. The FortiGate unit retrieves the Framed-IP-Address (the actual IP address of the client) from the RADIUS accounting start/stop message when ip-mode is set to usrgrp.
Syntax
    config vpn pptp
        set eip <address_ipv4>
        set ip-mode {range | usrgrp}
        set local-ip {address_localip}
        set sip <address_ipv4>
        set status {disable | enable}
        set usrgrp <group_name>
    end
Note: You can configure PPTP VPNs on FortiGate units that run in NAT/Route mode. The commands are available in NAT/Route mode only. When you configure a PPTP address range for the first time, you must enter a starting IP address, an ending IP address, and a user group.
Variables Description Default
eip <address_ipv4>
    The ending address of the PPTP address range.
    Default: 0.0.0.0
ip-mode {range | usrgrp}
    Select whether the PPTP client IP address is retrieved from the PPTP user group (usrgrp) or selected from the pre-configured IP address range (range).
local-ip {address_localip}
    PPTP server IP address from the PPTP user group.
sip <address_ipv4>
    The starting address of the PPTP IP address range.
    Default: 0.0.0.0
status {disable | enable}
    Enable or disable PPTP VPN.
    Default: disable
usrgrp <group_name>
    This keyword is available when status is set to enable.
    Enter the name of the user group for authenticating PPTP clients. The user group must be added to the FortiGate configuration before it can be specified here. For more information, see user group on page 490, user ldap on page 495, user local on page 498, user radius on page 503, user peer on page 500, and user peergrp on page 502.
    Default: Null.
Example
This example shows how to enable PPTP and set the PPTP address range for the first time using a starting address of 192.168.1.100, an ending address of 192.168.1.130 and an existing group of PPTP users named PPTP_users:
    config vpn pptp
        set sip 192.168.1.100
        set eip 192.168.1.130
        set status enable
        set usrgrp PPTP_users
    end
This example shows how to enable PPTP and set the IP address from the PPTP user group server:
    config vpn pptp
        set ip-mode usrgrp
        set local-ip 172.14.12.14
        set status enable
        set usrgrp PPTP_users
    end
History
FortiOS v2.80        Revised
FortiOS v3.0 MR5     Added links for PKI user and user group (peer and peer group).
FortiOS v4.0         Added information about selecting PPTP IP address from user group. New variables introduced: ip-mode and local-ip.
Related topics
    user group
    firewall policy, policy6
ssl monitor
Use this command to display information about logged in SSL VPN users and current SSL VPN sessions.
Syntax
    get vpn ssl monitor
Output
History
FortiOS v3.0         New.
Related topics
    vpn ssl settings
ssl settings
Use this command to configure basic SSL VPN settings including interface idle-timeout values and SSL encryption preferences. If required, you can also enable the use of digital certificates for authenticating remote clients.
You can optionally specify the IP address of any Domain Name Service (DNS) server and/or Windows Internet Name Service (WINS) server that resides on the private network behind the FortiGate unit. The DNS and/or WINS server will find the IP addresses of other computers whenever a connected SSL VPN user sends an email message or browses the Internet.
Syntax
    config vpn ssl settings
        set algorithm <cipher_suite>
        set auth-timeout <auth_seconds>
        set dns-server1 <address_ipv4>
        set dns-server2 <address_ipv4>
        set idle-timeout <idle_seconds>
        set portal-heading <caption>
        set reqclientcert {disable | enable}
        set route-source-interface {disable | enable}
        set servercert <server_cert_name>
        set sslv2 {disable | enable}
        set sslv3 {disable | enable}
        set sslvpn-enable {disable | enable}
        set tunnel-endip <address_ipv4>
        set tunnel-startip <address_ipv4>
        set url-obscuration {disable | enable}
        set wins-server1 <address_ipv4>
        set wins-server2 <address_ipv4>
    end
When you configure the timeout settings, if you set the authentication timeout (auth-timeout) to 0, the remote client does not have to re-authenticate unless they log out of the system. To take full advantage of this setting, idle-timeout must also be set to 0, so that the client is not timed out when the maximum idle time is reached. If idle-timeout is not set to 0 (infinite), the system logs the client out when the idle limit is reached, regardless of the auth-timeout setting.
Note: You can configure SSL VPNs on FortiGate units that run in NAT/Route mode. The commands are available in NAT/Route mode only.
Note: Set the sslvpn-enable attribute to enable to view all possible settings. The tunnel-endip and tunnel-startip keywords are required for tunnel-mode access only. All other keywords are optional.
Variables Description Default
algorithm <cipher_suite>
    This keyword is available when sslvpn-enable is set to enable.
    Enter one of the following options to determine the level of SSL encryption to use. The web browser
    on the remote client must be capable of matching the level that you specify:
    To use any cipher suite, type low.
    To use a 128-bit or greater cipher suite, type default.
    To use a cipher suite that is greater than 128 bits, type high.
    Default: default
auth-timeout <auth_seconds>
    This keyword is available when sslvpn-enable is set to enable.
    Enter the period of time (in seconds) to control how long an authenticated connection will remain
    connected. When this time expires, the system forces the remote client to authenticate again. Range
    is 10 to 259,200 seconds (3 days). Use the value of 0 to indicate no timeout.
    Default: 1500
dns-server1 <address_ipv4>
    Enter the IP address of the primary DNS server that SSL VPN clients will be able to access after a
    connection has been established. If required, you can specify a secondary DNS server through the
    dns-server2 attribute.
    Default: 0.0.0.0
dns-server2 <address_ipv4>
    Enter the IP address of a secondary DNS server if required.
    Default: 0.0.0.0
idle-timeout <idle_seconds>
    This keyword is available when sslvpn-enable is set to enable.
    Enter the period of time (in seconds) to control how long the connection can remain idle before the
    system forces the remote user to log in again. The range is from 10 to 28800 seconds. Use the value
    of 0 to indicate no timeout.
    Default: 300
portal-heading <caption>
    This keyword is available when sslvpn-enable is set to enable.
    If you want to display a custom caption at the top of the web portal home page, type the message.
    Default: Null.
reqclientcert {disable | enable}
    This keyword is available when sslvpn-enable is set to enable.
    Disable or enable the use of group certificates for authenticating remote clients.
    Default: disable
route-source-interface {disable | enable}
    This keyword is available when sslvpn-enable is set to enable.
    Enable to allow the SSL VPN connection to bypass routing and bind to the incoming interface.
    Default: disable
servercert <server_cert_name>
    This keyword is available when sslvpn-enable is set to enable.
    Enter the name of the signed server certificate that the FortiGate unit will use to identify itself during
    the SSL handshake with a web browser when the web browser connects to the login page. The server
    certificate must already be loaded into the FortiGate configuration. If you do not specify a server
    certificate, the FortiGate unit offers its factory installed (self-signed) certificate from Fortinet to
    remote clients when they connect.
    Default: /etc/server
sslv2 {disable | enable}
    This keyword is available when sslvpn-enable is set to enable.
    Disable or enable SSL version 2 encryption.
    Default: disable
sslv3 {disable | enable}
    This keyword is available when sslvpn-enable is set to enable.
    Disable or enable SSL version 3 encryption.
    Default: enable
sslvpn-enable {disable | enable}
    Disable or enable remote-client access.
    Default: disable
tunnel-endip <address_ipv4>
    This keyword is available when sslvpn-enable is set to enable.
    This attribute is required for tunnel-mode access only. Enter the ending address in the range of IP
    addresses reserved for remote clients.
    Default: 0.0.0.0
tunnel-startip <address_ipv4>
    This keyword is available when sslvpn-enable is set to enable.
    This attribute is required for tunnel-mode access only. Enter the starting address in the range of IP
    addresses reserved for remote clients.
    Default: 0.0.0.0
url-obscuration {disable | enable}
    This keyword is available when sslvpn-enable is set to enable.
    Enable to encrypt the host name of the URL in the display (web address) of the browser for web
    mode only. This is a requirement for ICSA SSL VPN certification. Also, if enabled, bookmark details
    are not visible (field is blank).
    Default: disable
wins-server1 <address_ipv4>
    Enter the IP address of the primary WINS server that SSL VPN clients will be able to access after a
    connection has been established. If required, you can specify a secondary WINS server through the
    wins-server2 attribute.
    Default: 0.0.0.0
wins-server2 <address_ipv4>
    Enter the IP address of a secondary WINS server if required.
    Default: 0.0.0.0
Example
The following command enables the FortiGate unit to assign virtual IP addresses in the 10.10.10.100 to
10.10.10.105 range to authenticated clients (an IP address range is needed to support tunnel-mode
access). The command also sets timeout values for authenticated connections and connection inactivity
respectively.
    config vpn ssl settings
        set sslvpn-enable enable
        set tunnel-startip 10.10.10.100
        set tunnel-endip 10.10.10.105
        set auth-timeout 600
        set idle-timeout 1500
    end
History
FortiOS v3.0 New.
FortiOS v3.0 MR4 Added route-source-interface.
FortiOS v3.0 MR5 Added url-obscuration.
FortiOS v3.0 MR6 Changed values in auth-timeout and idle-timeout to include infinity setting.
FortiOS v3.0 MR7 If url-obscuration is enabled, bookmark details are not visible.
Related topics
system replacemsg sslvpn
execute vpn sslvpn del-tunnel
vpn ssl monitor
user group
firewall policy, policy6
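The following script is an added example and is not FortiOS code or part of this reference. It reads a
config vpn ssl settings block as pasted from a FortiGate unit, layers the values over the defaults listed in
the table above, and reports the combinations the table and the timeout note single out: sslv2 enabled,
algorithm low, auth-timeout and idle-timeout both 0 (a session that never expires), reqclientcert left
disabled, a timeout outside its documented range, and a tunnel-startip without a matching tunnel-endip.
The two configuration samples are constructed for the example; the hardened one reuses the address
range and timeouts from the reference's own example.

```python
"""Audit a 'config vpn ssl settings' block for weak choices.

Added example; this is not FortiOS code. The parser reads only the
'set <keyword> <value>' lines of the block and fills in the defaults the
reference table lists. The findings encode what the reference states:
sslv2 defaults to disable, algorithm low accepts any cipher suite,
auth-timeout 0 together with idle-timeout 0 means a session never
expires, reqclientcert is off unless enabled, the timeouts have fixed
ranges, and tunnel mode needs both tunnel-startip and tunnel-endip."""
import ipaddress
import shlex

# Defaults from the reference table (only the keywords the audit reads).
DEFAULTS = {
    "sslvpn-enable": "disable",
    "algorithm": "default",
    "auth-timeout": "1500",
    "idle-timeout": "300",
    "sslv2": "disable",
    "sslv3": "enable",
    "reqclientcert": "disable",
    "tunnel-startip": "0.0.0.0",
    "tunnel-endip": "0.0.0.0",
}

# Ranges from the reference table; 0 means "no timeout" for both.
RANGES = {"auth-timeout": (10, 259200), "idle-timeout": (10, 28800)}


def parse_ssl_settings(text):
    """Return {keyword: value} for one 'config vpn ssl settings' ... 'end'
    block, layered over DEFAULTS; other config blocks in the text are skipped."""
    settings = dict(DEFAULTS)
    inside = False
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens == ["config", "vpn", "ssl", "settings"]:
            inside = True
        elif inside and tokens[0] == "end":
            inside = False
        elif inside and tokens[0] == "set" and len(tokens) >= 3:
            settings[tokens[1]] = " ".join(tokens[2:])
    return settings


def timeout_in_range(keyword, value):
    """True if a timeout is 0 (no timeout) or within the reference's range."""
    low, high = RANGES[keyword]
    try:
        seconds = int(value)
    except ValueError:
        return False
    return seconds == 0 or low <= seconds <= high


def audit_ssl_settings(settings):
    """Return [(keyword, finding), ...]; an empty list means nothing to report."""
    findings = []
    if settings["sslvpn-enable"] != "enable":
        return findings  # the portal is off; the other keywords are inert
    if settings["sslv2"] == "enable":
        findings.append(("sslv2", "SSL 2.0 is enabled; the reference default is disable"))
    if settings["algorithm"] == "low":
        findings.append(("algorithm", "low accepts any cipher suite; use default or high"))
    for keyword in RANGES:
        if not timeout_in_range(keyword, settings[keyword]):
            findings.append((keyword, "outside the range %d-%d or 0" % RANGES[keyword]))
    if settings["auth-timeout"] == "0" and settings["idle-timeout"] == "0":
        findings.append(("auth-timeout", "0 with idle-timeout 0: sessions never expire"))
    if settings["reqclientcert"] != "enable":
        findings.append(("reqclientcert", "client certificates are not required"))
    start, end = settings["tunnel-startip"], settings["tunnel-endip"]
    if (start == "0.0.0.0") != (end == "0.0.0.0"):
        findings.append(("tunnel-startip", "tunnel mode needs both tunnel-startip and tunnel-endip"))
    elif start != "0.0.0.0" and ipaddress.IPv4Address(end) < ipaddress.IPv4Address(start):
        findings.append(("tunnel-endip", "tunnel-endip is below tunnel-startip"))
    return findings


# Constructed sample configurations for the demonstration.
WEAK = """\
config vpn ssl settings
    set sslvpn-enable enable
    set sslv2 enable
    set algorithm low
    set auth-timeout 0
    set idle-timeout 0
    set tunnel-startip 10.10.10.100
end
"""

HARDENED = """\
config vpn ssl settings
    set sslvpn-enable enable
    set algorithm high
    set reqclientcert enable
    set tunnel-startip 10.10.10.100
    set tunnel-endip 10.10.10.105
    set auth-timeout 600
    set idle-timeout 1500
end
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_ssl_settings(parse_ssl_settings(cfg)))
```

The block only inspects keywords that appear in the table; a full configuration backup can be fed in
unchanged, since lines outside the config vpn ssl settings block are ignored.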
ssl web portal
The SSL VPN Service portal allows you to access network resources through a secure channel using a
web browser. FortiGate administrators can configure login privileges for system users and which network
resources are available to the users, such as HTTP/HTTPS, telnet, FTP, SMB/CIFS, VNC, RDP and SSH.
The portal configuration determines what the system user sees when they log in to the FortiGate unit. Both
the system administrator and the system user have the ability to customize the SSL VPN portal.
There are three pre-defined default web portal configurations available:
full-access: Includes all widgets available to the user - Session Information, Connection Tool,
Bookmarks, and Tunnel Mode.
tunnel-access: Includes Session Information and Tunnel Mode widgets.
web-access: Includes Session Information and Bookmarks widgets.
These pre-defined portal configurations can be edited, including their names.
Syntax
    config vpn ssl web portal
        edit <portal_name>
            set allow-access <allow_access>
            set cache-clean {disable | enable}
            set client-check-type <forticlient | none | third-party>
            set heading <str_heading>
            set layout <double-column | single-column>
            set os-check {disable | enable}
            set redir-url <redir_url>
            set theme <blue | gray | orange>
            set virtual-desktop {disable | enable}
            config widget
                edit id <widget_id>
                    set name <name_str>
                    set type <widget_type>
                    set column <column_number>
                    set collapse {disable | enable}
                    set allow-apps <service_type_access>
                    set tunnel-status {disable | enable}
                    set split-tunneling {disable | enable}
                    set start-ip <start_ip>
                    set end-ip <end_ip>
                    set ip-mode {range | usrgrp}
                    config bookmarks
                        edit name <bookmark_name>
                            set apptype <service_type>
                            set url <target_ip>
                            set host <host_name>
                            set folder <folder_name>
                            set description <description_txt>
                        end
                    end
                end
            end
    end
Variables Description Default
edit <str_portal_name>
    Enter a name for the portal.
    Three pre-defined web portal configurations exist: full-access, tunnel-access, and web-access.
    No default.
allow-access <allow_access>
    Allow access to SSL VPN applications.
    Type ftp for FTP services.
    Type rdp for Windows Terminal services.
    Type smb for SMB/CIFS (Windows file share) services.
    Type ssh for SSH services.
    Type telnet for telnet services.
    Type vnc for VNC services.
    Type web for HTTP and/or HTTPS services.
    No default.
cache-clean {disable | enable}
    Enable the FortiGate unit to remove residual information from the remote client computer just before
    the SSL VPN session ends. This is done with a downloaded ActiveX control or
    Default: disable
client-check-type <forticlient | none | third-party>
    Enter the method used to determine whether a client is permitted to connect to the network:
    none enables a client to connect to the SSL VPN session without determining whether any antivirus
    or firewall applications are installed.
    forticlient allows a client to connect to the SSL VPN session only if they are running FortiClient.
    third-party allows a client to connect to the SSL VPN session only if they are running a third party
    antivirus or firewall application.
    Default: none
heading <str_heading>
    Enter the caption that appears at the top of the web portal home page.
    Default: null
layout <double-column | single-column>
    Select the number of columns in the portal display.
    Default: single-column
os-check {disable | enable}
    Enable the FortiGate unit to determine what action to take depending on what operating system the
    client has.
    Default: disable
redir-url <redir_url>
    Enter the URL of the web page which will enable the FortiGate unit to display a second HTML page in
    a popup window when the web portal home page is displayed. The web server for this URL must
    reside on the private network behind the FortiGate unit.
    Default: null
theme <blue | gray | orange>
    Select the portal display theme (color).
    Default: blue
virtual-desktop {disable | enable}
    Enable the SSL VPN virtual desktop client application. If set to enable on the client, attempts to
    connect via SSL VPN are refused.
    Default: disable
Widget variables
id <widget_id>
    Enter the unique ID number of the widget.
    No default.
name <name_str>
    Enter the name for the widget. Maximum 36 characters.
    Default: null
type <widget_type>
    Enter the type of widget: bookmark, info, tool or tunnel.
    Default: bookmark
column <column_number>
    Enter the number of columns in the widget display: one or two.
    Default: one
collapse {disable | enable}
    Enable the widget to expand in the web portal view. Allows the user to make changes to the widget
    view/configuration.
    Default: disable
allow-apps <service_type_access>
    Enter the identifier of the service permitted SSL VPN access:
    Type ftp for FTP services.
    Type rdp for Windows Terminal services.
    Type smb for SMB/CIFS (Windows file share) services.
    Type ssh for SSH services.
    Type telnet for telnet services.
    Type vnc for VNC services.
    Type web for HTTP and/or HTTPS services.
    No default.
tunnel-status {disable | enable}
    Enable the ability of the FortiGate unit to configure SSL VPN tunnel setup for users. Applicable to
    the tunnel widget only.
    Default: disable
split-tunneling {disable | enable}
    Enable split tunneling. Split tunneling ensures that only the traffic for the private network is sent to
    the SSL VPN gateway. Internet traffic is sent through the usual unencrypted route. Available only if
    tunnel-status is enabled.
    Default: disable
start-ip <start_ip>
    Enter the starting IP address for the split tunnel range. Available only if tunnel-status is enabled.
    Default: 0.0.0.0
end-ip <end_ip>
    Enter the ending IP address for the split tunnel range. Available only if tunnel-status is enabled.
    Default: 0.0.0.0
ip-mode {range | usrgrp}
    Select the mode by which the IP address is assigned to the user. Available only if tunnel-status is
    enabled.
    Default: range
Bookmarks variables
name <bookmark_name>
    Enter the unique name of the bookmark. Maximum 36 characters.
    Default: null
apptype <service_type>
    Enter the identifier of the service to associate with the bookmark:
    Type ftp for FTP services.
    Type rdp for Windows Terminal services.
    Type smb for SMB/CIFS (Windows file share) services.
    Type ssh for SSH services.
    Type telnet for telnet services.
    Type vnc for VNC services.
    Type web for HTTP and/or HTTPS services.
    Default: web
url <target_ip>
    Enter the URL of the web page, if apptype is web.
    No default.
host <host_name>
    Enter the host name, if apptype is telnet or rdp. Maximum 36 characters.
    No default.
folder <folder_name>
    Enter the remote folder name, if apptype is smb or ftp. The folder name must include the server
    name, //172.20.120.103/myfolder, for example.
    No default.
description <description_txt>
    Enter a description of the bookmark. Maximum 129 characters.
    Default: null
History
FortiOS v4.0 New.
Related topics
vpn ssl settings
wanopt
Use these commands to configure FortiGate WAN optimization.
auth-group
cache-storage
iscsi
peer
rule
settings
ssl-server
storage
webcache
auth-group
Use this command to configure WAN optimization authentication groups. Add authentication groups to
support authentication and secure tunneling between WAN optimization peers.
Syntax
    config wanopt auth-group
        edit <auth_group_name>
            set auth-method {cert | psk}
            set cert <certificate_name>
            set peer <peer_host_id>
            set peer-accept {any | defined | one}
            set psk <preshared_key>
    end
Variables Description Default
edit <auth_group_name>
    Enter a name for the authentication group.
auth-method {cert | psk}
    Specify the authentication method for the authentication group. Enter cert to authenticate using a
    certificate. Enter psk to authenticate using a preshared key.
    Default: cert
cert <certificate_name>
    If auth-method is set to cert, select the local certificate to be used by the peers in this
    authentication group. The certificate must be a local certificate added to the FortiGate unit using the
    config vpn certificate local command. For more information, see vpn certificate local on page 511.
peer <peer_host_id>
    If peer-accept is set to one, select the name of one peer to add to this authentication group. The
    peer must have been added to the FortiGate unit using the config wanopt peer command.
peer-accept {any | defined | one}
    Specify whether the authentication group can be used for any peer, only the defined peers that have
    been added to the FortiGate unit configuration, or just one peer. If you specify one, use the peer
    keyword to add the name of the peer to the authentication group.
    Default: any
psk <preshared_key>
    If auth-method is set to psk, enter a preshared key to be used for the authentication group.
Example
This example shows how to add an authentication group named auth_grp_1 that uses a certificate
named Example_Cert and can be used to authenticate all peers added to the FortiGate unit
configuration:
    config wanopt auth-group
        edit auth_grp_1
            set auth-method cert
            set cert Example_Cert
            set peer-accept defined
    end
History
FortiOS v4.0 New.
Related commands
wanopt cache-storage
wanopt iscsi
wanopt peer
wanopt rule
wanopt settings
wanopt ssl-server
wanopt storage
wanopt webcache
cache-storage
Using the execute scsi-dev storage command you can add multiple WAN optimization storages
and then use the config wanopt cache-storage command to configure the storages to use for byte
caching and web caching. A storage defines the maximum size of the byte caching or web caching
database added to the storage.
Unless you have special requirements, you do not need to change cache-storage settings unless you
add iSCSI support or otherwise want to use more than one SCSI device for WAN optimization.
You can use the show wanopt storage command to view the WAN optimization storages that you have
added using the execute scsi-dev storage command. You can also use the config wanopt
storage command to change the storage sizes.
For more information about the execute scsi-dev command, see execute scsi-dev on page 656.
Syntax
    config wanopt cache-storage
        set byte-cache-storage <storage_name_str>
        set web-cache-storage <storage_name_str>
    end
Variables Description Default
byte-cache-storage <storage_name_str>
    Select the WAN optimization storage to use for byte caching.
    Default: default
web-cache-storage <storage_name_str>
    Select the WAN optimization storage to use for web caching.
    Default: default
Example WAN optimization iSCSI configuration
This example shows how to configure FortiGate WAN optimization to use iSCSI for the topology shown in
Figure 5. The example describes adding the iSCSI server, creating a 40 Gbyte partition on the iSCSI
server, adding 15 Gbyte and 25 Gbyte WAN optimization storages to the partition, and using the 15 Gbyte
storage for web caching and the 25 Gbyte storage for byte caching.
Figure 5: FortiGate unit and iSCSI server topology
(Figure not reproduced: the FortiGate unit reaches the iSCSI Server at 192.168.20.100 across the Network.)
1 Enter the following command to add the iSCSI server to the FortiGate configuration.
    config wanopt iscsi
        set first-target 192.168.20.100
    end
If required you can also change the TCP port used for iSCSI. The default iSCSI port is TCP 3260. It is
also common for some iSCSI servers to use TCP 860. If required, use the following command to
change the iSCSI port to 860:
    config wanopt iscsi
        set iscsi-port 860
    end
2 Enter the following command to view the SCSI devices that the FortiGate unit can save data to
(example output shown, actual output should be similar):
    # execute scsi-dev list
    Device 1 74.5 GB ref: 0 (Vendor: ATA Model: FUJITSU MHW2080B? Rev: 000)
      partition 1 74.5 GB ref: 1 label: <none>
    Device 2 60.3 GB ref: 16 (Vendor: IET Model: VIRTUAL-DISK Rev: 0)
In the example output, Device 1 is a FortiGate-ASM-S08 and Device 2 is the iSCSI device added in
step 1.
3 Enter the following command to create the 40 Gbyte partition on the iSCSI device.
    execute scsi-dev partition create 16 40000
    Partition is created on /dev/sdc with file system; size: 40000MB
4 Enter the following command to display the new partition:
    # execute scsi-dev list
    Device 1 74.5 GB ref: 0 (Vendor: ATA Model: FUJITSU MHW2080B? Rev: 000)
      partition 1 74.5 GB ref: 1 label: <none>
    Device 2 60.3 GB ref: 16 (Vendor: IET Model: VIRTUAL-DISK Rev: 0)
      partition 1 39.1 GB ref: 17 label: <none>
The command adds partition ref 17 to the device ref 16. The actual size of the partition is 39.1 GBytes.
5 Enter the following command to add a WAN optimization storage named web_cache_sto to be used
for web caching. The command adds the WAN optimization storage to partition reference 17.
    execute scsi-dev storage 17 15000 web_cache_sto
    Relabeling partition 17 (sdb2), current label: <none>
    Partition labeled as 77A2A1AB1D0EF8B7
    Storage created; size: 15000MB signature: web_cache_sto-77A2A1AB1D0EF8B7
See About partition labels on page 568 for more information about adding storages to a partition.
6 Enter the following command to add a WAN optimization storage named byte_cache_sto to be used
for byte caching. The command adds the WAN optimization storage to partition reference 17.
    execute scsi-dev storage 17 24999 byte_cache_sto
    Storage created; size: 24999MB signature: byte_cache_sto-77A2A1AB1D0EF8B7
Note: If you set the storage to 25000 the following error message appears:
    The space left to define more storages on this partition: 24999MB
    Command fail. Return code -39
You cannot list these WAN optimization storages using the execute scsi-dev command. Instead,
you can use the following command to list the WAN optimization storages that you have added:
    get wanopt storage
    == [ web_cache_sto ]
    name: web_cache_sto partition-label: 77A2A1AB1D0EF8B7 partition-size: 39999
    storage-size: 15000
    == [ byte_cache_sto ]
    name: byte_cache_sto partition-label: 77A2A1AB1D0EF8B7 partition-size: 39999
    storage-size: 24999
7 Enter the following commands to configure web caching to use the web_cache_sto storage and byte
caching to use the byte_cache_sto storage.
    config wanopt cache-storage
        set web-cache-storage web_cache_sto
        set byte-cache-storage byte_cache_sto
    end
About partition labels
The first time you add a storage to a partition using the execute scsi-dev storage command the
partition is labelled with a random string (in the above example 77A2A1AB1D0EF8B7). This label is used
for all storages added to a given partition. A different label is created for each partition. The labels appear
when you use the execute scsi-dev list command to list the partitions. In the following example, the
label is added to partition reference 17.
    execute scsi-dev list
    Partition is created on /dev/sdb with file system; size: 40000MB
    Device 1 74.5 GB ref: 0 (Vendor: ATA Model: FUJITSU MHW2080B? Rev: 000)
      partition 1 74.5 GB ref: 1 label: <none>
    Device 2 60.3 GB ref: 16 (Vendor: IET Model: VIRTUAL-DISK Rev: 0)
      partition 1 39.1 GB ref: 17 label: 77A2A1AB1D0EF8B7
History
FortiOS v4.0 New.
Related commands
execute scsi-dev
wanopt auth-group
wanopt iscsi
wanopt peer
wanopt rule
wanopt settings
wanopt ssl-server
wanopt storage
wanopt webcache
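The following script is an added example and is not FortiOS code or part of this reference. It reads the
get wanopt storage output format shown in steps 5 and 6 above and applies the sizing rule the Note
illustrates: every storage created on a partition shares that partition's label, the storage sizes on one label
cannot exceed its partition-size, and so after a 15000 MB storage on a 39999 MB partition only 24999 MB
remain and a 25000 MB storage is refused. The sample output is constructed to show the state after step
5, before byte_cache_sto exists, so the planner can replay step 6.

```python
"""Plan WAN optimization storages against a partition's capacity.

Added example; this is not FortiOS code. It reads the text the reference
shows for 'get wanopt storage' (name, partition-label, partition-size and
storage-size, sizes in MB) and applies the rule that the note in the
cache-storage example illustrates: the storages on one partition (one
partition label) cannot exceed its partition-size, so after a 15000 MB
storage on a 39999 MB partition only 24999 MB remain and a 25000 MB
storage is refused. The sample output is constructed for the example."""
import re

# Constructed sample: what 'get wanopt storage' would show after step 5
# of the iSCSI procedure, when only web_cache_sto exists.
SAMPLE_GET_WANOPT_STORAGE = """\
== [ web_cache_sto ]
name: web_cache_sto partition-label: 77A2A1AB1D0EF8B7 partition-size: 39999
storage-size: 15000
"""

FIELD = re.compile(r"(name|partition-label|partition-size|storage-size):\s*(\S+)")


def parse_wanopt_storage(text):
    """Return one dict per '== [ name ]' entry. Field lines can wrap, as in
    the reference output, so fields are collected until the next header."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("== ["):
            current = {}
            entries.append(current)
        elif current is not None:
            for key, value in FIELD.findall(line):
                current[key] = int(value) if key.endswith("-size") else value
    return entries


def free_space(entries, label):
    """MB still unallocated on the partition with this label, or None when
    no listed storage sits on it (the partition size is only known from
    the storages already created on it)."""
    on_partition = [e for e in entries if e.get("partition-label") == label]
    if not on_partition:
        return None
    partition_size = on_partition[0]["partition-size"]
    return partition_size - sum(e["storage-size"] for e in on_partition)


def plan_storage(entries, label, name, size_mb):
    """Check whether 'execute scsi-dev storage <ref> <size_mb> <name>' would
    fit on the partition. Returns (ok, free_before_mb). On success the new
    storage is appended to entries, so a later call sees the reduced space."""
    free = free_space(entries, label)
    if free is None:
        return (False, None)
    if size_mb <= 0 or size_mb > free or any(e["name"] == name for e in entries):
        return (False, free)
    partition_size = next(e["partition-size"] for e in entries
                          if e.get("partition-label") == label)
    entries.append({"name": name, "partition-label": label,
                    "partition-size": partition_size, "storage-size": size_mb})
    return (True, free)


def run_demo():
    """Replay step 6 of the reference procedure; returns the outcomes."""
    entries = parse_wanopt_storage(SAMPLE_GET_WANOPT_STORAGE)
    label = "77A2A1AB1D0EF8B7"
    too_big = plan_storage(entries, label, "byte_cache_sto", 25000)
    fits = plan_storage(entries, label, "byte_cache_sto", 24999)
    return {"too_big": too_big, "fits": fits, "left": free_space(entries, label)}


if __name__ == "__main__":
    print(run_demo())
```

Because the partition size is only reported through the storages already on it, a partition that has no
storage yet returns None from free_space; for such a partition the size has to come from execute scsi-dev
list instead.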
iscsi
Use this command to add the IP address of one or two iSCSI servers to the FortiGate WAN optimization
configuration. You can also use this command to change the TCP port number used for communication
between the FortiGate unit and the iSCSI servers. Both servers must use the same TCP port number.
You can display information about the iSCSI servers that you add using the execute scsi-dev list
command. You can also use the execute scsi-dev partition command to edit partitions on the
iSCSI devices.
For more information about the execute scsi-dev command, see execute scsi-dev on page 656.
For more information about iSCSI see RFC 3270.
Syntax
    config wanopt iscsi
        set first-target <iscsi_ip_ipv4>
        set iscsi-port <iscsi_port_int>
        set second-target <iscsi_ip_ipv4>
    end
Variables Description Default
first-target <iscsi_ip_ipv4>
    Add the IP address of the first iSCSI server. Configure first-target if you only have one iSCSI server.
    Default: 0.0.0.0
iscsi-port <iscsi_port_int>
    Change the TCP port number used for communication between the FortiGate unit and the first and
    second iSCSI servers. The default iSCSI TCP port is 3260. Both iSCSI servers use the same TCP port
    number. Another commonly used iSCSI port number is TCP 860.
    Default: 3260
second-target <iscsi_ip_ipv4>
    Add the IP address of the second iSCSI server. Configure second-target to add a second iSCSI server.
    Default: 0.0.0.0
Example
This example shows how to add the iSCSI server shown in Figure 5 on page 566 to the FortiGate
configuration and change the iSCSI port to 860:
    config wanopt iscsi
        set first-target 192.168.20.100
        set iscsi-port 860
    end
History
FortiOS v4.0 New.
Related commands
execute scsi-dev
wanopt auth-group
wanopt cache-storage
wanopt peer
wanopt rule
wanopt settings, wanopt ssl-server
wanopt storage, wanopt webcache
peer
Add WAN optimization peers to a FortiGate unit to identify the FortiGate units that the local FortiGate unit
can form WAN optimization tunnels with. A peer consists of a peer name, which is the local host ID of the
remote FortiGate unit, and an IP address, which is the IP address of the interface that the remote FortiGate
unit uses to connect to the local FortiGate unit.
Use the command config wanopt settings to add the local host ID to a FortiGate unit.
Syntax
    config wanopt peer
        edit <peer_name>
            set ip <peer_ip_ipv4>
    end
Variables Description Default
edit <peer_name>
    Add the local host ID of the remote FortiGate unit. When the remote FortiGate unit connects to the
    local FortiGate unit to start a WAN optimization tunnel, the WAN optimization setup request includes
    the remote FortiGate unit's local host ID. If the local host ID in the setup request matches a peer
    added to the local FortiGate unit, then the local FortiGate unit can accept WAN optimization tunnel
    setup requests from the remote FortiGate unit.
ip <peer_ip_ipv4>
    Enter the IP address of the interface that the remote FortiGate unit uses to connect to the local
    FortiGate unit. Usually this would be the IP address of the interface connected to the WAN.
    Default: 0.0.0.0
Example
Use the following commands to add three peers.
    config wanopt peer
        edit Wan_opt_peer_1
            set ip 172.20.120.100
        next
        edit Wan_opt_peer_2
            set ip 172.30.120.100
        next
        edit Wan_opt_peer_3
            set ip 172.40.120.100
    end
History
FortiOS v4.0 New.
Related commands
wanopt auth-group
wanopt cache-storage
wanopt iscsi
wanopt rule
wanopt settings, wanopt ssl-server
wanopt storage, wanopt webcache
rule
WAN optimization uses rules to select traffic to be optimized. But, before WAN optimization rules can
accept traffic, the traffic must be accepted by a FortiGate firewall policy. All sessions accepted by a firewall
policy that also match a WAN optimization rule are processed by WAN optimization.
To configure WAN optimization you add WAN optimization rules to the FortiGate units at each end of the
tunnel. Similar to firewall policies, when the FortiGate unit receives a connection packet, it analyzes the
packet's source address, destination address, and service (by destination port number), and attempts to
locate a matching WAN optimization rule that decides how to optimize the traffic over the WAN.
The FortiGate unit applies firewall policies to packets before WAN optimization rules. A WAN optimization
rule is applied to a packet only after the packet is accepted by a firewall policy.
Syntax
    config wanopt rule
        edit <index_int>
            set auth-group <auth_group_name>
            set auto-detect {active | off | passive}
            set byte-caching {disable | enable}
            set dst-ip <address_ipv4>[-<address-ipv4>]
            set mode {full | webcache-only}
            set peer <peer_name>
            set port <port_int>[-<port-int>]
            set proto {cifs | ftp | http | mapi | tcp}
            set secure-tunnel {disable | enable}
            set src-ip <address_ipv4>[-<address-ipv4>]
            set ssl {disable | enable}
            set status {disable | enable}
            set transparent {disable | enable}
            set tunnel-non-http {disable | enable}
            set tunnel-sharing {express-shared | private | shared}
            set unknown-http-version {best-effort | reject | tunnel}
            set webcache {disable | enable}
    end
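The following script is an added example and is not FortiOS code or part of this reference. It models the
rule selection described above (a session's source address, destination address and destination port
tested against a rule's src-ip, dst-ip and port selectors, in rule index order) and checks the dependencies
between keywords that the variable descriptions state: secure-tunnel needs an auth-group, a peer can only
be added when auto-detect is off, an auth-group only applies with auto-detect off or active, and a rule with
auto-detect off needs one peer. The sample rules are constructed; the peer and auth-group names are the
ones used in the peer and auth-group examples, and the addresses are made up. Treating a webcache-only
rule as exempt from the one-peer requirement is this example's reading of the auto-detect description and
is marked as an assumption in the code.

```python
"""Match sessions against WAN optimization rules and check rule dependencies.

Added example; this is not FortiOS code. Rules are plain dicts keyed by the
'config wanopt rule' keywords. The selector syntax ('<ip>' or '<ip>-<ip>',
'<port>' or '<port>-<port>', 0.0.0.0 and 0 meaning any) and the dependency
statements (secure-tunnel needs an auth-group, a peer only with auto-detect
off, an auth-group only with auto-detect off or active, one peer when
auto-detect is off) follow the reference. The firewall policy that must
accept the session first is assumed to have done so and is not modelled."""
import ipaddress


def parse_ip_range(spec):
    """'a.b.c.d' or 'a.b.c.d-w.x.y.z' -> (first, last) IPv4Address pair;
    the default 0.0.0.0 is read as any address."""
    if spec == "0.0.0.0":
        return (ipaddress.IPv4Address("0.0.0.0"),
                ipaddress.IPv4Address("255.255.255.255"))
    lo, _, hi = spec.partition("-")
    first = ipaddress.IPv4Address(lo)
    last = ipaddress.IPv4Address(hi) if hi else first
    if last < first:
        raise ValueError("range end precedes start: " + spec)
    return (first, last)


def parse_port_range(spec):
    """'n' or 'n-m' -> (n, m); the default 0 is read as any port."""
    spec = str(spec)
    if spec == "0":
        return (1, 65535)
    lo, _, hi = spec.partition("-")
    first = int(lo)
    last = int(hi) if hi else first
    if not 1 <= first <= last <= 65535:
        raise ValueError("bad port range: " + spec)
    return (first, last)


def rule_matches(rule, src, dst, dport):
    """True when a session (source IP, destination IP, destination port)
    falls inside the rule's src-ip, dst-ip and port selectors and the rule
    is enabled."""
    if rule.get("status", "enable") != "enable":
        return False
    s_lo, s_hi = parse_ip_range(rule.get("src-ip", "0.0.0.0"))
    d_lo, d_hi = parse_ip_range(rule.get("dst-ip", "0.0.0.0"))
    p_lo, p_hi = parse_port_range(rule.get("port", "0"))
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return s_lo <= src <= s_hi and d_lo <= dst <= d_hi and p_lo <= dport <= p_hi


def first_matching_rule(rules, src, dst, dport):
    """Try rules in index order; return the first matching index or None."""
    for index in sorted(rules):
        if rule_matches(rules[index], src, dst, dport):
            return index
    return None


def validate_rule(rule):
    """Return the dependency problems the reference describes, as strings."""
    problems = []
    detect = rule.get("auto-detect", "off")
    if rule.get("secure-tunnel") == "enable" and not rule.get("auth-group"):
        problems.append("secure-tunnel enable requires an auth-group")
    if rule.get("auth-group") and detect == "passive":
        problems.append("auth-group only applies when auto-detect is off or active")
    if rule.get("peer") and detect != "off":
        problems.append("a peer can only be added when auto-detect is off")
    # Assumption: the reference requires one peer when auto-detect is off and
    # also says such a rule may be a web cache only rule, so webcache-only
    # rules are treated as exempt here.
    if detect == "off" and not rule.get("peer") and rule.get("mode", "full") != "webcache-only":
        problems.append("auto-detect off requires one peer")
    return problems


# Constructed sample rules; peer and auth-group names are the ones used in
# the reference's own examples, the addresses are made up.
RULES = {
    1: {"src-ip": "10.10.10.0-10.10.10.255", "dst-ip": "172.20.120.0-172.20.120.255",
        "port": "80", "proto": "http", "auto-detect": "active",
        "secure-tunnel": "enable", "auth-group": "auth_grp_1"},
    2: {"src-ip": "10.10.10.0-10.10.10.255", "dst-ip": "172.20.120.0-172.20.120.255",
        "port": "0", "proto": "tcp", "auto-detect": "off", "peer": "Wan_opt_peer_1"},
    3: {"port": "443", "proto": "http", "auto-detect": "active",
        "secure-tunnel": "enable"},  # missing auth-group
    4: {"port": "22", "status": "disable"},
}

if __name__ == "__main__":
    print(first_matching_rule(RULES, "10.10.10.5", "172.20.120.103", 445))
    for index, rule in RULES.items():
        print(index, validate_rule(rule))
```

Rule 3 is deliberately incomplete: it enables secure-tunnel without an auth-group, which the
auth-group and secure-tunnel descriptions below forbid, so validate_rule reports it while the matcher
still selects it for a 443 session from an address outside the first two rules' ranges.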
Variables Description Default
edi t <i ndex_i nt > Enter the unique ID number of this rule.
aut h- gr oup <aut h_gr oup_name> Select an authentication group to be used by this rule. Select
an authentication group if you want the client and server
FortiGate units that use this rule to authenticate with each
other before starting a WAN optimization tunnel.
You must add the same authentication group to the client and
server FortiGate units. The authentication group should have
the same name of both FortiGate units and use the same pre-
shared key or the same certificate.
You can add an authentication group to rules with
aut o- det ect set to of f or act i ve. An authentication
group is required if you enable secur e- t unnel for the rule.
rule wanopt
FortiGate Version 4.0 CLI Reference
572 01-400-93051-20090415
http://docs.fortinet.com/ Feedback
aut o- det ect {act i ve | of f |
passi ve}
Specify whether the rule is an act i ve (client) rule, a
passi ve (server) rule or if auto-detect is of f . If auto-detect
is of f the rule can be a peer to peer rule or a web cache only
rule.
For an act i ve (client) rule you must specify all of the WAN
optimization features to be applied by the rule. This
includes byt e- cachi ng, ssl , secur e- t unnel , and
pr ot o.
A passi ve (server) rule uses the settings in the active rule
on the client FortiGate unit to apply WAN optimization
settings. You can also enable webcache for a passive rule.
If aut o- det ect is of f , the rule configuration must include
all required WAN optimization features and you must add
one peer to the rule.
of f
byt e- cachi ng {di sabl e | enabl e} Enable or disable WAN optimization byte caching for the
traffic accepted by this rule. Byte caching is a WAN
optimization technique that reduces the amount of data that
has to be transmitted across a WAN by caching file data to
serve it later as required. Byte caching is available for all
protocols. You can enable byte caching for active rules or if
aut o- det ect is of f .
enabl e
dst-ip <address_ipv4>[-<address_ipv4>]
Enter the destination IP address or address range for the rule. Enter a single IP address or the start and end of the IP address range separated by a hyphen.
Only packets whose destination address header contains an IP address matching this IP address or address range will be accepted by and subject to this rule.
Default: 0.0.0.0
mode {full | webcache-only}
Configure the rule to apply all selected WAN optimization features or just web caching to traffic matched by the rule.
Default: full
peer <peer_name>
Add a peer to the rule. You can only add a peer if auto-detect is off.
Default: (null)
port <port_int>[-<port_int>]
Enter a single port number or port number range for the rule. Only packets whose destination port number matches this port number or port number range will be accepted by and subject to this rule.
Default: 0
proto {cifs | ftp | http | mapi | tcp}
Select cifs, ftp, http, or mapi to have the rule apply protocol optimization for one of these protocols.
Select tcp if the WAN optimization tunnel accepts packets that use more than one protocol or that do not use the CIFS, FTP, HTTP, or MAPI protocol.
Default: http
secure-tunnel {disable | enable}
Enable or disable using SSL to encrypt and secure the traffic in the WAN optimization tunnel. The FortiGate units use FortiASIC acceleration to accelerate SSL decryption and encryption of the secure tunnel. The secure tunnel uses the same TCP port as a non-secure tunnel (TCP port 7810).
You can configure secure-tunnel if auto-detect is set to active or off. If you enable secure-tunnel you must also add an auth-group to the rule.
Default: disable
src-ip <address_ipv4>[-<address_ipv4>]
Enter the source IP address or address range for the rule. Enter a single IP address or the start and end of the IP address range separated by a hyphen.
Only packets whose source address header contains an IP address matching this IP address or address range will be accepted by and subject to this rule.
Default: 0.0.0.0
ssl {disable | enable}
Enable or disable applying SSL offloading for HTTPS traffic. You use SSL offloading to offload SSL encryption and decryption from one or more HTTP servers. If you enable ssl, you should configure the rule to accept SSL-encrypted traffic, usually by configuring the rule to accept HTTPS traffic by setting port to 443.
If you enable ssl you must also use the config wanopt ssl-server command to add an SSL server for each HTTP server that you want to offload SSL encryption/decryption for. See wanopt ssl-server on page 578.
You can configure ssl if auto-detect is set to active or off.
Default: disable
status {disable | enable}
Enable or disable the rule.
Default: enable
transparent {disable | enable}
Enable or disable transparent mode for this rule.
If you enable transparent mode, WAN optimization keeps the original source address of the packets, so servers appear to receive traffic directly from clients. Routing on the server network should be able to route traffic with client IP addresses to the FortiGate unit.
If you do not select transparent mode, the source address of the packets received by servers is changed to the address of the FortiGate unit interface, so servers appear to receive packets from the FortiGate unit. Routing on the server network is simpler in this case because client addresses are not involved, but the server sees all traffic as coming from the FortiGate unit and not from individual clients.
Default: enable
tunnel-non-http {disable | enable}
Configure how to process non-HTTP traffic when a rule configured to accept and optimize HTTP traffic accepts a non-HTTP session. This can occur if an application sends non-HTTP traffic using an HTTP destination port.
Select disable to drop or tear down non-HTTP sessions accepted by the rule.
Select enable to pass non-HTTP sessions through the tunnel without applying protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied to non-HTTP sessions.
You can configure tunnel-non-http if proto is set to http and auto-detect is set to active or off.
Default: disable
tunnel-sharing {express-shared | private | shared}
Select the tunnel sharing mode for this rule:
Select express-shared for rules that accept interactive protocols such as Telnet.
Select private for rules that accept aggressive protocols such as HTTP and FTP so that these aggressive protocols do not share tunnels with less-aggressive protocols.
Select shared for rules that accept non-aggressive and non-interactive protocols.
You can configure tunnel sharing if proto is set to http and auto-detect is set to off.
For more information about tunnel sharing, see About WAN optimization tunnel sharing on page 574.
Default: private
About WAN optimization tunnel sharing
You can use the tunnel-sharing keyword to configure tunnel sharing for WAN optimization rules with auto-detect set to off. Tunnel sharing is multiple WAN optimization sessions sharing the same WAN optimization tunnel. Tunnel sharing can improve WAN performance by reducing the number of WAN optimization tunnels between FortiGate units. Fewer tunnels means less data to manage. Also, tunnel setup requires more than one exchange of information between the ends of the tunnel. Once the tunnel is set up, each new session that shares the tunnel avoids tunnel setup delays.
Tunnel sharing also uses bandwidth more efficiently by reducing the chances that small packets will be sent down the tunnel. Processing small packets reduces network throughput, so reducing the number of small packets improves performance. A shared tunnel can combine all the data from the sessions being processed by the tunnel and send it together. For example, a FortiGate unit is processing five WAN optimization sessions and each session has 100 bytes to send. If these sessions use a shared tunnel, WAN optimization combines the packets from all five sessions into one 500-byte packet. If each session uses its own private tunnel, five 100-byte packets will be sent instead. Each packet also requires a TCP ACK reply. The combined packet in the shared tunnel requires one TCP ACK packet. The separate packets in the private tunnels require 5 TCP ACK packets.
Tunnel sharing is not always recommended. Aggressive and non-aggressive protocols should not share the same tunnel. An aggressive protocol can be defined as a protocol that is able to get more bandwidth than a non-aggressive protocol (the aggressive protocols can starve the non-aggressive protocols). HTTP and FTP are considered aggressive protocols. If aggressive and non-aggressive protocols share the same tunnel, the aggressive protocols may take all of the available bandwidth. As a result, the performance of less aggressive protocols could be reduced. To avoid this problem, rules for HTTP and FTP traffic should have their own tunnel. To do this, set tunnel-sharing to private for WAN optimization rules that accept HTTP or FTP traffic.
It is also useful to set tunnel-sharing to express-shared for applications, such as Telnet, that are very interactive but not aggressive. Express sharing optimizes tunnel sharing for interactive applications such as Telnet where latency or delays would seriously affect the user's experience with the protocol.
Set tunnel-sharing to shared for applications that are not aggressive and are not sensitive to latency or delays. WAN optimization rules set to shared and express-shared can share the same tunnel.
unknown-http-version {best-effort | reject | tunnel}
Unknown HTTP sessions are HTTP sessions that don't comply with HTTP 0.9, 1.0, or 1.1. Configure unknown-http-version to specify how a rule handles HTTP traffic that does not comply with HTTP 0.9, 1.0, or 1.1.
Select best-effort to assume all HTTP sessions accepted by the rule comply with HTTP 0.9, 1.0, or 1.1. If a session uses a different HTTP version, WAN optimization may not parse it correctly. As a result the FortiGate unit may stop forwarding the session and the connection may be lost.
Select reject to reject or tear down HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1.
Select tunnel to pass HTTP traffic that does not use HTTP 0.9, 1.0, or 1.1 without applying HTTP protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied to this HTTP traffic.
You can configure unknown-http-version if proto is set to http and auto-detect is set to active or off.
Default: tunnel
webcache {disable | enable}
Enable or disable web caching for this rule. You can enable webcache if proto is set to http and auto-detect is set to passive or off.
Default: disable
Example client/server (active-passive) configuration
The following example shows how to configure client/server (active-passive) WAN optimization rules for the topology shown in Figure 6. In this example, clients on the user network connect to web servers on the web server network using HTTP on TCP port 80. The FortiGate units are configured to optimize HTTP traffic over the WAN using HTTP protocol optimization, web caching, and byte caching.
Figure 6: Example client/server (active-passive) WAN optimization topology
Client side FortiGate configuration
1 Add the Local Host ID to the client side FortiGate configuration.
config wanopt settings
    set host-id User_net
end
2 Add the server side Local Host ID to the client side peer list.
config wanopt peer
    edit Web_servers
        set ip 192.168.10.1
end
3 Add the following active rule to the client side FortiGate unit:
config wanopt rule
    edit 2
        set auto-detect active
        set src-ip 172.20.120.0
        set dst-ip 192.168.10.0
        set port 80
end
Accept default settings for transparent (enable), proto (http), status (enable), mode (full), byte-caching (enable), ssl (disable), secure-tunnel (disable), auth-group (null), unknown-http-version (tunnel), and tunnel-non-http (disable).
Server side FortiGate configuration
1 Add the Local Host ID to the server side FortiGate configuration.
config wanopt settings
    set host-id Web_servers
end
2 Add the client side Local Host ID to the server side peer list.
config wanopt peer
    edit User_net
        set ip 172.20.120.1
end
[Figure 6 topology: User Network 172.20.120.0; client side FortiGate unit (active rule, Local Host ID: User_net, IP address 172.20.120.1); WAN; server side FortiGate unit (passive rule, Local Host ID: Web_servers, IP address 192.168.10.1); Web Server Network 192.168.10.0]
3 Add the following passive rule to the server side FortiGate unit:
config wanopt rule
    edit 5
        set auto-detect passive
        set src-ip 172.20.120.0
        set dst-ip 192.168.10.0
        set port 80
        set webcache enable
end
Accept default settings for status (enable) and mode (full).
History
FortiOS v4.0 New.
Related commands
wanopt auth-group
wanopt cache-storage
wanopt iscsi
wanopt peer
wanopt settings
wanopt ssl-server
wanopt storage
wanopt webcache
settings
Use this command to add or change the FortiGate WAN optimization local host ID. The local host ID identifies the FortiGate unit to other FortiGate units for WAN optimization. All WAN optimization tunnel startup requests to other FortiGate units include the local host ID. The FortiGate unit can only perform WAN optimization with other FortiGate units that have this local host ID in their peer list.
Syntax
config wanopt settings
    set host-id <host-id-name_str>
end
Variables
host-id <host-id-name_str>
Enter the local host ID.
Default: default-id
History
FortiOS v4.0 New.
Related commands
wanopt auth-group
wanopt cache-storage
wanopt iscsi
wanopt peer
wanopt rule
wanopt ssl-server
wanopt storage
wanopt webcache
ssl-server
Use this command to add one or more SSL servers to support WAN optimization SSL offloading. You enable WAN optimization SSL offloading by enabling the ssl keyword in a WAN optimization rule. WAN optimization supports SSL encryption/decryption offloading for HTTP servers.
SSL offloading uses the FortiGate unit to encrypt and decrypt SSL sessions. The FortiGate unit intercepts HTTPS traffic from clients and decrypts it before sending it as clear text to the HTTP server. The clear text response from the HTTP server is encrypted by the FortiGate unit and returned to the client. The result should be a performance improvement because SSL encryption is offloaded from the server to the FortiGate unit's FortiASIC SSL encryption/decryption engine.
You must add one WAN optimization SSL server configuration to the FortiGate unit for each HTTP server that you are configuring SSL offloading for. This SSL server configuration must also include the HTTP server CA. You load this certificate into the FortiGate unit as a local certificate using the config vpn certificate local command and then add the certificate to the SSL server configuration using the ssl-cert keyword. The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.
You can configure one WAN optimization rule to offload SSL encryption/decryption for multiple HTTP servers. To do this, the WAN optimization rule source and destination addresses must be configured so that the rule accepts packets destined for all of the HTTP servers that you want offloading for. Then you must add one SSL server configuration for each of the HTTP servers.
Syntax
config wanopt ssl-server
    edit <ssl-server-name>
        set ip <ssl_server_ip_ipv4>
        set port <port_int>
        set ssl-mode {full | half}
        set ssl-cert <certificate_name>
        set ssl-dh-bits {1024 | 1536 | 2048 | 768}
        set ssl-min-version {ssl-3.0 | tls-1.0}
        set ssl-max-version {ssl-3.0 | tls-1.0}
        set ssl-send-empty-frags {disable | enable}
end
Variables
edit <ssl-server-name>
Enter a name for the SSL server. It can be any name and this name is not used by other FortiGate configurations.
ip <ssl_server_ip_ipv4>
Enter an IP address for the SSL server. This IP address should be the same as the IP address of the HTTP server that this SSL server will be offloading for. When a session is accepted by a WAN optimization rule with SSL offloading enabled, the destination IP address of the session is matched with this IP address to select the SSL server configuration to use.
Default: 0.0.0.0
port <port_int>
Enter a port number to be used by the SSL server. Usually this would be port 443 for an HTTPS server. When a session is accepted by a WAN optimization rule with SSL offloading enabled, the destination port of the session is matched with this port to select the SSL server configuration to use.
Default: 0
ssl-mode {full | half}
Configure the SSL server to operate in full mode or half mode. Half mode offloads SSL from the backend server to the server-side FortiGate unit.
Default: full
Example: SSL offloading for a WAN optimization tunnel
In this example, clients on the user network use https://192.168.10.20 to browse to an HTTP web server. A WAN optimization rule with auto-detect set to off on the client side FortiGate unit accepts sessions from the clients with source addresses on the 172.20.120.0 network and with a destination address of 192.168.10.0 and with a destination port of 443. In this rule secure-tunnel is enabled so that the tunnel is encrypted.
The server side FortiGate unit includes an SSL server configuration with ip set to 192.168.10.20 and port set to 443. The server side FortiGate unit also includes the HTTP server CA.
Figure 7: SSL offloading for byte caching
ssl-cert <certificate_name>
Select the certificate to be used for this SSL server. The certificate should be the HTTP server CA used by the HTTP server that this SSL server configuration will be offloading for.
The certificate must be a local certificate added to the FortiGate unit using the config vpn certificate local command. For more information, see vpn certificate local on page 511.
The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.
ssl-dh-bits {1024 | 1536 | 2048 | 768}
Select the size of the Diffie-Hellman prime used in DHE_RSA negotiation. Larger primes may cause a performance reduction but are more secure.
Default: 1024
ssl-min-version {ssl-3.0 | tls-1.0}
Select the lowest or oldest SSL/TLS version to offer when negotiating. You can set the minimum version to SSL 3.0 or TLS 1.0. TLS 1.0 is more secure than SSL 3.0.
Default: ssl-3.0
ssl-max-version {ssl-3.0 | tls-1.0}
Select the highest or newest SSL/TLS version to offer when negotiating. You can set the maximum version to SSL 3.0 or TLS 1.0. TLS 1.0 is more secure than SSL 3.0.
Default: tls-1.0
ssl-send-empty-frags {disable | enable}
Enable or disable sending empty fragments before sending the actual payload. Sending empty fragments is a technique used to avoid cipher-block chaining (CBC) plaintext attacks if the initialization vector (IV) is known. Also called the CBC IV. Some SSL implementations are not compatible with sending empty fragments. Change ssl-send-empty-frags to disable if required by your SSL implementation.
Default: enable
[Figure 7 topology: Client Network 172.20.120.0; client side FortiGate unit (Rule: autodetect: off, Local Host ID: User_net, IP address 172.20.120.1); WAN; server side FortiGate unit (SSL server and HTTP server CA, Local Host ID: Web_servers, IP address 192.168.10.1); HTTP Web Server (port 80), IP: 192.168.10.20. Traffic is encrypted between the clients and the client side FortiGate unit, decrypted but protected by the encrypted tunnel across the WAN, and decrypted between the server side FortiGate unit and the web server.]
When the client side FortiGate unit accepts an HTTPS connection for 192.168.10.20 the SSL server
configuration provides the information that the client side FortiGate unit needs to decrypt the traffic and
send it in clear text across a WAN optimization tunnel to the server side FortiGate unit. The server side
FortiGate unit then forwards the clear text packets to the HTTP server.
The HTTP server CA is not downloaded from the server side to the client side FortiGate unit. Instead the
client side FortiGate unit proxies the SSL parameters from the client side to the server side which returns
an SSL key and other required information to the client side FortiGate unit so that the client FortiGate unit
can decrypt and encrypt HTTPS traffic.
To configure the client side FortiGate unit
1 Enter the following command to set the local host ID of the client side FortiGate unit to User_net.
config wanopt settings
    set host-id User_net
end
2 Enter the following command to add the server side local host ID to the client side FortiGate unit.
config wanopt peer
    edit Web_servers
        set ip 192.168.10.1
end
3 Enter the following command to add an authentication group named SSL_auth_grp to the client side FortiGate unit. The authentication group includes a preshared key and the peer added in step 2. An authentication group with the same name and the same preshared key must also be added to the server side FortiGate unit. This authentication group is required for the secure tunnel.
config wanopt auth-group
    edit SSL_auth_grp
        set auth-method psk
        set psk <preshared_key>
        set peer-accept one
        set peer Web_servers
end
4 Enter the following command to add the WAN optimization rule:
config wanopt rule
    edit 5
        set src-ip 172.20.120.0
        set dst-ip 192.168.10.0
        set port 443
        set peer Web_servers
        set ssl enable
        set secure-tunnel enable
        set auth-group SSL_auth_grp
        set webcache enable
end
You can configure other rule settings as required. By default transparent is enabled, proto is http (proto should not be changed), mode is full, auto-detect is off, byte-caching is enabled, and tunnel-sharing is private.
Note: You do not need to add a WAN optimization rule to the server side FortiGate unit as long as the server side FortiGate unit includes the local host ID of the client FortiGate unit in its peer list. However, you could set auto-detect to active on the client side FortiGate unit and then add a rule to the server side FortiGate unit with auto-detect set to passive.
Note: In this example the secure tunnel and the authentication group configurations are not required, but are added to enhance security. Adding the peers and the WAN optimization rules is required for WAN optimization SSL offloading.
To configure the server side FortiGate unit
1 Enter the following command to set the local host ID of the server side FortiGate unit to Web_servers.
config wanopt settings
    set host-id Web_servers
end
2 Enter the following command to add the client side local host ID to the server side FortiGate unit.
config wanopt peer
    edit User_net
        set ip 172.20.120.1
end
3 Enter the following command to add an authentication group named SSL_auth_grp to the server side FortiGate unit. The authentication group includes a preshared key and the peer added to the server side FortiGate unit in step 2.
config wanopt auth-group
    edit SSL_auth_grp
        set auth-method psk
        set psk <preshared_key>
        set peer-accept one
        set peer User_net
end
4 Use the config vpn certificate local command to add the HTTP server CA. Set the name of the local certificate to Web_Server_Cert_1.
The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.
5 Enter the following command to add the SSL server to the server side FortiGate unit.
config wanopt ssl-server
    edit example_server
        set ip 192.168.10.20
        set port 443
        set ssl-cert Web_Server_Cert_1
end
Configure other ssl-server settings as required for your configuration.
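As an added example that is not part of this Fortinet reference, the following Python script parses CLI text in the config/edit/set/next/end form used in this section and checks wanopt rules and SSL servers against the constraints the tables above state: secure-tunnel needs an auth-group, auto-detect off needs a peer, webcache only with proto http and auto-detect passive or off, and SSL 3.0 or a small DH prime being the weaker choices. The sample configuration, the second rule (edit 6) and the finding messages are constructed for the example.

```python
# Added example (not Fortinet's code): lint 'config wanopt rule' and
# 'config wanopt ssl-server' text against the constraints this reference states.

# Constructed sample: the SSL offloading example's client-side rule (edit 5)
# and server-side SSL server, plus a deliberately inconsistent rule (edit 6).
SAMPLE_CONFIG = """\
config wanopt rule
    edit 5
        set port 443
        set peer Web_servers
        set ssl enable
        set secure-tunnel enable
        set auth-group SSL_auth_grp
        set webcache enable
    next
    edit 6
        set auto-detect active
        set port 80
        set secure-tunnel enable
        set webcache enable
    next
end
config wanopt ssl-server
    edit example_server
        set ip 192.168.10.20
        set port 443
        set ssl-cert Web_Server_Cert_1
        set ssl-dh-bits 768
    next
end
"""

# Defaults from the rule and ssl-server tables ("(null)" = unset in the CLI).
RULE_DEFAULTS = {"auto-detect": "off", "proto": "http", "peer": "(null)",
                 "auth-group": "(null)", "secure-tunnel": "disable",
                 "ssl": "disable", "webcache": "disable", "port": "0"}
SSL_SERVER_DEFAULTS = {"ssl-cert": "", "ssl-min-version": "ssl-3.0",
                       "ssl-max-version": "tls-1.0", "ssl-dh-bits": "1024"}
VERSION_ORDER = {"ssl-3.0": 0, "tls-1.0": 1}


def parse_config(text):
    """Parse config/edit/set/next/end lines into {path: {entry: {key: value}}}."""
    tree, path, entry = {}, None, None
    for raw in text.splitlines():
        cmd, _, rest = raw.strip().partition(" ")
        if cmd == "config":
            path, entry = rest, None
            tree.setdefault(path, {})
        elif cmd == "edit":
            entry = rest.strip('"')
            tree[path][entry] = {}
        elif cmd == "set" and entry is not None:
            key, _, value = rest.partition(" ")
            tree[path][entry][key] = value.strip('"')
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            path, entry = None, None
    return tree


def check_rule(name, settings):
    """Apply the 'You can configure X if ...' constraints from the rule table."""
    r = {**RULE_DEFAULTS, **settings}
    mode, proto, f = r["auto-detect"], r["proto"], []
    if r["secure-tunnel"] == "enable" and r["auth-group"] == "(null)":
        f.append("secure-tunnel enabled but no auth-group added")
    if mode == "off" and r["peer"] == "(null)":
        f.append("auto-detect off requires one peer")
    if r["ssl"] == "enable" and r["port"] != "443":
        f.append("ssl enabled but port is not 443; rule should accept HTTPS")
    if r["webcache"] == "enable" and not (proto == "http" and mode in ("passive", "off")):
        f.append("webcache requires proto http and auto-detect passive or off")
    return [f"rule {name}: {msg}" for msg in f]


def check_ssl_server(name, settings):
    """Flag weak or inconsistent SSL server settings (hardening review)."""
    s = {**SSL_SERVER_DEFAULTS, **settings}
    f = []
    if not s["ssl-cert"]:
        f.append("no ssl-cert selected; the HTTP server certificate is required")
    if VERSION_ORDER[s["ssl-min-version"]] > VERSION_ORDER[s["ssl-max-version"]]:
        f.append("ssl-min-version is newer than ssl-max-version")
    elif s["ssl-min-version"] == "ssl-3.0":
        f.append("SSL 3.0 offered; TLS 1.0 is the more secure minimum documented")
    if int(s["ssl-dh-bits"]) < 1024:
        f.append("ssl-dh-bits below 1024; larger DH primes are more secure")
    return [f"ssl-server {name}: {msg}" for msg in f]


def audit(text):
    """Return every finding for the rules and SSL servers in a config text."""
    tree, findings = parse_config(text), []
    for name, settings in tree.get("wanopt rule", {}).items():
        findings += check_rule(name, settings)
    for name, settings in tree.get("wanopt ssl-server", {}).items():
        findings += check_ssl_server(name, settings)
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "no findings")
```

Run against the sample, rule 5 and the default-based checks pass, while rule 6 and the SSL server each produce two findings; feed it the text of a real `show wanopt rule` / `show wanopt ssl-server` output to review an existing unit.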
History
FortiOS v4.0 New.
Related commands
wanopt auth-group
wanopt cache-storage
wanopt iscsi
wanopt peer
wanopt rule
wanopt settings
wanopt storage
wanopt webcache
storage
Use the show wanopt storage command to view WAN optimization storages. Use the config wanopt storage command to change the size of WAN optimization storages. A storage defines the maximum size of the byte caching or web caching database added to the storage.
You use the execute scsi-dev storage command to add WAN optimization storages. For more information about the execute scsi-dev command, see execute scsi-dev on page 656.
Syntax
config wanopt storage
    edit <storage_name_str>
        set partition-label <partition-label>
        set partition-size <partition_size_int>
        set storage-size <storage_size_int>
end
Examples
Use the following command to display all of the storages added to a FortiGate unit. The two storages shown in the output were added to the same partition.
show wanopt storage
config wanopt storage
    edit "storage_1"
        set partition-label "742FD71029DB5130"
        set partition-size 76316
        set storage-size 30000
    next
    edit "storage_2"
        set partition-label "742FD71029DB5130"
        set partition-size 76316
        set storage-size 30000
    next
end
Use the following command to change the size of storage_2 from 30000 to 40000 Mbytes:
config wanopt storage
    edit "storage_2"
        set storage-size 40000
    next
end
Variables
edit <storage_name_str>
Enter the name of the storage added using the execute scsi-dev storage command.
partition-label <partition-label>
The random string used to label the partition. You cannot change the partition label. For more information, see About partition labels on page 568.
partition-size <partition_size_int>
The size of the partition in Mbytes. You cannot change the partition size.
storage-size <storage_size_int>
The size of the storage in Mbytes. You can use this keyword to change the storage size.
History
FortiOS v4.0 New.
Related commands
wanopt auth-group
wanopt cache-storage
wanopt iscsi
wanopt peer
wanopt rule
wanopt settings
wanopt ssl-server
wanopt webcache
webcache
Use this command to change how the WAN optimization web cache operates. In most cases the default
settings are acceptable. However you may want to change these settings to improve performance or
optimize the cache for your configuration.
Syntax
config wanopt webcache
    set always-revalidate {disable | enable}
    set cache-expired {disable | enable}
    set default-ttl <expiry_time>
    set explicit {disable | enable}
    set fresh-factor <fresh_percent>
    set ignore-conditional {disable | enable}
    set ignore-ie-reload {disable | enable}
    set ignore-ims {disable | enable}
    set ignore-pnc {disable | enable}
    set max-object-size <object_size>
    set max-ttl <expiry_time>
    set min-ttl <expiry_time>
    set neg-resp-time <response_time>
    set reval-pnc {disable | enable}
end
Variables
always-revalidate {disable | enable}
Enable to always revalidate the requested cached object with content on the server before serving it to the client.
Default: enable
cache-expired {disable | enable}
Applies only to type-1 objects. When this setting is enabled, type-1 objects that are already expired at the time of acquisition are cached (if all other conditions make the object cacheable). When this setting is disabled, already expired type-1 objects become non-cacheable at the time of acquisition.
Default: disable
default-ttl <expiry_time>
The default expiry time for objects that do not have an expiry time set by the web server. The default expiry time is 1440 minutes (24 hours).
Default: 1440
explicit {disable | enable}
Enable or disable using the WAN optimization web cache to cache for the explicit proxy.
Default: enable
fresh-factor <fresh_percent>
Set the fresh factor as a percentage. The default is 100, and the range is 1 to 100. For cached objects that don't have an expiry time, the web cache periodically checks the server to see if the object has expired. The higher the fresh factor, the less often the checks occur.
Default: 100
ignore-conditional {disable | enable}
Enable or disable controlling the behavior of cache-control header values. HTTP 1.1 provides additional controls to the client over the behavior of caches concerning the staleness of the object. Depending on various Cache-Control headers, the FortiGate unit can be forced to consult the OCS before serving the object from the cache. For more information about the behavior of cache-control header values, see RFC 2616.
Default: disable
ignore-ie-reload {disable | enable}
Some versions of Internet Explorer issue an Accept: / header instead of a Pragma: no-cache header when you select Refresh. When an Accept header has only the / value, the FortiGate unit treats it as a PNC header if it is a type-N object.
When this option is enabled, the FortiGate unit ignores the PNC interpretation of the Accept: / header.
Default: enable
ignore-ims {disable | enable}
By default, if the time specified by the if-modified-since (IMS) header in the client's conditional request is greater than the last modified time of the object in the cache, it is a strong indication that the copy in the cache is stale. If so, HTTP does a conditional GET to the Overlay Caching Scheme (OCS), based on the last modified time of the cached object. Enable ignore-ims to override this behavior.
Default: disable
ignore-pnc {disable | enable}
Typically, if a client sends an HTTP GET request with a pragma no-cache (PNC) or cache-control no-cache header, a cache must consult the OCS before serving the content. This means that the FortiGate unit always re-fetches the entire object from the OCS, even if the cached copy of the object is fresh.
Because of this, PNC requests can degrade performance and increase server-side bandwidth utilization. However, if ignore-pnc is enabled, then the PNC header from the client request is ignored. The FortiGate unit treats the request as if the PNC header is not present at all.
Default: disable
max-object-size <object_size>
Set the maximum object size to cache. The default size is 512000 kbytes (512 Mbytes). This object size determines the maximum object size to store in the web cache. All objects retrieved that are larger than the maximum size are delivered to the client but are not stored in the web cache.
Default: 512000
max-ttl <expiry_time>
The maximum amount of time an object can stay in the web cache without checking to see if it has expired on the server. The default is 7200 minutes (120 hours or 5 days).
Default: 7200
min-ttl <expiry_time>
The minimum amount of time an object can stay in the web cache before checking to see if it has expired on the server. The default is 5 minutes.
Default: 5
neg-resp-time <response_time>
Set how long in minutes to cache negative responses. The default is 0, meaning negative responses are not cached. The content server might send a client error code (4xx HTTP response) or a server error code (5xx HTTP response) as a response to some requests. If the web cache is configured to cache these negative responses, it returns that response in subsequent requests for that page or image for the specified number of minutes.
Default: 0
reval-pnc {disable | enable}
The pragma-no-cache (PNC) header in a client's request can affect the efficiency of the FortiGate unit from a bandwidth gain perspective. If you do not want to completely ignore PNC in client requests (which you can do by using the ignore PNC option configuration), you can lower the impact of the PNC by enabling reval-pnc. When reval-pnc is enabled, a client's non-conditional PNC-GET request results in a conditional GET request sent to the OCS if the object is already in the cache. This gives the OCS a chance to return the 304 Not Modified response, consuming less server-side bandwidth, because it has not been forced to return full content even though the contents have not actually changed. By default, the revalidate PNC configuration is disabled and is not affected by changes in the top-level profile. When the Substitute Get for PNC configuration is enabled, the revalidate PNC configuration has no effect.
Most download managers make byte-range requests with a PNC header. To serve such requests from the cache, the reval-pnc option should be enabled along with byte-range support.
Default: disable
History
FortiOS v4.0 New.
Related commands
wanopt auth-group
wanopt cache-storage
wanopt iscsi
wanopt peer
wanopt rule
wanopt settings
wanopt ssl-server
wanopt storage
web-proxy
Use these commands to configure the web proxy.
explicit
global
explicit
Use this command to configure an explicit web proxy.
Syntax
config web-proxy explicit
    set http-incoming-port <port_num>
    set status {enable | disable}
    set unknown-http-version {best-effort | reject}
end
Variables
http-incoming-port <port_num>
    Select the port the incoming HTTP traffic will use. Valid numbers range from 0 to 65535.
status {enable | disable}
    Enable to activate the explicit web proxy. When disabled, passive web proxies are used.
    Default: disable
unknown-http-version {best-effort | reject}
    Select the action to take when an unknown version of HTTP is encountered. Best effort attempts to
    handle the HTTP traffic as best it can. Reject treats the HTTP traffic as malformed.
    Default: reject
History
FortiOS v4.0 New.
Related commands
web-proxy global
global
Configure global web-proxy settings. The add-header options control which request headers the proxy adds
when it forwards a client request to the origin server. The client IP and X-Forwarded-For headers disclose
the client's address to the origin server, so enable them only where the upstream server needs that
information.
Syntax
config web-proxy global
    set add-header-client-ip {enable | disable}
    set add-header-front-end-https {enable | disable}
    set add-header-via {enable | disable}
    set add-header-x-forwarded-for {enable | disable}
    set max-message-length <kBytes>
    set max-request-length <kBytes>
    set proxy-fqdn <fqdn>
end
Variables
add-header-client-ip {enable | disable}
    Enable to add the client IP to the header of forwarded requests.
    Default: disable
add-header-front-end-https {enable | disable}
    Enable to add a front-end-https header to forwarded requests.
    Default: disable
add-header-via {enable | disable}
    Enable to add the Via header to forwarded requests.
    Default: disable
add-header-x-forwarded-for {enable | disable}
    Enable to add an X-Forwarded-For header to forwarded requests.
    Default: disable
max-message-length <kBytes>
    Set the maximum length, in kBytes, of the HTTP message not including the body. Range 16 to 256.
    Default: 32
max-request-length <kBytes>
    Set the maximum length, in kBytes, of the HTTP request line. Range 2 to 64.
    Default: 4
proxy-fqdn <fqdn>
    Set the fully qualified domain name (FQDN) for the proxy. This is the domain that clients connect to.
    Default: default.fqdn
History
FortiOS v4.0 New.
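The following is an added example, not FortiOS code, that models what the four add-header options, proxy-fqdn and the two length limits above do to a request the explicit proxy forwards. Two details are assumptions because the page does not state them: the header names X-Client-IP and Front-End-Https (the conventional spellings), and that an X-Forwarded-For value already sent by the client is kept with the client's address appended, as proxies conventionally do.

```python
"""Added example (not FortiOS code): effect of 'config web-proxy global'
header options and length limits on a forwarded HTTP request.

Assumptions, labelled because the page does not state them:
- the client-IP header is spelled 'X-Client-IP' and the front-end HTTPS
  header 'Front-End-Https: on' (the conventional spellings);
- an X-Forwarded-For value the client already sent is kept and the
  client's address appended, as proxies conventionally do.
"""
from dataclasses import dataclass


@dataclass
class WebProxyGlobal:
    """Mirrors the keywords of 'config web-proxy global' with page defaults."""
    add_header_client_ip: bool = False
    add_header_front_end_https: bool = False
    add_header_via: bool = False
    add_header_x_forwarded_for: bool = False
    max_message_length: int = 32      # kBytes, request line + headers, no body
    max_request_length: int = 4       # kBytes, request line only
    proxy_fqdn: str = "default.fqdn"


def forwarded_headers(cfg, client_ip, client_headers, client_used_tls):
    """Return the header list sent upstream for one client request.

    client_headers: list of (name, value) as received from the client.
    With every add-header option disabled the client's headers pass
    through unchanged, so a client-supplied X-Forwarded-For reaches the
    origin server unmodified; the origin must not treat it as trustworthy.
    """
    out = list(client_headers)
    if cfg.add_header_client_ip:
        out.append(("X-Client-IP", client_ip))           # assumed header name
    if cfg.add_header_front_end_https and client_used_tls:
        out.append(("Front-End-Https", "on"))            # assumed header name
    if cfg.add_header_via:
        # RFC 7230 Via syntax: received-protocol received-by
        out.append(("Via", "1.1 " + cfg.proxy_fqdn))
    if cfg.add_header_x_forwarded_for:
        chain = [v for k, v in out if k.lower() == "x-forwarded-for"]
        out = [(k, v) for k, v in out if k.lower() != "x-forwarded-for"]
        out.append(("X-Forwarded-For", ", ".join(chain + [client_ip])))
    return out


def check_request_limits(cfg, request_line, headers):
    """Apply max-request-length to the request line and max-message-length
    to the request line plus headers (the body is excluded), both in kBytes.
    Returns 'ok' or a string naming the limit that was exceeded."""
    line_len = len(request_line.encode()) + 2            # CRLF included
    head_len = line_len + sum(len(f"{k}: {v}\r\n".encode()) for k, v in headers) + 2
    if line_len > cfg.max_request_length * 1024:
        return "reject: request line exceeds max-request-length"
    if head_len > cfg.max_message_length * 1024:
        return "reject: message header exceeds max-message-length"
    return "ok"


if __name__ == "__main__":
    cfg = WebProxyGlobal(add_header_via=True, add_header_x_forwarded_for=True,
                         proxy_fqdn="proxy.example.net")
    hdrs = forwarded_headers(cfg, "10.1.1.5",
                             [("Host", "www.example.com"),
                              ("X-Forwarded-For", "192.0.2.9")], False)
    for name, value in hdrs:
        print(f"{name}: {value}")
    print(check_request_limits(cfg, "GET /" + "a" * 5000 + " HTTP/1.1", hdrs))
```

The second assertion in the stand-alone run is the point to notice: the first entry in the X-Forwarded-For chain is whatever the client chose to send, so an origin server that reads the leftmost address as "the real client" can be spoofed even when the proxy appends honestly.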
webfilter
Use webfilter commands to add banned words to the banned word list, filter URLs, and configure
FortiGuard-Web category filtering.
This chapter contains the following sections:
bword
exmword
fortiguard
ftgd-local-cat
ftgd-local-rating
ftgd-ovrd
ftgd-ovrd-user
urlfilter
bword
Control web content by blocking specific words or patterns. If enabled in the protection profile, the
FortiGate unit searches for words or patterns on requested web pages. If matches are found, the values
assigned to the matching words are totalled. If the total exceeds the user-defined threshold, the web page
is blocked.
Use this command to add or edit a web content block list and configure its options. Banned words can be
one word or a text string up to 80 characters long. The maximum number of banned words and patterns in
the list is 5000.
When a single word is entered, the FortiGate unit checks web pages for that word. Add phrases by
enclosing the phrase in single quotes; the FortiGate unit then checks web pages for any word in the
phrase. Add exact phrases by enclosing the phrase in double quotation marks; the FortiGate unit then
checks web pages for the exact phrase.
Create banned word patterns using wildcards or Perl regular expressions. See Using Perl regular
expressions on page 48.
You can add multiple banned word lists and then select the most suitable web content block list for each
protection profile.
Syntax
config webfilter bword
    edit <list_int>
        set name <list_str>
        set comment <comment_str>
        config entries
            edit <word_str>
                set lang {french | japanese | korean | simch | spanish | thai | trach | western}
                set pattern-type {regexp | wildcard}
                set score <score_int>
                set status {enable | disable}
            end
    end
Note: Perl regular expression patterns are case sensitive for web filter content block. To make a word or
phrase case insensitive, use the regular expression /i. For example, /bad language/i blocks all instances
of bad language regardless of case. Wildcard patterns are not case sensitive.
Keywords and variables
<list_int>
    A unique number to identify the banned word list.
<list_str>
    The name of the banned word list.
<comment_str>
    The comment attached to the banned word list.
<word_str>
    The word to be blocked.
lang {french | japanese | korean | simch | spanish | thai | trach | western}
    Enter the language character set used for the banned word or phrase. Choose from French, Japanese,
    Korean, Simplified Chinese, Spanish, Thai, Traditional Chinese, or Western.
    Default: western
pattern-type {regexp | wildcard}
    Set the pattern type for the banned word. Choose regexp to create the pattern with a Perl regular
    expression or wildcard to create it with wildcard characters.
    Default: wildcard
score <score_int>
    A numerical weighting applied to the banned word. The score values of all the matching words appearing
    on a web page are added, and if the total is greater than the webwordthreshold value set in the
    protection profile, the page is processed according to whether the bannedword option is set with the
    http command in the protection profile. The score for a banned word is counted once even if the word
    appears multiple times on the web page.
    Default: 10
status {enable | disable}
    Enable or disable the banned word. New entries are disabled by default, so an entry has no effect
    until its status is set to enable.
    Default: disable
History
FortiOS v2.80 Substantially revised.
FortiOS v3.0 Added score variable. Added multiple-list capability for models 800 and above. Minor changes.
FortiOS v3.0 MR4 All models have the same CLI syntax now.
Related topics
webfilter exmword
webfilter fortiguard
webfilter ftgd-local-cat
webfilter ftgd-local-rating
webfilter ftgd-ovrd
webfilter ftgd-ovrd-user
webfilter urlfilter
exmword
Web content exempt allows the web content block feature to be overridden. If any pattern defined in the web
content exempt list appears on a web page, the page is not blocked even if the web content block feature
would otherwise block it.
Use this command to add or edit a web content exempt list and configure its options. Exempt words can be
one word or a text string up to 80 characters long. The maximum number of exempt words and patterns in
the list is 5000.
When a single word is entered, the FortiGate unit checks web pages for that word. Add phrases by
enclosing the phrase in single quotes; the FortiGate unit then checks web pages for any word in the
phrase. Add exact phrases by enclosing the phrase in double quotation marks; the FortiGate unit then
checks web pages for the exact phrase.
Create exempt word patterns using wildcards or Perl regular expressions. See Using Perl regular
expressions on page 48.
You can add multiple exempt word lists and then select the most suitable web content exempt list for each
protection profile.
Syntax
config webfilter exmword
    edit <list_int>
        set name <list_str>
        set comment <comment_str>
        config entries
            edit <word_str>
                set lang {french | japanese | korean | simch | spanish | thai | trach | western}
                set pattern-type {regexp | wildcard}
                set status {enable | disable}
            end
    end
Note: Perl regular expression patterns are case sensitive for web filter content exempt. To make a word or
phrase case insensitive, use the regular expression /i. For example, /good language/i exempts all
instances of good language regardless of case. Wildcard patterns are not case sensitive.
Keywords and variables
<list_int>
    A unique number to identify the exempt word list.
<list_str>
    The name of the exempt word list.
<comment_str>
    The comment attached to the exempt word list.
<word_str>
    The word to be exempted.
lang {french | japanese | korean | simch | spanish | thai | trach | western}
    Enter the language character set used for the exempt word or phrase. Choose from French, Japanese,
    Korean, Simplified Chinese, Spanish, Thai, Traditional Chinese, or Western.
    Default: western
pattern-type {regexp | wildcard}
    Set the pattern type for the exempt word. Choose regexp to create the pattern with a Perl regular
    expression or wildcard to create it with wildcard characters.
    Default: wildcard
status {enable | disable}
    Enable or disable the exempt word. New entries are disabled by default, so an entry has no effect
    until its status is set to enable.
    Default: disable
History
FortiOS v3.0 MR2 New.
FortiOS v3.0 MR4 All models have the same CLI syntax now.
Related topics
webfilter bword
webfilter fortiguard
webfilter ftgd-local-cat
webfilter ftgd-local-rating
webfilter ftgd-ovrd
webfilter ftgd-ovrd-user
webfilter urlfilter
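The following is an added example, not FortiOS code, covering both the bword and exmword sections above: it models how a banned word list is scored against a page (each entry counted once, total compared with the threshold, regexp entries case sensitive unless written /.../i, wildcard entries and the single-quote and double-quote phrase forms never case sensitive) and how a matching exempt entry overrides the block. One detail is an assumption because the page does not state it: wildcard entries use '*' for any run of characters and '?' for one character, matched against the page text.

```python
"""Added example, not FortiOS code: a model of how a banned word list
(webfilter bword) is scored against a page and how a content exempt list
(webfilter exmword) overrides the result, following the semantics stated
on this page. Assumption not stated on the page: wildcard entries use '*'
for any run of characters and '?' for one character, and matching is done
against the page text.
"""
import re


def compile_entry(word, pattern_type):
    """Turn one CLI entry (<word_str> plus pattern-type) into a regex.

    wildcard entries (page conventions):
      bare word      -> that word
      'a b c'        -> any single word of the phrase
      "exact phrase" -> the phrase verbatim
      never case sensitive
    regexp entries: case sensitive unless written /.../i
    """
    if pattern_type == "regexp":
        m = re.fullmatch(r"/(.*)/(i?)", word, re.S)
        if m:
            return re.compile(m.group(1), re.I if m.group(2) else 0)
        return re.compile(word)
    if len(word) >= 2 and word[0] == word[-1] == '"':
        alternatives = [word[1:-1]]
    elif len(word) >= 2 and word[0] == word[-1] == "'":
        alternatives = word[1:-1].split()
    else:
        alternatives = [word]
    parts = []
    for alt in alternatives:
        glob = re.escape(alt).replace(r"\*", ".*").replace(r"\?", ".")
        parts.append(r"\b" + glob + r"\b")
    return re.compile("|".join(parts), re.I)


def score_page(text, banned, exempt, threshold):
    """Score a page against bword entries and apply exmword entries.

    banned / exempt: lists of dicts with keys word, pattern_type and,
    for banned, score; 'status' defaults to 'disable' exactly as the CLI
    does, so an entry counts only if its status was explicitly enabled.
    Returns (total, blocked, hits, exempted). Each banned entry adds its
    score once no matter how often it matches, and the page is blocked
    when the total exceeds the profile's webwordthreshold unless an
    exempt entry also matches.
    """
    def enabled(e):
        return e.get("status", "disable") == "enable"

    exempted = any(compile_entry(e["word"], e["pattern_type"]).search(text)
                   for e in exempt if enabled(e))
    total, hits = 0, []
    for e in banned:
        if enabled(e) and compile_entry(e["word"], e["pattern_type"]).search(text):
            total += e.get("score", 10)
            hits.append(e["word"])
    blocked = total > threshold and not exempted
    return total, blocked, hits, exempted


# Constructed sample lists and page text for a stand-alone run.
SAMPLE_BANNED = [
    {"word": "/bad language/i", "pattern_type": "regexp", "score": 30, "status": "enable"},
    {"word": "'crack warez'", "pattern_type": "wildcard", "score": 10, "status": "enable"},
    {"word": "keygen*", "pattern_type": "wildcard", "score": 10, "status": "enable"},
    {"word": "forgotten", "pattern_type": "wildcard", "score": 50},   # status left at default
]
SAMPLE_EXEMPT = [
    {"word": '"security research"', "pattern_type": "wildcard", "status": "enable"},
]
SAMPLE_PAGE = "BAD LANGUAGE here, warez warez warez and a KeyGens download. forgotten"

if __name__ == "__main__":
    print(score_page(SAMPLE_PAGE, SAMPLE_BANNED, SAMPLE_EXEMPT, threshold=40))
    print(score_page(SAMPLE_PAGE + " (security research)", SAMPLE_BANNED, SAMPLE_EXEMPT, 40))
```

Two things the run makes visible that the prose only implies: the fourth banned entry never scores because its status was left at the CLI default of disable, and a regexp entry written without /i silently misses upper-case text.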
fortiguard
Use this command to enable web filtering by specific categories using FortiGuard-Web URL filtering.
FortiGuard-Web category blocking
FortiGuard-Web is a web filtering solution provided by Fortinet. FortiGuard-Web sorts thousands of web
pages into a wide variety of categories that users can allow, block, or monitor. Categories are also
organized into broader groups to make configuration fast and easy. The FortiGate unit accesses the
nearest FortiGuard-Web server to determine the category of a requested web page and then follows the
firewall policy configured for that user or interface. FortiGuard-Web servers are located worldwide.
FortiGuard-Web licensing
Every FortiGate unit comes with a free 30 day FortiGuard-Web trial license. FortiGuard-Web license
management is done by the FortiGuard-Web server, so there is no need to enter a license number. The
FortiGate unit automatically contacts the FortiGuard-Web servers when FortiGuard-Web category blocking
is enabled.
To renew the FortiGuard-Web license after the free trial, contact Fortinet Technical Support.
FortiGuard-Web configuration
Once enabled, FortiGuard-Web category block settings apply globally. After enabling FortiGuard-Web,
configure different categories for each firewall protection profile you create.
See firewall profile on page 132 to configure FortiGuard-Web category blocking in a protection profile.
See FortiGuard-Web categories in the FortiGate Administration Guide for a complete list and description
of the FortiGuard-Web web filter categories.
HTTP and HTTPS FortiGuard override traffic
The FortiGuard override for HTTP and HTTPS is no longer a single global forward rule. Instead, a separate
rule is created for each protection profile to redirect the FortiGuard override HTTP and HTTPS ports, as
required, into the authentication daemon. This ensures that these ports only appear open when the
appropriate options are enabled in the profile. The following matrix shows how the profile options affect
the port status (1 = enabled, 0 = disabled):
HTTP WF   HTTP ovrd   HTTPS WF   ovrd via HTTPS   HTTP port   HTTPS port
   0          0           0            0           closed      closed
   0          0           0            1           closed      closed
   0          0           1            0           closed      open
   0          0           1            1           closed      open
   0          1           0            0           closed      closed
   0          1           0            1           closed      closed
   0          1           1            0           closed      open
   0          1           1            1           closed      open
   1          0           0            0           open        closed
   1          0           0            1           open        closed
   1          0           1            0           open        open
   1          0           1            1           open        open
   1          1           0            0           open        closed
   1          1           0            1           open        open
   1          1           1            0           open        open
   1          1           1            1           open        open
In summary, the HTTP override port is open whenever HTTP web filtering is enabled in the profile, and the
HTTPS override port is open whenever HTTPS web filtering is enabled, or when HTTP web filtering with
override is enabled together with ovrd-auth-https.
There are two separate ports for HTTP and HTTPS override traffic, which can be configured independently.
In addition, HTTPS uses the HTTPS override form regardless of the ovrd-auth-https status. If
ovrd-auth-https is enabled, any attempt to use the HTTP version of the override form is transparently
redirected to the HTTPS version.
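The following is an added example, not FortiOS code: it writes the matrix above as a rule, checks the rule against all sixteen rows, and lists which profile option combinations leave each override port open, which is the question to ask before changing a profile on an interface that untrusted hosts can reach. The port numbers quoted in the comments are the defaults from the syntax table below.

```python
"""Added example, not FortiOS code: the override port matrix on this page
written as a rule, checked against every row of the matrix, and used to
list which profile settings expose each override port."""
from itertools import product


def override_ports(http_wf, http_ovrd, https_wf, ovrd_via_https):
    """Return (http_port_open, https_port_open) for one protection profile.

    Read off the matrix: the HTTP override port (ovrd-auth-port-http,
    default 8008) is open exactly when HTTP web filtering is on; the HTTPS
    override port (ovrd-auth-port-https, default 8010) is open when HTTPS
    web filtering is on, or when HTTP web filtering with override is on and
    ovrd-auth-https redirects the override form to HTTPS.
    """
    http_open = bool(http_wf)
    https_open = bool(https_wf) or bool(http_wf and http_ovrd and ovrd_via_https)
    return http_open, https_open


# Constructed transcription of the page's matrix, used only as a check.
PAGE_MATRIX = {
    (0, 0, 0, 0): ("closed", "closed"), (0, 0, 0, 1): ("closed", "closed"),
    (0, 0, 1, 0): ("closed", "open"),   (0, 0, 1, 1): ("closed", "open"),
    (0, 1, 0, 0): ("closed", "closed"), (0, 1, 0, 1): ("closed", "closed"),
    (0, 1, 1, 0): ("closed", "open"),   (0, 1, 1, 1): ("closed", "open"),
    (1, 0, 0, 0): ("open", "closed"),   (1, 0, 0, 1): ("open", "closed"),
    (1, 0, 1, 0): ("open", "open"),     (1, 0, 1, 1): ("open", "open"),
    (1, 1, 0, 0): ("open", "closed"),   (1, 1, 0, 1): ("open", "open"),
    (1, 1, 1, 0): ("open", "open"),     (1, 1, 1, 1): ("open", "open"),
}


def rule_matches_page():
    """True if override_ports() reproduces all 16 rows of the page's matrix."""
    return all(override_ports(*row) == (h == "open", s == "open")
               for row, (h, s) in PAGE_MATRIX.items())


def profiles_exposing(port):
    """Profile option combinations (HTTP WF, HTTP ovrd, HTTPS WF, ovrd via
    HTTPS) that leave the named override port ('http' or 'https') open.
    Useful when auditing which listeners a profile change turns on."""
    index = {"http": 0, "https": 1}[port]
    return [row for row in product((0, 1), repeat=4) if override_ports(*row)[index]]


if __name__ == "__main__":
    print("rule matches page:", rule_matches_page())
    print("profiles opening the HTTPS override port:", profiles_exposing("https"))
```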
Syntax
config webfilter fortiguard
    set cache-mode {ttl | db-ver}
    set cache-mem-percent <percent_integer>
    set cache-prefix-match {enable | disable}
    set ovrd-auth-port-http <port_integer>
    set ovrd-auth-https {enable | disable}
    set ovrd-auth-port-https <port_integer>
end
Keywords and variables
cache-mode {ttl | db-ver}
    Change the cache entry expiration mode. Choices are ttl or db-ver.
    Using ttl, cache entries are deleted after a number of seconds determined by the cache-ttl setting, or
    until newer cache entries force the removal of older ones.
    When set to db-ver, cache entries are kept until the FortiGuard database changes, or until newer cache
    entries force the removal of older ones.
    Default: ttl
cache-mem-percent <percent_integer>
    Change the maximum percentage of memory the cache will use. Enter a value from 1 to 15 percent.
    Default: 2
cache-prefix-match {enable | disable}
    Enable or disable prefix matching. If enabled, the FortiGate unit attempts to match a packet against
    the rules in a prefix list starting at the top of the list. For information on prefix lists see the
    section prefix-list on page 282 of the Router chapter in the FortiOS CLI Guide.
    Default: enable
ovrd-auth-port-http <port_integer>
    The port to use for FortiGuard Web Filter HTTP override authentication.
    Default: 8008
ovrd-auth-https {enable | disable}
    Enable to use HTTPS for override authentication. While this is disabled, the user name and password
    entered on the override form are submitted over plain HTTP on the ovrd-auth-port-http port.
    Default: disable
ovrd-auth-port-https <port_integer>
    The port to use for FortiGuard Web Filter HTTPS override authentication.
    Default: 8010
History
FortiOS v2.80 New.
FortiOS v2.80 MR2 Added cerb_hostname, cerb_port, ftgd_hostname, and ftgd_port keywords. Changed license
to cerb_license.
FortiOS v2.80 MR4 Removed cerb_hostname, cerb_license, and cerb_port keywords. Removed ftgd_port keyword.
FortiOS v3.0 Added cache-mode, cache-mem-percent, license, expiration, hostname, img-sink-ip,
ovrd-auth-port, ovrd-auth-https, and port. Removed ftgd_hostname and service. Name changed from catblock
to fortiguard.
FortiOS v3.0 MR1 Many of the commands were moved to config system fortiguard and some new commands were
added.
FortiOS v3.0 MR3 cache-prefix-match {enable | disable} command added.
FortiOS v3.0 MR4 Removed the command ovrd-auth-port, replaced with ovrd-auth-port-http. Added the command
ovrd-auth-port-https. Added new section on HTTP and HTTPS FortiGuard override traffic. Removed the
command img-sink-ip.
Related topics
webfilter bword
webfilter ftgd-local-cat
webfilter ftgd-local-rating
webfilter ftgd-ovrd
webfilter ftgd-ovrd-user
webfilter urlfilter
ftgd-local-cat
Use this command to add local categories to the global URL category list. The categories defined here
appear in the global URL category list when configuring a protection profile. Users can rate URLs based on
the local categories.
Syntax
config webfilter ftgd-local-cat
    edit <local_cat_str>
        set id <id_int>
end
Example
This example shows how to add the category local_block with an ID of 155.
config webfilter ftgd-local-cat
    edit local_block
        set id 155
end
Keywords and variables
<local_cat_str>
    The description of the local category.
id <id_int>
    The local category unique ID number.
    Default: 140
History
FortiOS v3.0 New
Related topics
webfilter bword
webfilter fortiguard
webfilter ftgd-local-rating
webfilter ftgd-ovrd
webfilter ftgd-ovrd-user
webfilter urlfilter
ftgd-local-rating
Use this command to rate URLs using local categories.
Users can create user-defined categories and then specify the URLs that belong to each category. This
allows users to block groups of web sites on a per-profile basis. The ratings are included in the global URL
list with their associated categories and are compared in the same way the URL block list is processed.
The user can also specify whether the local rating is used in conjunction with the FortiGuard rating or is
used as an override.
Syntax
config webfilter ftgd-local-rating
    edit <url_str>
        set rating [[<category_int>] [group_str] [class_str] ...]
        set status {enable | disable}
end
Example
This example shows how to configure a local rating for the web site www.example.com with a rating
including category 12, all categories in group 4, and classification 1.
config webfilter ftgd-local-rating
    edit www.example.com
        set rating 12 g4 c1
end
Keywords and variables
<url_str>
    The URL being rated.
rating [[<category_int>] [group_str] [class_str] ...]
    Set categories, groups, and classifications for the rating. Enter ? to print a list of category codes
    and descriptions available. To remove categories from the rating, use the unset command.
status {enable | disable}
    Enable or disable the local rating.
    Default: enable
History
FortiOS v3.0 New
Related topics
webfilter bword
webfilter fortiguard
webfilter ftgd-local-cat
webfilter ftgd-ovrd
webfilter ftgd-ovrd-user
webfilter urlfilter
ftgd-ovrd
Use this command to configure FortiGuard-Web filter administrative overrides.
The administrative overrides are backed up with the main configuration and managed by the FortiManager
system. The administrative overrides are not cleaned up when they expire, and you can reuse these override
entries by extending their expiry dates.
Users may require access to web sites that are blocked by a policy. In this case, an administrator can give
the user the ability to override the block for a specified period of time.
When a user attempts to access a blocked site, if override is enabled, a link appears on the block page
directing the user to an authentication form. The user must provide a correct user name and password or
the web site remains blocked. Authentication is based on user groups and can be performed for local,
RADIUS, and LDAP users.
Syntax
config webfilter ftgd-ovrd
    edit <override_int>
        set expires <yyyy/mm/dd hh:mm:ss>
        set ext-ref {allow | deny}
        set initiator
        set ip <ipv4>
        set profile <profile_str>
        set rating [[<category_int>] [group_str] [class_str] ...]
        set scope {user | user-group | ip | profile}
        set status {enable | disable}
        set type {dir | domain | rating}
        set url <url_str>
        set user <user_str>
        set user-group <user_group_str>
end
get webfilter ftgd-ovrd <override_int>
Keywords and variables
<override_int>
    The unique ID number of the override.
expires <yyyy/mm/dd hh:mm:ss>
    The date and time the override expires. For example, the command to configure an expiry time of
    6:45 p.m. on May 22, 2009 would be formatted this way:
        set expires 2009/05/22 18:45:00
    Default: 15 minutes after the override is created.
ext-ref {allow | deny}
    Allow or deny access to off-site URLs.
    Default: allow
initiator
    The user who initiated the override rule. This keyword is get-only.
ip <ipv4>
    When the scope is ip, enter the IP address for which the override rule applies.
    Default: 0.0.0.0
profile <profile_str>
    When the scope is profile, enter the profile for which the override rule applies.
rating [[<category_int>] [group_str] [class_str] ...]
    If type is set to rating, set the categories, groups, and classifications to override. Enter ? to print
    a list of category codes and descriptions available. To remove categories from the rating, use the
    unset command.
scope {user | user-group | ip | profile}
    The scope of the override rule.
    Default: user
status {enable | disable}
    Enable or disable the override rule.
    Default: disable
type {dir | domain | rating}
    Specify the type of override rule.
    dir - override the website directory
    domain - override the domain
    rating - override the specified categories and classifications
    Default: dir
url <url_str>
    The URL for which the override rule applies.
user <user_str>
    When the scope is user, the user for which the override rule applies.
user-group <user_group_str>
    When the scope is user-group, enter the user group for which the override rule applies.
Example
This example shows how to give override 13 a rating that includes category 12, all categories in group 4,
and classification 1.
config webfilter ftgd-ovrd
    edit 13
        set rating 12 g4 c1
end
Use the following command to get information about an override.
# get webfilter ftgd-ovrd 1
id        : 1
expires   : Wed Jul 6 07:00:30 2009
ext_ref   : allow
initiator : admin
scope     : user
status    : enable
type      : dir
url       : 192.168.220.23
user      : user_1
History
FortiOS v3.0 New
Related topics
webfilter bword
webfilter fortiguard
webfilter ftgd-local-cat
webfilter ftgd-local-rating
webfilter ftgd-ovrd-user
webfilter urlfilter
ftgd-ovrd-user
Use this command to configure FortiGuard-Web filter user overrides.
When a user attempts to access a blocked site, if override is enabled, a link appears on the block page
directing the user to an authentication form. The user must provide a correct user name and password or
the web site remains blocked. Authentication is based on user groups and can be performed for local,
RADIUS, and LDAP users.
Administrators can only view and delete user override entries.
Syntax
config webfilter ftgd-ovrd-user
    edit <override_int>
        set expires <yyyy/mm/dd hh:mm:ss>
        set ext-ref {allow | deny}
        set initiator
        set ip <ipv4>
        set profile <profile_str>
        set rating [[<category_int>] [group_str] [class_str] ...]
        set scope {user | user-group | ip | profile}
        set status {enable | disable}
        set type {dir | domain | rating}
        set url <url_str>
        set user <user_str>
        set user-group <user_group_str>
end
get webfilter ftgd-ovrd-user <override_int>
Keywords and variables
<override_int>
    The unique ID number of the override.
expires <yyyy/mm/dd hh:mm:ss>
    The date and time the override expires. For example, the command to configure an expiry time of
    6:45 p.m. on May 22, 2009 would be formatted this way:
        set expires 2009/05/22 18:45:00
    Default: 15 minutes after the override is created.
ext-ref {allow | deny}
    Allow or deny access to off-site URLs.
    Default: allow
initiator
    The user who initiated the override rule. This keyword is get-only.
ip <ipv4>
    When the scope is ip, enter the IP address for which the override rule applies.
    Default: 0.0.0.0
profile <profile_str>
    When the scope is profile, enter the profile for which the override rule applies.
rating [[<category_int>] [group_str] [class_str] ...]
    If type is set to rating, set the categories, groups, and classifications to override. Enter ? to print
    a list of category codes and descriptions available. To remove categories from the rating, use the
    unset command.
scope {user | user-group | ip | profile}
    The scope of the override rule.
    Default: user
status {enable | disable}
    Enable or disable the override rule.
    Default: disable
type {dir | domain | rating}
    Specify the type of override rule.
    dir - override the website directory
    domain - override the domain
    rating - override the specified categories and classifications
    Default: dir
url <url_str>
    The URL for which the override rule applies.
user <user_str>
    When the scope is user, the user for which the override rule applies.
user-group <user_group_str>
    When the scope is user-group, the user group for which the override rule applies.
Example
This example shows how to set override 12 to apply to a single IP address.
config webfilter ftgd-ovrd-user
    edit 12
        set scope ip
        set ip 192.168.220.23
end
Use the following command to get information about an override.
# get webfilter ftgd-ovrd-user 1
id        : 1
expires   : Wed Jul 6 07:00:30 2005
ext_ref   : allow
initiator : user
scope     : user
status    : enable
type      : dir
url       : 192.168.220.23
user      : user_1
History
FortiOS v3.0 MR7 New
Related topics
webfilter bword
webfilter fortiguard
webfilter ftgd-local-cat
webfilter ftgd-local-rating
webfilter ftgd-ovrd
webfilter urlfilter
urlfilter
Use this command to control access to specific URLs by adding them to the URL filter list. The FortiGate
unit exempts or blocks web pages matching any specified URL and displays a replacement message instead.
Configure the FortiGate unit to allow, block, or exempt all pages on a website by adding the top-level URL
or IP address and setting the action to allow, block, or exempt.
Block individual pages on a website by including the full path and filename of the web page to block. Type
a top-level URL or IP address to block access to all pages on a website. For example, www.example.com or
172.16.144.155 blocks access to all pages at this website.
Type a top-level URL followed by the path and filename to block access to a single page on a website. For
example, www.example.com/news.html or 172.16.144.155/news.html blocks the news page on this
website.
To block all pages with a URL that ends with example.com, add example.com to the block list. For
example, adding example.com blocks access to www.example.com, mail.example.com,
www.finance.example.com, and so on.
Use this command to exempt or block all URLs matching patterns created using text and regular
expressions (or wildcard characters). For example, example.* matches example.com, example.org,
example.net and so on. The FortiGate unit exempts or blocks web pages that match any configured pattern
and displays a replacement message instead.
The maximum number of entries in the list is 5000.
Because the default action is exempt, an entry added without an explicit action exempts matching URLs
from all further checking, including antivirus scanning. Set the action deliberately for every entry.
Syntax
config webfilter urlfilter
    edit <list_int>
        set name <list_str>
        set comment <comment_str>
        config entries
            edit <url_str>
                set action {allow | block | exempt}
                set status {enable | disable}
                set type {simple | regex}
            end
    end
Keywords and variables
<list_int>
    A unique number to identify the URL filter list.
<list_str>
    The name of the URL filter list.
<comment_str>
    The comment attached to the URL filter list.
<url_str>
    The URL to add to the list.
action {allow | block | exempt}
    The action to take for matches.
    An allow match exits the URL filter list and checks the other web filters.
    An exempt match stops all further checking, including AV scanning.
    A block match blocks the URL and no further checking is done.
    Default: exempt
status {enable | disable}
    The status of the filter.
    Default: enable
type {simple | regex}
    The type of URL filter: simple or regular expression.
    Default: simple
History
FortiOS v3.0 New
FortiOS v3.0 MR4 All models have the same CLI syntax now.
Related topics
webfilter bword
webfilter fortiguard
webfilter ftgd-local-cat
webfilter ftgd-local-rating
webfilter ftgd-ovrd
webfilter ftgd-ovrd-user
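The following is an added example, not FortiOS code, that models how a URL filter list is evaluated according to the description above: simple entries matching a whole site, a single page, or every host ending in a domain; regex entries; and the three actions, of which only allow lets the remaining web filters run while exempt also switches off antivirus scanning. Several details are assumptions because the page does not state them: entries are tried in list order and the first enabled match decides; a simple entry without a path matches the host and its label-boundary subdomains (example.com matches www.example.com but not notexample.com); a simple entry with a path matches that path or anything beneath it; a regex entry is searched against host plus path.

```python
"""Added example, not FortiOS code: a model of how a URL filter list
(webfilter urlfilter) is evaluated, following this page's description of
simple and regex entries and of the allow / block / exempt actions.
Assumptions not stated on the page: entries are tried in list order and
the first enabled match decides; a simple entry without a path matches the
host and every label-boundary subdomain of it; a simple entry with a path
matches that path or anything beneath it; a regex entry is searched
against host plus path."""
import re
from urllib.parse import urlsplit

DEFAULT_ACTION = "exempt"     # page: the default action is exempt


def split_url(url):
    """Return (host, path); a scheme is optional in both entries and requests."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def simple_match(entry_url, host, path):
    """Match one simple entry against a request's host and path."""
    e_host, e_path = split_url(entry_url)
    if not (host == e_host or host.endswith("." + e_host)):
        return False
    if e_path == "/":
        return True                      # whole site
    return path == e_path or path.startswith(e_path.rstrip("/") + "/")


def evaluate(url, entries):
    """Walk the list; return (decision, matching_entry_url).

    decision is one of:
      'block'    the page is blocked, nothing else is checked
      'exempt'   no further checking at all, including antivirus scanning
      'allow'    leave the URL filter list, the other web filters still run
      'no-match' no entry matched, continue with the other web filters
    """
    host, path = split_url(url)
    for e in entries:
        if e.get("status", "enable") != "enable":
            continue
        if e.get("type", "simple") == "regex":
            hit = re.search(e["url"], host + path) is not None
        else:
            hit = simple_match(e["url"], host, path)
        if hit:
            return e.get("action", DEFAULT_ACTION), e["url"]
    return "no-match", None


def antivirus_runs(decision):
    """exempt switches off AV scanning for the request; block never reaches
    it; allow and no-match continue to the remaining checks."""
    return decision in ("allow", "no-match")


# Constructed sample list. The second entry sets no action, so it takes the
# exempt default and quietly switches off AV scanning for that host.
SAMPLE_LIST = [
    {"url": "www.example.com/news.html", "action": "block"},
    {"url": "downloads.example.com"},
    {"url": "example.com", "action": "allow"},
    {"url": r"^(www\.)?example\.(org|net)/", "type": "regex", "action": "block"},
]

if __name__ == "__main__":
    for u in ("http://www.example.com/news.html", "http://downloads.example.com/setup.exe",
              "http://mail.example.com/inbox", "http://notexample.com/", "http://example.net/x"):
        d, m = evaluate(u, SAMPLE_LIST)
        print(f"{u:45} {d:9} av={antivirus_runs(d)} via {m}")
```

Order matters under the first-match assumption: if the downloads.example.com entry were placed after the example.com allow entry it would never be reached, so a list review should look at both the action of each entry and its position.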
execute
The execute commands perform immediate operations on the FortiGate unit. You can:
Back up and restore the system configuration, or reset the unit to factory settings.
Run commands without saving them to the configuration (the run but not save feature).
Set the unit date and time.
View and clear DHCP leases.
Clear ARP table entries.
View and delete log messages. Delete old log files.
Manually dial or hang up the modem (models 50A, 50AM, 60, 60M only).
Use ping or traceroute to diagnose network problems.
Restart the router or the entire FortiGate unit.
Update the antivirus and attack definitions on demand.
Generate certificate requests and install certificates for VPN authentication.
This chapter contains the following sections:
backup
batch
central-mgmt
cfg reload
cfg save
clear system arp table
cli check-template-status
cli status-msg-only
date
dhcp lease-clear
dhcp lease-list
disconnect-admin-session
enter
factoryreset
formatlogdisk
fortiguard-log update
fsae refresh
ha disconnect
ha manage
ha synchronize
interface dhcpclient-renew
interface pppoe-reconnect
log delete-all
log delete-filtered
log delete-rolled
log display
log filter
log fortianalyzer test-connectivity
log list
log roll
modem dial
modem hangup
modem trigger
ping
ping-options, ping6-options
ping6
reboot
router clear bfd
router clear bgp
router clear ospf process
router restart
scsi-dev
send-fds-statistics
set-next-reboot
sfp-mode-sgmii
shutdown
ssh
telnet
time
traceroute
update-ase
update-av
update-ips
update-now
upd-vd-license
usb-disk
vpn certificate ca
vpn certificate crl
vpn certificate local
vpn certificate remote
vpn sslvpn del-tunnel
vpn sslvpn del-web
backup
Back up the FortiGate configuration files, logs, or IPS user-defined signatures file to a TFTP or FTP server,
USB disk, or a management station. Management stations can either be a FortiManager unit, or
FortiGuard Analysis and Management Service. For more information, see system fortiguard on page 357
or system central-management on page 345.
When virtual domain configuration is enabled (in syst emgl obal , vdom- admi n is enabled), the content
of the backup file depends on the administrator account that created it.
A backup of the system configuration from the super admin account contains the global settings and
the settings for all of the VDOMs. Only the super admin can restore the configuration from this file.
When you back up the system configuration from a regular administrator account, the backup file
contains the global settings and the settings for the VDOM to which the administrator belongs. Only a
regular administrator account can restore the configuration from this file.
Syntax
execute backup config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]>
    [<username_str> [<password_str>]] [<backup_password_str>]
execute backup config management-station <comment_str>
execute backup config tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute backup config usb <filename_str> [<backup_password_str>]
execute backup full-config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]>
    [<username_str> [<password_str>]] [<backup_password_str>]
execute backup full-config tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute backup full-config usb <filename_str> [<backup_password_str>]
execute backup ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]>
    [<username_str> [<password_str>]]
execute backup ipsuserdefsig tftp <filename_str> <server_ipv4>
execute backup {disk | memory} alllogs ftp <server_ipv4[:port_int] | server_fqdn[:port_int]>
    [<username_str> <password_str>]
execute backup {disk | memory} alllogs tftp <server_ipv4>
execute backup {disk | memory} log ftp <server_ipv4[:port_int] | server_fqdn[:port_int]>
    <username_str> <password_str> {app-ctrl | event | ids | im | spam | virus | voip | webfilter}
execute backup {disk | memory} log tftp <server_ipv4>
    {app-ctrl | event | ids | im | spam | virus | voip | webfilter}
Keywords and variables                          Description
config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
    Back up the system configuration to an FTP server. Optionally, you can specify a password to
    protect the saved data.
config management-station <comment_str>
    Back up the system configuration to a configured management station. If you are adding a
    comment, do not add spaces, underscore characters (_), quotation marks (") or any other
    punctuation marks. For example:
    uploadedthetransparentmodeconfigfortheaccountingdepartmentwilluploadonadailybasis
    The comment you enter displays in both the portal website and the FortiGate web-based manager
    (System > Maintenance > Revision).
config tftp <filename_str> <server_ipv4> [<backup_password_str>]
    Back up the system configuration to a file on a TFTP server. Optionally, you can specify a
    password to protect the saved data.
config usb <filename_str> [<backup_password_str>]
    Back up the system configuration to a file on a USB disk. Optionally, you can specify a
    password to protect the saved data.
full-config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
    Back up the full system configuration to a file on an FTP server. You can optionally specify a
    password to protect the saved data.
full-config tftp <filename_str> <server_ipv4> [<backup_password_str>]
    Back up the full system configuration to a file on a TFTP server. You can optionally specify a
    password to protect the saved data.
full-config usb <filename_str> [<backup_password_str>]
    Back up the full system configuration to a file on a USB disk. You can optionally specify a
    password to protect the saved data.
ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]]
    Back up IPS user-defined signatures to a file on an FTP server.
ipsuserdefsig tftp <filename_str> <server_ipv4>
    Back up IPS user-defined signatures to a file on a TFTP server.
{disk | memory} alllogs ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
    Back up either all memory or all hard disk log files for this VDOM to an FTP server. The disk
    option is only available on FortiGate models that log to a hard disk. The file name has the form:
    <log_file_name>_<VDOM>_<date>_<time>
{disk | memory} alllogs tftp <server_ipv4>
    Back up either all memory or all hard disk log files for this VDOM to a TFTP server. The disk
    option is only available on FortiGate models that log to a hard disk. The file name has the form:
    <log_file_name>_<VDOM>_<date>_<time>
{disk | memory} log ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> <username_str> <password_str> {app-ctrl | event | ids | im | spam | virus | voip | webfilter}
    Back up the specified type of log file from either hard disk or memory to an FTP server. The
    disk option is only available on FortiGate models that log to a hard disk.
{disk | memory} log tftp <server_ipv4> {app-ctrl | event | ids | im | spam | virus | voip | webfilter}
    Back up the specified type of log file from either hard disk or memory to a TFTP server. The
    disk option is only available on FortiGate models that log to a hard disk.
Example
This example shows how to back up the FortiGate unit system configuration to a file named fgt.cfg on a
TFTP server at IP address 192.168.1.23.
execute backup config tftp fgt.cfg 192.168.1.23
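A backup written without <backup_password_str> is a plain-text file in the config / edit / set / next / end grammar shown throughout this reference, and neither TFTP nor FTP encrypts the transfer, so the file carries every stored admin password hash, IPsec pre-shared key and server credential of the unit across the network and into whatever archive receives it. The following Python script is an added example, not code from the FortiGate reference or from Fortinet: it parses such a backup into its nested sections and lists the secret-bearing attributes it contains, so a backup can be checked before it is committed to storage that other people can read. SAMPLE_BACKUP is constructed for the example, and SECRET_KEYS is an assumed, practical subset of the attribute names that hold credentials; the real set on a given unit may be larger.

```python
"""Scan a plain-text FortiOS configuration backup for secret-bearing
attributes.

Added example, not code from the FortiGate reference. It parses the
config / edit / set / next / end structure that 'execute backup config'
writes when no <backup_password_str> is given. SAMPLE_BACKUP is
constructed for the example; SECRET_KEYS is an assumed, practical subset
of the attribute names that hold credentials on a FortiGate.
"""
import shlex

SECRET_KEYS = ("password", "passwd", "psksecret", "secret", "key")

SAMPLE_BACKUP = """\
#config-version=FGT60B-4.00-FW-build000-000000:opmode=0:vdom=0
config system global
    set hostname "fgt-edge"
    set vdom-admin enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC AK1ExampleAdminHashValueConstructedForThisExample
    next
    edit "auditor"
        set accprofile "prof_admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set password ENC AK1ExampleAuditorHashValueConstructedForThisExample
    next
end
config vpn ipsec phase1
    edit "to-branch"
        set interface "wan1"
        set psksecret ENC AK1ExamplePskValueConstructedForThisExample
    next
end
config system dns
    set primary 10.0.0.53
end
"""


def parse_fortios_config(text):
    """Return {section_path: {entry_name: {attribute: value}}}.

    'config a b' blocks become the key 'a b'; attributes set directly under
    the block are stored under the entry name '' and 'edit "x"' entries under
    'x'. Structural errors (stray end, set outside a block, unterminated
    block) raise ValueError so a truncated backup is rejected, not accepted.
    """
    tree = {}
    stack = []  # one [section_path, current_entry] per open config block
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or header/comment line
        words = shlex.split(line)
        if not words:
            continue
        verb, args = words[0], words[1:]
        if verb == "config":
            path = " ".join(args)
            tree.setdefault(path, {})
            stack.append([path, ""])
            continue
        if not stack:
            raise ValueError("line %d: '%s' outside a config block" % (lineno, verb))
        if verb == "edit":
            stack[-1][1] = args[0]
        elif verb == "next":
            stack[-1][1] = ""
        elif verb == "end":
            stack.pop()
        elif verb in ("set", "unset"):
            path, entry = stack[-1]
            entries = tree[path].setdefault(entry, {})
            entries[args[0]] = " ".join(args[1:]) if verb == "set" else None
        # other verbs (append, purge, ...) carry no values for this check
    if stack:
        raise ValueError("unterminated block: config %s" % stack[-1][0])
    return tree


def is_secret_attribute(name):
    """True for attribute names that hold credentials, e.g. 'password',
    'psksecret', 'ppk-secret' (assumed naming convention, see SECRET_KEYS)."""
    return any(name == k or name.endswith("-" + k) for k in SECRET_KEYS)


def find_secrets(tree):
    """List (section, entry, attribute, encrypted) for every secret-bearing
    attribute. 'encrypted' is True when the value carries the ENC marker
    FortiOS puts in front of stored credentials; a value without it is
    clear text and must never be archived unprotected."""
    found = []
    for section, entries in tree.items():
        for entry, attrs in entries.items():
            for attr, value in attrs.items():
                if is_secret_attribute(attr):
                    enc = value is not None and value.startswith("ENC ")
                    found.append((section, entry, attr, enc))
    return found


if __name__ == "__main__":
    for section, entry, attr, enc in find_secrets(parse_fortios_config(SAMPLE_BACKUP)):
        print("%-18s %-10s %-10s %s" % (section, entry or "-", attr,
                                        "ENC" if enc else "PLAIN"))
```

Run against the sample it reports the two admin password hashes and the IPsec pre-shared key, all ENC-marked; a non-empty result is the signal that the file should have been taken with <backup_password_str>, or at least stored with the same care as the credentials it contains.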
History
FortiOS v2.80 Revised.
FortiOS v3.0 Added USB backup options.
FortiOS v3.0 MR1 Changed backup log from <name> <tftp_ipv4> to <tftp_ipv4> <log_type>.
FortiOS v3.0 MR3 log and alllogs now refer to either disk or memory as selected.
FortiOS v3.0 MR4 Added full-config tftp and full-config usb.
FortiOS v3.0 MR5 Added config management-station.
FortiOS v3.0 MR6 Added ftp to the commands.
FortiOS v3.0 MR7 Added ftp_username to backup config ftp. Fixed typo in backup full-config tftp.
FortiOS 4.0.0 Added the ability to back up all logs and individual log types to FTP servers as well as TFTP
servers.
Related topics
execute restore
ips custom
batch
Execute a series of CLI commands.
Syntax
execute batch [<cmd_cue>]
where <cmd_cue> is one of:
end - exit session and run the batch commands
lastlog - read the result of the last batch commands
start - start batch mode
status - batch mode status reporting if batch mode is running or stopped
Example
To start batch mode:
execute batch start
Enter batch mode...
To enter commands to run in batch mode:
config system global
set refresh 5
end
To execute the batch commands:
execute batch end
Exit and run batch commands...
Note: execute batch commands are controlled by the Maintenance (mntgrp) access control group.
History
FortiOS v3.0 MR1 New.
FortiOS v3.0 MR4 Control of execute batch commands in Maintenance (mntgrp) access control group.
FortiOS v3.0 MR5 Added lastlog.
central-mgmt
Update Central Management Service account information. Also used to receive configuration file updates
from an attached FortiManager unit.
Syntax
execute central-mgmt set-mgmt-id <management_id>
execute central-mgmt update
set-mgmt-id is used to change or initially set the management ID, or your account number for Central
Management Services. This account ID must be set for the service to be enabled.
update is used to update your Central Management Service contract with your new management account
ID. This command is to be used if there are any changes to your management service account.
update is also one of the steps in your FortiGate unit receiving a configuration file from an attached
FortiManager unit. For more information, see system central-management on page 345.
Example
If you are registering with the Central Management Service for the first time, and your account number is
123456, you would enter the following:
execute central-mgmt set-mgmt-id 123456
execute central-mgmt update
History
FortiOS v3.0 MR5 New.
Related topics
system central-management
cfg reload
Use this command to restore the saved configuration when the configuration change mode is manual or
revert. This command has no effect if the mode is automatic, the default. The set cfg-save
command in system global sets the configuration change mode.
When you reload the saved system configuration, your session ends and the FortiGate unit restarts.
In the default configuration change mode, automatic, CLI commands become part of the saved unit
configuration when you execute them by entering either next or end.
In manual mode, commands take effect but do not become part of the saved configuration unless you
execute the execute cfg save command. When the FortiGate unit restarts, the saved configuration is
loaded. Configuration changes that were not saved are lost.
The revert mode is similar to manual mode, except that unsaved configuration changes are reverted
automatically if the administrative session is idle for more than a specified timeout period. This provides a
way to recover from an erroneous configuration change, such as changing the IP address of the interface
you are using for administration. You set the timeout in system global using the set cfg-revert-timeout
command.
Syntax
execute cfg reload
Example
This is sample output from the command when successful:
# exec cfg reload
configs reloaded. system will reboot.
This is sample output from the command when not in runtime-only configuration mode:
# exec cfg reload
no config to be reloaded.
History
FortiOS v3.0 MR2 New.
Related topics
execute cfg save
system global
cfg save
Use this command to save configuration changes when the configuration change mode is manual or
revert. If the mode is automatic, the default, all changes are added to the saved configuration as you
make them and this command has no effect. The set cfg-save command in system global sets the
configuration change mode.
In manual mode, commands take effect but do not become part of the saved configuration unless you
execute the execute cfg save command. When the FortiGate unit restarts, the saved configuration is
loaded. Configuration changes that were not saved are lost.
The revert mode is similar to manual mode, except that unsaved configuration changes are reverted
automatically if the administrative session is idle for more than a specified timeout period. This provides a
way to recover from an erroneous configuration change, such as changing the IP address of the interface
you are using for administration. To change the timeout from the default of 600 seconds, go to system
global and use the set cfg-revert-timeout command.
Syntax
execute cfg save
Example
This is sample output from the command:
# exec cfg save
config saved.
This is sample output when not in runtime-only configuration mode. It also occurs when in runtime-only
configuration mode and no changes have been made:
# exec cfg save
no config to be saved.
History
FortiOS v3.0 MR2 New.
Related topics
execute cfg reload
system global
clear system arp table
Clear all the entries in the arp table.
Syntax
exec clear system arp table
History
FortiOS v3.0 MR3 New.
Related topics
execute router restart
get router info routing-table
get system arp
cli check-template-status
Reports the status of the secure copy protocol (SCP) script template.
Syntax
exec cli check-template-status
History
FortiOS v3.0 MR6 New.
cli status-msg-only
Enable standardized CLI error output messages. If executed, this command stops other debug messages
from displaying in the current CLI session.
Syntax
exec cli status-msg-only <enable | disable>
The message format is:
[error code]: text message
There are two error categories: Keyword Error, and Data Error. The error code provides details about the
type of error.
An ERROR message indicates that the command generated an error. A Keyword Error [1000x] indicates
that the keyword is not supported, or the attempted command is not recognized. A Data Error [2000x]
indicates that the data source is already in use.
Keywords and variables Description
status-msg-only <enable | disable> Enables standardized CLI error output messages.
History
FortiOS v3.0 MR5 New.
FortiOS v3.0 MR6 No longer sends OK message.
date
Get or set the system date.
Syntax
execute date [<date_str>]
date_str has the form yyyy-mm-dd, where
yyyy is the year and can be 2001 to 2037
mm is the month and can be 01 to 12
dd is the day of the month and can be 01 to 31
If you do not specify a date, the command returns the current system date. Shortened values, such as 06
instead of 2006 for the year or 1 instead of 01 for month or day, are not valid.
Example
This example sets the date to 17 September 2004:
execute date 2004-09-17
History
FortiOS v2.80 MR4 New.
FortiOS v3.0 MR1 <date_str> changed from mm/dd/yyyy format.
Related topics
execute time
dhcp lease-clear
Clear all DHCP address leases.
Syntax
execute dhcp lease-clear
History
FortiOS v2.80 MR2 New.
FortiOS v3.0 Command name changed from execute dhcpclear.
Related topics
execute dhcp lease-list
system dhcp server
system dhcp reserved-address
dhcp lease-list
Display DHCP leases on a given interface.
Syntax
execute dhcp lease-list [interface_name]
If you specify an interface, the command lists only the leases issued on that interface. Otherwise, the list
includes all leases issued by DHCP servers on the FortiGate unit.
If there are no DHCP leases in use on the FortiGate unit, an error is returned.
History
FortiOS v2.90 New.
Related topics
system dhcp server
system dhcp reserved-address
disconnect-admin-session
Disconnect an administrator who is logged in.
Syntax
execute disconnect-admin-session <index_number>
To determine the index of the administrator that you want to disconnect, view the list of logged-in
administrators by using the following command:
execute disconnect-admin-session ?
The list of logged-in administrators looks like this:
Connected:
INDEX USERNAME TYPE FROM TIME
0 admin WEB 172.20.120.51 Mon Aug 14 12:57:23 2006
1 admin2 CLI ssh(172.20.120.54) Mon Aug 14 12:57:23 2006
Example
This example shows how to disconnect a logged in administrator.
execute disconnect-admin-session 1
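During an incident the first question is which of the sessions in that listing belong to someone who should not be there. The Python script below is an added example, not code from the FortiGate reference or from Fortinet: it parses the Connected: table in the column layout shown above, takes the source address from both the WEB form (a bare IP) and the CLI form (ssh(IP)), and returns the index numbers of every session that did not originate from an allowed management network, which are exactly the arguments to pass to execute disconnect-admin-session. The listing and the allowed network 172.20.120.0/24 are constructed for the example.

```python
"""Pick admin sessions to disconnect from the listing printed by
'execute disconnect-admin-session ?'.

Added example, not part of the FortiGate reference. SAMPLE_LISTING is
constructed in the column layout the reference shows; the allowed
management network used in __main__ is an assumption for the example.
"""
import ipaddress
import re

SAMPLE_LISTING = """\
Connected:
 INDEX  USERNAME  TYPE  FROM                  TIME
     0  admin     WEB   172.20.120.51         Mon Aug 14 12:57:23 2006
     1  admin2    CLI   ssh(172.20.120.54)    Mon Aug 14 12:57:23 2006
     2  admin     CLI   ssh(203.0.113.77)     Mon Aug 14 13:02:10 2006
     3  admin     WEB   198.51.100.9          Mon Aug 14 13:05:41 2006
"""

# One session row: numeric index, user, type, FROM (an IP or proto(IP)), time.
_ROW = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<user>\S+)\s+(?P<type>\S+)\s+"
    r"(?P<from>\S+)\s+(?P<time>.+?)\s*$")
_ADDR = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_sessions(listing):
    """Return one dict per session row in the listing.

    Lines that do not have the expected shape (the 'Connected:' banner,
    the column header) are skipped rather than guessed at, so a changed
    column layout yields an empty result instead of wrong indexes."""
    sessions = []
    for line in listing.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        addr = _ADDR.search(m.group("from"))
        sessions.append({
            "index": int(m.group("index")),
            "user": m.group("user"),
            "type": m.group("type"),
            "from": addr.group(1) if addr else None,
            "time": m.group("time"),
        })
    return sessions


def sessions_to_disconnect(listing, allowed_nets, self_index=None):
    """Indexes of sessions whose source lies outside every allowed network.

    A session with no parseable address is included: an origin that cannot
    be verified is not trusted. self_index, when given, is never returned,
    so the operator does not cut off the session they are working from."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    out = []
    for s in parse_sessions(listing):
        if s["index"] == self_index:
            continue
        if s["from"] is None:
            out.append(s["index"])
            continue
        ip = ipaddress.ip_address(s["from"])
        if not any(ip in n for n in nets):
            out.append(s["index"])
    return out


if __name__ == "__main__":
    # Assumed: the operator is session 1 and 172.20.120.0/24 is the management LAN.
    for idx in sessions_to_disconnect(SAMPLE_LISTING, ["172.20.120.0/24"], self_index=1):
        print("execute disconnect-admin-session %d" % idx)
```

Disconnecting a session does not stop the same credential being reused, so the indexes this returns are the first step; changing the password of the account that was used and tightening its trusted hosts are the follow-up.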
History
FortiOS v2.90 New.
FortiOS v3.0 MR3 Changed execute disconnect <index_number> to execute disconnect-admin-session
<index_number>. Deleted get system logged-users reference.
Related topics
system mac-address-table
get system info admin status
enter
Use this command to go from global commands to a specific virtual domain (VDOM).
Only available when virtual domains are enabled and you are in config global.
After you enter the VDOM, the prompt will not change from (global). However, you will be in the VDOM
with all the commands that are normally available in VDOMs.
Syntax
execute enter <vdom>
Use ? to see a list of available VDOMs.
History
FortiOS v3.0 MR7 New.
factoryreset
Reset the FortiGate configuration to factory default settings.
Syntax
execute factoryreset
Caution: This procedure deletes all changes that you have made to the FortiGate configuration and reverts the
system to its original configuration, including resetting interface addresses.
History
FortiOS v2.80 No changes.
Related topics
execute backup
execute reboot
formatlogdisk
Format the FortiGate hard disk to enhance performance for logging.
Syntax
execute formatlogdisk
Caution: This operation will erase all quarantine files and logging data on the hard disk.
History
FortiOS v2.80 No change.
fortiguard-log update
Update the FortiGuard Analysis and Management Service contract.
Syntax
execute fortiguard-log update
History
FortiOS v3.0 MR4 New.
Related topics
system fortiguard
log fortianalyzer setting
log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
fsae refresh
Use this command to manually refresh user group information from Directory Service servers connected to
the FortiGate unit using the Fortinet Server Authentication Extensions (FSAE).
Syntax
execute fsae refresh
History
FortiOS v3.0 New.
FortiOS v3.0 MR7 Changed Active Directory to Directory Service.
Related topics
user fsae
ha disconnect
Use this command to disconnect a FortiGate unit from a functioning cluster. You must specify the serial
number of the unit to be disconnected. You must also specify an interface name and assign an IP address
and netmask to this interface of the disconnected unit. You can disconnect any unit from the cluster, even
the primary unit. After the unit is disconnected the cluster responds as if the disconnected unit has failed.
The cluster may renegotiate and may select a new primary unit.
To disconnect the unit from the cluster, the execute ha disconnect command sets the HA mode of the
disconnected unit to standalone. In addition, all interface IP addresses of the disconnected unit are set to
0.0.0.0. The interface specified in the command is set to the IP address and netmask that you specify in
the command. In addition, all management access to this interface is enabled. Once the FortiGate unit is
disconnected you can use SSH, telnet, HTTPS, or HTTP to connect to and manage the FortiGate unit.
Syntax
execute ha disconnect <cluster-member-serial_str> <interface_str>
    <address_ipv4> <address_ipv4mask>
Example
This example shows how to disconnect a cluster unit with serial number FGT5002803033050. The internal
interface of the disconnected unit is set to IP address 1.1.1.1 and netmask 255.255.255.0.
execute ha disconnect FGT5002803033050 internal 1.1.1.1 255.255.255.0
Keywords and variables Description
cluster-member-serial_str The serial number of the cluster unit to be disconnected.
interface_str The name of the interface to configure. The command configures the IP
address and netmask for this interface and also enables all management
access for this interface.
History
FortiOS v3.0 New.
Related topics
execute ha manage
execute ha synchronize
system ha
ha manage
Use this command from the CLI of a FortiGate unit in an HA cluster to log into the CLI of another unit in the
cluster. Usually you would use this command from the CLI of the primary unit to log into the CLI of a
subordinate unit. However, if you have logged into a subordinate unit CLI, you can use this command to
log into the primary unit CLI, or the CLI of another subordinate unit.
You can use CLI commands to manage the cluster unit that you have logged into. If you make changes
to the configuration of any cluster unit (primary or subordinate unit) these changes are synchronized to
all cluster units.
Syntax
execute ha manage <cluster-index>
Example
This example shows how to log into a subordinate unit in a cluster of three FortiGate units. In this example
you have already logged into the primary unit. The primary unit has serial number FGT3082103000056.
The subordinate units have serial numbers FGT3012803021709 and FGT3082103021989.
execute ha manage ?
<id> please input slave cluster index.
<0> Subsidary unit FGT3012803021709
<1> Subsidary unit FGT3082103021989
Type 0 and press enter to connect to the subordinate unit with serial number FGT3012803021709. The
CLI prompt changes to the host name of this unit. To return to the primary unit, type exit.
From the subordinate unit you can also use the execute ha manage command to log into the primary
unit or into another subordinate unit. Enter the following command:
execute ha manage ?
<id> please input slave cluster index.
<1> Subsidary unit FGT3082103021989
<2> Subsidary unit FGT3082103000056
Type 2 and press enter to log into the primary unit or type 1 and press enter to log into the other
subordinate unit. The CLI prompt changes to the host name of this unit.
Keywords and variables Description
cluster-index The cluster index is assigned by the FortiGate Clustering Protocol according to
cluster unit serial number. The cluster unit with the highest serial number has a
cluster index of 0. The cluster unit with the second highest serial number has a
cluster index of 1 and so on.
Enter ? to list the cluster indexes of the cluster units that you can log into. The
list does not show the unit that you are already logged into.
History
FortiOS v2.80 Unchanged.
FortiOS v3.0 Unchanged.
Related topics
execute ha disconnect
execute ha synchronize
system ha
ha synchronize
Use this command from a subordinate unit in an HA cluster to manually synchronize its configuration with
the primary unit. Using this command you can synchronize the following:
Configuration changes made to the primary unit (normal system configuration, firewall configuration,
VPN configuration and so on stored in the FortiGate configuration file),
Antivirus engine and antivirus definition updates received by the primary unit from the FortiGuard
Distribution Network (FDN),
IPS attack definition updates received by the primary unit from the FDN,
Web filter lists added to or changed on the primary unit,
Email filter lists added to or changed on the primary unit,
Certification Authority (CA) certificates added to the primary unit,
Local certificates added to the primary unit.
You can also use the start and stop keywords to force the cluster to synchronize its configuration or to
stop a synchronization process that is in progress.
Syntax
execute ha synchronize {config | avupd | attackdef | weblists | emaillists |
    ca | localcert | ase | all | start | stop}
Example
From the CLI of a subordinate unit, use the following commands to synchronize the antivirus and attack
definitions on the subordinate FortiGate unit with the primary unit after the FDN has pushed new definitions
to the primary unit.
execute ha synchronize avupd
execute ha synchronize attackdef
Variables Description
config Synchronize the FortiGate configuration.
avupd Synchronize the antivirus engine and antivirus definitions.
attackdef Synchronize attack definitions.
weblists Synchronize web filter lists.
emaillists Synchronize email filter lists.
ca Synchronize CA certificates.
localcert Synchronize local certificates.
ase Synchronize the antispam engine and antispam rule sets.
all Synchronize all of the above.
start Start synchronizing the cluster configuration.
stop Stop the cluster from completing synchronizing its configuration.
History
FortiOS v2.80 MR6 Added start and stop keywords.
FortiOS v3.0 Unchanged.
FortiOS v4.0 Added ase keyword.
Related topics
execute ha disconnect
execute ha manage
system ha
interface dhcpclient-renew
Renew the DHCP client for the specified DHCP interface and close the CLI session. If there is no DHCP
connection on the specified port, there is no output.
Syntax
execute interface dhcpclient-renew <port>
Example
This is the output for renewing the DHCP client on port1 before the session closes:
# exec interface dhcpclient-renew port1
renewing dhcp lease on port1
History
FortiOS v3.0 MR2 New. Replaces the old connect-enable command.
Related topics
execute dhcp lease-list
interface pppoe-reconnect
Reconnect to the PPPoE service on the specified PPPoE interface and close the CLI session. If there is no
PPPoE connection on the specified port, there is no output.
Syntax
execute interface pppoe-reconnect <port>
History
FortiOS v3.0 MR2 New. Replaces the old connect-enable command.
Related topics
execute modem dial
execute modem hangup
log delete-all
Use this command to clear all log entries in memory and current log files on hard disk. If your FortiGate unit
has no hard disk, only log entries in system memory will be cleared. You will be prompted to confirm the
command.
Syntax
execute log delete-all
History
FortiOS v3.0 MR2 No change.
Related topics
execute log delete-filtered
execute log delete-rolled
execute log display
execute log filter
execute log list
log delete-filtered
Use this command to delete log messages that match the current filter. You need to first set the log filter
with the execute log filter <filter> command.
Syntax
execute log delete-filtered
Example
To delete all traffic logs, enter the following commands:
execute log filter category traffic
execute log delete-filtered
Related topics
execute log filter
execute log delete-rolled
execute log display
execute log list
log delete-rolled
Use this command to delete rolled log files.
Syntax
execute log delete-rolled <category> <start> <end>
Example
The following deletes all rolled event logs from 1 to 50.
execute log delete-rolled event 1 50
Variable Description
<category> Enter the category of rolled log files that you want to delete:
traffic
event
virus
webfilter
attack
spam
content
im
voip
dlp
app-ctrl
The <category> must be one of the above categories. The FortiGate unit can only
delete one category at a time.
<start> Enter the number of the first log to delete. If you are deleting multiple rolled log files, you
must also enter a number for end.
The <start> and <end> values represent the range of rolled log files to delete. If
<end> is not specified, only the <start> log number is deleted.
<end> Enter the number of the last log to delete, if you are deleting multiple rolled log files.
The <start> and <end> values represent the range of rolled log files to delete. If
<end> is not specified, only the <start> log number is deleted.
History
FortiOS v3.0 MR2 No change.
FortiOS v4.0 Added dlp and app-ctrl keywords.
Related topics
log fortianalyzer setting
execute log delete-filtered
execute log filter
execute log delete-all
log display
Use this command to display log messages that you have selected with the execute log filter
command.
Syntax
execute log display
The console displays the first 10 log messages. To view more messages, run the command again. You can
do this until you have seen all of the selected log messages. To restart viewing the list from the beginning,
use the commands
execute log filter start-line 1
execute log display
You can restore the log filters to their default values using the command
execute log filter reset
History
FortiOS v2.90 New.
Related topics
execute log filter
execute log delete-filtered
log filter
Use this command to select log messages for viewing or deletion. You can view one log category on one
device at a time. Optionally, you can filter the messages to select only specified date ranges or severities
of log messages. For traffic logs, you can filter log messages by source or destination IP address.
Commands are cumulative. If you omit a required variable, the command displays the current setting.
Use as many execute log filter commands as you need to define the log messages that you want
to view.
Syntax
execute log filter category <category_name>
execute log filter device {disk | memory}
execute log filter field <name>
execute log filter lines-per-view <count>
execute log filter list
execute log filter reset
execute log filter rolled_number <number>
execute log filter start-line <line_number>
Variables Description Default
category <category_name> Enter the type of log you want to select, one of: traffic, event, virus,
webfilter, spam, attack, content, im, voip, dlp, app-ctrl. Default: event
device {disk | memory} Device where the logs are stored. Default: disk
field <name> Press Enter to view the fields that are available for the associated category.
Enter the fields you want, using commas to separate multiple fields. No default.
lines-per-view <count> Set lines per view. Range: 5 to 1000. Default: 10
list Display current filter settings. No default.
reset Execute this command to reset all filter settings. No default.
rolled_number <number> Select logs from rolled log file. 0 selects current log file. Default: 0
start-line <line_number> Select logs starting at specified line number. Default: 1
History
FortiOS v4.0 Added dlp and app-ctrl keywords in category.
Related topics
execute log delete-filtered
execute log display
log fortianalyzer test-connectivity
Use this command to test the connection to the FortiAnalyzer unit. This command is available only when
FortiAnalyzer is configured.
Syntax
execute log fortianalyzer test-connectivity
Example
When FortiAnalyzer is connected, the output looks like this:
For t i Anal yzer Host Name: For t i Anal yzer - 800B
For t i Gat e Devi ce I D: FG50B3G06500085
Regi st r at i on: r egi st er ed
Connect i on: al l ow
Di sk Space ( Used/ Al l ocat ed) : 468/ 1003 MB
Tot al Fr ee Space: 467088 MB
Log: Tx & Rx
Repor t : Tx & Rx
Cont ent Ar chi ve: Tx & Rx
Quar ant i ne: Tx & Rx
When FortiAnalyzer is not connected, the output is: Connect Er r or
History
Related topics
log fortianalyzer setting
FortiOS v3.0 New.
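A monitoring script that turns the output above into a pass/fail health check is an added example here, not Fortinet code. The two samples are constructed from the output format shown above; the 90% disk-usage threshold and the set of services expected to show "Tx & Rx" are assumptions.

```python
"""Parse `execute log fortianalyzer test-connectivity` output into a health check."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a FortiGate that is registered with and connected to a FortiAnalyzer.
SAMPLE_CONNECTED = """\
FortiAnalyzer Host Name: FortiAnalyzer-800B
FortiGate Device ID: FG50B3G06500085
Registration: registered
Connection: allow
Disk Space (Used/Allocated): 468/1003 MB
Total Free Space: 467088 MB
Log: Tx & Rx
Report: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx
"""

# Constructed sample: the output when the FortiAnalyzer cannot be reached.
SAMPLE_DISCONNECTED = "Connect Error\n"

# Assumption: all four services must be transmitting and receiving for forwarding to be healthy.
EXPECTED_SERVICES = ("Log", "Report", "Content Archive", "Quarantine")
DISK_WARN_RATIO = 0.9  # assumption: warn once used/allocated space reaches 90%


def parse_test_connectivity(output: str) -> Dict[str, str]:
    """Split each 'Key: value' line into a dictionary; lines without a colon are ignored."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def check_fortianalyzer(output: str) -> Tuple[bool, List[str]]:
    """Return (healthy, problems) for one test-connectivity run."""
    if output.strip() == "Connect Error":
        return False, ["FortiAnalyzer not reachable (Connect Error)"]

    fields = parse_test_connectivity(output)
    problems: List[str] = []

    if fields.get("Registration") != "registered":
        problems.append(f"Registration: {fields.get('Registration', 'missing')}")
    if fields.get("Connection") != "allow":
        problems.append(f"Connection: {fields.get('Connection', 'missing')}")

    for service in EXPECTED_SERVICES:
        state = fields.get(service, "missing")
        if state != "Tx & Rx":
            problems.append(f"{service}: {state}")

    # The disk line looks like "468/1003 MB"; warn before the allocated quota fills up.
    match = re.match(r"(\d+)/(\d+) MB", fields.get("Disk Space (Used/Allocated)", ""))
    if match:
        used, allocated = (int(x) for x in match.groups())
        if allocated and used / allocated >= DISK_WARN_RATIO:
            problems.append(f"Disk usage {used}/{allocated} MB above threshold")
    else:
        problems.append("Disk Space line missing or unparseable")

    return not problems, problems


if __name__ == "__main__":
    for sample in (SAMPLE_CONNECTED, SAMPLE_DISCONNECTED):
        healthy, problems = check_fortianalyzer(sample)
        print("healthy" if healthy else "problems: " + "; ".join(problems))
```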
log list
You can view the list of current and rolled log files on the console. The list shows the file name, size and
timestamp.
Syntax
execute log list <category>
<category> must be one of: traffic, event, virus, webfilter, attack, spam, content, im, voip, dlp and app-ctrl.
Example
The output looks like this:
elog 8704 Fri March 6 14:24:35 2009
elog.1 1536 Thu March 5 18:02:51 2009
elog.2 35840 Wed March 4 22:22:47 2009
At the end of the list, the total number of files in the category is displayed. For example:
501 event log file(s) found.
History
FortiOS 4.0  Added the category options dlp and app-ctrl.
Related topics
execute log delete-rolled
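A parser for the listing above, as an added example that is not Fortinet code: it turns each line into a record and checks the listing against the unit's own count line. The sample is constructed to match the format shown above; mapping the ".N" suffix to the rolled_number accepted by execute log filter is an assumption about the naming scheme.

```python
"""Parse `execute log list <category>` output into log-file records."""
import re
from datetime import datetime
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample, same layout as the reference's event-log listing.
SAMPLE_LOG_LIST = """\
elog 8704 Fri March 6 14:24:35 2009
elog.1 1536 Thu March 5 18:02:51 2009
elog.2 35840 Wed March 4 22:22:47 2009
3 event log file(s) found.
"""

# One "name size weekday month day hh:mm:ss year" line per file.
FILE_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<stamp>[A-Z][a-z]{2} [A-Z][a-z]+ \d{1,2} \d{2}:\d{2}:\d{2} \d{4})$"
)
COUNT_LINE = re.compile(r"^(?P<count>\d+) (?P<category>\w+) log file\(s\) found\.$")


class LogFile(NamedTuple):
    name: str
    rolled_number: int  # 0 = current file, N = N-th rolled file (assumed from the ".N" suffix)
    size: int
    timestamp: datetime


def parse_log_list(output: str) -> Tuple[List[LogFile], Optional[int]]:
    """Return the parsed file records and the count reported on the last line (if present)."""
    files: List[LogFile] = []
    reported: Optional[int] = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_LINE.match(line)
        if m:
            name = m.group("name")
            suffix = name.rsplit(".", 1)[1] if "." in name else "0"
            rolled = int(suffix) if suffix.isdigit() else 0
            stamp = datetime.strptime(m.group("stamp"), "%a %B %d %H:%M:%S %Y")
            files.append(LogFile(name, rolled, int(m.group("size")), stamp))
            continue
        m = COUNT_LINE.match(line)
        if m:
            reported = int(m.group("count"))
    return files, reported


def oldest_retained(files: List[LogFile]) -> Optional[LogFile]:
    """Oldest file still on the unit, i.e. how far back a local investigation can reach."""
    return min(files, key=lambda f: f.timestamp) if files else None


def listing_is_complete(files: List[LogFile], reported: Optional[int]) -> bool:
    """True when the number of parsed file lines matches the unit's own count line."""
    return reported is not None and reported == len(files)


if __name__ == "__main__":
    parsed, count = parse_log_list(SAMPLE_LOG_LIST)
    for f in parsed:
        print(f"{f.name}: rolled_number={f.rolled_number} size={f.size} at {f.timestamp}")
    print("complete listing" if listing_is_complete(parsed, count) else "listing truncated")
```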
log roll
Use this command to roll all log files.
Syntax
execute log roll
History
FortiOS v3.0  New.
Related topics
execute log delete-rolled
modem dial
Dial the modem.
The dial command dials the accounts configured in config system modem until it makes a connection
or it has made the maximum configured number of redial attempts.
This command applies only to models 50A, 60, 60M and 60-WiFi and is effective only if the modem is in
Standalone mode.
Syntax
execute modem dial
History
FortiOS v2.80  New.
Related topics
system modem
execute modem hangup
modem hangup
Hang up the modem.
This command applies only to models 50A, 60, 60M and 60-WiFi and is effective only if the modem is in
Standalone mode.
Syntax
execute modem hangup
History
FortiOS v2.80  New.
Related topics
system modem
execute modem dial
modem trigger
This command sends a signal to the modem daemon, which causes the state machine to re-evaluate its
current state. If for some reason the modem should be connected but isn't, this triggers a redial. If the
modem should not be connected but is, this command causes the modem to disconnect.
Syntax
execute modem trigger
History
FortiOS v4.0  New.
Related topics
execute modem dial
execute modem hangup
ping
Send an ICMP echo request (ping) to test the network connection between the FortiGate unit and another
network device.
Syntax
execute ping {<address_ipv4> | <host-name_str>}
<host-name_str> should be an IP address or a fully qualified domain name.
Example
This example shows how to ping a host with the IP address 172.20.120.16.
# execute ping 172.20.120.16
PING 172.20.120.16 (172.20.120.16): 56 data bytes
64 bytes from 172.20.120.16: icmp_seq=0 ttl=128 time=0.5 ms
64 bytes from 172.20.120.16: icmp_seq=1 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=2 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=3 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=4 ttl=128 time=0.2 ms
--- 172.20.120.16 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.5 ms
History
FortiOS v2.80  No change.
FortiOS v3.0  No change.
Related topics
execute ping-options, ping6-options
execute ping6
execute traceroute
ping-options, ping6-options
Set ICMP echo request (ping) options to control the way ping tests the network connection between the
FortiGate unit and another network device.
Syntax
execute ping-options data-size <bytes>
execute ping-options df-bit {yes | no}
execute ping-options pattern <2-byte_hex>
execute ping-options repeat-count <repeats>
execute ping-options source {auto | <source-intf_ip>}
execute ping-options timeout <seconds>
execute ping-options tos <service_type>
execute ping-options ttl <hops>
execute ping-options validate-reply {yes | no}
execute ping-options view-settings
Keyword  Description  Default
data-size <bytes>  Specify the datagram size in bytes.  56
df-bit {yes | no}  Set df-bit to yes to prevent the ICMP packet from being fragmented. Set df-bit to no to allow the ICMP packet to be fragmented.  no
pattern <2-byte_hex>  Used to fill in the optional data buffer at the end of the ICMP packet. The size of the buffer is specified using the data-size parameter. This allows you to send out packets of different sizes for testing the effect of packet size on the connection.  No default.
repeat-count <repeats>  Specify how many times to repeat ping.  5
source {auto | <source-intf_ip>}  Specify the FortiGate interface from which to send the ping. If you specify auto, the FortiGate unit selects the source address and interface based on the route to the <host-name_str> or <host_ip>. Specifying the IP address of a FortiGate interface tests connections to different network segments from the specified interface.  auto
timeout <seconds>  Specify, in seconds, how long to wait until ping times out.  2
tos <service_type>  Set the ToS (Type of Service) field in the packet header to provide an indication of the quality of service wanted: lowdelay = minimize delay, throughput = maximize throughput, reliability = maximize reliability, lowcost = minimize cost.  0
ttl <hops>  Specify the time to live. Time to live is the number of hops the ping packet should be allowed to make before being discarded or returned.  64
validate-reply {yes | no}  Select yes to validate reply data.  no
view-settings  Display the current ping-option settings.  No default.
Example
Use the following command to increase the number of pings sent.
execute ping-options repeat-count 10
Use the following command to send all pings from the FortiGate interface with IP address 192.168.10.23.
execute ping-options source 192.168.10.23
History
FortiOS v2.80  No change.
Related topics
execute ping
execute ping6
execute traceroute
system tos-based-priority
ping6
Send an ICMP echo request (ping) to test the network connection between the FortiGate unit and an IPv6
capable network device.
Syntax
execute ping6 {<address_ipv6> | <host-name_str>}
Example
This example shows how to ping a host with the IPv6 address 12AB:0:0:CD30:123:4567:89AB:CDEF.
execute ping6 12AB:0:0:CD30:123:4567:89AB:CDEF
History
FortiOS v2.80  New.
Related topics
execute ping
execute ping-options, ping6-options
router static6
reboot
Restart the FortiGate unit.
Syntax
execute reboot [comment <comment_string>]
comment <comment_string> optionally adds a message that appears in the hard disk log indicating the
reason for the reboot. If the message is more than one word, it must be enclosed in quotes.
Example
This example shows the reboot command with a message included.
execute reboot comment "December monthly maintenance"
History
FortiOS v2.80  Unchanged.
FortiOS v3.0 MR4  Added comment keyword.
Related topics
execute backup
execute factoryreset
router clear bfd
Use this command to clear a bidirectional forwarding detection (BFD) session.
Syntax
execute router clear bfd session <src_ip> <dst_ip> <interface>
Variables  Description
<src_ip>  Select the source IP address of the session.
<dst_ip>  Select the destination IP address of the session.
<interface>  Select the interface for the session.
History
FortiOS v3.0 MR4  New.
Related topics
router bgp
restore
Use this command to:
restore the configuration from a file
change the FortiGate firmware
change the FortiGate backup firmware
restore an IPS custom signature file
When virtual domain configuration is enabled (in system global, vdom-admin is enabled), the content
of the backup file depends on the administrator account that created it.
A backup of the system configuration from the super admin account contains the global settings and
the settings for all of the VDOMs. Only the super admin account can restore the configuration from this
file.
A backup file from a regular administrator account contains the global settings and the settings for the
VDOM to which the administrator belongs. Only a regular administrator account can restore the
configuration from this file.
Syntax
execute restore ase ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore ase tftp <filename_str> <server_ipv4[:port_int]>
execute restore av ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore av tftp <filename_str> <server_ipv4[:port_int]>
execute restore config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>] [<backup_password_str>]
execute restore config management-station {normal | template | script} <rev_int>
execute restore config tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute restore config usb <filename_str> [<backup_password_str>]
execute restore image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore image management-station <version_int>
execute restore image tftp <filename_str> <server_ipv4>
execute restore image usb <filename_str>
execute restore ips ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore ips tftp <filename_str> <server_ipv4>
execute restore ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore ipsuserdefsig tftp <filename_str> <server_ipv4>
execute restore secondary-image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore secondary-image tftp <filename_str> <server_ipv4>
execute restore secondary-image usb <filename_str>
execute restore forticlient tftp <filename_str> <server_ipv4>
Variables  Description
ase ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]  Restore the antispam engine. Download the restore file from an FTP server. The user name and password to access the FTP server are only necessary if the server requires them.
ase tftp <filename_str> <server_ipv4[:port_int]>  Restore the antispam engine. Download the restore file from a TFTP server.
av ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]  Download the antivirus database file from an FTP server to the FortiGate unit.
av tftp <filename_str> <server_ipv4[:port_int]>  Download the antivirus database file from a TFTP server to the FortiGate unit.
config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>] [<backup_password_str>]  Restore the system configuration from an FTP server. The new configuration replaces the existing configuration, including administrator accounts and passwords. If the backup file was created with a password, you must specify the password.
config management-station {normal | template | script} <rev_int>  Restore the system configuration from the central management server. The new configuration replaces the existing configuration, including administrator accounts and passwords. rev_int is the revision number of the saved configuration to restore. Enter 0 for the most recent revision.
config tftp <filename_str> <server_ipv4> [<backup_password_str>]  Restore the system configuration from a file on a TFTP server. The new configuration replaces the existing configuration, including administrator accounts and passwords. If the backup file was created with a password, you must specify the password.
config usb <filename_str> [<backup_password_str>]  Restore the system configuration from a file on a USB disk. The new configuration replaces the existing configuration, including administrator accounts and passwords. If the backup file was created with a password, you must specify the password.
image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]  Download a firmware image from an FTP server to the FortiGate unit. The FortiGate unit reboots, loading the new firmware. This command is not available in multiple VDOM mode.
image management-station <version_int>  Download a firmware image from the central management station. This is available if you have configured a FortiManager unit as a central management server. This is also available if your account with FortiGuard Analysis and Management Service allows you to upload firmware images.
image tftp <filename_str> <server_ipv4>  Download a firmware image from a TFTP server to the FortiGate unit. The FortiGate unit reboots, loading the new firmware. This command is not available in multiple VDOM mode.
image usb <filename_str>  Download a firmware image from a USB disk to the FortiGate unit. The FortiGate unit reboots, loading the new firmware.
ips ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]  Download the IPS database file from an FTP server to the FortiGate unit.
ips tftp <filename_str> <server_ipv4>  Download the IPS database file from a TFTP server to the FortiGate unit.
ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]  Restore an IPS custom signature file from an FTP server. The file will overwrite the existing IPS custom signature file.
ipsuserdefsig tftp <filename_str> <server_ipv4>  Restore an IPS custom signature file from a TFTP server. The file will overwrite the existing IPS custom signature file.
secondary-image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]  Download a firmware image from an FTP server as the backup firmware of the FortiGate unit. This is available only on models that support backup firmware images.
secondary-image tftp <filename_str> <server_ipv4>  Download a firmware image from a TFTP server as the backup firmware of the FortiGate unit. This is available only on models that support backup firmware images.
secondary-image usb <filename_str>  Download a firmware image from a USB disk as the backup firmware of the FortiGate unit. The unit restarts when the upload is complete. This is available only on models that support backup firmware images.
forticlient tftp <filename_str> <server_ipv4>  Download the FortiClient image from a TFTP server to the FortiGate unit. The filename must have the format: FortiClientSetup_versionmajor.versionminor.build.exe. For example, FortiClientSetup.4.0.377.exe.
Example
This example shows how to upload a configuration file from a TFTP server to the FortiGate unit and restart
the FortiGate unit with this configuration. The name of the configuration file on the TFTP server is
backupconfig. The IP address of the TFTP server is 192.168.1.23.
execute restore config tftp backupconfig 192.168.1.23
History
FortiOS v2.80  Revised.
FortiOS v3.0  Added USB restore options and secondary-image restoration. Removed allconfig option.
FortiOS v3.0 MR2  Added FTP restore option.
FortiOS v3.0 MR4  Added av, forticlient, ips keywords.
FortiOS v3.0 MR5  Added config management-station.
FortiOS v3.0 MR6  Added ftp to all keywords except forticlient.
FortiOS v4.0.0  Added ase ftp and ase tftp.
Related topics
execute backup
ips custom
router clear bgp
Use this command to clear BGP peer connections.
Syntax
execute router clear bgp all [soft] [in | out]
execute router clear bgp as <as_number> [soft] [in | out]
execute router clear bgp dampening {ip_address | ip/netmask}
execute router clear bgp external {in prefix-filter} [soft] [in | out]
execute router clear bgp flap-statistics {ip_address | ip/netmask}
execute router clear bgp ip <ip_address> [soft] [in | out]
Variables  Description
all  Clear all BGP peer connections.
as <as_number>  Clear BGP peer connections by AS number.
dampening {ip_address | ip/netmask}  Clear route flap dampening information for a peer or network.
external {in prefix-filter}  Clear all external peers.
flap-statistics {ip_address | ip/netmask}  Clear flap statistics for a peer or network.
ip <ip_address>  Clear BGP peer connections by IP address.
peer-group  Clear all members of a BGP peer-group.
[in | out]  Optionally limit the clear operation to inbound only or outbound only.
soft  Do a soft reset that changes the configuration but does not disturb existing sessions.
History
FortiOS v2.80 MR2  New.
FortiOS v3.0 MR1  Added flap-statistics keyword.
Related topics
router bgp
router clear ospf process
Use this command to clear and restart the OSPF router.
Syntax
execute router clear ospf process
History
FortiOS v3.0 MR1  New.
Related topics
router ospf
router restart
Use this command to restart the routing software.
Syntax
execute router restart
History
FortiOS v2.80 MR2  New.
Related topics
router
scsi-dev
Use this command as part of a WAN optimization configuration to edit FortiGate SCSI devices, which can
include internal high-capacity hard drives, AMC module hard drives, SAS devices, and iSCSI devices.
Unless you have special requirements, you do not need to change the SCSI device configuration unless
you add iSCSI support or otherwise want to use more than one SCSI device for WAN optimization.
To configure SCSI devices for WAN optimization you:
1 Use the execute scsi-dev partition command to create and edit partitions.
2 Use the execute scsi-dev storage command to create WAN optimization storages. WAN
optimization storages are logical parts of a partition used by WAN optimization to store the byte cache
and web cache databases. You can create multiple storages but only two of them are used at a time:
one for byte caching and one for web caching. You cannot use the same storage for both byte caching
and web caching. You can add more than one storage to a partition.
3 Use the config wanopt cache-storage command to configure the storages to use for byte
caching and web caching.
You can use the show wanopt storage command to view the storages that you have added. You can
also use the config wanopt storage command to change the storage sizes. See wanopt storage on
page 582.
See the description of wanopt cache-storage on page 566 for an example of using the execute
scsi-dev command to configure iSCSI support.
Syntax
execute scsi-dev list
execute scsi-dev partition create <device_ref_int> <partition_size_int>
execute scsi-dev partition delete <partition_ref_int>
execute scsi-dev partition resize <partition_ref_int> <partition_size_int>
execute scsi-dev storage <partition_ref_int> <storage_size_int> <storage_name_str>
Variables  Description
list  List the SCSI devices and partitions. The list displays device reference numbers <device_ref_int>, partition reference numbers <partition_ref_int>, and partition sizes <partition_size_int>.
partition create  Create new SCSI device partitions.
partition delete  Delete SCSI device partitions.
partition resize  Expand or shrink a SCSI device partition. Only the last partition on a device can be resized.
<device_ref_int>  SCSI device reference number displayed by the execute scsi-dev list command. These numbers uniquely identify each SCSI device.
<partition_size_int>  The size of a partition in Mbytes.
<partition_ref_int>  Partition reference number displayed by the execute scsi-dev list command. These numbers uniquely identify each SCSI device partition.
storage  Add WAN optimization storages. The first time you add a storage to a partition using the execute scsi-dev storage command, the partition is labelled with a random string (for example, 77A2A1AB1D0EF8B7). This label is used for all storages added to a given partition. A different label is created for each partition. The labels appear when you use the execute scsi-dev list command to list the partitions.
<storage_size_int>  The size of a WAN optimization storage in Mbytes. The storage can be from 16 Mbytes up to the size of the partition.
<storage_name_str>  The name of the WAN optimization storage.
Examples
Use the following command to list the SCSI devices for a FortiGate unit that includes a FortiGate-ASM-S08
module.
# execute scsi-dev list
Device 1 492.0 MB ref: 0 (Vendor: Model: USB DISK 2.0 Rev: PMAP)
partition 1 39.1 MB ref: 1 label: <none>
partition 2 39.1 MB ref: 2 label: <none>
partition 3 39.1 MB ref: 3 label: <none>
Device 2 74.5 GB ref: 16 (Vendor: ATA Model: FUJITSU MHW2080B Rev: 0)
partition 1 74.5 GB ref: 17 label: 404913186405899C
In this example, the device reference number for the hard disk on the FortiGate-ASM-S08 module is 16
and the partition reference number for the partition on this hard disk is 17. The label 404913186405899C for
partition ref 17 indicates that WAN optimization storages have been added to this partition.
Use the following command to add a WAN optimization storage named WAN_sto_1 to partition
reference number 17. The storage size is 20 Mbytes.
execute scsi-dev storage 17 20 WAN_sto_1
Storage created; size: 20MB signature: WAN-sto_1-404913186405899C
History
FortiOS v4.0  New.
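The procedure above reads reference numbers out of the list output and feeds them to execute scsi-dev storage; the following added example (not Fortinet code) parses that listing and validates a storage request against the rules in the variable table before producing the command line. The sample listing is constructed from the example above; treating 1 GB as 1024 MB and requiring the storage name to be a single token are assumptions.

```python
"""Parse `execute scsi-dev list` output and validate an `execute scsi-dev storage` request."""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: the listing for a unit with a USB disk and a FortiGate-ASM-S08 hard disk.
SAMPLE_SCSI_LIST = """\
Device 1 492.0 MB ref: 0 (Vendor: Model: USB DISK 2.0 Rev: PMAP)
partition 1 39.1 MB ref: 1 label: <none>
partition 2 39.1 MB ref: 2 label: <none>
partition 3 39.1 MB ref: 3 label: <none>
Device 2 74.5 GB ref: 16 (Vendor: ATA Model: FUJITSU MHW2080B Rev: 0)
partition 1 74.5 GB ref: 17 label: 404913186405899C
"""

DEVICE_LINE = re.compile(r"^Device (\d+) ([\d.]+) (MB|GB) ref: (\d+) \((.*)\)$")
PARTITION_LINE = re.compile(r"^partition (\d+) ([\d.]+) (MB|GB) ref: (\d+) label: (\S+)$")
MIN_STORAGE_MB = 16  # lower bound given in the reference's variable table


def to_mb(value: str, unit: str) -> float:
    """Normalise a size to Mbytes. Assumption: 1 GB = 1024 MB."""
    return float(value) * (1024 if unit == "GB" else 1)


class Partition(NamedTuple):
    number: int
    size_mb: float
    ref: int
    label: Optional[str]  # None when the listing shows <none>


class Device(NamedTuple):
    number: int
    size_mb: float
    ref: int
    description: str
    partitions: List[Partition]


def parse_scsi_dev_list(output: str) -> List[Device]:
    """Build Device records, attaching each partition line to the device listed above it."""
    devices: List[Device] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DEVICE_LINE.match(line)
        if m:
            devices.append(Device(int(m[1]), to_mb(m[2], m[3]), int(m[4]), m[5], []))
            continue
        m = PARTITION_LINE.match(line)
        if m:
            if not devices:
                raise ValueError("partition line before any device line")
            label = None if m[5] == "<none>" else m[5]
            devices[-1].partitions.append(Partition(int(m[1]), to_mb(m[2], m[3]), int(m[4]), label))
            continue
        raise ValueError(f"unrecognised line: {line}")
    return devices


def partitions_by_ref(devices: List[Device]) -> Dict[int, Partition]:
    return {p.ref: p for d in devices for p in d.partitions}


def labelled_partition_refs(devices: List[Device]) -> List[int]:
    """Partitions that already carry a label, i.e. already hold WAN optimization storages."""
    return [p.ref for d in devices for p in d.partitions if p.label is not None]


def storage_command(devices: List[Device], partition_ref: int, size_mb: int, name: str) -> str:
    """Return the CLI line for a storage request, or raise ValueError if it breaks the documented limits."""
    parts = partitions_by_ref(devices)
    if partition_ref not in parts:
        raise ValueError(f"partition ref {partition_ref} not in listing")
    part = parts[partition_ref]
    if size_mb < MIN_STORAGE_MB or size_mb > part.size_mb:
        raise ValueError(f"size {size_mb} MB outside {MIN_STORAGE_MB}..{part.size_mb:.0f} MB")
    if not name or any(c.isspace() for c in name):  # assumption: the CLI takes the name as one token
        raise ValueError("storage name must be a single non-empty token")
    return f"execute scsi-dev storage {partition_ref} {size_mb} {name}"


if __name__ == "__main__":
    devs = parse_scsi_dev_list(SAMPLE_SCSI_LIST)
    print("partitions with storages:", labelled_partition_refs(devs))
    print(storage_command(devs, 17, 20, "WAN_sto_1"))
```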
send-fds-statistics
Use this command to send an FDS statistics report now, without waiting for the FDS statistics report
interval to expire.
Syntax
execute send-fds-statistics
History
FortiOS v3.0 MR6  New.
set-next-reboot
Use this command to start the FortiGate unit with the primary or secondary firmware after the next reboot. This
command is useful only on models numbered 100 and higher, which are able to store two firmware images.
By default, the FortiGate unit loads the firmware from the primary partition.
VDOM administrators do not have permission to run this command. It must be executed by a super
administrator.
Syntax
execute set-next-reboot {primary | secondary}
History
FortiOS v3.0  New.
FortiOS v3.0 MR3  VDOM administrators can't run this command.
Related topics
execute reboot
execute shutdown
sfp-mode-sgmii
Change the SFP mode for an NP2 card to SGMII. By default, when an AMC card is inserted, the SFP mode
is set to SERDES.
If a configured NP2 card is removed and re-inserted, the SFP mode goes back to the default.
In these situations, the sfpmode-sgmii command changes the SFP mode from SERDES to SGMII for
the interface specified.
Syntax
execute sfpmode-sgmii <interface>
<interface> is the NP2 interface where you are changing the SFP mode.
History
FortiOS v3.0 MR7  New.
shutdown
Shut down the FortiGate unit now. You will be prompted to confirm this command.
Syntax
execute shutdown [comment <comment_string>]
comment <comment_string> optionally adds a message that appears in the hard disk log indicating the
reason for the shutdown. If the message is more than one word, it must be enclosed in quotes.
Example
This example shows the shutdown command with a message included.
execute shutdown comment "emergency facility shutdown"
History
FortiOS v2.80 MR8  New.
FortiOS v3.0 MR4  Added comment.
Related topics
execute factoryreset
execute reboot
ssh
Use this command to establish an ssh session with another system.
Syntax
execute ssh <destination>
<destination> is the destination in the form user@ip or user@host.
Example
execute ssh admin@172.20.120.122
To end an ssh session, type exit:
FGT-6028030112 # exit
Connection to 172.20.120.122 closed.
FGT-8002805000 #
History
FortiOS v3.0 MR3  New.
Related topics
execute ping
execute traceroute
system interface
telnet
Use the telnet client. You can use this tool to test network connectivity.
Syntax
execute telnet <telnet_ipv4>
<telnet_ipv4> is the address to connect with.
Type exit to close the telnet session.
History
FortiOS v3.0  New.
Related topics
execute ping
execute traceroute
system interface
time
Get or set the system time.
Syntax
execute time [<time_str>]
time_str has the form hh:mm:ss, where
hh is the hour and can be 00 to 23
mm is the minutes and can be 00 to 59
ss is the seconds and can be 00 to 59
If you do not specify a time, the command returns the current system time.
You are allowed to shorten numbers to only one digit when setting the time. For example, both 01:01:01
and 1:1:1 are allowed.
Example
This example sets the system time to 15:31:03:
execute time 15:31:03
History
FortiOS v2.80 MR4  New.
Related topics
execute date
traceroute
Test the connection between the FortiGate unit and another network device, and display information about
the network hops between the device and the FortiGate unit.
Syntax
execute traceroute {<ip_address> | <host-name>}
Example
This example shows how to test the connection with http://docs.forticare.com. In this example the
traceroute command times out after the first hop, indicating a possible problem.
# execute traceroute docs.forticare.com
traceroute to docs.forticare.com (65.39.139.196), 30 hops max, 38 byte packets
 1 172.20.120.2 (172.20.120.2) 0.324 ms 0.427 ms 0.360 ms
 2 * * *
If your FortiGate unit is not connected to a working DNS server, you will not be able to connect to remote
host-named locations with traceroute.
History
FortiOS v2.80  No change.
Related topics
execute ping
execute ping-options, ping6-options
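The example above is read by eye: the first hop answers, the second is silent. The following added example (not Fortinet code) parses that output so the same judgement can be made in a script; the sample is constructed from the trace shown above.

```python
"""Parse `execute traceroute` output and locate the first hop that stopped answering."""
import re
from typing import List, NamedTuple, Optional

# Constructed sample, matching the trace shown in the reference (times out after hop 1).
SAMPLE_TRACEROUTE = """\
traceroute to docs.forticare.com (65.39.139.196), 30 hops max, 38 byte packets
 1 172.20.120.2 (172.20.120.2) 0.324 ms 0.427 ms 0.360 ms
 2 * * *
"""

HEADER = re.compile(r"^traceroute to (\S+) \(([\d.]+)\), (\d+) hops max, (\d+) byte packets$")


class Hop(NamedTuple):
    number: int
    host: Optional[str]             # None when every probe timed out
    ip: Optional[str]
    rtts_ms: List[Optional[float]]  # one entry per probe; None for a '*'


class Trace(NamedTuple):
    target: str
    target_ip: str
    max_hops: int
    hops: List[Hop]


def parse_hop(line: str) -> Hop:
    """Parse one hop line: 'N host (ip) t1 ms t2 ms t3 ms' or 'N * * *'."""
    tokens = line.split()
    number = int(tokens[0])
    rest = tokens[1:]
    if rest and rest[0] != "*":
        host, ip = rest[0], rest[1].strip("()")
        rest = rest[2:]
    else:
        host = ip = None
    rtts: List[Optional[float]] = []
    for tok in rest:
        if tok == "*":
            rtts.append(None)
        elif tok != "ms":
            rtts.append(float(tok))
    return Hop(number, host, ip, rtts)


def parse_traceroute(output: str) -> Trace:
    lines = [l.strip() for l in output.splitlines() if l.strip()]
    m = HEADER.match(lines[0])
    if not m:
        raise ValueError("unrecognised traceroute header")
    hops = [parse_hop(l) for l in lines[1:]]
    return Trace(m.group(1), m.group(2), int(m.group(3)), hops)


def first_silent_hop(trace: Trace) -> Optional[int]:
    """Number of the first hop whose probes all timed out, or None if every hop answered."""
    for hop in trace.hops:
        if hop.rtts_ms and all(r is None for r in hop.rtts_ms):
            return hop.number
    return None


def last_responding_ip(trace: Trace) -> Optional[str]:
    """Address of the last hop that answered, i.e. where the path is known to be good."""
    answered = [hop.ip for hop in trace.hops if hop.ip is not None]
    return answered[-1] if answered else None


def reached_target(trace: Trace) -> bool:
    return any(hop.ip == trace.target_ip for hop in trace.hops)


if __name__ == "__main__":
    t = parse_traceroute(SAMPLE_TRACEROUTE)
    print(f"target {t.target} reached: {reached_target(t)}")
    print(f"last responding hop: {last_responding_ip(t)}, first silent hop: {first_silent_hop(t)}")
```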
update-ase
Use this command to manually initiate the antispam engine and rules update.
Syntax
execute update-ase
History
FortiOS 4.0  New.
Related topics
execute update-now
update-av
Use this command to manually initiate the virus definitions and engines update. To update both virus and
attack definitions, use the execute update-now command.
Syntax
execute update-av
History
FortiOS v3.0 MR2  New.
Related topics
execute update-now
system autoupdate override
system autoupdate push-update
system autoupdate schedule
update-ips
Use this command to manually initiate the Intrusion Prevention System (IPS) attack definitions and engine
update. To update both virus and attack definitions, use the execute update-now command.
Syntax
execute update-ips
History
FortiOS v3.0 MR2  New.
FortiOS v3.0 MR4  Command name changed from execute update-ids to execute update-ips.
Related topics
execute update-now
system autoupdate override
system autoupdate push-update
system autoupdate schedule
update-now
Use this command to manually initiate both virus and attack definitions and engine updates. To initiate only
virus or attack definition updates, use the execute update-av or execute update-ips command
respectively.
Syntax
execute update-now
History
FortiOS v2.80  Revised.
Related topics
execute update-ase
execute update-ips
system autoupdate override
system autoupdate push-update
system autoupdate schedule
upd-vd-license
Use this command to enter a Virtual Domain (VDOM) license key.
If you have a FortiGate-3016A/B unit or higher, you can purchase a license key from Fortinet to increase
the maximum number of VDOMs to 25, 50, 100 or 500. By default, FortiGate units support a maximum of
10 VDOMs.
This command is available only on FortiGate-3016A/B units and higher.
Note: FortiGate-620B units do not support VDOMs.
Syntax
execute upd-vd-license <license_key>
Variables  Description
<license_key>  The license key is a 32-character string supplied by Fortinet. Fortinet requires your unit serial number to generate the license key.
History
FortiOS v3.0  New.
usb-disk
Use these commands to manage your USB disks.
Syntax
execute usb-disk delete <filename>
execute usb-disk format
execute usb-disk list
execute usb-disk rename <old_name> <new_name>
Variables Description
delete <filename> Delete the named file from the USB disk.
format Format the USB disk.
list List the files on the USB disk.
rename <old_name> <new_name> Rename a file on the USB disk.
History
FortiOS v3.0 New.
Related topics
execute backup
execute restore
vpn certificate ca
Use this command to import a CA certificate from a TFTP or SCEP server to the FortiGate unit, or to export
a CA certificate from the FortiGate unit to a TFTP server.
Before using this command you must obtain a CA certificate issued by a CA.
Digital certificates are used to ensure that both participants in an IPSec communications session are
trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The CA certificate is
the certificate that the FortiGate unit uses to authenticate itself to other devices.
Note: VPN peers must use digital certificates that adhere to the X.509 standard.
Note: Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced
feature provided for the convenience of system administrators. This manual assumes the user has prior
knowledge of how to configure digital certificates for their implementation.
Syntax
execute vpn certificate ca export tftp <certificate-name_str> <file-name_str> <tftp_ip>
execute vpn certificate ca import auto <ca_server_url> <ca_identifier_str>
execute vpn certificate ca import tftp <file-name_str> <tftp_ip>
Keyword/variable Description
import Import the CA certificate from a TFTP server to the FortiGate unit.
export Export or copy the CA certificate from the FortiGate unit to a file on the TFTP server. Type ? for a list of certificates.
<certificate-name_str> Enter the name of the CA certificate.
<file-name_str> Enter the file name on the TFTP server.
<tftp_ip> Enter the TFTP server address.
auto Retrieve a CA certificate from a SCEP server.
tftp Import the CA certificate to the FortiGate unit from a file on a TFTP server (local administrator PC).
<ca_server_url> Enter the URL of the CA certificate server.
<ca_identifier_str> CA identifier on CA certificate server (optional).
Examples
Use the following command to import the CA certificate named trust_ca to the FortiGate unit from a
TFTP server with the address 192.168.21.54.
execute vpn certificate ca import trust_ca 192.168.21.54
History
FortiOS v2.80 MR2 The delete keyword was added. The download keyword was changed to export.
FortiOS v2.80 MR3 Keywords were removed from the execute vpn certificate local keyword and replaced with variables.
FortiOS v3.0 MR1 Removed all keywords but generate.
FortiOS v3.0 MR3 Added keywords import, export.
FortiOS v3.0 MR4 Added keywords auto, tftp and variables <ca_server_url>, <ca_identifier_str> as a result of the addition of the PKI certificate authentication feature.
Related topics
execute vpn certificate local
execute vpn certificate remote
execute vpn certificate crl
execute vpn sslvpn del-tunnel
execute vpn sslvpn del-web
vpn certificate ca
vpn certificate local
vpn certificate crl
vpn certificate remote
vpn certificate crl
Use this command to get a CRL via LDAP, HTTP, or SCEP protocol, depending on the auto-update
configuration.
In order to use the command execute vpn certificate crl, the authentication servers must already be
configured.
Digital certificates are used to ensure that both participants in an IPSec communications session are
trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The CA certificate is
the certificate that the FortiGate unit uses to authenticate itself to other devices.
Note: VPN peers must use digital certificates that adhere to the X.509 standard.
Note: Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced
feature provided for the convenience of system administrators. This manual assumes the user has prior
knowledge of how to configure digital certificates for their implementation.
Syntax
execute vpn certificate crl import auto <crl-name>
Keyword/variable Description
import Import the CRL from the configured LDAP, HTTP, or SCEP authentication server to the FortiGate unit.
<crl-name> Enter the name of the CRL.
auto Trigger an auto-update of the CRL from the configured LDAP, HTTP, or SCEP authentication server.
History
FortiOS v3.0 MR4 New.
Related topics
execute vpn certificate ca
execute vpn certificate local
execute vpn certificate remote
execute vpn sslvpn del-tunnel
execute vpn sslvpn del-web
vpn certificate ca
vpn certificate local
vpn certificate crl
vpn certificate remote
vpn certificate local
Use this command to generate a local certificate, to export a local certificate from the FortiGate unit to a
TFTP server, and to import a local certificate from a TFTP server to the FortiGate unit.
Digital certificates are used to ensure that both participants in an IPSec communications session are
trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The local certificate is
the certificate that the FortiGate unit uses to authenticate itself to other devices.
When you generate a certificate request, you create a private and public key pair for the local FortiGate
unit. The public key accompanies the certificate request. The private key remains confidential.
When you receive the signed certificate from the CA, use the vpn certificate local command to
install it on the FortiGate unit.
Note: VPN peers must use digital certificates that adhere to the X.509 standard.
Note: Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced
feature provided for the convenience of system administrators. This manual assumes the user has prior
knowledge of how to configure digital certificates for their implementation.
Syntax - generate
execute vpn certificate local generate <certificate-name_str> <key-length>
{<host_ip> | <domain-name_str> | <email-addr_str>}
[<optional_information>]
Variable Description
<certificate-name_str> Enter a name for the certificate. The name can contain numbers (0-9),
uppercase and lowercase letters (A-Z, a-z), and the special characters -
and _. Other special characters and spaces are not allowed.
{<host_ip> | <domain-name_str> | <email-addr_str>} Enter the host IP address (host_ip), the domain name
(domain-name_str), or an email address (email-addr_str) to
identify the FortiGate unit being certified. Preferably use an IP address
or domain name. If this is impossible (such as with a dialup client), use
an e-mail address.
For host_ip, enter the IP address of the FortiGate unit.
For domain-name_str, enter the fully qualified domain name of the
FortiGate unit.
For email-addr_str, enter an email address that identifies the
FortiGate unit.
If you specify a host IP or domain name, use the IP address or domain
name associated with the interface on which IKE negotiations will take
place (usually the external interface of the local FortiGate unit). If the IP
address in the certificate does not match the IP address of this interface
(or if the domain name in the certificate does not match a DNS query of
the FortiGate unit's IP), then some implementations of IKE may reject
the connection. Enforcement of this rule varies for different IPSec
products.
<key-length> Enter 1024, 1536 or 2048 for the size in bits of the encryption key.
[<optional_information>] Enter optional_information as required to further identify the
certificate. See Optional information variables on page 676 for the list
of optional information variables. You must enter the optional variables
in the order that they are listed in the table. To enter any optional variable
you must enter all of the variables that come before it in the list. For
example, to enter the organization_name_str, you must first enter
the country_code_str, state_name_str, and city_name_str.
While entering optional variables, you can type ? for help on the next
required variable.
Optional information variables
Variable Description
<country_code_str> Enter the two-character country code. Enter execute vpn
certificate local generate <name_str> country
followed by a ? for a list of country codes. The country code is case
sensitive. Enter null if you do not want to specify a country.
<state_name_str> Enter the name of the state or province where the FortiGate unit is
located.
<city_name_str> Enter the name of the city, or town, where the person or organization
certifying the FortiGate unit resides.
<organization-name_str> Enter the name of the organization that is requesting the certificate for
the FortiGate unit.
<organization-unit_name_str> Enter a name that identifies the department or unit within the
organization that is requesting the certificate for the FortiGate unit.
<email_address_str> Enter a contact e-mail address for the FortiGate unit.
<ca_server_url> Enter the URL of the CA (SCEP) certificate server that allows auto-signing
of the request.
<challenge_password> Enter the challenge password for the SCEP certificate server.
Example - generate
Use the following command to generate a local certificate request with the name branch_cert, the
domain name www.example.com and a key size of 1536.
execute vpn certificate local generate branch_cert 1536 www.example.com
Syntax - import/export
execute vpn certificate local import tftp <file-name_str> <tftp_ip>
execute vpn certificate local export tftp <certificate-name_str> <file-name_str> <tftp_ip>
Keyword/variable Description
import Import the local certificate from a TFTP server to the FortiGate unit.
export Export or copy the local certificate from the FortiGate unit to a file on the
TFTP server. Type ? for a list of certificates.
<certificate-name_str> Enter the name of the local certificate.
<tftp_ip> Enter the TFTP server address.
<file-name_str> Enter the file name on the TFTP server.
list List local certificates.
Examples - import/export
Use the following command to export the local certificate request generated in the above example from the
FortiGate unit to a TFTP server. The example uses the file name testcert for the downloaded file and
the TFTP server address 192.168.21.54.
exec vpn certificate local export branch_cert testcert 192.168.21.54
Use the following command to import the signed local certificate named branch_cert to the FortiGate
unit from a TFTP server with the address 192.168.21.54.
exec vpn certificate local import branch_cert 192.168.21.54
History
FortiOS v2.80 MR2 The delete keyword was added. The download keyword was changed to export.
FortiOS v2.80 MR3 Keywords were removed from the execute vpn certificate local keyword and replaced with variables.
FortiOS v3.0 MR1 Removed all keywords but generate.
FortiOS v3.0 MR3 Added keywords import, export.
FortiOS v3.0 MR4 Added optional variables for certificate-based user authentication.
Related topics
execute vpn certificate ca
execute vpn certificate remote
execute vpn certificate crl
execute vpn sslvpn del-tunnel
execute vpn sslvpn del-web
vpn certificate ca
vpn certificate local
vpn certificate crl
vpn certificate remote
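The generate command above has several rules that are easy to get wrong when the command is assembled by a script rather than typed interactively: the certificate name charset, the three permitted key sizes, the three accepted forms of subject identifier, and the rule that optional variables are positional, so supplying one requires every variable before it (with null standing in for a country you do not want to state). The following Python helper is an added example and not Fortinet code; it encodes exactly those rules from the reference tables and returns the CLI line that would be pasted into the FortiGate console. The variable names are the reference's own; the ordering is taken from the optional information table.

```python
import ipaddress
import re

# Added example, not Fortinet code. Optional subject variables in the order
# the CLI expects them (the reference's table order). To supply one, every
# variable before it must also be supplied.
OPTIONAL_ORDER = (
    "country_code_str",          # "null" skips the country but keeps the position
    "state_name_str",
    "city_name_str",
    "organization-name_str",
    "organization-unit_name_str",
    "email_address_str",
    "ca_server_url",
    "challenge_password",
)
VALID_KEY_LENGTHS = (1024, 1536, 2048)
NAME_RE = re.compile(r"^[0-9A-Za-z_-]+$")            # 0-9, A-Z, a-z, - and _ only
FQDN_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def classify_subject(subject):
    """Return which subject form the identifier takes: host_ip, domain-name_str or email-addr_str."""
    try:
        ipaddress.IPv4Address(subject)
        return "host_ip"
    except ValueError:
        pass
    if "@" in subject:
        return "email-addr_str"
    if FQDN_RE.match(subject):
        return "domain-name_str"
    raise ValueError(f"subject must be an IPv4 address, FQDN or e-mail address: {subject!r}")


def build_generate_command(name, key_length, subject, optional=None):
    """Return the full CLI line, or raise ValueError if an argument breaks a documented rule."""
    if not NAME_RE.match(name):
        raise ValueError("certificate name may only contain 0-9, A-Z, a-z, - and _")
    if key_length not in VALID_KEY_LENGTHS:
        raise ValueError(f"key length must be one of {VALID_KEY_LENGTHS}")
    classify_subject(subject)  # raises on an identifier the CLI would not accept

    optional = dict(optional or {})
    unknown = set(optional) - set(OPTIONAL_ORDER)
    if unknown:
        raise ValueError(f"unknown optional variables: {sorted(unknown)}")

    # Optional variables are positional: emit them in table order and stop at
    # the first one not supplied. Anything supplied after that gap cannot be
    # entered on the CLI, so reject it rather than silently shift it left.
    values = []
    for key in OPTIONAL_ORDER:
        if key not in optional:
            break
        value = str(optional[key])
        if not value or any(c.isspace() for c in value):
            raise ValueError(f"{key} must be a single non-empty token")
        values.append(value)
    skipped = [k for k in OPTIONAL_ORDER[len(values):] if k in optional]
    if skipped:
        first_missing = OPTIONAL_ORDER[len(values)]
        raise ValueError(f"{skipped[0]} given but {first_missing} is missing; "
                         "every earlier optional variable must be supplied")

    return " ".join(["execute vpn certificate local generate", name,
                     str(key_length), subject, *values])


if __name__ == "__main__":
    # Reproduces the reference's own generate example.
    print(build_generate_command("branch_cert", 1536, "www.example.com"))
```

Because values are emitted as single tokens, a state or organization containing spaces is rejected rather than silently split into two positional variables; the CLI help (?) shown in the table is the authority on what each position accepts.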
vpn certificate remote
Use this command to import a remote certificate from a TFTP server, or export a remote certificate from
the FortiGate unit to a TFTP server. The remote certificates are public certificates without a private key.
They are used as OCSP (Online Certificate Status Protocol) server certificates.
Syntax
execute vpn certificate remote import tftp <file-name_str> <tftp_ip>
execute vpn certificate remote export tftp <certificate-name_str> <file-name_str> <tftp_ip>
Keyword/variable Description
import Import the remote certificate from the TFTP server to the FortiGate unit.
export Export or copy the remote certificate from the FortiGate unit to a file on the TFTP server. Type ? for a list of certificates.
<certificate-name_str> Enter the name of the public certificate.
<file-name_str> Enter the file name on the TFTP server.
<tftp_ip> Enter the TFTP server address.
tftp Import/export the remote certificate via a TFTP server.
History
FortiOS v3.0 MR4 New.
Related topics
execute vpn certificate ca
execute vpn certificate local
execute vpn certificate crl
execute vpn sslvpn del-tunnel
execute vpn sslvpn del-web
vpn certificate ca
vpn certificate local
vpn certificate crl
vpn certificate remote
vpn sslvpn del-tunnel
Use this command to delete an SSL tunnel connection.
Syntax
execute vpn sslvpn del-tunnel <tunnel_index>
<tunnel_index> identifies which tunnel to delete if there is more than one active tunnel.
History
FortiOS v3.0 New.
FortiOS v3.0 MR1 Added <tunnel_index>.
Related topics
vpn ssl settings
vpn sslvpn del-web
Use this command to delete an active SSL VPN web connection.
Syntax
execute vpn sslvpn del-web <web_index>
<web_index> identifies which web connection to delete if there is more than one active connection.
History
FortiOS v3.0 MR5 New.
Related topics
vpn ssl settings
get
The get commands retrieve information about the operation and performance of your FortiGate unit.
This chapter contains the following sections:
firewall service predefined
gui console status
gui topology status
hardware status
ips decoder status
ips rule status
ipsec tunnel list
router info bfd neighbor
router info bgp
router info multicast
router info ospf
router info protocols
router info rip
router info routing-table
router info6 interface
router info6 routing-table
system admin list
system admin status
system arp
system central-management
system checksum
system cmdb status
system dashboard
system fdp-fortianalyzer
system fortianalyzer-connectivity
system fortiguard-log-service status
system fortiguard-service status
system ha status
system info admin ssh
system info admin status
system interface physical
system performance status
system session list
system session status
system status
system wireless detected-ap
firewall service predefined
Use this command to retrieve information about predefined services. If you do not specify a
<service_name>, a long list will be displayed linking services to protocols.
The following information is available:
destination port
source port
ICMP code
ICMP type
protocol
protocol-number
Syntax
get firewall service predefined <service_name>
Example output
Fortigate-200A # get firewall service predefined FTP
name : FTP
icmpcode :
icmptype :
protocol : TCP/UDP
protocol-number : 6
tcpport-range : 21-21:0-65535
udpport-range :
Fortigate-200A # get firewall service predefined SIP
name : SIP
icmpcode :
icmptype :
protocol : TCP/UDP
protocol-number : 17
tcpport-range :
udpport-range : 5060-5060:0-65535
Fortigate-200A # get firewall service predefined AOL
name : AOL
icmpcode :
icmptype :
protocol : TCP/UDP
protocol-number : 6
tcpport-range : 5190-5194:0-65535
udpport-range :
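The port-range fields above pack two ranges into one token: the destination port range before the colon and the source port range after it (the FTP entry reads 21-21:0-65535, i.e. destination 21 from any source port), and protocol-number is the IP protocol (6 for TCP, 17 for UDP). The following Python script is an added example, not Fortinet code; it parses the command output into typed records and answers whether a given TCP or UDP packet falls inside a service, which is what you need when auditing a policy set offline. The sample output is the reference's FTP and SIP records copied verbatim.

```python
# Added example, not Fortinet code. Parses "get firewall service predefined"
# output and evaluates packets against the parsed port ranges.
SAMPLE_OUTPUT = """\
Fortigate-200A # get firewall service predefined FTP
name : FTP
icmpcode :
icmptype :
protocol : TCP/UDP
protocol-number : 6
tcpport-range : 21-21:0-65535
udpport-range :
Fortigate-200A # get firewall service predefined SIP
name : SIP
icmpcode :
icmptype :
protocol : TCP/UDP
protocol-number : 17
tcpport-range :
udpport-range : 5060-5060:0-65535
"""

IPPROTO_TCP, IPPROTO_UDP = 6, 17


def parse_port_range(text):
    """'21-21:0-65535' -> ((21, 21), (0, 65535)); an empty field -> None.

    The part before the colon is the destination port range and the part
    after it the source port range.
    """
    text = text.strip()
    if not text:
        return None

    def span(s):
        lo, hi = (int(p) for p in s.split("-", 1))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port span {s!r}")
        return (lo, hi)

    dst, src = text.split(":", 1)
    return (span(dst), span(src))


def parse_predefined_services(output):
    """Return {name: record}; records hold ints and port tuples rather than raw strings."""
    services, current = {}, None
    for line in output.splitlines():
        if " # " in line:          # the CLI prompt echoing the command starts a new record
            current = None
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "name":
            current = services[value] = {"name": value}
        elif current is None:
            continue
        elif key in ("tcpport-range", "udpport-range"):
            current[key] = parse_port_range(value)
        elif key in ("protocol-number", "icmpcode", "icmptype"):
            current[key] = int(value) if value else None
        else:
            current[key] = value or None
    return services


def matches(service, ip_proto, dst_port, src_port):
    """True if a TCP/UDP packet with these ports falls inside the service's ranges."""
    key = {IPPROTO_TCP: "tcpport-range", IPPROTO_UDP: "udpport-range"}.get(ip_proto)
    ranges = service.get(key) if key else None
    if ranges is None:
        return False
    (dlo, dhi), (slo, shi) = ranges
    return dlo <= dst_port <= dhi and slo <= src_port <= shi


if __name__ == "__main__":
    svcs = parse_predefined_services(SAMPLE_OUTPUT)
    for name, rec in svcs.items():
        print(name, rec["protocol-number"], rec["tcpport-range"], rec["udpport-range"])
    print("TCP/21 matches FTP:", matches(svcs["FTP"], IPPROTO_TCP, 21, 40000))
```

Note that the protocol field reads TCP/UDP for every service shown, so the parser relies on which port-range field is populated, not on that label, to decide which transport a service covers.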
gui console status
Display information about the CLI console.
Syntax
get gui console status
Example
The output looks like this:
Preferences:
User: admin
Colour scheme (RGB): text=FFFFFF, background=000000
Font: style=monospace, size=10pt
History buffer=50 lines, external input=disabled
History
FortiOS v3.0 MR5 New.
Related topics
get gui topology status
gui topology status
Display information about the topology viewer database.
Syntax
get gui topology status
Example
The output looks like this:
Preferences:
Canvas dimensions (pixels): width=780, height=800
Colour scheme (RGB): canvas=12ff08, lines=bf0f00, exterior=ddeeee
Background image: type=none, placement: x=0, y=0
Line style: thickness=2
Custom background image file: none
Topology element database:
__FortiGate__: x=260, y=340
Office: x=22, y=105
ISPnet: x=222, y=129
__Text__: x=77, y=112: "Ottawa"
__Text__: x=276, y=139: "Internet"
History
FortiOS v3.0 MR5 New.
Related topics
get gui console status
hardware status
Report information about the FortiGate unit hardware.
Syntax
get hardware status
Example
The output looks like this:
FG600B3908600705 # get hardware status
Model name: Fortigate-620B
ASIC version: CP6
ASIC SRAM: 64M
CPU: Intel(R) Core(TM)2 Duo CPU E4300 @ 1.80GHz
RAM: 2020 MB
Compact Flash: 493 MB /dev/sda
Hard disk: 76618 MB /dev/sdb
USB Flash: not available
Network Card chipset: Broadcom 570x Tigon3 Ethernet Adapter (rev.0x5784100)
History
FortiOS v3.0 MR2 New.
Related topics
get system status
ips decoder status
Displays all the port settings of all the IPS decoders.
Syntax
get ips decoder status
The command output looks like this (partial output):
# get ips decoder status
decoder-name: "back_orifice"
decoder-name: "dns_decoder"
port_list: 53
decoder-name: "ftp_decoder"
port_list: 21
decoder-name: "http_decoder"
decoder-name: "im_decoder"
decoder-name: "imap_decoder"
port_list: 143
Ports are shown only for decoders with configurable port settings.
History
FortiOS v3.0 MR6 New command.
Related topics
ips decoder
get ips rule status
ips rule status
Displays current configuration information about IPS rules.
Syntax
get ips rule status
The output looks like this (partial output):
# get ips rule status
rule-name: "IP.Land"
rule-id: 12588
rev: 2.464
action: pass
status: disable
log: enable
log-packet: disable
severity: 3.high
service: All
location: server, client
os: All
application: All
rule-name: "IP.Loose.Src.Record.Route.Option"
rule-id: 12805
rev: 2.464
action: pass
status: disable
log: enable
log-packet: disable
severity: 2.medium
service: All
location: server, client
os: All
application: All
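The output above is a flat key: value stream with one rule-name line starting each record, and the severity field carries a numeric level and a label together (3.high, 2.medium). The following Python script is an added example, not Fortinet code; it splits the stream into one record per rule and then answers two questions a reviewer of an IPS deployment usually has: which rules of a given severity or above are disabled, and which enabled rules act without logging or packet capture, so that a block would leave no record. The first two records are the reference's own; the third (Constructed.Example.Rule, rule-id 99999) is constructed so that the enabled path is exercised.

```python
# Added example, not Fortinet code. Parses "get ips rule status" output and
# runs two review checks over the parsed rules.
SAMPLE_OUTPUT = """\
# get ips rule status
rule-name: "IP.Land"
rule-id: 12588
rev: 2.464
action: pass
status: disable
log: enable
log-packet: disable
severity: 3.high
service: All
location: server, client
os: All
application: All
rule-name: "IP.Loose.Src.Record.Route.Option"
rule-id: 12805
rev: 2.464
action: pass
status: disable
log: enable
log-packet: disable
severity: 2.medium
service: All
location: server, client
os: All
application: All
rule-name: "Constructed.Example.Rule"
rule-id: 99999
rev: 0.001
action: drop
status: enable
log: disable
log-packet: disable
severity: 4.critical
service: All
location: server
os: All
application: All
"""


def parse_ips_rules(output):
    """Split the output at each rule-name line and type the fields the checks use."""
    rules, current = [], None
    for line in output.splitlines():
        if line.startswith("#") or not line.strip():   # prompt/command echo or blank
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "rule-name":
            current = {"rule-name": value.strip('"')}
            rules.append(current)
            continue
        if current is None:
            continue
        if key == "rule-id":
            current[key] = int(value)
        elif key == "severity":
            level, _, label = value.partition(".")      # "3.high" -> 3, "high"
            current["severity_level"] = int(level)
            current["severity"] = label
        elif key == "location":
            current[key] = [p.strip() for p in value.split(",")]
        else:
            current[key] = value
    return rules


def disabled_rules_at_or_above(rules, min_level):
    """Names of rules with status 'disable' whose severity level is >= min_level."""
    return [r["rule-name"] for r in rules
            if r["status"] == "disable" and r["severity_level"] >= min_level]


def silent_rules(rules):
    """Enabled rules that neither log nor capture packets: they act with no record."""
    return [r["rule-name"] for r in rules
            if r["status"] == "enable"
            and r["log"] == "disable" and r["log-packet"] == "disable"]


if __name__ == "__main__":
    rules = parse_ips_rules(SAMPLE_OUTPUT)
    print("disabled, high or above:", disabled_rules_at_or_above(rules, 3))
    print("enabled but silent:", silent_rules(rules))
```

Run against the full (not partial) output of the command, the two lists give a quick baseline to diff between firmware or signature updates, which is when rule defaults tend to change.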
History
FortiOS v3.0 MR6 New command.
Related topics
ips decoder
get ips decoder status
ips rule
ipsec tunnel list
List the current IPSec VPN tunnels and their status.
Syntax
get ipsec tunnel list
Example
The output looks like this:
NAME REMOTE-GW PROXY-ID-SOURCE PROXY-ID-DESTINATION STATUS TIMEOUT
VPN1 172.20.120.5:500 0.0.0.0/255.255.255.255 172.20.120.5/172.20.120.5 up 1786
NAME The name of the configured tunnel.
REMOTE-GW The public IP address and UDP port of the remote host device, or if a NAT device exists in front of the remote host, the public IP address and UDP port of the NAT device.
PROXY-ID-SOURCE The IP address range of the hosts, servers, or private networks behind the FortiGate unit that are available through the VPN tunnel.
PROXY-ID-DESTINATION This field displays IP addresses as a range.
When a FortiClient dialup client establishes a tunnel:
If VIP addresses are not used, the Proxy ID Destination field displays the public IP address of the remote host Network Interface Card (NIC).
If VIP addresses were configured (manually or through FortiGate DHCP relay), the Proxy ID Destination field displays either the VIP address belonging to the FortiClient dialup client, or the subnet address from which VIP addresses were assigned.
When a FortiGate dialup client establishes a tunnel, the Proxy ID Destination field displays the IP address of the remote private network.
STATUS Tunnel status: up or down.
TIMEOUT The number of seconds before the next phase 2 key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife duration setting. When the phase 2 key expires, a new key is generated without interrupting service.
History
FortiOS v3.0 MR2 New.
Related topics
vpn ipsec phase1
vpn ipsec phase1-interface
vpn ipsec manualkey
vpn ipsec manualkey-interface
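The table output above is what a monitoring job would poll to notice a tunnel that has dropped or a phase 2 rekey that is about to happen. The following Python script is an added example, not Fortinet code; it parses the rows into records, splits REMOTE-GW into address and UDP port, and returns the alerts a monitor should raise. The VPN1 row is the reference's; the VPN2 row (198.51.100.7, a documentation address) is constructed to exercise the down case. Treating UDP 4500 as a sign that the listed gateway is a NAT device rather than the peer itself is an assumption drawn from the REMOTE-GW description and the NAT-traversal port convention, not from the output format.

```python
# Added example, not Fortinet code. Parses "get ipsec tunnel list" output and
# raises alerts for tunnels that are down or about to rekey.
SAMPLE_OUTPUT = """\
NAME REMOTE-GW PROXY-ID-SOURCE PROXY-ID-DESTINATION STATUS TIMEOUT
VPN1 172.20.120.5:500 0.0.0.0/255.255.255.255 172.20.120.5/172.20.120.5 up 1786
VPN2 198.51.100.7:4500 10.1.0.0/255.255.0.0 10.2.0.0/255.255.0.0 down 0
"""

COLUMNS = ("NAME", "REMOTE-GW", "PROXY-ID-SOURCE",
           "PROXY-ID-DESTINATION", "STATUS", "TIMEOUT")
NAT_T_PORT = 4500   # UDP port used for IKE/ESP NAT traversal (assumption, see lead-in)


def parse_tunnel_list(output):
    """Return one dict per tunnel row, with the gateway split into IP and UDP port."""
    lines = [l for l in output.splitlines() if l.strip()]
    if tuple(lines[0].split()) != COLUMNS:
        raise ValueError("unexpected header: " + lines[0])
    tunnels = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(COLUMNS):
            raise ValueError("unexpected row: " + line)
        row = dict(zip(COLUMNS, fields))
        ip, _, port = row["REMOTE-GW"].rpartition(":")
        tunnels.append({
            "name": row["NAME"],
            "remote_ip": ip,
            "remote_port": int(port),
            "nat_traversal": int(port) == NAT_T_PORT,
            "proxy_id_source": row["PROXY-ID-SOURCE"],
            "proxy_id_destination": row["PROXY-ID-DESTINATION"],
            "status": row["STATUS"],
            "timeout": int(row["TIMEOUT"]),   # seconds to the next phase 2 exchange
        })
    return tunnels


def tunnel_alerts(tunnels, rekey_warn_seconds=60):
    """List (name, reason) pairs a monitor should raise.

    A tunnel that is not up is always reported. For a tunnel that is up,
    TIMEOUT is keylife minus the seconds since the last phase 2 exchange, so a
    value under the threshold means a rekey is imminent; report it so that a
    rekey that then fails can be correlated with the moment it was due.
    """
    alerts = []
    for t in tunnels:
        if t["status"] != "up":
            alerts.append((t["name"], "tunnel down"))
        elif t["timeout"] < rekey_warn_seconds:
            alerts.append((t["name"], f"phase 2 rekey in {t['timeout']} s"))
    return alerts


if __name__ == "__main__":
    tunnels = parse_tunnel_list(SAMPLE_OUTPUT)
    for name, reason in tunnel_alerts(tunnels):
        print(f"{name}: {reason}")
```

The PROXY-ID fields are kept as the strings the CLI printed: the reference says the destination column shows addresses as a range, and the example row (172.20.120.5/172.20.120.5) is not a network/netmask pair, so converting it with a CIDR library would be wrong.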
router info bfd neighbor
Use this command to list state information about the neighbors in the bi-directional forwarding table.
Syntax
get router info bfd neighbour
History
FortiOS v3.0 MR4 New.
router info bgp
Use this command to display information about the BGP configuration.
Syntax
get router info bgp <keyword>
<keyword> Description
cidr-only Show all BGP routes having non-natural network masks.
community Show all BGP routes having their COMMUNITY attribute set.
community-info Show general information about the configured BGP communities, including the routes in each community and their associated network addresses.
community-list Show all routes belonging to configured BGP community lists.
dampening {dampened-paths | flap-statistics | parameters} Display information about dampening:
Type dampened-paths to show all paths that have been suppressed due to flapping.
Type flap-statistics to show flap statistics related to BGP routes.
Type parameters to show the current dampening settings.
filter-list Show all routes matching configured AS-path lists.
inconsistent-as Show all routes associated with inconsistent autonomous systems of origin.
memory Show the BGP memory table.
neighbors [<address_ipv4> | <address_ipv4> advertised-routes | <address_ipv4> received prefix-filter | <address_ipv4> received-routes | <address_ipv4> routes] Show information about connections to TCP and BGP neighbors.
network [<address_ipv4mask>] Show general information about the configured BGP networks, including their network addresses and associated prefixes.
network-longer-prefixes <address_ipv4mask> Show general information about the BGP route that you specify (for example, 12.0.0.0/14) and any specific routes associated with the prefix.
paths Show general information about BGP AS paths, including their associated network addresses.
prefix-list <name> Show all routes matching configured prefix list <name>.
quote-regexp <regexp_str> Enter the regular expression to compare to the AS_PATH attribute of BGP routes (for example, ^730$) and enable the use of output modifiers (for example, include, exclude, and begin) to search the results.
regexp <regexp_str> Enter the regular expression to compare to the AS_PATH attribute of BGP routes (for example, ^730$).
route-map Show all routes matching configured route maps.
scan Show information about next-hop route scanning, including the scan interval setting.
summary Show information about BGP neighbor status.
Example
For the command get router info bgp memory, the output looks like:
Memory type Alloc count Alloc bytes
=================================== ============= ===============
BGP structure : 2 1408
BGP VR structure : 2 104
BGP global structure : 1 56
BGP peer : 2 3440
BGP as list master : 1 24
Community list handler : 1 32
BGP Damp Reuse List Array : 2 4096
BGP table : 62 248
-------------------------------------------------------------------
Temporary memory : 4223 96095
Hash : 7 140
Hash index : 7 28672
Hash bucket : 11 132
Thread master : 1 564
Thread : 4 144
Link list : 32 636
Link list node : 24 288
Show : 1 396
Show page : 1 4108
Show server : 1 36
Prefix IPv4 : 10 80
Route table : 4 32
Route node : 63 2772
Vector : 2180 26160
Vector index : 2180 18284
Host config : 1 2
Message of The Day : 1 100
IMI Client : 1 708
VTY master : 1 20
VTY if : 11 2640
VTY connected : 5 140
Message handler : 2 120
NSM Client Handler : 1 12428
NSM Client : 1 1268
Host : 1 64
Log information : 2 72
Context : 1 232
-------------------------------------------------------------------
bgp proto specifc allocations : 9408 B
bgp generic allocations : 196333 B
bgp total allocations : 205741 B
History
FortiOS v3.0 New.
FortiOS v3.0 MR2 Command moved from router to get chapter.
Related topics
router aspath-list
router bgp
router community-list
router info multicast
Use this command to display information about a Protocol Independent Multicasting (PIM) configuration.
Multicast routing is supported in the root virtual domain only.
Syntax
get router info multicast <keywords>
<keywords> Description
igmp Show Internet Group Management Protocol (IGMP) membership information according to one of these qualifiers:
Type groups [{<interface-name> | <group-address>}] to show IGMP information for the multicast group(s) associated with the specified interface or multicast group address.
Type groups-detail [{<interface-name> | <group-address>}] to show detailed IGMP information for the multicast group(s) associated with the specified interface or multicast group address.
Type interface [<interface-name>] to show IGMP information for all multicast groups associated with the specified interface.
pim dense-mode Show information related to dense mode operation according to one of these qualifiers:
Type interface to show information about PIM-enabled interfaces.
Type interface-detail to show detailed information about PIM-enabled interfaces.
Type neighbor to show the current status of PIM neighbors.
Type neighbor-detail to show detailed information about PIM neighbors.
Type next-hop to show information about next-hop PIM routers.
Type table [<group-address>] [<source-address>] to show the multicast routing table entries associated with the specified multicast group address and/or multicast source address.
pim sparse-mode Show information related to sparse mode operation according to one of these qualifiers:
Type bsr-info to show Boot Strap Router (BSR) information.
Type interface to show information about PIM-enabled interfaces.
Type interface-detail to show detailed information about PIM-enabled interfaces.
Type neighbor to show the current status of PIM neighbors.
Type neighbor-detail to show detailed information about PIM neighbors.
Type next-hop to show information about next-hop PIM routers.
Type rp-mapping to show Rendezvous Point (RP) information.
Type table [<group-address>] [<source-address>] to show the multicast routing table entries associated with the specified multicast group address and/or multicast source address.
table [<group-address>] [<source-address>] Show the multicast routing table entries associated with the specified multicast group address and/or multicast source address.
table-count [<group-address>] [<source-address>] Show statistics related to the specified multicast group address and/or multicast source address.
Examples
This example displays all of the PIM entries in the multicast routing table:
get router info multicast table
This example displays IGMP information for the multicast group associated with multicast group address
239.254.2.0:
get router info multicast igmp groups 239.254.2.0
History
FortiOS v3.0 New.
FortiOS v3.0 MR2 Moved from router to get chapter.
Related topics
router multicast
execute modem trigger
router info ospf
Use this command to display information about the FortiGate OSPF configuration and/or the Link-State
Advertisements (LSAs) that the FortiGate unit obtains and generates. An LSA identifies the interfaces of all
OSPF-enabled routers in an area, and provides information that enables OSPF-enabled routers to select
the shortest path to a destination.
Syntax
get router info ospf <keyword>
<keyword> Description
border-routers Show OSPF routing table entries that have an Area Border Router (ABR) or Autonomous System Boundary Router (ASBR) as a destination.
database <qualifier> Show information from the OSPF routing database according to one of these qualifiers.
<target> can be one of the following values:
Type adv_router <address_ipv4> to limit the information to LSAs originating from the router at the specified IP address.
Type self-originate <address_ipv4> to limit the information to LSAs originating from the FortiGate unit.
adv-router <address_ipv4> Type adv-router <address_ipv4> to show ospf Advertising Router link states for the router at the given IP address.
asbr-summary <target> Type asbr-summary to show information about ASBR summary LSAs.
brief Type brief to show the number and type of LSAs associated with each OSPF area.
external <target> Type external to show information about external LSAs.
max-age Type max-age to show all LSAs in the MaxAge list.
network <target> Type network to show information about network LSAs.
nssa-external <target> Type nssa-external to show information about not-so-stubby external LSAs.
opaque-area <address_ipv4> Type opaque-area <address_ipv4> to show information about opaque Type 10 (area-local) LSAs (see RFC 2370).
opaque-as <address_ipv4> Type opaque-as <address_ipv4> to show information about opaque Type 11 LSAs (see RFC 2370), which are flooded throughout the AS.
opaque-link <address_ipv4> Type opaque-link <address_ipv4> to show information about opaque Type 9 (link-local) LSAs (see RFC 2370).
router <target> Type router to show information about router LSAs.
self-originate Type self-originate to show self-originated LSAs.
summary <target> Type summary to show information about summary LSAs.
interface [<interface_name>] Show the status of one or all FortiGate interfaces and whether OSPF is enabled on those interfaces.
router info ospf get
FortiGate Version 4.0 CLI Reference
696 01-400-93051-20090415
http://docs.fortinet.com/ Feedback
Examples
The following example shows how to display information from LSAs originating from a neighboring router
at IP address 10.2.4.1:
get r out er i nf o ospf dat abase r out er adv_r out er 10. 2. 4. 1
The following example shows how to display the number and type of LSAs associated with each OSPF
area to which the FortiGate unit is linked:
get r out er i nf o ospf dat abase br i ef
The following command shows the status of all FortiGate interfaces and whether OSPF is enabled on
those interfaces.
get r out er i nf o ospf i nt er f ace
History
Related topics
execute router restart
get router info protocols
get router info routing-table
system interface
router ospf
nei ghbor [ al l |
<nei ghbor _i d> | det ai l |
det ai l al l | i nt er f ace
<addr ess_i pv4>]
Show general information about OSPF neighbors, excluding down-status
neighbors:
Type al l to show information about all neighbors, including down-status
neighbors.
Type <nei ghbor _i d>to show detailed information about the specified
neighbor only.
Type det ai l to show detailed information about all neighbors, excluding
down-status neighbors.
Type det ai l al l to show detailed information about all neighbors,
including down-status neighbors.
Type i nt er f ace <addr ess_i pv4>to show neighbor information based
on the FortiGate interface IP address that was used to establish the
neighbors relationship.
r out e Show the OSPF routing table.
st at us Show general information about the OSPF routing processes.
vi r t ual - l i nks Show information about OSPF virtual links.
<keyword> Description
FortiOS v2.80 MR1 New.
FortiOS v2.80 MR2 Renamed from execut e r out er show ospf .
FortiOS v2.80 MR7 Added st at us keyword.
FortiOS v3.0 Added variants of the dat abase and nei ghbor keywords.
FortiOS v3.0 MR1 No change.
FortiOS v3.0 MR2 Moved from router to get chapter.
router info protocols
Use this command to show the current states of active routing protocols. Inactive protocols are not displayed.
Syntax
get router info protocols
The output looks like this:
Routing Protocol is "rip"
Sending updates every 30 seconds with +/- 50%
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing:
Default version control: send version 2, receive version 2
Interface Send Recv Key-chain
Routing for Networks:
Routing Information Sources:
Gateway Distance Last Update Bad Packets Bad Routes
Distance: (default is 120)
Routing Protocol is "ospf 0"
Invalid after 0 seconds, hold down 0, flushed after 0
Outgoing update filter list for all interfaces is
Incoming update filter list for all interfaces is
Redistributing:
Routing for Networks:
Routing Information Sources: Gateway Distance Last Update
Distance: (default is 110) Address Mask Distance List
Routing Protocol is "bgp 5"
IGP synchronization is disabled
Automatic route summarization is disabled
Default local-preference applied to incoming route is 100
Redistributing:
Neighbor(s):
Address AddressFamily FiltIn FiltOut DistIn DistOut RouteMapIn RouteMapOut Weight
192.168.20.10 unicast
History
FortiOS v2.80 New.
FortiOS v2.80 MR2 Renamed from execute router show protocols.
FortiOS v3.0 MR2 Moved from router to get chapter.
Related topics
execute router restart
get router info rip, get router info routing-table
router rip, router ospf
router info rip
Use this command to display information about the RIP configuration.
Syntax
get router info rip <keyword>
<keyword>    Description
database    Show the entries in the RIP routing database.
interface [<interface_name>]    Show the status of the specified FortiGate unit interface <interface_name> and whether RIP is enabled. If interface is used alone it lists all the FortiGate unit interfaces and whether RIP is enabled on each.
Example
The following command displays the RIP configuration information for the port1 interface:
get router info rip interface port1
History
FortiOS v2.80 New.
FortiOS v2.80 MR2 Renamed from execute router show rip.
FortiOS v3.0 Added optional interface_name component to interface attribute.
FortiOS v3.0 MR1 No change.
FortiOS v3.0 MR2 Moved from router to get chapter.
Related topics
get router info protocols
get router info routing-table
router rip
system interface
router info routing-table
Use this command to display the routes in the routing table.
Syntax
get router info routing-table <keyword>
<keyword>    Description
all    Show all entries in the routing table.
bgp    Show the BGP routes in the routing table.
connected    Show the connected routes in the routing table.
database    Show the routing information database.
details [<address_ipv4mask>]    Show detailed information about a route in the routing table, including the next-hop routers, metrics, outgoing interfaces, and protocol-specific information.
ospf    Show the OSPF routes in the routing table.
rip    Show the RIP routes in the routing table.
static    Show the static routes in the routing table.
Example
The following command displays the entire routing table:
get router info routing-table all
History
FortiOS v2.80 New.
FortiOS v2.80 MR2 Renamed from execute router show routing_table.
FortiOS v3.0 Added <keyword> variable to command syntax and replaced underscore character in command with hyphen.
FortiOS v3.0 MR1 Added database keyword.
FortiOS v3.0 MR2 Moved from router to get chapter.
Related topics
execute router restart
get router info ospf
get router info protocols
get router info rip
router policy
router rip
router static
router static6
system interface
router info6 interface
Use this command to display information about IPv6 interfaces.
Syntax
get router info6 interface <interface_name>
The command returns the status of the interface and the assigned IPv6 addresses. For example:
dmz2 [administratively down/down]
2001:db8:85a3:8d3:1319:8a2e:370:7348
fe80::209:fff:fe04:4cfd
History
FortiOS v4.0 New.
router info6 routing-table
Use this command to display the routes in the IPv6 routing table.
Syntax
get router info6 routing-table <item>
where <item> is one of the following:
Keywords and variables    Description
<ipv6_ip>    Destination IPv6 address or prefix.
bgp    Show BGP routing table entries.
connected    Show connected routing table entries.
database    Show the routing information base.
ospf    Show OSPF routing table entries.
rip    Show RIP routing table entries.
static    Show static routing table entries.
History
FortiOS v4.0 New.
system admin list
View a list of all the current administration sessions.
Syntax
get system admin list
Example
The output looks like this:
# get system admin list
username local device remote started
admin sshv2 port1:172.20.120.148:22 172.20.120.16:4167 2006-08-09 12:24:20
admin https port1:172.20.120.148:443 172.20.120.161:56365 2006-08-09 12:24:20
admin https port1:172.20.120.148:443 172.20.120.16:4214 2006-08-09 12:25:29
username    Name of the admin account for this session.
local    The protocol this session used to connect to the FortiGate unit.
device    The interface, IP address, and port used by this session to connect to the FortiGate unit.
remote    The IP address and port used by the originating computer to connect to the FortiGate unit.
started    The time the current session started.
History
FortiOS v3.0 MR3 New command.
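The session table above is the kind of output an operator would collect periodically and compare against an expected management baseline. The following is an added example, not code from the FortiGate CLI Reference: it parses the `get system admin list` columns (username, local, device, remote, started) and flags sessions whose remote address is outside an assumed management network or whose protocol is an assumed cleartext one. The three session rows are the reference's own sample output; the allowed network 172.20.120.0/24 and the cleartext protocol set are assumptions for the illustration.

```python
"""Parse `get system admin list` output and flag admin sessions that fall
outside an expected management baseline.

Added example, not code from the FortiGate CLI Reference. The session rows
are the reference's own sample output; the allowed management network and
the set of cleartext protocols are assumptions made for this illustration.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Sample output as printed in the reference: a header row and three sessions.
SAMPLE_OUTPUT = """\
username local device remote started
admin sshv2 port1:172.20.120.148:22 172.20.120.16:4167 2006-08-09 12:24:20
admin https port1:172.20.120.148:443 172.20.120.161:56365 2006-08-09 12:24:20
admin https port1:172.20.120.148:443 172.20.120.16:4214 2006-08-09 12:25:29
"""

# Assumption: administrative clients are only expected from this network.
ALLOWED_MGMT_NETWORKS = (ipaddress.ip_network("172.20.120.0/24"),)
# Assumption: protocols without transport encryption that policy disallows.
CLEARTEXT_PROTOCOLS = frozenset({"telnet", "http"})

# One session row: user, protocol, iface:ip:port, ip:port, date time.
_ROW_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<iface>[^:\s]+):(?P<local_ip>[^:\s]+):(?P<local_port>\d+)\s+"
    r"(?P<remote_ip>[^:\s]+):(?P<remote_port>\d+)\s+"
    r"(?P<started>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$"
)


@dataclass(frozen=True)
class AdminSession:
    user: str
    proto: str
    iface: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    started: str


def parse_admin_list(text: str) -> list[AdminSession]:
    """Return one AdminSession per data row; the header row is skipped."""
    sessions: list[AdminSession] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("username"):
            continue
        m = _ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised admin list row: {line!r}")
        f = m.groupdict()
        sessions.append(AdminSession(
            user=f["user"], proto=f["proto"], iface=f["iface"],
            local_ip=f["local_ip"], local_port=int(f["local_port"]),
            remote_ip=f["remote_ip"], remote_port=int(f["remote_port"]),
            started=f["started"],
        ))
    return sessions


def find_deviations(sessions, allowed=ALLOWED_MGMT_NETWORKS,
                    cleartext=CLEARTEXT_PROTOCOLS) -> list[str]:
    """One finding per session attribute that violates the baseline."""
    findings = []
    for s in sessions:
        src = ipaddress.ip_address(s.remote_ip)
        if not any(src in net for net in allowed):
            findings.append(
                f"{s.user} via {s.proto} from {s.remote_ip}:{s.remote_port} "
                f"is outside the management networks (started {s.started})")
        if s.proto.lower() in cleartext:
            findings.append(
                f"{s.user} is using cleartext {s.proto} from {s.remote_ip}")
    return findings


if __name__ == "__main__":
    for line in find_deviations(parse_admin_list(SAMPLE_OUTPUT)) or ["no deviations"]:
        print(line)
```

The parser deliberately raises on any row it does not recognise rather than skipping it, so a change in output format is noticed instead of silently producing an empty finding list.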
system admin status
View the status of the currently logged in admin and their session.
Syntax
get system admin status
Example
The output looks like this:
# get system admin status
username: admin
login local: sshv2
login device: port1:172.20.120.148:22
login remote: 172.20.120.16:4167
login vdom: root
login started: 2006-08-09 12:24:20
current time: 2006-08-09 12:32:12
username    Name of the admin account currently logged in.
login local    The protocol used to start the current session.
login device    The login information from the FortiGate unit, including interface, IP address, and port number.
login remote    The computer the user is logging in from, including the IP address and port number.
login vdom    The virtual domain the admin is currently logged into.
login started    The time the current session started.
current time    The current time of day on the FortiGate unit.
History
FortiOS v3.0 MR3 New command.
system arp
View the ARP table entries on the FortiGate unit.
This command is not available in multiple VDOM mode.
Syntax
get system arp
Example
The output looks like this:
# get system arp
Address Age(min) Hardware Addr Interface
172.20.120.16 0 00:0d:87:5c:ab:65 internal
172.20.120.138 0 00:08:9b:09:bb:01 internal
Address    The IP address that is linked to the MAC address.
Age    Current duration of the ARP entry in minutes.
Hardware Addr    The hardware, or MAC, address linked with this IP address.
Interface    The physical interface the address is on.
History
FortiOS v3.0 New.
FortiOS v3.0 MR1 No change.
FortiOS v3.0 MR2 Moved from system to get chapter.
FortiOS v3.0 MR4 Output format changed.
Related topics
system arp-table
system proxy-arp
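A single ARP listing is most useful when it is compared with an earlier one: an IP address whose hardware address changes between snapshots is either a host replacement or an address conflict worth investigating. The following is an added example, not code from the FortiGate CLI Reference: it parses the `get system arp` columns into (interface, address) keyed entries, reports bindings that changed, appeared or disappeared between two snapshots, and checks a small set of pinned hosts against their expected MAC. The first snapshot is the reference's own sample output; the second snapshot and the pinned mapping are constructed for the illustration.

```python
"""Parse `get system arp` output and compare two snapshots of the table.

Added example, not code from the FortiGate CLI Reference. The first snapshot
is the reference's own sample output; the second snapshot and the pinned
host mapping are constructed here to show what a changed binding looks like.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample output as printed in the reference.
BASELINE_OUTPUT = """\
Address Age(min) Hardware Addr Interface
172.20.120.16 0 00:0d:87:5c:ab:65 internal
172.20.120.138 0 00:08:9b:09:bb:01 internal
"""

# Constructed later snapshot: 172.20.120.16 now resolves to a different MAC,
# 172.20.120.138 is gone, and a new host has appeared.
LATER_OUTPUT = """\
Address Age(min) Hardware Addr Interface
172.20.120.16 3 00:11:22:33:44:55 internal
172.20.120.200 1 00:08:9b:09:bb:02 internal
"""

# Assumption: hosts whose MAC is expected never to change (e.g. a gateway).
PINNED = {("internal", "172.20.120.16"): "00:0d:87:5c:ab:65"}

# One table row: dotted-quad address, age in minutes, MAC, interface name.
_ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<iface>\S+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    age_min: int
    mac: str
    iface: str


def parse_arp(text: str) -> dict[tuple[str, str], ArpEntry]:
    """Map (interface, ip) to its ArpEntry; the header row is skipped."""
    table: dict[tuple[str, str], ArpEntry] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("address"):
            continue
        m = _ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ARP row: {line!r}")
        entry = ArpEntry(m["ip"], int(m["age"]), m["mac"].lower(), m["iface"])
        table[(entry.iface, entry.ip)] = entry
    return table


def diff_arp(previous, current) -> list[str]:
    """Describe bindings that changed, appeared or disappeared between snapshots."""
    findings = []
    for key, cur in sorted(current.items()):
        prev = previous.get(key)
        if prev is None:
            findings.append(f"new: {cur.ip} -> {cur.mac} on {cur.iface}")
        elif prev.mac != cur.mac:
            findings.append(
                f"changed: {cur.ip} on {cur.iface} moved from {prev.mac} to {cur.mac}")
    for key, prev in sorted(previous.items()):
        if key not in current:
            findings.append(f"gone: {prev.ip} ({prev.mac}) on {prev.iface}")
    return findings


def check_pinned(current, pinned=PINNED) -> list[str]:
    """Report pinned hosts whose current MAC differs from the expected one."""
    findings = []
    for (iface, ip), expected in pinned.items():
        entry = current.get((iface, ip))
        if entry is not None and entry.mac != expected.lower():
            findings.append(
                f"pinned host {ip} on {iface} expected {expected.lower()}, saw {entry.mac}")
    return findings


if __name__ == "__main__":
    before, after = parse_arp(BASELINE_OUTPUT), parse_arp(LATER_OUTPUT)
    for finding in diff_arp(before, after) + check_pinned(after):
        print(finding)
```

Entries are keyed by interface as well as address because the same address can legitimately appear on different interfaces; only a MAC change for the same (interface, address) pair is reported as a changed binding.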
system central-management
View information about the Central Management System configuration.
Syntax
get system central-management
Example
The output looks like this:
FG600B3908600705 # get system central-management
status : enable
type : fortimanager
auto-backup : disable
schedule-config-restore: enable
schedule-script-restore: enable
allow-push-configuration: enable
allow-pushd-firmware: enable
allow-remote-firmware-upgrade: enable
allow-monitor : enable
fmg : 172.20.120.161
vdom : root
authorized-manager-only: enable
serial-number : "FMG-3K2404400063"
History
FortiOS v3.0 MR5 New.
FortiOS v4.0 Command name changed to get system central-management.
system checksum
View the checksums for global, root, and all.
Syntax
get system checksum status
Example
The output looks like this:
# get system checksum status
global: 7a 87 3c 14 93 bc 98 92 b0 58 16 f2 eb bf a4 15
root: bb a4 80 07 42 33 c2 ff f1 b5 6e fe e4 bb 45 fb
all: 1c 28 f1 06 fa 2e bc 1f ed bd 6b 21 f9 4b 12 88
History
FortiOS v3.0 MR4 New.
system cmdb status
View information about cmdbsvr on the FortiGate unit. FortiManager uses some of this information.
Syntax
get system cmdb status
Example
The output looks like this:
# get system cmdb status
version: 1
owner id: 18
update index: 6070
config checksum: 12879299049430971535
last request pid: 68
last request type: 29
last request: 78
version    Version of the cmdb software.
owner id    Process ID of the cmdbsvr daemon.
update index    The update index shows how many changes have been made in cmdb.
config checksum    The config file version used by FortiManager.
last request pid    The last process to access the cmdb.
last request type    Type of the last attempted access of cmdb.
last request    The number of the last attempted access of cmdb.
History
FortiOS v3.0 MR2 New command.
system dashboard
List the available dashboard widgets. The help: field explains the widget purpose. FortiManager uses this information.
Syntax
get system dashboard [<widget_name>]
Example
The output looks like this:
# get system dashboard
== [ sysinfo ]
name: sysinfo help: system information
== [ licinfo ]
name: licinfo help: license information
== [ sysop ]
name: sysop help: system operation
== [ sysres ]
name: sysres help: system resource
== [ alert ]
name: alert help: alert console
== [ statistics ]
name: statistics help: statistics
== [ jsconsole ]
name: jsconsole help: CLI console
== [ sessions ]
name: sessions help: top sessions
== [ top-viruses ]
name: top-viruses help: top detected viruses
== [ top-attacks ]
name: top-attacks help: top detected attacks
== [ tr-history ]
name: tr-history help: traffic history
If you specify a specific widget, the output looks like this:
# get system dashboard sysinfo
name : sysinfo
help : system information
History
FortiOS v3.0 MR4 New command.
system fdp-fortianalyzer
Use this command to display the serial number of the FortiAnalyzer unit you use for logging.
Syntax
get system fdp-fortianalyzer
The result looks like this:
# get system fdp-fortianalyzer
SERIAL NUMBER
-------------
FL800B3908000420
History
FortiOS v4.0 New.
system fortianalyzer-connectivity
Display connection and remote disk usage information about a connected FortiAnalyzer unit.
Syntax
get system fortianalyzer-connectivity status
Example
The output looks like this:
# get system fortianalyzer-connectivity status
Status: connected
Disk Usage: 0%
History
FortiOS v3.0 MR4 New command.
system fortiguard-log-service status
This command returns information about the status of the FortiGuard Log & Analysis Service, including license and disk information.
Syntax
get system fortiguard-log-service status
Example
This shows a sample output:
# get system fortiguard-log-service status
FortiGuard Log & Analysis Service
Expire on: 20071231
Total disk quota: 1111 MB
Max daily volume: 111 MB
Current disk quota usage: n/a
History
FortiOS v3.0 MR4 New command.
system fortiguard-service status
COMMAND REPLACED. This command returns information about the status of the FortiGuard service, including the name, version, last update, method used for the last update and when the update expires. This information is shown for the AV Engine, virus definitions, attack definitions, and the IPS attack engine.
Syntax
get system fortiguard-service status
Example
This shows a sample output:
NAME VERSION LAST UPDATE METHOD EXPIRE
AV Engine 2.002 2006-01-26 19:45:00 manual 2006-06-12 08:00:00
Virus Definitions 6.513 2006-06-02 22:01:00 manual 2006-06-12 08:00:00
Attack Definitions 2.299 2006-06-09 19:19:00 manual 2006-06-12 08:00:00
IPS Attack Engine 1.015 2006-05-09 23:29:00 manual 2006-06-12 08:00:00
History
FortiOS v3.0 MR2 New command.
FortiOS v3.0 MR5 Command replaced with get system central-mgmt status.
system ha status
Use this command to display information about an HA cluster. The command displays general HA configuration settings. The command also displays information about how the cluster unit that you have logged into is operating in the cluster.
Usually you would log into the primary unit CLI using SSH or telnet. In this case the get system ha status command displays information about the primary unit first, and also displays the HA state of the primary unit (the primary unit operates in the work state). However, if you log into the primary unit and then use the execute ha manage command to log into a subordinate unit (or if you use a console connection to log into a subordinate unit), the get system ha status command displays information about this subordinate unit first, and also displays the HA state of this subordinate unit. The state of a subordinate unit is work for an active-active cluster and standby for an active-passive cluster.
For a virtual cluster configuration, the get system ha status command displays information about how the cluster unit that you have logged into is operating in virtual cluster 1 and virtual cluster 2. For example, if you connect to the cluster unit that is the primary unit for virtual cluster 1 and the subordinate unit for virtual cluster 2, the output of the get system ha status command shows virtual cluster 1 in the work state and virtual cluster 2 in the standby state. The get system ha status command also displays additional information about virtual cluster 1 and virtual cluster 2.
Syntax
get system ha status
The command display includes the following fields. For more information see the examples that follow.
Model    The FortiGate model number.
Mode    The HA mode of the cluster: a-a or a-p.
Group    The group ID of the cluster.
Debug    The debug status of the cluster.
ses_pickup    The status of session pickup: enable or disable.
load_balance    The status of the load-balance-all keyword: enable or disable. Displayed for active-active clusters only.
schedule    The active-active load balancing schedule. Displayed for active-active clusters only.
Master / Slave    Master displays the device priority, host name, serial number, and actual cluster index of the primary (or master) unit. Slave displays the device priority, host name, serial number, and actual cluster index of the subordinate (or slave, or backup) unit or units.
    The list of cluster units changes depending on how you log into the CLI. Usually you would use SSH or telnet to log into the primary unit CLI. In this case the primary unit would be at the top of the list followed by the other cluster units.
    If you use execute ha manage or a console connection to log into a subordinate unit CLI, and then enter get system ha status, the subordinate unit that you have logged into appears at the top of the list of cluster units.
number of vcluster    The number of virtual clusters. If virtual domains are not enabled, the cluster has one virtual cluster. If virtual domains are enabled, the cluster has two virtual clusters.
vcluster 1    The HA state (hello, work, or standby) and HA heartbeat IP address of the cluster unit that you have logged into in virtual cluster 1. If virtual domains are not enabled, vcluster 1 displays information for the cluster. If virtual domains are enabled, vcluster 1 displays information for virtual cluster 1.
    The HA heartbeat IP address is 10.0.0.1 if you are logged into the primary unit of virtual cluster 1 and 10.0.0.2 if you are logged into a subordinate unit of virtual cluster 1.
    vcluster 1 also lists the primary unit (master) and subordinate units (slave) in virtual cluster 1. The list includes the operating cluster index and serial number of each cluster unit in virtual cluster 1. The cluster unit that you have logged into is at the top of the list.
    If virtual domains are not enabled and you connect to the primary unit CLI, the HA state of the cluster unit in virtual cluster 1 is work. The display lists the cluster units starting with the primary unit.
    If virtual domains are not enabled and you connect to a subordinate unit CLI, the HA state of the cluster unit in virtual cluster 1 is standby. The display lists the cluster units starting with the subordinate unit that you have logged into.
    If virtual domains are enabled and you connect to the virtual cluster 1 primary unit CLI, the HA state of the cluster unit in virtual cluster 1 is work. The display lists the cluster units starting with the virtual cluster 1 primary unit.
    If virtual domains are enabled and you connect to the virtual cluster 1 subordinate unit CLI, the HA state of the cluster unit in virtual cluster 1 is standby. The display lists the cluster units starting with the subordinate unit that you are logged into.
    In a cluster consisting of two cluster units operating without virtual domains enabled, all clustering actually takes place in virtual cluster 1. HA is designed to work this way to support virtual clustering. If this cluster was operating with virtual domains enabled, adding virtual cluster 2 is similar to adding a new copy of virtual cluster 1. Virtual cluster 2 is visible in the get system ha status command output when you add virtual domains to virtual cluster 2.
vcluster 2    vcluster 2 only appears if virtual domains are enabled. vcluster 2 displays the HA state (hello, work, or standby) and HA heartbeat IP address of the cluster unit that you have logged into in virtual cluster 2. The HA heartbeat IP address is 10.0.0.2 if you are logged into the primary unit of virtual cluster 2 and 10.0.0.1 if you are logged into a subordinate unit of virtual cluster 2.
    vcluster 2 also lists the primary unit (master) and subordinate units (slave) in virtual cluster 2. The list includes the cluster index and serial number of each cluster unit in virtual cluster 2. The cluster unit that you have logged into is at the top of the list.
    If you connect to the virtual cluster 2 primary unit CLI, the HA state of the cluster unit in virtual cluster 2 is work. The display lists the cluster units starting with the virtual cluster 2 primary unit.
    If you connect to the virtual cluster 2 subordinate unit CLI, the HA state of the cluster unit in virtual cluster 2 is standby. The display lists the cluster units starting with the subordinate unit that you are logged into.
Examples
The following example shows get system ha status output for a cluster of two FortiGate-5001SX units operating in active-active mode. The cluster group ID, session pickup, load balance all, and the load balancing schedule are all set to the default values. The device priority of the primary unit is also set to the default value. The device priority of the subordinate unit has been reduced to 100. The host name of the primary unit is 5001_Slot_4. The host name of the subordinate unit is 5001_Slot_3.
The command output was produced by connecting to the primary unit CLI (host name 5001_Slot_4).
Model: 5000
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable
load_balance: disable
schedule: round robin
Master: 128 5001_Slot_4 FG50012204400045 1
Slave : 100 5001_Slot_3 FG50012205400050 0
number of vcluster: 1
vcluster 1: work 10.0.0.2
Master: 0 FG50012204400045
Slave : 1 FG50012205400050
The following command output was produced by using execute ha manage 0 to log into the subordinate unit CLI of the cluster shown in the previous example. The host name of the subordinate unit is 5001_Slot_3.
Model: 5000
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable
load_balance: disable
schedule: round robin
Slave : 100 5001_Slot_3 FG50012205400050 0
Master: 128 5001_Slot_4 FG50012204400045 1
number of vcluster: 1
vcluster 1: work 10.0.0.2
Slave : 1 FG50012205400050
Master: 0 FG50012204400045
About the HA cluster index and the execute ha manage command
When a cluster starts up, the FortiGate Cluster Protocol (FGCP) assigns a cluster index and an HA heartbeat IP address to each cluster unit based on the serial number of the cluster unit. The FGCP selects the cluster unit with the highest serial number to become the primary unit. The FGCP assigns a cluster index of 0 and an HA heartbeat IP address of 10.0.0.1 to this unit. The FGCP assigns a cluster index of 1 and an HA heartbeat IP address of 10.0.0.2 to the cluster unit with the second highest serial number. If the cluster contains more units, the cluster unit with the third highest serial number is assigned a cluster index of 2 and an HA heartbeat IP address of 10.0.0.3, and so on. You can display the cluster index assigned to each cluster unit using the get system ha status command. Also, when you use the execute ha manage command you select a cluster unit to log into by entering its cluster index.
The cluster index and HA heartbeat IP address only change if a unit leaves the cluster or if a new unit joins the cluster. When one of these events happens, the FGCP resets the cluster index and HA heartbeat IP address of each cluster unit according to serial number in the same way as when the cluster first starts up.
Each cluster unit keeps its assigned cluster index and HA heartbeat IP address even as the units take on different roles in the cluster. After the initial cluster index and HA heartbeat IP addresses are set according to serial number, the FGCP checks other primary unit selection criteria such as device priority and monitored interfaces. Checking these criteria could result in selecting a cluster unit without the highest serial number to operate as the primary unit.
Even if the cluster unit without the highest serial number now becomes the primary unit, the cluster indexes and HA heartbeat IP addresses assigned to the individual cluster units do not change. Instead the FGCP assigns a second cluster index, which could be called the operating cluster index, to reflect this role change. The operating cluster index is 0 for the primary unit and 1 and higher for the other units in the cluster. By default both sets of cluster indexes are the same. But if primary unit selection selects the cluster unit that does not have the highest serial number to be the primary unit, then this cluster unit is assigned an operating cluster index of 0. The operating cluster index is used by the FGCP only. You can display the operating cluster index assigned to each cluster unit using the get system ha status command. There are no CLI commands that reference the operating cluster index.
Note: Even though there are two cluster indexes there is only one HA heartbeat IP address, and the HA heartbeat address is not affected by a change in the operating cluster index.
Using the execute ha manage command
When you use the CLI command execute ha manage <index_integer> to connect to the CLI of another cluster unit, the <index_integer> that you enter is the cluster index of the unit that you want to connect to.
Using get system ha status to display cluster indexes
You can display the cluster index assigned to each cluster unit using the CLI command get system ha status. The following example shows the information displayed by the get system ha status command for a cluster consisting of two FortiGate-5001SX units operating in active-passive HA mode with virtual domains not enabled and without virtual clustering.
get system ha status
Model: 5000
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master: 128 5001_slot_7 FG50012205400050 0
Slave : 128 5001_slot_11 FG50012204400045 1
number of vcluster: 1
vcluster 1: work 10.0.0.1
Master: 0 FG50012205400050
Slave : 1 FG50012204400045
In this example, the cluster unit with serial number FG50012205400050 has the highest serial number and so has a cluster index of 0, and the cluster unit with serial number FG50012204400045 has a cluster index of 1. From the CLI of the primary (or master) unit of this cluster you can connect to the CLI of the subordinate (or slave) unit using the following command:
execute ha manage 1
This works because the cluster unit with serial number FG50012204400045 has a cluster index of 1.
The get system ha status command output shows two similar lists of indexes and serial numbers. The listings on the sixth and seventh lines of the command output are the cluster indexes assigned according to cluster unit serial number. These are the cluster indexes that you enter when using the execute ha manage command. The cluster indexes shown in the last two lines of the command output are the operating cluster indexes that reflect how the cluster units are actually operating in the cluster. In this example both sets of cluster indexes are the same.
The last three lines of the command output display the status of vcluster 1. In a cluster consisting of two cluster units operating without virtual domains enabled, all clustering actually takes place in virtual cluster 1. HA is designed to work this way to support virtual clustering. If this cluster was operating with virtual domains enabled, adding virtual cluster 2 is similar to adding a new copy of virtual cluster 1. Virtual cluster 2 is visible in the get system ha status command output when you add virtual domains to virtual cluster 2.
The HA heartbeat IP address displayed on line 8 is the HA heartbeat IP address of the cluster unit that is actually operating as the primary unit. For a default configuration this IP address will always be 10.0.0.1 because the cluster unit with the highest serial number will be the primary unit. This IP address changes if the operating primary unit is not the primary unit with the highest serial number.
Example: actual and operating cluster indexes do not match
This example shows get system ha status command output for the same cluster of two FortiGate-5001SX
units. However, in this example the device priority of the cluster unit with the serial number
FG50012204400045 is increased to 200. As a result the cluster unit with the lowest serial number
becomes the primary unit. This means the actual and operating cluster indexes of the cluster units do not
match.
get system ha status
Model: 5000
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master: 128 5001_slot_7 FG50012205400050 0
Slave : 200 5001_slot_11 FG50012204400045 1
number of vcluster: 1
vcluster 1: work 10.0.0.2
Master: 1 FG50012205400050
Slave : 0 FG50012204400045
The actual cluster indexes have not changed but the operating cluster indexes have. Also, the HA
heartbeat IP address displayed for vcluster 1 has changed to 10.0.0.2.
Virtual clustering example output
The get system ha status command output is the same if a cluster is operating with virtual clustering
turned on but with all virtual domains in virtual cluster 1. The following get system ha status
command output example shows the same cluster operating as a virtual cluster with virtual domains in
virtual cluster 1 and added to virtual cluster 2. In this example the cluster unit with serial number
FG50012204400045 is the primary unit for virtual cluster 1 and the cluster unit with serial number
FG50012205400050 is the primary unit for virtual cluster 2.
get system ha status
Model: 5000
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master: 128 5001_slot_7 FG50012205400050 0
Slave : 200 5001_slot_11 FG50012204400045 1
number of vcluster: 2
vcluster 1: work 10.0.0.2
Master: 1 FG50012205400050
Slave : 0 FG50012204400045
vcluster 2: standby 10.0.0.1
Master: 0 FG50012205400050
Slave : 1 FG50012204400045
This example shows three sets of indexes. The indexes in lines six and seven are still used by the
execute ha manage command. The indexes on lines ten and eleven are for the primary and subordinate
units in virtual cluster 1 and the indexes on the last two lines are for virtual cluster 2.
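To make the difference between the two index sets concrete, here is an added Python example (not part of the Fortinet documentation) that parses get system ha status output, returns the index to pass to execute ha manage for a given serial number, and reports any virtual cluster whose operating primary is not the highest-serial unit. The sample text is constructed from the second example above, and the code follows the page's reading that the unit with operating index 0 is the one actually acting as primary.

```python
"""Parse 'get system ha status' output and compare actual vs operating cluster indexes."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: the page's second example (priority of FG50012204400045 raised to 200,
# so the lowest-serial unit is operating primary and the two index sets no longer match).
SAMPLE_PRIORITY_OVERRIDE = """\
Model: 5000
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master: 128 5001_slot_7 FG50012205400050 0
Slave : 200 5001_slot_11 FG50012204400045 1
number of vcluster: 1
vcluster 1: work 10.0.0.2
Master: 1 FG50012205400050
Slave : 0 FG50012204400045
"""

# Lines 6-7: "<role>: <priority> <hostname> <serial> <index>" (index assigned by serial number)
_UNIT_RE = re.compile(r"^(Master|Slave)\s*:\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
# Inside a vcluster block: "<role>: <operating index> <serial>"
_OPER_RE = re.compile(r"^(Master|Slave)\s*:\s*(\d+)\s+(\S+)\s*$")
_VCLUSTER_RE = re.compile(r"^vcluster\s+(\d+)\s*:\s*(\S+)\s+(\S+)\s*$")


@dataclass
class VCluster:
    number: int
    state: str                      # work / standby, as reported by the queried unit
    heartbeat_ip: str               # heartbeat IP of the unit operating as primary
    operating_index: Dict[str, int] = field(default_factory=dict)  # serial -> operating index


@dataclass
class HAStatus:
    mode: str = ""
    priority: Dict[str, int] = field(default_factory=dict)      # serial -> device priority
    actual_index: Dict[str, int] = field(default_factory=dict)  # serial -> 'execute ha manage' index
    vclusters: List[VCluster] = field(default_factory=list)


def parse_ha_status(text: str) -> HAStatus:
    """Walk the output top to bottom: Master/Slave lines after a 'vcluster N:' header belong
    to that virtual cluster; the earlier ones carry the serial-number cluster indexes."""
    status = HAStatus()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("mode:"):
            status.mode = line.split(":", 1)[1].strip()
            continue
        m = _VCLUSTER_RE.match(line)
        if m:
            current = VCluster(int(m.group(1)), m.group(2), m.group(3))
            status.vclusters.append(current)
            continue
        if current is None:
            m = _UNIT_RE.match(line)
            if m:
                _, prio, _host, serial, idx = m.groups()
                status.priority[serial] = int(prio)
                status.actual_index[serial] = int(idx)
        else:
            m = _OPER_RE.match(line)
            if m:
                current.operating_index[m.group(3)] = int(m.group(2))
    return status


def manage_index(status: HAStatus, serial: str) -> int:
    """Cluster index to pass to 'execute ha manage' to reach the unit with this serial."""
    return status.actual_index[serial]


def operating_primary(vc: VCluster) -> str:
    """The unit with operating index 0 is the one actually acting as primary for this vcluster."""
    return next(s for s, i in vc.operating_index.items() if i == 0)


def index_mismatches(status: HAStatus) -> List[Tuple[int, str, int, int]]:
    """(vcluster, serial, actual, operating) for every unit whose two indexes differ."""
    out = []
    for vc in status.vclusters:
        for serial, oper in vc.operating_index.items():
            actual = status.actual_index.get(serial)
            if actual is not None and actual != oper:
                out.append((vc.number, serial, actual, oper))
    return out


def primary_override_report(status: HAStatus) -> List[str]:
    """Flag each vcluster whose operating primary is not the highest-serial unit and say whether
    a raised device priority explains it (otherwise a failover or override is worth checking)."""
    expected = max(status.actual_index)  # highest serial number -> default primary
    report = []
    for vc in status.vclusters:
        actual = operating_primary(vc)
        if actual != expected:
            prios = status.priority
            others = max(p for s, p in prios.items() if s != actual)
            cause = ("device priority %d" % prios[actual] if prios[actual] > others
                     else "no priority difference; check for failover or override")
            report.append("vcluster %d: primary is %s instead of %s (%s); heartbeat IP %s"
                          % (vc.number, actual, expected, cause, vc.heartbeat_ip))
    return report


if __name__ == "__main__":
    st = parse_ha_status(SAMPLE_PRIORITY_OVERRIDE)
    print("execute ha manage", manage_index(st, "FG50012204400045"))
    for line in primary_override_report(st):
        print(line)
```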
History
FortiOS v3.0 MR2 New command.
Related topics
system ha
execute ha disconnect
execute ha manage
execute ha synchronize
system info admin ssh
Use this command to display information about the SSH configuration on the FortiGate unit such as:
the SSH port number
the interfaces with SSH enabled
the hostkey DSA fingerprint
the hostkey RSA fingerprint
Syntax
get system info admin ssh
Example
This shows sample output.
# get system info admin ssh
SSH v2 is enabled on port 22
SSH is enabled on the following 1 interfaces:
internal
SSH hostkey DSA fingerprint = cd:e1:87:70:bb:f0:9c:7d:e3:7b:73:f7:44:23:a5:99
SSH hostkey RSA fingerprint = c9:5b:49:1d:7c:ba:be:f3:9d:39:33:4d:48:9d:b8:49
History
FortiOS v3.0 MR2 New.
FortiOS v3.0 MR4 Output changed - added SSH hostkey RSA fingerprint.
Related topics
system accprofile
execute disconnect-admin-session
system info admin status
Use this command to display administrators that are logged into the FortiGate unit.
Syntax
get system info admin status
Example
This shows sample output.
Index Username Login type From
0 admin CLI ssh(172.20.120.16)
1 admin WEB 172.20.120.16
Index The order the administrators logged in.
Username The name of the user account logged in.
Login type Which interface was used to log in.
From The IP address this user logged in from.
History
FortiOS v3.0 MR2 New.
Related topics
get system info admin ssh
system interface physical
Use this command to list information about the unit's physical network interfaces.
Syntax
get system interface physical
The output looks like this:
# get system interface physical
== [onboard]
==[dmz1]
mode: static
ip: 0.0.0.0 0.0.0.0
status: down
speed: n/a
==[dmz2]
mode: static
ip: 0.0.0.0 0.0.0.0
status: down
speed: n/a
==[internal]
mode: static
ip: 172.20.120.146 255.255.255.0
status: up
speed: 100
==[wan1]
mode: pppoe
ip: 0.0.0.0 0.0.0.0
status: down
speed: n/a
==[wan2]
mode: static
ip: 0.0.0.0 0.0.0.0
status: down
speed: n/a
==[modem]
mode: static
ip: 0.0.0.0 0.0.0.0
status: down
speed: n/a
History
FortiOS v4.0 New.
system performance status
Use this command to display FortiGate CPU usage, memory usage, network usage, sessions, virus, IPS
attacks, and system up time.
Syntax
get system performance status
Example
The output looks like this:
# get system performance status
CPU states: 0% user 0% system 0% nice 100% idle
Memory states: 18% used
Average network usage: 0 kbps in 1 minute, 0 kbps in 10 minutes, 1 kbps in 30 minutes
Average sessions: 5 sessions in 1 minute, 6 sessions in 10 minutes, 5 sessions in 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 9days, 22 hours, 0 minutes
CPU states The percentages of CPU cycles used by user, system, nice and idle categories of processes.
Memory states The percentage of memory used.
Average network usage The average amount of network traffic in kbps in the last 1, 10 and 30 minutes.
Average sessions The average number of sessions connected to the FortiGate unit over the last 1, 10 and 30 minutes.
Virus caught The number of viruses the FortiGate unit has caught in the last 1 minute.
IPS attacks blocked The number of IPS attacks that have been blocked in the last 1 minute.
Uptime How long since the FortiGate unit was restarted.
History
FortiOS v3.0 Added.
FortiOS v3.0 MR2 Changed to get system performance status and moved from system to get chapter.
FortiOS v3.0 MR3 Output of command changed to include more CPU information, average network traffic,
average sessions, viruses caught, and IPS attacks blocked.
system session list
This command returns a list of all the sessions active on the FortiGate unit, or on the current virtual domain if
virtual domain mode is enabled.
Syntax
get system session list
Example
The output looks like this:
PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT
tcp 0 127.0.0.1:1083 - 127.0.0.1:514 -
tcp 0 127.0.0.1:1085 - 127.0.0.1:514 -
tcp 10 127.0.0.1:1087 - 127.0.0.1:514 -
tcp 20 127.0.0.1:1089 - 127.0.0.1:514 -
tcp 30 127.0.0.1:1091 - 127.0.0.1:514 -
tcp 40 127.0.0.1:1093 - 127.0.0.1:514 -
tcp 60 127.0.0.1:1097 - 127.0.0.1:514 -
tcp 70 127.0.0.1:1099 - 127.0.0.1:514 -
tcp 80 127.0.0.1:1101 - 127.0.0.1:514 -
tcp 90 127.0.0.1:1103 - 127.0.0.1:514 -
tcp 100 127.0.0.1:1105 - 127.0.0.1:514 -
tcp 110 127.0.0.1:1107 - 127.0.0.1:514 -
tcp 103 172.20.120.16:3548 - 172.20.120.133:22 -
tcp 3600 172.20.120.16:3550 - 172.20.120.133:22 -
udp 175 127.0.0.1:1026 - 127.0.0.1:53 -
tcp 5 127.0.0.1:1084 - 127.0.0.1:514 -
tcp 5 127.0.0.1:1086 - 127.0.0.1:514 -
tcp 15 127.0.0.1:1088 - 127.0.0.1:514 -
tcp 25 127.0.0.1:1090 - 127.0.0.1:514 -
tcp 45 127.0.0.1:1094 - 127.0.0.1:514 -
tcp 59 127.0.0.1:1098 - 127.0.0.1:514 -
tcp 69 127.0.0.1:1100 - 127.0.0.1:514 -
tcp 79 127.0.0.1:1102 - 127.0.0.1:514 -
tcp 99 127.0.0.1:1106 - 127.0.0.1:514 -
tcp 109 127.0.0.1:1108 - 127.0.0.1:514 -
tcp 119 127.0.0.1:1110 - 127.0.0.1:514 -
PROTO The transfer protocol of the session.
EXPIRE How long before this session will terminate.
SOURCE The source IP address and port number.
SOURCE-NAT The source of the NAT. - indicates there is no NAT.
DESTINATION The destination IP address and port number.
DESTINATION-NAT The destination of the NAT. - indicates there is no NAT.
History
FortiOS v3.0 MR2 New command.
FortiOS v3.0 MR6 Now per VDOM.
system session status
This command returns the number of active sessions on the FortiGate unit, or, if virtual domain mode is enabled,
the number of active sessions on the current VDOM. In both situations the output names the current
VDOM.
Syntax
get system session status
Example
The output looks like this:
The total number of sessions for the current VDOM: 31
History
FortiOS v3.0 MR6 New command.
system status
Use this command to display system status information including:
FortiGate firmware version, build number and branch point
virus and attack definitions version
FortiGate unit serial number and BIOS version
log hard disk availability
host name
operation mode
virtual domains status: current VDOM, max number of VDOMs, number of NAT and TP mode VDOMs
and VDOM status
current HA status
system time
Syntax
get system status
Example output
Version: Fortigate-800 v4.0.1,build0056,081107
Virus-DB: 8.00631(2008-01-15 14:27)
IPS-DB: 2.00542(2008-09-04 23:08)
Serial-Number: FGT8002805030003
BIOS version: 03000300
Log hard disk: Available
Hostname: FGT8002805030003
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 4 in NAT mode, 0 in TP mode
Virtual domain configuration: enable
FIPS-CC mode: disable
Current HA mode: standalone
Distribution: International
Branch point: 056
Release Version Information: Beta 1
System time: Mon Nov 24 16:25:56 2008
History
FortiOS v3.0 Added.
FortiOS v3.0 MR2 Moved from system to get chapter.
Related topics
get hardware status
system wireless detected-ap
Use this command to view the list of access points detected in SCAN mode or when bg-scan is set to
enable. For more information see system wireless settings on page 477.
Syntax
get system wireless detected-ap
Example output
SSID BSSID CHAN RATE S:N INT CAPS ACT LIVE AGE
Distil_G 00:1b:2f:9f:6a:0b 1 54M 19:0 100 EPSs Y 10 0 WPA
VLAN2Z 00:1d:70:59:a6:40 6 54M 6:0 100 EPSs Y 10 0 RSN
0... 00:16:46:9b:ba:d0 11 54M 3:0 100 ES Y 10 0 WME
HCS-users 00:17:c5:00:f0:31 7 54M 2:0 100 EPs Y 10 10 WPA
training 00:12:bf:14:fa:82 2 54M 43:0 100 EPSs Y 7 7 WPA WME
0... 00:16:46:9b:ba:b0 9 54M 17:0 100 ESs Y 6 6 WME
dixon 00:11:50:d5:d6:c2 11 54M 7:0 100 EPs Y 0 0
History
FortiOS v4.0.0 New.
Related topics
system wireless ap-status
system wireless settings
Index
Symbols
#
comment character in configuration file, 47
Numerics
3600A, 412
3810B, 412
A
abort
CLI edit shell command, 37
abr-type
router ospf, 265
accept-lifetime
router key-chain, 251
access control list, 476
access-group
router multicast interface igmp, 258
access-list, 240
router, 228
router ospf, 271
router rip distance, 287
router rip offset-list, 291
accprofile
system, 322
system admin, 327
ACK, 366
acl
system wireless mac-filter, 476
action
antivirus filepattern, 72
firewall multicast-policy, 119
firewall policy, 122
imp2p aim-user, 186
imp2p icq-user, 187
imp2p msn-user, 188
router access-list, 228
router aspath-list, 231, 233
router prefix-list, 282
router route-map, 295
spamfilter bword, 307
spamfilter DNSBL, 319
spamfilter emailbwl, 309
spamfilter ipbwl, 313
spamfilter mheader, 316
webfilter urlfilter, 605
activate
router bgp neighbor, 242
active
antivirus filepattern, 72
address
firewall, 104
system autoupdate clientoverride, 336
system autoupdate override, 337
system autoupdate push-update, 338
system autoupdate tunneling, 341
address overlap, 454
address-mode
system fortianalyzer, 355
addrgrp
firewall, 106
admin
log filter, 210
system, 326
admingrp
access group for system accprofile, 322
administrative distance, 301
administrator access
access profiles description, 30
system accprofile command, 322
administrators
info, 720
list, 702
admin-port
system global, 365
admin-sport
system global, 365
admintimeout
system global, 365
ADSL
bridged mode, 395
ipoa, 395
Advanced Encryption Standard (AES), 398
advertise
router ospf area filter-list, 269
router ospf summary-address, 276
advertisement-interval
router bgp neighbor, 242
agelimit
antivirus quarantine, 77
aggregate interface, 401
algorithm, 401
lacp-ha-slave, 401
lacp-mode, 401
lacp-speed, 401
member, 401
aggregate route, 237
aim
imp2p old-version, 189
imp2p policy, 190
aim-user
imp2p, 186
alertemail
system, 331
algorithm
system interface, 401
vpn ssl settings, 558
all
execute ha synchronize, 629
router info routing-table, 699
allowaccess
system interface, 390, 399
allowas-in
router bgp neighbor, 242
allowas-in-enable
router bgp neighbor, 242
allowed
log filter, 210
altmode
system modem, 409
always-compare-med
router bgp, 238
anomaly
ips, 194
log filter, 210
antispam, 305
antispam-cache
system fortiguard, 358
antispam-cache-ttl
system fortiguard, 359
antispam-timeout
system fortiguard, 359
antivirus, 71
AP mode
system wireless settings, 478
area
router ospf network, 272
area border router (ABR), 263, 267
ARP
proxy ARP, 168
arp
system, 704
ARP packets, 371, 390
ARP table
adding entries, 414
display, 704
arpforward
system interface, 390
arps
system ha, 376
arps-interval
system ha, 376
arp-table
system, 333, 334
as
router bgp, 238
ase
execute ha synchronize, 629
AS-path list, 231
aspath-list
router, 231
as-set
router bgp aggregate-address, 241
attack
log filter, 210
attackdef
execute ha synchronize, 629
attribute-unchanged
router bgp neighbor, 242
auth
log filter, 210
system bug-report, 344, 346
auth-alg
vpn ipsec manualkey-interface, 519
authenticate
system alertemail, 331, 334
authentication
router ospf area, 268
router ospf area virtual-link, 269
router ospf ospf-interface, 273
system ha, 377
vpn ipsec manualkey, 516
authentication based routing, 233
authentication keys, RIP v2, 251
authentication-key
router ospf area virtual-link, 269
router ospf ospf-interface, 273
authgrp
access group for system accprofile, 322
auth-key
vpn ipsec manualkey-interface, 519
authkey
vpn ipsec manualkey, 516
auth-keychain
router rip interface, 289
authmethod
vpn ipsec phase1, 523
vpn ipsec phase1-interface, 531
auth-mode
router rip interface, 289
authpasswd
vpn ipsec phase1, 523
vpn ipsec phase1-interface, 531
auth-string
router rip interface, 289
auth-timeout
vpn ssl settings, 558
auth-type
system interface, 390
authusr
vpn ipsec phase1, 523
vpn ipsec phase1-interface, 531
authusrgrp
vpn ipsec phase1, 523
vpn ipsec phase1-interface, 531
auto
execute vpn certificate ca, 672
execute vpn certificate crl, 674
auto-dial
system modem, 409
auto-install
system, 335
Automatic Refresh Interval, 369
Autonomous System, bgp, 238
autonomous-flag
system interface config ipv6-prefix, 400
autosvr
system dns, 352
autoupdate clientoverride
system, 336
autoupdate ips
system, 337
autoupdate override
system, 337
autoupdate push-update
system, 338
autoupdate schedule
system, 339
autoupdate tunneling
system, 341
aux
system, 343
AUX port configuration, 343
AV/IPS signature reporting, 367
av-failopen
system global, 366
av-failopen-session
system global, 366
avquery-cache
system fortiguard, 359
avquery-cache-ttl
system fortiguard, 359
avquery-status
system fortiguard, 359
avupd
execute ha synchronize, 629
B
backdoor
router bgp network, 246
backplane interfaces, 370
backup ipsec interface
example, 538
monitor-phase1, 533
backup, execute, 608
bandwidth limiting for interfaces, 393
batch
execute, 611, 613
batch mode, 366
batch_cmdb
system global, 366
baudrate
system console, 347
beacon_interval
system wireless settings, 477
bestpath-as-path-ignore
router bgp, 238
bestpath-cmp-confed-aspath
router bgp, 238
bestpath-cmp-routerid
router bgp, 238
bestpath-med-confed
router bgp, 238
bestpath-med-missing-as-worst
router bgp, 238
BGP, 469
AS-path list, 231
BGP-4, 235
External, 238
Internal, 238
logging neighbor changes, 240
memory table, 690
RFC 1771, 235
RFC 1997, 235
storing updates from neighbor, 245
bgp
router, 235
router info routing-table, 699
bindthroughfw
firewall ipmacbinding setting, 112
bindtofw
firewall ipmacbinding setting, 112
blackhole, 301
router static, 301
blackhole route, 397, 402
blocked
log filter, 210
block-page-status-code
antivirus service, 80
BOOTP Vendor Extensions, 350
border-routers
router info ospf, 695
BPDU, 367
bridge protocol data unit, 367
bridged mode, 395
bsr-allow-quick-refresh
router multicast interface pim-smglobal, 259
buffer
system replacemsg auth, 415, 417, 419, 423, 435, 437
system replacemsg fortiguard-wf, 424
system replacemsg ftp, 426
system replacemsg http, 428
system replacemsg im, 431
system replacemsg mail, 433
system replacemsg spam, 439
system replacemsg sslvpn, 441
bug-report
system, 344, 345
bword
spamfilter, 306
webfilter, 592
C
ca
execute ha synchronize, 629
cache
spamfilter fortishield, 311
cache-mem-percent
webfilter fortiguard, 597
cache-mode
webfilter fortiguard, 597
cache-notfound-responses
system dns, 352
capability-default-originate
router bgp neighbor, 242
capability-dynamic
router bgp neighbor, 242
capability-graceful-restart
router bgp neighbor, 242
capability-orf
router bgp neighbor, 242
capability-route-refresh
router bgp neighbor, 242
case sensitivity
Perl regular expressions, 48
Central Management Service, 612
certificate
vpn ca, 508
vpn crl, 509
vpn local, 511
cfg reload
execute, 613
cfg save
execute, 614
channel
system wireless settings, 477
CHAP, 390
check-reset-range
system global, 366
China, PPP option, 409
Chinese, for web-based manager
Simplified, 368
Traditional, 368
CIDR, 235
cidr-only
router info bgp, 690
cisco-exclude-genid
router multicast interface, 257
Classless Interdomain Routing (CIDR), 235
clear system arp table
execute, 615
CLI basics, 43
CLI commands
abbreviation, 45
CLI edit shell command
abort, 37
config, 37
end, 37
get, 37
next, 37
set, 37
show, 37
unset, 37
CLI structure, 35
CLI table shell command
delete, 36
edit, 36
end, 36
get, 36
move, 36
purge, 36
rename, 36
client certificate
for SSL-VPN, 558
require for logon, 367
client-to-client-reflection
router bgp, 238
clt-cert-req
system global, 367
cluster, 375
virtual, 375
cluster-id
router bgp, 238
cmdb, 707
cnid
user ldap, 495
command completion, 44
command help, 44
comment
firewall profile, 134
comments
firewall policy, 123
comments, documentation, 16
Common Criteria (CC), 354
community
router info bgp, 690
community-info
router info bgp, 690
community-list
router, 248
router info bgp, 690
confederation-identifier
router bgp, 238
config
CLI edit shell command, 37
execute backup, 609
ha synchronize, 629
restore, 651
config checksum
system cmdb status, 707
config limit
ips anomaly, 194
config router, 19, 83, 91, 99, 563, 587
config srv-ovrd-list
system fortiguard, 360
configuration file
#comment character, 47
connected
router info routing-table, 699
connecting to the CLI, 32
through the console, 32
using SSH, 33
using Telnet, 34
connect-timer
router bgp neighbor, 242
conn-tracking
system global, 367
console
system, 347
console status, 683
get, 683
console, gui, 182
contact-info
system snmp sysinfo, 462
cost
router ospf neighbor, 272
router ospf ospf-interface, 273
counting to infinity loop, 290
CPU usage, SNMP event, 459
csv
log syslogd setting, 222
syslogd setting, 222
custom
ips, 197
custom field
log, 208
customer service, 16
D
daily-restart
system global, 367
dampening
router bgp, 238
router info bgp, 690
dampening-max-suppress-time
router bgp, 238
dampening-reachability-half-life
router bgp, 238
dampening-reuse
router bgp, 239
dampening-route-map
router bgp, 239
dampening-suppress
router bgp, 239
dampening-unreachability-half-life
router bgp, 239
database
router info ospf, 695
router info RIP, 698
router info routing-table, 699
database-filter-out
router ospf ospf-interface, 273
database-overflow
router ospf, 266
database-overflow-max-lsas
router ospf, 266
database-overflow-time-to-recover
router ospf, 266
data-size
execute ping-options, 645
date, execute, 618
day
firewall schedule recurring, 160
system autoupdate schedule, 339
daylight saving time, 367
ddns
system interface, 391
ddns-domain
system interface, 391
ddns-password
system interface, 391
ddns-profile-id
system interface, 391
ddns-server
system interface, 391
ddns-sn
system interface, 391
ddns-username
system interface, 391
dead gateway detection, 368
dead gateway detection interval, 367
dead-interval
router ospf area virtual-link, 269
router ospf ospf-interface, 273
decoder
IPS, 686
default
system session-ttl, 452
default-acl
system wireless mac-filter, 476
default-cost
router ospf area, 268
default-gateway
system dhcp server, 349
default-gw
vpn ipsec phase1-interface, 531
defaultgw
system interface, 391
default-gw-priority
vpn ipsec phase1-interface, 531
default-information-metric
router ospf, 266
default-information-metric-type
router ospf, 266
default-information-originate
router ospf, 266
router rip, 286
default-information-route-map
router ospf, 266
default-local-preference
router bgp, 239
default-metric
router ospf, 266
router rip, 286
delete
CLI table shell command, 36
denial of service (DoS) sensor, 143
denial of service attacks, 370
dense mode, 254
description
router bgp neighbor, 242
system interface, 391
system snmp sysinfo, 462, 464
destination
system ipv6-tunnel, 404, 457
details
router info routing-table, 699
detection summary statistics, 367
detection-summary
system global, 367
detectserver
system interface, 392
deterministic-med
router bgp, 239
device
router static, 301
router static6, 303
system settings, 454
df-bit
execute ping-options, 645
DHCP exclusion range, 351
dhcp lease-clear, execute, 619
dhcp lease-list, execute, 620
DHCP options, 350
DHCP relay, 390
dhcp reserved-address
system, 348
dhcp server
system, 349
DHCP servers, maximum, 349
dhcp-ipsec
vpn ipsec phase2, 540, 547
dhcp-relay-ip
system interface, 392
dhcp-relay-service
system interface, 392
dhcp-relay-type
system interface, 392
dhgrp
vpn ipsec phase1, 523
vpn ipsec phase1-interface, 531
vpn ipsec phase2, 540
vpn ipsec phase2-interface, 547
dial-on-demand
system modem, 409
differentiated services code point (DSCP)
originating traffic, 123
reply traffic, 123
diffservcode-forward
firewall policy, 123
diffservcode-rev
firewall policy, 123
diffserv-forward, 123
diffserv-reverse
firewall policy, 123
direction
router ospf area filter-list, 269
router rip distribute-list, 288
router rip offset-list, 291
Directory Service
configuring FSAE, 488
disconnect-admin-session, execute, 621
disc-retry-timeout
system interface, 392
disk filter
log, 209
disk setting
log, 214
diskfull
log disk setting, 215
log memory setting, 220
display
log trafficfilter, 225
distance
router ospf, 266
router rip distance, 288
router static, 301
system interface, 392
system modem, 409
vpn ipsec phase1, 523
vpn ipsec phase1-interface, 532
distance-external
router bgp, 239
router ospf, 266
distance-inter-area
router ospf, 266
distance-internal
router bgp, 239
distance-intra-area
router ospf, 266
distance-local
router bgp, 239
distribute-list-in
router bgp neighbor, 243
router ospf, 266
distribute-list-out
router bgp neighbor, 243
dn
user ldap, 495
dns
system, 352
DNSBL
spamfilter, 318
dns-cache-limit
system dns, 352
dns-server
system dhcp server, 349
dns-server-override
system interface, 392
dns-timeout
spamfilter options, 317
dnstranslation
firewall, 107
documentation
commenting on, 16
Fortinet, 16
domain
system dhcp server, 350
domain name, 391
dont-capability-negotiate
router bgp neighbor, 243
downstream router, prune state, 258
dpd
vpn ipsec phase1, 523
vpn ipsec phase1-interface, 532
dpd-retrycount, 532
vpn ipsec phase1, 523
dpd-retryinterval, 532
vpn ipsec phase1, 524
drive-standby-time
log disk setting, 216
drop-blocked
antivirus quarantine, 77
drop-heuristic
antivirus quarantine, 77
drop-infected
antivirus quarantine, 77
dr-priority
router multicast interface, 257
dst
firewall dnstranslation, 107
router policy, 279
router static, 302
router static6, 303
system global, 367
dstaddr
firewall multicast-policy, 119
firewall policy, 124
dst-addr-type
vpn ipsec phase2, 540
vpn ipsec phase2-interface, 547
dst-end-ip
vpn ipsec phase2, 540
vpn ipsec phase2-interface, 547
dst-end-ip6
vpn ipsec phase2-interface, 547
dstintf
firewall multicast-policy, 119
firewall policy, 124
dst-name
vpn ipsec phase2, 540
vpn ipsec phase2-interface, 548
dst-port
vpn ipsec phase2, 540
vpn ipsec phase2-interface, 548
dst-start-ip
vpn ipsec phase2, 541
vpn ipsec phase2-interface, 548
dst-start-ip6
vpn ipsec phase2-interface, 548
dst-subnet
vpn ipsec phase2, 541
vpn ipsec phase2-interface, 548
dst-subnet6
vpn ipsec phase2-interface, 548
Dynamic DNS service (DDNS), 391
dynamic routing, 396
E
EBGP, 238
RFC 3065, 235
ebgp-enforce-multihop
router bgp neighbor, 243
ebgp-multihop-ttl
router bgp neighbor, 243
edit
CLI table shell command, 36
system accprofile, 322
system gre-tunnel, 373
system mac-address-table, 405
editing commands, 44
editing the configuration file, 47
eip
vpn l2tp, 552
vpn pptp, 554
email
log filter, 210
email when virus or spam detected, 433
emailbwl
spamfilter, 308
emaillists
execute ha synchronize, 629
email-log-imap
log filter, 210
email-log-pop3
log filter, 211
email-log-smtp
log filter, 211
email-pattern
spamfilter emailbwl, 309
enable
system dhcp server, 350
enc-alg
vpn ipsec manualkey-interface, 520
enc-key
vpn ipsec manualkey-interface, 520
enckey
vpn ipsec manualkey, 517
encrypted password support, 45
encryption, 370
ipsec manualkey, 517
system ha, 377
end
CLI edit shell command, 37
CLI table shell command, 36
firewall schedule onetime, 159
firewall schedule recurring, 160
end-ip
firewall address, 104
system dhcp server, 350
system dhcp server config exclude-range, 350
endip
firewall ippool, 116, 117
endpoint control, 423
end-port
router policy, 279
enforce-first-as
router bgp, 239
enhanced packet-matching, 294
Equal Cost Multi-Path (ECMP), 454
equal cost multi-path (ECMP), 302
event
log filter, 211
events
system snmp communities, 459
exact-match
router access-list, 228
example command sequences, 41
execute, 607
execute command
backup, 608
batch, 611, 613
cfg reload, 613
cfg save, 614
clear system arp table, 615
date, 618
dhcp lease-clear, 619
dhcp lease-list, 620
disconnect-admin-session, 621
factoryreset, 622, 623
formatlogdisk, 624
fortiguard-log delete, 626
fortiguard-log update, 625
fsae refresh, 626
ha disconnect, 627
ha manage, 628
ha synchronize, 629
interface dhcpclient-renew, 631
interface pppoe-reconnect, 632
log delete-all, 633
log delete-filtered, 634
log delete-rolled, 635
log display, 636
log filter, 637
log fortianalyzer test-connectivity, 638
log list, 639
log roll, 640
modem dial, 641, 653
modem hangup, 642
ping, 644
ping6, 647
ping-options, 645
reboot, 648
restore, 650
router clear bfd, 649
router clear bgp, 653
router restart, 655
set-next-reboot, 659
ssh, 662
telnet, 663
time, 664
traceroute, 665
update-av, 667
update-ips, 668
update-now, 669
upd-vd-license, 670
usb-disk, 671
vpn certificate ca, 672
vpn certificate crl, 674
vpn certificate local, 675
vpn sslvpn del-tunnel, 679
expires
webfilter ftgd-ovrd, 601, 603
export
execute vpn certificate ca, 672
extintf
firewall vip, 170
extip
firewall vip, 170
extport
firewall vip, 171
ext-ref
webfilter ftgd-ovrd, 601, 603
F
facility
log syslogd setting, 222
factoryreset, execute, 622, 623
failed connection attempts, 369
fail-open
system global, 199
failopen mode, av-failopen, 366
failtime
system global, 367
fast-external-failover
router bgp, 239
FB4, 412
FDN
proxy server, 341
RFC 2616, 341
service, 336
FDS
override server, 337
Federal Information Processing Standards (FIPS), 354
fieldbody
spamfilter mheader, 316
fieldname
spamfilter mheader, 316
file transfer protocol (FTP), 444
filepattern
antivirus, 72
filter
log, 209
filter-list
router info bgp, 690
filter-list-in
router bgp neighbor, 243
filter-list-out
router bgp neighbor, 243
FIN packet, 370
Firefox, 370
firewall, 103
address, 104
addrgrp, 106
multicast-policy, 119
profile, 132
firewall configuration
access profile setting, 322
firmware performance optimization, 369
fixedport
firewall policy, 124
format
system replacemsg auth, 415, 417, 420, 423, 435, 437
system replacemsg fortiguard-wf, 424
system replacemsg ftp, 426
system replacemsg http, 428
system replacemsg im, 431
system replacemsg mail, 433
system replacemsg spam, 439
system replacemsg sslvpn, 441
formatlogdisk, execute, 624
fortianalyzer
system, 355
fortianalyzer filter
log, 209
fortianalyzer setting
log, 218
FortiClient download portal, 423
FortiGate documentation
commenting on, 16
FortiGate SNMP agent, 462, 464
FortiGate system configuration, 366
FortiGate-3016B, 394
FortiGate-ASM-FB4, 394
fortiguard
system, 357
webfilter, 596
FortiGuard Analysis and Management Service
configuration, 362
FortiGuard Distribution Network (FDN), 337, 338, 341
fortiguard filter
log, 209
fortiguard setting
log, 219
FortiGuard updates, 323, 336
fortiguard-log
system, 362
fortiguard-log delete
execute, 626
fortiguard-log update
execute, 625
FortiManager
scripts, 347
fortimanager-discover-helper
system interface, 392
Fortinet customer service, 16
Fortinet documentation, 16
Fortinet Knowledge Center, 16
FortiOS v3.0
MR2, 363
fortishield
spamfilter, 310
fortiswitch-heartbeat, 367
FortiWifi-60
wireless MAC filter, 476
wireless settings, 477
FortiWifi-60A
interface settings, 398
wireless MAC filter, 398
forward-domain
system interface, 392
fqdn
firewall address, 104
frequency
system autoupdate schedule, 339
FSAE, 367
fsae
firewall policy, 124
user, 488
fsae refresh
execute, 626
ftgd-local-cat
webfilter, 599
ftgd-local-rating
webfilter, 600
ftgd-ovrd
webfilter, 601
ftgd-wf-allow
firewall profile, 135
ftgd-wf-block
log filter, 211
ftgd-wf-deny
firewall profile, 135
ftgd-wf-errors
log filter, 211
ftgd-wf-log
firewall profile, 135
ftgd-wf-options
firewall profile, 136
ftgd-wf-ovrd, 136
user group, 492
ftgd-wf-ovrd-dur
user group, 492
ftgd-wf-ovrd-dur-mode
user group, 492
ftgd-wf-ovrd-ext
user group, 492
ftgd-wf-ovrd-scope
user group, 492
ftgd-wf-ovrd-type
user group, 492
ftp
firewall profile, 137
ftp, message added when virus detected, 426
ftpcomfortamount, 137
ftpcomfortinterval
firewall profile, 137
ftpoversizelimit
firewall profile, 137
fwdintf
system dns, 352
fwgrp
access group for system accprofile, 322
system accprofile, 322
G
garbage-timer
router rip, 286
gateway, 391
default setting for VDOM, 453
router policy, 279
router static, 302
router static6, 303
system settings, 455
ge
router prefix-list, 282
geography
system wireless settings, 477
get
CLI edit shell command, 37
CLI table shell command, 36
get commands, 681
global
configure global settings, 57
ips, 199
system, 363
graceful_restart
router bgp, 239
grayware
antivirus, 74
GRE, 289
gre-tunnel
system, 373
group
user, 490
group-id
system ha, 377
group-name
system ha, 377
gui, 181
gwdetect
system interface, 393
H
HA, 375
heartbeat device, 466
monitored interface, 466
remote IP monitoring, 383
slave, error messages, 367
ha
arps, 376
arps-interval, 376
authentication, 377
encryption, 377
group-id, 377
group-name, 377
hbdev, 377
hb-interval, 377
hb-lost-threshold, 377
helo-holddown, 377
link-failed-signal, 377
load-balance-all, 378
mode, 378
monitor, 378
override, 378
password, 378
priority, 379
route-hold, 379
route-ttl, 379
route-wait, 379
schedule, 380
secondary-vcluster, 381
session-pickup, 380
sync-config, 380
system, 375
system status, 713
uninterruptable-upgrade, 380
vcluster2, 381
vdom, 381
weight, 381
ha disconnect, execute, 627
ha manage, execute, 628
ha synchronize, execute, 629
hardware status, 685
hbdev
system ha, 377
hb-interval
system ha, 377
hb-lost-threshold
system ha, 377
header
system replacemsg auth, 415, 417, 420, 423, 435, 437
system replacemsg fortiguard-wf, 424
system replacemsg ftp, 426
system replacemsg http, 428
system replacemsg im, 431
system replacemsg mail, 433
system replacemsg spam, 439
system replacemsg sslvpn, 441
heartbeat
fortiswitch, 367
hello-holdtime
router multicast interface, 257
hello-interval
router multicast interface, 257
router ospf area virtual-link, 270
router ospf ospf-interface, 273
helo-holddown
system ha, 377
heuristic
antivirus, 76
high availability, 375
holddown-timer
system modem, 409
holdtime-timer
router bgp, 239
router bgp neighbor, 243
hop count, 292
hostname
spamfilter fortishield, 311
system fortiguard, 358
system global, 368
http
firewall profile, 138, 140
HTTP session, antivirus, 428
httpcomfortinterval
firewall profile, 139, 140
http-obfuscate
system global, 368
httpoversizelimit
firewall profile, 139
http-retry-count
firewall profile, 139
httpsoversizelimit
firewall profile, 139
https-retry-count
firewall profile, 139
I
IBGP, 238
RFC 1966, 235
ICMP dropped packets logging, 211
icmpcode
firewall service custom, 162
icmptype
firewall service custom, 162
icq
imp2p old-version, 189
imp2p policy, 190
icq-user
imp2p, 187
ICSA compliant logs, 211
id
webfilter ftgd-local-cat, 599
ident-accept
system interface, 393
idle-timeout, 558
system interface, 393
idle-timer
system modem, 409
ie6workaround
system global, 368
IEEE 802.1Q, 398
IEEE 802.3ad, 401
IGMP
RFC 1112, 253
RFC 2236, 253
RFC 3376, 253
igmp-state-limit
router multicast, 256
ignore_optional_capability
router bgp, 239
ignore-session-bytes, 199
IKE, 369
im, 140
IM, message if blocked, 431
image, 651
execute restore, 651
imap
firewall profile, 141
imapoversizelimit
firewall profile, 143
imoversizelimit
firewall profile, 143
imp2p, 185
import
execute vpn certificate ca, 672
execute vpn certificate crl, 674, 678
inbandwidth
config system interface, 393
inbound
firewall policy, 125
inbound traffic, limiting, 393, 395
inconsistent-as
router info bgp, 690
infected
log filter, 211
info ospf
router, 695
info protocols
router, 697
info rip
router, 698
info routing-table
router, 699
initiator
webfilter ftgd-ovrd, 601, 603
input-device
router policy, 279
interface
firewall ippool, 116, 117
loopback, 397, 402
proxy ARP, 168
router bgp neighbor, 243
router info ospf, 695
router info rip, 698
router ospf ospf-interface, 273
router rip distribute-list, 288
router rip offset-list, 291
system, 387
system dhcp server, 350
system gre-tunnel, 373
system ipv6tunnel, 404, 457
system mac-address-table, 405
system modem, 409
system snmp community hosts, 460
system zone, 479
vpn ipsec manualkey, 517
vpn ipsec manualkey-interface, 520
vpn ipsec phase1, 524
vpn ipsec phase1-interface, 532
interface dhcpclient-renew
execute, 631
interface pppoe-reconnect
execute, 632
interior gateway protocol (IGP), 240
International characters, 46
Internet Explorer, 368, 370
interval
system global, 368
inter-VDOM routing, 54
intrazone
system zone, 479
introduction
Fortinet documentation, 16
Intrusion protection
DoS sensor, protection profile, 143
ip
firewall ipmacbinding table, 114
router ospf neighbor, 272
router ospf ospf-interface, 274
router rip neighbor, 290
system dhcp reserved-address, 348
system fortiguard, 358, 360
system interface, 393
system settings, 455
system snmp community hosts, 460
webfilter ftgd-ovrd, 601
IP address formats, 47
IP address overlap, 454
IP address spoofing, 112
IP datagram
TOS bits, 468
IP pool
proxy ARP, 168
transparent mode, 128
ip/subnet
spamfilter ipbwl, 313
spamfilter iptrust, 314
ip6
firewall address6, 105
ip6-address
system interface config ipv6, 399
ip6-default-life
system interface config ipv6, 399
ip6-hop-limit
system interface config ipv6, 399
ip6-link-mtu
system interface config ipv6, 399
ip6-manage-flag
system interface config ipv6, 399
ip6-max-interval
system interface config ipv6, 399
ip6-min-interval
system interface config ipv6, 399
ip6-other-flag
system interface config ipv6, 400
ip6-reachable-time
system interface config ipv6, 400
ip6-retrans-time
system interface config ipv6, 400
ip6-send-adv
system interface config ipv6, 400
ipbwl
spamfilter, 312
ipmacbinding setting
firewall, 112
ipmacbinding table
firewall, 114
ippool
firewall, 116
firewall policy, 125
ips, 193
IPS decoder
status, 686
IPS rule
status, 687
ips-anomaly
firewall profile, 143
IPSec, 289
ipsec
log filter, 211
ipsec concentrator
vpn, 514
ipsec manualkey
vpn, 516
ipsec manualkey-interface
vpn, 519
ipsec phase1
vpn, 522
ipsec phase1-interface
vpn, 530
ipsec phase2
vpn, 539
ipsec phase2-interface
vpn, 546
IPSec tunnel
listing, 688
ipsec tunnel list
get, 688
ipsgrp
access group for system accprofile, 322
ips-signature
firewall profile, 143
ipsuserdefsig
execute backup, 609
execute restore, 652
iptrust
spamfilter, 314
ipunnumbered
system interface, 394
IPv6, 389
6-to-4 address prefix, 104
SLAAC, 399, 400
ipv6-tunnel
system, 404
iSCSI, 656
ISP, 337
J
join-group
router multicast interface, 258
jumbo frames, 395
K
keepalive
fortiswitch, 367
vpn ipsec phase1, 524
vpn ipsec phase1-interface, 532
vpn ipsec phase2, 541
vpn ipsec phase2-interface, 548
keep-alive-timer
router bgp, 239
router bgp neighbor, 243
key-chain
router, 251
keylife, 532
vpn ipsec phase1, 524
keylifekbs, 541
vpn ipsec phase2-interface, 548
keylifeseconds, 541
vpn ipsec phase2-interface, 548
keylife-type, 541
vpn ipsec phase2-interface, 548
key-string
router key-chain, 252
L
l2forward
system interface, 394
l2tp
vpn, 552
lacp-ha-slave
system interface, 401
lacp-mode
system interface, 401
lacp-speed
system interface, 401
language
spamfilter bword, 307
system global, 368
webfilter bword, 592, 594
last request
system cmdb status, 707
last request pid
system cmdb status, 707
last request type
system cmdb status, 707
lcdpin
system global, 369
lcdprotection
system global, 369
lcp-echo-interval
system interface, 394
lcp-max-echo-failures
system interface, 394
LDAP, 369
ldap
user, 495
ldapconntimeout
system global, 369
ldap-server
user local, 498
le
router prefix-list, 282
lease-time
system dhcp server, 350
license
spamfilter fortishield, 311
license key entry, 670
line continuation, 45
lines_per_view
execute logfilter, 637
Link Aggregation Control Protocol (LACP), 401
link-failed-signal
system ha, 377
list
router ospf area filter-list, 269
listname
router rip distribute-list, 288
load-balance-all
system ha, 378
local
user, 498
localcert
execute ha synchronize, 629
local-gw
system gre-tunnel, 373
vpn ipsec manualkey, 517
vpn ipsec manualkey-interface, 520
vpn ipsec phase1, 524
localid, 533
vpn ipsec phase1, 524
local-spi
vpn ipsec manualkey-interface, 520
localspi
vpn ipsec manualkey, 517
location
system snmp sysinfo, 462, 464
log, 207
system interface, 394
log delete-all, execute, 633
log delete-filtered, execute, 634
log delete-rolled, execute, 635
log display, execute, 636
log filter, execute, 637
log fortianalyzer test-connectivity
execute, 638
log list, execute, 639
log roll, execute, 640
log settings, 323
log-av-block
firewall profile, 154
log-av-oversize
firewall profile, 154
log-av-virus
firewall profile, 154
loggrp
access group for system accprofile, 323
system accprofile, 323
log-im
firewall profile, 154
loglocaldeny
system global, 369
log-neighbor-changes
router bgp, 240
log-spam, 154
logtraffic
firewall policy, 125
log-web-content
firewall profile, 154
log-web-filter-activex
firewall profile, 154
log-web-filter-applet
firewall profile, 154
log-web-filter-cookie
firewall profile, 154
log-web-ftgd-err
firewall profile, 155
log-web-url
firewall profile, 155
loopback interface, 397, 402
lowspace
antivirus quarantine, 77
M
mac
firewall ipmacbinding table, 114
system arp-table, 334
system dhcp reserved-address, 348
system interface, config wifi-mac_list, 398
system wireless mac-filter, 476
MAC address, 397
arp-table, 334
macaddr
system interface, 394
mac-address-table
system, 405
mac-list
system wireless mac-filter, 476
mail-sig
firewall profile, 143
mailsig-status
firewall profile, 143
mailto
system bug-report, 344
mailto1, mailto2, mailto3
alertemail setting, 67
maintenance commands, 323
manageip
system settings, 455
management traffic, 55
management VDOM, 55, 326
management-tunnel
system, 406
management-vdom
system global, 369
mappedip
firewall vip, 172
mappedport
firewall vip, 172
match-as-path
router route-map rule, 296
match-community
router route-map rule, 296
match-community-exact
router route-map rule, 297
match-interface
router route-map, 295
match-ip-address
router route-map, 295
match-ip-nexthop
router route-map, 295
match-metric
router route-map, 295
match-origin, 297
match-route-type
router route-map, 295
match-tag
router route-map, 295
maxfilesize
antivirus quarantine, 77
maximum transmission unit (MTU), 395
maximum-prefix
router bgp neighbor, 243
maximum-prefix-threshold
router bgp neighbor, 243
maximum-prefix-warning-only
router bgp neighbor, 243
max-log-file-size
log disk setting, 214
mc-ttl-notchange
system global, 455
md5-key
router ospf area virtual-link, 270
router ospf ospf-interface, 274
member
firewall addrgrp, 106
firewall service group, 164
system interface, 401
user group, 491
user peergrp, 502
vpn ipsec concentrator, 514
memory
router info bgp, 690
memory filter
log, 209
memory global setting
log, 221
memory setting
log, 220
metric
router ospf redistribute, 275
router rip redistribute, 292
metric-type
router ospf redistribute, 275
mheader
spamfilter, 315
mntgrp
access group for system accprofile, 323
system accprofile, 323
mode
antivirus heuristic, 76
config system ha, 378
system console, 347
system interface, 395
system modem, 409
system wireless settings, 478
vpn ipsec phase1, 524
vpn ipsec phase1-interface, 533
modem
auto-dial, 409
backup switchover, 409
dial-on-demand, 409
execute modem dial command, 641, 653
execute modem hangup command, 642
redundant, 409
standalone, 409
system, 408
monitor
system ha, 378
monitor-phase1
vpn ipsec phase1-interface, 533
move
CLI table shell command, 36
MS Windows Client, 390
msn
imp2p old-version, 189
imp2p policy, 190
msn-user
imp2p, 188
MSS TCP, 371
mtu
router ospf ospf-interface, 274
system interface, 395
mtu-ignore
router ospf ospf-interface, 274
Multi Exit Discriminator (MED), 238
multicast
BSR, Cisco, 260
dense mode, 254
IGMP, 253
router, 253
RP, 257
system global, 371
multicast memberships, 256
multicast-forward
system global, 455
multicast-policy
firewall, 119
multicast-routing, 256
N
name
firewall ipmacbinding table, 114
system session-helper, 444
system snmp community, 459
NAT
in transparent mode, 128
nat
firewall multicast-policy, 119
firewall policy, 125
NAT device, 338
NAT mode, changing, 455
NAT/Route mode, 370
natinbound
firewall policy, 125
natip
firewall policy, 125
natoutbound
firewall policy, 125
nat-source-vip
firewall vip, 172
nattraversal
vpn ipsec phase1, 524
vpn ipsec phase1-interface, 533
neighbor
router info ospf, 696
neighbors
router info bgp, 690
neighbour-filter
router multicast interface, 257
NetBIOS, 395
netbios-forward
system interface, 395
netgrp
access group for system accprofile, 323
system accprofile, 323
netmask
firewall dnstranslation, 107
system dhcp server, 350
Netscape, 370
network
router info bgp, 690
network address translation (NAT), 168
Network Layer Reachability Information (NLRI), 243, 266
Network Processing Unit (NPU), 412
Network Time Protocol (NTP), 369, 370, 413
network-import-check
router bgp, 240
network-longer-prefixes
router info bgp, 690
network-type
router ospf ospf-interface, 274
next
CLI edit shell command, 37
next-hop-self
router bgp neighbor, 243
NLRI prefix
router bgp, 243
nssa-default-information-originate
router ospf area, 268
nssa-default-information-originate-metric
router ospf area, 268
nssa-default-information-originate-metric-type, 268
nssa-redistribution, 268
nssa-translator-role, 268
ntpserver
system global, 369
ntpsync
system global, 369
O
obfuscated, 368
offset
router rip offset-list, 292
old-version
imp2p, 189
onlink-flag
system interface config ipv6-prefix, 400
operating mode
system settings, 453
opmode
system settings, 455
optimize
system global, 369
option
system dhcp server, 350
options
spamfilter, 317
OSPF, 263, 468
RFC 2328, 263
TOS application routing, 468
ospf
ABR, 263
RFC 3509, 265
router, 263
router info routing-table, 699
OSPF, clear router, 654
other-traffic
log filter, 211
outbound
firewall policy, 125
Outbound Routing Filter (ORF), 242
output-device
router policy, 279
override
system autoupdate push-update, 338
system ha, 378
override-capability
router bgp neighbor, 244
oversized
log filter, 211
ovrd-auth-https
webfilter fortiguard, 597
ovrd-auth-port
webfilter fortiguard, 597
owner id
system cmdb status, 707
P
padt-retry-timeout
system interface, 395
PAP, 390
passive
router bgp neighbor, 244
router multicast interface, 257
passive-interface
router ospf, 266
router rip, 286
passwd
system modem, 409
user local, 498
password
system alertemail, 331
system autoupdate tunneling, 341
system bug-report, 344
system ha, 378
system interface, 396
user ldap, 496
PAT
virtual IPs, 168
path maximum transmission unit (PMTU), 24, 370
paths
router info bgp, 690
pattern
execute ping-options, 645
log filter, 211
spamfilter bword, 307
pattern-type
spamfilter bword, 307
spamfilter emailbwl, 309
spamfilter mheader, 316
webfilter bword, 592, 594
peer
router ospf area virtual-link, 270
vpn ipsec phase1, 525
vpn ipsec phase1-interface, 533
peergrp, 533
vpn ipsec phase1, 525
peerid, 533
vpn ipsec phase1, 525
Peer-to-Peer, message if blocked, 431
peertype, 534
vpn ipsec phase1, 526
performance info, 722
Perl regular expressions, using, 48
pfs
vpn ipsec phase2, 541
vpn ipsec phase2-interface, 548
phase1name
vpn ipsec phase2, 541
vpn ipsec phase2-interface, 548
phone
system modem, 410
PIM, dense-mode, 257
PIM, sparse-mode, 257
pim-mode
router multicast interface, 257
ping, execute, 644
ping6, execute, 647
ping-options, execute, 645
poisoned split horizon, 289
policy
firewall, 121
imp2p, 190
router, 278
policy check, 371
policy check, skipping, 371
poll-interval
router ospf neighbor, 272
poolname
firewall policy, 126
pop3
firewall profile, 145, 147
pop3oversizelimit
firewall profile, 145
pop3soversizelimit
firewall profile, 146
pop3-spamaction
firewall profile, 146
pop3-spamtagmsg
firewall profile, 146
pop3-spamtagtype
firewall profile, 146
port, 222
antivirus service, 80
log syslogd setting, 222
system autoupdate push-update, 338
system autoupdate tunneling, 341
system fortiguard, 358
system session-helper, 444
user fsae, 489
user ldap, 495
port 8890, 341
port address translation
virtual IPs, 168
port forwarding, 168
port range, 368
portal-heading
vpn ssl settings, 558
portforward
firewall vip, 172
power_level
system wireless settings, 478
ppp
log filter, 211
PPPoE, 338
PPPoE Active Discovery Terminate (PADT), 395
PPPoE auth, 390
pptp
vpn, 554
preferences
GUI console, 182
GUI topology viewer, 183
preferred-life-time
system interface config ipv6-prefix, 400
prefix
router access-list, 228
router bgp aggregate-address, 241
router bgp network, 246
router ospf area range, 269
router ospf network, 272
router ospf summary-address, 276
router prefix-list, 282
router rip distance, 288
router rip network, 291
prefix-list
router info bgp, 690
router prefix-list, 282
prefix-list-in
router bgp neighbor, 244
prefix-list-out
router bgp neighbor, 244
preserve source port number, 124
Pre-shared Key (PSK), 398
primary
system dns, 352
priority
router ospf neighbor, 272
router ospf ospf-interface, 274
system ha, 379
system interface, 396
system modem, 410
profile
firewall, 132
firewall policy, 126
webfilter ftgd-ovrd, 601, 603
profile-status
firewall policy, 126
propagation-delay
router multicast interface, 257
proposal
vpn ipsec phase1, 527, 535
vpn ipsec phase2, 542
vpn ipsec phase2-interface, 549
protection profile
DoS sensor, 143
protocol
firewall service custom, 162
firewall vip, 172
router ospf distribute-list, 271
router policy, 279
system session-helper, 444
vpn ipsec phase2, 542
vpn ipsec phase2-interface, 549
Protocol Independent Multicast (PIM), 253
protocol-number
firewall service custom, 162
proxy ARP, 168
FortiGate interface, 168
IP pool, 168
virtual IP, 168
Proxy ID Destination
IPSec interface mode, 688
Proxy ID Source
IPSec interface mode, 688
proxy-arp
system, 414
psksecret, 535
vpn ipsec phase1, 527
purge
CLI table shell command, 36
Q
quarantine
antivirus, 77
quarfilepattern
antivirus, 79
quar-to-fortianalyzer
antivirus quarantine, 78
query-v1-port
system snmp community, 460
query-v1-status
system snmp community, 460
query-v2c-port
system snmp community, 460
query-v2c-status
system snmp community, 460
quotafull
log fortiguard setting, 219
quote-regexp
router info bgp, 690
R
RADIUS, 369, 398, 420
radius
user, 503
RADIUS authentication, 55
radius-auth
system admin, 327
radius-group
system admin, 327
radius-port
system global, 369
radius-server
user local, 498
rating
webfilter ftgd-local-rating, 600
webfilter ftgd-ovrd, 601, 603
reboot, execute, 648
recalling commands, 44
received route, looping, 238
receive-version
router rip interface, 289
redial
system modem, 410
redir-url
user group, 492
refresh
system global, 369
regexp
router aspath-list, 231, 233
router info bgp, 690
Remote Gateway
VPN IPSec monitor field, 688
remote IP monitoring
HA, 383
remote-as
router bgp neighbor, 244
remoteauthtimeout
system global, 369
remote-gw
system gre-tunnel, 373
vpn ipsec manualkey, 517
vpn ipsec manualkey-interface, 520
vpn ipsec phase1, 527
vpn ipsec phase1-interface, 535
remotegw-ddns
vpn ipsec phase1, 527
vpn ipsec phase1-interface, 535
remote-ip
system interface, 396
remote-spi
vpn ipsec manualkey-interface, 520
remotespi
vpn ipsec manualkey, 517
remove-private-as
router bgp neighbor, 244
rename
CLI table shell command, 36
Rendezvous Point (RP), 257
repeat-count
execute ping-options, 645
replacemsg auth, 417, 419, 424, 435
replacemsg fortiguard-wf
system, 424
replacemsg ftp
system, 426
replacemsg http
system, 428
replacemsg im
system, 431
replacemsg mail
system, 433
replacemsg spam
system, 439
replacemsg sslvpn
system, 441
replay
vpn ipsec phase2, 542
vpn ipsec phase2-interface, 549
report settings, 323
reqclientcert
vpn ssl settings, 558
request to send (RTS), 399
reset-sessionless-tcp
system global, 370
resolve
log trafficfilter, 225
restart-time
system global, 370
restore, execute, 650
retain-stale-time
router bgp neighbor, 244
retransmit-interval
router ospf area virtual-link, 270
router ospf ospf-interface, 274
RFC 1058, 286
RFC 1112, 253
RFC 1349, 468
RFC 1583, 267, 468
RFC 1700, 444
RFC 1771, 235
RFC 1966, 235
RFC 1997, 235
RFC 1997, BGP community-list, 248
RFC 2132, 350
RFC 2236, 253
RFC 2328, 263
RFC 2385, 244
RFC 2453, 286
RFC 2616, 341
RFC 3065, 235
RFC 3376, 253
RFC 3509, 265
RFC 3513, 399
RFC 3704, 455
RFC 791, 468
rfc1583-compatible
router ospf, 267
RIP
split horizon, 289, 290
rip
router, 285
router info routing-table, 699
rolled_number, 637
roll-schedule
disk setting, 214
log disk setting, 214
roll-time
log disk setting, 214
route
router info ospf, 696
route, suppressed, 238
route-flap, 238
routegrp
access group for system accprofile, 323
system accprofile, 323
route-hold
system ha, 379
route-limit, 256
route-map
router, 294
router bgp network, 246
router bgp redistribute, 247
router info bgp, 690
routemap
router ospf redistribute, 275
router rip redistribute, 292
route-map-in
router bgp neighbor, 244
route-map-out
router bgp neighbor, 244
router, 227
router clear bfd, execute, 649
router clear bgp, execute, 653
router clear ospf process
execute, 654
router configuration, 323
router info
ospf, 695
protocols, 697
rip, 698
routing table, 699
router info bgp, 690
router restart, execute, 655
router-alert-check
config router multicast config interface config igmp, 259
route-reflector-client
router bgp neighbor, 244
router-id
router bgp, 240
router ospf, 267
route-server-client
router bgp neighbor, 244
route-threshold, 256
route-ttl
system ha, 379
route-wait
system ha, 379
routing
authentication, 233
blackhole, 397, 402
enhanced packet-matching, 294
routing failover, 392
routing table priority, 410
routing table, displaying entries in, 699
routing, administrative distance, 392
routing, flap, 239
routing, inter-VDOM, 54
rp-candidate
router multicast interface, 257
rp-candidate-group
router multicast interface, 257
rp-candidate-interval, 257
rp-candidate-priority, 258
RSA RADIUS server, 420
RSA SecurID authentication, 420
rsa-certificate
vpn ipsec phase1, 527
vpn ipsec phase1-interface, 535
RST out-of-window checking, 366
rules
IPS, 687
Runtime-only config mode, 363
runtime-only configuration mode, 366
S
SACK, 371
scan
router info bgp, 690
scan-bzip2
antivirus service, 80
scan-time
router bgp, 240
schedule
firewall policy, 126
system ha, 380
schedule onetime
firewall, 159
schedule recurring
firewall, 160
scope
webfilter ftgd-ovrd, 601, 603
score
spamfilter bword, 307
webfilter bword, 593
scripts, 347
secondary
system dns, 352, 354
secondary-image
execute restore, 652
secondary-vcluster
system ha, 381
secret
user radius, 504
secure copy (SCP), 365
secure copy protocol (SCP), 616
send-community
router bgp neighbor, 245
send-lifetime
router key-chain, 252
send-version
router rip interface, 290
send-version1-compatible, 290
SerDes (Serializer/Deserializer), 394
server
log syslogd setting, 222
log webtrends setting, 224
spamfilter DNSBL, 319
syslogd setting, 222
system alertemail, 331
system bug-report, 344
user fsae, 489
user ldap, 495
user radius, 504, 506
webtrends setting, 224
servercert
vpn ssl settings, 558
server-type
system dhcp server, 350
service
antivirus, 80
firewall policy, 126
service custom
firewall, 162
service group
firewall, 164
service predefined
firewall, 168
Service Set ID (SSID), 399
session synchronization
between two standalone FortiGate units, 446
session table, 370
session-helper
system, 444
session-pickup
system ha, 380
session-sync
system, 446
session-ttl, 452
RFC 1700, 444
system, 452
set
CLI edit shell command, 37
set-aggregator-as
router route-map rule, 297
set-aggregator-ip
router route-map rule, 297
set-aspath
router route-map rule, 297
set-atomic-aggregate
router route-map rule, 297
set-community
router route-map rule, 298
set-community-additive, 298
set-community-delete
router route-map rule, 297
set-dampening-max-suppress, 298
set-dampening-reachability-half-life
router route-map rule, 298
set-dampening-reuse, 298
set-dampening-suppress, 298
set-dampening-unreachability-half-life
router route-map rule, 298
set-extcommunity-rt
router route-map rule, 298
set-extcommunity-soo
router route-map rule, 298
set-ip-nexthop
router route-map, 295
set-metric
router route-map, 295
set-metric-type
router route-map, 295
set-next-reboot, execute, 659
set-tag
router route-map, 295
setting
alertemail, 66
setting a default gateway for an IPSec interface, 531
setting a default gateway priority, 531
setting administrative access for SSH or Telnet, 33
setting page length, 47
settings
system, 453
severity
log filter, 211
SFP interfaces, 394
SGMII (Serial Gigabit Media Independent Interface), 394
shortcut
router ospf area, 268
shortest path first (SPF), 267
show
CLI edit shell command, 37
shutdown
router bgp neighbor, 245
signature
ips custom, 197, 198
log filter, 211
signature reporting, 367
single-source
vpn ipsec phase2, 543
vpn ipsec phase2-interface, 549
sip
vpn l2tp, 552
vpn pptp, 554
sit-tunnel
system, 457
Skinny Client Control Protocol (SCCP), 455
smtp, 149, 151
SMTP server, 344, 346
SMTP, blocked email, 439
smtpoversizelimit, 150
smtpsoversizelimit, 150
smtp-spamaction, 150
smtp-spamhdrip, 150
smtp-spamtagmsg, 150
smtp-spamtagtype, 151
SNMP
v1, 460
v2c, 460
snmp community
system, 458
snmp sysinfo
system, 462, 464
socket-size, 199
soft-reconfiguration
router bgp neighbor, 245
source
execute ping-options, 645
system ipv6-tunnel, 404, 457
spaces, entering in strings, 46
spamfilter, 305
spamwordthreshold, 153
span
system switch-interface, port spanning, 466
Spanning Tree Protocol (STP), 397
special characters, where they are allowed, 46
speed
system interface, 396
spf-timers
router ospf, 267
Splice mode, 434
split horizon, 290
split-horizon
router rip interface, 290
split-horizon-status
router rip interface, 290
spoofing
IP address, 112
src
firewall dnstranslation, 107
router policy, 279
srcaddr
firewall multicast-policy, 119
firewall policy, 126
src-addr-type
vpn ipsec phase2, 543
vpn ipsec phase2-interface, 550
src-end-ip
vpn ipsec phase2, 543
vpn ipsec phase2-interface, 550
srcintf
firewall multicast-policy, 119
firewall policy, 126
src-name
vpn ipsec phase2, 543
src-port
vpn ipsec phase2, 543
vpn ipsec phase2-interface, 550
src-start-ip
vpn ipsec phase2, 543
vpn ipsec phase2-interface, 550
src-subnet
vpn ipsec phase2, 544
vpn ipsec phase2-interface, 550
srv-ovrd
system fortiguard, 358
ssh
execute, 662
SSH configuration information, 719
ssl monitor
vpn, 556
SSL VPN login message, 441
sslv2
vpn ssl settings, 558
SSL-VPN
login page, 441
user group variables, 492
sslvpn-auth
firewall policy, 126
sslvpn-cache-cleaner
user group, 492
sslvpn-ccert
firewall policy, 127
sslvpn-cipher
firewall policy, 127
sslvpn-client-check
user group, 492
sslvpn-enable, 558
sslvpn-samba
user group, 493
sslvpn-telnet
user group, 493
sslvpn-tunnel
user group, 493
sslvpn-webapp
user group, 493
standalone session synchronization, 446
filters, 447
start
execute ha synchronize, 629
firewall schedule onetime, 159
firewall schedule recurring, 160
start-ip
firewall address, 104
system dhcp server, 350
system dhcp server config exclude-range, 350
startip
firewall ippool, 116, 117
start-port
router policy, 280
stateless address autoconfiguration client (SLAAC), 399, 400
state-refresh-interval
router multicast interface, 258
static
router, 301
router info routing-table, 699
static6
router, 303
status
administrators, 703, 720
antivirus grayware, 75
antivirus quarfilepattern, 79
firewall ipmacbinding table, 114
firewall policy, 127
FortiAnalyzer connection, 710
FortiGuard log service, 711
FortiGuard service, 712
HA, 713
hardware, 685
log disk setting, 214
log fortianalyzer setting, 218
log fortiguard setting, 219
log memory setting, 220
log syslogd setting, 222
log webtrends setting, 224
router bgp redistribute, 247
router info ospf, 696
router ospf ospf-interface, 275
router ospf redistribute, 275
router rip distribute-list, 288
router rip offset-list, 292
router rip redistribute, 292
spamfilter bword, 307
spamfilter DNSBL, 319
spamfilter emailbwl, 309
spamfilter mheader, 316
syslogd setting, 222
system autoupdate clientoverride, 336
system autoupdate override, 337
system autoupdate push-update, 338
system autoupdate schedule, 339
system autoupdate tunneling, 341
system cmdb, 707
system fortianalyzer, 355
system interface, 397
system modem, 410
system performance, 722
system snmp community, 460
system snmp sysinfo, 462
system wireless mac-filter, 476
user local, 498
vpn l2tp, 552
vpn pptp, 555
webfilter bword, 593, 594
webfilter ftgd-local-rating, 600
webfilter ftgd-ovrd, 601, 603
webfilter urlfilter, 605
stop
execute ha synchronize, 629
store-blocked
antivirus quarantine, 78
store-heuristic
antivirus quarantine, 78
store-infected
antivirus quarantine, 78
stpforward
system interface, 397
strict-capability-match
router bgp neighbor, 245
strong encryption, 370
strong-crypto
system global, 370
stub-type
router ospf area, 269
subnet
firewall address, 104
subst
system interface, 397
substitute
router ospf area range, 269
substitute-dst-mac
system interface, 397
substitute-status
router ospf area range, 269
summary
router info bgp, 690
summary-only
router bgp aggregate-address, 241
SYN packets, 367
sync-config
system ha, 380
synchronization
router bgp, 240
sessions between standalone FortiGate units, 446
TCP sessions between standalone FortiGate units, 446
syncinterval
system global, 370
sysgrp
access group for system accprofile, 323
system accprofile, 323
syslogd filter
log, 209
syslogd setting
log, 222
syslogd2 setting
log, 222
syslogd3 setting
log, 222
system admin list, 702
system admin status, 703
system checksum, 706
system cmdb status, 707
system dashboard, 708
system fortianalyzer-connectivity, 710
system fortiguard-log-service status, 711
system fortiguard-service status, 712
system ha status, 713
system info admin ssh, 719
system info admin status, 720
system performance status, 722
T
tag
router ospf redistribute, 275
router ospf summary-address, 276
TCP port, session helpers, 444
TCP session synchronization
between two standalone FortiGate units, 446
filters, 447
tcp-halfclose-timer
system global, 370
tcp-option
system global, 371
tcp-portrange
firewall service custom, 162
technical support, 16
telnet, execute, 663
time
execute, 664
system autoupdate schedule, 339
time synchronization, 370
time zone, 371
timeout
execute ping-options, 645
IPSec interface mode, 688
system session-ttl, 452
timeout-timer
router rip, 287
timestamp, 371
time-to-live (TTL), 455
timezone
system global, 371
topology status
get, 684
topology viewer status, 684
topology, gui, 183
tos
execute ping-options, 645
tos-based-priority
system, 468
tp-mc-skip-policy
system global, 371
traceroute, execute, 665
traffic
log filter, 212
Traffic Indication Messages (TIM)
system wireless settings, 477
traffic shaping, 393, 395
trafficfilter
log, 225
transmit-delay
router ospf area virtual-link, 270
router ospf interface, 275
transparent mode
IP pools, 128
NAT, 128
VIP, 128
virtual IP, 128
transparent mode, changing, 455
trap-v1-lport
system snmp community, 460
trap-v1-rport
system snmp community, 460
trap-v1-status
system snmp community, 460
trap-v2c-lport
system snmp community, 460
trap-v2c-rport
system snmp community, 460
trap-v2c-status
system snmp community, 460
troubleshooting
memory low, 256
trusthost1, trusthost2, trusthost3
system admin, 328
ttl
execute ping-options, 645
ttl-threshold
router multicast interface, 258
tunnel, GRE
system, 373
tunnel-endip
vpn ssl settings, 559
tunnel-startip
vpn ssl settings, 559
type
firewall address, 104
firewall vip, 175
router ospf area, 269
system dhcp reserved-address, 348
user ldap, 496
user local, 498
vpn ipsec phase1, 528
vpn ipsec phase1-interface, 536
webfilter ftgd-ovrd, 602, 603
webfilter urlfilter, 605
Type of Service (TOS), 371
type of service (TOS), 278
RFC 1583, 468
RFC 791, 468
U
UDP, 337
udp-portrange
firewall service custom, 162
uncompnestlimit
antivirus service, 80
uncompsizelimit
antivirus service, 80
undefinedhost
firewall ipmacbinding setting, 112
unicast, 290
uninterruptable-upgrade
system ha, 380
unset
CLI edit shell command, 37
unsuppress-map
router bgp neighbor, 245
update index
system cmdb status, 707
update-av, execute, 667
updategrp
system accprofile, 323
update-ips, execute, 668
update-now, execute, 669
update-source
router bgp neighbor, 245
update-timer
router rip, 287
updgrp
access group for system accprofile, 323
upd-vd-license, execute, 670
upload
log disk setting, 215
upload-delete-files
log disk setting, 215
upload-destination
log disk setting, 215
uploaddir
log disk setting, 215
uploadip
log disk setting, 215
uploadpass
log disk setting, 215
uploadport
log disk setting, 215
uploadsched
log disk setting, 215
uploadtime
log disk setting, 215
uploadtype
log disk setting, 215
uploaduser
log disk setting, 215
uploadzip
log disk setting, 215
url
webfilter ftgd-ovrd, 602, 603
url-filter
log filter, 212
urlfilter
webfilter, 605
usb-disk, execute, 671
user, 481
webfilter ftgd-ovrd, 602, 604
User Authentication Disclaimer, 420
user-group
webfilter ftgd-ovrd, 602, 604
username
alertemail setting, 67
system modem, 410
system alertemail, 331
system autoupdate tunneling, 341
system bug-report, 344
system interface, 397
user ldap, 496
username-smtp
system bug-report, 344
using the CLI, 29
usrgrp
vpn ipsec phase1, 528, 536
vpn l2tp, 552
vpn pptp, 555
V
validate-reply
execute ping-options, 645
valid-life-time
system interface config ipv6-prefix, 400
vcluster2
system ha, 381
VDOM
management, 326
vdom, 369
configure VDOMs, 60
system admin, 328
system ha, 381
system interface, 397
vdom-link
system, 469
ver-1
system fortianalyzer, 355
version
IGMP, 259
router multicast interface igmp, 259
router rip, 287
system cmdb status, 707
view-settings
execute ping-options, 645
violation
log filter, 212
VIP
transparent mode, 128
vip
firewall, 168
vip group, grouping vip, vipgrp, 179
VIP range, 371
vip-arp-range
system global, 371
virtual clustering, 375
Virtual Domain (VDOM), 670
Virtual IP
transparent mode, 128
virtual IP, 168
NAT, 168
PAT, 168
port address translation, 168
virtual-links
router info ospf, 696
virus
log filter, 212
vlanforward
system interface, 397
vlanid
system interface, 398
vpn, 507
vpn certificate ca
execute, 672
vpn certificate crl
execute, 674
vpn certificate local, execute, 675
VPN configuration, 323
vpn sslvpn del-tunnel, execute, 679
vpngrp
access group for system accprofile, 323
system accprofile, 323
vpntunnel
firewall policy, 127
W
web
log filter, 212
web browser support, 370
web filtering, blocked pages, 424
web-content
log filter, 212
webfilter, 591
webfilter configuration, 323
web-filter-activex
log filter, 212
web-filter-applet
log filter, 212
webfilter-cache
system fortiguard, 360
webfilter-cache-ttl
system fortiguard, 360
web-filter-cookie
log filter, 212
webfilter-status
system fortiguard, 360
webfilter-timeout
system fortiguard, 360
webgrp
access group for system accprofile, 323
system accprofile, 323
weblists
execute ha synchronize, 629
webtrends filter
log, 209
webtrends setting
log, 224
weight
router bgp neighbor, 245
system ha, 381
WEP key, 398
where
spamfilter bword, 307
wifi-acl
system interface, 398
wifi-broadcast_ssid
system interface, 398
wifi-fragment_threshold
system interface, 398
wifi-key
system interface, 398
wifi-mac-filter
system interface, 398
wifi-passphrase
system interface, 398
wifi-radius-server
system interface, 398
wifi-rts_threshold
system interface, 399
wifi-security
system interface, 399
wifi-ssid
system interface, 399
wildcard
router access-list, 229
system admin, 328
wildcard pattern matching, 48
Windows Active Directory
refresh user group info via FSAE, 626
wins-ip
system interface, 398
wins-server
system dhcp server, 350
wireless interface access control, 398
wireless mac-filter
system, 476
wireless settings
system, 477
wireless, synchronize, 477
word boundary
Perl regular expressions, 48
X
xauthtype
vpn ipsec phase1, 528
vpn ipsec phase1-interface, 536
Y
yahoo
imp2p old-version, 189
imp2p policy, 190
yahoo-user
imp2p, 191
Z
zone, system, 479
www.fortinet.com