
REFERENCE

FortiGate CLI
Version 3.0 MR6
Preliminary version: This version of the FortiGate CLI Reference was
completed shortly before the FortiOS v3.0 MR6 GA release. Consult the
most recent FortiOS 3.0 MR6 release notes and the Upgrade Guide for
FortiOS v3.0 MR6 for up-to-date information about all new MR6 features.
Fortinet Tech Docs will publish an updated version of the FortiGate CLI
Reference before the end of March 2008. Contact techdoc@fortinet.com
if you have any questions or comments about this preliminary version of
the FortiGate CLI Reference.
Note: This version of the FortiGate CLI Reference also contains CLI
commands for FortiOS Carrier 3.0 MR3.

Visit http://support.fortinet.com to register your FortiGate CLI product. By registering you can receive product
updates, technical support, and FortiGuard services.

www.fortinet.com
FortiGate CLI Reference
Version 3.0 MR6
5 February 2008
01-30006-0015-20080205

© Copyright 2008 Fortinet, Inc. All rights reserved. No part of this
publication including text, examples, diagrams or illustrations may be
reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose,
without prior written permission of Fortinet, Inc.

Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC,
FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat
Management System, FortiGuard, FortiGuard Antispam, FortiGuard
Antivirus, FortiGuard Intrusion Prevention, FortiGuard Web Filtering,
FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner,
FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and
FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other
countries. The names of actual companies and products mentioned
herein may be the trademarks of their respective owners.
Contents
Introduction ....................................................................................... 15
About the FortiGate Unified Threat Management System ............................ 15
About this document........................................................................................ 15
FortiGate documentation ................................................................................. 16
Related documentation .................................................................................... 18
FortiManager documentation ....................................................................... 18
FortiClient documentation ............................................................................ 18
FortiMail documentation ............................................................................... 18
FortiAnalyzer documentation ....................................................................... 18
Fortinet Tools and Documentation CD ......................................................... 19
Fortinet Knowledge Center .......................................................................... 19
Comments on Fortinet technical documentation .......................................... 19
Customer service and technical support ....................................................... 19
Register your Fortinet product........................................................................ 19

What’s new ........................................................................................ 21

Using the CLI ..................................................................................... 27
CLI command syntax........................................................................................ 27
Administrator access ....................................................................................... 28
Connecting to the CLI ...................................................................................... 30
Connecting to the FortiGate console............................................................ 30
Setting administrative access on an interface .............................................. 31
Connecting to the FortiGate CLI using SSH ................................................ 31
Connecting to the FortiGate CLI using Telnet .............................................. 32
Connecting to the FortiGate CLI using the web-based manager ................. 32
CLI objects ........................................................................................................ 33
CLI command branches ................................................................................... 33
config branch................................................................................................ 34
get branch .................................................................................................... 36
show branch................................................................................................. 38
execute branch............................................................................................. 39
diagnose branch........................................................................................... 39
Example command sequences .................................................................... 39
CLI basics.......................................................................................................... 43
Command help ............................................................................................. 43
Command completion .................................................................................. 43
Recalling commands .................................................................................... 44
Editing commands........................................................................................ 44
Line continuation .......................................................................................... 44
Command abbreviation ................................................................................ 44


Environment variables ................................................................................. 44
Encrypted password support ....................................................................... 45
Entering spaces in strings ............................................................................ 45
Entering quotation marks in strings.............................................................. 45
Entering a question mark (?) in a string ....................................................... 45
International characters ............................................................................... 46
Special characters ....................................................................................... 46
IP address formats....................................................................................... 46
Editing the configuration file ......................................................................... 46
Setting screen paging .................................................................................. 47
Changing the baud rate ............................................................................... 47
Using Perl regular expressions .................................................................... 48

Working with virtual domains.......................................................... 51
Enabling virtual domain configuration........................................................... 51
Accessing commands in virtual domain configuration................................ 51
Creating and configuring VDOMs ................................................................... 52
Creating a VDOM......................................................................................... 52
Assigning interfaces to a VDOM .................................................................. 52
Setting VDOM operating mode .................................................................... 52
Changing back to NAT/Route mode ............................................................ 53
Configuring inter-VDOM routing ..................................................................... 53
Changing the management VDOM.................................................................. 54
Creating VDOM administrators ....................................................................... 54
Troubleshooting ARP traffic on VDOMs ........................................................ 55
Duplicate ARP packets ................................................................................ 55
Multiple VDOMs solution.............................................................................. 55
Forward-domain solution ............................................................................. 55
global ................................................................................................................. 57
vdom .................................................................................................................. 60

alertemail ........................................................................................... 63
setting................................................................................................................ 64

antivirus ............................................................................................. 69
filepattern .......................................................................................................... 70
grayware............................................................................................................ 72
heuristic............................................................................................................. 74
quarantine ......................................................................................................... 75
quarfilepattern .................................................................................................. 78
service ............................................................................................................... 79


firewall................................................................................................ 81
address, address6 ............................................................................................ 82
addrgrp, addrgrp6............................................................................................. 84
dnstranslation ................................................................................................... 85
gtp (FortiOS Carrier)......................................................................................... 87
ipmacbinding setting........................................................................................ 95
ipmacbinding table ........................................................................................... 97
ippool ................................................................................................................. 99
ldb-monitor...................................................................................................... 100
multicast-policy .............................................................................................. 102
policy, policy6 ................................................................................................. 104
profile............................................................................................................... 114
schedule onetime ........................................................................................... 149
schedule recurring ......................................................................................... 150
service custom................................................................................................ 152
service group .................................................................................................. 154
vip..................................................................................................................... 155
vipgrp............................................................................................................... 164

gui..................................................................................................... 165
console ............................................................................................................ 166
topology........................................................................................................... 167

imp2p................................................................................................ 169
aim-user........................................................................................................... 170
icq-user............................................................................................................ 171
msn-user.......................................................................................................... 172
old-version ...................................................................................................... 173
policy ............................................................................................................... 174
yahoo-user ...................................................................................................... 175

ips ..................................................................................................... 177
DoS................................................................................................................... 178
custom ............................................................................................................. 181
decoder............................................................................................................ 182
global ............................................................................................................... 183
rule ................................................................................................................... 185
sensor .............................................................................................................. 186


log..................................................................................................... 189
custom-field .................................................................................................... 190
{disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter.... 191
disk setting...................................................................................................... 196
fortianalyzer setting ....................................................................................... 199
fortiguard setting............................................................................................ 201
memory setting............................................................................................... 202
memory global setting ................................................................................... 203
report customization ...................................................................................... 204
report definition .............................................................................................. 205
report filter ...................................................................................................... 206
report output ................................................................................................... 207
report period ................................................................................................... 209
report schedule............................................................................................... 210
report scope.................................................................................................... 211
report selection............................................................................................... 213
report summary-layout .................................................................................. 214
syslogd setting ............................................................................................... 216
trafficfilter........................................................................................................ 218
config rule .................................................................................................. 218
webtrends setting........................................................................................... 220

notification (FortiOS Carrier) ......................................................... 221
notification ...................................................................................................... 222

router................................................................................................ 223
access-list ....................................................................................................... 224
aspath-list........................................................................................................ 226
auth-path ......................................................................................................... 228
bgp ................................................................................................................... 229
config router bgp ........................................................................................ 231
config admin-distance ................................................................................ 234
config aggregate-address .......................................................................... 235
config neighbor .......................................................................................... 235
config network............................................................................................ 239
config redistribute....................................................................................... 240
community-list ................................................................................................ 242
key-chain ......................................................................................................... 245


multicast .......................................................................................................... 247
Sparse mode .............................................................................................. 247
Dense mode............................................................................................... 248
Syntax ........................................................................................................ 248
config router multicast ................................................................................ 249
config interface ........................................................................................... 251
config pim-sm-global .................................................................................. 253
ospf .................................................................................................................. 257
Syntax ........................................................................................................ 257
config router ospf ....................................................................................... 259
config area ................................................................................................. 261
config distribute-list .................................................................................... 265
config neighbor........................................................................................... 266
config network ............................................................................................ 266
config ospf-interface ................................................................................... 267
config redistribute ....................................................................................... 269
config summary-address ............................................................................ 270
policy ............................................................................................................... 272
prefix-list.......................................................................................................... 275
rip ..................................................................................................................... 278
config router rip .......................................................................................... 279
config distance ........................................................................................... 280
config distribute-list .................................................................................... 281
config interface ........................................................................................... 281
config neighbor........................................................................................... 283
config network ............................................................................................ 283
config offset-list .......................................................................................... 284
config redistribute ....................................................................................... 284
route-map ........................................................................................................ 286
Using route maps with BGP ....................................................................... 288
static ................................................................................................................ 292
static6 .............................................................................................................. 294

spamfilter ......................................................................................... 295
bword ............................................................................................................... 296
emailbwl........................................................................................................... 299
fortishield ........................................................................................................ 301
ipbwl................................................................................................................. 303
iptrust............................................................................................................... 305
mheader........................................................................................................... 306
options............................................................................................................. 308
DNSBL ............................................................................................................. 309


system.............................................................................................. 311
accprofile......................................................................................................... 312
admin ............................................................................................................... 316
alertemail......................................................................................................... 321
arp-table .......................................................................................................... 322
auto-install ...................................................................................................... 323
autoupdate clientoverride.............................................................................. 324
autoupdate override ....................................................................................... 325
autoupdate push-update................................................................................ 326
autoupdate schedule...................................................................................... 328
autoupdate tunneling ..................................................................................... 330
aux ................................................................................................................... 332
bug-report ....................................................................................................... 333
console ............................................................................................................ 334
dhcp reserved-address .................................................................................. 335
dhcp server ..................................................................................................... 336
dns ................................................................................................................... 339
fortianalyzer, fortianalyzer2, fortianalyzer3 ................................................. 340
fortiguard......................................................................................................... 342
fortiguard-log .................................................................................................. 346
fortimanager.................................................................................................... 347
gi-gk (FortiOS Carrier).................................................................................... 349
global ............................................................................................................... 350
gre-tunnel ........................................................................................................ 358
ha ..................................................................................................................... 360
interface........................................................................................................... 373
ipv6-tunnel ...................................................................................................... 389
mac-address-table.......................................................................................... 390
management-tunnel ....................................................................................... 391
modem............................................................................................................. 393
npu ................................................................................................................... 396
proxy-arp ......................................................................................................... 397
replacemsg admin .......................................................................................... 398
replacemsg alertmail...................................................................................... 399
replacemsg auth ............................................................................................. 401
replacemsg fortiguard-wf .............................................................................. 404


replacemsg ftp ................................................................................................ 406
replacemsg http .............................................................................................. 408
replacemsg im................................................................................................. 410
replacemsg mail.............................................................................................. 412
replacemsg mm1 (FortiOS Carrier) ............................................................... 414
replacemsg mm3 (FortiOS Carrier) ............................................................... 417
replacemsg mm4 (FortiOS Carrier) ............................................................... 419
replacemsg mm7 (FortiOS Carrier) ............................................................... 421
replacemsg nntp ............................................................................................. 424
replacemsg spam ........................................................................................... 426
replacemsg sslvpn ......................................................................................... 428
replacemsg-group (FortiOS Carrier) ............................................................. 429
replacemsg-image (FortiOS Carrier)............................................................. 432
session-helper ................................................................................................ 433
session-sync ................................................................................................... 434
Notes and limitations.................................................................................. 435
Configuring session synchronization.......................................................... 435
Configuring the session synchronization link ............................................. 436
session-ttl........................................................................................................ 439
settings ............................................................................................................ 440
snmp community ............................................................................................ 443
snmp sysinfo................................................................................................... 446
switch-interface .............................................................................................. 447
tos-based-priority ........................................................................................... 448
vdom-link......................................................................................................... 449
wireless mac-filter .......................................................................................... 451
wireless settings............................................................................................. 452
zone.................................................................................................................. 455

user................................................................................................... 457
Configuring users for authentication ........................................................... 458
Configuring users for password authentication .......................................... 458
Configuring peers for certificate authentication .......................................... 458
adgrp................................................................................................................ 459
dynamic-profile (FortiOS Carrier).................................................................. 460
msisdn-bwl (FortiOS Carrier)......................................................................... 462
msisdn-ip-filter (FortiOS Carrier) .................................................................. 464
msisdn-translation (FortiOS Carrier) ............................................................ 465


fsae .................................................................................................................. 467
group ............................................................................................................... 469
ldap .................................................................................................................. 473
local ................................................................................................................. 476
peer .................................................................................................................. 478
peergrp ............................................................................................................ 480
radius............................................................................................................... 481
settings............................................................................................................ 483
tacacs+ ............................................................................................................ 484

vpn.................................................................................................... 487
certificate ca.................................................................................................... 488
certificate crl ................................................................................................... 489
certificate local ............................................................................................... 491
certificate ocsp ............................................................................................... 492
certificate remote............................................................................................ 493
ipsec concentrator ......................................................................................... 494
ipsec forticlient ............................................................................................... 495
ipsec manualkey............................................................................................. 496
ipsec manualkey-interface............................................................................. 499
ipsec phase1 ................................................................................................... 502
ipsec phase1-interface................................................................................... 510
ipsec phase2 ................................................................................................... 519
ipsec phase2-interface................................................................................... 526
l2tp ................................................................................................................... 533
pptp.................................................................................................................. 535
ssl monitor ...................................................................................................... 537
ssl settings...................................................................................................... 538
ssl web bookmarks ........................................................................................ 541
ssl web bookmarks-group ............................................................................. 543
ssl web favorite............................................................................................... 544

webfilter ........................................................................................... 547


bword............................................................................................................... 548
exmword.......................................................................................................... 550
fortiguard......................................................................................................... 552
FortiGuard-Web category blocking ............................................................ 552
ftgd-local-cat ................................................................................................... 555
ftgd-local-rating .............................................................................................. 556
ftgd-ovrd .......................................................................................................... 557
urlfilter ............................................................................................................. 559

execute............................................................................................. 561
backup ............................................................................................................. 562
batch ................................................................................................................ 564
central-mgmt ................................................................................................... 565
cfg reload......................................................................................................... 566
cfg save ........................................................................................................... 567
clear system arp table .................................................................................... 568
cli status-msg-only ......................................................................................... 569
cli check-template-status............................................................................... 570
date .................................................................................................................. 571
deploy .............................................................................................................. 572
dhcp lease-clear.............................................................................................. 573
dhcp lease-list................................................................................................. 574
disconnect-admin-session ............................................................................ 575
factoryreset ..................................................................................................... 576
formatlogdisk .................................................................................................. 577
fortiguard-log update ..................................................................................... 578
fsae refresh ..................................................................................................... 579
ha disconnect.................................................................................................. 580
ha manage ....................................................................................................... 581
ha synchronize................................................................................................ 583
interface dhcpclient-renew ............................................................................ 585
interface pppoe-reconnect............................................................................. 586
log delete-all.................................................................................................... 587
log delete-filtered............................................................................................ 588
log delete-rolled .............................................................................................. 589
log display ....................................................................................................... 590
log filter............................................................................................................ 591
log fortianalyzer test-connectivity ................................................................ 593
log list .............................................................................................................. 594
log roll.............................................................................................................. 595
modem dial...................................................................................................... 596
modem hangup ............................................................................................... 597
mrouter clear................................................................................................... 598
ping .................................................................................................................. 599
ping-options.................................................................................................... 600
ping6 ................................................................................................................ 602
reboot .............................................................................................................. 603
restore ............................................................................................................. 604
router clear bgp .............................................................................................. 606
router clear bfd ............................................................................................... 607
router clear ospf process .............................................................................. 608
router restart ................................................................................................... 609
send-fds-statistics.......................................................................................... 610
set-next-reboot ............................................................................................... 611
shutdown......................................................................................................... 612
ssh ................................................................................................................... 613
telnet ................................................................................................................ 614
time .................................................................................................................. 615
traceroute ........................................................................................................ 616
update-av......................................................................................................... 617
update-ips ....................................................................................................... 618
update-now ..................................................................................................... 619
upd-vd-license ................................................................................................ 620
usb-disk........................................................................................................... 621
vpn certificate ca ............................................................................................ 622
vpn certificate crl............................................................................................ 624
vpn certificate local ........................................................................................ 625
vpn certificate remote .................................................................................... 628
vpn sslvpn del-tunnel..................................................................................... 629
vpn sslvpn del-web ........................................................................................ 630

get..................................................................................................... 631
chassis status................................................................................................. 632
firewall service predefined ............................................................................ 635
gui console status .......................................................................................... 636
gui topology status ........................................................................................ 637
hardware status .............................................................................................. 638
ips decoder ..................................................................................................... 639
ips rule............................................................................................................. 640
ipsec tunnel list............................................................................................... 641
router info bgp ................................................................................................ 642
router info bfd ................................................................................................. 644
router info multicast ....................................................................................... 645
router info ospf ............................................................................................... 647
router info protocols ...................................................................................... 649
router info rip .................................................................................................. 650
router info routing-table ................................................................................ 651
system admin list............................................................................................ 652
system admin status ...................................................................................... 653
system arp....................................................................................................... 654
system central-mgmt status .......................................................................... 655
system checksum........................................................................................... 656
system cmdb status ....................................................................................... 657
system dashboard .......................................................................................... 658
system fortianalyzer-connectivity................................................................. 659
system fortiguard-log-service status............................................................ 660
system fortiguard-service status .................................................................. 661
system ha status............................................................................................. 662
About the HA cluster index and the execute ha manage command .......... 664
system info admin ssh ................................................................................... 668
system info admin status............................................................................... 669
system performance status ........................................................................... 670
system session list......................................................................................... 672
system session status ................................................................................... 673
system status.................................................................................................. 674

Index................................................................................................. 675

Introduction
This chapter introduces you to the FortiGate Unified Threat Management System
and the following topics:
• About the FortiGate Unified Threat Management System
• About this document
• FortiGate documentation
• Related documentation
• Customer service and technical support
• Register your Fortinet product

About the FortiGate Unified Threat Management System
The FortiGate Unified Threat Management System supports network-based
deployment of application-level services, including virus protection and full-scan
content filtering. FortiGate units improve network security, reduce network misuse
and abuse, and help you use communications resources more efficiently without
compromising the performance of your network.
The FortiGate unit is a dedicated, easily managed security device that delivers a
full suite of capabilities, including:
• application-level services such as virus protection and content filtering,
• network-level services such as firewall, intrusion detection, VPN, and traffic
shaping.
The FortiGate unit employs Fortinet’s Accelerated Behavior and Content Analysis
System (ABACAS™) technology, which leverages breakthroughs in chip design,
networking, security, and content analysis. The unique ASIC-based architecture
analyzes content and behavior in real time, enabling key applications to be
deployed right at the network edge where they are most effective at protecting
your networks. The FortiGate series complements existing solutions, such as
host-based antivirus protection, and enables new applications and services while
greatly lowering costs for equipment, administration, and maintenance.

About this document
This document describes how to use the FortiGate Command Line Interface
(CLI). It contains the following chapters:
• Using the CLI describes how to connect to and use the FortiGate CLI.
• Working with virtual domains describes how to create and administer multiple
VDOMs. It also explains how enabling vdom-admin changes the way you work
with the CLI.
• alertemail is an alphabetic reference to the commands used to configure
alertemail.

• antivirus is an alphabetic reference to the commands used to configure
antivirus features.
• firewall is an alphabetic reference to the commands used to configure firewall
policies and settings.
• gui is an alphabetic reference to the commands used to set preferences for the
web-based manager CLI console and topology viewer.
• imp2p is an alphabetic reference to the commands used to configure user
access to Instant Messaging and Person-to-Person applications.
• ips is an alphabetic reference to the commands used to configure intrusion
detection and prevention features.
• log is an alphabetic reference to the commands used to configure logging.
• notification (FortiOS Carrier) is an alphabetic reference to the commands used
to configure FortiOS Carrier event notification.
• router is an alphabetic reference to the commands used to configure routing.
• spamfilter is an alphabetic reference to the commands used to configure spam
filtering features.
• system is an alphabetic reference to the commands used to configure the
FortiGate system settings.
• user is an alphabetic reference to the commands used to configure authorized
user accounts and groups.
• vpn is an alphabetic reference to the commands used to configure FortiGate
VPNs.
• webfilter is an alphabetic reference to the commands used to configure web
content filtering.
• execute is an alphabetic reference to the execute commands, which provide
some useful utilities such as ping and traceroute, and some commands used
for maintenance tasks.
• get is an alphabetic reference to commands that retrieve status information
about the FortiGate unit.

Note: Diagnose commands are also available from the FortiGate CLI. These commands
are used to display system information and for debugging. Diagnose commands are
intended for advanced users only, and they are not covered in this document. Contact
Fortinet technical support before using these commands.

FortiGate documentation
Information about FortiGate products is available from the following guides:
• FortiGate QuickStart Guide
Provides basic information about connecting and installing a FortiGate unit.
• FortiGate Installation Guide
Describes how to install a FortiGate unit. Includes a hardware reference,
default configuration information, installation procedures, connection
procedures, and basic configuration procedures. Choose the guide for your
product model number.

• FortiGate Administration Guide
Provides basic information about how to configure a FortiGate unit, including
how to define FortiGate protection profiles and firewall policies; how to apply
intrusion prevention, antivirus protection, web content filtering, and spam
filtering; and how to configure a VPN.
• FortiGate online help
Provides a context-sensitive and searchable version of the Administration
Guide in HTML format. You can access online help from the web-based
manager as you work.
• FortiGate CLI Reference
Describes how to use the FortiGate CLI and contains a reference to all
FortiGate CLI commands.
• FortiGate Log Message Reference
Describes the structure of FortiGate log messages and provides information
about the log messages that are generated by FortiGate units.
• FortiGate High Availability User Guide
Contains in-depth information about the FortiGate high availability feature and
the FortiGate clustering protocol.
• FortiGate IPS User Guide
Describes how to configure the FortiGate Intrusion Prevention System settings
and how the FortiGate IPS deals with some common attacks.
• FortiGate IPSec VPN User Guide
Provides step-by-step instructions for configuring IPSec VPNs using the
web-based manager.
• FortiGate SSL VPN User Guide
Compares FortiGate IPSec VPN and FortiGate SSL VPN technology, and
describes how to configure web-only mode and tunnel-mode SSL VPN access
for remote users through the web-based manager.
• FortiGate PPTP VPN User Guide
Explains how to configure a PPTP VPN using the web-based manager.
• FortiGate Certificate Management User Guide
Contains procedures for managing digital certificates including generating
certificate requests, installing signed certificates, importing CA root certificates
and certificate revocation lists, and backing up and restoring installed
certificates and private keys.
• FortiGate VLANs and VDOMs User Guide
Describes how to configure VLANs and VDOMs in both NAT/Route and
Transparent mode. Includes detailed examples.

Related documentation
Additional information about Fortinet products is available from the following
related documentation.
FortiManager documentation
• FortiManager QuickStart Guide
Explains how to install the FortiManager Console, set up the FortiManager
Server, and configure basic settings.
• FortiManager System Administration Guide
Describes how to use the FortiManager System to manage FortiGate devices.
• FortiManager System online help
Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the FortiManager Console as you work.

FortiClient documentation
• FortiClient Host Security User Guide
Describes how to use FortiClient Host Security software to set up a VPN
connection from your computer to remote networks, scan your computer for
viruses, and restrict access to your computer and applications by setting up
firewall policies.
• FortiClient Host Security online help
Provides information and procedures for using and configuring the FortiClient
software.

FortiMail documentation
• FortiMail Administration Guide
Describes how to install, configure, and manage a FortiMail unit in gateway
mode and server mode, including how to configure the unit; create profiles and
policies; configure antispam and antivirus filters; create user accounts; and set
up logging and reporting.
• FortiMail online help
Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the web-based manager as you work.
• FortiMail Web Mail Online Help
Describes how to use the FortiMail web-based email client, including how to
send and receive email; how to add, import, and export addresses; and how to
configure message display preferences.

FortiAnalyzer documentation
• FortiAnalyzer Administration Guide
Describes how to install and configure a FortiAnalyzer unit to collect FortiGate
and FortiMail log files. It also describes how to view FortiGate and FortiMail log
files, generate and view log reports, and use the FortiAnalyzer unit as a NAS
server.
• FortiAnalyzer online help
Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the web-based manager as you work.

Fortinet Tools and Documentation CD
All Fortinet documentation is available on the Fortinet Tools and Documentation
CD shipped with your Fortinet product. The documents on this CD are current at
shipping time. For up-to-date versions of Fortinet documentation visit the Fortinet
Technical Documentation web site at http://docs.forticare.com.

Fortinet Knowledge Center
Additional Fortinet technical documentation is available from the Fortinet
Knowledge Center. The knowledge center contains troubleshooting and how-to
articles, FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge
Center at http://kc.forticare.com.

Comments on Fortinet technical documentation
Please send information about any errors or omissions in this document, or any
Fortinet technical documentation, to techdoc@fortinet.com.

Customer service and technical support
Fortinet Technical Support provides services designed to make sure that your
Fortinet systems install quickly, configure easily, and operate reliably in your
network.
Please visit the Fortinet Technical Support web site at http://support.fortinet.com
to learn about the technical support services that Fortinet provides.

Register your Fortinet product
Register your Fortinet product to receive Fortinet customer services such as
product updates and technical support. You must also register your product for
FortiGuard services such as FortiGuard Antivirus and Intrusion Prevention
updates and for FortiGuard Web Filtering and AntiSpam.
Register your product by visiting http://support.fortinet.com and selecting Product
Registration.
To register, enter your contact information and the serial numbers of the Fortinet
products that you or your organization have purchased. You can register multiple
Fortinet products in a single session without re-entering your contact information.

What’s new
The table below lists commands which have changed since the previous release, MR5.

Command Change
config firewall ldb-monitor New command. Configures health check settings which
can be used when enabling health checks for load
balanced real servers associated with a virtual IP.
config firewall policy, policy6
edit <index_int>
set auth-path New keyword. Enables authentication-based routing.
set auth-redirect-addr New keyword. Specifies address used in URL when
performing HTTP-to-HTTPS redirects for policy
authentication.
set custom-log-fields New keyword. Selects custom log fields to append to
the policy’s log message.
set sslvpn-auth tacacs+ New SSL VPN client authentication option. Selects
TACACS+ authentication method when the firewall
policy action is set to ssl-vpn.
config firewall profile Removed filetype option for all protocol variables
(smtp, pop3, etc.). Instead, the block option is now
used in conjunction with file-pat-table.
edit <profile_str>
set aim block-long-chat New option. Blocks oversize chat messages.
set ftgd-wf-options redir-block New option redir-block. Blocks HTTP redirects.
set ftgd-wf-ovrd-group Keyword removed.
set ftp scanextended New option scanextended. Scans for viruses and
worms using the extended database of virus definitions.
set http scanextended New option scanextended. Scans for viruses and
worms using the extended database of virus definitions.
set icq archive-full Option archive-full renamed from
content-full.
set icq archive-summary Option archive-summary renamed from
content-meta.
set ips-anomaly Keyword removed. IPS sensors, formerly signatures,
are now configured by selecting a sensor name.
set icq content-full Option content-full renamed to archive-full.
set icq content-meta Option content-meta renamed to
archive-summary.
set ips-log Keyword renamed to log-ips.
set ips-signature Keyword removed. Denial of service (DoS) sensors,
formerly anomalies, are no longer configured in
protection profiles.
set ips-sensor New keyword. Selects the IPS sensor name.
set ips-sensor-status New keyword. Enables use of IPS sensors.
set log-ips Keyword renamed from ips-log.

FortiGate CLI Version 3.0 MR6 Reference


01-30006-0015-20080205 21
What’s new

Command Change
config firewall profile (continued)
set msn archive-full Option archive-full renamed from
content-full.
set msn archive-summary Option archive-summary renamed from
content-meta.
set msn content-full Option content-full renamed to archive-full.
set msn content-meta Option content-meta renamed to
archive-summary.
set yahoo archive-full Option archive-full renamed from
content-full.
set yahoo archive-summary Option archive-summary renamed from
content-meta.
set yahoo content-full Option content-full renamed to archive-full.
set yahoo content-meta Option content-meta renamed to
archive-summary.
config firewall vip
edit <name_str>
set http New keyword. Enables multiplexing of port forwarded
HTTP connections into a few connections to the
destination.
set http-ip-header New keyword. Preserves the original client’s IP address
in the X-Forwarded-For HTTP header line when
using HTTP multiplexing.
set max-embryonic-connections New keyword. Specifies the maximum number of
partially established SSL or HTTP connections when
the virtual IP is performing HTTP multiplexing or SSL
offloading.
set ssl New keywords. These keywords configure SSL
acceleration that offloads SSL operations from the
set ssl-certificate destination to the FortiGate unit.
set ssl-client-session-state-max
set ssl-client-session-state-timeout
set ssl-client-session-state-type
set ssl-dh-bits
set ssl-http-location-conversion
set ssl-http-match-host
set ssl-max-version
set ssl-min-version
set ssl-send-empty-frags
set ssl-server-session-state-max
set ssl-server-session-state-timeout
set ssl-server-session-state-type
config realservers
edit <table_int>
set healthcheck New keyword. Enables check of server responsiveness
before forwarding traffic. You must also configure
monitor.
set monitor New keyword. Sets name(s) of healthcheck monitor
settings to use.

FortiGate CLI Version 3.0 MR6 Reference


22 01-30006-0015-20080205
What’s new

Command Change
config fortianalyzer Removed.
config global
config system session-sync New command is global in scope.
execute vpn sslvpn del-tunnel Command is now per-VDOM.
execute vpn sslvpn del-web Command is now per-VDOM.
config ips anomaly Command renamed to config ips DoS and
extensively revised.
config ips decoder New command. Modifies ports on which IPS expects
particular traffic types.
config ips DoS Command renamed from config ips anomaly and
extensively revised. Anomalies are now defined in DoS
sensors.
config ips global
set ip-protocol Keyword removed.
config ips group Command removed.
config ips rule New command. Displays IPS settings for each
signature.
config ips sensor New command. Configures IPS sensors to detect
attacks. IPS sensors are made up of filters that specify
signature attributes and rules to override individual
sensors.
config log custom-field New command. Customizes the log fields with a name
and/or value that appears in log messages.
config log disk setting
set full-first-warning threshold New keywords. This keyword and the two below
define percentage thresholds for warnings as the available disk space for
logs fills up.
set full-second-warning threshold
set full-final-warning threshold
config log memory setting
set diskfull overwrite The nolog and blocktraffic options are removed.
config log memory global setting New command. Configures percentage thresholds for
warnings as memory allocated to logs fills up. Also
configures maximum number of lines in memory buffer
log.
config router auth-path New command. Configures authentication-based
routing.
config system accprofile
edit <profile-name>
set <access-group> <access-level> New option for <access-group>: imp2pgrp
config system admin
edit <name_str>
set schedule New keyword. Selects schedule that determines when
an administrator can log in.
set radius-auth Keyword renamed to remote-auth.
set radius-group Keyword renamed to remote-group.
set remote-auth Keyword renamed from radius-auth.
set remote-group Keyword renamed from radius-group.
config dashboard New subcommand. Configures web-based manager
dashboard for this administrator.
config dhcp server
set ipsec-lease-hold New keyword. Sets time to wait before expiring DHCP-
over-IPSec lease after IPSec tunnel goes down.
config system fm Command replaced by config system
fortimanager.
config system fortimanager New command. Replaces config system fm.
Configures central management on the FortiGate unit.
config system global
set auth-secure-http Keyword moved to config user settings.
set auth-type Keyword moved to config user settings.
set authtimeout Keyword moved to config user settings.
set fds-statistics-period New keyword. Sets the number of minutes in the FDS
report period when fds-statistics is enabled.
set local-anomaly Keyword removed.
config system interface
edit <interface name>
set gateway_address Keyword renamed to gwaddr.
set gwaddr Keyword renamed from gateway_address.
set ha-priority New keyword. Sets the HA priority to assign to the ping
servers configured on an interface when the interface is
added to an HA remote IP monitoring configuration.
set l2tp-client Keyword removed.
set lcp-max-echo-failures Keyword renamed to lcp-max-echo-fail.
set lcp-max-echo-fail Keyword renamed from lcp-max-echo-failures.
set pptp-client New keyword. Enables PPTP client on interface.
set pptp-user New keyword. Sets the name of the PPTP user.
set pptp-password New keyword. Sets the password for the PPTP user.
set pptp-server-ip New keyword. Sets the IP address of the PPTP server.
set pptp-auth-type New keyword. Sets the authentication type for the
PPTP user.
set pptp-timeout New keyword. Sets the PPTP idle timeout in minutes.
config l2tp-client Subcommand and all of its variables removed.
config system management-tunnel New command. Configures the remote management
tunnel and permitted remote management actions from
either the FortiManager unit or FortiGuard Management
Service.
config system session-sync New command. Configures TCP session
synchronization with another FortiGate unit.
config system settings
set p2p-rate-limit New keyword. Sets whether P2P bandwidth limit is
per-profile or per-policy.
set sip-nat-trace New keyword. Enables recording the original IP
address of the phone.
set status New keyword. Enables or disables this VDOM.
set utf8-spam-tagging New keyword. Enable conversion of spam tags to UTF8
for better non-ascii character support.
config system switch-interface New command. Groups interfaces as a virtual switch.
config user fsae
edit <server_name>
set ldap_server New keyword. Sets the name of the LDAP server used
to access Windows AD user and group information.
config user radius
edit <server_name>
set auth-type New keyword. Set authentication type to CHAP, PAP,
MS-CHAP, MS-CHAPv2 or Auto.
set radius-port New keyword. Changes RADIUS port for this server.
config user settings New command. Replaces system global keywords
authtimeout, auth-type, and auth-secure-
http.
config user tacacs+ New command. Configures TACACS+ authentication.
config vpn certificate local
edit <cert_name>
set comments New keyword. Enters descriptive comment about the
certificate.
config vpn ipsec phase1-interface
set default-gw New keyword. Configures a default route for this IPSec
interface.
set default-gw-priority New keyword. Sets priority of default route defined with
set default-gw.
config vpn ssl settings
set auth-timeout You can set a value of 0 for no timeout.
set idle-timeout You can set a value of 0 for no timeout.
execute cli check-template-status New command. Reports the status of the SCP script
template.
execute fortiguard-log delete Command removed.
execute log list Removed category ids.
execute log stats display Command removed.
execute log stats reset Command removed.
execute send-fds-statistics New command. Sends an FDS statistics report
immediately.
firewall service predefined New command. Retrieves information about predefined
services.
get ips anomaly status Command removed. Replaced by get ips rule
status.
get ips custom status Command removed.
get ips decoder status New command.
get ips group status Command removed.
get ips rule status New command. Replaces get ips anomaly
status.
get system session list Command now applies per-VDOM.
get system session status New command. Returns the number of active sessions
in this VDOM. If VDOMs are not enabled, returns
number of active sessions on FortiGate unit.

Using the CLI


This chapter explains how to connect to the CLI and describes the basics of using
the CLI. You can use CLI commands to view all system information and to change
all system configuration settings.
This chapter describes:
• CLI command syntax
• Administrator access
• Connecting to the CLI
• CLI objects
• CLI command branches
• CLI basics

CLI command syntax


This guide uses the following conventions to describe command syntax.
• Angle brackets < > to indicate variables.
For example:
execute restore config <filename_str>
You enter:
execute restore config myfile.bak
<xxx_ipv4> indicates a dotted decimal IPv4 address.
<xxx_v4mask> indicates a dotted decimal IPv4 netmask.
<xxx_ipv4mask> indicates a dotted decimal IPv4 address followed by a
dotted decimal IPv4 netmask.
<xxx_ipv6> indicates an IPv6 address.
<xxx_v6mask> indicates an IPv6 netmask.
<xxx_ipv6mask> indicates an IPv6 address followed by an IPv6 netmask.
• Vertical bar and curly brackets {|} to separate alternative, mutually exclusive
required keywords.
For example:
set opmode {nat | transparent}
You can enter set opmode nat or set opmode transparent.
• Square brackets [ ] to indicate that a keyword or variable is optional.
For example:
show system interface [<name_str>]
To show the settings for all interfaces, you can enter show system
interface. To show the settings for the internal interface, you can enter
show system interface internal.
• A space to separate options that can be entered in any combination and must
be separated by spaces.
For example:
set allowaccess {ping https ssh snmp http telnet}
You can enter any of the following:
set allowaccess ping
set allowaccess ping https ssh
set allowaccess https ping ssh
set allowaccess snmp
In most cases to make changes to lists that contain options separated by
spaces, you need to retype the whole list including all the options you want to
apply and excluding all the options you want to remove.

Administrator access
The access profile you are assigned in your administrator account controls which
CLI commands you can access. You need read access to view configurations and
write access to make changes. Access control in access profiles is divided into
groups, as follows:
Table 1: Access profile control of access to CLI commands

Access control group                       Available CLI commands
Admin Users (admingrp)                     system admin
                                           system accprofile
Antivirus Configuration (avgrp)            antivirus
Auth Users (authgrp)                       user
Firewall Configuration (fwgrp)             firewall
FortiProtect Update (updategrp)            system autoupdate
                                           execute update-av
                                           execute update-ips
                                           execute update-now
IM, P2P & VoIP Configuration (imp2pgrp)    imp2p
IPS Configuration (ipsgrp)                 ips
Log & Report (loggrp)                      alertemail
                                           log
                                           system fortianalyzer
                                           execute log
Maintenance (mntgrp)                       execute backup
                                           execute batch
                                           execute formatlogdisk
                                           execute restore
                                           execute usb-disk
Network Configuration (netgrp)             system arp-table
                                           system dhcp
                                           system interface
                                           system zone
                                           execute clear system arp table
                                           execute dhcp lease-clear
                                           execute dhcp lease-list
                                           execute interface
Router Configuration (routegrp)            router
                                           execute mrouter
                                           execute router
Spamfilter Configuration (spamgrp)         spamfilter
System Configuration (sysgrp)              system except accprofile, admin,
                                           arp-table, autoupdate, fortianalyzer,
                                           interface and zone.
                                           execute cfg
                                           execute date
                                           execute deploy
                                           execute disconnect-admin-session
                                           execute factoryreset
                                           execute ha
                                           execute ping
                                           execute ping6
                                           execute ping-options
                                           execute reboot
                                           execute set-next-reboot
                                           execute shutdown
                                           execute ssh
                                           execute telnet
                                           execute time
                                           execute traceroute
VPN Configuration (vpngrp)                 vpn
                                           execute vpn
Webfilter Configuration (webgrp)           webfilter

Connecting to the CLI


You can use a direct console connection, SSH, Telnet or the web-based manager
to connect to the FortiGate CLI.
• Connecting to the FortiGate console
• Setting administrative access on an interface
• Connecting to the FortiGate CLI using SSH
• Connecting to the FortiGate CLI using Telnet
• Connecting to the FortiGate CLI using the web-based manager

Connecting to the FortiGate console


Only the admin administrator or a regular administrator of the root domain can log
in by connecting to the console interface. You need:
• a computer with an available communications port
• a null modem cable, provided with your FortiGate unit, to connect the FortiGate
console port and a communications port on your computer
• terminal emulation software such as HyperTerminal for Windows

Note: The following procedure describes how to connect to the FortiGate CLI using
Windows HyperTerminal software. You can use any terminal emulation program.

To connect to the CLI


1 Connect the FortiGate console port to the available communications port on your
computer.
2 Make sure the FortiGate unit is powered on.
3 Start HyperTerminal, enter a name for the connection, and select OK.
4 Configure HyperTerminal to connect directly to the communications port on the
computer to which you have connected the FortiGate console port.
5 Select OK.
6 Select the following port settings and select OK.

Bits per second   9600 (115200 for the FortiGate-300)
Data bits         8
Parity            None
Stop bits         1
Flow control      None

7 Press Enter to connect to the FortiGate CLI.


A prompt similar to the following appears (shown for the FortiGate-300):
FortiGate-300 login:
8 Type a valid administrator name and press Enter.
9 Type the password for this administrator and press Enter.
The following prompt appears:
Welcome!
You have connected to the FortiGate CLI, and you can enter CLI commands.

Setting administrative access on an interface


To perform administrative functions through a FortiGate network interface, you
must enable the required types of administrative access on the interface to which
your management computer connects. Access to the CLI requires SSH or Telnet
access. If you want to use the web-based manager, you need HTTPS or HTTP
access.
To use the web-based manager to configure FortiGate interfaces for SSH or
Telnet access, see the FortiGate Administration Guide.

To use the CLI to configure SSH or Telnet access


1 Connect and log into the CLI using the FortiGate console port and your terminal
emulation software.
2 Use the following command to configure an interface to accept SSH connections:
config system interface
edit <interface_name>
set allowaccess <access_types>
end
Where <interface_name> is the name of the FortiGate interface to be
configured to allow administrative access and <access_types> is a whitespace-
separated list of access types to enable.
For example, to configure the internal interface to accept HTTPS (web-based
manager), SSH and Telnet connections, enter:
config system interface
edit internal
set allowaccess https ssh telnet
end

Note: Remember to press Enter at the end of each line in the command example. Also,
type end and press Enter to commit the changes to the FortiGate configuration.

3 To confirm that you have configured SSH or Telnet access correctly, enter the
following command to view the access settings for the interface:
get system interface <name_str>
The CLI displays the settings, including allowaccess, for the named interface.

Other access methods


The procedure above shows how to allow Telnet or SSH access. If you want to
allow both, or any of the other management access types, you must include all
the options you want to apply in a single set allowaccess command, because
each set replaces the whole list. For example, to allow PING, HTTPS and SSH
access to an interface, the set portion of the command is set
allowaccess ping https ssh.

Connecting to the FortiGate CLI using SSH


Secure Shell (SSH) provides strong secure authentication and secure
communications to the FortiGate CLI from your internal network or the internet.
Once the FortiGate unit is configured to accept SSH connections, you can run an
SSH client on your management computer and use this client to connect to the
FortiGate CLI.

Note: A maximum of 5 SSH connections can be open at the same time.

To connect to the CLI using SSH


1 Install and start an SSH client.
2 Connect to a FortiGate interface that is configured for SSH connections.
3 Type a valid administrator name and press Enter.
4 Type the password for this administrator and press Enter.
The FortiGate model name followed by a # is displayed.
You have connected to the FortiGate CLI, and you can enter CLI commands.

Connecting to the FortiGate CLI using Telnet


You can use Telnet to connect to the FortiGate CLI from your internal network or
the Internet. Once the FortiGate unit is configured to accept Telnet connections,
you can run a Telnet client on your management computer and use this client to
connect to the FortiGate CLI.

Caution: Telnet is not a secure access method. SSH should be used to access the
FortiGate CLI from the Internet or any other unprotected network.

Note: A maximum of 5 Telnet connections can be open at the same time.

To connect to the CLI using Telnet


1 Install and start a Telnet client.
2 Connect to a FortiGate interface that is configured for Telnet connections.
3 Type a valid administrator name and press Enter.
4 Type the password for this administrator and press Enter.
The following prompt appears:
Welcome!
You have connected to the FortiGate CLI, and you can enter CLI commands.

Connecting to the FortiGate CLI using the web-based manager


The web-based manager also provides a CLI console that can be detached as a
separate window.

To connect to the CLI using the web-based manager


1 Connect to the web-based manager and log in.
For information about how to do this, see the FortiGate Administration Guide.
2 Go to System > Status.
3 If you do not see the CLI Console display, select Add Content > CLI Console.
4 Click in the CLI Console display to connect.

CLI objects
The FortiGate CLI is based on configurable objects. The top-level objects are the
basic components of FortiGate functionality.

Table 2: CLI objects

alertemail sends email to designated recipients when it detects log messages of a
defined severity level
antivirus scans services for viruses and grayware, optionally providing quarantine
of infected files
firewall controls connections between interfaces according to policies based on
IP addresses and type of service, applies protection profiles
gui controls preferences for the web-based manager CLI console and
topology viewer
imp2p controls user access to Internet Messaging and Person-to-Person
applications
ips intrusion prevention system
log configures logging
notification configures event notification in FortiOS Carrier.
router moves packets from one network segment to another towards a network
destination, based on packet headers
spamfilter filters email based on MIME headers, a banned word list, lists of banned
email and ip addresses
system configures options related to the overall operation of the FortiGate unit,
such as interfaces, virtual domains, and administrators
user authenticates users to use firewall policies or VPNs
vpn provides Virtual Private Network access through the FortiGate unit
webfilter blocks or passes web traffic based on a banned word list, filter URLs, and
FortiGuard-Web category filtering

There is a chapter in this manual for each of these top-level objects. Each of these
objects contains more specific lower level objects. For example, the firewall object
contains objects for addresses, address groups, policies and protection profiles.

CLI command branches


The FortiGate CLI consists of the following command branches:
• config branch
• get branch
• show branch
• execute branch
• diagnose branch
Examples showing how to enter command sequences within each branch are
provided in the following sections. See also “Example command sequences” on
page 39.

config branch
The config commands configure CLI objects, such as the firewall, the router,
antivirus protection, and so on. For more information about CLI objects, see “CLI
objects” on page 33.
Top-level objects are containers for more specific lower level objects that are each
in the form of a table. For example, the firewall object contains tables of
addresses, address groups, policies and protection profiles. You can add, delete
or edit the entries in the table. Table entries consist of keywords that you can set
to particular values.
To configure an object, you use the config command to navigate to the object’s
command “shell”. For example, to configure administrators, you enter the
command
config system admin
The command prompt changes to show that you are now in the admin shell.
(admin)#
This is a table shell. You can use any of the following commands:

delete Remove an entry from the FortiGate configuration. For example in the
config system admin shell, type delete newadmin and press
Enter to delete the administrator account named newadmin.
edit Add an entry to the FortiGate configuration or edit an existing entry. For
example in the config system admin shell:
• type edit admin and press Enter to edit the settings for the default
admin administrator account.
• type edit newadmin and press Enter to create a new administrator
account with the name newadmin and to edit the default settings for
the new administrator account.
end Save the changes you have made in the current shell and leave the
shell. Every config command must be paired with an end command.
You return to the root FortiGate CLI prompt.
The end command is also used to save set command changes and
leave the shell.
get List the configuration. In a table shell, get lists the table members. In an
edit shell, get lists the keywords and their values.
move Change the position of an entry in an ordered table. For example in the
config firewall policy shell:
• type move 3 after 1 and press Enter to move the policy in the third
position in the table to the second position in the table.
• type move 3 before 1 and press Enter to move the policy in the
third position in the table to the first position in the table.
purge Remove all entries configured in the current shell. For example in the
config user local shell:
• type get to see the list of user names added to the FortiGate
configuration,
• type purge and then y to confirm that you want to purge all the user
names,
• type get again to confirm that no user names are displayed.
rename Rename a table entry. For example, in the config system admin
shell, you could rename “admin3” to “fwadmin” like this:
rename admin3 to fwadmin
show Show changes to the default configuration in the form of configuration
commands.

If you enter the get command, you see a list of the entries in the table of
administrators. To add a new administrator, you enter the edit command with a
new administrator name:
edit admin_1
The FortiGate unit acknowledges the new table entry and changes the command
prompt to show that you are now editing the new entry:
new entry 'admin_1' added
(admin_1)#

From this prompt, you can use any of the following commands:

abort Exit an edit shell without saving the configuration.
config In a few cases, there are subcommands that you access using a second
config command while editing a table entry. An example of this is the
command to add a secondary IP address to a network interface. See the
example “To add two secondary IP addresses to the internal interface”
on page 40.
end Save the changes you have made in the current shell and leave the
shell. Every config command must be paired with an end command.
The end command is also used to save set command changes and
leave the shell.
get List the configuration. In a table shell, get lists the table members. In an
edit shell, get lists the keywords and their values.
next Save the changes you have made in the current shell and continue
working in the shell. For example if you want to add several new user
accounts enter the config user local shell.
• Type edit User1 and press Enter.
• Use the set commands to configure the values for the new user
account.
• Type next to save the configuration for User1 without leaving the
config user local shell.
• Continue using the edit, set, and next commands to continue
adding user accounts.
• Type end and press Enter to save the last configuration and leave the
shell.
set Assign values. For example from the edit admin command shell,
typing set passwd newpass changes the password of the admin
administrator account to newpass.
Note: When using a set command to make changes to lists that contain
options separated by spaces, you need to retype the whole list including
all the options you want to apply and excluding all the options you want
to remove.
show Show changes to the default configuration in the form of configuration
commands.
unset Reset values to defaults. For example from the edit admin command
shell, typing unset password resets the password of the admin
administrator account to the default of no password.

The config branch is organized into configuration shells. You can complete and
save the configuration within each shell for that shell, or you can leave the shell
without saving the configuration. You can only use the configuration commands
for the shell that you are working in. To use the configuration commands for
another shell you must leave the shell you are working in and enter the other
shell.
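The move command matters most in ordered tables such as config firewall policy, where position decides which entry is evaluated first. The following is an added example (my own code, not from the CLI Reference or Fortinet) that models the "move <id> before|after <id>" semantics described above on a constructed list of entry IDs:

```python
"""Model the 'move' command of an ordered FortiGate table.

Added example, not code from the FortiGate CLI Reference.  Entry IDs in
the tests are constructed sample data.
"""


def move_entry(order, entry, where, target):
    """Return a new list with `entry` placed before or after `target`.

    `order` is the table's current sequence of entry IDs.  The position
    is taken relative to `target` after `entry` has been lifted out of
    the table, which is why 'move 3 after 1' on [1, 2, 3] moves the
    third entry to the second position ([1, 3, 2]) and 'move 3 before 1'
    moves it to the first position ([3, 1, 2]), as the reference states.
    """
    if where not in ("before", "after"):
        raise ValueError("position must be 'before' or 'after'")
    if entry not in order or target not in order:
        raise KeyError("unknown entry id")
    if entry == target:
        return list(order)          # moving an entry next to itself is a no-op
    remaining = [e for e in order if e != entry]
    index = remaining.index(target) + (1 if where == "after" else 0)
    remaining.insert(index, entry)
    return remaining


if __name__ == "__main__":
    policies = [1, 2, 3, 4]          # constructed policy IDs in table order
    print(move_entry(policies, 3, "after", 1))    # [1, 3, 2, 4]
    print(move_entry(policies, 3, "before", 1))   # [3, 1, 2, 4]
```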

get branch
Use get to display system status information. For information about these
commands, see “get” on page 631.
You can also use get within a config shell to display the settings for that shell,
or you can use get with a full path to display the settings for a particular object.
To use get from the root prompt, you must include a path to a shell. The root
prompt is the FortiGate host name followed by a #.

Example
The command get hardware status provides information about various
physical components of the FortiGate unit.
# get hardware status
Model name: Fortigate-300
ASIC version: CP
SRAM: 64M
CPU: Pentium III (Coppermine)
RAM: 250 MB
Compact Flash: 122 MB /dev/hda
Hard disk: 38154 MB /dev/hdc
Network Card chipset: Intel(R) 8255x-based Ethernet Adapter
(rev.0x0009)

Note: Interface names vary for different FortiGate models. The following examples use the
interface names for a FortiGate-300 unit.

Example
When you type get in the config system interface shell, information about
all of the interfaces is displayed.
At the (interface)# prompt, type:
get
The screen displays:
== [ internal ]
name: internal mode: static ip: 192.168.20.200
255.255.255.0 status: up netbios-forward:
disable type: physical ip6-address: ::/0 ip6-send-adv:
disable
== [ external ]
name: external mode: static ip: 192.168.100.99
255.255.255.0 status: up netbios-forward:
disable type: physical ip6-address: ::/0 ip6-send-adv:
disable
...

Example
When you type get in the internal interface shell, the configuration values for
the internal interface are displayed.
edit internal
At the (internal)# prompt, type:
get
The screen displays:
name : internal
allowaccess : ping https ssh
arpforword : enable
cli_conn_status : 0
detectserver : (null)
gwdetect : disable
ip : 192.168.20.200 255.255.255.0
and so on.

Example
You are working in the config system global shell and want to see
information about the FortiGate interfaces.
At the (global)# prompt, type:
get system interface
The screen displays:
== [ internal ]
name: internal mode: static ip: 192.168.20.200
255.255.255.0 status: up netbios-forward:
disable type: physical ip6-address: ::/0 ip6-send-adv:
disable
== [ external ]
name: external mode: static ip: 192.168.100.99
255.255.255.0 status: up netbios-forward:
disable type: physical ip6-address: ::/0 ip6-send-adv:
disable
...

Example
You want to confirm the IP address and netmask of the internal interface from the
root prompt.
At the # prompt, type:
get system interface internal
The screen displays:
name : internal
allowaccess : ping https ssh
arpforword : enable
cli_conn_status : 0
detectserver : (null)
gwdetect : disable
ip : 192.168.20.200 255.255.255.0
ip6-address : ::/0
ip6-default-life : 1800
...

show branch
Use show to display the FortiGate unit configuration. By default, only changes to
the default configuration are displayed. Use show full-configuration to
display the complete configuration.
You can use show within a config shell to display the configuration of that shell,
or you can use show with a full path to display the configuration of the specified
object.
To display the configuration of all objects, you can use show from the root prompt.
The root prompt is the FortiGate host or model name followed by a #.

Example
When you type show and press Enter within the internal interface shell, the
changes to the default internal interface configuration are displayed.
At the (internal)# prompt, type:
show
The screen displays:
config system interface
edit internal
set allowaccess ssh ping https
set ip 192.168.20.200 255.255.255.0
next
end
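The show output above is built from the config/edit/set/next/end structure described under "config branch", and the allowaccess line is the space-separated list that must be retyped in full. The following is an added example (my own code, not from the CLI Reference or Fortinet) that parses output in this form, including a nested config secondaryip subshell, and flags interfaces that still allow the cleartext protocols the Telnet caution warns about; the sample output and interface names are constructed.

```python
"""Audit management access in FortiGate 'show system interface' output.

Added example, not code from the FortiGate CLI Reference or Fortinet.
It walks the config/edit/set/next/end shell structure and reports
interfaces whose allowaccess list contains telnet or http.  Because
allowaccess must be retyped as a whole list, each finding carries the
complete replacement set line rather than a partial change.
"""
import shlex

# Constructed sample in the format 'show system interface' produces;
# not output captured from a real unit.
SAMPLE_SHOW_OUTPUT = """\
config system interface
    edit "internal"
        set allowaccess ping https ssh telnet
        set ip 192.168.20.200 255.255.255.0
        config secondaryip
            edit 0
                set ip 192.168.100.100 255.255.255.0
            next
        end
    next
    edit "external"
        set allowaccess ping https ssh
        set ip 192.168.100.99 255.255.255.0
    next
    edit "dmz"
        set allowaccess http ping
        set ip 10.10.10.1 255.255.255.0
    next
end
"""

CLEARTEXT_ACCESS = {"telnet", "http"}


def parse_show(text):
    """Return {shell_path: {entry: {keyword: [values]}}} for 'show' output.

    'config' opens a table shell, 'edit' opens an entry, 'set' assigns a
    keyword, 'next' closes the entry and 'end' closes the shell.  A
    subshell opened inside an entry is keyed by its full path, e.g.
    "system interface/secondaryip"; keywords set directly in a shell
    without entries (config system global) are stored under entry "".
    """
    tables, shells, entries = {}, [], []
    for raw in text.splitlines():
        tokens = shlex.split(raw)      # strips the quotes around entry names
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        path = "/".join(shells)
        if cmd == "config":
            shells.append(" ".join(args))
            tables.setdefault("/".join(shells), {})
        elif cmd == "edit":
            entries.append(args[0])
            tables[path].setdefault(args[0], {})
        elif cmd == "set":
            entry = entries[-1] if entries else ""
            tables[path].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            entries.pop()
        elif cmd == "end":
            shells.pop()
        else:
            raise ValueError("unexpected line in show output: " + raw)
    if shells or entries:
        raise ValueError("unbalanced config/edit: missing end or next")
    return tables


def audit_allowaccess(tables):
    """Return [(interface, cleartext_protocols, replacement_set_line)]."""
    findings = []
    for name, keywords in tables.get("system interface", {}).items():
        access = keywords.get("allowaccess", [])
        bad = [p for p in access if p in CLEARTEXT_ACCESS]
        if not bad:
            continue
        keep = [p for p in access if p not in CLEARTEXT_ACCESS]
        fix = "set allowaccess " + " ".join(keep) if keep else "unset allowaccess"
        findings.append((name, bad, fix))
    return findings


def remediation_script(findings):
    """Render the findings as a config sequence in the CLI's own form."""
    lines = ["config system interface"]
    for name, _bad, fix in findings:
        lines += ['    edit "%s"' % name, "        " + fix, "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    result = audit_allowaccess(parse_show(SAMPLE_SHOW_OUTPUT))
    for name, bad, _fix in result:
        print("%s: cleartext management access: %s" % (name, " ".join(bad)))
    print(remediation_script(result))
```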

Example
You are working in the internal interface shell and want to see the system
global configuration. At the (internal)# prompt, type:
show system global
The screen displays:
config system global
set admintimeout 5
set authtimeout 15
set failtime 5
set hostname 'Fortigate-300'
set interval 5
set lcdpin 123456
set ntpserver '132.246.168.148'
set syncinterval 60
set timezone 04
end

execute branch
Use execute to run static commands, to reset the FortiGate unit to factory
defaults, to back up or restore FortiGate configuration files. The execute
commands are available only from the root prompt.
The root prompt is the FortiGate host or model name followed by a #.

Example
At the root prompt, type:
execute reboot
and press Enter to restart the FortiGate unit.

diagnose branch
Commands in the diagnose branch are used for debugging the operation of the
FortiGate unit and to set parameters for displaying different levels of diagnostic
information. The diagnose commands are not documented in this CLI Reference
Guide.

Caution: Diagnose commands are intended for advanced users only. Contact Fortinet
technical support before using these commands.

Example command sequences

Note: Interface names vary for different FortiGate models. The following examples use the
interface names for a FortiGate-300 unit.

To configure the primary and secondary DNS server addresses


1 Starting at the root prompt, type:
config system dns
and press Enter. The prompt changes to (dns)#.
2 At the (dns)# prompt, type ?
The following options are displayed.
set
unset
get
show
abort
end
3 Type set ?
The following options are displayed.
primary
secondary
domain
dns-cache-limit
cache-not-found-responses
4 To set the primary DNS server address to 172.16.100.100, type:
set primary 172.16.100.100
and press Enter.
5 To set the secondary DNS server address to 207.104.200.1, type:
set secondary 207.104.200.1
and press Enter.
6 To restore the primary DNS server address to the default address, type unset
primary and press Enter.
7 To restore the secondary DNS server address to the default address, type unset
secondary and press Enter.
8 If you want to leave the config system dns shell without saving your changes,
type abort and press Enter.
9 To save your changes and exit the dns sub-shell, type end and press Enter.
10 To confirm your changes have taken effect after leaving the dns sub-shell, type
get system dns and press Enter.

To add two secondary IP addresses to the internal interface


1 Starting at the root prompt, type:
config system interface
and press Enter. The prompt changes to (interface)#.
2 At the (interface)# prompt, type ?
The following options are displayed.
edit
delete
purge
rename
get
show
end
3 At the (interface)# prompt, type:
edit internal
and press Enter. The prompt changes to (internal)#.
4 At the (internal)# prompt, type ?
The following options are displayed.
config
set
unset
get
show
next
abort
end
5 At the (internal)# prompt, type:
config secondaryip
and press Enter. The prompt changes to (secondaryip)#.
6 At the (secondaryip)# prompt, type ?
The following options are displayed.
edit
delete
purge
rename
get
show
end
7 To add a secondary IP address with the ID number 0, type:
edit 0
and press Enter. The prompt changes to (0)#.
8 At the (0)# prompt, type ?
The following options are displayed.
set
unset
get
show
next
abort
end
9 Type set ?
The following options are displayed.
allowaccess
detectserver
gwdetect
ip
10 To set the secondary IP address with the ID number 0 to 192.168.100.100 and
the netmask to 255.255.255.0, type:
set ip 192.168.100.100 255.255.255.0
and press Enter.
11 To add another secondary IP address to the internal interface, type next and
press Enter.
The prompt changes to (secondaryip)#.
12 To add a secondary IP address with the ID number 1, type:
edit 1
and press Enter. The prompt changes to (1)#.
13 To set the secondary IP address with the ID number 1 to 192.168.100.90 and
the netmask to 255.255.255.0, type:
set ip 192.168.100.90 255.255.255.0
and press Enter.
14 To restore the secondary IP address with the ID number 1 to the default, type
unset ip and press Enter.
15 If you want to leave the secondary IP address 1 shell without saving your
changes, type abort and press Enter.
16 To save your changes and exit the secondary IP address 1 shell, type end and
press Enter.
The prompt changes to (internal)#.
17 To delete the secondary IP address with the ID number 1, type delete 1 and
press Enter.
18 To save your changes and exit the internal interface shell, type end and press
Enter.
19 To confirm your changes have taken effect after using the end command, type
get system interface internal and press Enter.

CLI basics
This section includes:
• Command help
• Command completion
• Recalling commands
• Editing commands
• Line continuation
• Command abbreviation
• Environment variables
• Encrypted password support
• Entering spaces in strings
• Entering quotation marks in strings
• Entering a question mark (?) in a string
• International characters
• Special characters
• IP address formats
• Editing the configuration file
• Setting screen paging
• Changing the baud rate
• Using Perl regular expressions

Command help
You can press the question mark (?) key to display command help.
• Press the question mark (?) key at the command prompt to display a list of the
commands available and a description of each command.
• Type a command followed by a space and press the question mark (?) key to
display a list of the options available for that command and a description of
each option.
• Type a command followed by an option and press the question mark (?) key to
display a list of additional options available for that command option
combination and a description of each option.

Command completion
You can use the tab key or the question mark (?) key to complete commands.
• You can press the tab key at any prompt to scroll through the options available
for that prompt.
• You can type the first characters of any command and press the tab key or the
question mark (?) key to complete the command or to scroll through the
options that are available at the current cursor position.
• After completing the first word of a command, you can press the space bar and
then the tab key to scroll through the options available at the current cursor
position.

Recalling commands
You can recall previously entered commands by using the Up and Down arrow
keys to scroll through commands you have entered.

Editing commands
Use the Left and Right arrow keys to move the cursor back and forth in a recalled
command. You can also use the Backspace and Delete keys and the control keys
listed in Table 3 to edit the command.

Table 3: Control keys for editing commands

Function                                   Key combination
Beginning of line                          CTRL+A
End of line                                CTRL+E
Back one character                         CTRL+B
Forward one character                      CTRL+F
Delete current character                   CTRL+D
Previous command                           CTRL+P
Next command                               CTRL+N
Abort the command                          CTRL+C
If used at the root prompt, exit the CLI   CTRL+C

Line continuation
To break a long command over multiple lines, use a \ at the end of each line.

Command abbreviation
You can abbreviate commands and command options to the smallest number of
non-ambiguous characters. For example, the command get system status
can be abbreviated to g sy st.

Environment variables
The FortiGate CLI supports the following environment variables.

$USERFROM The management access type (SSH, Telnet and so on) and the IP
address of the logged in administrator.
$USERNAME The user account name of the logged in administrator.
$SerialNum The serial number of the FortiGate unit.

Variable names are case sensitive. In the following example, the unit hostname is
set to the serial number.
config system global
set hostname $SerialNum
end

Encrypted password support
After you enter a clear text password using the CLI, the FortiGate unit encrypts
the password and stores it in the configuration file with the prefix ENC. For
example:
show system admin user1
lists the user1 administrator password as follows:
config system admin
edit "user1"
set accprofile "prof_admin"
set password ENC XXNFKpSV3oIVk
next
end
It is also possible to enter an already encrypted password. For example, type:
config system admin
and press Enter.
Type:
edit user1
and press Enter.
Type:
set password ENC XXNFKpSV3oIVk
and press Enter.
Type:
end
and press Enter.

Entering spaces in strings
When a string value contains a space, do one of the following:
• Enclose the string in quotation marks, "Security Administrator", for
example.
• Enclose the string in single quotes, 'Security Administrator', for
example.
• Use a backslash ("\") preceding the space, Security\ Administrator, for
example.

Entering quotation marks in strings
If you want to include a quotation mark, single quote or apostrophe in a string, you
must precede the character with a backslash character. To include a backslash,
enter two backslashes.

Entering a question mark (?) in a string
If you want to include a question mark (?) in a string, you must precede the
question mark with CTRL-V. Entering a question mark without first entering
CTRL-V causes the CLI to display possible command completions, terminating
the string.

International characters
The CLI supports international characters in strings. The web-based manager
dashboard CLI Console applet supports the appropriate character set for the
current administration language. If you want to enter strings that contain Asian
characters, configure the CLI Console to use the external command input box.
International character support with external applications such as SSH clients
depends on the capabilities and settings of the application.

Special characters
The characters <, >, (, ), #, ', and " are not permitted in most CLI fields. The
exceptions are:
• passwords
• replacemsg buffer
• firewall policy comments
• ips custom signature
• antivirus filepattern
• antivirus exemptfilepattern
• webfilter bword
• spamfilter bword pattern
• system interface username (PPPoE mode)
• system modem phone numbers or account user names
• firewall profile comment
• spamfilter mheader fieldbody
• spamfilter emailbwl email_pattern
• router info bgp regular expressions
• router aspath-list rule regular expressions

IP address formats
You can enter an IP address and subnet using either dotted decimal or slash-bit
format. For example you can type either:
set ip 192.168.1.1 255.255.255.0
or
set ip 192.168.1.1/24
The IP address is displayed in the configuration file in dotted decimal format.

Editing the configuration file
You can change the FortiGate configuration by backing up the configuration file to
a TFTP server. Then you can make changes to the file and restore it to the
FortiGate unit.
1 Use the execute backup config command to back up the configuration file to
a TFTP server.

2 Edit the configuration file using a text editor.
Related commands are listed together in the configuration file. For instance, all
the system commands are grouped together, all the antivirus commands are
grouped together and so on. You can edit the configuration by adding, changing or
deleting the CLI commands in the configuration file.
The first line of the configuration file contains information about the firmware
version and FortiGate model. Do not edit this line. If you change this information
the FortiGate unit will reject the configuration file when you attempt to restore it.
3 Use the execute restore config command to copy the edited configuration
file back to the FortiGate unit.
The FortiGate unit receives the configuration file and checks to make sure the
firmware version and model information is correct. If it is, the FortiGate unit loads
the configuration file and checks each command for errors. If the FortiGate unit
finds an error, an error message is displayed after the command and the
command is rejected. Then the FortiGate unit restarts and loads the new
configuration.
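Before restoring an edited file, it is worth checking it for passwords that were typed in clear text while editing (the unit only stores the ENC form described under Encrypted password support once it has processed the value). The following Python script is an added example, not code from the reference: it tokenizes lines using the quoting rules from Entering spaces in strings and Entering quotation marks in strings, walks the config/edit/next/end nesting, and reports every set password that is not in the ENC <blob> form. The sample configuration text is constructed for the demonstration.

```python
"""Audit an edited FortiGate-style configuration file before restoring it.
Added example, not code from the FortiGate CLI Reference: only the quoting
rules, the config/edit/next/end nesting and the 'set password ENC <blob>'
form follow the reference; the sample text below is constructed."""


def tokenize(line):
    """Split one CLI line into tokens using the CLI quoting rules: "..." or
    '...' groups a value containing spaces, and a backslash escapes the next
    character (\\" \\' \\\\ and "\\ " for a literal space)."""
    tokens, cur, quote, in_token, i = [], [], None, False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):  # escaped character
            cur.append(line[i + 1])
            in_token = True
            i += 2
            continue
        if quote:                              # inside "..." or '...'
            if ch == quote:
                quote = None
            else:
                cur.append(ch)
        elif ch in "\"'":
            quote, in_token = ch, True
        elif ch.isspace():
            if in_token:
                tokens.append("".join(cur))
                cur, in_token = [], False
        else:
            cur.append(ch)
            in_token = True
        i += 1
    if quote:
        raise ValueError("unterminated quote: %r" % line)
    if in_token:
        tokens.append("".join(cur))
    return tokens


def parse_settings(text):
    """Walk the config/edit/next/end nesting and return one
    (lineno, path, key, values) tuple per 'set' line; path is the tuple of
    enclosing 'config ...' and 'edit ...' blocks."""
    stack, records = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        toks = tokenize(raw)
        if not toks:
            continue
        cmd, args = toks[0], toks[1:]
        if cmd in ("config", "edit"):
            stack.append(cmd + " " + " ".join(args))
        elif cmd == "next":
            if not stack or not stack[-1].startswith("edit "):
                raise ValueError("line %d: 'next' outside an edit block" % lineno)
            stack.pop()
        elif cmd == "end":
            # 'end' also closes an edit block that was not closed by 'next'
            while stack and stack[-1].startswith("edit "):
                stack.pop()
            if not stack:
                raise ValueError("line %d: 'end' with no open block" % lineno)
            stack.pop()
        elif cmd == "set" and args:
            records.append((lineno, tuple(stack), args[0], args[1:]))
        # 'unset', the version header line and anything else carry no values
    if stack:
        raise ValueError("unterminated blocks: %r" % stack)
    return records


def find_cleartext_passwords(text):
    """Return (lineno, path, values) for each 'set password' whose value is
    not stored as 'ENC <blob>', i.e. was typed in clear text into the file."""
    findings = []
    for lineno, path, key, values in parse_settings(text):
        if key == "password" and not (len(values) == 2 and values[0] == "ENC"):
            findings.append((lineno, " / ".join(path), values))
    return findings


# Constructed sample: one password already encrypted by the unit, two more
# entered in clear text while the file was edited offline.
SAMPLE_CONFIG = """\
config system admin
    edit "user1"
        set accprofile "prof_admin"
        set password ENC XXNFKpSV3oIVk
    next
    edit admin2
        set password hardtoguess
    next
    edit Security\\ Administrator
        set password 'pass word'
    next
end
"""

if __name__ == "__main__":
    for lineno, path, values in find_cleartext_passwords(SAMPLE_CONFIG):
        print("line %d: %s stores a clear-text password" % (lineno, path))
```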

Setting screen paging
Using the config system console command, you can configure the display to
pause when the screen is full. This is convenient for viewing the lengthy output of
a command such as get system global.
When the display pauses, the bottom line of the console displays --More--. You
can then do one of the following:
• Press the spacebar to continue.
• Press Q to end the display. One more line of output is displayed, followed by
the shell prompt.
To set paged output, enter the following command:
config system console
set output more
end

Changing the baud rate
Using set baudrate in the config system console shell, you can change
the default console connection baud rate.

Note: Changing the default baud rate is available for FortiGate units with BIOS 3.03 and
higher and FortiOS version 2.50 and higher.

Using Perl regular expressions
Some FortiGate features, such as spam filtering and web content filtering can use
either wildcards or Perl regular expressions.
See http://perldoc.perl.org/perlretut.html for detailed information about using Perl
regular expressions.

Some differences between regular expression and wildcard pattern matching
In Perl regular expressions, the '.' character refers to any single character. It is similar
to the '?' character in wildcard pattern matching. As a result:
• fortinet.com not only matches fortinet.com but also matches
fortinetacom, fortinetbcom, fortinetccom and so on.
To match a special character such as '.' and '*', regular expressions use the '\'
escape character. For example:
• To match fortinet.com, the regular expression should be
fortinet\.com.
In Perl regular expressions, '*' means match 0 or more times of the character
before it, not 0 or more times of any character. For example:
• forti*\.com matches fortiiii.com but does not match fortinet.com.
To match any character 0 or more times, use '.*' where '.' means any character
and the '*' means 0 or more times. For example:
• the wildcard match pattern forti*.com is equivalent to the regular
expression forti.*\.com.

Word boundary
In Perl regular expressions, the pattern does not have an implicit word boundary.
For example, the regular expression “test” not only matches the word “test” but
also matches any word that contains the word “test” such as “atest”, “mytest”,
“testimony”, “atestb”. The notation “\b” specifies the word boundary. To match
exactly the word “test”, the expression should be \btest\b.

Case sensitivity
Regular expression pattern matching is case sensitive in the Web and Spam
filters. To make a word or phrase case insensitive, use the regular expression /i.
For example, /bad language/i will block all instances of “bad language”
regardless of case.
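The differences above (unescaped '.', '*' repeating only the preceding character, no implicit word boundary, case sensitivity) and the /i and \x notation from Table 4, worked through as an added example that is not part of the reference. Python's re module accepts the same syntax for these constructs; the helpers wildcard_to_regex, compile_perl (which accepts Perl's /body/flags notation so /bad language/i can be tried as written) and whole_word are this example's own, not FortiGate features.

```python
"""Perl-style pattern behaviour described in the FortiGate CLI Reference,
demonstrated with Python's re module (same syntax for these constructs).
Added example, not code from the reference; wildcard_to_regex, compile_perl
and whole_word are helpers written for this demonstration."""
import re


def wildcard_to_regex(pattern):
    """Translate a wildcard pattern into the equivalent regular expression:
    '?' becomes '.', '*' becomes '.*', and every other metacharacter ('.' in
    particular) is escaped, so forti*.com becomes forti.*\\.com."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def compile_perl(pattern):
    """Compile either a bare pattern or Perl's /body/flags form. Only the
    flags the reference mentions are honoured: i (case insensitive) and
    x (ignore white space that is neither escaped nor in a class)."""
    m = re.fullmatch(r"/(.*)/([ix]*)", pattern, re.DOTALL)
    if not m:
        return re.compile(pattern)
    body, flags = m.groups()
    opts = 0
    if "i" in flags:
        opts |= re.IGNORECASE
    if "x" in flags:
        opts |= re.VERBOSE
    return re.compile(body, opts)


def matches(pattern, text):
    """True if pattern matches anywhere in text. As in the filters, there
    is no implicit anchor or word boundary: 'test' matches 'testimony'."""
    return compile_perl(pattern).search(text) is not None


def whole_word(word):
    """Wrap a literal word in \\b...\\b so that only the exact word matches."""
    return r"\b" + re.escape(word) + r"\b"


def demo():
    """Each statement from the reference as (pattern, text, expected);
    returns the cases whose observed result disagrees with the expectation,
    so an empty list means every statement holds."""
    cases = [
        # unescaped '.' is any single character, like the wildcard '?'
        ("fortinet.com", "fortinetacom", True),
        (r"fortinet\.com", "fortinetacom", False),
        (r"fortinet\.com", "fortinet.com", True),
        # '*' repeats only the character before it
        (r"forti*\.com", "fortiiii.com", True),
        (r"forti*\.com", "fortinet.com", False),
        # wildcard forti*.com is the regular expression forti.*\.com
        (wildcard_to_regex("forti*.com"), "fortinet.com", True),
        (wildcard_to_regex("forti?net.com"), "fortiXnet.com", True),
        (wildcard_to_regex("forti?net.com"), "fortiXnetacom", False),
        # no word boundary unless \b is written
        ("test", "testimony", True),
        (whole_word("test"), "testimony", False),
        (whole_word("test"), "a test b", True),
        # case sensitive unless /i is used
        ("bad language", "BAD Language", False),
        ("/bad language/i", "BAD Language", True),
    ]
    return [(p, t) for p, t, want in cases if matches(p, t) != want]


if __name__ == "__main__":
    print("mismatches:", demo())
```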

Table 4: Perl regular expression examples

Expression   Matches
abc          abc (that exact character sequence, but anywhere in the string)
^abc         abc at the beginning of the string
abc$         abc at the end of the string
a|b          either of a and b
^abc|abc$    the string abc at the beginning or at the end of the string
ab{2,4}c     an a followed by two, three or four b's followed by a c
ab{2,}c      an a followed by at least two b's followed by a c
ab*c         an a followed by any number (zero or more) of b's followed by a c
ab+c         an a followed by one or more b's followed by a c
ab?c         an a followed by an optional b followed by a c; that is, either abc or ac
a.c          an a followed by any single character (not newline) followed by a c
a\.c         a.c exactly
[abc]        any one of a, b and c
[Aa]bc       either of Abc and abc
[abc]+       any (nonempty) string of a's, b's and c's (such as a, abba, acbabcacaa)
[^abc]+      any (nonempty) string which does not contain any of a, b and c (such as defg)
\d\d         any two decimal digits, such as 42; same as \d{2}
/i           makes the pattern case insensitive. For example, /bad language/i blocks any instance of "bad language" regardless of case.
\w+          a "word": a nonempty sequence of alphanumeric characters and low lines (underscores), such as foo and 12bar8 and foo_1
100\s*mk     the strings 100 and mk optionally separated by any amount of white space (spaces, tabs, newlines)
abc\b        abc when followed by a word boundary (e.g. in abc! but not in abcd)
perl\B       perl when not followed by a word boundary (e.g. in perlert but not in perl stuff)
\x           tells the regular expression parser to ignore white space that is neither backslashed nor within a character class. You can use this to break up your regular expression into (slightly) more readable parts.

Working with virtual domains
By default, the FortiGate unit has one virtual domain (root) and one administrator (admin) with
unrestricted access to the system configuration. If you enable virtual domain configuration, the super
admin account can also:
• Use the vdom command to create and configure additional virtual domains.
• Use the global command to create and assign administrators to each virtual domain.
• Use the global command to configure features that apply to all virtual domains.
This section contains the following topics:

Enabling virtual domain configuration
Accessing commands in virtual domain configuration
Creating and configuring VDOMs
Configuring inter-VDOM routing
Changing the management VDOM
Creating VDOM administrators
Troubleshooting ARP traffic on VDOMs
global
vdom

Enabling virtual domain configuration
The administrators with the super_admin profile can enable virtual domain configuration through either
the web-based manager or the CLI. In the CLI, use the following command:
config system global
set vdom-admin enable
end
Log off and then log on again with a super_admin admin account. By default, there is no password for
the default admin account.

Accessing commands in virtual domain configuration
When you log in as admin with virtual domain configuration enabled, you have only four top-level
commands:

config global       Enter config global to access global commands.
                    In the global shell, you can execute commands that affect all virtual domains, such as
                    config system autoupdate.
                    For a list of the global commands, see "global" on page 57.
config vdom         Enter config vdom to access VDOM-specific commands.
                    In the vdom shell, use the edit <vdom_name> command to create a new VDOM or to
                    edit the configuration of an existing VDOM.
                    In the <vdom_name> shell, you can execute commands to configure options that apply
                    only within the VDOM, such as config firewall policy.
                    For a list of VDOM-specific commands, see "vdom" on page 60.
                    When you have finished, enter next to edit another vdom, or end.
get system status   System status. See "vdom-link" on page 449.
exit                Log off.

Creating and configuring VDOMs
When virtual domain configuration is enabled, admin has full access to the global FortiGate unit
configuration and to the configuration of each VDOM. All of the commands described in this Reference
are available to admin, but they are accessed through a special top-level command shell.

Creating a VDOM
You create a new VDOM using the config vdom command. For example, to create a new VDOM
called vdomain2, you enter the following:
config vdom
edit vdomain2
end
This creates a new VDOM operating in NAT/Route mode. You can have up to 10 VDOMs on your
FortiGate unit by default.
For this VDOM to be useful, you need to assign interfaces or VLAN subinterfaces to it.

Assigning interfaces to a VDOM
By default, all interfaces belong to the root domain. You can reassign an interface or VLAN
subinterface to another VDOM if the interface is not already used in a VDOM-specific configuration
such as a firewall policy. Interfaces are part of the global configuration of the FortiGate unit, so only the
admin account can configure them.
For example, to assign port3 and port4 to vdomain2, log on as admin and enter the following
commands:
config global
config system interface
edit port3
set vdom vdomain2
next
edit port4
set vdom vdomain2
end
end

Setting VDOM operating mode
When you create a VDOM, its default operating mode is NAT/Route. You can change the operating
mode of each VDOM independently.

Changing to Transparent mode
When you change the operating mode of a VDOM from NAT/Route to Transparent mode, you must
specify the management IP address and the default gateway IP address. The following example
shows how to change vdomain2 to Transparent mode. The management IP address is
192.168.10.100, and the default gateway is 192.168.10.1:
config vdom
edit vdomain2
config system settings
set opmode transparent
set manageip 192.168.10.100 255.255.255.0
set gateway 192.168.10.1
end
end

For more information, see “system settings” on page 440.

Changing back to NAT/Route mode
If you change a Transparent mode VDOM back to NAT/Route mode, you must specify which interface
you will use for administrative access and the IP address for that interface. This ensures that
administrative access is configured on the interface. You must also specify the default gateway IP
address and the interface that connects to the gateway. For example:
config vdom
edit vdomain3
config system settings
set opmode nat
end
config system interface
edit port1
set ip 192.168.10.100 255.255.255.0
end
end
For more information, see “system settings” on page 440.

Configuring inter-VDOM routing


By default, VDOMs are independent of each other and to communicate they need to use physical
interfaces that are externally connected. By using the vdom-link command that was added in
FortiOS v3.0, this connection can be moved inside the FortiGate unit, freeing up the physical
interfaces. This feature also allows you to determine the level of inter-VDOM routing you want: only two
VDOMs interconnected, or all VDOMs interconnected. The vdom-link command creates virtual
interfaces, so you have access to all the security available to physical interface connections. These
internal interfaces have the added bonus of being faster than the physical interfaces unless the CPU load is
very heavy. As of FortiOS v3.0 MR3, BGP is supported over inter-VDOM links.
In this example you have already configured two VDOMs called v1 and v2. You want to set up a link
between them. The following command creates the VDOM link called v12_link. Once you have the link
in place, you need to bind the two ends of the link to the VDOMs it will be connecting. Then you are
free to apply firewall policies or other security measures.
config global
config system vdom-link
edit v12_link
end
config system interface
edit v12_link0
set vdom v1
next
edit v12_link1
set vdom v2
next
end
Note: When you are naming VDOM links you are limited to 8 characters for the base name. In the
example above, the link name v12_link is correct, but a link name of v12_verylongname is too
long.

To remove the vdom-link, delete the vdom-link. You will not be able to delete the ends of the vdom-link
by themselves. To delete the above setup, enter:
config global
config system vdom-link
delete v12_link
end
Note: In an HA setup with virtual clusters, inter-VDOM routing must be entirely within one cluster. You
cannot create links between virtual clusters, and you cannot move a VDOM that is linked into another
virtual cluster. In HA mode with multiple vclusters, when you create the vdom-link in system vdom-link
there is an option to set which vcluster the link will be in.

Before inter-VDOM routing, VDOMs were completely separate entities. Now, many new configurations
are available such as a service provider configuration (a number of VDOMs that go through one main
VDOM to access the internet) or a mesh configuration (where some or all VDOMs are connected to
some or all other VDOMs). These configurations are discussed in depth in the FortiGate VLANs and
VDOMs Guide.

Changing the management VDOM
All management traffic leaves the FortiGate unit through the management VDOM. Management traffic
includes all external logging, remote management, and other Fortinet services. By default the
management VDOM is root. You can change this to another VDOM so that the traffic will leave your
FortiGate unit over the new VDOM.
You cannot change the management VDOM if any administrators are using RADIUS authentication.
If you want to change the management VDOM to vdomain2, you enter:
config global
config system global
set management-vdom vdomain2
end

Creating VDOM administrators
The super_admin admin accounts can create regular administrators and assign them to VDOMs. The
system admin command, when accessed by admin, includes a VDOM assignment.
For example, to create an administrator, admin2, for VDOM vdomain2 with the default profile
prof_admin, you enter:
config global
config system admin
edit admin2
set accprofile prof_admin
set password hardtoguess
set vdom vdomain2
end
The admin2 administrator account can only access the vdomain2 VDOM and can connect only through
an interface that belongs to that VDOM. The VDOM administrator can access only VDOM-specific
commands, not global commands.

Troubleshooting ARP traffic on VDOMs
Address Resolution Protocol (ARP) traffic is vital to communication on a network and is enabled on
FortiGate interfaces by default. Normally you want ARP packets to pass through the FortiGate unit,
especially if it is sitting between a client and a server or between a client and a router.

Duplicate ARP packets
ARP traffic can cause problems, especially in Transparent mode where ARP packets arriving on one
interface are sent to all other interfaces, including VLAN subinterfaces. Some Layer 2 switches
become unstable when they detect the same MAC address originating on more than one switch
interface or from more than one VLAN. This instability can occur if the Layer 2 switch does not
maintain separate MAC address tables for each VLAN. Unstable switches may reset causing network
traffic to slow down.

Multiple VDOMs solution
One solution is to configure multiple VDOMs on the FortiGate unit, one for each VLAN. This means
one inbound and one outbound VLAN interface in each virtual domain. ARP packets are not forwarded
between VDOMs.
By default, physical interfaces are in the root domain. Do not configure any of your VLANs in the root
domain.
As a result of this VDOM configuration, the switches do not receive multiple ARP packets with the
same source MAC but different VLAN IDs, and the instability does not occur.

Forward-domain solution
You may run into problems using the multiple VDOMs solution. It is possible that you have more
VLANs than licensed VDOMs, not enough physical interfaces or your configuration may work better by
grouping some VLANs together. In these situations the separate VDOMs solution may not work for
you.
In these cases, the solution is to use the forward-domain <collision_group_number> command. This
command tags VLAN traffic as belonging to a particular forward-domain collision group, and only
VLANs tagged as part of that collision group receive that traffic. By default ports and VLANs are part of
forward-domain collision group 0. For more information, see the FortiGate VLANs and VDOMs Guide.
This solution has several benefits: reduced administration, fewer physical interfaces in use, and more
flexible network designs.
In the following example, forward-domain collision group 340 includes VLAN 340 traffic on Port1 and
untagged traffic on Port2. Forward-domain collision group 341 includes VLAN 341 traffic on Port1 and
untagged traffic on Port3. All other ports are part of forward-domain collision group 0 by default.
These are the CLI commands to accomplish this setup.
config system interface
edit "port1"
next
edit "port2"
set forward_domain 340
next
edit "port3"
set forward_domain 341
next
edit "port1-340"
set forward_domain 340
set interface "port1"
set vlanid 340
next
edit "port1-341"
set forward_domain 341
set interface "port1"
set vlanid 341
next
end
There is a more detailed discussion of this issue in the Asymmetric Routing and Other FortiGate Layer-
2 Installation Issues technical note.

global
From the super_admin accounts, use this command to configure features that apply to all virtual
domains. Virtual domain configuration (vdom-admin) must be enabled. See “system global” on
page 350.

Syntax
This command syntax shows how you access the commands within config global. For information on
these commands, refer to the relevant sections in this Reference.
config global
config antivirus ...
config firewall service
config gui console
config imp2p ...
config ips ...
config log fortianalyzer setting
config log report definition
config log report filter
config log report output
config log report period
config log report schedule
config log report scope
config log report selection
config log syslogd setting
config log webtrends setting
config spamfilter ...
config system accprofile
config system admin
config system alertemail
config system auto-install
config system autoupdate clientoverride
config system autoupdate override
config system autoupdate push-update
config system autoupdate schedule
config system autoupdate tunneling
config system bug-report
config system console
config system dns
config system fortianalyzer, fortianalyzer2, fortianalyzer3
config system fortiguard
config system gi-gk (FortiOS Carrier)
config system global
config system ha
config system interface
config system replacemsg admin
config system replacemsg alertmail
config system replacemsg auth
config system replacemsg fortiguard-wf
config system replacemsg ftp
config system replacemsg http
config system replacemsg im
config system replacemsg mail
config system replacemsg mm1 (FortiOS Carrier)
config system replacemsg mm3 (FortiOS Carrier)
config system replacemsg mm4 (FortiOS Carrier)
config system replacemsg mm7 (FortiOS Carrier)
config system replacemsg nntp
config system replacemsg spam
config system replacemsg sslvpn
config system replacemsg-group (FortiOS Carrier)
config system replacemsg-image (FortiOS Carrier)
config system session-helper
config system session-sync
config system snmp community
config system snmp sysinfo
config system vdom-link
config user dynamic-profile (FortiOS Carrier)
config vpn certificate ca
config vpn certificate crl
config vpn certificate local
config vpn certificate remote
config webfilter fortiguard
execute backup
execute batch
execute central-mgmt
execute cfg reload
execute cfg save
execute cli
execute date
execute deploy
execute dhcp lease-list
execute disconnect-admin-session
execute factoryreset
execute formatlogdisk
execute fsae refresh
execute ha disconnect
execute ha manage
execute ha synchronize
execute log delete-all
execute log delete-filtered
execute log delete-rolled
execute log display
execute log filter
execute log list
execute log roll
execute reboot
execute restore
execute set-next-reboot
execute shutdown
execute time
execute update-av
execute update-ips
execute update-now
execute usb-disk
execute vpn certificate ...
get firewall vip ...
end

History
FortiOS v3.0 New.
FortiOS v3.0 MR1 Added vdom-link, vpn, webfilter, execute backup, batch, dhcp lease-client, dhcp lease-
list, fsae refresh, restore, telnet, and traceroute.
FortiOS v3.0 MR5 Added config firewall service, gui console, system console, system fortiguard, system
replacemsg admin/alertemail/auth/nntp, vpn certificate crl/local/remote, execute
central-mgmt, execute cfg ..., execute update-ips, and execute update-now.
FortiOS v3.0 MR6 Added config system session-sync, expanded command to vpn
certificate .... Removed vpn sslvpn.

Related topics
• vdom

vdom
From the super admin account, use this command to add and configure virtual domains. The number
of virtual domains you can add is dependent on the FortiGate model. Virtual domain configuration
(vdom-admin) must be enabled. See “system global” on page 350.
Once you add a virtual domain you can configure it by adding zones, firewall policies, routing settings,
and VPN settings. You can also move physical interfaces from the root virtual domain to other virtual
domains and move VLAN subinterfaces from one virtual domain to another.
By default all physical interfaces are in the root virtual domain. You cannot remove an interface from a
virtual domain if the interface is part of any of the following configurations:
• routing
• proxy arp
• DHCP server
• zone
• firewall policy
• IP pool
• redundant pair
• link aggregate (802.3ad) group
Delete these items or modify them to remove the interface first.
You cannot delete the default root virtual domain and you cannot delete a virtual domain that is used
for system management.

Syntax
This command syntax shows how you access the commands within config vdom. Refer to the relevant
sections in this Reference for information on these commands.
config vdom
edit <vdom_name>
config antivirus
config firewall address, address6
config firewall addrgrp, addrgrp6
config firewall dnstranslation
config firewall ipmacbinding setting
config firewall ipmacbinding table
config firewall ippool
config firewall multicast-policy
config firewall policy, policy6
config firewall schedule onetime
config firewall schedule recurring
config firewall service custom
config firewall service group
config firewall vip
config gui
config log {disk | fortianalyzer | memory | syslogd | webtrends |
fortiguard} filter
config log fortianalyzer setting
config log memory setting
config log trafficfilter
config router ...
config system admin
config system arp-table
config system dhcp reserved-address
config system dhcp server
config system gre-tunnel
config system interface
config system ipv6-tunnel
config system proxy-arp
config system session-ttl
config system settings
config system zone
config user adgrp
config user fsae
config user group
config user ldap
config user local
config user msisdn-bwl (FortiOS Carrier)
config user msisdn-translation (FortiOS Carrier)
config user peer
config user peergrp
config user radius
config vpn ...
execute backup
execute date
execute deploy
execute dhcp lease-list
execute disconnect-admin-session
execute fsae refresh
execute ha disconnect
execute ha manage
execute ha synchronize
execute log delete-all
execute log delete-filtered
execute log delete-rolled
execute log display
execute log filter
execute log list
execute log roll
execute ping
execute ping-options
execute ping6
execute reboot
execute restore
execute router clear bgp
execute router clear ospf process
execute router restart
execute set-next-reboot
execute traceroute
execute usb-disk
execute vpn sslvpn del-tunnel
next
edit <another_vdom>
config ...
execute ...
end

end
Variable / Description / Default

edit <vdom_name>
    Enter a new name to create a new VDOM. Enter an existing VDOM name to configure that VDOM. The VDOM you enter becomes the current VDOM. A VDOM cannot have the same name as a VLAN. A VDOM name cannot exceed 11 characters in length.

Note: The VDOM names vsys_ha and vsys_fgfm are in use by the FortiGate unit. If you attempt to
name a new VDOM vsys_ha or vsys_fgfm it will generate an error.

Note: Use config system settings set opmode {nat | transparent} to set the operation
mode for this VDOM to nat (NAT/Route) or transparent.

Example
This example shows how to add a virtual domain called Test1.
config system vdom
edit Test1
end

History
FortiOS v3.0 New.
FortiOS v3.0 MR1 Added system admin, interface, ipv6-tunnel commands. Added batch, date, reboot, execute router clear ospf process commands. Removed log fortianalyzer, log syslogd, log webtrends, router graceful-restart commands.
FortiOS v3.0 MR1 Added system setting multicast-forward and multicast-ttl-notchange.
FortiOS v3.0 MR5 Removed config alertemail, and execute batch.
Added config gui, system arp-table, system proxy-arp, all of system settings.

Related topics
• global

alertemail
Use alertemail commands to configure the FortiGate unit to monitor logs for log messages with
certain severity levels. If such a message appears in the logs, the FortiGate unit sends an email
containing the log message to one or more predefined recipients. Alert emails provide immediate
notification of issues occurring on the FortiGate unit, such as system failures or network attacks.
By default, the alertemail commands do not appear if no SMTP server is configured. An SMTP
server is configured using the system alertemail commands. See “system alertemail” on page 321 for
more information.
When configuring an alert email, you must configure at least one DNS server. The FortiGate unit uses
the SMTP server name to connect to the mail server and must look up this name on your DNS server.
See “dns” on page 339 for more information about configuring DNS servers.
This chapter contains the following section:

setting

setting
Use this command to configure the FortiGate unit to send an alert email to up to three recipients. This
command can also be configured to send an alert email a certain number of days before the FDS
license expires and/or when the disk usage exceeds a certain threshold amount. You need to configure
an SMTP server before configuring alert email settings. See “system alertemail” on page 321 for more
information.

Note: The FortiGate unit must be able to look up the SMTP server name on your DNS server because the
FortiGate unit uses the SMTP server to connect to the mail server. See “system dns” on page 339 for more
information.

Syntax
config alertemail setting
set username <user-name-str>
set mailto1 <email-address-str>
set mailto2 <email-address-str>
set mailto3 <email-address-str>
set filter-mode <category> <threshold>
set email-interval <minutes-integer>
set severity {alert | critical | debug | emergency | error |
information | notification | warning}
set emergency-interval <minutes-integer>
set alert-interval <minutes-integer>
set critical-interval <minutes-integer>
set error-interval <minutes-integer>
set warning-interval <minutes-integer>
set notification-interval <minutes-integer>
set information-interval <minutes-integer>
set debug-interval <minutes-integer>
set IPS-logs {disable | enable}
set firewall-authentication-failure-logs {disable | enable}
set HA-logs {enable | disable}
set IPsec-error-logs {disable | enable}
set FDS-update-logs {disable | enable}
set PPP-errors-logs {disable | enable}
set sslvpn-authentication-errors-logs {disable | enable}
set antivirus-logs {disable | enable}
set webfilter-logs {disable | enable}
set configuration-changes-logs {disable | enable}
set violation-traffic-logs {disable | enable}
set admin-login-logs {disable | enable}
set local-disk-usage-warning {disable | enable}
set FDS-license-expiring-warning {disable | enable}
set FDS-license-expiring-days <integer>
set local-disk-usage <percentage>
set fortiguard-log-quota-warning
end

Keywords and variables / Description / Default

username <user-name-str>
    Enter a valid email address in the format user@domain.com. This address appears in the From header of the alert email.
    Default: No default.
mailto1 <email-address-str>
    Enter an email address. This is one of the email addresses where the FortiGate unit sends an alert email.
    Default: No default.
mailto2 <email-address-str>
    Enter an email address. This is one of the email addresses where the FortiGate unit sends an alert email.
    Default: No default.
mailto3 <email-address-str>
    Enter an email address. This is one of the email addresses where the FortiGate unit sends an alert email.
    Default: No default.
filter-mode <category> <threshold>
    Enter category or threshold to set the filter mode of the alert email. The following keywords only display when threshold is entered:
    • emergency-interval
    • alert-interval
    • critical-interval
    • error-interval
    • warning-interval
    • notification-interval
    • information-interval
    • debug-interval
    Default: category
email-interval <minutes-integer>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email. This is not available when filter-mode threshold is enabled.
    Default: 5
emergency-interval <minutes-integer>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email for emergency level messages. Only available when filter-mode threshold is entered.
    Default: 1
alert-interval <minutes-integer>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email for alert level messages. Only available when filter-mode threshold is entered.
    Default: 2
critical-interval <minutes-integer>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email for critical level messages. Only available when filter-mode threshold is entered.
    Default: 3
error-interval <minutes-integer>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email for error level messages. Only available when filter-mode threshold is entered.
    Default: 5
warning-interval <minutes-integer>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email for warning level messages. Only available when filter-mode threshold is entered.
    Default: 10
notification-interval <minutes-integer>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email for notification level messages. Only available when filter-mode threshold is entered.
    Default: 20
information-interval <minutes-integer>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email for information level messages. Only available when filter-mode threshold is entered.
    Default: 30
debug-interval <minutes-integer>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email for debug level messages. Only available when filter-mode threshold is entered.
    Default: 60

severity {alert | critical | debug | emergency | error | information | notification | warning}
    Select the logging severity level. This is only available when filter-mode threshold is entered. The FortiGate unit logs all messages at and above the logging severity level you select. For example, if you select error, the unit logs error, critical, alert, and emergency level messages.
    alert – Immediate action is required.
    critical – Functionality is affected.
    debug – Information used for diagnosing or debugging the FortiGate unit.
    emergency – The system is unusable.
    error – An erroneous condition exists and functionality is probably affected.
    information – General information about system operations.
    notification – Information about normal events.
    warning – Functionality might be affected.
    Default: alert
IPS-logs {disable | enable}
    Enable or disable IPS logs.
    Default: disable
firewall-authentication-failure-logs {disable | enable}
    Enable or disable firewall authentication failure logs.
    Default: disable
HA-logs {enable | disable}
    Enable or disable high availability (HA) logs.
    Default: disable
IPsec-error-logs {disable | enable}
    Enable or disable IPSec error logs.
    Default: disable
FDS-update-logs {disable | enable}
    Enable or disable FDS update logs.
    Default: disable
PPP-errors-logs {disable | enable}
    Enable or disable PPP error logs.
    Default: disable
sslvpn-authentication-errors-logs {disable | enable}
    Enable or disable SSL VPN authentication error logs.
    Default: disable
antivirus-logs {disable | enable}
    Enable or disable antivirus logs.
    Default: disable
webfilter-logs {disable | enable}
    Enable or disable web filter logs.
    Default: disable
configuration-changes-logs {disable | enable}
    Enable or disable configuration changes logs.
    Default: disable
violation-traffic-logs {disable | enable}
    Enable or disable traffic violation logs.
    Default: disable
admin-login-logs {disable | enable}
    Enable or disable admin login logs.
    Default: disable
local-disk-usage-warning {disable | enable}
    Enable or disable the local disk usage warning. The threshold is a percentage (see local-disk-usage); for example, enter 15 for a warning when local disk usage is at 15 percent. The number cannot be 0 or 100.
    Default: disable
FDS-license-expiring-warning {disable | enable}
    Enable or disable an email notification of the expiry date of the FDS license.
    Default: disable
FDS-license-expiring-days <integer>
    Enter the number of days before the FDS license expires at which to be notified by email. For example, if you want notification five days in advance, enter 5.
    Default: 15

local-disk-usage <percentage>
    Enter the local disk usage percentage above which an alert email is sent.
    Default: 75
fortiguard-log-quota-warning
    Enter to receive an alert email when the FortiGuard Log & Analysis server reaches its quota.
    Default: disable

Examples
This example shows how to configure the user name, add three email addresses to send alerts to,
and select which types of log messages, such as HA and antivirus, the alert emails will contain.
config alertemail setting
set username fortigate@ourcompany.com
set mailto1 admin1@ourcompany.com
set mailto2 admin2@ourcompany.com
set mailto3 admin3@ourcompany.com
set filter-mode category
set HA-logs enable
set FDS-update-logs enable
set antivirus-logs enable
set webfilter-logs enable
set admin-login-logs enable
set violation-traffic-logs enable
end
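
The severity rule in the keyword table ("all messages at and above the logging severity level you select") and the per-severity wait intervals of filter-mode threshold are easy to misread, so here is a small Python model of them. This is an added example, not code from the FortiGate CLI Reference or from FortiOS; the severity order and the default intervals are taken from the table above, and the sample log lines are constructed for the demonstration.

```python
"""Added example (not part of the FortiGate CLI Reference): models the
alertemail filter-mode threshold behaviour. A message is emailed only if it
is at or above the configured severity, and each severity has its own wait
interval between emails. Sample log lines are constructed, not real output."""

from dataclasses import dataclass, field

# Severity names as used by 'set severity', most severe first.
SEVERITY_ORDER = [
    "emergency", "alert", "critical", "error",
    "warning", "notification", "information", "debug",
]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

# Default per-severity intervals in minutes, from the keyword table.
DEFAULT_INTERVALS = {
    "emergency": 1, "alert": 2, "critical": 3, "error": 5,
    "warning": 10, "notification": 20, "information": 30, "debug": 60,
}


def at_or_above(level: str, threshold: str) -> bool:
    """True when `level` is at or above `threshold`; a threshold of error
    keeps error, critical, alert and emergency, as the table says."""
    return RANK[level] <= RANK[threshold]


def select_alert_messages(messages, threshold: str):
    """Return the (severity, text) pairs an alert email would carry."""
    return [(sev, txt) for sev, txt in messages if at_or_above(sev, threshold)]


@dataclass
class ThresholdMailer:
    """Simulates the per-severity send interval: at most one email per
    severity per interval; messages arriving sooner are not sent."""
    threshold: str
    intervals: dict = field(default_factory=lambda: dict(DEFAULT_INTERVALS))
    last_sent: dict = field(default_factory=dict)

    def offer(self, minute: int, severity: str, text: str) -> bool:
        """Return True if an email goes out for this message at `minute`."""
        if not at_or_above(severity, self.threshold):
            return False
        last = self.last_sent.get(severity)
        if last is not None and minute - last < self.intervals[severity]:
            return False  # still inside this severity's wait interval
        self.last_sent[severity] = minute
        return True


# Constructed sample log lines (not real FortiGate log output).
SAMPLE_LOG = [
    ("information", "admin login from 192.0.2.10"),
    ("error", "IPsec phase1 negotiation failed"),
    ("critical", "HA member lost heartbeat"),
    ("debug", "ike packet dump"),
    ("emergency", "disk full, logging stopped"),
]

if __name__ == "__main__":
    for sev, txt in select_alert_messages(SAMPLE_LOG, "error"):
        print(f"{sev:>12}: {txt}")
```

With `set severity error`, only the error, critical and emergency lines of the sample are emailed; the information and debug lines are dropped, and a second error within five minutes of the first is held back by error-interval.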

History
FortiOS v2.80 Substantially revised and expanded.
FortiOS v3.0 Moved authentication, server and password to config system alertemail.
FortiOS v3.0MR2 New keywords added for:
• IPS-logs
• firewall-authentication-failure-logs
• HA-logs
• IPSec-errors-logs
• FDS-update-logs
• PPP-errors-logs
• sslvpn-authentication-errors-logs
• antivirus-logs
• webfilter-logs
• configuration-changes-logs
• violation-traffic-logs
• admin-login-logs
• FDS-license-expiring-warning
• local-disk-usage-warning
• FDS-license-expiring-days
• local-disk-usage
FortiOS 3.0MR4 Added fortiguard-log-quota-warning keyword.

Related topics
• system alertemail
• system dns

antivirus
Use antivirus commands to configure antivirus scanning for services, quarantine options, and to
enable or disable grayware and heuristic scanning.
This chapter contains the following sections:

filepattern
grayware
heuristic
quarantine
quarfilepattern
service

filepattern
Use this command to add, edit or delete the file patterns used for virus blocking and to set which
protocols to check for files to block.
If you need to enter a configuration value that contains a question mark (?), press CTRL-V before
typing the ?. Without CTRL-V, the question mark has a different meaning in the CLI: it shows the
available command options at that point.
For example, if you enter ? without CTRL-V:
edit "*.xe
token line: Unmatched double quote.
If you enter ? with CTRL-V:
edit "*.xe?"
new entry '*.xe?' added

Syntax
config antivirus filepattern
edit <filepattern_list_integer>
set name <filepattern_list>
set comment <filepattern_list_comment>
config entries
edit <filepattern_string>
set action <allow | block | intercept>
set active {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
set file-type {unknown | ignored | activemime | arj | aspack |
base64 | bat | binhex | bzip | bzip2 | cab | com | elf | exe |
fsg | genscript | gzip | hlp | hta | html | javascript | lzh |
mime | msc | msoffice | perlscript | petite | rar | shellscript
| sis | tar | upx | uue | vbs | zip} (FortiOS Carrier)
set filter-type {pattern | type} (FortiOS Carrier)
end
Keywords and variables / Description / Default

<filepattern_list_integer>
    A unique number to identify the file pattern list.
<filepattern_list>
    The name of the file pattern header list.
<filepattern_list_comment>
    The comment attached to the file pattern header list.
<filepattern_string>
    The name of the file pattern being configured. This can be any character string.
action <allow | block | intercept>
    The action taken when a matching file is being transferred via a set active protocol.
    • Select allow to have the FortiGate unit allow matching files.
    • Select block to have the FortiGate unit block matching files.
    • Select intercept to allow matching files, with a copy sent to a quarantine. Note that the store-intercepted command in config antivirus quarantine must also be configured to quarantine intercepted files.
    The intercept action is supported in FortiOS Carrier.
    Default: block
active {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    The action specified will affect the file pattern in the selected protocols. NNTP support for this keyword will be added in the future. MM1, MM3, MM4, and MM7 traffic types are supported in FortiOS Carrier.
    Default: Varies.

file-type {unknown | ignored | activemime | arj | aspack | base64 | bat | binhex | bzip | bzip2 | cab | com | elf | exe | fsg | genscript | gzip | hlp | hta | html | javascript | lzh | mime | msc | msoffice | perlscript | petite | rar | shellscript | sis | tar | upx | uue | vbs | zip} (FortiOS Carrier)
    This command is only available and valid when filter-type is set to type. Select the type of file the file filter will search for. Note that unlike the file pattern filter, this file type filter examines the file contents to determine what type of file it is. The file name and file extension are ignored. Because of the way the file type filter works, renaming files to make them appear to be of a different type will not allow them past the FortiGate unit without detection.
    Two of the available options are not file types:
    • Select unknown to configure a rule affecting every file format the file type filter does not recognize. Unknown includes every file format not available in the file-type command.
    • Select ignored to configure a rule affecting traffic the FortiGate unit typically does not scan. This includes primarily streaming audio and video.
    Default: unknown
filter-type {pattern | type} (FortiOS Carrier)
    Select the file filter detection method.
    • Enter pattern to examine files only by their names. For example, if filter-type is set to pattern and the pattern is *.zip, all files ending in .zip will trigger this file filter. Even files ending in .zip that are not actually ZIP archives will trigger this filter.
    • Enter type to examine files only by their contents. Using the above example, if filter-type is set to type and the type is zip, all ZIP archives will trigger this file filter. Even files renamed with non-zip file extensions will trigger this filter.
    Default: pattern
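
The difference between filter-type pattern and filter-type type is easiest to see by running the two methods over the same files. The following Python script is an added example, not code from the FortiGate CLI Reference or from FortiOS: it matches constructed sample transfers first by name (pattern *.zip) and then by content (type zip), and also shows how the unknown pseudo-type catches formats the content check does not recognize. The magic-byte table is an assumed illustrative subset; the product's own signature list is not on this page.

```python
"""Added example, not code from the FortiGate CLI Reference or FortiOS:
contrasts the two filter-type detection methods. 'pattern' looks only at the
file name, so a renamed archive slips past it and a misnamed plain file
trips it; 'type' inspects content, so the name is irrelevant. The magic-byte
table is an assumed illustrative subset, not the product's signature list."""

import fnmatch

# Assumed leading-byte signatures for the demo (not FortiOS's own list).
MAGIC = {
    "zip": [b"PK\x03\x04"],
    "gzip": [b"\x1f\x8b"],
    "rar": [b"Rar!\x1a\x07"],
    "exe": [b"MZ"],
    "elf": [b"\x7fELF"],
}


def detect_type(data: bytes) -> str:
    """Classify by content; anything unrecognised is 'unknown', mirroring
    the unknown pseudo-type of the file-type keyword."""
    for name, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return name
    return "unknown"


def pattern_matches(filename: str, pattern: str) -> bool:
    """filter-type pattern: case-insensitive wildcard match on the name only."""
    return fnmatch.fnmatchcase(filename.lower(), pattern.lower())


def type_matches(data: bytes, file_type: str) -> bool:
    """filter-type type: content only; name and extension are ignored."""
    return detect_type(data) == file_type


def evaluate(entry: dict, filename: str, data: bytes) -> str:
    """Apply one 'config entries' item; return its action, or 'pass'
    when the entry does not match the file."""
    if entry["filter-type"] == "pattern":
        hit = pattern_matches(filename, entry["pattern"])
    else:
        hit = type_matches(data, entry["file-type"])
    return entry["action"] if hit else "pass"


# Constructed sample transfers: file name -> leading bytes.
SAMPLES = {
    "report.zip": b"PK\x03\x04" + b"\x00" * 26,   # genuine ZIP archive
    "notes.txt": b"Meeting notes\n",              # plain text
    "photo.jpg": b"PK\x03\x04" + b"\x00" * 26,    # ZIP renamed to .jpg
    "empty.zip": b"not really an archive",        # .zip that is not a ZIP
}

# Three entries of the kind described in the keyword table.
PATTERN_RULE = {"filter-type": "pattern", "pattern": "*.zip", "action": "block"}
TYPE_RULE = {"filter-type": "type", "file-type": "zip", "action": "block"}
UNKNOWN_RULE = {"filter-type": "type", "file-type": "unknown", "action": "block"}


def run_rule(rule: dict) -> dict:
    """Return {file name: action} for every sample under one rule."""
    return {name: evaluate(rule, name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for label, rule in [("pattern *.zip", PATTERN_RULE),
                        ("type zip", TYPE_RULE),
                        ("type unknown", UNKNOWN_RULE)]:
        print(label, run_rule(rule))
```

Under the pattern rule, photo.jpg (a ZIP renamed to hide its type) passes while empty.zip (not an archive at all) is blocked; under the type rule the outcomes reverse, which is the point the table makes about renaming. The unknown rule catches exactly the files whose content matches no signature.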

History
FortiOS v2.80 Substantially revised.
FortiOS v3.0 Added IM. Added multiple-list capability for models 800 and above.

Related topics
• antivirus heuristic
• antivirus grayware
• antivirus quarantine
• antivirus quarfilepattern
• antivirus service

grayware
Use this command to enable or disable grayware scanning for the specified category.
Grayware programs are unsolicited commercial software programs that get installed on computers,
often without the user’s consent or knowledge. Grayware programs are generally considered an
annoyance, but these programs can cause system performance problems or be used for malicious
purposes.
The FortiGate unit scans for known grayware executable programs in each category enabled. The
category list and contents are added or updated whenever the FortiGate unit receives a virus update
package. New categories may be added at any time and are loaded with virus updates. By default, all
new categories are disabled.

Adware
    Adware is usually embedded in freeware programs and causes ads to pop up whenever the program is opened or used.
BHO
    BHOs (Browser Helper Objects) are DLL files that are often installed as part of a software package so the software can control the behavior of Internet Explorer 4.x and higher. Not all BHOs are malicious, but the potential exists to track surfing habits and gather other information.
Dial
    Dialers allow others to use the PC modem to call premium numbers or make long distance calls.
Download
    Download components are usually run at Windows startup and are designed to install or download other software, especially advertising and dial software.
Game
    Games are usually joke or nuisance games that may be blocked from network users.
HackerTool
Hijacker
    Browser hijacking occurs when a ‘spyware’ type program changes web browser settings, including favorites or bookmarks, start pages, and menu options.
Joke
    Joke programs can include custom cursors and programs that appear to affect the system.
Keylog
    Keylogger programs can record every keystroke made on a keyboard including passwords, chat, and instant messages.
Misc
    The miscellaneous grayware category.
NMT
    Network management tools can be installed and used maliciously to change settings and disrupt network security.
P2P
    P2P, while a legitimate protocol, is synonymous with file sharing programs that are used to swap music, movies, and other files, often illegally.
Plugin
    Browser plugins can often be harmless Internet browsing tools that are installed and operate directly from the browser window. Some toolbars and plugins can attempt to control or record and send browsing preferences.
RAT
    Remote administration tools allow outside users to remotely change and monitor a computer on a network.
Spy
    Spyware, like adware, is often included with freeware. Spyware is a tracking and analysis program that can report users’ activities, such as web browsing habits, to the advertiser’s web site where it may be recorded and analyzed.
Toolbar
    While some toolbars are harmless, spyware developers can use these toolbars to monitor web habits and send information back to the developer.

Grayware scanning is enabled in a protection profile when Virus Scan is enabled.

Syntax
config antivirus grayware <category_name_str>
set status {enable | disable}
end

Note: The FortiGate CLI is case sensitive and the first letter of all grayware category names is uppercase.

Keywords and variables / Description / Default

<category_name_str>
    The grayware category being configured.
status {enable | disable}
    Enable or disable grayware scanning for the specified category.
    Default: disable

Example
This example shows how to enable grayware scanning for Adware programs.
config antivirus grayware Adware
set status enable
end

History

FortiOS v2.80 New.

Related topics
• antivirus filepattern
• antivirus heuristic
• antivirus quarantine
• antivirus quarfilepattern
• antivirus service
• system autoupdate schedule
• execute update-av

heuristic
Use this command to configure heuristic scanning for viruses in binary files.

Syntax
config antivirus heuristic
set mode {pass | block | disable}
end
Keywords and variables / Description / Default

mode {pass | block | disable}
    Enter pass to enable heuristics but pass detected files to the recipient. Suspicious files are quarantined if quarantine is enabled.
    Enter block to enable heuristics and block detected files. A replacement message is forwarded to the recipient. Blocked files are quarantined if quarantine is enabled.
    Enter disable to disable heuristics.
    Default: pass

Example
This example shows how to disable heuristic scanning.
config antivirus heuristic
set mode disable
end

History

FortiOS v2.80 New.

Related topics
• antivirus filepattern
• antivirus quarantine
• antivirus quarfilepattern
• antivirus service

quarantine
Use this command to set file quarantine options.
FortiGate units with a local disk can quarantine blocked and infected files. The quarantined files are
removed from the content stream and stored on the FortiGate local disk. Users receive a message
informing them that the removed files have been quarantined.
FortiGate units that do not have a local disk can quarantine blocked and infected files to a
FortiAnalyzer unit.
View the file names and status information about the file in the quarantined file list. Submit specific files
and add file patterns to the autoupload list so they are automatically uploaded to Fortinet for analysis.

Syntax
config antivirus quarantine
set agelimit <hours_integer>
set drop-blocked {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
set drop-heuristic {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
set drop-infected {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
set drop-intercepted {ftp http imap mm1 mm3 mm4 mm7 pop3 smtp} (FortiOS
Carrier)
set lowspace {drop-new | ovrw-old}
set maxfilesize <MB_integer>
set quar-to-fortianalyzer {enable | disable}
set store-blocked {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
set store-heuristic {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
set store-infected {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
set store-intercepted {ftp http imap mm1 mm3 mm4 mm7 pop3 smtp}
(FortiOS Carrier)
end
Keywords and variables / Description / Default

agelimit <hours_integer>
    Specify how long files are kept in quarantine, to a maximum of 479 hours. The age limit is used to formulate the value in the TTL column of the quarantined files list. When the limit is reached the TTL column displays EXP and the file is deleted (although a record is maintained in the quarantined files list). Entering an age limit of 0 (zero) means files are stored on disk indefinitely, depending on the low disk space action.
    Default: 0
drop-blocked {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    Do not quarantine blocked files found in traffic for the specified protocols. The files are deleted. NNTP support for this keyword will be added in the future. HTTP, FTP, MM1, MM3, MM4, and MM7 traffic types are supported in FortiOS Carrier.
    Default: imap nntp
drop-heuristic {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    Do not quarantine files found by heuristic scanning in traffic for the specified protocols. NNTP support for this keyword will be added in the future. MM1, MM3, MM4, and MM7 traffic types are supported in FortiOS Carrier.
    Default: http im imap nntp pop3 smtp
drop-infected {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    Do not quarantine virus infected files found in traffic for the specified protocols. NNTP support for this keyword will be added in the future. MM1, MM3, MM4, and MM7 traffic types are supported in FortiOS Carrier.
    Default: im imap nntp

drop-intercepted {ftp http imap mm1 mm3 mm4 mm7 pop3 smtp} (FortiOS Carrier)
    Do not quarantine intercepted files found in traffic for the specified protocols. The files are deleted.
    Default: imap smtp pop3 http ftp mm1 mm3 mm4 mm7
lowspace {drop-new | ovrw-old}
    Select the method for handling additional files when the FortiGate hard disk is running out of space. Enter ovrw-old to drop the oldest file (lowest TTL), or drop-new to drop new quarantine files.
    Default: ovrw-old
maxfilesize <MB_integer>
    Specify, in MB, the maximum file size to quarantine. The FortiGate unit keeps any existing quarantined files over the limit. The FortiGate unit does not quarantine any new files larger than this value. The file size range is 0-499 MB. Enter 0 for unlimited file size.
    Default: 0
quar-to-fortianalyzer {enable | disable}
    For FortiGate units that do not have a local disk, send infected files to a FortiAnalyzer unit.
    Default: disable
store-blocked {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    Quarantine blocked files found in traffic for the specified protocols. NNTP support for this keyword will be added in the future. HTTP, FTP, MM1, MM3, MM4, and MM7 traffic types are supported in FortiOS Carrier.
    Default: No default.
store-heuristic {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    Quarantine files found by heuristic scanning in traffic for the specified protocols. NNTP support for this keyword will be added in the future. MM1, MM3, MM4, and MM7 traffic types are supported in FortiOS Carrier.
    Default: No default.
store-infected {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    Quarantine virus infected files found in traffic for the specified protocols. NNTP support for this keyword will be added in the future. MM1, MM3, MM4, and MM7 traffic types are supported in FortiOS Carrier.
    Default: No default.
store-intercepted {ftp http imap mm1 mm3 mm4 mm7 pop3 smtp} (FortiOS Carrier)
    Quarantine intercepted files found in traffic for the specified protocols.
    Default: imap smtp pop3 http ftp mm1 mm3 mm4 mm7

Example
This example shows how to set the quarantine age limit to 100 hours, not quarantine blocked files
from SMTP and POP3 traffic, not quarantine heuristic tagged files from SMTP and POP3 traffic,
set the quarantine to drop new files if the disk is full, set the maximum file size to quarantine
at 2 MB, quarantine blocked files from IMAP traffic, and quarantine heuristic tagged files from
IMAP, HTTP, and FTP traffic.
config antivirus quarantine
set agelimit 100
set drop-blocked smtp pop3
set drop-heuristic smtp pop3
set lowspace drop-new
set maxfilesize 2
set store-blocked imap
set store-heuristic imap http ftp
end

History
FortiOS v2.80 Substantially revised.
FortiOS v2.80 MR2 The enable_auto_upload keyword was changed to enable-auto-submit.
FortiOS v3.0 Added IM and NNTP options.
FortiOS v3.0 MR5 Removed set enable-auto-submit, set sel-status, set use-fpat, set use-status.

Related topics
• antivirus filepattern
• antivirus heuristic
• antivirus quarfilepattern
• antivirus service

quarfilepattern
Use this command to configure the file patterns used by automatic file uploading. This command is
only available on FortiGate units with a hard drive.
Configure the FortiGate unit to upload suspicious files automatically to Fortinet for analysis. Add file
patterns to be uploaded to the autoupload list using the * wildcard character. File patterns are applied
for autoupload regardless of file blocking settings.
Also upload files to Fortinet based on status (blocked or heuristics) or submit individual files directly
from the quarantined files list. For more information, see antivirus quarantine.

Syntax
config antivirus quarfilepattern
edit pattern_str
set status {enable | disable}
end

Keywords and variables / Description / Default

pattern_str
    The file pattern to be quarantined.
status {enable | disable}
    Enable or disable using a file pattern.
    Default: disable

Example
Use the following commands to enable automatic upload of *.bat files.
config antivirus quarfilepattern
edit *.bat
set status enable
end

History
FortiOS v2.80 New.
FortiOS v3.0 MR5 Entire command removed.

Related topics
• antivirus filepattern
• antivirus heuristic
• antivirus quarantine
• antivirus service

service
Use this command to configure how the FortiGate unit handles antivirus scanning of large files in
HTTP, HTTPS, FTP, POP3, IMAP, and SMTP traffic and what ports the FortiGate unit scans for these
services.
For HTTPS, you can only configure the ports.

Syntax
config antivirus service <service_str>
set port <port_integer>
set scan-bzip2 {enable | disable}
set uncompnestlimit <depth_integer>
set uncompsizelimit <MB_integer>
end
Keywords and variables / Description / Default

<service_str>
    The service being configured: HTTP, HTTPS, FTP, IM, IMAP, NNTP, POP3, SMTP.
port <port_integer>
    Configure antivirus scanning on a nonstandard port number or multiple port numbers for the service. Use ports from the range 1-65535. Add up to 20 ports.
    Default: HTTP: 80, HTTPS: 443, FTP: 21, IMAP: 143, NNTP: 119, POP3: 110, SMTP: 25
scan-bzip2 {enable | disable}
    Enable to allow the antivirus engine to scan the contents of bzip2 compressed files. Requires antivirus engine 1.90 for full functionality. Bzip2 scanning is extremely CPU intensive. Unless this feature is required, leave scan-bzip2 disabled.
    Default: disable
uncompnestlimit <depth_integer>
    Set the maximum nesting depth of archives within archives that the AV engine will scan. The limit is from 2 to 100. The supported compression formats are arj, bzip2, cab, gzip, lha, lzh, msc, rar, tar, and zip. Bzip2 support is disabled by default.
    Default: 12
uncompsizelimit <MB_integer>
    Set the maximum uncompressed file size that can be buffered to memory for virus scanning. Enter a value in megabytes between 1 and the maximum oversize threshold. Enter “?” to display the range for your FortiGate unit. Enter 0 for no limit (not recommended).
    Default: 10 (MB)

Note: If an archive has more nesting levels than the uncompnestlimit you set, or if a file is larger than the uncompsizelimit you set, the file passes through without being virus scanned.

How file size limits work
The uncompsizelimit applies to the uncompressed size of the file. If other files are included within the
file, the uncompressed size of each one is checked against the uncompsizelimit value. If any one of
the uncompressed files is larger than the limit, the file is passed without scanning, but the total size of
all uncompressed files within the original file can be greater than the uncompsizelimit.
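
Because both limits fail open (an archive over either limit passes unscanned), it is worth being precise about what each one measures. The Python model below is an added example, not code from the FortiGate CLI Reference or from FortiOS: it applies the two rules as the text above and the keyword table state them (each member's uncompressed size checked on its own, never the total; nesting depth compared to uncompnestlimit; 0 meaning no size limit) to constructed in-memory archive trees. No real archive format is parsed.

```python
"""Added example, not code from the FortiGate CLI Reference or FortiOS: a
model of how uncompsizelimit and uncompnestlimit decide whether an archive
is virus scanned. Each member's uncompressed size is checked individually
against uncompsizelimit (the total may exceed it), and an archive nested
deeper than uncompnestlimit passes through unscanned. The archive tree is a
constructed in-memory model; no real archive is parsed."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MB = 1024 * 1024


@dataclass
class Entry:
    """One file in the content stream. A non-empty `children` list means
    the entry is itself an archive containing those members."""
    name: str
    size: int                                   # uncompressed size in bytes
    children: List["Entry"] = field(default_factory=list)


def nesting_depth(entry: Entry) -> int:
    """Depth of the archive tree; an archive holding only plain files is 1."""
    return 1 + max((nesting_depth(c) for c in entry.children), default=0)


def first_oversized(entry: Entry, limit: int) -> Optional[Entry]:
    """Return the first entry whose own uncompressed size exceeds `limit`.
    Sizes are compared one at a time and never summed."""
    if entry.size > limit:
        return entry
    for child in entry.children:
        hit = first_oversized(child, limit)
        if hit is not None:
            return hit
    return None


def total_uncompressed(entry: Entry) -> int:
    """Sum of every uncompressed size; only used to contrast with the rule."""
    return entry.size + sum(total_uncompressed(c) for c in entry.children)


def scan_decision(archive: Entry, uncompsizelimit_mb: int = 10,
                  uncompnestlimit: int = 12) -> Tuple[str, Optional[str]]:
    """Return ('scan', None) or ('pass', reason) for an archive.

    Defaults are the keyword table's defaults (10 MB, depth 12). A
    uncompsizelimit of 0 means no size limit, as the reference states."""
    depth = nesting_depth(archive)
    if depth > uncompnestlimit:
        return "pass", f"nesting depth {depth} exceeds uncompnestlimit {uncompnestlimit}"
    if uncompsizelimit_mb:
        big = first_oversized(archive, uncompsizelimit_mb * MB)
        if big is not None:
            return "pass", (f"{big.name} is {big.size // MB} MB uncompressed, "
                            f"over uncompsizelimit {uncompsizelimit_mb} MB")
    return "scan", None


def nested_chain(levels: int) -> Entry:
    """Constructed sample: an archive nested `levels` deep, 1 MB per level."""
    node = Entry(f"level{levels}.zip", 1 * MB)
    for i in range(levels - 1, 0, -1):
        node = Entry(f"level{i}.zip", 1 * MB, [node])
    return node


# Constructed samples (not real files).
MANY_SMALL = Entry("bundle.zip", 1 * MB,
                   [Entry(f"part{i}.bin", 4 * MB) for i in range(5)])
ONE_BIG = Entry("dump.zip", 1 * MB, [Entry("core.img", 12 * MB)])

if __name__ == "__main__":
    for label, archive in [("MANY_SMALL", MANY_SMALL), ("ONE_BIG", ONE_BIG),
                           ("13-deep chain", nested_chain(13))]:
        decision, reason = scan_decision(archive)
        print(f"{label}: total {total_uncompressed(archive) // MB} MB -> {decision}"
              + (f" ({reason})" if reason else ""))
```

MANY_SMALL unpacks to 21 MB in total yet is scanned under the 10 MB default, because no single member exceeds the limit; ONE_BIG passes unscanned on its one 12 MB member; and a chain nested 13 deep passes on the depth rule alone until uncompnestlimit is raised.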

FortiGate CLI Version 3.0 MR6 Reference


01-30006-0015-20080205 79
service antivirus

Example
This example shows how to set the maximum uncompressed file size that can be buffered to memory
for scanning at 15 MB, and how to enable antivirus scanning on ports 70, 80, and 443 for HTTP traffic.
config antivirus service http
set uncompsizelimit 15
set port 70
set port 80
set port 443
end

History

FortiOS v2.80 Substantially revised.


FortiOS v2.80 MR6 Removed diskfilesizelimit keyword.
FortiOS v2.80 MR7 Added uncompsizelimit keyword.
FortiOS v3.0 Combined all services into one section. Added IM. Added
scan_bzip2. Removed client comforting and file size limit
commands.
FortiOS v3.0 MR3 Added support for HTTPS. But only ports can be configured.

Related topics
• antivirus filepattern
• antivirus heuristic
• antivirus quarantine
• antivirus quarfilepattern

firewall
Use firewall commands to configure firewall policies and the data they use, including protection
profiles, IP addresses and virtual IP addresses, schedules, and services. You can also configure DNS
translation, IP/MAC binding, and multicast policies.
This chapter contains the following sections:

address, address6
addrgrp, addrgrp6
dnstranslation
gtp (FortiOS Carrier)
ipmacbinding setting
ipmacbinding table
ippool
ldb-monitor
multicast-policy
policy, policy6
profile
schedule onetime
schedule recurring
service custom
service group
vip
vipgrp

address, address6
Use this command to configure firewall addresses used in firewall policies. An IPv4 firewall address is
a set of one or more IP addresses, represented as a domain name, an IP address and a subnet mask,
or an IP address range. An IPv6 firewall address is an IPv6 6-to-4 address prefix.
By default, FortiGate units have the firewall address All, which represents any IP address.
Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall
policies. If an address is selected in a policy, it cannot be deleted until it is deselected from the policy.

Syntax
config firewall address
edit <name_str>
set associated-interface <interface_str>
set end-ip <address_ipv4>
set fqdn <domainname_str>
set start-ip <address_ipv4>
set subnet <address_ipv4mask>
set type {ipmask | iprange | fqdn}
end
config firewall address6
edit <name_str>
set ip6 <address_ipv6prefix>
end
Keywords and variables (description, default)

The following commands are for config firewall address.

<name_str>
    Enter the name of the address.
    No default.

associated-interface <interface_str>
    Enter the name of the associated interface. If not configured, the firewall
    address is bound to an interface during firewall policy configuration.
    No default.

end-ip <address_ipv4>
    If type is iprange, enter the last IP address in the range.
    Default: 0.0.0.0

fqdn <domainname_str>
    If type is fqdn, enter the fully qualified domain name (FQDN).
    No default.

start-ip <address_ipv4>
    If type is iprange, enter the first IP address in the range.
    Default: 0.0.0.0

subnet <address_ipv4mask>
    If type is ipmask, enter an IP address then its subnet mask, in dotted decimal
    format and separated by a space, or in CIDR format with no separation. For
    example, you could enter either:
    • 172.168.2.5/32
    • 172.168.2.5 255.255.255.255
    The IP address can be for a single computer or a subnetwork. The subnet mask
    corresponds to the class of the IP address being added.
    • A single computer’s subnet mask is 255.255.255.255 or /32.
    • A class A subnet mask is 255.0.0.0 or /8.
    • A class B subnet mask is 255.255.0.0 or /16.
    • A class C subnet mask is 255.255.255.0 or /24.
    Default: 0.0.0.0 0.0.0.0

type {ipmask | iprange | fqdn}
    Select whether this firewall address is a subnet address, an address range, or
    a fully qualified domain name.
    Default: ipmask

The following command is for config firewall address6.

<name_str>
    Enter the name of the IPv6 address prefix.
    No default.

ip6 <address_ipv6prefix>
    If the IP address is IPv6, enter an IPv6 IP address prefix.
    Default: ::/0

Example
This example shows how to add one IPv4 address of each type: ipmask, iprange, and fqdn. It also
shows how to configure an IPv6 address prefix.
config firewall address
edit Example_Subnet
set type ipmask
set subnet 192.168.1.0 255.255.255.0
next
edit Example_Range
set type iprange
set start-ip 10.10.1.10
set end-ip 10.10.1.30
next
edit Example_Domain
set type fqdn
set fqdn www.example.com
end
config firewall address6
edit Example_ipv6_Prefix
set ip6 2002:CF8E:83CA::/48
end
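To make the three IPv4 address types and the IPv6 prefix concrete, the following Python model tests a packet address against each kind of firewall address exactly as the table above defines them, accepting both subnet notations the CLI documents. This is an added example, not FortiOS code: the FirewallAddress class, the matching helpers and the FAKE_DNS resolver table are assumptions of the illustration; a real fqdn address is resolved by the FortiGate unit's DNS, which is not modelled here.

```python
# Matching an address against the three IPv4 firewall address types (ipmask,
# iprange, fqdn) and an IPv6 prefix, as described above. Added example, not
# FortiOS code: the class names, the matching helpers and the constructed
# resolver table are assumptions of this illustration.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for the unit's DNS resolver; a real fqdn address is
# resolved by the FortiGate unit, which this example does not model.
FAKE_DNS: Dict[str, List[str]] = {"www.example.com": ["93.184.216.34"]}


@dataclass
class FirewallAddress:
    """One 'config firewall address' entry with the keywords from the table above."""
    name: str
    type: str = "ipmask"                 # ipmask | iprange | fqdn
    subnet: str = "0.0.0.0 0.0.0.0"      # 'a.b.c.d/nn' or 'a.b.c.d m.m.m.m'
    start_ip: str = "0.0.0.0"
    end_ip: str = "0.0.0.0"
    fqdn: Optional[str] = None


def parse_subnet(text: str) -> ipaddress.IPv4Network:
    """Accept both forms the CLI documents: CIDR, or address and mask separated by a space."""
    parts = text.split()
    spec = parts[0] if len(parts) == 1 else f"{parts[0]}/{parts[1]}"
    # strict=False lets a host address stand in for its network (e.g. 10.1.2.3/24)
    return ipaddress.IPv4Network(spec, strict=False)


def matches(addr: FirewallAddress, ip: str) -> bool:
    """True when ip falls inside the firewall address, according to its type."""
    ip_obj = ipaddress.IPv4Address(ip)
    if addr.type == "ipmask":
        return ip_obj in parse_subnet(addr.subnet)
    if addr.type == "iprange":
        return (ipaddress.IPv4Address(addr.start_ip) <= ip_obj
                <= ipaddress.IPv4Address(addr.end_ip))
    if addr.type == "fqdn":
        resolved = FAKE_DNS.get(addr.fqdn or "", [])
        return any(ip_obj == ipaddress.IPv4Address(r) for r in resolved)
    raise ValueError(f"unknown address type {addr.type!r}")


def matches6(ip6_prefix: str, ip: str) -> bool:
    """'config firewall address6' holds one prefix; ::/0 (the default) matches everything."""
    return ipaddress.IPv6Address(ip) in ipaddress.IPv6Network(ip6_prefix, strict=False)


# The objects from the CLI example above, expressed in this model.
EXAMPLE_SUBNET = FirewallAddress("Example_Subnet", "ipmask", subnet="192.168.1.0 255.255.255.0")
EXAMPLE_RANGE = FirewallAddress("Example_Range", "iprange", start_ip="10.10.1.10", end_ip="10.10.1.30")
EXAMPLE_DOMAIN = FirewallAddress("Example_Domain", "fqdn", fqdn="www.example.com")
EXAMPLE_IPV6_PREFIX = "2002:CF8E:83CA::/48"
ALL = FirewallAddress("all")   # the built-in address: ipmask 0.0.0.0 0.0.0.0 matches any IPv4 address
```

Note that the built-in All address is simply the ipmask default 0.0.0.0 0.0.0.0, so a policy using it matches every IPv4 source or destination; when you see All in a policy's source or destination it is worth asking whether a narrower address object was intended.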

History

FortiOS v2.80 Substantially revised. IP address range option added. Requiring that an address be added
to an interface removed.
FortiOS v3.0 Added fqdn.
FortiOS v3.0 MR4 Added option associated-interface.

Related topics
• firewall addrgrp, addrgrp6
• firewall policy, policy6

addrgrp, addrgrp6
Use this command to configure firewall address groups used in firewall policies.
You can organize related firewall addresses into firewall address groups to simplify firewall policy
configuration. For example, rather than creating three separate firewall policies for three firewall
addresses, you could create a firewall address group consisting of the three firewall addresses, then
create one firewall policy using that firewall address group.
Addresses, address groups, and virtual IPs must all have unique names to avoid confusion in firewall
policies. If an address group is selected in a policy, it cannot be deleted unless it is first deselected in
the policy.

Syntax
config firewall addrgrp, addrgrp6
edit <name_str>
set member <name_str>
end

Keywords and variables (description, default)

<name_str>
    Enter the name of the address group.
    No default.

member <name_str>
    Enter one or more names of firewall addresses to add to the address group.
    Separate multiple names with a space. To remove an address name from the group,
    retype the entire new list, omitting the address name.
    No default.

Example
This example shows how to add two firewall addresses to a firewall address group.
config firewall addrgrp
edit Group1
set member Example_Subnet Example_Range
end

History

FortiOS v2.80 Revised.

Related topics
• firewall address, address6
• firewall policy, policy6

dnstranslation
Use this command to add, edit or delete a DNS translation entry.
If DNS translation is configured, the FortiGate unit rewrites the payload of outbound DNS query replies
from internal DNS servers, replacing the resolved names’ internal network IP addresses with external
network IP address equivalents, such as a virtual IP address on a FortiGate unit’s external network
interface. This allows external network hosts to use an internal network DNS server for domain name
resolution of hosts located on the internal network.
For example, if a virtual IP provided network address translation (NAT) between a public network, such
as the Internet, and a private network containing a web server, hosts on the public network could
access the web server by using its virtual IP address. However, if hosts attempted to access the web
server by domain name, and the DNS server performing name resolution for that domain name was
also located on the private network, the DNS query reply would contain a private network IP address,
which is not routable from the external network. To solve this, you might configure DNS translation,
and substitute the web server’s private network IP address with the virtual IP address in DNS query
replies to the public network.
DNS translation mappings between src and dst must be one-to-one; you cannot create one-to-many
or many-to-one mappings. For example, if src is a single IP address, it cannot be DNS translated into
a dst subnet; dst must be a single IP address, like src. If src is a subnet, dst must also be a
subnet.

Syntax
config firewall dnstranslation
edit <index_int>
set dst <destination_ipv4>
set netmask <address_ipv4mask>
set src <source_ipv4>
end

Keywords and variables (description, default)

<index_int>
    Enter the unique ID number of the DNS translation entry.
    No default.

dst <destination_ipv4>
    Enter the IP address or subnet on the external network to substitute for the
    resolved address in DNS query replies. dst can be either a single IP address or
    a subnet on the external network, but must be equal in number to the number of
    mapped IP addresses in src.
    Default: 0.0.0.0

netmask <address_ipv4mask>
    If src and dst are subnets rather than single IP addresses, enter the netmask
    for both src and dst.
    Default: 0.0.0.0

src <source_ipv4>
    Enter the IP address or subnet on the internal network to compare with the
    resolved address in DNS query replies. If the resolved address matches, the
    resolved address is substituted with dst.
    Default: 0.0.0.0

Example
This example shows how to translate the resolved addresses in DNS query replies, from an internal
(source) subnet to an external (destination) subnet.
config firewall dnstranslation
edit 1
set src 192.168.100.12
set dst 172.16.200.190
set netmask 255.255.255.0
end
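The one-to-one substitution rule described above can be stated precisely in a few lines: a resolved address whose network part (under netmask) equals that of src keeps its host bits and receives the network part of dst. The following Python model does that for the entry in the CLI example and for a single-host entry, and applies a table of entries to a constructed DNS reply. It is an added illustration, not FortiOS code; the DnsTranslation class, the answer format, the choice to treat the default netmask 0.0.0.0 as a single-host match, and the sample reply records are assumptions of this example.

```python
# Model of the one-to-one DNS translation described above: a resolved address
# inside src (under netmask) is rewritten to the corresponding address in dst.
# Added illustration, not FortiOS code: the class, the answer format and the
# constructed reply records are assumptions of this example.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ALL_ONES = 0xFFFFFFFF


@dataclass
class DnsTranslation:
    """One 'config firewall dnstranslation' entry."""
    index: int
    src: str                    # internal address or subnet to look for in replies
    dst: str                    # external address or subnet to substitute
    netmask: str = "0.0.0.0"    # default: src and dst are single addresses

    def mask(self) -> int:
        # The default netmask 0.0.0.0 goes with single-address entries, so this
        # model treats it as a host mask (/32). This is an assumption of the example.
        m = int(ipaddress.IPv4Address(self.netmask))
        return ALL_ONES if m == 0 else m

    def matches(self, resolved: str) -> bool:
        """True when the resolved address lies inside src under netmask."""
        mask = self.mask()
        ip = int(ipaddress.IPv4Address(resolved))
        src = int(ipaddress.IPv4Address(self.src))
        return (ip & mask) == (src & mask)

    def translate(self, resolved: str) -> str:
        """Return the substituted address, or the input unchanged when src does not match."""
        if not self.matches(resolved):
            return resolved
        mask = self.mask()
        ip = int(ipaddress.IPv4Address(resolved))
        dst = int(ipaddress.IPv4Address(self.dst))
        # One-to-one: keep the host bits, replace the network part with dst's.
        return str(ipaddress.IPv4Address((dst & mask) | (ip & ~mask & ALL_ONES)))


def rewrite_reply(entries: List[DnsTranslation],
                  answers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Apply the first matching entry (lowest index) to each (name, address) answer."""
    out = []
    for name, addr in answers:
        for entry in sorted(entries, key=lambda e: e.index):
            if entry.matches(addr):
                addr = entry.translate(addr)
                break
        out.append((name, addr))
    return out


# The entry from the CLI example above plus a single-host entry, and a
# constructed outbound reply carrying private addresses.
TABLE = [
    DnsTranslation(1, "192.168.100.12", "172.16.200.190", "255.255.255.0"),
    DnsTranslation(2, "10.0.0.5", "203.0.113.9"),
]
REPLY = [("www.internal.example", "192.168.100.50"),
         ("mail.internal.example", "10.0.0.5"),
         ("other.internal.example", "10.0.0.6")]

if __name__ == "__main__":
    for name, addr in rewrite_reply(TABLE, REPLY):
        print(name, addr)
```

Because the same netmask applies to both sides, the entry in the CLI example maps the whole 192.168.100.0/24 block onto 172.16.200.0/24 host-for-host: 192.168.100.50 becomes 172.16.200.50, and the .12 and .190 host bits in src and dst play no part. Answers outside src, such as 10.0.0.6 here, leave the unit unchanged, which is the case to check for when an internal DNS server is exposed this way.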

History
FortiOS v2.80 Revised.

Related topics
• firewall vip

gtp (FortiOS Carrier)


Use this command to configure GTP (GPRS Tunneling Protocol) profiles.

Syntax
config firewall gtp
edit <name_str>
config apn
edit <index_int>
set action {allow | deny}
set selection-mode {ms net vrf}
set value <networkid_str>
end
config ie-remove-policy
edit <index_int>
set remove-ies {apn-restriction rat-type rai uli imei}
set sgsn-addr <addr/group_str>
end
config imsi
edit <index_int>
set action {allow | deny}
set apn <networkid_str>
set mcc-mnc <mccmnc_str>
set selection-mode {ms net vrf}
end
config ip-policy
edit <index_int>
set action {allow | deny}
set dstaddr <address_str>
set srcaddr <address_str>
end
config noip-policy
edit <index_int>
set action {allow | deny}
set start <protocol_int>
set end <protocol_int>
set type {etsi | ietf}
end
config policy
edit <index_int>
set action {allow | deny}
set apn <apn_str>
set imei <imei_str>
set imsi <imsi_str>
set max-apn-restriction {all | private-1 | private-2 | public-1 | public-2}
set messages {create-req create-res update-req update-res}
set rai <rai_str>
set rat-type {any geran utran wlan}
set uli <uli_str>
end
set addr-notify <Gi_ipv4>
set apn-filter {enable | disable}
set authorized-sgsns <addr/grp_str>
set context-id <id_int>
set control-plane-message-rate-limit <limit_int>
set create-aa-pdp {allow | deny}
set create-pdp {allow | deny}
set data-record {allow | deny}
set default-apn-action {allow | deny}
set default-imsi-action {allow | deny}
set default-ip-action {allow | deny}
set default-noip-action {allow | deny}
set default-policy-action {allow | deny}
set delete-aa-pdp {allow | deny}
set delete-pdp {allow | deny}
set denied-log {enable | disable}
set echo {allow | deny}
set error-indication {allow | deny}
set extension-log {enable | disable}
set failure-report {allow | deny}
set forwarded-log {enable | disable}
set fwd-relocation {allow | deny}
set fwd-srns-context {allow | deny}
set gtp-in-gtp {allow | deny}
set gtp-pdu {allow | deny}
set handover-group
set identification {allow | deny}
set ie-remover {enable | disable}
set imsi-filter {enable | disable}
set interface-notify <interface_str>
set invalid-reserved-field {allow | deny}
set ip-filter {enable | disable}
set log-freq <drop_int>
set max-message-length <bytes_int>
set min-message-length <bytes_int>
set miss-must-ie {allow | deny}
set node-alive {allow | deny}
set noip-filter {enable | disable}
set note-ms-present {allow | deny}
set out-of-state-ie {allow | deny}
set out-of-state-message {allow | deny}
set pdu-notification {allow | deny}
set policy-filter {enable | disable}
set port-notify <port_int>
set ran-info {allow | deny}
set rate-limited-log {enable | disable}
set redirection {allow | deny}
set relocation-cancel {allow | deny}
set reserved-ie {allow | deny}
set send-route {allow | deny}
set seq-number-validate {enable | disable}
set sgsn-context {allow | deny}
set spoof-src-addr {allow | deny}
set state-invalid-log {enable | disable}
set support-extension {allow | deny}
set traffic-count-log {enable | disable}
set tunnel-limit <limit_int>
set tunnel-limit-log {enable | disable}
set tunnel-timeout <time_int>
set unknown-message-action {allow | deny}
set update-pdp {allow | deny}
set version-not-support {allow | deny}
end

Keywords and variables (description, default)

<name_str>
    Enter the name of this GTP profile.
    No default.

apn
The following commands are the options for config apn.

<index_int>
    Enter the unique ID number of the APN filter profile.
    No default.

action {allow | deny}
    Select to allow or deny traffic matching both the APN and Selection Mode
    specified for this APN filter profile.
    Default: allow

selection-mode {ms net vrf}
    Select the selection mode or modes required for the APN. The selection mode
    indicates where the APN originated and whether the Home Location Register (HLR)
    has verified the user subscription.
    • Enter ms to specify a mobile station provided APN, subscription not verified.
      This Selection Mode indicates that the mobile station (MS) provided the APN
      and that the HLR did not verify the user's subscription to the network.
    • Enter net to specify a network-provided APN, subscription not verified. This
      Selection Mode indicates that the network provided a default APN because the
      MS did not specify one, and that the HLR did not verify the user's
      subscription to the network.
    • Enter vrf to specify a mobile station or network-provided APN, subscription
      verified. This Selection Mode indicates that the MS or the network provided
      the APN and that the HLR verified the user's subscription to the network.
    Default: ms net vrf

value <networkid_str>
    Enter the network ID and operator ID of the APN.
    No default.

ie-remove-policy
The following commands are the set options for config ie-remove-policy.

<index_int>
    Enter the unique ID number of the IE removal policy.
    No default.

remove-ies {apn-restriction rat-type rai uli imei}
    Select the information elements to be removed from messages before they are
    forwarded to the HGGSN. Any combination of R6 information elements (RAT, RAI,
    ULI, IMEI-SV and APN restrictions) may be specified.
    Default: apn-restriction rat-type rai uli imei

sgsn-addr <addr/group_str>
    Enter an SGSN address or group the IE removal policy will be applied to.
    Default: all

imsi
The following commands are the options for config imsi.

<index_int>
    Enter the unique ID number of the IMSI filtering policy.
    No default.

action {allow | deny}
    Select to allow or deny traffic matching both the APN and Selection Mode
    specified for this APN filter profile.
    Default: allow

apn <networkid_str>
    Enter the network ID and operator ID of the APN.
    No default.

mcc-mnc <mccmnc_str>
    Enter the MCC and MNC.
    No default.

selection-mode {ms net vrf}
    Select the selection mode or modes. The selection mode indicates where the APN
    originated and whether the Home Location Register (HLR) has verified the user
    subscription.
    • Enter ms to specify a mobile station provided APN, subscription not verified.
      This Selection Mode indicates that the mobile station (MS) provided the APN
      and that the HLR did not verify the user's subscription to the network.
    • Enter net to specify a network-provided APN, subscription not verified. This
      Selection Mode indicates that the network provided a default APN because the
      MS did not specify one, and that the HLR did not verify the user's
      subscription to the network.
    • Enter vrf to specify a mobile station or network-provided APN, subscription
      verified. This Selection Mode indicates that the MS or the network provided
      the APN and that the HLR verified the user's subscription to the network.
    Default: ms net vrf

ip-policy
The following commands are the options for config ip-policy.

<index_int>
    Enter the unique ID number of the encapsulated IP traffic filtering policy.
    No default.

action {allow | deny}
    Select to allow or deny traffic matching both the source and destination
    addresses specified for this APN filter profile.
    Default: allow

dstaddr <address_str>
    Enter the name of a destination address or address group.
    No default.

srcaddr <address_str>
    Enter the name of a source address or address group.
    No default.

noip-policy
The following commands are the options for config noip-policy.

<index_int>
    Enter the unique ID number of the encapsulated non-IP traffic filtering policy.
    No default.

action {allow | deny}
    Select to allow or deny traffic matching the message protocol specified for
    this APN filter profile.
    Default: allow

start <protocol_int>
    Enter the number of the start protocol. Acceptable values range from 0 to 255.
    Default: 0

end <protocol_int>
    Enter the number of the end protocol. Acceptable values range from 0 to 255.
    Default: 0

type {etsi | ietf}
    Select an ETSI or IETF protocol type.
    Default: etsi

policy
The following commands are the options for config policy.

<index_int>
    Enter the unique ID number of the advanced filtering policy.
    No default.

action {allow | deny}
    Select to allow or deny traffic matching the message attributes specified for
    this advanced filtering policy.
    Default: allow

apn <apn_str>
    Enter the APN suffix, if required.
    No default.

imei <imei_str>
    Enter the IMEI (SV) pattern, if required.
    No default.

imsi <imsi_str>
    Enter the IMSI prefix, if required.
    No default.

max-apn-restriction {all | private-1 | private-2 | public-1 | public-2}
    Select the maximum APN restriction.
    Default: all

messages {create-req create-res update-req update-res}
    Enter the type or types of GTP messages.
    Default: create-req

rai <rai_str>
    Enter the RAI pattern.
    No default.

rat-type {any geran utran wlan}
    Enter the RAT type or types.
    Default: any

uli <uli_str>
    Enter the ULI pattern.
    No default.

The following commands are the options for edit <profile_str>.

addr-notify <Gi_ipv4>
    Enter the IP address of the Gi firewall.
    Default: 0.0.0.0

apn-filter {enable | disable}
    Select to apply APN filter policies.
    Default: disable

authorized-sgsns <addr/grp_str>
    Enter authorized SGSN addresses or groups. Any SGSN groups not specified will
    not be able to send packets to the GGSN. All firewall addresses and groups
    defined on the FortiGate unit are available for use with this command.
    Default: all

context-id <id_int>
    Enter the security context ID. This ID must match the ID entered on the server
    Gi firewall.
    Default: 696

control-plane-message-rate-limit <limit_int>
    Enter the control plane message rate limit. Acceptable rate values range from
    0 (no limiting) to 2147483674 packets per second.
    FortiGate units can limit the packet rate to protect the GSNs from possible
    Denial of Service (DoS) attacks, such as border gateway bandwidth saturation or
    a GTP flood.
    Default: 0

create-aa-pdp {allow | deny}
    Select to allow or deny all create AA PDP messages.
    Default: allow

create-pdp {allow | deny}
    Select to allow or deny all create PDP messages.
    Default: allow

data-record {allow | deny}
    Select to allow or deny all data record messages.
    Default: allow

default-apn-action {allow | deny}
    Select to allow or deny any APN that is not explicitly defined in an APN policy.
    Default: allow

default-imsi-action {allow | deny}
    Select to allow or deny any IMSI that is not explicitly defined in an IMSI
    policy.
    Default: allow

default-ip-action {allow | deny}
    Select to allow or deny any encapsulated IP address traffic that is not
    explicitly defined in an IP policy.
    Default: allow

default-noip-action {allow | deny}
    Select to allow or deny any encapsulated non-IP protocol that is not explicitly
    defined in a non-IP policy.
    Default: allow

default-policy-action {allow | deny}
    Select to allow or deny any traffic that is not explicitly defined in an
    advanced filtering policy.
    Default: allow

delete-aa-pdp {allow | deny}
    Select to allow or deny all delete AA PDP messages.
    Default: allow

delete-pdp {allow | deny}
    Select to allow or deny all delete PDP messages.
    Default: allow

denied-log {enable | disable}
    Select to log denied GTP packets.
    Default: disable

echo {allow | deny}
    Select to allow or deny all echo messages.
    Default: allow

error-indication {allow | deny}
    Select to allow or deny all error indication messages.
    Default: allow

extension-log {enable | disable}
    Select to log extended information about GTP packets. When enabled, this
    additional information will be included in log entries:
    • IMSI
    • MSISDN
    • APN
    • Selection Mode
    • SGSN address for signaling
    • SGSN address for user data
    • GGSN address for signaling
    • GGSN address for user data
    Default: disable

failure-report {allow | deny}
    Select to allow or deny all failure report messages.
    Default: allow

forwarded-log {enable | disable}
    Select to log forwarded GTP packets.
    Default: disable

fwd-relocation {allow | deny}
    Select to allow or deny all forward relocation messages.
    Default: allow

fwd-srns-context {allow | deny}
    Select to allow or deny all forward SRNS messages.
    Default: allow

gtp-in-gtp {allow | deny}
    Select to allow or deny GTP packets that contain another GTP packet in their
    message body.
    Default: allow

gtp-pdu {allow | deny}
    Select to allow or deny all G-PDU messages.
    Default: allow

handover-group
    Handover requests will be honored only from the addresses listed in the
    specified address group. This way, an untrusted GSN cannot hijack a GTP tunnel
    with a handover request.

identification {allow | deny}
    Select to allow or deny all identification messages.
    Default: allow

ie-remover {enable | disable}
    Select whether to use information element removal policies.
    Default: disable

imsi-filter {enable | disable}
    Select whether to use IMSI filter policies.
    Default: disable

interface-notify <interface_str>
    Enter any local interface of the FortiGate unit. The interface IP address will
    be used to send the “clear session” message.

invalid-reserved-field {allow | deny}
    Select to allow or deny GTP packets with invalid reserved fields. Depending on
    the GTP version, a varying number of header fields are reserved and should
    contain specific values. If the reserved fields contain incorrect values, the
    packet will be blocked if this keyword is set to deny.
    Default: deny

ip-filter {enable | disable}
    Select whether to use encapsulated IP traffic filtering policies.
    Default: disable

log-freq <drop_int>
    Enter the number of messages to drop between logged messages.
    An overflow of log messages can sometimes occur when logging rate-limited GTP
    packets that exceed their defined threshold. To conserve resources on the
    syslog server and the FortiGate unit, you can specify that some log messages
    are dropped. For example, if you want only every twentieth message to be
    logged, set a logging frequency of 19. This way, 19 messages are skipped and
    the next one is logged.
    Acceptable frequency values range from 0 to 2147483674. When set to 0, no
    messages are skipped.
    Default: 0

max-message-length <bytes_int>
    Enter the maximum GTP message size, in bytes, that the FortiGate unit will
    allow to pass. Acceptable values range from 0 to 2147483674 bytes. When set to
    0, the maximum size restriction is disabled.
    Default: 1452

min-message-length <bytes_int>
    Enter the minimum GTP message size, in bytes, that the FortiGate unit will
    allow to pass. Acceptable values range from 0 to 2147483674 bytes. When set to
    0, the minimum size restriction is disabled.
    Default: 0

miss-must-ie {allow | deny}
    Select to allow or deny passage of GTP packets with missing mandatory
    information elements to the GGSN.
    Default: deny

node-alive {allow | deny}
    Select to allow or deny all node alive messages.
    Default: allow

noip-filter {enable | disable}
    Enable or disable the configured encapsulated non-IP traffic filtering
    policies.
    Default: disable

note-ms-present {allow | deny}
    Select to allow or deny all note MS GPRS present messages.
    Default: allow

out-of-state-ie {allow | deny}
    Select to allow or deny passage of GTP packets with out of sequence
    information elements.
    Default: deny

out-of-state-message {allow | deny}
    Select to allow or deny out of state messages. The GTP protocol requires a
    certain state to be kept by both the GGSN and SGSN. Since GTP has a state,
    some message types can only be sent when in specific states. Packets that do
    not make sense in the current state should be filtered or rejected.
    Default: deny

pdu-notification {allow | deny}
    Select to allow or deny all PDU notification messages.
    Default: allow

policy-filter {enable | disable}
    Enable or disable the configured advanced filtering policies.
    Default: disable

port-notify <port_int>
    Enter the server firewall’s listening port number.
    Default: 21123

ran-info {allow | deny}
    Select to allow or deny all RAN info relay messages.
    Default: allow

rate-limited-log {enable | disable}
    Enable or disable the logging of rate-limited GTP packets.
    Default: disable

redirection {allow | deny}
    Select to allow or deny all redirection messages.
    Default: allow

relocation-cancel {allow | deny}
    Select to allow or deny all relocation cancel messages.
    Default: allow

reserved-ie {allow | deny}
    Select to allow or deny GTP messages with reserved or undefined information
    elements.
    Default: deny

send-route {allow | deny}
    Select to allow or deny all send route messages.
    Default: allow

seq-number-validate {enable | disable}
    Enable or disable sequence number validation. The GTP packet header contains a
    sequence number. The receiving GGSN and the sending GGSN use this number to
    ensure the packets are in sequence. The FortiGate unit can assume this task and
    save GGSN resources.
    Default: disable

sgsn-context {allow | deny}
    Select to allow or deny all SGSN context messages.
    Default: allow

spoof-src-addr {allow | deny}
    Select to allow or deny packets containing spoofed MS addresses. As the MS
    address is negotiated within the PDP Context creation handshake, any packets
    originating from the MS that contain a different source address will be
    detected and dropped if this keyword is set to deny.
    Default: deny

state-invalid-log {enable | disable}
    Enable or disable the logging of GTP packets that have failed stateful
    inspection.
    Default: disable

support-extension {allow | deny}
    Select to allow or deny all support extension messages.
    Default: allow

traffic-count-log {enable | disable}
    Enable or disable logging the total number of control and user data messages
    received from and forwarded to the GGSNs and SGSNs the FortiGate unit protects.
    Default: disable

tunnel-limit <limit_int>
    Enter the maximum number of GTP tunnels according to the GSN capacity.
    Default: 0

tunnel-limit-log {enable | disable}
    Enable or disable logging of packets dropped because the maximum limit of GTP
    tunnels for the destination GSN is reached.
    Default: disable

tunnel-timeout <time_int>
    Enter a tunnel timeout value, in seconds. By setting a timeout value, you can
    configure the FortiGate unit to remove hanging tunnels. Acceptable values range
    from 0 to 2147483674 seconds. When set to 0, the timeout is disabled.
    Default: 86400

unknown-message-action {allow | deny}
    Select to allow or deny all unknown message types.
    Default: allow

update-pdp {allow | deny}
    Select to allow or deny all update PDP messages.
    Default: allow

version-not-support {allow | deny}
    Select to allow or deny all version not supported messages.
    Default: allow
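The APN filter is the simplest of the GTP profile's policy lists to reason about, and the following Python model shows how its three pieces described above fit together: apn-filter switches the list on, each config apn entry applies only when both its value and its selection-mode match the request, and default-apn-action decides everything the list does not mention. This is an added example, not FortiOS Carrier code; the data model, evaluating entries in index order, comparing the APN value as a case-insensitive exact string, and the constructed profile and requests are assumptions of the illustration.

```python
# Evaluation of the GTP APN filter policies described above: the 'config apn'
# entries, the apn-filter switch and default-apn-action. Added example, not
# FortiOS Carrier code: the data model, the policy order (by index), the
# case-insensitive exact comparison of the APN value and the constructed
# requests are assumptions of this illustration.
from dataclasses import dataclass, field
from typing import List, Set

SELECTION_MODES = {"ms", "net", "vrf"}


@dataclass
class ApnPolicy:
    """One 'config apn' entry: edit <index_int> / action / selection-mode / value."""
    index: int
    value: str                                   # network ID and operator ID of the APN
    action: str = "allow"                        # allow | deny
    selection_mode: Set[str] = field(default_factory=lambda: set(SELECTION_MODES))


@dataclass
class GtpProfile:
    """The parts of 'config firewall gtp' that the APN decision depends on."""
    name: str
    apn_filter: bool = False                     # apn-filter {enable | disable}
    default_apn_action: str = "allow"            # default-apn-action {allow | deny}
    apn: List[ApnPolicy] = field(default_factory=list)


def apn_decision(profile: GtpProfile, apn: str, selection_mode: str) -> str:
    """Return 'allow' or 'deny' for a PDP context request carrying apn and selection_mode."""
    if selection_mode not in SELECTION_MODES:
        raise ValueError(f"selection mode must be one of {sorted(SELECTION_MODES)}")
    if not profile.apn_filter:
        return "allow"                           # filter disabled: policies are not consulted
    for policy in sorted(profile.apn, key=lambda p: p.index):
        # A policy applies only when BOTH the APN and the selection mode match.
        if policy.value.lower() == apn.lower() and selection_mode in policy.selection_mode:
            return policy.action
    return profile.default_apn_action            # no policy matched


# Constructed profile: the subscribed APN is accepted only when the HLR has
# verified the subscription (vrf); an MS- or network-chosen APN is refused, and
# any APN not listed falls to default-apn-action.
PROFILE = GtpProfile(
    name="example_gtp",
    apn_filter=True,
    default_apn_action="deny",
    apn=[
        ApnPolicy(1, "internet.mnc001.mcc001.gprs", "allow", {"vrf"}),
        ApnPolicy(2, "internet.mnc001.mcc001.gprs", "deny", {"ms", "net"}),
    ],
)

if __name__ == "__main__":
    for mode in sorted(SELECTION_MODES):
        print(mode, apn_decision(PROFILE, "internet.mnc001.mcc001.gprs", mode))
```

The same shape (an enable switch, an ordered list of entries, a default action) recurs in the IMSI, IP, non-IP and advanced policy lists of this profile, so the two things to verify in any GTP profile review are the same: that the filter is actually enabled, and that the default action is what the operator intended, since the reference's defaults leave every filter disabled and every default action at allow.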

History
FortiOS v3.00 Revised.

Related topics
• firewall vip

ipmacbinding setting
Use this command to configure IP to MAC address binding settings.
IP/MAC binding protects the FortiGate unit and/or the network from IP address spoofing attacks. IP
spoofing attacks attempt to use the IP address of a trusted computer to connect to, or through, the
FortiGate unit from a different computer. It is simple to change a computer’s IP address to mimic that of
a trusted host, but MAC addresses are often added to Ethernet cards at the factory, and are more
difficult to change. By requiring that traffic from trusted hosts reflect both the IP address and MAC
address known for that host, fraudulent connections are more difficult to construct.
To configure the table of IP addresses and the MAC addresses bound to them, see “ipmacbinding
table” on page 97. To enable or disable IP/MAC binding for an individual FortiGate unit network
interface, see ipmac in “system interface” on page 373.

Note: If IP/MAC binding is enabled, and the IP address of a host with an IP or MAC address in the IP/MAC table is
changed, or a new computer is added to the network, update the IP/MAC table. If you do not update the IP/MAC
binding list, the new or changed hosts will not have access to or through the FortiGate unit. For details on updating
the IP/MAC binding table, see “ipmacbinding table” on page 97.

Caution: If a client receives an IP address from the FortiGate unit’s DHCP server, the client’s MAC
address is automatically registered in the IP/MAC binding table. This can simplify IP/MAC binding
configuration, but can also neutralize protection offered by IP/MAC binding if untrusted hosts are
allowed to access the DHCP server. Use caution when enabling and providing access to the DHCP
server.

Syntax
config firewall ipmacbinding setting
set bindthroughfw {enable | disable}
set bindtofw {enable | disable}
set undefinedhost {allow | block}
end
Keywords and variables (description, default)

bindthroughfw {enable | disable}
    Select to use IP/MAC binding to filter packets that a firewall policy would
    normally allow through the FortiGate unit.
    Default: disable

bindtofw {enable | disable}
    Select to use IP/MAC binding to filter packets that would normally connect to
    the FortiGate unit.
    Default: disable

undefinedhost {allow | block}
    Select how IP/MAC binding handles packets with IP and MAC addresses that are
    not defined in the IP/MAC list for traffic going through or to the FortiGate
    unit.
    • allow: Allow packets with IP and MAC address pairs that are not in the IP/MAC
      binding list.
    • block: Block packets with IP and MAC address pairs that are not in the IP/MAC
      binding list.
    This option is available only when either or both bindthroughfw and bindtofw
    are enabled.
    Default: block

Example
This example shows how to enable IP/MAC binding for traffic both going to and through the FortiGate
unit, and block undefined hosts (IP/MAC address pairs).
config firewall ipmacbinding setting
set bindthroughfw enable
set bindtofw enable
set undefinedhost block
end

History

FortiOS v2.80 Revised.

Related topics
• firewall ipmacbinding table

ipmacbinding table
Use this command to configure IP and MAC address pairs in the IP/MAC binding table. You can bind
multiple IP addresses to the same MAC address, but you cannot bind multiple MAC addresses to the
same IP address.
To configure the IP/MAC binding settings, see “ipmacbinding setting” on page 95. To enable or disable
IP/MAC binding for an individual FortiGate unit network interface, see ipmac in “system interface” on
page 373.

Note: If IP/MAC binding is enabled, and the IP address of a host with an IP or MAC address in the IP/MAC table is
changed, or a new computer is added to the network, update the IP/MAC table. If you do not update the IP/MAC
binding list, the new or changed hosts will not have access to or through the FortiGate unit.

Caution: If a client receives an IP address from the FortiGate unit's DHCP server, the client's MAC
address is automatically registered in the IP/MAC binding table. This can simplify IP/MAC binding
configuration, but can also neutralize the protection offered by IP/MAC binding if untrusted hosts are
allowed to access the DHCP server. Use caution when enabling and providing access to the DHCP
server.

Syntax
config firewall ipmacbinding table
edit <index_int>
set ip <address_ipv4>
set mac <address_hex>
set name <name_str>
set status {enable | disable}
end

Keywords and variables

<index_int>
    Enter the unique ID number of this IP/MAC pair.
    Default: No default.
ip <address_ipv4>
    Enter the IP address to bind to the MAC address.
    To allow all packets with the MAC address, regardless of the IP address, set the IP address to 0.0.0.0.
    Default: 0.0.0.0
mac <address_hex>
    Enter the MAC address.
    To allow all packets with the IP address, regardless of the MAC address, set the MAC address to 00:00:00:00:00:00.
    Default: 00:00:00:00:00:00
name <name_str>
    Enter a name for this entry in the IP/MAC address table. (Optional.)
    Default: noname
status {enable | disable}
    Select to enable this IP/MAC address pair.
    Packets matching an enabled IP/MAC binding are then matched against the firewall policy list. Packets that match no enabled binding are handled as undefined hosts (see undefinedhost in "ipmacbinding setting" on page 95).
    Default: disable


Example
This example shows how to add and enable an IP/MAC entry to the IP/MAC binding table.
config firewall ipmacbinding table
edit 1
set ip 172.16.44.55
set mac 00:10:F3:04:7A:4C
set name RemoteAdmin
set status enable
end
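The following Python model, added here and not part of the FortiGate CLI reference or of FortiOS, works through how the ipmacbinding setting flags and the table entries combine when a packet is evaluated: wildcard 0.0.0.0 and 00:00:00:00:00:00 entries, disabled rows, the rule that one IP may not be bound to two MAC addresses, and the undefinedhost decision. The rule that a known IP or MAC presented with the wrong partner is dropped rather than treated as an undefined host is this example's reading of the Note above, and every table row other than the page's RemoteAdmin entry is constructed.

```python
"""Model of FortiGate IP/MAC binding decisions (added example, not Fortinet code).

Assumptions beyond the page: matching uses enabled entries only; 0.0.0.0 and
00:00:00:00:00:00 are wildcards as the table description states; a packet whose
IP or MAC appears in an enabled entry but not as the bound pair is treated as a
changed host and dropped (the page's Note says changed hosts lose access), while
a pair with neither value in the table is an undefined host decided by
`undefinedhost`.  Table rows below other than RemoteAdmin are constructed.
"""
from dataclasses import dataclass, field

WILDCARD_IP = "0.0.0.0"
WILDCARD_MAC = "00:00:00:00:00:00"


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form; rejects anything that is not six hex octets."""
    octets = mac.replace("-", ":").lower().split(":")
    if len(octets) != 6 or any(
        len(o) != 2 or not all(c in "0123456789abcdef" for c in o) for o in octets
    ):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(octets)


@dataclass
class Entry:
    """One `config firewall ipmacbinding table` row."""
    index: int
    ip: str = WILDCARD_IP
    mac: str = WILDCARD_MAC
    name: str = "noname"
    status: str = "disable"


@dataclass
class BindingTable:
    """`ipmacbinding setting` flags plus the table rows."""
    bindtofw: bool = False
    bindthroughfw: bool = False
    undefinedhost: str = "block"
    entries: list = field(default_factory=list)

    def add(self, entry: Entry) -> None:
        entry.mac = norm_mac(entry.mac)
        # Page rule: many IPs may bind to one MAC, but one IP may not bind to two MACs.
        for other in self.entries:
            if entry.ip != WILDCARD_IP and other.ip == entry.ip and other.mac != entry.mac:
                raise ValueError(f"{entry.ip} is already bound to {other.mac}")
        self.entries.append(entry)

    def decide(self, ip: str, mac: str, direction: str) -> str:
        """Return 'pass' or 'drop' for a packet going 'to' or 'through' the unit."""
        enforced = self.bindtofw if direction == "to" else self.bindthroughfw
        if not enforced:
            return "pass"  # binding not applied on this path; the firewall policy alone decides
        mac = norm_mac(mac)
        active = [e for e in self.entries if e.status == "enable"]
        if any(e.ip in (WILDCARD_IP, ip) and e.mac in (WILDCARD_MAC, mac) for e in active):
            return "pass"  # bound pair (or wildcard) matched; policy list is consulted next
        if any(e.ip == ip or e.mac == mac for e in active):
            return "drop"  # known host, but the pair does not match: IP or MAC changed or spoofed
        return "pass" if self.undefinedhost == "allow" else "drop"


def example_table(undefinedhost: str = "block") -> BindingTable:
    """The page's settings example, its RemoteAdmin row, plus two constructed rows."""
    t = BindingTable(bindtofw=True, bindthroughfw=True, undefinedhost=undefinedhost)
    t.add(Entry(1, "172.16.44.55", "00:10:F3:04:7A:4C", "RemoteAdmin", "enable"))
    t.add(Entry(2, "172.16.44.56", "00:10:F3:04:7A:4C", "RemoteAdmin2", "enable"))  # same MAC, 2nd IP
    t.add(Entry(3, "172.16.44.57", "00:10:F3:04:7A:99", "Disabled", "disable"))     # ignored until enabled
    return t


if __name__ == "__main__":
    t = example_table()
    for pkt in [("172.16.44.55", "00:10:f3:04:7a:4c"), ("172.16.44.55", "00:10:f3:04:7a:4d"),
                ("172.16.44.57", "00:10:f3:04:7a:99"), ("172.16.44.200", "00:aa:bb:cc:dd:ee")]:
        print(pkt, t.decide(*pkt, "through"))
```

Note what the model makes visible: a disabled row gives its host no protection at all (the host is simply undefined), and undefinedhost allow lets any unlisted pair through, so the DHCP caution above applies doubly when allow is chosen.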

History

FortiOS v2.80 Revised.

Related topics
• firewall ipmacbinding setting


ippool
Use this command to configure IP address pools that you can use to configure NAT mode firewall
policies. An IP pool, also called a dynamic IP pool, is a range of IP addresses added to a firewall
interface. You can enable Dynamic IP Pool in a firewall policy to translate the source address to an
address randomly selected from the IP pool. To use IP pools, the IP pool interface must be the same
as the firewall policy destination interface.
Add an IP pool in order to add NAT mode policies that translate source addresses to addresses
randomly selected from the IP pool rather than being limited to the IP address of the destination
interface. IP pools are only available in NAT/Route mode. You can add multiple IP pools to any interface
and configure the firewall policy to select the IP pool to use for that firewall policy.

Syntax
config firewall ippool
edit <index_int>
set endip <address_ipv4>
set interface <name_str>
set startip <address_ipv4>
end

Keywords and variables

<index_int>
    The unique ID number of this IP pool.
    Default: No default.
endip <address_ipv4>
    The end IP of the address range. The end IP must be higher than the start IP. The end IP does not have to be on the same subnet as the IP address of the interface for which you are adding the IP pool.
    Default: 0.0.0.0
interface <name_str>
    Enter the name of a network interface, binding the IP pool to that interface. On FortiGate-200 models and greater, the network interface can also be a VLAN subinterface.
    Default: No default.
startip <address_ipv4>
    The start IP of the address range. The start IP does not have to be on the same subnet as the IP address of the interface for which you are adding the IP pool.
    Default: 0.0.0.0

Example
You might use the following commands to add an IP pool to the internal network interface. The IP pool
would then be available when configuring firewall policies.
config firewall ippool
edit 1
set startip 192.168.1.100
set endip 192.168.1.200
set interface internal
end

History
FortiOS v2.80 Revised.

Related topics
• firewall policy, policy6


ldb-monitor
Use this command to configure health check settings.
Health check settings can be used by load balancing VIPs to determine if a real server is currently
responsive before forwarding traffic. One health check is sent per interval using the specified protocol,
port and HTTP-GET, where applicable to the protocol. If the server does not respond during the
timeout period, the health check fails and, if retries are configured, another health check is performed.
If all health checks fail, the server is deemed unavailable, and another real server is selected to receive
the traffic according to the selected load balancing algorithm.
Health check settings can be re-used by multiple real servers. For details on enabling health checking
and using configured health check settings, see “firewall vip” on page 155.

Syntax
config firewall ldb-monitor
edit <name_str>
set http-get <httprequest_str>
set http-match <contentmatch_str>
set interval <seconds_int>
set port <port_int>
set retry <retries_int>
set timeout <seconds_int>
set type {http | ping | tcp}
end

Keywords and variables

<name_str>
    Enter the name of the health check monitor.
    Default: No default.
http-get <httprequest_str>
    Enter the path (URI) of the HTTP GET request to use when testing the responsiveness of the server.
    This option appears only if type is http.
    Default: No default.
http-match <contentmatch_str>
    Enter the content of the server's reply to the HTTP request that must be matched for the health check to succeed. If the FortiGate unit does not receive a reply from the server, or its reply does not contain matching content, the health check fails.
    This option appears only if type is http.
    Default: No default.
interval <seconds_int>
    Enter the interval time in seconds between health checks.
    Default: 10
port <port_int>
    Enter the port number that will be used by the health check.
    This option does not appear if type is ping.
    Default: 0
retry <retries_int>
    Enter the number of times that the FortiGate unit should retry the health check if a health check fails. If all health checks, including retries, fail, the server is deemed unavailable.
    Default: 3
timeout <seconds_int>
    Enter the timeout in seconds. If the FortiGate unit does not receive a response to the health check in this period of time, the health check fails.
    Default: 2
type {http | ping | tcp}
    Select the protocol used by the health check monitor.
    Default: No default.

Example
You might configure a health check for a server using the HTTP protocol to retrieve a web page. To
ensure that a web page reply containing an error message, such as an HTTP 404 page, does not
inadvertently cause the health check to succeed, you might search the reply for text that does not
occur in any web server error page, such as unique text on a main page.


config firewall ldb-monitor
edit httphealthchecksettings
set type http
set port 8080
set http-get "/index.php"
set http-match "Welcome to Example, Inc."
set interval 5
set timeout 2
set retry 2
end
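As an added illustration in Python (not Fortinet code), the following models the check sequence described above: one probe plus retry further probes, failure when no reply arrives within the timeout, and, for type http, the requirement that the reply contain http-match. The fake real servers, including one that answers every request with a 404 page, are constructed so that the pitfall the example warns about, an error page passing a check that sets no http-match, is visible.

```python
"""Model of ldb-monitor health check semantics (added example, not Fortinet code).

Assumptions beyond the page: a probe is represented by a callable returning the
server's reply body (str) or None for no reply within `timeout`; one check plus
`retry` further checks are made before a server is marked unavailable; for type
http the reply must contain http-match when one is set, while any reply at all
counts for ping/tcp.  The fake servers and their reply bodies are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Monitor:
    """One `config firewall ldb-monitor` entry."""
    name: str
    type: str                       # http | ping | tcp
    port: int = 0
    http_get: str = ""
    http_match: str = ""
    interval: int = 10
    timeout: int = 2
    retry: int = 3


Probe = Callable[[Monitor], Optional[str]]


def attempt_ok(mon: Monitor, reply: Optional[str]) -> bool:
    """Apply the page's pass/fail rule to one reply."""
    if reply is None:
        return False                     # no answer inside the timeout
    if mon.type == "http" and mon.http_match:
        return mon.http_match in reply   # content must be present, not just any page
    return True                          # ping/tcp, or http without http-match: any reply passes


def server_available(mon: Monitor, probe: Probe) -> bool:
    """Run the initial check plus up to `retry` retries; unavailable only if all fail."""
    for _ in range(1 + mon.retry):
        if attempt_ok(mon, probe(mon)):
            return True
    return False


def available_real_servers(mon: Monitor, servers: dict) -> list:
    """Real servers a VIP may still forward to; order is kept for the LB algorithm."""
    return [name for name, probe in servers.items() if server_available(mon, probe)]


# Constructed fake real servers: each is a probe callable.
def healthy(mon: Monitor) -> Optional[str]:
    return f"<html><title>Home</title>Welcome to Example, Inc. ({mon.http_get})</html>"


def misconfigured(mon: Monitor) -> Optional[str]:
    return "<html><h1>404 Not Found</h1>The requested URL was not found.</html>"


def dead(mon: Monitor) -> Optional[str]:
    return None


class Flaky:
    """Answers only from the Nth attempt on; counts attempts so the retry effect is visible."""
    def __init__(self, answer_from: int):
        self.answer_from, self.attempts = answer_from, 0

    def __call__(self, mon: Monitor) -> Optional[str]:
        self.attempts += 1
        return healthy(mon) if self.attempts >= self.answer_from else None


# The page's monitor, and the same monitor with http-match left empty.
STRICT = Monitor("httphealthchecksettings", "http", 8080, "/index.php",
                 "Welcome to Example, Inc.", interval=5, timeout=2, retry=2)
LAX = Monitor("anypage", "http", 8080, "/index.php", "", interval=5, timeout=2, retry=2)

if __name__ == "__main__":
    pool = {"web1": healthy, "web2": misconfigured, "web3": dead}
    print("strict:", available_real_servers(STRICT, pool))   # only web1
    print("lax:   ", available_real_servers(LAX, pool))      # web1 and the 404 server
```

With http-match set, the server returning the 404 page is correctly taken out of rotation; without it, any reply keeps the server in the pool and clients are load balanced onto a broken back end.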

History
FortiOS v3.0 MR6 New command. Configures health check settings which can be used when enabling
health checks for load balanced real servers associated with a virtual IP. This extends and
replaces deprecated commands in config realserver for health check by ICMP
ECHO (ping).

Related topics
• firewall vip


multicast-policy
Use this command to configure a source NAT IP. This command can also be used in Transparent
mode to enable multicast forwarding by adding a multicast policy.
The matched forwarded (outgoing) IP multicast source IP address is translated to the configured IP
address.

Syntax
config firewall multicast-policy
edit <index_int>
set action {accept | deny}
set dnat <address_ipv4>
set dstaddr <address_ipv4mask>
set dstintf <name_str>
set nat <address_ipv4>
set srcaddr <address_ipv4mask>
set srcintf <name_str>
set protocol <multicastlimit_int>
set start-port <port_int>
set end-port <port_int>
end

Keywords and variables

<index_int>
    Enter the unique ID number of this multicast policy.
    Default: No default.
action {accept | deny}
    Enter the policy action.
    Default: accept
dnat <address_ipv4>
    Enter an IP address to destination network address translate (DNAT) externally received multicast destination addresses to addresses that conform to your organization's internal addressing policy.
    Default: 0.0.0.0
dstaddr <address_ipv4mask>
    Enter the destination IP address and netmask, separated by a space, to match against multicast NAT packets.
    Default: 0.0.0.0 0.0.0.0
dstintf <name_str>
    Enter the destination interface name to match against multicast NAT packets.
    Default: No default.
nat <address_ipv4>
    Enter the IP address to substitute for the original source IP address.
    Default: 0.0.0.0
srcaddr <address_ipv4mask>
    Enter the source IP address and netmask to match against multicast NAT packets.
    Default: 0.0.0.0 0.0.0.0
srcintf <name_str>
    Enter the source interface name to match against multicast NAT packets.
    Default: No default.
protocol <multicastlimit_int>
    Limit the number of protocols (services) sent out via multicast using the FortiGate unit.
    Default: 0
start-port <port_int>
    The beginning of the port range used for multicast.
    Default: No default.
end-port <port_int>
    The end of the port range used for multicast.
    Default: 65535


Example
This example shows how to configure a multicast NAT policy.
config firewall multicast-policy
edit 1
set dstaddr 10.0.0.1 255.255.255.0
set dstintf dmz
set nat 10.0.1.1
set srcaddr 192.168.100.12 255.255.255.0
set srcintf internal
end

History

FortiOS v2.80 Revised.
FortiOS v3.0 MR4 Added protocol, start-port, and end-port to multicast-policy.
FortiOS v3.0 MR5 Added dnat.

Related topics
• system global


policy, policy6
Use this command to add, edit, or delete firewall policies.
Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions
used by the FortiGate unit to decide what to do with a connection request. The policy directs the
firewall to allow the connection, deny the connection, require authentication before the connection is
allowed, or apply IPSec or SSL VPN processing.

Note: If you are creating an IPv6 policy, some of the IPv4 options, such as NAT and VPN settings, are not
applicable.

Syntax
config firewall policy, policy6
edit <index_int>
set action {accept | deny | ipsec | ssl-vpn}
set auth-cert <certificate_str>
set auth-path {enable | disable}
set auth-redirect-addr <domainname_str>
set comments <comment_str>
set custom-log-fields <fieldid_int>
set diffserv-forward {enable | disable}
set diffserv-reverse {enable | disable}
set diffservcode-forward <dscp_bin>
set diffservcode-rev <dscp_bin>
set disclaimer {enable | disable}
set dstaddr <name_str>
set dstintf <name_str>
set fixedport {enable | disable}
set forticlient-check {enable | disable}
set forticlient-ra-notinstalled {enable | disable}
set forticlient-ra-notlicensed {enable | disable}
set forticlient-ra-db-outdated {enable | disable}
set forticlient-ra-no-av {enable | disable}
set forticlient-ra-no-fw {enable | disable}
set forticlient-ra-no-wf {enable | disable}
set forticlient-redir-portal {enable | disable}
set fsae {enable | disable}
set fsae-guest-profile <profile_str>
set gbandwidth <limit_int>
set groups <name_str>
set gtp_profile <name_str> (FortiOS Carrier)
set inbound {enable | disable}
set ippool {enable | disable}
set logtraffic {enable | disable}
set maxbandwidth <limit_int>
set nat {enable | disable}
set natinbound {enable | disable}
set natip <address_ipv4mask>
set natoutbound {enable | disable}
set ntlm {enable | disable}
set outbound {enable | disable}
set poolname <name_str>
set priority {high | low | medium}
set profile <name_str>
set profile-status {enable | disable}
set redirect-url <name_str>
set schedule <name_str>
set service <name_str>
set srcaddr <name_str>
set srcintf <name_str>
set sslvpn-auth {any | ldap | local | radius | tacacs+}
set sslvpn-ccert {enable | disable}
set sslvpn-cipher {0 | 1 | 2}
set status {enable | disable}
set tcp-mss-sender <maximumsize_int>
set tcp-mss-receiver <maximumsize_int>
set trafficshaping {enable | disable}
set vpntunnel <name_str>
end
Keywords and variables

<index_int>
    Enter the unique ID number of this policy.
    Default: No default.
action {accept | deny | ipsec | ssl-vpn}
    Select the action that the FortiGate unit will perform on traffic matching this firewall policy.
    • accept: Allow packets that match the firewall policy. Also enable or disable nat to make this a NAT policy (NAT/Route mode only), enable or disable ippool so that the NAT policy selects a source address for packets from a pool of IP addresses added to the destination interface, and enable or disable fixedport so that the NAT policy does not translate the packet source port.
    • deny: Deny packets that match the firewall policy.
    • ipsec: Allow and apply IPSec VPN. When action is set to ipsec, you must specify the vpntunnel attribute. You may also enable or disable the inbound, outbound, natoutbound, and natinbound attributes and/or specify a natip value.
    • ssl-vpn: Allow and apply SSL VPN. When action is set to ssl-vpn, you may specify values for the sslvpn-auth, sslvpn-ccert, and sslvpn-cipher attributes.
    For IPv6 policies, only the accept and deny options are available.
    Default: deny
auth-cert <certificate_str>
    Select an HTTPS server certificate for policy authentication. self-sign is the built-in, self-signed certificate; if you have added other certificates, you may select them instead.
    Default: No default.
auth-path {enable | disable}
    Select to apply authentication-based routing. You must also specify a RADIUS server, and the RADIUS server must be configured to supply the name of an object specified in config router auth-path. For details on configuring authentication-based routes, see "router auth-path" on page 228.
    Default: disable
auth-redirect-addr <domainname_str>
    Enter the IP address or domain name that the FortiGate unit will use when performing an HTTP-to-HTTPS URL redirect for firewall policy authentication.
    To prevent web browser security warnings, this should match the CN field of the specified auth-cert, which is usually a fully qualified domain name (FQDN).
    This option appears only if groups is configured.
    Default: No default.

comments <comment_str>
    Enter a description or other information about the policy. (Optional.)
    comment_str is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces. For more information, see "Entering spaces in strings" on page 45.
    Default: No default.
custom-log-fields <fieldid_int>
    Enter custom log field index numbers to append one or more custom log fields to the log message for this policy. Separate multiple custom log field indices with a space. (Optional.)
    This option takes effect only if logging is enabled for the policy, and requires that you first define custom log fields. For details, see "log custom-field" on page 190.
    Default: No default.
diffserv-forward {enable | disable}
    Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic. If enabled, also configure diffservcode-forward.
    Default: disable
diffserv-reverse {enable | disable}
    Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of reverse (reply) traffic. If enabled, also configure diffservcode-rev.
    Default: disable
diffservcode-forward <dscp_bin>
    Enter the differentiated services code point (DSCP) value that the FortiGate unit will apply to the field of originating (forward) packets. The value is 6 bits binary. The valid range is 000000-111111.
    This option appears only if diffserv-forward is enable.
    For details and DSCP configuration examples, see the Knowledge Center article Differentiated Services Code Point (DSCP) behavior.
    Default: 000000
diffservcode-rev <dscp_bin>
    Enter the differentiated services code point (DSCP) value that the FortiGate unit will apply to the field of reply (reverse) packets. The value is 6 bits binary. The valid range is 000000-111111.
    This option appears only if diffserv-reverse is enable.
    For details and DSCP configuration examples, see the Knowledge Center article Differentiated Services Code Point (DSCP) behavior.
    Default: 000000
disclaimer {enable | disable}
    Enable to display the authentication disclaimer page, which is configured with other replacement messages. The user must accept the disclaimer to connect to the destination.
    This option appears only if profile or groups (authentication) is configured, and only appears on some models.
    Default: disable
dstaddr <name_str>
    Enter one or more destination firewall addresses, or a virtual IP if creating a NAT policy. Separate multiple firewall addresses with a space.
    If action is set to ipsec, enter the name of the IP address to which IP packets may be delivered at the remote end of the IPSec VPN tunnel. For details, see "Defining IP source and destination addresses" in the FortiGate IPSec VPN User Guide.
    If action is set to ssl-vpn, enter the name of the IP address that corresponds to the host, server, or network that remote clients need to access behind the FortiGate unit.
    For details on configuring virtual IPs, see "vip" on page 155.
    Default: No default.
dstintf <name_str>
    Enter the destination interface for the policy. The interface can be a physical interface, a VLAN subinterface, or a zone.
    If action is set to ipsec, enter the name of the interface to the external (public) network.
    If action is set to ssl-vpn, enter the name of the interface to the local (private) network.
    Note: If an interface or VLAN subinterface has been added to a zone, the interface or VLAN subinterface cannot be used for dstintf.
    Default: No default.

fixedport {enable | disable}
    Enable to preserve packets' source port number, which may otherwise be changed by a NAT policy. Some applications do not function correctly if the source port number is changed, and may require this option.
    If fixedport is enable, you should usually also enable IP pools; if you do not configure an IP pool for the policy, only one connection can occur at a time for this port.
    Default: disable
forticlient-check {enable | disable}
    Enable to perform FortiClient Host Security software verifications. To specify the action that the FortiGate unit takes if a verification fails, also configure:
    • forticlient-ra-notinstalled
    • forticlient-ra-notlicensed
    • forticlient-ra-db-outdated
    • forticlient-ra-no-av
    • forticlient-ra-no-fw
    • forticlient-ra-no-wf
    • forticlient-redir-portal
    This feature is available only on FortiGate-1000A, FortiGate-3600A and FortiGate-5005FA2 models, and can detect FortiClient Host Security software version 3.0 MR2 or later.
    Default: disable
forticlient-ra-notinstalled {enable | disable}
    Deny access to this firewall policy if the host does not have FortiClient Host Security software installed. This option is available only if forticlient-check is enable.
    Default: disable
forticlient-ra-notlicensed {enable | disable}
    Deny access to this firewall policy if the host does not have a licensed copy of FortiClient Host Security software installed. This option is available only if forticlient-check is enable.
    Default: disable
forticlient-ra-db-outdated {enable | disable}
    Deny access to this firewall policy if the FortiClient Host Security antivirus database on the host is out of date. This option is available only if forticlient-check is enable.
    Default: disable
forticlient-ra-no-av {enable | disable}
    Deny access to this firewall policy if the FortiClient Host Security antivirus feature is not enabled on the host. This option is available only if forticlient-check is enable.
    Default: disable
forticlient-ra-no-fw {enable | disable}
    Deny access to this firewall policy if the FortiClient Host Security firewall is not enabled on the host. This option is available only if forticlient-check is enable.
    Default: disable
forticlient-ra-no-wf {enable | disable}
    Deny access to this firewall policy if FortiClient Host Security web filtering is not enabled on the host. This option is available only if forticlient-check is enable.
    Default: disable
forticlient-redir-portal {enable | disable}
    Redirect denied users to the internal web portal. The portal page displays the reason the user was denied access. If a FortiClient installation package is stored on the FortiGate unit, the user can download FortiClient Host Security software from the portal. You can change the TCP port for the portal using the forticlient-portal-port keyword. For details, see "system global" on page 350.
    Default: disable
fsae {enable | disable}
    Enable or disable Active Directory authentication. If you enable this option, you must also define the user groups and the guest account protection profile. For details, see "fsae-guest-profile <profile_str>" on page 107 and "groups <name_str>" on page 108.
    Default: disable
fsae-guest-profile <profile_str>
    Enter the name of the protection profile used when a guest account authenticates using FSAE.
    Default: No default.
gbandwidth <limit_int>
    Enter the amount of bandwidth guaranteed to be available for traffic controlled by the policy. limit_int can be 0 to 100000 Kbytes/second.
    This option appears only if trafficshaping is enable.
    Default: 0

groups <name_str>
    Enter one or more user group names for users that authenticate to use this policy. When user groups are created, they are paired with protection profiles.
    This option appears only if action is accept.
    Default: No default.
gtp_profile <name_str> (FortiOS Carrier)
    When a GTP profile is being used, enter the name of a profile to add the GTP profile to the policy. The name_str variable is case-sensitive. For details on configuring GTP profiles, see "gtp (FortiOS Carrier)" on page 87.
    Default: No default.
inbound {enable | disable}
    When action is set to ipsec, enable or disable traffic from computers on the remote private network to initiate an IPSec VPN tunnel.
    Default: disable
ippool {enable | disable}
    When the action is set to accept and NAT is enabled, configure a NAT policy to translate the source address to an address randomly selected from the first IP pool added to the destination interface of the policy. If fixedport is specified for a service or for dynamic NAT, use IP pools.
    Default: disable
logtraffic {enable | disable}
    Enable or disable recording traffic log messages for this policy.
    Default: disable
maxbandwidth <limit_int>
    Enter the maximum amount of bandwidth available for traffic controlled by the policy. limit_int can be 0 to 100000 Kbytes/second. If maximum bandwidth is set to 0, no traffic is allowed by the policy.
    This option appears only if trafficshaping is enable.
    Default: 0
nat {enable | disable}
    Enable or disable network address translation (NAT). NAT translates the address and the port of packets accepted by the policy. When NAT is enabled, ippool and fixedport can also be enabled or disabled.
    FortiOS v3.0 also supports NAT in transparent mode. For details see "Example Two: Adding a NAT policy in transparent mode" on page 111.
    This option appears only if action is accept or ssl-vpn.
    Default: disable
natinbound {enable | disable}
    Enable or disable translating the source addresses of IP packets emerging from the tunnel into the IP address of the FortiGate unit's network interface to the local private network.
    This option appears only if action is ipsec.
    Default: disable
natip <address_ipv4mask>
    When action is set to ipsec and natoutbound is enabled, specify the source IP address and subnet mask to apply to outbound clear text packets before they are sent through the tunnel.
    If you do not specify a natip value when natoutbound is enabled, the source addresses of outbound encrypted packets are translated into the IP address of the FortiGate unit's external interface. When a natip value is specified, the FortiGate unit uses a static subnetwork-to-subnetwork mapping scheme to translate the source addresses of outbound IP packets into corresponding IP addresses on the subnetwork that you specify. For example, if the source address in the firewall encryption policy is 192.168.1.0/24 and the natip value is 172.16.2.0/24, a source address of 192.168.1.7 will be translated to 172.16.2.7.
    Default: 0.0.0.0 0.0.0.0
natoutbound {enable | disable}
    When action is set to ipsec, enable or disable translating the source addresses of outbound encrypted packets into the IP address of the FortiGate unit's outbound interface. Enable this attribute in combination with the natip attribute to change the source addresses of IP packets before they go into the tunnel.
    Default: disable
ntlm {enable | disable}
    Enable or disable Active Directory authentication via NTLM. If you enable this option, you must also define the user groups. For details, see "groups <name_str>" on page 108.
    Default: disable

outbound {enable | disable}
    When action is set to ipsec, enable or disable traffic from computers on the local private network to initiate an IPSec VPN tunnel.
    Default: disable
poolname <name_str>
    Enter the name of the IP pool.
    This variable appears only if nat and ippool are enable and when dstintf is the network interface bound to the IP pool.
    Default: No default.
priority {high | low | medium}
    Select the priority level for traffic controlled by the policy.
    This option appears only if trafficshaping is enable.
    Default: high
profile <name_str>
    Enter the name of a protection profile to use with the policy.
    This option appears only if profile-status is enable.
    Default: No default.
profile-status {enable | disable}
    Enable or disable using a protection profile with the policy. If enabled, also configure profile.
    This is automatically disabled if a user group with an associated protection profile has been configured in groups. In that case, the protection profile is determined by the user group, rather than the firewall policy.
    Default: disable
redirect-url <name_str>
    Enter a URL, if any, that the user is redirected to after authenticating and/or accepting the user authentication disclaimer. This option is available on some models, and only appears if disclaimer is enable.
    Default: No default.
schedule <name_str>
    Enter the name of the one-time or recurring schedule to use for the policy.
    Default: No default.
service <name_str>
    Enter the name of one or more services, or a service group, to match with the firewall policy. Separate multiple services with a space.
    Default: No default.
srcaddr <name_str>
    Enter one or more source firewall addresses for the policy. Separate multiple firewall addresses with a space.
    If action is set to ipsec, enter the private IP address of the host, server, or network behind the FortiGate unit.
    If action is set to ssl-vpn and the firewall encryption policy is for web-only mode clients, type all.
    If action is set to ssl-vpn and the firewall encryption policy is for tunnel mode clients, enter the name of the IP address range that you reserved for tunnel mode clients. To define an address range for tunnel mode clients, see "ssl settings" on page 538.
    Default: No default.
srcintf <name_str>
    Enter the source interface for the policy. The interface can be a physical interface, a VLAN subinterface or a zone.
    If the interface or VLAN subinterface has been added to a zone, the interface or VLAN subinterface cannot be used for srcintf.
    If action is set to ipsec, enter the name of the interface to the local (private) network.
    If action is set to ssl-vpn, enter the name of the interface that accepts connections from remote clients.
    Default: No default.
sslvpn-auth {any | ldap | local | radius | tacacs+}
    If action is set to ssl-vpn, enter one of the following client authentication options:
    • If you want the FortiGate unit to authenticate remote clients using any local user group, a RADIUS server, or an LDAP server, type any.
    • If the user group is a local user group, type local.
    • If the remote clients are authenticated by an external RADIUS server, type radius.
    • If the remote clients are authenticated by an external LDAP server, type ldap.
    • If the remote clients are authenticated by an external TACACS+ server, type tacacs+.
    You must also set the name of the group which will use the authentication method. For details, see "groups <name_str>" on page 108.
    Default: any

sslvpn-ccert {enable | disable}
    If action is set to ssl-vpn, enable or disable the use of security certificates to authenticate remote clients.
    Default: disable
sslvpn-cipher {0 | 1 | 2}
    If action is set to ssl-vpn, enter one of the following options to determine the level of SSL encryption to use. The web browser on the remote client must be capable of matching the level that you select:
    • To use any cipher suite, type 0.
    • To use a 164-bit or greater cipher suite (high), type 1.
    • To use a 128-bit or greater cipher suite (medium), type 2.
    Default: 0
status {enable | disable}
    Enable or disable the policy.
    Default: enable
tcp-mss-sender <maximumsize_int>
    Enter the TCP maximum segment size (MSS) for the sender. When a FortiGate unit is configured to use PPPoE to connect to an ISP, certain web sites may not be accessible to users. This occurs because the PPPoE header takes 8 bytes out of the standard Ethernet MTU of 1500.
    When the server sends a large packet with the DF bit set to 1, the ADSL provider's router either does not send an "ICMP fragmentation needed" packet or the packet is dropped along the path to the web server. In either case, the web server never learns that fragmentation is required to reach the client.
    In this case, configure the tcp-mss-sender option to enable access to all web sites. For more information, see the article Cannot view some web sites when using PPPoE on the Fortinet Knowledge Center.
    Default: 0
tcp-mss-receiver <maximumsize_int>
    Enter the TCP MSS for the receiver.
    Default: 0
trafficshaping {enable | disable}
    Enable or disable traffic shaping. Also configure gbandwidth, maxbandwidth, and priority.
    Default: disable
vpntunnel <name_str>
    Enter the name of a Phase 1 IPSec VPN configuration to apply to the tunnel.
    This option appears only if action is ipsec.
    Default: No default.
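The natip mapping described for IPSec policies above, carried through as an added Python example (not Fortinet code): with natoutbound enabled, the host part of the source address is kept and the network part is replaced by the natip subnet, so 192.168.1.7 in 192.168.1.0/24 becomes 172.16.2.7 in 172.16.2.0/24, and with natip left at its default the source becomes the external interface address. The requirement that the two subnets be the same size, the external interface address 203.0.113.1, and the parsing of the CLI's "ip mask" form are this example's own assumptions.

```python
"""natoutbound/natip source translation as described for IPSec firewall policies
(added example, not Fortinet code).

Assumptions beyond the page: addresses are written as the CLI does, "ip mask"
separated by a space (CIDR is accepted too); the policy srcaddr and natip subnets
must be the same size for a static host-for-host mapping to be well defined
(this example checks that); natip left at its default 0.0.0.0 0.0.0.0 means
"use the external interface address" as the page states.  203.0.113.1 below is a
constructed external interface address.
"""
import ipaddress

UNSET_NATIP = "0.0.0.0 0.0.0.0"


def parse_net(text: str) -> ipaddress.IPv4Network:
    """Accept '172.16.2.0 255.255.255.0' (CLI form) or '172.16.2.0/24'."""
    return ipaddress.IPv4Network(text.replace(" ", "/"), strict=False)


def natip_translate(src_ip: str, policy_srcaddr: str, natip: str) -> str:
    """Static subnet-to-subnet mapping: keep the host part, swap the network part."""
    src = ipaddress.IPv4Address(src_ip)
    src_net, nat_net = parse_net(policy_srcaddr), parse_net(natip)
    if src not in src_net:
        raise ValueError(f"{src_ip} is not covered by policy srcaddr {policy_srcaddr}")
    if src_net.prefixlen != nat_net.prefixlen:
        # Example's own sanity check: a /24 cannot map host-for-host onto a /16.
        raise ValueError("natip subnet must be the same size as the policy source subnet")
    host_part = int(src) - int(src_net.network_address)
    return str(nat_net.network_address + host_part)


def outbound_source(src_ip: str, policy_srcaddr: str, natoutbound: bool,
                    natip: str, external_if_ip: str) -> str:
    """Source address a clear-text packet carries when it enters the tunnel."""
    if not natoutbound:
        return src_ip                       # no translation before encryption
    if parse_net(natip) == parse_net(UNSET_NATIP):
        return external_if_ip               # default natip: hide behind the unit's address
    return natip_translate(src_ip, policy_srcaddr, natip)


if __name__ == "__main__":
    # The page's worked case: 192.168.1.7 in 192.168.1.0/24 -> 172.16.2.7 in 172.16.2.0/24
    print(outbound_source("192.168.1.7", "192.168.1.0 255.255.255.0", True,
                          "172.16.2.0 255.255.255.0", "203.0.113.1"))
```

The practical point of the mapping is that the remote site sees a stable, per-host translated address rather than a single shared one, so remote-side firewall rules and logs can still tell local hosts apart.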

Example One: Adding a policy in NAT/Route mode
On a FortiGate-100, FortiGate-200, or FortiGate-300, use the following example to add policy number
2 that allows users on the external network to access a web server on a DMZ network. The policy:
• Is for connections from the external interface (srcintf is external) to the DMZ interface
(dstintf is dmz)
• Is enabled
• Allows users from any IP address on the Internet to access the web server (srcaddr is all)
• Allows access to an address on the DMZ network (dstaddr is dmz_web_server)
• Sets the schedule to Always so that users can access the web server 24 hours a day, seven
days a week
• Sets the service to HTTP to limit access to the web server to HTTP connections
• Sets action to accept to allow connections
• Applies network address translation (nat is enabled)
• Applies traffic shaping to guarantee 100 KBytes/s of bandwidth is available, to limit the maximum
bandwidth to 500 KBytes/second, and to set the priority for the traffic accepted by this policy to
medium (trafficshaping enabled, gbandwidth set to 100, maxbandwidth set to 500,
priority set to medium)


config firewall policy
edit 2
set srcintf external
set dstintf dmz
set status enable
set srcaddr all
set dstaddr dmz_web_server
set schedule Always
set service HTTP
set action accept
set nat enable
set trafficshaping enable
set gbandwidth 100
set maxbandwidth 500
set priority medium
end

Example Two: Adding a NAT policy in transparent mode


For NAT firewall policies to work in NAT/Route mode you must have two interfaces on two different
networks with two different subnet addresses. Then you can create firewall policies to translate source
or destination addresses for packets as they are relayed by the FortiGate unit from one interface to the
other.
A FortiGate unit operating in Transparent mode normally has only one IP address, the management IP.
To support NAT in Transparent mode you can add a second management IP. These two management
IPs must be on different subnets. When you add two management IP addresses, all FortiGate unit
network interfaces will respond to connections to both of these IP addresses.
In the example below, all of the PCs on the internal network (subnet address 192.168.1.0/24) are
configured with 192.168.1.99 as their default route. One of the management IPs of the FortiGate unit is
set to 192.168.1.99. This configuration results in a typical NAT mode firewall. When a PC on the
internal network attempts to connect to the internet, the PC's default route sends packets destined for
the internet to the FortiGate unit internal interface.
Similarly on the DMZ network (subnet address 10.1.1.0/24) all of the PCs have a default route of
10.1.1.99.
The example describes adding an internal to wan1 firewall policy to relay these packets from the
internal interface out the wan1 interface to the Internet. Because the wan1 interface does not have an
IP address of its own, you must add an IP pool to the wan1 interface that translates the source
addresses of the outgoing packets to an IP address on the network connected to the wan1 interface.
The example describes adding an IP pool with a single IP address of 10.1.1.201. So all packets sent
by a PC on the internal network that are accepted by the internal to wan1 policy leave the wan1
interface with their source address translated to 10.1.1.201. These packets can now travel across the
Internet to their destination. Reply packets return to the wan1 interface because they have a
destination address of 10.1.1.201. The internal to wan1 NAT policy translates the destination address
of these return packets to the IP address of the originating PC and sends them out the internal
interface to the originating PC.
Use the following steps to configure NAT in Transparent mode:
• Adding two management IPs
• Adding an IP pool to the wan1 interface
• Adding an internal to wan1 firewall policy

Adding two management IPs


Use the following commands to add two management IPs. The second management IP is the default
gateway for the internal network.
config system settings
    set manageip 10.1.1.99/24 192.168.1.99/24
end

Adding an IP pool to the wan1 interface


Use the following command to add an IP pool to the wan1 interface:
config firewall ippool
    edit nat-out
        set interface "wan1"
        set startip 10.1.1.201
        set endip 10.1.1.201
    end

Adding an internal to wan1 firewall policy


Use the following command to add an internal to wan1 firewall policy with NAT enabled that also
includes an IP pool:
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        set ippool enable
        set poolname nat-out
    end
Note: You can add the firewall policy from the web-based manager and then use the CLI to enable NAT
and add the IP Pool.

History

FortiOS v2.80: Revised.
FortiOS v2.80 MR2: Replaced usrgrp keyword with userdomain. Added poolname keyword.
FortiOS v2.80 MR3: Removed userdomain keyword. Added groups keyword.
FortiOS v2.80 MR6: Removed authentication keyword. Authentication is automatically enabled for a policy when one or more user groups are set with the groups keyword.
FortiOS v3.0: Added ssl-vpn options: sslvpn-ccert, sslvpn-cipher, and sslvpn-auth. The encrypt action name changed to ipsec. Updated ipsec options: vpntunnel, inbound, outbound, natoutbound, natinbound, and natip. Added fsae. Changes to profile and profile_status. Added tcp-mss-sender and tcp-mss-receiver.
FortiOS v3.0 MR4: Added the command ntlm. Described the new ability to add multiple entries for the following commands: srcaddr, dstaddr, and service. NAT policy in transparent mode example added.
FortiOS v3.0 MR5: Added secure-vlan keyword. This is available only on the FortiGate-224B unit.
FortiOS v3.0 MR6: New variable custom-log-fields <fieldid_int>. Selects custom log fields to append to the policy’s log message.
FortiOS v3.0 MR6: New option tacacs+. Selects TACACS+ authentication method when the firewall policy action is set to ssl-vpn.
FortiOS v3.0 MR6: New variable auth-path {enable | disable}. Enables or disables authentication-based routing.
FortiOS v3.0 MR6: New variable auth-redirect-addr <domainname_str>. Specifies the address used in the URL when performing HTTP-to-HTTPS redirects for policy authentication.

Related topics
• firewall address, address6
• firewall profile
• firewall schedule onetime
• firewall schedule recurring
• firewall service custom
• firewall service group


profile
Use this command to configure protection profiles which can be applied to traffic by selecting the
protection profile in one or more firewall policies, or by associating a protection profile with a firewall
user group. The firewall policy will apply the subset of the protection profile that is relevant to the
service or service group.

Syntax
config firewall profile
edit <profile_str>
set aim {enable-inspect | } {archive-full archive-summary block-audio
block-encrypt block-file block-im block-long-chat block-photo
inspect-anyport no-content-summary}
set bittorrent {block | pass | limit}
set bittorrent-limit <limit_int>
set comment <comment_str>
set edonkey {block | pass | limit}
set edonkey-limit <limit_int>
set filepattable <index_int> (not in FortiOS Carrier)
set file-pat-table <index_int> (FortiOS Carrier)
set file-type-table <index_int> (FortiOS Carrier)
set ftgd-wf-allow {all | <category_str>}
set ftgd-wf-deny {all | <category_str>}
set ftgd-wf-enable {all | <category_str>}
set ftgd-wf-disable {all | <category_str>}
set ftgd-wf-https-options {allow-ovrd error-allow rate-server-ip
strict-blocking}
set ftgd-wf-log {all | <category_str>}
set ftgd-wf-options {allow-ovrd error-allow http-err-detail
rate-image-urls rate-server-ip redir-block strict-blocking}
set ftgd-wf-ovrd {all | <category_str>}
set ftp {archive-full archive-summary avmonitor avquery block
clientcomfort filetype no-content-summary oversize quarantine scan
scanextended splice}
set ftpcomfortamount <size_int>
set ftpcomfortinterval <seconds_int>
set ftpoversizelimit <size_int>
set gnutella {block | pass | limit}
set gnutella-limit <limit_int>
set http {activexfilter archive-full archive-summary avmonitor
avquery bannedword block chunkedbypass clientcomfort cookiefilter
exemptword filetype fortiguard-wf javafilter no-content-summary
oversize quarantine rangeblock scan scanextended strict-file
urlfilter}
set httpcomfortamount <size_int>
set httpcomfortinterval <seconds_int>
set httpoversizelimit <size_int>
set http-retry-count <retry_int>
set https {allow-ssl-unknown-sess-id block-invalid-url fortiguard-wf
no-content-summary urlfilter}
set icq {enable-inspect | } {archive-full archive-summary block-audio
block-file block-im block-photo inspect-anyport no-content-
summary}

set im {avmonitor avquery block oversize quarantine scan}
set imap { archive-full archive-summary avmonitor avquery bannedword
block filetype fragmail no-content-summary oversize quarantine
scan spam-mail-log spamemailbwl spamfschksum spamfsip spamfssubmit
spamfsurl spamhdrcheck spamipbwl spamraddrdns spamrbl}
set imapoversizelimit <size_int>
set imap-spamaction {pass | tag}
set imap-spamtagmsg <message_str>
set imap-spamtagtype {header | subject} {spaminfo | }
set imoversizelimit <size_int>
set imoversizechat <size_int>
set ips-sensor <name_str>
set ips-sensor-status {enable | disable}
set kazaa {block | pass | limit}
set kazaa-limit <limit_int>
set log-antispam-mass-mms {enable | disable} (FortiOS Carrier)
set log-av-block {enable | disable}
set log-av-msisdn-filter {enable | disable} (FortiOS Carrier)
set log-av-oversize {enable | disable}
set log-av-virus {enable | disable}
set log-im {enable | disable}
set log-intercept {enable | disable} (FortiOS Carrier)
set log-ips {enable | disable}
set log-mms-notification {enable | disable} (FortiOS Carrier)
set log-p2p {enable | disable}
set log-spam {enable | disable}
set log-voip {enable | disable}
set log-voip-violations {enable | disable}
set log-web-content {enable | disable}
set log-web-filter-activex {enable | disable}
set log-web-filter-applet {enable | disable}
set log-web-filter-cookie {enable | disable}
set log-web-ftgd-err {enable | disable}
set log-web-url {enable | disable}
set mail-sig <signature_str>
set mailsig-status {enable | disable}
set mm1 {archive-full archive-summary avmonitor avquery bannedword
block chunkedbypass clientcomfort exemptword filetype msisdn-bwl
no-content-summary oversize quarantine scan server-comfort
strict-file} (FortiOS Carrier)
set mm3 {archive-full archive-summary avmonitor avquery bannedword
block filetype fragmail msisdn-bwl no-content-summary oversize
quarantine scan splice} (FortiOS Carrier)
set mm4 {archive-full archive-summary avmonitor avquery bannedword
block filetype fragmail msisdn-bwl no-content-summary oversize
quarantine scan splice} (FortiOS Carrier)
set mm7 {archive-full archive-summary avmonitor avquery bannedword
block chunkedbypass clientcomfort exemptword filetype msisdn-bwl
no-content-summary oversize quarantine scan server-comfort
strict-file} (FortiOS Carrier)
set mm1-addr-hdr <identifier_str> (FortiOS Carrier)
set mm1-addr-source {cookie | http-header} (FortiOS Carrier)
set mm1-convert-hex {enable | disable} (FortiOS Carrier)
set mm1-retr-dupe {enable | disable} (FortiOS Carrier)

set mm1comfortamount <size_int> (FortiOS Carrier)
set mm1comfortinterval <seconds_int> (FortiOS Carrier)
set mm7-addr-hdr <identifier_str> (FortiOS Carrier)
set mm7-addr-source {cookie | http-header} (FortiOS Carrier)
set mm7-convert-hex {enable | disable} (FortiOS Carrier)
set mm7comfortamount <size_int> (FortiOS Carrier)
set mm7comfortinterval <seconds_int> (FortiOS Carrier)
set mms-bword-table <index_int> (FortiOS Carrier)
set mms-bword-threshold (FortiOS Carrier)
set mms-exmword-table (FortiOS Carrier)
set mms-file-pat-table <index_int> (FortiOS Carrier)
set mms-file-type-table <index_int> (FortiOS Carrier)
set mms-msisdn-bwl-table <index_int> (FortiOS Carrier)
set msisdn-prefix {enable | disable} (FortiOS Carrier)
set msisdn-prefix-string (FortiOS Carrier)
set msisdn-prefix-range-min (FortiOS Carrier)
set msisdn-prefix-range-max (FortiOS Carrier)
set msn {enable-inspect | } {archive-full archive-summary block-audio
block-file block-im block-photo no-content-summary}
set nntp {archive-full archive-summary avmonitor avquery block
filetype no-content-summary oversize scan spam-mail-log }
set nntpoversizelimit <limit_int>
set p2p {enable | disable}
set pop3 {archive-full archive-summary avmonitor avquery bannedword
block filetype fragmail no-content-summary oversize quarantine scan
spam-mail-log spamemailbwl spamfschksum spamfsip spamfssubmit
spamfsurl spamhdrcheck spamipbwl spamraddrdns spamrbl}
set pop3oversizelimit <size_int>
set pop3-spamaction {pass | tag}
set pop3-spamtagmsg <message_str>
set pop3-spamtagtype {header | subject} {spaminfo | }
set replacemsg-group <name_str>
set skype {block | pass}
set smtp {archive-full archive-summary avmonitor avquery bannedword
block filetype fragmail no-content-summary oversize quarantine scan
spam-mail-log spamemailbwl spamfsip spamfschksum spamfsurl
spamhdrcheck spamhelodns spamipbwl spamraddrdns spamrbl splice}
set smtp-spam-localoverride {enable | disable}
set smtpoversizelimit <size_int>
set smtp-spamaction {discard | pass | tag}
set smtp-spamhdrip {enable | disable}
set smtp-spamtagmsg <message_str>
set smtp-spamtagtype {header | subject} {spaminfo | }
set spambwordtable <index_int>
set spamemaddrtable <index_int>
set spamipbwltable <index_int>
set spamiptrusttable <index_int>
set spammheadertable <index_int>
set spamrbltable <index_int>
set spambwordthreshold <value_int>
set webbwordtable <index_int> (not in FortiOS Carrier)
set web-bword-table <index_int> (FortiOS Carrier)
set webbwordthreshold <value_int> (not in FortiOS Carrier)
set web-bword-threshold <value_int> (FortiOS Carrier)

set webexmwordtable <index_int> (not in FortiOS Carrier)
set web-exmword-table <index_int> (FortiOS Carrier)
set weburlfiltertable <index_int>
set winny {block | pass | limit}
set winny-limit <limit_int>
set yahoo {enable-inspect | } {archive-full archive-summary
block-audio block-file block-im block-photo inspect-anyport no-
content-summary}
config dupe {mm1 | mm4} (FortiOS Carrier)
set status {enable | disable}
set action {archive block intercept log}
set block-time <minutes_int>
set limit <duplicatetrigger_int>
set window <minutes_int>
get protocol
end
config flood {mm1 | mm4} (FortiOS Carrier)
set status {enable | disable}
set action {archive block intercept log}
set block-time <minutes_int>
set limit <floodtrigger_int>
set window <minutes_int>
get protocol
end
config notification {mm1 | mm3 | mm4 | mm7} (FortiOS Carrier)
set bword-int <noticeinterval_int>
set bword-int-mode {minutes | hours}
set bword-status {enable | disable}
set detect-server {enable | disable}
set dupe-int <interval_int>
set dupe-int-mode {hours | minutes}
set dupe-status
set file-block-int <noticeinterval_int>
set file-block-int-mode {hours | minutes}
set file-block-status {enable | disable}
set flood-int <interval_int>
set flood-int-mode {hours | minutes}
set flood-status
set from-in-header {enable | disable}
set mmsc-hostname
set mmsc-password <passwd_str>
set mmsc-port
set mmsc-url
set mmsc-username <user_str>
set msg-protocol {mm1 | mm3 | mm4 | mm7}
set msg-type {deliver-req | send-req}
set msisdn-bwl-int <interval_int>
set msisdn-bwl-int-mode {hours | minutes}
set msisdn-bwl-status {enable | disable}
set rate-limit <limit_int>
set tod-window-start <window_time>
set tod-window-end <window_time>
set vas-id <vas_str>
set vasp-id <vasp_str>

set virus-int <interval_int>
set virus-int-mode {hours | minutes}
set virus-status {enable | disable}
end
config sccp
set status {enable | disable}
set archive-summary {enable | disable}
set block-mcast {enable | disable}
set max-calls <limit_int>
set no-content-summary {enable | disable}
set verify-header {enable | disable}
end
config simple
set status {enable | disable}
set archive-full {enable | disable}
set archive-summary {enable | disable}
set block-message {enable | disable}
set message-rate <limit_int>
end
config sip
set status {enable | disable}
set ack-rate <rate_int>
set archive-summary {enable | disable}
set block-ack {enable | disable}
set block-bye {enable | disable}
set block-cancel {enable | disable}
set block-info {enable | disable}
set block-invite {enable | disable}
set block-long-lines {enable | disable}
set block-notify {enable | disable}
set block-options {enable | disable}
set block-prack {enable | disable}
set block-publish {enable | disable}
set block-refer {enable | disable}
set block-register {enable | disable}
set block-subscribe {enable | disable}
set block-unknown {enable | disable}
set block-update {enable | disable}
set call-keepalive <limit_int>
set info-rate <rate_int>
set invite-rate <limit_int>
set max-dialogs <limit_int>
set max-line-length <limit_int>
set no-sdp-fixup {enable | disable}
set notify-rate <limit_int>
set options-rate <limit_int>
set prack-rate <limit_int>
set preserve-override {enable | disable}
set primary-secondary {enable | disable}
set refer-rate <limit_int>
set register-rate <limit_int>
set rtp {enable | disable}
set strict-register {enable | disable}
set subscribe-rate <limit_int>

set timeout-buffer <calls_int>
set update-rate <limit_int>
end
end
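A complete protection profile and a policy that applies it, added here as an illustration (it is not an example from the original reference): the profile turns on HTTP and FTP antivirus scanning, FortiGuard web filtering using the category codes named in the keyword descriptions that follow, P2P bandwidth limiting, and the matching log options; the policy applies the profile to internal-to-wan1 HTTP and FTP traffic and also sets tcp-mss-sender for the PPPoE case described under the firewall policy keywords. The profile name web_users, policy number 3, the interface and address names, the MSS value 1452 (a PPPoE MTU of 1492 minus 40 bytes of IPv4 and TCP headers), and the spelling of the policy keywords profile-status and profile (the History list above only mentions changes to profile and profile_status) are assumptions; lines beginning with # are annotations, not CLI input.

```fortios
# Protection profile "web_users" (assumed name). p2p is set to enable before
# the per-application keywords, because bittorrent-limit is shown only when
# p2p is enable and bittorrent is set to limit.
config firewall profile
    edit web_users
        set comment "Scan and filter web and FTP traffic for internal users"
        # HTTP: keep the rangeblock default, add virus scanning, FortiGuard
        # category filtering and the local URL filter list. The option list is
        # replaced as a whole, so every wanted option is retyped each time.
        set http scan fortiguard-wf urlfilter oversize rangeblock
        set httpoversizelimit 10
        set https fortiguard-wf urlfilter
        # FortiGuard categories: deny the Potentially Liable group (g01) and
        # Spam URL (c06) and log every category. rate-server-ip and
        # strict-blocking cover the IP-address and multiple-category cases.
        set ftgd-wf-deny g01 c06
        set ftgd-wf-log all
        set ftgd-wf-options rate-server-ip strict-blocking http-err-detail
        set ftgd-wf-https-options rate-server-ip strict-blocking
        # FTP: scan, block oversize files, keep the splice default so that
        # large transfers are not held back until scanning completes.
        set ftp scan oversize splice
        set ftpoversizelimit 10
        # P2P: limit BitTorrent to 50 KB/s per policy, block the others.
        set p2p enable
        set bittorrent limit
        set bittorrent-limit 50
        set edonkey block
        set gnutella block
        set kazaa block
        # Logging, so scanned and blocked traffic is visible in the logs.
        set log-av-virus enable
        set log-av-oversize enable
        set log-web-url enable
        set log-web-ftgd-err enable
        set log-p2p enable
    end

# Policy 3 (assumed number) applies the profile to HTTP and FTP from the
# internal network out wan1. tcp-mss-sender clamps the MSS advertised toward
# the servers so that their reply segments fit a PPPoE link (1492 - 40 = 1452)
# even when the ICMP "fragmentation needed" message never reaches the server.
config firewall policy
    edit 3
        set srcintf internal
        set dstintf wan1
        set srcaddr all
        set dstaddr all
        set schedule always
        set service HTTP FTP
        set action accept
        set nat enable
        set profile-status enable
        set profile web_users
        set tcp-mss-sender 1452
    end
```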
Keywords and variables

<profile_str>
    Enter the name of this protection profile.
    Default: No default.

The following commands are the set options for edit <profile_str>.

aim {enable-inspect | } {archive-full archive-summary block-audio block-encrypt block-file block-im block-long-chat block-photo inspect-anyport no-content-summary}
    Enter enable-inspect to enable inspection of AOL Instant Messenger (AIM) traffic, then enter any additional options, separated by a space.
    • archive-full: Content archive both metadata and the chat itself.
    • archive-summary: Content archive chat metadata.
    • block-audio: Block audio content.
    • block-encrypt: Block encrypted sessions.
    • block-file: Block file transfers.
    • block-im: Block instant messages.
    • block-long-chat: Block oversize instant messages.
    • block-photo: Block photo sharing.
    • inspect-anyport: Inspect AIM traffic on any port that is not used by a FortiGate proxy.
    • no-content-summary: Omit content information from the dashboard.
    Default: inspect-anyport

bittorrent {block | pass | limit}
    Select the action the FortiGate unit performs on BitTorrent peer-to-peer (P2P) traffic.
    • block: Block BitTorrent traffic.
    • pass: Allow BitTorrent traffic.
    • limit: Restrict bandwidth used by BitTorrent. Configure bittorrent-limit to specify the bandwidth limit.
    This option is available only if p2p is enable.
    Default: pass

bittorrent-limit <limit_int>
    Enter the maximum amount of bandwidth BitTorrent connections are allowed to use, up to 100000 KB/s. If this variable is set to zero (0), BitTorrent traffic is not allowed.
    This option appears only if bittorrent is set to limit.
    The bandwidth limit can be applied separately for each firewall policy that uses the protection profile, or shared by all firewall policies that use the protection profile. By default, the limit is applied separately to each firewall policy. For information on configuring per policy or per protection profile P2P bandwidth limiting, see the p2p-rate-limiting variable in “system settings” on page 440.
    Default: 0

comment <comment_str>
    Enter a comment about the protection profile. If the comment contains spaces or special characters, surround the comment with double quotes ("). Comments can be up to 64 characters long.
    Default: No default.

edonkey {block | pass | limit}
    Select the action the FortiGate unit performs on eDonkey peer-to-peer (P2P) traffic.
    • block: Block eDonkey traffic.
    • pass: Allow eDonkey traffic.
    • limit: Restrict bandwidth used by eDonkey. Configure edonkey-limit to specify the bandwidth limit.
    This option is available only if p2p is enable.
    Default: pass

edonkey-limit <limit_int>
    Enter the maximum amount of bandwidth eDonkey connections are allowed to use, up to 100000 KB/s. If this variable is set to zero (0), eDonkey traffic is not allowed.
    This option appears only if edonkey is set to limit.
    The bandwidth limit can be applied separately for each firewall policy that uses the protection profile, or shared by all firewall policies that use the protection profile. By default, the limit is applied separately to each firewall policy. For information on configuring per policy or per protection profile P2P bandwidth limiting, see the p2p-rate-limiting variable in “system settings” on page 440.
    Default: 0

filepattable <index_int> (not in FortiOS Carrier)
    Enter the ID number of the file pattern list to be used with the protection profile.
    This option appears only on FortiGate-800 models and greater.
    Default: 0

file-pat-table <index_int> (FortiOS Carrier)
    Enter the ID number of the file pattern list to be used with the protection profile.
    This option appears only on FortiGate-800 models and greater.
    Default: No default.

file-type-table <index_int> (FortiOS Carrier)
    Enter the ID number of the file type list to be used with the protection profile.
    In the web-based manager, both the file pattern and file type filters are configured and enabled together, with the File Filter controls. In the CLI, the file pattern and file type filters are separately adjustable, and each can even use different tables.
    Default: No default.

ftgd-wf-allow {all | <category_str>}
    Enter all, or enter one or more category codes, representing FortiGuard Web Filtering web page categories or category groups that you want to allow.
    To view a list of available category codes with their descriptions, enter get, then locate entries for ftgd-wf-enable, such as g01 Potentially Liable, 1 Drug Abuse, and c06 Spam URL.
    Separate multiple codes with a space. To delete entries, use the unset command to delete the entire list.
    See also “webfilter fortiguard” on page 552.
    Default: All categories not specified as deny or monitor.

ftgd-wf-deny {all | <category_str>}
    Enter all, or enter one or more category codes, representing FortiGuard Web Filtering web page categories or category groups that you want to block.
    To view a list of available category codes with their descriptions, enter get, then locate entries for ftgd-wf-enable, such as g01 Potentially Liable, 1 Drug Abuse, and c06 Spam URL.
    Separate multiple codes with a space. To delete entries, use the unset command to delete the entire list.
    See also “webfilter fortiguard” on page 552.
    Default: No default.

ftgd-wf-enable {all | <category_str>}
    Enable categories for use in local ratings. You can enable categories, classes, and groups.
    To view a list of available category codes with their descriptions, enter get, then locate entries for ftgd-wf-enable, such as g01 Potentially Liable, 1 Drug Abuse, and c06 Spam URL.
    Separate multiple codes with a space. To delete entries, use the unset command to delete the entire list.
    See also “webfilter fortiguard” on page 552.
    Default: No default.

ftgd-wf-disable {all | <category_str>}
    Disable categories for use in local ratings. You can disable categories, classes, and groups.
    To view a list of available category codes with their descriptions, enter get, then locate entries for ftgd-wf-enable, such as g01 Potentially Liable, 1 Drug Abuse, and c06 Spam URL.
    Separate multiple codes with a space. To delete entries, use the unset command to delete the entire list.
    See also “webfilter fortiguard” on page 552.
    Default: No default.

ftgd-wf-https-options {allow-ovrd error-allow rate-server-ip strict-blocking}
    Select the options for FortiGuard Web Filtering category blocking.
    • allow-ovrd: Allow authenticated rating overrides.
    • error-allow: Allow web pages with a rating error to pass through.
    • rate-server-ip: Rate both the URL and the IP address of the requested site, providing additional security against circumvention attempts.
    • strict-blocking: Block any web pages if any classification or category matches the rating.
    Separate multiple options with a space. To remove an option from the list or add an option to the list, retype the list with the option removed or added.
    Default: strict-blocking

ftgd-wf-log {all | <category_str>}
    Enter all, or enter one or more category codes, representing FortiGuard Web Filtering web page categories or category groups that you want to log.
    To view a list of available category codes with their descriptions, enter get, then locate entries for ftgd-wf-enable, such as g01 Potentially Liable, 1 Drug Abuse, and c06 Spam URL.
    Separate multiple codes with a space. To delete entries, use the unset command to delete the entire list.
    Default: No default.

ftgd-wf-options {allow-ovrd error-allow http-err-detail rate-image-urls rate-server-ip redir-block strict-blocking}
    Select options for FortiGuard web filtering, separating multiple options with a space.
    • allow-ovrd: Allow authenticated rating overrides.
    • error-allow: Allow web pages with a rating error to pass through.
    • http-err-detail: Display a replacement message for 4xx and 5xx HTTP errors. If error pages are allowed, malicious or objectionable sites could use these common error pages to circumvent web category blocking. This option does not apply to HTTPS.
    • rate-image-urls: Rate images by URL. Blocked images are replaced with blanks. This option does not apply to HTTPS.
    • rate-server-ip: Send both the URL and the IP address of the requested site for checking, providing additional security against attempts to bypass the FortiGuard system.
    • redir-block: Block HTTP redirects. Many web sites use HTTP redirects legitimately; however, in some cases, redirects may be designed specifically to circumvent web filtering, as the initial web page could have a different rating than the destination web page of the redirect.
    • strict-blocking: Block any web pages if any classification or category matches the rating. This option does not apply to HTTPS.
    To remove an option from the list or add an option to the list, retype the list with the option removed or added.
    These options take effect only if FortiGuard web filtering is enabled for the protocol.
    Default: strict-blocking

ftgd-wf-ovrd {all | <category_str>}
    Enter all, or enter one or more category codes, representing FortiGuard Web Filtering web page categories or category groups that you want to allow users to override. If filtering overrides are enabled for the protocol and a user requests a web page from a category that is blocked, the user is presented with an authentication challenge; if they successfully authenticate, they are permitted to bypass the filter and access the web page. User groups permitted to authenticate are defined in the firewall policy. For details, see “groups <name_str>” on page 108.
    To view a list of available category codes with their descriptions, enter get, then locate entries for ftgd-wf-enable, such as g01 Potentially Liable, 1 Drug Abuse, and c06 Spam URL.
    Separate multiple codes with a space. To delete entries, use the unset command to delete the entire list.
    Default: No default.

ftp {archive-full archive-summary avmonitor avquery block clientcomfort filetype no-content-summary oversize quarantine scan scanextended splice}
    Select actions, if any, the FortiGate unit will perform with FTP connections.
    • archive-full: Content archive both metadata and the file itself.
    • archive-summary: Content archive metadata.
    • avmonitor: Log detected viruses, but allow them through the firewall without modification.
    • avquery: Use the FortiGuard AV query service.
    • block: Deny files matching the file pattern selected by filepattable (not in FortiOS Carrier) or file-pat-table (FortiOS Carrier), even if the files do not contain viruses.
    • clientcomfort: Apply client comforting and prevent client timeout.
    • filetype: Block specific types of files even if the files do not contain viruses. The file type table used is set with the file-type-table command. (FortiOS Carrier)
    • no-content-summary: Omit the content summary from the dashboard.
    • oversize: Block files that are over the file size limit.
    • quarantine: Quarantine files that contain viruses. This feature is available for FortiGate units that contain a hard disk or are connected to a FortiAnalyzer unit.
    • scan: Scan files for viruses and worms.
    • scanextended: Scan files for viruses and worms, using both the current FortiGuard Antivirus wild list database and the extended database, which consists of definitions for older viruses that FortiGuard has not recently observed in the wild. For details on the extended database, see the FortiGate Administration Guide.
    • splice: Simultaneously scan a message and send it to the recipient. If the FortiGate unit detects a virus, it prematurely terminates the connection.
    Separate multiple options with a space. To remove an option from the list or add an option to the list, retype the list with the option removed or added.
    Default: splice

ftpcomfortamount <size_int>
    Enter the number of bytes client comforting sends each interval to show that an FTP download is progressing. The interval time is set using ftpcomfortinterval.
    Default: 1

ftpcomfortinterval <seconds_int>
    Enter the time in seconds before client comforting starts after an FTP download has begun. It is also the interval between subsequent client comforting sends. The amount of data sent each interval is set using ftpcomfortamount.
    Default: 10

ftpoversizelimit <size_int>
    Enter the maximum in-memory file size that will be scanned, in megabytes. If the file is larger than the ftpoversizelimit, the file is passed or blocked, depending on whether ftp contains the oversize option. The maximum file size for scanning in memory is 10% of the FortiGate unit’s RAM.
    Default: 10

gnutella {block | pass | limit}
    Select the action the FortiGate unit performs on Gnutella peer-to-peer (P2P) traffic.
    • block: Block Gnutella traffic.
    • pass: Allow Gnutella traffic.
    • limit: Restrict bandwidth used by Gnutella. Configure gnutella-limit to specify the bandwidth limit.
    This option is available only if p2p is enable.
    Default: pass

gnutella-limit <limit_int>
    Enter the maximum amount of bandwidth Gnutella connections are allowed to use, up to 100000 KB/s. If this variable is set to zero (0), Gnutella traffic is not allowed.
    This option appears only if gnutella is set to limit.
    The bandwidth limit can be applied separately for each firewall policy that uses the protection profile, or shared by all firewall policies that use the protection profile. By default, the limit is applied separately to each firewall policy. For information on configuring per policy or per protection profile P2P bandwidth limiting, see the p2p-rate-limiting variable in “system settings” on page 440.
    Default: 0


http {activexfilter archive-full archive-summary avmonitor avquery bannedword block chunkedbypass clientcomfort cookiefilter exemptword filetype fortiguard-wf javafilter no-content-summary oversize quarantine rangeblock scan scanextended strict-file urlfilter}
    Default: rangeblock
    Select actions, if any, the FortiGate unit will perform with HTTP connections.
    • activexfilter: Block ActiveX plugins.
    • archive-full: Content archive both metadata and the request.
    • archive-summary: Content archive metadata.
    • avmonitor: Log detected viruses, but allow them through the firewall without modification.
    • avquery: Use the FortiGuard Antivirus service for virus detection using MD5 checksums. This feature is disabled by default.
    • bannedword: Block web pages containing content in the banned word list.
    • block: Deny files matching the file pattern selected by filepattable (not in FortiOS Carrier) or file-pat-table (FortiOS Carrier), even if the files do not contain viruses.
    • chunkedbypass: Allow web sites that use chunked encoding for HTTP to bypass the firewall. Chunked encoding means the HTTP message body is altered to allow it to be transferred in a series of chunks. Use of this feature is a risk. Malicious content could enter the network if web content is allowed to bypass the firewall.
    • clientcomfort: Apply client comforting and prevent client timeout.
    • cookiefilter: Block cookies.
    • exemptword: Exempt words from content blocking.
    • filetype: Block specific types of files even if the files do not contain viruses. The file type table used is set with the file-type-table command. (FortiOS Carrier)
    • fortiguard-wf: Use FortiGuard Web Filtering.
    • javafilter: Block Java applets.
    • no-content-summary: Omit content information from the dashboard.
    • oversize: Block files that are over the file size limit.
    • quarantine: Quarantine files that contain viruses. This feature is available for FortiGate units that contain a hard disk or are connected to a FortiAnalyzer unit.
    • rangeblock: Block downloading parts of a file that have already been partially downloaded. Enabling this option prevents the unintentional download of virus files hidden in fragmented files. Note that some types of files, such as PDF, fragment files to increase download speed and enabling this option can cause download interruptions. Enabling this option may break certain applications that use the Range Header in the HTTP protocol, such as YUM, a Linux update manager.
    • scan: Scan files for viruses and worms.
    • strict-file: Perform stricter checking for blocked files as specified by antivirus file patterns. This more thorough checking can effectively block some web sites with elaborate scripting using .exe or .dll files if those patterns are blocked.
    • urlfilter: Use the URL filter list.
    Separate multiple options with a space. To remove an option from the list or add an option to the list, retype the list with the option removed or added.

httpcomfortamount <size_int>
    Default: 1
    Enter the number of bytes client comforting sends each interval to show an FTP download is progressing. The interval time is set using httpcomfortinterval.


httpcomfortinterval <seconds_int>
    Default: 10
    Enter the time in seconds before client comforting starts after an HTTP download has begun. It is also the interval between subsequent client comforting sends. The amount of data sent each interval is set using httpcomfortamount.

httpoversizelimit <size_int>
    Default: 10
    Enter the maximum in-memory file size that will be scanned, in megabytes. If the file is larger than the httpoversizelimit, the file is passed or blocked, depending on whether oversize is set in the profile http command. The maximum file size for scanning in memory is 10% of the FortiGate unit’s RAM.

http-retry-count <retry_int>
    Default: 0
    Enter the number of times to retry establishing an HTTP connection when the connection fails on the first try. The range is 0 to 100.
    This allows the web server proxy to repeat the connection attempt on behalf of the browser if the server refuses the connection the first time. This works well and reduces the number of hang-ups or page not found errors for busy web servers.
    Entering zero (0) effectively disables this feature.

https {allow-ssl-unknown-sess-id block-invalid-url fortiguard-wf no-content-summary urlfilter}
    Default: No default.
    Select actions, if any, the FortiGate unit will perform with HTTPS connections.
    • allow-ssl-unknown-sess-id: Allow SSL sessions whose ID has not been previously filtered.
    • block-invalid-url: Block SSL sites whose URL cannot be determined.
    • fortiguard-wf: Enable FortiGuard Web Filtering.
    • no-content-summary: Omit content information from the dashboard.
    • urlfilter: Use the URL filter list.
    Separate multiple options with a space. To remove an option from the list or add an option to the list, retype the list with the option removed or added.
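As an added example that is not part of the reference, the http, httpoversizelimit, httpcomfort*, http-retry-count and https keywords above combined into one protection profile. The profile name web-strict and the retry count are assumptions; every option value is one documented above. Lines beginning with # are explanatory comments in the style of a saved FortiOS configuration file, not commands.

```fortios
config firewall profile
    edit "web-strict"
        # Scan downloads, deny files matching the antivirus file pattern table,
        # and block (rather than pass) anything above the in-memory scan limit.
        # rangeblock is the default, but retyping the list replaces the whole
        # list, so it must be named again to keep it.  chunkedbypass is left
        # out on purpose: the reference flags it as letting content bypass the
        # firewall.
        set http scan block oversize strict-file rangeblock fortiguard-wf urlfilter clientcomfort
        set httpoversizelimit 10
        # Client comforting: trickle 1 byte every 10 seconds while a large file
        # is buffered for scanning so the browser does not time out.
        set httpcomfortamount 1
        set httpcomfortinterval 10
        # Retry a refused connection on behalf of the browser (0 disables).
        set http-retry-count 3
        # HTTPS: the https keyword offers URL and category filtering only;
        # block sites whose URL cannot be determined instead of passing them.
        set https block-invalid-url fortiguard-wf urlfilter
    next
end
```

Pasting this into an interactive session requires dropping the # lines. The profile takes effect only once a firewall policy references it.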

icq {enable-inspect | } {archive-full archive-summary block-audio block-file block-im block-photo inspect-anyport no-content-summary}
    Default: inspect-anyport
    Enter enable-inspect to enable inspection of ICQ Instant Messenger traffic, then enter any additional options, separated by a space.
    • archive-full: Content archive both metadata and the chat itself.
    • archive-summary: Content archive metadata.
    • block-audio: Block audio content.
    • block-file: Block file transfers.
    • block-im: Block instant messages.
    • block-photo: Block photo sharing.
    • inspect-anyport: Inspect ICQ traffic on any port that is not used by a FortiGate proxy.
    • no-content-summary: Omit content information from the dashboard.

im {avmonitor avquery block oversize quarantine scan}
    Default: No default.
    Select actions, if any, the FortiGate unit will perform with instant message (IM) connections.
    • avmonitor: Log detected viruses, but allow them through the firewall without modification.
    • avquery: Use the FortiGuard Antivirus service for virus detection using MD5 checksums.
    • oversize: Block files that are over the file size limit.
    • quarantine: Quarantine files that contain viruses. This feature is available for FortiGate units that contain a hard disk or are connected to a FortiAnalyzer unit.
    • scan: Scan files for viruses and worms.


imap {archive-full archive-summary avmonitor avquery bannedword block filetype fragmail no-content-summary oversize quarantine scan spam-mail-log spamemailbwl spamfschksum spamfsip spamfssubmit spamfsurl spamhdrcheck spamipbwl spamraddrdns spamrbl}
    Default: fragmail spamfssubmit
    Select actions, if any, the FortiGate unit will perform with IMAP connections.
    • archive-full: Content archive both metadata and the email itself.
    • archive-summary: Content archive metadata.
    • avmonitor: Log detected viruses, but allow them through the firewall without modification.
    • avquery: Use the FortiGuard Antivirus service for virus detection using MD5 checksums.
    • bannedword: Block email containing content on the banned word list.
    • block: Deny files matching the file pattern selected by filepattable (not in FortiOS Carrier) or file-pat-table (FortiOS Carrier), even if the files do not contain viruses.
    • filetype: Block specific types of files even if the files do not contain viruses. The file type table used is set with the file-type-table command. (FortiOS Carrier)
    • fragmail: Allow fragmented email. Fragmented email cannot be scanned for viruses.
    • no-content-summary: Omit content information from the dashboard.
    • oversize: Block files that are over the file size limit.
    • quarantine: Quarantine files that contain viruses. This feature is available for FortiGate units that contain a hard disk.
    • scan: Scan files for viruses and worms.
    • spam-mail-log: Include spam in the mail log.
    • spamemailbwl: Filter email using the email address list.
    • spamfschksum: Use the FortiGuard Antispam email message checksum spam check.
    • spamfsip: Use the FortiGuard Antispam IP address blacklist.
    • spamfssubmit: Add a link to the message body to allow users to report messages incorrectly marked as spam. If an email message is not spam, simply click the link in the message to inform FortiGuard of the false positive.
    • spamfsurl: Use the FortiGuard Antispam URL blacklist.
    • spamhdrcheck: Filter email using the MIME header list.
    • spamipbwl: Filter email using the email IP address.
    • spamraddrdns: Filter email using the return email DNS check.
    • spamrbl: Check traffic against the configured DNS-based Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers.
    Separate multiple options with a space. To remove an option from the list or add an option to the list, retype the list with the option removed or added.


imapoversizelimit <size_int>
    Default: 10
    Enter the maximum in-memory file size that will be scanned, in megabytes. If the file is larger than the imapoversizelimit, the file is passed or blocked, depending on whether oversize is set in the profile imap command. The maximum file size for scanning in memory is 10% of the FortiGate unit’s RAM.
    Note: For email scanning, the oversize threshold refers to the final size of the email after encoding by the email client, including attachments. Email clients may use a variety of encoding types and some encoding types translate into larger file sizes than the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the configured oversize threshold.

imap-spamaction {pass | tag}
    Default: tag
    Select the action that this profile uses for filtered IMAP email. Enter pass or tag.
    • pass: Disable spam filtering for IMAP traffic.
    • tag: Tag spam email with text configured using text set in imap-spamtagmsg and the location set using imap-spamtagtype.

imap-spamtagmsg <message_str>
    Default: Spam
    Enter a word or phrase (tag) to affix to email identified as spam.
    When typing a tag, use the same language as the FortiGate unit’s current administrator language setting. Tag text using other encodings may not be accepted. For example, when entering a spam tag that uses Japanese characters, first verify that the administrator language setting is Japanese; the FortiGate unit will not accept a spam tag written in Japanese characters while the administrator language setting is English. For details on changing the language setting, see “system global” on page 350.
    Note: To correctly enter the tag, your SSH or telnet client must also support your language’s encoding. Alternatively, you can use the web-based manager’s CLI widget to enter the tag.
    Tags must not exceed 64 bytes. The number of characters constituting 64 bytes of data varies by text encoding, which may vary by the FortiGate administrator language setting.
    Tags containing space characters, such as multiple words or phrases, must be surrounded by quote characters (‘) to be accepted by the CLI.

imap-spamtagtype {header | subject} {spaminfo | }
    Default: subject spaminfo
    Select to affix the tag to either the MIME header or the subject line, and whether or not to append spam information to the spam header, when an email is detected as spam. Also configure imap-spamtagmsg.
    If you select to affix the tag to the subject line, the FortiGate unit will convert the entire subject line, including tag, to UTF-8 by default. This improves display for some email clients that cannot properly display subject lines that use more than one encoding. For details on disabling conversion of subject line to UTF-8, see “system settings” on page 440.

imoversizelimit <size_int>
    Default: 10
    Enter the maximum in-memory file size that will be scanned, in megabytes. If the file is larger than the imoversizelimit, the file is passed or blocked, depending on whether oversize is set in the profile im command. The maximum file size for scanning in memory is 10% of the FortiGate unit’s RAM.

imoversizechat <size_int>
    Default: 8192
    Enter the maximum allowed length of chat messages in bytes, from 2048 to 65536.


ips-sensor <name_str>
    Default: No default.
    Enter the name of an IPS sensor (set of signatures).

ips-sensor-status {enable | disable}
    Default: disable
    Select to use an IPS sensor. If enabled, also configure ips-sensor.
    This option does not select denial of service (DoS) sensors. For details on configuring DoS sensors, see “ips DoS” on page 178.

kazaa {block | pass | limit}
    Default: pass
    Select the action the FortiGate unit performs on Kazaa peer-to-peer (P2P) traffic.
    • block: Block Kazaa traffic.
    • pass: Allow Kazaa traffic.
    • limit: Restrict bandwidth used by Kazaa. Configure kazaa-limit to specify the bandwidth limit.
    This option is available only if p2p is enable.

kazaa-limit <limit_int>
    Default: 0
    Enter the maximum amount of bandwidth Kazaa connections are allowed to use, up to 100000 KB/s. If this variable is set to zero (0), Kazaa traffic is not allowed.
    This option appears only if kazaa is set to limit.
    The bandwidth limit can be applied separately for each firewall policy that uses the protection profile, or shared by all firewall policies that use the protection profile. By default, the limit is applied separately to each firewall policy. For information on configuring per policy or per protection profile P2P bandwidth limiting, see the p2p-rate-limiting variable in “system settings” on page 440.

log-antispam-mass-mms {enable | disable} (FortiOS Carrier)
    Default: disable
    Select to log duplicate or flood MMS notification messages. Also select the log action for each protocol and bulk MMS message event that you want to log. For details, see “action {archive block intercept log}” on page 140 and “action {archive block intercept log}” on page 140.

log-av-block {enable | disable}
    Default: disable
    Select to log file pattern or file type blocking.

log-av-msisdn-filter {enable | disable} (FortiOS Carrier)
    Default: disable
    Select to log MSISDN blocking, intercepts, and archiving.

log-av-oversize {enable | disable}
    Default: disable
    Select to log oversize file and email blocking.

log-av-virus {enable | disable}
    Default: disable
    Select to log viruses detected.

log-im {enable | disable}
    Default: disable
    Select to log IM activity by profile.

log-intercept {enable | disable} (FortiOS Carrier)
    Default: disable
    Select to log MMS intercept actions.

log-ips {enable | disable}
    Default: disable
    Select to log IPS events.

log-mms-notification {enable | disable} (FortiOS Carrier)
    Default: disable
    Select to log MMS notification messages.

log-p2p {enable | disable}
    Default: disable
    Select to log P2P activity.

log-spam {enable | disable}
    Default: disable
    Select to log spam detected.


log-voip {enable | disable}
    Default: disable
    Select to log VoIP activity.

log-voip-violations {enable | disable}
    Default: disable
    Select to log VoIP events.

log-web-content {enable | disable}
    Default: disable
    Select to log web content blocking.

log-web-filter-activex {enable | disable}
    Default: disable
    Select to log ActiveX plugin blocking.

log-web-filter-applet {enable | disable}
    Default: disable
    Select to log Java applet blocking.

log-web-filter-cookie {enable | disable}
    Default: disable
    Select to log cookie blocking.

log-web-ftgd-err {enable | disable}
    Default: enable
    Select to log FortiGuard rating errors.

log-web-url {enable | disable}
    Default: disable
    Select to log URL blocking.

mail-sig <signature_str>
    Default: No default.
    Enter a signature to add to outgoing email. If the signature contains spaces, surround it with single or double quotes (‘ or “).
    This option is applied only if mailsig-status is enable.

mailsig-status {enable | disable}
    Default: disable
    Select to add a signature to outgoing email. Also configure mail-sig.
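As an added example that is not part of the reference, the ips-sensor, ips-sensor-status, log-* and mail-sig keywords above combined into one profile. Every log-* keyword defaults to disable except log-web-ftgd-err, so a profile that blocks but does not log leaves no record for detection or incident review; this profile turns on the events the other keywords on this page can generate. The profile name, the sensor name corp-ips (a sensor you must already have created) and the signature text are assumptions. Lines beginning with # are explanatory comments, not commands.

```fortios
config firewall profile
    edit "monitored"
        # IPS: ips-sensor is only consulted while ips-sensor-status is enable.
        # DoS sensors are configured elsewhere (ips DoS), not here.
        set ips-sensor-status enable
        set ips-sensor "corp-ips"
        set log-ips enable
        # Antivirus outcomes: detections, pattern/type blocks and oversize drops
        set log-av-virus enable
        set log-av-block enable
        set log-av-oversize enable
        # Mail, web, P2P and IM events produced by the matching keywords
        set log-spam enable
        set log-web-url enable
        set log-web-content enable
        set log-web-filter-activex enable
        set log-web-filter-applet enable
        set log-web-filter-cookie enable
        set log-web-ftgd-err enable
        set log-p2p enable
        set log-im enable
        set log-voip enable
        set log-voip-violations enable
        # Outgoing mail signature; mail-sig is ignored unless mailsig-status is enable.
        set mailsig-status enable
        set mail-sig "Scanned by the mail gateway"
    next
end
```

Enabling a log-* keyword records events only for the features that are actually active in the same profile (for example, log-av-virus produces nothing unless scan is set for at least one protocol), so check both halves when a log stays empty.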


mm1 {archive-full archive-summary avmonitor avquery bannedword block chunkedbypass clientcomfort exemptword filetype msisdn-bwl no-content-summary oversize quarantine scan server-comfort strict-file}
    Default: No default.

mm3 {archive-full archive-summary avmonitor avquery bannedword block filetype fragmail msisdn-bwl no-content-summary oversize quarantine scan splice}
    Default: no-content-summary splice

mm4 {archive-full archive-summary avmonitor avquery bannedword block filetype fragmail msisdn-bwl no-content-summary oversize quarantine scan splice}
    Default: splice

mm7 {archive-full archive-summary avmonitor avquery bannedword block chunkedbypass clientcomfort exemptword filetype msisdn-bwl no-content-summary oversize quarantine scan server-comfort strict-file}
    Default: No default.

    (FortiOS Carrier)
    Select actions, if any, the FortiGate unit will take on MMS messages of the specified protocol.
    • archive-full: Content archive both metadata and the MMS message itself.
    • archive-summary: Content archive metadata.
    • avmonitor: Log detected viruses, but allow them through the firewall without modification.
    • avquery: Use the FortiGuard Antivirus service for virus detection using MD5 checksums.
    • bannedword: Block messages containing content in the banned word list.
    • block: Block messages matching the file patterns selected by mms-file-pat-table, even if the files do not contain viruses.
    • chunkedbypass: Allow web sites that use chunked encoding for HTTP to bypass the firewall. Chunked encoding means the HTTP message body is altered to allow it to be transferred in a series of chunks. Use of this feature is a risk. Malicious content could enter the network if web content is allowed to bypass the firewall. This option is available only for the mm1 and mm7 commands.
    • clientcomfort: Apply client comforting to prevent client timeout. This option is available only for mm1 and mm7.
    • exemptword: Exempt words from content blocking. This option is available only for the mm1 and mm7 commands.
    • filetype: Block specific types of files even if the files do not contain viruses. The file type table used is set with the mms-file-type-table command.
    • fragmail: Pass fragmented email messages. Fragmented email messages cannot be scanned for viruses. This option is available only for the mm3 and mm4 commands.
    • msisdn-bwl: Block messages based on the MSISDN. The MSISDN filtering list used is set with the mms-msisdn-bwl-table command.
    • no-content-summary: Omit MMS filtering statistics from the dashboard.
    • oversize: Block files that are over the file size limit.
    • quarantine: Quarantine files that contain viruses. This feature is available for FortiGate units that contain a hard disk or are connected to a FortiAnalyzer unit.
    • scan: Scan files for viruses and worms.
    • server-comfort: Apply server comforting and prevent server timeout. This option is available only for mm1 and mm7.
    • splice: Simultaneously scan a message and send it to the recipient. If the FortiGate unit detects a virus, it prematurely terminates the connection and returns an error message to the recipient, listing the virus name and infected file name. This option is available only for mm3 and mm4.
    • strict-file: Perform stricter checking for blocked files as specified in config antivirus filepattern. This can prevent circumvention by web sites with elaborate scripting using .exe or .dll files if those patterns are blocked. This option is available only for mm1 and mm7.


mm1-addr-hdr <identifier_str> (FortiOS Carrier)
    Default: x-up-calling-line-id
    Enter the sender address (MSISDN) identifier.
    If mm1-addr-source is http-header, the address and its identifier in the HTTP request header is in the format of:
    <Sender Address Identifier>: <MSISDN Value>
    For example, the HTTP header might contain:
    x-up-calling-line-id: 6044301297
    where x-up-calling-line-id would be the Sender Address Identifier.
    If mm1-addr-source is cookie, the address and its identifier in the HTTP request header’s Cookie field is in the format of attribute-value pairs:
    Cookie: id=<cookie-id>; <Sender Address Identifier>=<MSISDN Value>
    For example, the HTTP request headers might contain:
    Cookie: id=0123jf!a;x-up-calling-line-id=6044301297
    where x-up-calling-line-id would be the sender address identifier.

mm1-addr-source {cookie | http-header} (FortiOS Carrier)
    Default: http-header
    Select to extract the sender’s address from the HTTP header field or a cookie.

mm1-convert-hex {enable | disable} (FortiOS Carrier)
    Default: disable
    Select to convert the sender address from ASCII to hexadecimal or from hexadecimal to ASCII. This is required by some applications.

mm1-retr-dupe {enable | disable} (FortiOS Carrier)
    Default: disable
    Select to scan MM1 mm1-retr messages for duplicates. By default, mm1-retr messages are not scanned for duplicates as they may often be the same without necessarily being bulk or spam.
    This option is available only if status is enable for the config dupe mm1 command.

mm1comfortamount <size_int> (FortiOS Carrier)
    Default: 1
    Enter the number of bytes client comforting sends each interval to show a download is progressing. The interval time is set using mm1comfortinterval.

mm1comfortinterval <seconds_int> (FortiOS Carrier)
    Default: 10
    Enter the time in seconds before client comforting starts after a download has begun. It is also the interval between subsequent client comforting sends. The amount of data sent each interval is set using mm1comfortamount.


mm7-addr-hdr <identifier_str> (FortiOS Carrier)
    Default: x-up-calling-line-id
    Enter the sender address (MSISDN) identifier.
    If mm7-addr-source is http-header, the address and its identifier in the HTTP request header is in the format of:
    <Sender Address Identifier>: <MSISDN Value>
    For example, the HTTP header might contain:
    x-up-calling-line-id: 6044301297
    where x-up-calling-line-id would be the Sender Address Identifier.
    If mm7-addr-source is cookie, the address and its identifier in the HTTP request header’s Cookie field is in the format of attribute-value pairs:
    Cookie: id=<cookie-id>; <Sender Address Identifier>=<MSISDN Value>
    For example, the HTTP request headers might contain:
    Cookie: id=0123jf!a;x-up-calling-line-id=6044301297
    where x-up-calling-line-id would be the sender address identifier.

mm7-addr-source {cookie | http-header} (FortiOS Carrier)
    Default: http-header
    Select to extract the sender’s address from the HTTP header field or a cookie.

mm7-convert-hex {enable | disable} (FortiOS Carrier)
    Default: disable
    Select to convert the sender address from ASCII to hexadecimal or from hexadecimal to ASCII. This is required by some applications.

mm7comfortamount <size_int> (FortiOS Carrier)
    Default: 1
    Enter the number of bytes client comforting sends each interval to show a download is progressing. The interval time is set using mm7comfortinterval.

mm7comfortinterval <seconds_int> (FortiOS Carrier)
    Default: 10
    Enter the time in seconds before client comforting starts after a download has begun. It is also the interval between subsequent client comforting sends. The amount of data sent each interval is set using mm7comfortamount.

mms-bword-table <index_int> (FortiOS Carrier)
    Default: No default.
    Enter the ID number of the web content block filter to be used for MMS traffic. The web content block tables can be configured using the config webfilter bword command.

mms-bword-threshold (FortiOS Carrier)
    Default: 10
    Enter the maximum score an MMS message can have before being blocked. If the combined scores of the content block patterns appearing in an MMS message exceed the threshold value, the message will be blocked.

mms-exmword-table (FortiOS Carrier)
    Default: No default.
    Enter the ID number of the webfilter exempt word list to be used with the protection profile. The web content exempt tables can be configured using the config webfilter exmword command.

mms-file-pat-table <index_int> (FortiOS Carrier)
    Default: No default.
    Enter the ID number of the file pattern list to be used for MMS traffic with the protection profile.
    This variable appears only on FortiGate-800 and above units.

mms-file-type-table <index_int> (FortiOS Carrier)
    Default: No default.
    Enter the ID number of the file type list to be used for MMS traffic with the protection profile.
    In the web-based manager, both the file pattern and file type filters are configured and enabled together, with the File Filter controls. In the CLI, the file pattern and file type filters are separately adjustable, and each can use different tables.


mms-msisdn-bwl-table <index_int> (FortiOS Carrier)
    Default: No default.
    Enter the ID number of the MSISDN filtering table to use for MMS traffic with the protection profile.

msisdn-prefix {enable | disable} (FortiOS Carrier)
    Default: disable
    Select to add the country code to the extracted MSISDN for logging and notification purposes. You can limit the number length for the test numbers used for internal monitoring without a country code.

msisdn-prefix-string (FortiOS Carrier)
    Default: No default.
    Enter the MSISDN prefix.
    This option appears only if msisdn-prefix is enable.

msisdn-prefix-range-min (FortiOS Carrier)
    Default: 0
    Enter the minimum length. If this and msisdn-prefix-range-max are set to zero (0), length is not limited.
    This option appears only if msisdn-prefix is enable.

msisdn-prefix-range-max (FortiOS Carrier)
    Default: 0
    Enter the maximum length. If this and msisdn-prefix-range-min are set to zero (0), length is not limited.
    This option appears only if msisdn-prefix is enable.
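As an added example that is not part of the reference, a FortiOS Carrier profile that ties the mm1/mm3/mm4/mm7 keywords to the tables and sender-address settings described above, so that each option's dependency is visible: block needs mms-file-pat-table, filetype needs mms-file-type-table, bannedword needs mms-bword-table, msisdn-bwl needs mms-msisdn-bwl-table, and the MSISDN itself comes from wherever mm1-addr-source / mm7-addr-source point. The profile name, the table ID 1 (tables must be created first and their real IDs used), the prefix string and the length bounds are assumptions. Lines beginning with # are explanatory comments, not commands.

```fortios
config firewall profile
    edit "mms-carrier"
        # Handset-facing (mm1) and application-facing (mm7) MMS: scan, block by
        # file pattern and file type, drop oversized messages, apply the MSISDN
        # list and banned words, keep a metadata archive.  chunkedbypass is
        # deliberately absent; strict-file is valid only for mm1 and mm7.
        set mm1 scan block filetype oversize bannedword msisdn-bwl archive-summary strict-file
        set mm7 scan block filetype oversize bannedword msisdn-bwl archive-summary strict-file
        # MMSC-to-MMSC relay (mm3) and interworking (mm4): splice is valid only
        # here; fragmail is left out so fragmented mail is not passed unscanned.
        set mm3 scan block filetype oversize bannedword msisdn-bwl archive-summary splice
        set mm4 scan block filetype oversize bannedword msisdn-bwl archive-summary splice
        # Tables the options above refer to (ID 1 is an assumed value).
        # mms-file-pat-table appears only on FortiGate-800 and above.
        set mms-bword-table 1
        set mms-bword-threshold 10
        set mms-exmword-table 1
        set mms-file-pat-table 1
        set mms-file-type-table 1
        set mms-msisdn-bwl-table 1
        # Where the sender MSISDN is read from: the x-up-calling-line-id request
        # header for mm1, the same attribute inside the Cookie field for mm7.
        set mm1-addr-source http-header
        set mm1-addr-hdr "x-up-calling-line-id"
        set mm7-addr-source cookie
        set mm7-addr-hdr "x-up-calling-line-id"
        # Prefix the extracted MSISDN with a country code in logs and
        # notifications. "1" and the 10-digit bounds are constructed values;
        # 0 and 0 would leave the length unlimited.
        set msisdn-prefix enable
        set msisdn-prefix-string "1"
        set msisdn-prefix-range-min 10
        set msisdn-prefix-range-max 10
        # Record what the MSISDN filter and MMS notifications did.
        set log-av-msisdn-filter enable
        set log-mms-notification enable
        set log-intercept enable
    next
end
```

With mm1-addr-source set to http-header, a request carrying x-up-calling-line-id: 6044301297 (the reference's own sample) yields the MSISDN 6044301297 for logging and for the msisdn-bwl lookup; with cookie, the same value is read from Cookie: id=0123jf!a;x-up-calling-line-id=6044301297.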

msn {enable-inspect | } {archive-full archive-summary block-audio block-file block-im block-photo no-content-summary}
    Default: No default.
    Enter enable-inspect to enable inspection of Microsoft Messenger traffic, then enter additional options, if any.
    • archive-full: Content archive both metadata and the chat itself.
    • archive-summary: Content archive metadata.
    • block-audio: Block audio content.
    • block-file: Block file transfers.
    • block-im: Block instant messages.
    • block-photo: Block photo sharing.
    • no-content-summary: Omit content information from the dashboard.
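As an added example that is not part of the reference, the instant messaging keywords from this page (im, imoversizelimit, imoversizechat, icq, msn and log-im) combined into one profile. The per-client keywords (icq, msn) control which conversations are inspected and which features are blocked; the protocol-independent im keyword controls what happens to files carried over those conversations. The profile name is an assumption; the values are the documented ones. Lines beginning with # are explanatory comments, not commands.

```fortios
config firewall profile
    edit "im-restricted"
        # Files transferred over IM: scan, deny pattern matches, block anything
        # above the in-memory limit, and quarantine detections (needs a hard
        # disk or a FortiAnalyzer unit).
        set im scan block oversize quarantine
        set imoversizelimit 10
        # Chat messages longer than this (2048 to 65536 bytes) are not allowed.
        set imoversizechat 8192
        # Microsoft Messenger: inspect, keep a metadata archive, no file or
        # audio transfers; plain chat and photo sharing remain allowed.
        set msn enable-inspect archive-summary block-file block-audio
        # ICQ: inspect on any port a FortiGate proxy is not using, keep a
        # metadata archive, no file transfers or photo sharing.
        set icq enable-inspect inspect-anyport archive-summary block-file block-photo
        # Without this the blocks above leave no record.
        set log-im enable
    next
end
```

Because retyping a keyword's option list replaces the previous list, removing enable-inspect from the msn line later would silently stop inspection of Microsoft Messenger traffic altogether, not just the named blocks.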

nntp {archive-full archive-summary avmonitor avquery block filetype no-content-summary oversize scan spam-mail-log}
    Default: No default.
    Select actions, if any, the FortiGate unit will perform with NNTP connections.
    • archive-full: Content archive both metadata and the mail itself.
    • archive-summary: Content archive metadata.
    • avmonitor: Log detected viruses, but allow them through the firewall without modification.
    • avquery: Use the FortiGuard Antivirus query service.
    • block: Deny files matching the file pattern selected by filepattable (not in FortiOS Carrier) or file-pat-table (FortiOS Carrier), even if the files do not contain viruses.
    • filetype: Block specific types of files even if the files do not contain viruses. The file type table used is set with the file-type-table command. (FortiOS Carrier)
    • no-content-summary: Omit content information from the dashboard.
    • oversize: Block files that are over the file size limit.
    • scan: Scan files for viruses and worms.
    • spam-mail-log: Include spam in the mail log.
    Separate multiple options with a space. To remove an option from the list or add an option to the list, retype the list with the option removed or added.

nntpoversizelimit <limit_int>
    Default: 10
    Enter the maximum in-memory file size that will be scanned, in megabytes. If the file is larger than the nntpoversizelimit, the file is passed or blocked, depending on whether oversize is set in the profile nntp command. The maximum file size for scanning in memory is 10% of the FortiGate unit’s RAM.


p2p {enable | disable}
    Default: disable
    Select to inspect peer-to-peer (P2P) traffic. If disabled, P2P traffic passing through the FortiGate unit will not receive inspection or statistics tracking.

pop3 {archive-full archive-summary avmonitor avquery bannedword block filetype fragmail no-content-summary oversize quarantine scan spam-mail-log spamemailbwl spamfschksum spamfsip spamfssubmit spamfsurl spamhdrcheck spamipbwl spamraddrdns spamrbl}
    Default: fragmail spamfssubmit
    Select actions, if any, the FortiGate unit will perform with POP3 connections.
    • archive-full: Content archive both metadata and the email itself.
    • archive-summary: Content archive metadata.
    • avmonitor: Log detected viruses, but allow them through the firewall without modification.
    • avquery: Use the FortiGuard Antivirus query service.
    • bannedword: Block email containing content in the banned word list.
    • block: Deny files matching the file pattern selected by filepattable (not in FortiOS Carrier) or file-pat-table (FortiOS Carrier), even if the files do not contain viruses.
    • filetype: Block specific types of files even if the files do not contain viruses. The file type table used is set with the file-type-table command. (FortiOS Carrier)
    • fragmail: Allow fragmented email. Fragmented email cannot be scanned for viruses.
    • no-content-summary: Omit content information from the dashboard.
    • oversize: Block files that are over the file size limit.
    • quarantine: Quarantine files that contain viruses. This feature is available for FortiGate units that contain a hard disk or a connection to a FortiAnalyzer unit.
    • scan: Scan files for viruses and worms.
    • spam-mail-log: Include spam in the email log.
    • spamemailbwl: Block email containing addresses in the email address list.
    • spamfschksum: Use FortiGuard Antispam email message checksum spam checking.
    • spamfsip: Use the FortiGuard Antispam IP address blacklist.
    • spamfssubmit: Add a link to the message body to allow users to report messages incorrectly marked as spam. If an email message is not spam, click the link in the message to inform FortiGuard of the false positive.
    • spamfsurl: Use the FortiGuard Antispam URL blacklist.
    • spamhdrcheck: Filter email using the MIME header list.
    • spamipbwl: Filter email using the email IP address.
    • spamraddrdns: Filter email using the return email DNS check.
    • spamrbl: Filter email using the configured DNS-based Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers.
    Separate multiple options with a space. To remove an option from the list or add an option to the list, retype the list with the option removed or added.


pop3oversizelimit <size_int>
    Default: 10
    Enter the maximum in-memory file size that will be scanned, in megabytes. If the file is larger than the pop3oversizelimit, the file is passed or blocked, depending on whether oversize is set in the profile pop3 command. The maximum file size for scanning in memory is 10% of the FortiGate unit’s RAM.
    Note: For email scanning, the oversize threshold refers to the final size of the email after encoding by the email client, including attachments. Email clients may use a variety of encoding types and some encoding types translate into larger file sizes than the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the configured oversize threshold.

pop3-spamaction {pass | tag}
    Default: tag
    Select the action to perform on POP3 email that is detected as spam.
    • pass: Disable spam filtering for POP3 traffic.
    • tag: Tag spam email with text configured using the pop3-spamtagmsg keyword and the location set using the pop3-spamtagtype keyword.

pop3-spamtagmsg <message_str>
    Default: Spam
    Enter a word or phrase (tag) to affix to email identified as spam.
    When typing a tag, use the same language as the FortiGate unit’s current administrator language setting. Tag text using other encodings may not be accepted. For example, when entering a spam tag that uses Japanese characters, first verify that the administrator language setting is Japanese; the FortiGate unit will not accept a spam tag written in Japanese characters while the administrator language setting is English. For details on changing the language setting, see “system global” on page 350.
    Note: To correctly enter the tag, your SSH or telnet client must also support your language’s encoding. Alternatively, you can use the web-based manager’s CLI widget to enter the tag.
    Tags must not exceed 64 bytes. The number of characters constituting 64 bytes of data varies by text encoding, which may vary by the FortiGate administrator language setting.
    Tags containing space characters, such as multiple words or phrases, must be surrounded by quote characters (‘) to be accepted by the CLI.

pop3-spamtagtype {header | subject} {spaminfo | }
    Default: subject spaminfo
    Select to affix the tag to either the MIME header or the subject line, and whether or not to append spam information to the spam header, when an email is detected as spam. Also configure pop3-spamtagmsg.
    If you select to affix the tag to the subject line, the FortiGate unit will convert the entire subject line, including tag, to UTF-8 by default. This improves display for some email clients that cannot properly display subject lines that use more than one encoding. For details on disabling conversion of subject line to UTF-8, see “system settings” on page 440.
replacemsg-group Enter the name of the replacement message group to be No default.
<name_str> used with this protection profile.
(FortiOS Carrier)

FortiGate CLI Version 3.0 MR6 Reference


01-30006-0015-20080205 135
profile firewall

Keywords and variables Description Default


skype {block | pass}
    Select the action the FortiGate unit performs on Skype peer-to-peer (P2P) traffic.
    • block: Block Skype traffic.
    • pass: Allow Skype traffic.
    This option is available only if p2p is set to enable.
    Default: pass

smtp {archive-full archive-summary avmonitor avquery bannedword block filetype fragmail no-content-summary oversize quarantine scan spam-mail-log spamemailbwl spamfsip spamfschksum spamfssubmit spamfsurl spamhdrcheck spamhelodns spamipbwl spamraddrdns spamrbl splice}
    Select actions, if any, the FortiGate unit will perform with SMTP connections.
    • archive-full: Content archive both metadata and the email itself.
    • archive-summary: Content archive metadata.
    • avmonitor: Log detected viruses, but allow them through the firewall without modification.
    • avquery: Use the FortiGuard AV query service.
    • bannedword: Block email containing content in the banned word list.
    • block: Deny files matching the file pattern selected by filepattable (not in FortiOS Carrier) or file-pat-table (FortiOS Carrier), even if the files do not contain viruses.
    • filetype: Block specific types of files even if the files do not contain viruses. The file type table used is set with the file-type-table command. (FortiOS Carrier)
    • fragmail: Allow fragmented email. Fragmented email cannot be scanned for viruses.
    • no-content-summary: Omit content information from the dashboard.
    • oversize: Block files that are over the file size limit.
    • quarantine: Quarantine files that contain viruses. This feature is available for FortiGate units that contain a hard disk or a connection to a FortiAnalyzer unit.
    • scan: Scan files for viruses and worms.
    • spam-mail-log: Include spam in the email log.
    • spamemailbwl: Filter email using the email address list.
    • spamfsip: Use the FortiGuard Antispam filtering IP address blacklist.
    • spamfschksum: Use FortiGuard Antispam email message checksum spam checking.
    • spamfssubmit: Add a link to the message body allowing users to report messages incorrectly marked as spam. If an email message is not spam, click the link in the message to report the false positive.
    • spamfsurl: Use the FortiGuard Antispam filtering URL blacklist.
    • spamhdrcheck: Filter email using the MIME header list.
    • spamhelodns: Filter email using a HELO/EHLO DNS check.
    • spamipbwl: Filter email using the source IP or subnet address.
    • spamraddrdns: Filter email using a return email DNS check.
    • spamrbl: Filter email using configured DNS-based Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers.
    • splice: Simultaneously scan a message and send it to the recipient. If the FortiGate unit detects a virus, it prematurely terminates the connection and returns an error message to the sender, listing the virus and infected file name. splice is selected when scan is selected. With streaming mode enabled, select either Spam Action (Tagged or Discard) for SMTP spam. When streaming mode is disabled for SMTP, infected attachments are removed and the email is forwarded (without the attachment) to the SMTP server for delivery to the recipient. Throughput is higher when streaming mode is enabled.
    Separate multiple options with a space. To remove an option from the list or add an option to the list, retype the list with the option removed or added.
    Default: no-content-summary splice

smtp-spam-localoverride {enable | disable}
    Select to override the SMTP remote checks, which include the IP RBL check, the IP FortiGuard antispam check, and the HELO DNS check, with the locally defined black/white antispam list.
    Default: disable

smtpoversizelimit <size_int>
    Enter the maximum in-memory file size that will be scanned, in megabytes. If the file is larger than the smtpoversizelimit, the file is passed or blocked, depending on whether oversize is set in the profile smtp command. The maximum file size for scanning in memory is 10% of the FortiGate unit’s RAM.
    Note: For email scanning, the oversize threshold refers to the final size of the email after encoding by the email client, including attachments. Email clients may use a variety of encoding types, and some encoding types translate into larger file sizes than the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the configured oversize threshold.
    Default: 10
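The base64 note above (for both pop3oversizelimit and smtpoversizelimit) is easy to underestimate in practice. The following added example, which is not Fortinet code, estimates the encoded size of an attachment with 76-column CRLF line breaks per RFC 2045 and shows how far below a 10 MB limit a raw attachment must stay; it assumes the limit is measured in MiB and ignores MIME headers unless you pass their size.

```python
import base64

# Constructed figures for this added example: 10 MB is the default
# smtpoversizelimit / pop3oversizelimit on this page; attachment sizes are made up.
MIB = 1024 * 1024
LINE_LEN = 76   # RFC 2045: base64 body lines are at most 76 characters
CRLF_LEN = 2    # each encoded line ends in CR LF


def base64_encoded_size(raw_bytes: int) -> int:
    """Size in bytes of raw_bytes once base64-encoded with 76-column CRLF
    line breaks: every 3 raw bytes become 4 characters, plus 2 bytes per line."""
    chars = 4 * ((raw_bytes + 2) // 3)
    lines = (chars + LINE_LEN - 1) // LINE_LEN
    return chars + CRLF_LEN * lines


def formula_matches_encoder(raw_bytes: int) -> bool:
    """Self-check of the 3-to-4 expansion against the standard library encoder
    (line breaks excluded, since b64encode emits none)."""
    return len(base64.b64encode(bytes(raw_bytes))) == 4 * ((raw_bytes + 2) // 3)


def exceeds_oversize(raw_bytes: int, limit_mb: int, header_bytes: int = 0) -> bool:
    """The comparison the page describes: the oversize threshold is applied to the
    encoded message (attachment plus any headers), not to the raw attachment."""
    return base64_encoded_size(raw_bytes) + header_bytes > limit_mb * MIB


def max_raw_attachment(limit_mb: int) -> int:
    """Largest raw attachment whose encoded form still fits under limit_mb.
    Binary search works because base64_encoded_size never decreases."""
    lo, hi = 0, limit_mb * MIB
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if base64_encoded_size(mid) <= limit_mb * MIB:
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    limit = 10
    for raw in (7 * MIB, 8 * MIB):
        enc = base64_encoded_size(raw)
        print(f"raw {raw / MIB:.1f} MiB -> encoded {enc / MIB:.2f} MiB, "
              f"oversize={exceeds_oversize(raw, limit)}")
    print(f"largest attachment under a {limit} MB limit: "
          f"{max_raw_attachment(limit) / MIB:.2f} MiB")
```

With the default limit, an 8 MiB attachment is already over the threshold while a 7 MiB one is not, which is the "several megabytes smaller" effect the note warns about.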
smtp-spamaction {discard | pass | tag}
    Select the action that this profile uses for filtered SMTP email. Tagging appends custom text to the subject or header of email identified as spam. When scan or streaming mode (also called splice) is selected, the FortiGate unit can only discard spam email. Discard immediately drops the connection. Without streaming mode or scanning enabled, choose to discard, pass, or tag SMTP spam. In the US Domestic distribution, streaming mode is permanently enabled for SMTP, and the tag option is not available.
    • discard: Do not pass email identified as spam.
    • pass: Disable spam filtering for SMTP traffic.
    • tag: Tag spam email with text configured using the smtp-spamtagmsg keyword and the location set using the smtp-spamtagtype keyword.
    Default: discard

smtp-spamhdrip {enable | disable}
    Select to check header IP addresses for the spamfsip, spamrbl, and spamipbwl filters.
    Default: disable

smtp-spamtagmsg <message_str>
    Enter a word or phrase (tag) to affix to email identified as spam.
    When typing a tag, use the same language as the FortiGate unit’s current administrator language setting. Tag text using other encodings may not be accepted. For example, when entering a spam tag that uses Japanese characters, first verify that the administrator language setting is Japanese; the FortiGate unit will not accept a spam tag written in Japanese characters while the administrator language setting is English. For details on changing the language setting, see “system global” on page 350.
    Note: To correctly enter the tag, your SSH or telnet client must also support your language’s encoding. Alternatively, you can use the web-based manager’s CLI widget to enter the tag.
    Tags must not exceed 64 bytes. The number of characters constituting 64 bytes of data varies by text encoding, which may vary by the FortiGate administrator language setting.
    Tags containing space characters, such as multiple words or phrases, must be surrounded by quote characters (') to be accepted by the CLI.
    Default: Spam
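The 64-byte rule for pop3-spamtagmsg and smtp-spamtagmsg is a byte limit, so the same characters can be accepted under one encoding and rejected under another. This added example (not Fortinet code) checks a tag against that limit in a chosen encoding and builds the quoted set command; the mapping from administrator language to encoding is not given on this page, so the encoding is simply a parameter here, and embedded quote characters are rejected rather than escaped because the page states no escaping rule.

```python
MAX_TAG_BYTES = 64   # limit stated on this page
QUOTE = "'"          # quote character the page says must surround multi-word tags


def tag_byte_length(tag: str, encoding: str) -> int:
    """Bytes the tag occupies in the given text encoding; the CLI limit is in
    bytes, so the same characters may fit in one encoding and not another."""
    return len(tag.encode(encoding))


def validate_tag(tag: str, encoding: str = "utf-8") -> tuple[bool, str]:
    """Return (accepted, reason). The encoding argument stands in for whatever
    encoding the administrator language setting implies (an assumption of this
    example; the page does not list the mapping)."""
    if not tag:
        return False, "tag is empty"
    try:
        size = tag_byte_length(tag, encoding)
    except UnicodeEncodeError:
        return False, f"tag contains characters not representable in {encoding}"
    if size > MAX_TAG_BYTES:
        return False, f"tag is {size} bytes in {encoding}; limit is {MAX_TAG_BYTES}"
    return True, ""


def cli_argument(tag: str) -> str:
    """Quote the tag the way the page requires when it contains spaces.
    Embedded quote characters are rejected rather than escaped (assumption)."""
    if QUOTE in tag:
        raise ValueError("tag contains a quote character")
    return f"{QUOTE}{tag}{QUOTE}" if " " in tag else tag


def set_tag_command(keyword: str, tag: str, encoding: str = "utf-8") -> str:
    """Build 'set <keyword> <tag>' only if the tag passes the byte-length check."""
    ok, reason = validate_tag(tag, encoding)
    if not ok:
        raise ValueError(reason)
    return f"set {keyword} {cli_argument(tag)}"


if __name__ == "__main__":
    japanese = "迷惑メール" * 5   # constructed 25-character Japanese tag
    for enc in ("utf-8", "shift_jis"):
        # 75 bytes in UTF-8 (rejected), 50 bytes in Shift_JIS (accepted)
        print(enc, tag_byte_length(japanese, enc), validate_tag(japanese, enc))
    print(set_tag_command("pop3-spamtagmsg", "Possible Spam"))
```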
smtp-spamtagtype {header | subject} {spaminfo | }
    Select to affix the tag to either the MIME header or the subject line, and whether or not to append spam information to the spam header, when an email is detected as spam. Also configure smtp-spamtagmsg.
    If you select to affix the tag to the subject line, the FortiGate unit will convert the entire subject line, including the tag, to UTF-8 by default. This improves display for some email clients that cannot properly display subject lines that use more than one encoding. For details on disabling conversion of the subject line to UTF-8, see “system settings” on page 440.
    Default: subject spaminfo

spambwordtable <index_int>
    Enter the ID number of the spamfilter banned word list to be used with the protection profile.
    This variable appears only on FortiGate-800 and above units.
    Default: 0

spamemaddrtable <index_int>
    Enter the ID number of the spamfilter email address list to be used with the protection profile.
    This variable appears only on FortiGate-800 and above units.
    Default: 0

spamipbwltable <index_int>
    Enter the ID number of the spamfilter IP address black/white list to be used with the protection profile.
    This variable appears only on FortiGate-800 and above units.
    Default: 0

spamiptrusttable <index_int>
    Enter the ID number of the spamfilter IP trust list to be used with the protection profile.
    This variable appears only on FortiGate-800 models and greater.
    Default: 0

spammheadertable <index_int>
    Enter the ID number of the spamfilter MIME header list to be used with the protection profile.
    This variable appears only on FortiGate-800 models and greater.
    Default: 0

spamrbltable <index_int>
    Enter the ID number of the spamfilter DNSBL list to be used with the protection profile.
    This variable appears only on FortiGate-800 models and greater.
    Default: 0

spambwordthreshold <value_int>
    If the combined scores of the banned word patterns appearing in an email message exceed the threshold value, the message will be processed according to the Spam Action setting.
    Default: 10

webbwordtable <index_int> (not in FortiOS Carrier)
    Enter the ID number of the webfilter banned word list to be used with the protection profile.
    This variable appears only on FortiGate-800 models and greater.
    Default: 0

web-bword-table <index_int> (FortiOS Carrier)
    Enter the ID number of the webfilter banned word list to be used with the protection profile.
    This variable appears only on FortiGate-800 models and greater.
    Default: No default.

webbwordthreshold <value_int> (not in FortiOS Carrier)
    Enter the maximum score a web page can have before being blocked. If the combined scores of the content block patterns appearing on a web page exceed the threshold value, the page will be blocked.
    Default: 10

web-bword-threshold <value_int> (FortiOS Carrier)
    Enter the maximum score a web page can have before being blocked. If the combined scores of the content block patterns appearing on a web page exceed the threshold value, the page will be blocked.
    Default: 10

webexmwordtable <index_int> (not in FortiOS Carrier)
    Enter the ID number of the webfilter exempt word list to be used with the protection profile.
    This variable appears only on FortiGate-800 models and greater.
    Default: 0

web-exmword-table <index_int> (FortiOS Carrier)
    Enter the ID number of the webfilter exempt word list to be used with the protection profile.
    This variable appears only on FortiGate-800 models and greater.
    Default: No default.

weburlfiltertable <index_int>
    Enter the ID number of the webfilter URL filter list to be used with the protection profile.
    This variable appears only on FortiGate-800 models and greater.
    Default: 0

winny {block | pass | limit}
    Select the action the FortiGate unit performs on WinNY peer-to-peer (P2P) traffic.
    • block: Block WinNY traffic.
    • pass: Allow WinNY traffic.
    • limit: Restrict bandwidth used by WinNY. Configure winny-limit to specify the bandwidth limit.
    This option is available only if p2p is set to enable.
    Default: pass

winny-limit <limit_int>
    Enter the maximum amount of bandwidth WinNY connections are allowed to use, up to 100000 KB/s. If this variable is set to zero (0), WinNY traffic is not allowed.
    This option appears only if winny is set to limit.
    The bandwidth limit can be applied separately for each firewall policy that uses the protection profile, or shared by all firewall policies that use the protection profile. By default, the limit is applied separately to each firewall policy. For information on configuring per policy or per protection profile P2P bandwidth limiting, see the p2p-rate-limiting variable in “system settings” on page 440.
    Default: 0

yahoo {enable-inspect | } {archive-full archive-summary block-audio block-file block-im block-photo inspect-anyport no-content-summary}
    Enter enable-inspect to enable inspection of Yahoo Messenger traffic, then enter any additional options. Separate multiple options with a space.
    • archive-full: Content archive both metadata and the chat itself.
    • archive-summary: Content archive metadata.
    • block-audio: Block audio content.
    • block-file: Block file transfers.
    • block-im: Block instant messages.
    • block-photo: Block photo sharing.
    • inspect-anyport: Inspect traffic on any port that is not used by a FortiGate proxy.
    • no-content-summary: Omit content information from the dashboard.
    Default: inspect-anyport
dupe
The following commands are the options for config dupe. (FortiOS Carrier)

{mm1 | mm4}
    Select to configure detection of excessive MMS message duplicates for the MM1 or MM4 protocol.
    Default: No default.

status {enable | disable} (FortiOS Carrier)
    Select to detect and act upon duplicate MMS messages.
    Default: disable

action {archive block intercept log} (FortiOS Carrier)
    Select which actions to take, if any, when excessive duplicate messages are detected. To select more than one action, separate each action with a space.
    • archive: Content archive excessive duplicates.
    • block: Block and intercept excess duplicates. If block is selected, messages are also intercepted, even if intercept is not selected.
    • intercept: Intercept excess duplicates.
    • log: Log excess duplicates. This option takes effect only if logging is enabled for bulk MMS message detection. See “log-antispam-mass-mms {enable | disable}” on page 128.
    This option appears only if status is enable for the MMS protocol.
    Default: archive block intercept log

block-time <minutes_int> (FortiOS Carrier)
    Enter the amount of time in minutes during which the FortiGate unit will perform the action after a message flood is detected.
    This option appears only if status is enable for the MMS protocol.
    Default: 100

limit <duplicatetrigger_int> (FortiOS Carrier)
    Enter the number of messages which signifies excessive message duplicates if exceeded within the window.
    This option appears only if status is enable for the MMS protocol.
    Default: 100

window <minutes_int> (FortiOS Carrier)
    Enter the period of time in minutes during which excessive message duplicates will be detected if the limit is exceeded.
    This option appears only if status is enable for the protocol (MM1 or MM4).
    Default: 60

protocol (FortiOS Carrier)
    The MMS protocol to which excessive MMS message duplicate detection will be applied.
    This variable can be viewed with the get command, but cannot be set.
    Default: Varies by “{mm1 | mm4}” on page 140.

flood
The following commands are the options for config flood. (FortiOS Carrier)

{mm1 | mm4}
    Select to configure detection of excessive MMS message activity for the MM1 or MM4 protocol.
    Default: No default.

status {enable | disable} (FortiOS Carrier)
    Select to detect and act upon excessive MMS message activity.
    Default: disable

action {archive block intercept log} (FortiOS Carrier)
    Select which actions to take, if any, when excessive message activity is detected. To select more than one action, separate each action with a space.
    • archive: Content archive excessive messages.
    • block: Block and intercept excess messages. If block is selected, messages are also intercepted, even if intercept is not selected.
    • intercept: Intercept excess messages.
    • log: Log excess messages. This option takes effect only if logging is enabled for bulk MMS message detection. See “log-antispam-mass-mms {enable | disable}” on page 128.
    This option appears only if status is enable for the MMS protocol.
    Default: archive block intercept log

block-time <minutes_int> (FortiOS Carrier)
    Enter the amount of time in minutes during which the FortiGate unit will perform the action after a message flood is detected.
    This option appears only if status is enable for the MMS protocol.
    Default: 100

limit <floodtrigger_int> (FortiOS Carrier)
    Enter the number of messages which signifies excessive message activity if exceeded within the window.
    This option appears only if status is enable for the MMS protocol.
    Default: 100

window <minutes_int> (FortiOS Carrier)
    Enter the period of time in minutes during which excessive message activity will be detected if the limit is exceeded.
    This option appears only if status is enable for the MMS protocol.
    Default: 60

protocol (FortiOS Carrier)
    The MMS protocol to which excessive MMS message activity detection will be applied.
    This variable can be viewed with the get command, but cannot be set.
    Default: Varies by “{mm1 | mm4}” on page 141.
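config dupe and config flood share the same three knobs (limit, window, block-time) and the same action rules (block implies intercept; log only counts when bulk MMS logging is enabled). The following added example, which is not FortiOS code, models that detection as a sliding window: the counting key is the sender for flood detection and a hash of the message body for duplicate detection, and whether the count restarts after a block period is an assumption made here, since the page does not say.

```python
import hashlib
from collections import deque

# Defaults mirror this page's config flood / config dupe values:
# limit 100 messages, window 60 minutes, block-time 100 minutes.
DEFAULT_ACTIONS = ("archive", "block", "intercept", "log")


class MmsBurstDetector:
    """Sliding-window detector in the shape of this page's config flood and
    config dupe parameters. Time is in minutes. Constructed example, not
    FortiOS code; the per-key bookkeeping is an assumption about behaviour."""

    def __init__(self, limit=100, window_min=60, block_time_min=100,
                 actions=DEFAULT_ACTIONS, log_enabled=True):
        self.limit = limit
        self.window = window_min
        self.block_time = block_time_min
        self.actions = set(actions)
        self.log_enabled = log_enabled      # log-antispam-mass-mms on the page
        self._seen = {}                     # key -> deque of message times in the window
        self._active_until = {}             # key -> minute at which the action period ends

    def effective_actions(self):
        """Actions actually applied: block implies intercept, and log only
        takes effect when bulk-MMS logging is enabled (both rules are on the page)."""
        acts = set(self.actions)
        if "block" in acts:
            acts.add("intercept")
        if not self.log_enabled:
            acts.discard("log")
        return acts

    def observe(self, key, t_min):
        """Record one message for key at minute t_min and return the set of
        actions to apply to it (empty when the message is within limits)."""
        until = self._active_until.get(key)
        if until is not None and t_min < until:
            return self.effective_actions()       # still inside block-time
        times = self._seen.setdefault(key, deque())
        times.append(t_min)
        while times and times[0] <= t_min - self.window:
            times.popleft()                       # drop messages outside the window
        if len(times) > self.limit:               # "exceeded within the window"
            self._active_until[key] = t_min + self.block_time
            times.clear()                         # assumption: count restarts after the period
            return self.effective_actions()
        return set()


def flood_key(msg):
    """config flood: excessive activity is counted per sender (assumed key)."""
    return ("flood", msg["sender"])


def dupe_key(msg):
    """config dupe: duplicates are identical message bodies, whoever sends them."""
    return ("dupe", hashlib.sha256(msg["body"]).hexdigest())


if __name__ == "__main__":
    det = MmsBurstDetector(limit=2, window_min=10, block_time_min=15,
                           actions=("block", "log"))
    # constructed traffic: one sender, four messages within ten minutes
    for t in (0, 1, 2, 9):
        msg = {"sender": "+15550001", "body": b"hi"}
        print(t, det.observe(flood_key(msg), t))
```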
notification
The following commands are the options for config notification. (FortiOS Carrier)

{mm1 | mm3 | mm4 | mm7} (FortiOS Carrier)
    Select to which MMS interfaces notification will apply.
    Default: No default.

bword-int <noticeinterval_int> (FortiOS Carrier)
    Enter the banned word notification send interval.
    Default: 24

bword-int-mode {minutes | hours} (FortiOS Carrier)
    Select whether the value specified in the bword-int command is minutes or hours.
    Default: hours

bword-status {enable | disable} (FortiOS Carrier)
    Select to send notices for banned word events.
    Default: disable

detect-server {enable | disable} (FortiOS Carrier)
    Select to automatically determine the server address.
    Default: enable

dupe-int <interval_int> (FortiOS Carrier)
    Enter the amount of time between notifications of excessive MMS duplicates. Also set dupe-status to enable and select the time unit in dupe-int-mode.
    Default: 24

dupe-int-mode {hours | minutes} (FortiOS Carrier)
    Select the unit of time in minutes or hours for dupe-int.
    Default: hours

dupe-status (FortiOS Carrier)
    Select to send notices for excessive MMS message duplicate events.
    Default: disable

file-block-int <noticeinterval_int> (FortiOS Carrier)
    Enter the amount of time between notifications of file block events. Also set file-block-status to enable and select the time unit in file-block-int-mode.
    Default: 24

file-block-int-mode {hours | minutes} (FortiOS Carrier)
    Select whether the value specified in the file-block-int command is minutes or hours.
    Default: hours

file-block-status {enable | disable}
    Select to send notices for file block events.
    Default: disable

flood-int <interval_int> (FortiOS Carrier)
    Enter the amount of time between notifications of excessive MMS activity. Also set flood-status to enable and select the time unit in flood-int-mode.
    Default: 24

flood-int-mode {hours | minutes} (FortiOS Carrier)
    Select the unit of time in minutes or hours for flood-int.
    Default: hours

flood-status (FortiOS Carrier)
    Select to send notices for excessive MMS message activity events.
    Default: disable

from-in-header {enable | disable} (FortiOS Carrier)
    Select to insert the “from” address in the HTTP header.
    Default: disable

mmsc-hostname (FortiOS Carrier)
    Enter the FQDN or the IP address of the destination server.
    Default: No default.

mmsc-password <passwd_str> (FortiOS Carrier)
    Enter the password required for sending messages using this server. (Optional)
    Default: No default.

mmsc-port (FortiOS Carrier)
    Enter the port number the server is using.
    Default: Varies by msg-protocol.

mmsc-url (FortiOS Carrier)
    Enter the URL address of the server.
    Default: No default.

mmsc-username <user_str> (FortiOS Carrier)
    Enter the user name required for sending messages using this server. (Optional)
    Default: No default.

msg-protocol {mm1 | mm3 | mm4 | mm7} (FortiOS Carrier)
    Select the protocol to use for sending notification messages.
    Default: Varies by config notification {mm1 | mm3 | mm4 | mm7}.

msg-type {deliver-req | send-req} (FortiOS Carrier)
    Select the type of notification message directed to either a VASP or an MMSC.
    Default: deliver-req

msisdn-bwl-int <interval_int> (FortiOS Carrier)
    Enter the amount of time between notifications for MSISDN black/white list events. Also set msisdn-bwl-status to enable and select the time unit in msisdn-bwl-int-mode.
    Default: 24

msisdn-bwl-int-mode {hours | minutes} (FortiOS Carrier)
    Select the unit of time in minutes or hours for msisdn-bwl-int.
    Default: hours

msisdn-bwl-status {enable | disable} (FortiOS Carrier)
    Select to send notices for MSISDN black/white list events.
    Default: disable

rate-limit <limit_int> (FortiOS Carrier)
    Enter the number of notifications to send per second. If you enter zero (0), the notification rate is not limited.
    Default: 0

tod-window-start <window_time> (FortiOS Carrier)
    Select the time of day to begin sending notifications. If you select a start and end time of zero (00:00), notifications are not limited by time of day.
    Default: 00:00

tod-window-end <window_time> (FortiOS Carrier)
    Select the time of day to stop sending notifications. If you select a start and end time of zero (00:00), notifications are not limited by time of day.
    Default: 00:00

vas-id <vas_str> (FortiOS Carrier)
    Enter the value added service (VAS) ID to be used when sending a notification message.
    Default: No default.

vasp-id <vasp_str> (FortiOS Carrier)
    Enter the value added service provider (VASP) ID to be used when sending a notification message.
    Default: No default.

virus-int <interval_int> (FortiOS Carrier)
    Enter the amount of time between notifications for antivirus events. Also set virus-status to enable and select the time unit in virus-int-mode.
    Default: 24

virus-int-mode {hours | minutes} (FortiOS Carrier)
    Select the unit of time in minutes or hours for virus-int.
    Default: hours

virus-status {enable | disable} (FortiOS Carrier)
    Select to send notices for antivirus events.
    Default: disable

sccp
The following commands are the options for config sccp.

status {enable | disable}
    Select to inspect SCCP traffic. Other SCCP inspection options become available if this option is set to enable.
    Default: disable

archive-summary {enable | disable}
    Select to content archive call metadata.
    This option appears only if status is enable.
    Default: disable

block-mcast {enable | disable}
    Select to block multicast RTP connections.
    This option appears only if status is enable.
    Default: disable

max-calls <limit_int>
    Enter the maximum calls per minute per SCCP client (max 65535).
    This option appears only if status is enable.
    Default: 0

no-content-summary {enable | disable}
    Select to omit monitoring of content information from the dashboard.
    This option appears only if status is enable.
    Default: disable

verify-header {enable | disable}
    Select to verify SCCP header content.
    This option appears only if status is enable.
    Default: disable

simple
The following commands are the options for config simple.

status {enable | disable}
    Select to inspect SIMPLE traffic. Other SIMPLE inspection options become available if this option is set to enable.
    Default: disable

archive-full {enable | disable}
    Select to content archive the full contents of chat messages.
    Default: disable

archive-summary {enable | disable}
    Select to content archive summary information for chat messages.
    Default: disable

block-message {enable | disable}
    Select to block SIMPLE instant messages.
    Default: disable

message-rate <limit_int>
    Enter the MESSAGE request rate limit per second, per policy.
    Default: 0

sip
The following commands are the options for config sip. Unless noted otherwise, each option below appears only if status is enable.

status {enable | disable}
    Select to inspect SIP traffic. Other SIP inspection options become available if this option is set to enable.
    Default: disable

ack-rate <rate_int>
    Enter the ACK rate limit per second, per policy.
    Default: 0

archive-summary {enable | disable}
    Select to content archive call metadata.
    Default: disable

block-ack {enable | disable}
    Select to block ACK requests.
    Default: disable

block-bye {enable | disable}
    Select to block BYE requests.
    Default: disable

block-cancel {enable | disable}
    Select to block CANCEL requests.
    Default: disable

block-info {enable | disable}
    Select to block INFO requests.
    Default: disable

block-invite {enable | disable}
    Select to block INVITE requests.
    Default: disable

block-long-lines {enable | disable}
    Select to block requests with headers exceeding max-line-length.
    Default: enable

block-notify {enable | disable}
    Select to block NOTIFY requests.
    Default: disable

block-options {enable | disable}
    Select to block OPTIONS requests.
    Default: disable

block-prack {enable | disable}
    Select to block PRACK requests.
    Default: disable

block-publish {enable | disable}
    Select to block PUBLISH requests.
    Default: disable

block-refer {enable | disable}
    Select to block REFER requests.
    Default: disable

block-register {enable | disable}
    Select to block REGISTER requests.
    Default: disable

block-subscribe {enable | disable}
    Select to block SUBSCRIBE requests.
    Default: disable

block-unknown {enable | disable}
    Select to block unrecognized SIP requests.
    Default: enable

block-update {enable | disable}
    Select to block UPDATE requests.
    Default: disable

call-keepalive <limit_int>
    Enter the number of minutes to continue tracking calls with no RTP.
    Default: 0

info-rate <rate_int>
    Enter the INFO rate limit per second, per policy.
    Default: 0

invite-rate <limit_int>
    Enter the INVITE request rate limit per second, per policy.
    Default: 0

max-dialogs <limit_int>
    Enter the maximum number of concurrent calls.
    Default: 0

max-line-length <limit_int>
    Enter the maximum SIP header line length (78-4096).
    Default: 998

no-sdp-fixup {enable | disable}
    Select to preserve the SDP packet.
    Default: disable

notify-rate <limit_int>
    Enter the NOTIFY rate limit per second, per policy.
    Default: 0

options-rate <limit_int>
    Enter the OPTIONS rate limit per second, per policy.
    Default: 0

prack-rate <limit_int>
    Enter the PRACK rate limit per second, per policy.
    Default: 0

preserve-override {enable | disable}
    Select to omit the original IP address from the SDP i line. When disabled, IP addresses are appended.
    Default: disable

primary-secondary {enable | disable}
    Select to monitor primary/secondary outbound proxy redundancy.
    Default: disable

refer-rate <limit_int>
    Enter the REFER rate limit per second, per policy.
    Default: 0

register-rate <limit_int>
    Enter the REGISTER request rate limit (per second, per policy).
    Default: 0

rtp {enable | disable}
    Select for RTP NAT traversal.
    Default: enable

strict-register {enable | disable}
    Select to allow only the registrar to connect.
    Default: disable

subscribe-rate <limit_int>
    Enter the SUBSCRIBE rate limit per second, per policy.
    Default: 0

timeout-buffer <calls_int>
    Enter the maximum number of timed out calls to buffer.
    Default: 0

update-rate <limit_int>
    Enter the UPDATE rate limit per second, per policy.
    Default: 0

Example
This example shows how to:
• create a profile called spammail
• enable filtering of email according to the email banned word list, the MIME header list, and the return DNS check, and enable spam to be logged and tagged with the tag “Spam” in the subject for POP3 traffic
• enable filtering of email based on the DNSBL server, and discard messages identified as spam for SMTP traffic

Spam logging is a pop3 option (spam-mail-log), not a pop3-spamaction value, since pop3-spamaction accepts only pass or tag:

    config firewall profile
        edit spammail
            set pop3 spamemailbwl spamhdrcheck spamraddrdns spam-mail-log
            set pop3-spamaction tag
            set pop3-spamtagmsg Spam
            set pop3-spamtagtype subject
            set smtp spamrbl
            set smtp-spamaction discard
        end

This example shows how to:
• add HTTP category blocking to the spammail profile created above
• configure category blocking to deny access to web pages categorized as Games (20), Personals and Dating (37), Shopping and Auction (42) and the category group Objectionable or Controversial (g02)
• configure category monitoring to log access to web pages categorized as Computer Security (50) and the category group Potentially Bandwidth Consuming (g04)

    config firewall profile
        edit spammail
            set ftgd-wf-deny 20 37 42 g02
            set ftgd-wf-log 50 g04
        end

History

FortiOS v2.80 Substantially revised.


FortiOS v2.80 MR2 Removed log variable from imap-spamaction, pop3-spamaction, and smtp-
spamaction keywords.
FortiOS v2.80 MR3 Added splice variable to ftp and smtp keywords. Moved from config
antivirus ftp service and config antivirus smtp service.
Added chunkedbypass variable to http keyword.
FortiOS v2.80 MR5 Added http_err_detail to cat_options keyword.
FortiOS v2.80 MR6 Removed buffer_to_disk variable from ftp, http, imap, pop3, and smtp
keywords.
Added spamfeip variable to imap, pop3, and smtp keywords.
Changed content_log variable to content-archive for ftp, http, imap,
pop3, and smtp keywords.
FortiOS v2.80 MR7 Changed spamfeip variable to spamfsip for the FortiShield Antispam Service.
Added no-content-summary variable to ftp, http, imap, pop3, and smtp
keywords.
FortiOS v2.80 MR8 Added spamfsurl for the FortiShield spam filter URL blacklist to imap, pop3, and
smtp keywords.
FortiOS v3.0 Added keywords for FortiGuard. New options added for ftp, http, imap,
pop3, smtp, imap-spamtagtype, pop3-spamtagtype, smtp-
spamtagtype. Added keywords for IM. Added new keywords for IPS. Added new
keywords for logging. Added smtp-spamhdrip to profile. Added all IM and P2P
options. Added client comforting and oversize file commands. Added NNTP-related
commands. Added list selection commands for FortiGate-800 models and greater.
FortiOS v3.0 MR3 Added new options avquery and exemptword for HTTP. Removed options
fileexempt, mail_log and spamfschksum from HTTP, POP3 and IMAP.
Added new options archive-full, archive-summary and avquery for
IMAP, POP3, and AIM. Removed options content-archive and fileexempt
from IMAP and IM.

FortiGate CLI Version 3.0 MR6 Reference


146 01-30006-0015-20080205
firewall profile

FortiOS v3.0 MR4 Added no-content-summary to AIM, ICQ, MSN, and Yahoo options. Removed transfer-log from the same commands as it is not a feature.
FortiOS v3.0 MR4 Added VoIP config commands for SCCP, Simple, and SIP protocols. Added associated-interface, nntpoversizelimit, imoversizechat, log-voip, log-voip-violations, and HTTPS commands. Removed the following options and commands: nntp-spamaction, nntp-spamtagtype, nntp-spamtagmsg. Added set smtp-spam-localoverride command.
FortiOS v3.0 MR6 New option redir-block for variable ftgd-wf-options. Blocks HTTP redirects.
FortiOS v3.0 MR6 Removed variables ips-signature and ips-anomaly. IPS sensors, formerly signatures, are now configured by selecting a sensor name. Denial of service (DoS) sensors, formerly anomalies, are no longer configured in protection profiles.
FortiOS v3.0 MR6 New variables ips-sensor-status and ips-sensor. Enables IPS sensors, and selects the IPS sensor name.
FortiOS v3.0 MR6 Renamed variable ips-log to log-ips.
FortiOS v3.0 MR6 New option block-long-chat for variable aim. Blocks oversize chat messages.
FortiOS v3.0 MR6 Renamed options content-full and content-meta to archive-full and archive-summary, respectively, for the msn, icq, and yahoo variables.
FortiOS v3.0 MR6 Removed variable ftgd-wf-ovrd-group.
FortiOS v3.0 MR6 New option scanextended for the ftp and http variables. Scans for viruses and worms using the extended database of virus definitions.
FortiOS Carrier v3.0 MR3 New variable imoversizechat. Limits the size of individual chat messages.
FortiOS Carrier v3.0 MR3 New command config dupe. Configures detection of excessive MMS message duplicates.
FortiOS Carrier v3.0 MR3 New command config flood. Configures detection of excessive MMS message activity.
FortiOS Carrier v3.0 MR3 New variables msisdn-prefix, msisdn-string, msisdn-prefix-range-min and msisdn-prefix-range-max. Configures MSISDN prefixes.
FortiOS Carrier v3.0 MR3 New variable mm1-retr-dupe. Scans mm1-retr MMS messages for duplicates. By default, mm1-retr messages are not scanned for duplicates as they may often be the same without necessarily being bulk or spam.
FortiOS Carrier v3.0 MR3 New variables mm1-addr-hdr, mm1-addr-source, mm1-convert-hex, mm7-addr-hdr, mm7-addr-source, mm7-convert-hex. Configures MSISDN extraction and conversion to hexadecimal for MM1 and MM7 MMS messages.
FortiOS Carrier v3.0 MR3 New variables msisdn-bwl-int, msisdn-bwl-int-mode, msisdn-bwl-status in the config notification subcommand. Configures MMS notification intervals when MSISDN black/white list events occur.
FortiOS Carrier v3.0 MR3 New variables dupe-int, dupe-int-mode, dupe-status in the config notification subcommand. Configures MMS notification intervals when excessive MMS message duplicates are detected.
FortiOS Carrier v3.0 MR3 New variables flood-int, flood-int-mode, flood-status in the config notification subcommand. Configures MMS notification intervals when excessive MMS message activity is detected.
FortiOS Carrier v3.0 MR3 New variable rate-limit in the config notification subcommand. Limits the rate at which MMS notices are sent.
FortiOS Carrier v3.0 MR3 New variables tod-window-start and tod-window-end in the config notification subcommand. Configures the window of time during which MMS notices are sent.
FortiOS Carrier v3.0 MR3 New variable no-sdp-fixup in the config sip subcommand. Preserves the original SDP packet.
FortiOS Carrier v3.0 MR3 New variables notify-rate, options-rate, prack-rate, preserve-override, refer-rate, subscribe-rate, and update-rate in the config sip subcommand. Limits the rate at which certain types of SIP traffic are forwarded.
FortiOS Carrier v3.0 MR3 New variable preserve-override in the config sip subcommand. Omits the original IP address from SDP i line.
FortiOS Carrier v3.0 MR3 New variable primary-secondary in the config sip subcommand. Monitors primary/secondary outbound proxy redundancy.
FortiOS Carrier v3.0 MR3 New variable timeout-buffer in the config sip subcommand. Configures the maximum number of timed out calls to buffer.

Related topics
• firewall policy, policy6
• alertemail
• antivirus
• ips
• webfilter

schedule onetime
Use this command to add, edit, or delete one-time schedules.
Use scheduling to control when policies are active or inactive. Use one-time schedules for policies that
are effective once for the period of time specified in the schedule.

Note: To edit a schedule, define the entire schedule, including the changes. This means entering all of the
schedule parameters, both those that are changing and those that are not.

Syntax
config firewall schedule onetime
    edit <name_str>
        set end <hh:mm> <yyyy/mm/dd>
        set start <hh:mm> <yyyy/mm/dd>
    end
Keywords and variables Description Default
<name_str>
    Enter the name of this schedule. No default.
end <hh:mm> <yyyy/mm/dd>
    Enter the ending day and time of the schedule. Default: 00:00 2001/01/01
    • hh - 00 to 23
    • mm - 00, 15, 30, or 45
    • yyyy - 1992 to infinity
    • mm - 01 to 12
    • dd - 01 to 31
start <hh:mm> <yyyy/mm/dd>
    Enter the starting day and time of the schedule. Default: 00:00 2001/01/01
    • hh - 00 to 23
    • mm - 00, 15, 30, or 45
    • yyyy - 1992 to infinity
    • mm - 01 to 12
    • dd - 01 to 31

Example
Use the following example to add a one-time schedule named Holiday that is valid from 5:00 pm on
3 September 2004 until 8:45 am on 7 September 2004.
config firewall schedule onetime
    edit Holiday
        set start 17:00 2004/09/03
        set end 08:45 2004/09/07
    end

History

FortiOS v2.80 Revised.

Related topics
• firewall policy, policy6
• firewall schedule recurring

schedule recurring
Use this command to add, edit, and delete recurring schedules used in firewall policies.
Use scheduling to control when policies are active or inactive. Use recurring schedules to create
policies that repeat weekly. Use recurring schedules to create policies that are effective only at
specified times of the day or on specified days of the week.

Note: If a recurring schedule is created with a stop time that occurs before the start time, the schedule starts at the
start time and finishes at the stop time on the next day. You can use this technique to create recurring schedules
that run from one day to the next. To create a recurring schedule that runs for 24 hours, set the start and stop
times to the same time.

Syntax
config firewall schedule recurring
    edit <name_str>
        set day <name_str>
        set end <hh:mm>
        set start <hh:mm>
    end

Keywords and variables Description Default
<name_str>
    Enter the name of this schedule. No default.
day <name_str>
    Enter the names of one or more days of the week for which the schedule is valid. Separate multiple names with a space. Default: sunday
end <hh:mm>
    Enter the ending time of the schedule. Default: 00:00
    • hh can be 00 to 23
    • mm can be 00, 15, 30, or 45 only
start <hh:mm>
    Enter the starting time of the schedule. Default: 00:00
    • hh can be 00 to 23
    • mm can be 00, 15, 30, or 45 only

Example
This example shows how to add a recurring schedule named access so that it is valid Monday to
Friday from 7:45 am to 5:30 pm.
config firewall schedule recurring
    edit access
        set day monday tuesday wednesday thursday friday
        set start 07:45
        set end 17:30
    end
Edit the recurring schedule named access so that it is no longer valid on Fridays.
config firewall schedule recurring
    edit access
        set day monday tuesday wednesday thursday
        set start 07:45
        set end 17:30
    end
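An added example, not part of the FortiGate CLI Reference, that evaluates whether a one-time or recurring schedule as defined in the two commands above is active at a given moment. It uses the value formats the CLI accepts and implements the note's wrap-around rule (an end time earlier than the start runs into the next day); treating start equal to end as a 24-hour window beginning at the start time is an assumption made here.

```python
# Added example (not from the FortiGate CLI Reference): decide whether a
# 'firewall schedule onetime' or 'firewall schedule recurring' entry is
# active at a given moment, following the documented value formats and the
# wrap-around rule for recurring schedules.
from datetime import datetime, time

# Day names as accepted by 'set day'; the index matches datetime.weekday().
DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")


def parse_hhmm(value):
    """Parse '<hh:mm>': hh is 00 to 23, mm is 00, 15, 30, or 45 only."""
    hh, mm = value.split(":")
    hour, minute = int(hh), int(mm)
    if not 0 <= hour <= 23 or minute not in (0, 15, 30, 45):
        raise ValueError("time %r is not a valid <hh:mm> value" % value)
    return time(hour, minute)


def parse_onetime_point(value):
    """Parse '<hh:mm> <yyyy/mm/dd>' as given to 'set start' / 'set end'."""
    clock, date = value.split()
    day = datetime.strptime(date, "%Y/%m/%d")
    if day.year < 1992:  # the reference allows 1992 and later
        raise ValueError("year must be 1992 or later: %r" % value)
    return datetime.combine(day.date(), parse_hhmm(clock))


def _as_datetime(now):
    """Accept a datetime or a 'yyyy/mm/dd hh:mm' string for the moment tested."""
    if isinstance(now, datetime):
        return now
    return datetime.strptime(now, "%Y/%m/%d %H:%M")


def onetime_active(start, end, now):
    """True while a one-time schedule is in effect (end is exclusive)."""
    start_dt, end_dt = parse_onetime_point(start), parse_onetime_point(end)
    if end_dt <= start_dt:  # sanity check added here, not a CLI rule
        raise ValueError("end must be later than start")
    return start_dt <= _as_datetime(now) < end_dt


def recurring_active(days, start, end, now):
    """True while a recurring schedule is in effect.

    days is the 'set day' list, start/end are '<hh:mm>' strings.  Per the
    note above, an end earlier than the start means the window runs from the
    start time until the end time on the next day; start == end is taken
    here (an assumption) as a 24-hour window beginning at the start time.
    """
    day_set = {d.lower() for d in days}
    unknown = day_set - set(DAYS)
    if unknown:
        raise ValueError("unknown day name(s): %s" % ", ".join(sorted(unknown)))
    start_t, end_t = parse_hhmm(start), parse_hhmm(end)
    moment = _as_datetime(now)
    today = DAYS[moment.weekday()]
    yesterday = DAYS[(moment.weekday() - 1) % 7]
    clock = moment.time()
    if start_t < end_t:
        # Same-day window on each listed day.
        return today in day_set and start_t <= clock < end_t
    # Wrap-around window: it either began today (a listed day) at start_t,
    # or began yesterday (a listed day) and has not yet reached end_t.
    if today in day_set and clock >= start_t:
        return True
    return yesterday in day_set and clock < end_t
```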

History

FortiOS v2.80 Revised.

Related topics
• firewall policy, policy6
• firewall schedule onetime

service custom
Use this command to configure a firewall service that is not in the predefined service list.

Note: To display a list of all predefined service names, enter the command get firewall service
predefined ?. To display a predefined service’s details, enter the command get firewall
service predefined <service_str>. For details, see “get firewall service predefined” on
page 635.

Syntax
config firewall service custom
    edit <name_str>
        set icmpcode <code_int>
        set icmptype <type_int>
        set protocol {ICMP | IP | TCP/UDP}
        set protocol-number <protocol_int>
        set tcp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
        set udp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
    end
Keywords and variables Description Default
<name_str>
    Enter the name of this custom service. No default.
icmpcode <code_int>
    Enter the ICMP code number. Find ICMP type and code numbers at www.iana.org. No default.
icmptype <type_int>
    Enter the ICMP type number. The range for type_int is from 0-255. Find ICMP type and code numbers at www.iana.org. Default: 0
protocol {ICMP | IP | TCP/UDP}
    Enter the protocol used by the service. Default: IP
protocol-number <protocol_int>
    For an IP service, enter the IP protocol number. For information on protocol numbers, see http://www.iana.org. Default: 0
tcp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
    For TCP services, enter the destination and source port ranges. No default.
    If the destination port range can be any port, enter 1-65535. If the destination is only a single port, simply enter a single port number for dstportlow_int and no value for dstporthigh_int.
    If the source port can be any port, no source port need be added. If the source port is only a single port, simply enter a single port number for srcportlow_int and no value for srcporthigh_int.
udp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
    For UDP services, enter the destination and source port ranges. No default.
    If the destination port range can be any port, enter 1-65535. If the destination is only a single port, simply enter a single port number for dstportlow_int and no value for dstporthigh_int.
    If the source port can be any port, no source port need be added. If the source port is only a single port, simply enter a single port number for srcportlow_int and no value for srcporthigh_int.

Example
This example shows how to add a custom service called Custom_1. The service destination port
range is TCP 4501 to 4503. The service can use any source port.
config firewall service custom
    edit Custom_1
        set protocol TCP/UDP
        set tcp-portrange 4501-4503
    end
A second example shows how to add a custom service called Custom_2. The service destination port range is TCP 4545 to 4550. The service uses source port 9620.
config firewall service custom
    edit Custom_2
        set protocol TCP/UDP
        set tcp-portrange 4545-4550:9620
    end
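An added example, not from the FortiGate CLI Reference, that parses the tcp-portrange / udp-portrange value format documented above, applies the stated rules for single ports and an omitted source part, and checks whether a packet's port pair is covered by the service. The overlap check between two service definitions is an extra check added here, not something the CLI performs.

```python
# Added example (not from the FortiGate CLI Reference): parse and validate
# the tcp-portrange / udp-portrange value of 'config firewall service custom',
#   <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
# and test whether a packet's ports fall inside the service.
import re

# One side of the specification: a single port or low-high.
_PART = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")
ANY_PORT = (1, 65535)  # an omitted source part means any source port


def _parse_part(text, label):
    """Return (low, high) for 'n' or 'low-high'; a single port gives (n, n)."""
    match = _PART.match(text)
    if not match:
        raise ValueError("%s port specification %r is malformed" % (label, text))
    low = int(match.group(1))
    high = int(match.group(2)) if match.group(2) is not None else low
    if not 1 <= low <= high <= 65535:
        raise ValueError("%s ports %r must satisfy 1 <= low <= high <= 65535"
                         % (label, text))
    return low, high


def parse_portrange(spec):
    """Return ((dst_low, dst_high), (src_low, src_high)) for a portrange value."""
    dst_text, colon, src_text = spec.strip().partition(":")
    dst = _parse_part(dst_text, "destination")
    src = _parse_part(src_text, "source") if colon else ANY_PORT
    return dst, src


def service_matches(spec, dst_port, src_port):
    """True if a packet with the given ports is covered by the service."""
    (dst_low, dst_high), (src_low, src_high) = parse_portrange(spec)
    return dst_low <= dst_port <= dst_high and src_low <= src_port <= src_high


def custom_services_overlap(spec_a, spec_b):
    """True if two custom services can match the same packet (added check)."""
    (a_dl, a_dh), (a_sl, a_sh) = parse_portrange(spec_a)
    (b_dl, b_dh), (b_sl, b_sh) = parse_portrange(spec_b)
    return (max(a_dl, b_dl) <= min(a_dh, b_dh)
            and max(a_sl, b_sl) <= min(a_sh, b_sh))
```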

History

FortiOS v2.80 Revised.


FortiOS v3.00 The portrange command split into tcp-portrange and udp-portrange.

Related topics
• firewall policy, policy6

service group
Use this command to configure firewall service groups.
To simplify policy creation, you can create groups of services and then add one policy to provide or
block access for all the services in the group. A service group can contain predefined services and
custom services in any combination. A service group cannot contain another service group.

Note: To edit a service group, enter all of the members of the service group, both those changing and those
staying the same.

Syntax
config firewall service group
    edit <group-name_str>
        set member <service_str>
    end

Keywords and variables Description Default
<group-name_str>
    Enter the name of this service group. No default.
member <service_str>
    Enter one or more names of predefined or custom firewall services to add to the service group. Separate multiple names with a space. To view the list of available services enter set member ? at the prompt. No default.
    <service_str> is case-sensitive.

Example
This example shows how to add a service group called web_Services that includes the FTP, HTTP,
HTTPS, and Real Audio services.
config firewall service group
    edit web_Services
        set member FTP HTTP HTTPS RAUDIO
    end
This example shows how to add the TELNET service to the web_Services service group.
config firewall service group
    edit web_Services
        set member FTP HTTP HTTPS RAUDIO TELNET
    end

History

FortiOS v2.80 Revised.

Related topics
• firewall policy, policy6

vip
Use this command to configure virtual IPs and their associated address and port mappings (NAT).
Virtual IPs can be used to allow connections through a FortiGate unit using network address
translation (NAT) firewall policies. Virtual IPs use Proxy ARP so that the FortiGate unit can respond to
ARP requests on a network for a server that is actually installed on another network. Proxy ARP is
defined in RFC 1027.
For example, you can add a virtual IP to an external FortiGate unit interface so that the external
interface can respond to connection requests for users who are actually connecting to a server on the
DMZ or internal network.

Note: Virtual IPs are not available in Transparent mode.

Depending on your configuration of the virtual IP, its mapping may involve port address translation
(PAT), also known as port forwarding or network address port translation (NAPT), and/or network
address translation (NAT) of IP addresses.
If you configure NAT in the virtual IP and firewall policy, the NAT behavior varies by your selection of:
• static vs. dynamic NAT mapping
• the dynamic NAT’s load balancing style, if using dynamic NAT mapping
• full NAT vs. destination NAT (DNAT)
The following table describes combinations of PAT and/or NAT that are possible when configuring a
firewall policy with a virtual IP.

Static NAT
    Static, one-to-one NAT mapping: an external IP address is always translated to the same mapped IP address.
    If using IP address ranges, the external IP address range corresponds to a mapped IP address range containing an equal number of IP addresses, and each IP address in the external range is always translated to the same IP address in the mapped range.
Static NAT with Port Forwarding
    Static, one-to-one NAT mapping with port forwarding: an external IP address is always translated to the same mapped IP address, and an external port number is always translated to the same mapped port number.
    If using IP address ranges, the external IP address range corresponds to a mapped IP address range containing an equal number of IP addresses, and each IP address in the external range is always translated to the same IP address in the mapped range. If using port number ranges, the external port number range corresponds to a mapped port number range containing an equal number of port numbers, and each port number in the external range is always translated to the same port number in the mapped range.
Load Balancing
    Dynamic, one-to-many NAT mapping: an external IP address is translated to one of the mapped IP addresses. For each session, a load balancing algorithm dynamically selects an IP address from the mapped IP address range to provide more even traffic distribution. The external IP address is not always translated to the same mapped IP address.
Load Balancing with Port Forwarding
    Dynamic, one-to-many NAT mapping with port forwarding: an external IP address is translated to one of the mapped IP addresses. For each session, a load balancing algorithm dynamically selects an IP address from the mapped IP address range to provide more even traffic distribution. The external IP address is not always translated to the same mapped IP address.
Dynamic Virtual IPs
    Dynamic, many-to-few or many-to-one NAT mapping: if you set the external IP address of a virtual IP to 0.0.0.0, the interface maps traffic destined for any IP address, and is dynamically translated to a mapped IP address or address range.

Server Load Balancing
    Dynamic, one-to-many NAT mapping: an external IP address is translated to one of the mapped IP addresses, as determined by the selected load balancing algorithm for more even traffic distribution. The external IP address is not always translated to the same mapped IP address.
    Server load balancing requires that you configure at least one “real” server, but can use up to eight. Real servers can be configured with health check monitors. Health check monitors can be used to gauge server responsiveness before forwarding packets.
Server Load Balancing with Port Forwarding
    Dynamic, one-to-many NAT mapping with port forwarding: an external IP address is translated to one of the mapped IP addresses, as determined by the selected load balancing algorithm for more even traffic distribution. The external IP address is not always translated to the same mapped IP address.
    Server load balancing requires that you configure at least one “real” server, but can use up to eight. Real servers can be configured with health check monitors. Health check monitors can be used to gauge server responsiveness before forwarding packets.
Note: If the NAT check box is not selected when building the firewall policy, the resulting policy does not
perform full (source and destination) NAT; instead, it performs destination network address translation
(DNAT).
For inbound traffic, DNAT translates packets’ destination address to the mapped private IP address, but
does not translate the source address. The private network is aware of the source’s public IP address.
For reply traffic, the FortiGate unit translates packets’ private network source IP address to match the
destination address of the originating packets, which is maintained in the session table.

Virtual IPs have the following requirements.


• The Mapped IP Address/Range cannot be 0.0.0.0 or 255.255.255.255.
• The Mapped IP Address/Range must not include any interface IP addresses.
• If the virtual IP is mapped to a range of IP addresses and its type is Static NAT, the External IP
Address/Range cannot be 0.0.0.0.
• When port forwarding, the External IP Address/Range cannot include any interface IP
addresses.
• When port forwarding, the count of mapped port numbers and external port numbers must be
the same, and the last port number in the range must not exceed 65535.
• Virtual IP names must be different from address or address group names.
• Duplicate entries or overlapping ranges are not permitted.

Syntax
config firewall vip
    edit <name_str>
        config realservers
            edit <table_int>
                set dead-interval <seconds_int>
                set healthcheck {enable | disable}
                set ip <server_ip>
                set monitor <healthcheck_str>
                set ping-detect {enable | disable}
                set port <port_int>
                set wake-interval <seconds_int>
                set weight <loadbalanceweight_int>
            end
        set arp-reply {enable | disable}
        set extintf <name_str>
        set extip <address_ipv4>
        set extport <port_int>
        set http {enable | disable}
        set http-ip-header {enable | disable}
        set ldb-method {round-robin | static | weighted}
        set mappedip [<start_ipv4>-<end_ipv4>]
        set mappedport <port_int>
        set max-embryonic-connections <initiated_int>
        set portforward {enable | disable}
        set protocol {tcp | udp}
        set ssl {full | half | off}
        set ssl-certificate <certificate_str>
        set ssl-client-session-state-max <sessionstates_int>
        set ssl-client-session-state-timeout <timeout_int>
        set ssl-client-session-state-type {both | count | disable | time}
        set ssl-dh-bits <bits_int>
        set ssl-http-location-conversion {enable | disable}
        set ssl-http-match-host {enable | disable}
        set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1}
        set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1}
        set ssl-send-empty-frags {enable | disable}
        set ssl-server-session-state-max <sessionstates_int>
        set ssl-server-session-state-timeout <timeout_int>
        set ssl-server-session-state-type {both | count | disable | time}
        set type {load-balance | server-load-balance | static-nat}
    end
Keywords and variables Description Default
<name_str>
    Enter the name of this virtual IP address. No default.
arp-reply {enable | disable}
    Select to respond to ARP requests for this virtual IP address. Default: enable
extintf <name_str>
    Enter the name of the interface connected to the source network that receives the packets that will be forwarded to the destination network. The interface name can be any FortiGate network interface, VLAN subinterface, IPSec VPN interface, or modem interface. No default.
extip <address_ipv4>
    Enter the IP address on the external interface that you want to map to an address on the destination network. Default: 0.0.0.0
    If type is static-nat and mappedip is an IP address range, the FortiGate unit uses extip as the first IP address in the external IP address range, and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping.
    To configure a dynamic virtual IP that accepts connections destined for any IP address, set extip to 0.0.0.0.
extport <port_int>
    Enter the external port number that you want to map to a port number on the destination network. Default: 0
    If you want to configure a static NAT virtual IP that maps a range of external port numbers to a range of destination port numbers, set extport to the first port number in the range. Then set mappedport to the start and end of the destination port range. The FortiGate unit automatically calculates the end of the extport port number range.
    To configure a dynamic virtual IP that accepts connections for any port, set extport to 0.
http {enable | disable}
    Select to use the FortiGate unit’s HTTP proxy to multiplex multiple client connections destined for the web server into a few connections between the FortiGate unit and the web server. This can improve performance by reducing server overhead associated with establishing multiple connections. The server must be HTTP/1.1 compliant. Default: disable
    This option appears only if portforward is enable.
http-ip-header {enable | disable}
    Select to preserve the client’s IP address in the X-Forwarded-For HTTP header line. This can be useful if you require logging on the server of the client’s original IP address. If this option is not selected, the header will contain the IP address of the FortiGate unit. Default: disable
    This option appears only if portforward and http are enable.

ldb-method {round-robin | static | weighted}
    Select the load balancing method. Default: static
    • round-robin: Directs request to the next server, and treats all servers as equals regardless of response time or number of connections. Unresponsive servers are avoided. A separate server is required.
    • static: Distributes load evenly across all servers; separate servers are not required.
    • weighted: Servers with a higher weight value will receive a larger percentage of connections at any one time. Server weights can be set in config realservers set weight.
    This option appears only if type is server-load-balance.
mappedip [<start_ipv4>-<end_ipv4>]
    Enter the IP address or IP address range on the destination network to which the external IP address is mapped. Default: 0.0.0.0
    If type is static-nat and mappedip is an IP address range, the FortiGate unit uses extip as the first IP address in the external IP address range, and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping.
    If type is load-balance and mappedip is an IP address range, the FortiGate unit uses extip as a single IP address to create a one-to-many mapping.
mappedport <port_int>
    Enter the port number on the destination network to which the external port number is mapped. Default: 0
    You can also enter a port number range to forward packets to multiple ports on the destination network.
    For a static NAT virtual IP, if you enter a mapped port range the FortiGate unit calculates the external port number range.
max-embryonic-connections <initiated_int>
    Enter the maximum number of partially established SSL or HTTP connections. This should be greater than the maximum number of connections you want to establish per second. Default: 1000
    This option appears only if portforward is enable, and http is enable or ssl is not off.
portforward {enable | disable}
    Select to enable port forwarding. You must also specify the port forwarding mappings by configuring extport and mappedport. Default: disable
protocol {tcp | udp}
    Select the protocol, TCP or UDP, to use when forwarding packets. Default: tcp

ssl {full | half | off}
    Select whether or not to accelerate SSL communications with the destination by using the FortiGate unit to perform SSL operations, and indicate which segments of the connection will receive SSL offloading. Default: off
    • full: Select to apply SSL to both parts of the connection: the segment between the client and the FortiGate unit, and the segment between the FortiGate unit and the server. The segment between the FortiGate unit and the server will use encrypted communications, but the handshakes will be abbreviated. This results in performance which is less than the option half, but still improved over communications without SSL acceleration, and can be used in failover configurations where the failover path does not have an SSL accelerator. If the server is already configured to use SSL, this also enables SSL acceleration without requiring changes to the server’s configuration.
    • half: Select to apply SSL only to the part of the connection between the client and the FortiGate unit. The segment between the FortiGate unit and the server will use clear text communications. This results in best performance, but cannot be used in failover configurations where the failover path does not have an SSL accelerator.
    • off: Do not apply SSL acceleration.
    SSL 3.0, TLS 1.0, and TLS 1.1 are supported.
    This option appears only if portforward is enable, and only on FortiGate models whose hardware supports SSL acceleration, such as FortiGate-3600A.
ssl-certificate <certificate_str>
    Enter the name of the SSL certificate to use with SSL acceleration. No default.
    This option appears only if ssl is not off.
ssl-client-session-state-max <sessionstates_int>
    Enter the maximum number of SSL session states to keep for the segment of the SSL connection between the client and the FortiGate unit. Default: 1000
    This option appears only if ssl is not off.
ssl-client-session-state-timeout <timeout_int>
    Enter the number of minutes to keep the SSL session states for the segment of the SSL connection between the client and the FortiGate unit. Default: 30
    This option appears only if ssl is not off.
ssl-client-session-state-type {both | count | disable | time}
    Select which method the FortiGate unit should use when deciding to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate unit. Default: both
    • both: Select to expire SSL session states when either ssl-client-session-state-max or ssl-client-session-state-timeout is exceeded, regardless of which occurs first.
    • count: Select to expire SSL session states when ssl-client-session-state-max is exceeded.
    • disable: Select to keep no SSL session states.
    • time: Select to expire SSL session states when ssl-client-session-state-timeout is exceeded.
    This option appears only if ssl is not off.
ssl-dh-bits <bits_int>
    Enter the number of bits of the prime number used in the Diffie-Hellman exchange for RSA encryption of the SSL connection. Larger prime numbers are associated with greater cryptographic strength. Default: 1024
    This option appears only if ssl is not off.
ssl-http-location-conversion {enable | disable}
    Select to replace http with https in the reply’s Location HTTP header field. Default: disable
    For example, in the reply, Location: http://example.com/ would be converted to Location: https://example.com/ .
    This option appears only if ssl is half.

ssl-http-match-host {enable | disable}
    Select to apply Location conversion to the reply’s HTTP header only if the host name portion of Location matches the request’s Host field, or, if the Host field does not exist, the host name portion of the request’s URI. If disabled, conversion occurs regardless of whether the host names in the request and the reply match. Default: disable
    For example, if host matching is enabled, and a request contains Host: example.com and the reply contains Location: http://example.cc/, the Location field does not match the host of the original request and the reply’s Location field remains unchanged. If the reply contains Location: http://example.com/, however, then the FortiGate unit detects the matching host name and converts the reply field to Location: https://example.com/ .
    This option appears only if ssl is half, and ssl-http-location-conversion is enable.
ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1}
    Enter the maximum version of SSL/TLS to accept in negotiation. Default: tls-1.1
    This option appears only if ssl is not off.
ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1}
    Enter the minimum version of SSL/TLS to accept in negotiation. Default: ssl-3.0
    This option appears only if ssl is not off.
ssl-send-empty-frags {enable | disable}
    Select to precede the record with empty fragments to thwart attacks on CBC IV. You might disable this option if SSL acceleration will be used with an old or buggy SSL implementation which cannot properly handle empty fragments. Default: enable
    This option appears only if ssl is not off, and applies only to SSL 3.0 and TLS 1.0.
ssl-server-session-state-max <sessionstates_int>
    Enter the maximum number of SSL session states to keep for the segment of the SSL connection between the server and the FortiGate unit. Default: 1000
    This option appears only if ssl is full.
ssl-server-session-state-timeout <timeout_int>
    Enter the number of minutes to keep the SSL session states for the segment of the SSL connection between the server and the FortiGate unit. Default: 30
    This option appears only if ssl is full.
ssl-server-session-state-type {both | count | disable | time}
    Select which method the FortiGate unit should use when deciding to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate unit. Default: both
    • both: Select to expire SSL session states when either ssl-server-session-state-max or ssl-server-session-state-timeout is exceeded, regardless of which occurs first.
    • count: Select to expire SSL session states when ssl-server-session-state-max is exceeded.
    • disable: Select to keep no SSL session states.
    • time: Select to expire SSL session states when ssl-server-session-state-timeout is exceeded.
    This option appears only if ssl is full.
type {load-balance | server-load-balance | static-nat}
    Select the type of static or dynamic NAT applied to the virtual IP. Default: static-nat
    • load-balance: Dynamic NAT load balancing with server selection from an IP address range. This option is deprecated and may be removed in future.
    • server-load-balance: Dynamic NAT load balancing with server selection from among up to eight realservers, determined by your selected load balancing algorithm and server responsiveness monitors.
    • static-nat: Static NAT.

The following commands are available only if type is server-load-balance.
realservers
    Use this command to configure destinations to be used when the virtual IP is load balanced. No default.
    This option appears only if type is server-load-balance.
<table_int>
    Enter an index number used to identify the server that you are configuring. 0 means the lowest available number. No default.
    This option appears only if type is server-load-balance.
dead-interval <seconds_int>
    Enter the interval of time that a connection can remain idle before it is dropped. A range of 10-255 seconds can be used. Default: 10
    This option is deprecated and may be removed in future. Instead, configure monitor.
healthcheck {enable | disable}
    Enable to check the responsiveness of the server before forwarding traffic. You must also configure monitor. Default: disable
ip <server_ip>
    Enter the IP address of a real server in the load balanced server cluster. Default: 0.0.0.0
monitor <healthcheck_str>
    Enter one or more names of health check monitor settings to use when performing a health check, separating each name with a space. If any of the configured health check monitors detect failures, the FortiGate unit will deem the server unresponsive, and will not forward traffic to that server. For details on configuring health check monitor settings, see “firewall ldb-monitor” on page 100. No default.
    This option appears only if healthcheck is enable.
ping-detect {enable | disable}
    Select to test the server’s responsiveness by ICMP PING. Default: disable
    This option is available only if healthcheck is enable.
port <port_int>
    Enter the port to use if port forwarding is enabled. Default: 10
wake-interval <seconds_int>
    Enter the interval of time the connection will try to detect a server before giving up. A range of 10-255 seconds can be used. Default: 10
    This option is deprecated and may be removed in future. Instead, configure monitor.
weight <loadbalanceweight_int>
    Enter the weight value of a specific server. The weight can be any value from 1 to 255. Servers with a greater weight receive a greater proportion of forwarded connections. Default: 1
    This option is available only if ldb-method is weighted.

Example
This example shows how to add a static NAT virtual IP named Web_Server that allows users on the
Internet to connect to a web server on the internal network. The internet address of the web server is
64.32.21.34 and the real IP address of the web server on the internal network is 192.168.1.44.
config firewall vip
edit Web_Server
set extintf external
set extip 64.32.21.34
set mappedip 192.168.1.44
end
This example shows how to edit the static NAT virtual IP named Web_Server to change the real IP
address of the web server on the internal network to 192.168.110.23.
config firewall vip
edit Web_Server
set mappedip 192.168.110.23
end

This example shows how to add a static NAT port forwarding virtual IP that uses port address
translation to allow external access to a web server on the internal network if there is no separate
external IP address for the web server. In this example, the IP address of the external interface is
192.168.100.99 and the real IP address of the web server on the internal network is 192.168.1.93.
config firewall vip
edit web_Server
set portforward enable
set extintf external
set extip 192.168.100.99
set extport 80
set mappedip 192.168.1.93
set mappedport 80
end
This example shows how to enter a static NAT virtual IP named Server_Range that allows Internet
users to connect to a range of 10 virtual IP addresses on the Internet and have the IP addresses in this
range mapped to a range of IP addresses on the DMZ network. The DMZ network contains 10 servers
with IP addresses from 10.10.10.20 to 10.10.10.29. The Internet IP addresses for these servers are in
the range 219.34.56.10 to 219.34.56.19. In this example you do not have to enter the external IP
address range. Instead you enter the first IP address in the external IP address range and the
FortiGate unit calculates the end of the IP address range based on the number of IP addresses
defined by the mapped IP address range. Also in the example, port2 is connected to the Internet.
config firewall vip
edit Server_Range
set extintf port2
set extip 219.34.56.10
set mappedip 10.10.10.20-10.10.10.29
end
This example shows how to enter a load balancing virtual IP named Ext_Load_Balance that allows
Internet users to connect to a single virtual IP address on the Internet and have that IP address
mapped to a range of IP addresses on the network connected to port5. You might use a configuration
such as this to load balance connections from the internet to an internal server farm. In the example
the Internet is connected to port2 and the virtual IP address is 67.34.56.90 and the IP address range
on the network connected to port5 is 172.20.120.10 to 172.20.120.30.
config firewall vip
edit Ext_Load_Balance
set type load-balance
set extintf port2
set extip 67.34.56.90
set mappedip 172.20.120.10-172.20.120.30
end
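The static NAT examples above, as an added Python model that is not code from this reference or from FortiOS: it derives the external address range from the first extip and the size of the mappedip range, applies the 1:1 address offset, and applies port forwarding; class and function names are hypothetical, and the range check rejects an inverted mappedip before it reaches the unit.

```python
"""Added model of static NAT virtual IP translation. Not code from the FortiGate
CLI Reference or FortiOS; class and function names are hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IPv4 = ipaddress.IPv4Address


def parse_mappedip(text: str) -> Tuple[IPv4, IPv4]:
    """Accept 'a.b.c.d' or 'a.b.c.d-w.x.y.z', as mappedip does, and return (first, last).
    An inverted range is rejected here rather than silently configured."""
    first, _, last = text.partition("-")
    lo = IPv4(first.strip())
    hi = IPv4(last.strip()) if last else lo
    if hi < lo:
        raise ValueError(f"mappedip range end {hi} precedes start {lo}")
    return lo, hi


@dataclass(frozen=True)
class StaticNatVip:
    name: str
    extintf: str
    extip: str          # only the first external address is entered
    mappedip: str       # single address or 'start-end'
    portforward: bool = False
    extport: int = 0
    mappedport: int = 0

    def mapped_range(self) -> Tuple[IPv4, IPv4]:
        return parse_mappedip(self.mappedip)

    def external_range(self) -> Tuple[IPv4, IPv4]:
        """The unit derives the end of the external range from the mapped range size."""
        lo, hi = self.mapped_range()
        start = IPv4(self.extip)
        return start, start + (int(hi) - int(lo))

    def translate(self, ingress_intf: str, dst_ip: str,
                  dst_port: int) -> Optional[Tuple[str, int]]:
        """Return (mapped_ip, mapped_port) for a packet arriving on ingress_intf
        for dst_ip:dst_port, or None when this VIP does not apply to it."""
        if ingress_intf != self.extintf:
            return None
        ext_lo, ext_hi = self.external_range()
        dst = IPv4(dst_ip)
        if not ext_lo <= dst <= ext_hi:
            return None
        if self.portforward and dst_port != self.extport:
            return None
        map_lo, _ = self.mapped_range()
        mapped_ip = map_lo + (int(dst) - int(ext_lo))   # 1:1 offset into the mapped range
        mapped_port = self.mappedport if self.portforward else dst_port
        return str(mapped_ip), mapped_port


# The Server_Range and port-forwarding VIPs from the examples above.
SERVER_RANGE = StaticNatVip("Server_Range", "port2", "219.34.56.10",
                            "10.10.10.20-10.10.10.29")
WEB_PAT = StaticNatVip("web_Server", "external", "192.168.100.99", "192.168.1.93",
                       portforward=True, extport=80, mappedport=80)

if __name__ == "__main__":
    lo, hi = SERVER_RANGE.external_range()
    print(f"{SERVER_RANGE.name}: external {lo}-{hi}")
    for ip in ("219.34.56.10", "219.34.56.19", "219.34.56.20"):
        print(ip, "->", SERVER_RANGE.translate("port2", ip, 22))
    print(WEB_PAT.translate("external", "192.168.100.99", 80))
```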

History

FortiOS v2.80 Revised.
FortiOS v3.00 Revised.
FortiOS v3.00 Added server-load-balance to set type.
FortiOS v3.0 MR4 Added the following commands and options: config realserver.
FortiOS v3.0 MR5 extintf <name_str> variable now accepts modem interface names. Formerly, it accepted a network interface, VLAN subinterface, or IPSec VPN virtual interface.

FortiOS v3.0 MR6 New variables monitor and healthcheck. Enables health checking for real servers and specifies which of the health check settings to use.
FortiOS v3.0 MR6 New variables:
• ssl, ssl-certificate
• ssl-client-session-state-max
• ssl-client-session-state-timeout
• ssl-client-session-state-type
• ssl-dh-bits
• ssl-http-location-conversion
• ssl-http-match-host
• ssl-max-version
• ssl-min-version
• ssl-send-empty-frags
• ssl-server-session-state-max
• ssl-server-session-state-timeout
• ssl-server-session-state-type
Enables SSL acceleration by offloading SSL operations from the destination to the FortiGate unit, and configures various aspects of the offloading, including to which segment(s) of the connection the FortiGate unit will apply SSL, and what encryption strength and other options to use.
FortiOS v3.0 MR6 New variable max-embryonic-connections. Specifies the maximum number of partially established SSL or HTTP connections when the virtual IP is performing HTTP multiplexing or SSL offloading.
FortiOS v3.0 MR6 New variable http. Enables multiplexing of port forwarded HTTP connections into a few connections to the destination.
FortiOS v3.0 MR6 New variable http-ip-header. Preserves the original client’s IP address in the X-Forwarded-For HTTP header line when using HTTP multiplexing.

Related topics
• firewall policy, policy6
• firewall ldb-monitor
• vipgrp

vipgrp
You can create virtual IP groups to facilitate firewall policy traffic control. For example, on the DMZ
interface, if you have two email servers that use Virtual IP mapping, you can put these two VIPs into
one VIP group and create one external-to-DMZ policy, instead of two policies, to control the traffic.
Firewall policies using VIP Groups are matched by comparing both the member VIP IP address(es)
and port number(s).

Syntax
config firewall vipgrp
edit <name_str>
set interface <name_str>
set member <virtualip_str>
end
Keywords and variables

<name_str>
Enter the name of the virtual IP group.
Default: No default.

interface <name_str>
Enter the name of the interface to which the virtual IP group will be bound.
Default: No default.

member <virtualip_str>
Enter one or more virtual IPs that will comprise the virtual IP group.
Default: No default.

Example
config firewall vipgrp
edit group_one
set interface internal
set member vipone viptwo vipthree
end

History

FortiOS v3.0 MR4 Command vipgrp added.

Related topics
• firewall policy, policy6
• vip

gui
This chapter covers the commands to restore web-based manager CLI console and topology viewer.
This chapter contains the following sections:

console
topology

FortiGate CLI Version 3.0 MR6 Reference


01-30006-0015-20080205 165
console gui

console
Use this command to configure the web-based manager CLI console.

Syntax
config gui console
set preferences <filedata>
end
To obtain base-64 encoded data from a configured CLI console, use:
show gui console

Variables

preferences <filedata>
Base64-encoded file to upload containing the commands to set up the CLI console GUI on the FortiGate unit.

Example
This example shows how to upload the preferences file (pref-file) containing the commands to set up the CLI console GUI on the FortiGate unit.
config gui console
set preferences pref-file
end

History

FortiOS v3.00 MR5 New.

topology
Use this command to configure the web-based manager topology viewer.

Syntax
config gui topology
set background-image <filedatabackground>
set database <filedatabase>
set preferences <filedatapref>
end
To obtain base-64 encoded data from a configured topology viewer, use:
show gui topology

Variables

background-image <filedatabackground>
Base64-encoded file to upload containing the commands to set up the background image of the web-based manager topology viewer.

database <filedatabase>
Base64-encoded file to upload containing the data used to set up the web-based manager topology viewer.

preferences <filedatapref>
Base64-encoded file to upload containing the commands to set the preferences of the web-based manager topology viewer.

Example
This example shows how to upload the data file (topguifile) containing commands to set up the
topology GUI on the FortiGate unit and the background image (backgroundfile).
config gui topology
set preferences topguifile
set background-image backgroundfile
end

History

FortiOS v3.00 MR5 New.

imp2p
Use imp2p commands to configure user access to Instant Messaging and Person-to-Person
applications, and to configure a global policy for unknown users who might use these applications.
This chapter contains the following sections:

aim-user
icq-user
msn-user
old-version
policy
yahoo-user

aim-user
Use this command to permit or deny a specific user the use of AOL Instant Messenger.

Syntax
config imp2p aim-user
edit <name_str>
set action {permit | deny}
end

Keywords and variables

name_str
The name of the AIM user.

action {permit | deny}
Permit or deny the use of AOL Instant Messenger by this user.
Default: deny

Example
This example shows how to add user_1 and permit the user to use the AIM protocol if the policy is set
to allow AOL Instant Messenger.
config imp2p aim-user
edit user_1
set action permit
end

History

FortiOS v3.0 New

Related topics
• imp2p icq-user
• imp2p msn-user
• imp2p old-version
• imp2p policy
• imp2p yahoo-user

icq-user
Use this command to permit or deny a specific user the use of ICQ Instant Messenger.

Syntax
config imp2p icq-user
edit <name_str>
set action {permit | deny}
end

Keywords and variables

name_str
The name of the ICQ user.

action {permit | deny}
Permit or deny the use of the ICQ Instant Messenger by this user.
Default: deny

Example
This example shows how to add user_1 and permit the user to use the ICQ protocol if the policy is set
to allow ICQ Instant Messenger.
config imp2p icq-user
edit user_1
set action permit
end

History

FortiOS v3.0 New

Related topics
• imp2p aim-user
• imp2p msn-user
• imp2p old-version
• imp2p policy
• imp2p yahoo-user

msn-user
Use this command to permit or deny a specific user the use of MSN Messenger.

Syntax
config imp2p msn-user
edit <name_str>
set action {permit | deny}
end

Keywords and variables

name_str
The name of the MSN user.

action {permit | deny}
Permit or deny the use of MSN Messenger by this user.
Default: deny

Example
This example shows how to add user_1 and permit the user to use the MSN protocol if the policy is set
to allow MSN Messenger.
config imp2p msn-user
edit user_1
set action permit
end

History

FortiOS v3.0 New

Related topics
• imp2p aim-user
• imp2p icq-user
• imp2p old-version
• imp2p policy
• imp2p yahoo-user

old-version
Some older versions of IM protocols are able to bypass file blocking because the message types are
not recognized. The following command provides the option to disable these older IM protocol
versions. Supported IM protocols include:
• MSN 6.0 and above
• ICQ 4.0 and above
• AIM 5.0 and above
• Yahoo 6.0 and above

Syntax
config imp2p old-version
set aim {block | best-effort}
set icq {block | best-effort}
set msn {block | best-effort}
set yahoo {block | best-effort}
end
Keywords and variables

aim {block | best-effort}
Enter block to block the session if the version is too old. Enter best-effort to inspect the session based on the policy.
Default: block

icq {block | best-effort}
Enter block to block the session if the version is too old. Enter best-effort to inspect the session based on the policy.
Default: block

msn {block | best-effort}
Enter block to block the session if the version is too old. Enter best-effort to inspect the session based on the policy.
Default: block

yahoo {block | best-effort}
Enter block to block the session if the version is too old. Enter best-effort to inspect the session based on the policy.
Default: block

Example
This example shows how to block older versions of MSN Messenger and inspect older versions of
Yahoo Messenger.
config imp2p old-version
set msn block
set yahoo best-effort
end

History

FortiOS v3.0 New

Related topics
• imp2p aim-user
• imp2p icq-user
• imp2p msn-user
• imp2p policy
• imp2p yahoo-user

policy
Use this command to create a global policy for instant messenger applications. If an unknown user
attempts to use one of the applications, the user can either be permitted use and added to a white list,
or be denied use and added to a black list.

Syntax
config imp2p policy
set aim {allow | deny}
set icq {allow | deny}
set msn {allow | deny}
set yahoo {allow | deny}
end
Keywords and variables

aim {allow | deny}
Allow an unknown user and add the user to the white list. Deny an unknown user and add the user to the black list.
Default: deny

icq {allow | deny}
Allow an unknown user and add the user to the white list. Deny an unknown user and add the user to the black list.
Default: deny

msn {allow | deny}
Allow an unknown user and add the user to the white list. Deny an unknown user and add the user to the black list.
Default: deny

yahoo {allow | deny}
Allow an unknown user and add the user to the white list. Deny an unknown user and add the user to the black list.
Default: deny

Example
This example shows how to configure the IM/P2P policy to allow AOL Instant Messenger, MSN
Messenger, and Yahoo Messenger but deny ICQ Instant Messenger.
config imp2p policy
set aim allow
set msn allow
set icq deny
set yahoo allow
end

History

FortiOS v3.0 New

Related topics
• imp2p aim-user
• imp2p icq-user
• imp2p msn-user
• imp2p old-version
• imp2p yahoo-user

yahoo-user
Use this command to permit or deny a specific user the use of Yahoo Messenger.

Syntax
config imp2p yahoo-user
edit <name_str>
set action {permit | deny}
end

Keywords and variables

name_str
The name of the Yahoo user.

action {permit | deny}
Permit or deny the use of Yahoo Messenger by this user.
Default: deny

Example
This example shows how to add user_1 and permit the user to use the Yahoo protocol if the policy is
set to allow Yahoo Messenger.
config imp2p yahoo-user
edit user_1
set action permit
end

History

FortiOS v3.0 New

Related topics
• imp2p aim-user
• imp2p icq-user
• imp2p msn-user
• imp2p old-version
• imp2p policy

ips
Use ips commands to configure IPS sensors to define which signatures are used to examine traffic and what actions are taken when matches are discovered. DoS sensors can also be defined to examine traffic for anomalies.
This chapter contains the following sections:

DoS
custom
decoder
global
rule
sensor
Note: If the IPS test can’t find the destination MAC address, the peer interface will be used. To ensure
packets get IPS inspection, there must be a Peer Interface. Both interfaces must be in the same VDOM,
and one interface cannot be both the peer and original interface. For information on how to set the Peer
Interface see “interface” on page 373.

DoS
FortiGate Intrusion Protection uses Denial of Service (DoS) sensors to identify network traffic
anomalies that do not fit known or preset traffic patterns. Four statistical anomaly types for the TCP,
UDP, and ICMP protocols can be identified.

Flooding: If the number of sessions targeting a single destination in one second is over a threshold, the destination is experiencing flooding.
Scan: If the number of sessions from a single source in one second is over a threshold, the source is scanning.
Source session limit: If the number of concurrent sessions from a single source is over a threshold, the source session limit is reached.
Destination session limit: If the number of concurrent sessions to a single destination is over a threshold, the destination session limit is reached.

Enable or disable logging for each anomaly, and select the action taken in response to detecting an
anomaly. Configure the anomaly thresholds to detect traffic patterns that could represent an attack.

Note: It is important to estimate the normal and expected traffic on the network before changing the default
anomaly thresholds. Setting the thresholds too low could cause false positives, and setting the thresholds too high
could allow some attacks.

The list of anomalies can be updated only when the FortiGate firmware image is upgraded.
config limit
Access the config limit subcommand using the config ips anomaly <name_str>
command. Use this command for session control based on source and destination network address.
This command is available for tcp_src_session, tcp_dst_session, icmp_src_session,
icmp_dst_session, udp_src_session, udp_dst_session.
The default entry cannot be edited. Addresses are matched from more specific to more general. For
example, if thresholds are defined for 192.168.100.0/24 and 192.168.0.0/16, the address with the 24
bit netmask is matched before the entry with the 16 bit netmask.

Syntax
config ips DoS
    edit <sensor_int>
        config address
            edit <address_int>
                set dst-ip <dst_ipv4mask>
                set dst-port <dstport_int>
                set src-ip <src_ipv4mask>
            end
        config anomaly
            edit <anomaly_str>
                set status {enable | disable}
                set log {enable | disable}
                set action {block | pass}
                set threshold <threshold_int>
            end
        set comment <comment_str>
        set name <name_str>
        set status {disable | enable}
    end

Keywords and variables

sensor_int
The DoS sensor number. Enter ‘?’ to display a list of sensor numbers. Enter an unused number to create a new sensor.

address_int
Enter the protected address integer. This is an ID number used to reference a specified protected address source/destination/port combination.

dst-ip <dst_ipv4mask>
Enter the destination IP address and subnet to which this sensor will apply. The default is all addresses.
Default: 0.0.0.0 0.0.0.0

dst-port <dstport_int>
Enter the destination port to which this sensor will apply. The default is all ports.
Default: 0

src-ip <src_ipv4mask>
Enter the source IP address and subnet to which this sensor will apply. The default is all addresses.
Default: 0.0.0.0 0.0.0.0

anomaly_str
Enter the name of the anomaly you want to configure. Display a list of the available anomaly types by entering ‘?’.

status {enable | disable}
Enable or disable the specified anomaly in the current DoS sensor.
Default: disable

log {enable | disable}
Enable or disable logging of the specified anomaly in the current DoS sensor.
Default: enable

action {block | pass}
Pass or block traffic in which the specified anomaly is detected.
Default: pass

threshold <threshold_int>
Enter the number of times the specified anomaly must be detected in network traffic before the action is triggered.
Default: varies by anomaly

comment <comment_str>
Enter a description of the DoS sensor. This will be displayed in the DoS sensor list. Descriptions with spaces must be enclosed in quotation marks.

name <name_str>
Enter a name for the DoS sensor. This will be displayed in the DoS sensor list. Names with spaces must be enclosed in quotation marks.

status {disable | enable}
Enable or disable the current DoS sensor.
Default: disable

Example
This example shows how to create a DoS sensor, name it, and enable blocking of the udp_flood
anomaly with the default threshold.
config ips DoS
    edit 12
        set name test
        set comment "This is for test"
        config anomaly
            edit udp_flood
                set action block
                set status enable
            end
    end
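An added Python model, not code from this reference or from FortiOS, of how the DoS sensor pieces above combine: the address entries scope which sessions the sensor sees, each enabled anomaly counts sessions the way its type is described at the top of this section, and the sensor's own status must be enable before anything fires, which the example above leaves at its default of disable. Only anomaly names that appear on this page are supported; the session record format, the constructed traffic and the helper names are assumptions.

```python
"""Added model of a DoS sensor's scope, anomalies and status over constructed
sessions. Not code from the FortiGate CLI Reference or FortiOS."""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Session:
    t: int        # start time in whole seconds (constructed)
    proto: str    # tcp | udp | icmp
    src: str
    dst: str
    dport: int


@dataclass
class Anomaly:
    # Table defaults: status disable, log enable, action pass; threshold varies.
    threshold: int
    status: str = "disable"
    log: str = "enable"
    action: str = "pass"


@dataclass
class AddressEntry:
    # 0.0.0.0 (written 0.0.0.0/0 here) and port 0 mean "all", as the table states.
    dst_ip: str = "0.0.0.0/0"
    dst_port: int = 0
    src_ip: str = "0.0.0.0/0"

    def covers(self, s: Session) -> bool:
        src, dst = ipaddress.ip_address(s.src), ipaddress.ip_address(s.dst)
        return (src in ipaddress.ip_network(self.src_ip, strict=False)
                and dst in ipaddress.ip_network(self.dst_ip, strict=False)
                and self.dst_port in (0, s.dport))


@dataclass
class DosSensor:
    name: str
    status: str = "disable"        # table default: a new sensor is disabled
    addresses: List[AddressEntry] = field(default_factory=list)
    anomalies: Dict[str, Anomaly] = field(default_factory=dict)

    def in_scope(self, s: Session) -> bool:
        return not self.addresses or any(a.covers(s) for a in self.addresses)


def _subject(name: str, s: Session):
    """What an anomaly counts: flood = sessions to one destination in one second;
    src/dst_session = concurrent sessions per source or per destination (every
    record here is treated as an open session). None = wrong protocol."""
    proto, kind = name.split("_", 1)
    if s.proto != proto:
        return None
    if kind == "flood":
        return (s.dst, s.t)
    if kind == "src_session":
        return s.src
    if kind == "dst_session":
        return s.dst
    raise ValueError(f"unsupported anomaly {name}")


def evaluate(sensor: DosSensor, sessions: List[Session]) -> Dict[Tuple[str, object], Tuple[int, str]]:
    """Return {(anomaly, subject): (count, action)} for each enabled anomaly whose
    threshold is exceeded ("over a threshold") by in-scope sessions."""
    if sensor.status != "enable":
        return {}
    scoped = [s for s in sessions if sensor.in_scope(s)]
    hits = {}
    for name, anomaly in sensor.anomalies.items():
        if anomaly.status != "enable":
            continue
        counts = Counter(k for k in (_subject(name, s) for s in scoped) if k is not None)
        for subject, n in counts.items():
            if n > anomaly.threshold:
                hits[(name, subject)] = (n, anomaly.action)
    return hits


# Constructed sensor in the spirit of the example above, with status enabled.
SENSOR = DosSensor(
    name="test", status="enable",
    addresses=[AddressEntry(dst_ip="10.0.0.0/24")],
    anomalies={
        "udp_flood": Anomaly(threshold=3, status="enable", action="block"),
        "tcp_src_session": Anomaly(threshold=2, status="enable", action="pass"),
        "udp_dst_session": Anomaly(threshold=100),   # left at default: disabled
    },
)
# Constructed traffic: a UDP burst to 10.0.0.5, one TCP source opening three
# sessions, and a larger UDP burst to a host outside the sensor's address scope.
TRAFFIC = [Session(10, "udp", f"198.51.100.{i}", "10.0.0.5", 53) for i in range(1, 6)]
TRAFFIC += [Session(11, "tcp", "192.0.2.7", "10.0.0.8", p) for p in (80, 443, 8080)]
TRAFFIC += [Session(10, "udp", f"203.0.113.{i}", "172.16.0.9", 53) for i in range(1, 9)]

if __name__ == "__main__":
    for (name, subject), (n, action) in sorted(evaluate(SENSOR, TRAFFIC).items(), key=str):
        print(f"{name}: {subject} count={n} action={action}")
```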

History

FortiOS v2.80 Substantially revised.
FortiOS v3.0 Added severity, default-action, and default-severity.
FortiOS v3.0 MR5 Under the config limit command, set ipaddress was removed. dst-ip, service, and src-ip commands were added.
FortiOS v3.0 MR6 Completely revised. Anomalies now defined in DoS sensors allowing the creation of multiple sensors to tailor behavior depending on traffic source, destination, and port, if required.

Related topics
• ips custom
• ips global
• ips fail-open {enable | disable}

custom
Create custom IPS signatures and add them to IPS sensors.
Custom signatures provide the power and flexibility to customize FortiGate Intrusion Protection for
diverse network environments. The FortiGate predefined signatures cover common attacks. If an
unusual or specialized application or an uncommon platform is being used, add custom signatures
based on the security alerts released by the application and platform vendors.
Use custom signatures to block or allow specific traffic.
The custom signature settings are configured when it is defined as a signature override in an IPS
sensor. This way, a single custom signature can be used in multiple sensors with different settings in
each. See “ips sensor” on page 186 for details.
For more information on custom signature syntax see the FortiGate IPS Custom Signatures Technical
Bulletin.

Note: Custom signatures are an advanced feature. This document assumes the user has previous experience
writing intrusion detection signatures.

Syntax
config ips custom
edit <sig_str>
set signature <signature_str>
end
Keywords and variables

sig_str
The name of the custom signature.

signature <signature_str>
Enter the custom signature. The signature must be enclosed in single quotes.
Default: No default.

Example
This example shows how to add a custom signature.
config ips custom
edit bad_things
set signature 'F-SBID (--protocol tcp; --flow bi_direction; --pattern "nude cheerleader"; --no_case)'
end
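An added Python parser, not code from this reference or from the FortiGate IPS Custom Signatures Technical Bulletin, for the F-SBID signature string shown above: it splits the string into its options and then applies --pattern with --no_case to a constructed payload, so a signature's matching behaviour can be checked before it is loaded into a sensor. The format rules it assumes (options start with --, are separated by semicolons, and take an optional bare or double-quoted value) are inferred from this one example.

```python
"""Added parser for the F-SBID custom signature string shown above. Not code from
the FortiGate CLI Reference; the format rules are inferred from that one example."""
import re
from typing import Dict, Union

Options = Dict[str, Union[str, bool]]

# --name, optionally followed by a double-quoted or a bare value.
_OPTION = re.compile(r'--(\w+)(?:\s+(?:"([^"]*)"|([^;]+)))?')
# Semicolons outside double quotes separate options.
_SEP = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_fsbid(signature: str) -> Options:
    """Turn 'F-SBID (--k v; --flag; ...)' into {option: value or True}."""
    body = signature.strip()
    if not body.startswith("F-SBID"):
        raise ValueError("signature must start with F-SBID")
    body = body[len("F-SBID"):].strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("options must be enclosed in parentheses")
    opts: Options = {}
    for item in _SEP.split(body[1:-1]):
        item = item.strip()
        if not item:
            continue
        m = _OPTION.fullmatch(item)
        if m is None:
            raise ValueError(f"malformed option: {item!r}")
        name, quoted, bare = m.groups()
        opts[name] = quoted if quoted is not None else (bare.strip() if bare else True)
    return opts


def payload_matches(opts: Options, payload: bytes) -> bool:
    """Apply --pattern to a payload, ignoring case when --no_case is set."""
    pattern = opts.get("pattern")
    if not isinstance(pattern, str):
        raise ValueError("signature has no --pattern")
    needle = pattern.encode()
    if opts.get("no_case"):
        return needle.lower() in payload.lower()
    return needle in payload


# The bad_things signature from the example above.
BAD_THINGS = ('F-SBID (--protocol tcp; --flow bi_direction; '
              '--pattern "nude cheerleader"; --no_case)')

if __name__ == "__main__":
    parsed = parse_fsbid(BAD_THINGS)
    print(parsed)
    # Constructed payload; --no_case is what makes the mixed-case text match.
    print(payload_matches(parsed, b"GET /NUDE Cheerleader HTTP/1.0"))
```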

History

FortiOS v2.80 Substantially revised.
FortiOS v3.0 MR6 Removed all options except signature. Other settings are configured when specifying the signature in a signature override.

Related topics
• ips global
• execute backup
• execute restore
• ips fail-open {enable | disable}

decoder
The Intrusion Protection system looks for certain types of traffic on specific ports. Using the decoder command, you can change the ports if your configuration uses non-standard ports.

Syntax
config ips decoder
edit <decoder_str>
set port_list <port_int>
end
Keywords and variables

decoder_str
Enter the name of the decoder. Enter ‘?’ for a list.

port_list <port_int>
Enter the ports which the decoder will examine. Multiple ports can be specified by separating them with commas and enclosing the list in quotes.
Default: varies by decoder

Example
This example shows how to modify the dns_decoder to examine ports 1, 2, and 3 instead of the default 53.
config ips decoder
edit dns_decoder
set port_list "1,2,3"
end

global
Use this command to ignore sessions after a set amount of traffic has passed.

Syntax
config ips global
set anomaly-mode {continuous | periodical}
set engine-count <integer>
set fail-open {enable | disable}
set ignore-session-bytes <byte_integer>
set session-limit-mode {accurate | heuristic}
set socket-size <ips_buffer_size>
set traffic-submit {enable | disable}
end
Keywords and variables

anomaly-mode {continuous | periodical}
Enter continuous to start blocking packets once an attack starts. Enter periodical to allow the configured number of packets per second.
Default: continuous

engine-count <integer>
Enter the number of intrusion protection engines to run. Multi-processor FortiGate units can more efficiently process traffic with multiple engines running. When set to the default value of 0, the FortiGate unit determines the optimal number of intrusion protection engines to run.
Default: 0

fail-open {enable | disable}
If for any reason the IPS should cease to function, it will fail open by default. This means that crucial network traffic will not be blocked and the Firewall will continue to operate while the problem is resolved.
Default: enable

ignore-session-bytes <byte_integer>
Set the number of bytes after which the session is ignored.
Default: 204800

session-limit-mode {accurate | heuristic}
Enter accurate to accurately count the concurrent sessions. This option demands more resources. Enter heuristic to heuristically count the concurrent sessions.
Default: heuristic

socket-size <ips_buffer_size>
Set the intrusion protection buffer size. The default value is correct in most cases.
Default: model-dependent

traffic-submit {enable | disable}
Submit attack characteristics to the FortiGuard Service.
Default: disable

Example
This example shows how to set intrusion protection to ignore sessions after 204800 bytes.
config ips global
set ignore-session-bytes 204800
end

This example shows how to see the current configuration of ips global.
# get ips global
anomaly-mode : continuous
engine-count : 0
fail-open : enable
ignore-session-bytes: 204800
session-limit-mode : heuristic
socket-size : 8 (MB)
traffic-submit : disable

History

FortiOS v3.0 New.


FortiOS v3.0 MR4 Merged get ips global including example.
FortiOS v3.0 MR6 Removed the ip-protocol option.

Related topics
• execute backup
• execute restore
• ips fail-open {enable | disable}

rule
The IPS sensors use signatures to detect attacks. These signatures can be listed with the rule command. Details about the default settings of each signature can also be displayed.

Syntax
config ips rule <rule_str>
get
Keywords and variables

rule_str
Enter the name of a signature. For a complete list of the predefined signatures, enter ‘?’ instead of a signature name.

Example
This example shows how to display the current configuration of the Apache.Long.Header.DoS
signature.
# config ips rule Apache.Long.Header.DoS
(Apache.Long.He~d) # get
name : Apache.Long.Header.DoS
status : enable
log : enable
log-packet : disable
action : pass
group : web_server
severity : medium
location : server
os : Windows, Linux, BSD, Solaris
application : Apache
service : TCP, HTTP
rule-id : 11206
rev : 2.450
end

sensor
The IPS sensors use signatures to detect attacks. IPS sensors are made up of filters and override
rules. Each filter specifies a number of signature attributes and all signatures matching all the specified
attributes are included in the filter. Override rules allow you to override the settings of individual
signatures.

Syntax
config ips sensor
    edit <sensor_str>
        config filter
            edit <filter_str>
                set location {all | client | server}
                set severity {all | info low medium high critical}
                set protocol <protocol_str>
                set os {all | other windows linux bsd solaris macos}
                set application <app_str>
                set status {default | enable | disable}
                set log {default | enable | disable}
                set action {block | default | pass | reject}
            end
        config override
            edit <override_int>
                config exempt-ip
                    edit <exempt_int>
                        set dst-ip <dest_ipv4mask>
                        set src-ip <source_ipv4mask>
                    end
                set action {block | pass | reset}
                set log {disable | enable}
                set log-packet {disable | enable}
                set status {disable | enable}
            end
        set comment <comment_str>
    end
Keywords and variables

sensor_str
Enter the name of an IPS sensor. For a list of the IPS sensors, enter ‘?’ instead of an IPS sensor name. Enter a new name to create a sensor.

filter_str
Enter the name of a filter. For a list of the filters in the IPS sensor, enter ‘?’ instead of a filter name. Enter a new name to create a filter.

location {all | client | server}
Specify the type of system to be protected.
• client selects signatures for attacks against client computers.
• server selects signatures for attacks against servers.
• all selects both client and server signatures.
Default: all

severity {all | info low medium high critical}
Specify the severity level or levels. Specify all to include all severity levels.
Default: all

protocol <protocol_str>
Specify the protocols to be examined. Enter ‘?’ to display a list of the available protocols. All will include all protocols. Other will include all unlisted protocols.
Default: all

os {all | other windows linux bsd solaris macos}
Specify the operating systems to be protected. All will include all operating systems. Other will include all unlisted operating systems.
Default: all

application <app_str>
Specify the applications to be protected. Enter ‘?’ to display a list of the available applications. All will include all applications. Other will include all unlisted applications.
Default: all

status {default | enable | disable}
Specify the status of the signatures included in the filter.
• enable will enable the filter.
• disable will disable the filter.
• default will enable the filter and only use the filters with a default status of enable. Filters with a default status of disable will not be used.
Default: default

log {default | enable | disable}
Specify the logging status of the signatures included in the filter.
• enable will enable logging.
• disable will disable logging.
• default will enable logging for only the filters with a default logging status of enable. Filters with a default logging status of disable will not be logged.
Default: default

action {block | default | pass | reject}
Specify what action is taken with traffic in which signatures are detected.
• block will drop the session with the offending traffic.
• default will use the default signature action.
• pass will allow the traffic.
• reject will reset the session.
Default: default

override_int
Enter the rule ID of an override filter. The rule ID is the number assigned to a filter, pre-defined or custom, and it specifies which filter is being overridden. For a list of the currently defined overrides, enter ‘?’ instead of a rule ID.
Rule IDs are an attribute of every signature. Use the config ips rule command to list the signatures or view them in the GUI.

exempt_int
Each override can apply to any number of source addresses, destination addresses, or source/destination pairs. The addresses are referenced by exempt_id values.

dst-ip <dest_ipv4mask>
Enter the destination IP address and subnet to which this sensor will apply. The default is all addresses.
Default: 0.0.0.0 0.0.0.0

src-ip <source_ipv4mask>
Enter the source IP address and subnet to which this sensor will apply. The default is all addresses.
Default: 0.0.0.0 0.0.0.0

action {block | pass | reset}
Specify the action to be taken for this override.
• block will drop the session.
• pass will allow the traffic.
• reset will reset the session.
Default: pass

log {disable | enable}
Specify whether the log should record when the override occurs.
Default: disable

log-packet {disable | enable}
When enabled, packet logging will save the packet that triggers the override. You can download the packets in pcap format for diagnostic use. This feature is only available in FortiGate units with internal hard drives.
Default: disable

status {disable | enable}
Enable or disable the override.
Default: disable

comment <comment_str>
Enter a description of the IPS sensor. This description will appear in the IPS sensor list. Descriptions with spaces must be enclosed in quotes.

FortiGate CLI Version 3.0 MR6 Reference


01-30006-0015-20080205 187

Example
This example shows how to create an IPS sensor containing a filter that includes all signatures to
protect against Windows server attacks.
config ips sensor
edit dept_srv
set comment "Department file servers"
config filter
edit win_srv
set location server
set os windows
set action block
end
end

History

FortiOS v3.0 MR6 New.


log
Use the config log commands to set the logging type, the logging severity level, and the logging
location for the FortiGate unit.

Note: In Transparent mode, certain log settings and options may not be available because certain
features do not support logging or are not available in this mode. For example, SSL VPN events are not
available in Transparent mode.

custom-field
{disk | fortianalyzer | memory | syslogd | webtrends |
fortiguard} filter
disk setting
fortianalyzer setting
fortiguard setting
memory setting
memory global setting
report customization
report definition
report filter
report output
report period
report schedule
report scope
report selection
report summary-layout
syslogd setting
trafficfilter
webtrends setting


custom-field
Use the following command to customize the log fields with a name and/or value. The custom name
and/or value will appear in the log message.

Syntax
config log custom-field
edit id <integer>
set name <name>
set value <integer>
end
Keywords and variables (default shown in parentheses)
id <integer>
    Enter the identification number for the log field. (No default)
name <name>
    Enter a name to identify the log. (No default)
value <integer>
    Enter a firewall policy number to associate a firewall policy with the logs. (No default)

Example
This example shows how to configure customized log fields for a company's branch offices, each associated with a specific firewall policy.
config log custom-field
edit 1
set name company_branch1
set value 2
next
edit 2
set name company_branch2
set value 4
next
edit 3
set name company_branch3
set value 5
end

History

FortiOS v3.0 MR6 New.

Related topics
• {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter


{disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
Use this command to configure log filter options. Log filters define the types of log messages sent to
each log location. Use the ? command to view each filter setting since not all filter settings display for
each device.
Filter settings include commands for multiple Syslog servers or multiple FortiAnalyzer units. For
example, config log fortianalyzer2 filter. See “fortianalyzer setting” on page 199 for more
information about configuring multiple FortiAnalyzer units, and “syslogd setting” on page 216 for more
information about configuring multiple Syslog servers.
When enabling filter settings for VoIP, also enable VoIP settings in a protection profile. VoIP calls
cannot be properly logged unless both filter and protection profile settings for VoIP are enabled. See
“firewall” on page 81 about enabling VoIP settings in a protection profile.
Filter settings for fortiguard are only available when FortiGuard Analysis Services is enabled. Filter
settings for disk are only available on FortiGate units with hard disks. FortiGuard Log & Analysis was
renamed to FortiGuard Analysis Services for FortiOS 3.0 MR5.

Syntax
config log {disk | fortianalyzer | memory | syslogd | webtrends |
fortiguard} filter
set admin {disable | enable}
set allowed {disable | enable}
set anomaly {disable | enable}
set attack {disable | enable}
set auth {disable | enable}
set blocked {disable | enable}
set dhcp {disable | enable}
set email {disable | enable}
set email-log-imap {disable | enable}
set email-log-pop3 {disable | enable}
set email-log-smtp {disable | enable}
set event {disable | enable}
set ha {disable | enable}
set ftgd-wf-block {disable | enable}
set ftgd-wf-errors {disable | enable}
set gtp {disable | enable} (FortiOS Carrier)
set im {disable | enable}
set im-all {disable | enable}
set infected {disable | enable}
set ipsec {disable | enable}
set msisdn-bwl {disable | enable} (FortiOS Carrier)
set other-traffic {disable | enable}
set oversized {disable | enable}
set pattern {disable | enable}
set ppp {disable | enable}
set severity {alert | critical | debug | emergency | error |
information | notification | warning}
set signature {disable | enable}
set sslvpn-log-adm {disable | enable}
set sslvpn-log-auth {disable | enable}

set sslvpn-log-session {disable | enable}
set system {disable | enable}
set traffic {disable | enable}
set url-filter {disable | enable}
set violation {disable | enable}
set virus {disable | enable}
set voip {disable | enable}
set voip-all {disable | enable}
set web {disable | enable}
set web-content {disable | enable}
set web-filter-activex {disable | enable}
set web-filter-applet {disable | enable}
set web-filter-cookie {disable | enable}
end
Keywords and variables (default shown in parentheses)
admin {disable | enable}
    Enable or disable logging all administrative events, such as user logins, resets, and configuration updates in the event log. This keyword is available when event is enabled. (Default: enable)
allowed {disable | enable}
    Enable or disable logging all traffic that is allowed according to the firewall policy settings in the traffic log. This keyword is available when traffic is enabled. (Default: enable)
anomaly {disable | enable}
    Enable or disable logging all detected and prevented attacks based on unknown or suspicious traffic patterns, and the action taken by the FortiGate unit in the attack log. This keyword is available when attack is enabled. (Default: enable)
attack {disable | enable}
    Enable or disable the attack log. (Default: enable)
auth {disable | enable}
    Enable or disable logging all firewall-related events, such as user authentication, in the event log. This keyword is available when event is enabled. (Default: enable)
blocked {disable | enable}
    Enable or disable logging all instances of blocked files. (Default: enable)
dhcp {disable | enable}
    Enable or disable logging of DHCP service messages. (Default: enable)
email {disable | enable}
    Enable or disable the spam filter log. (Default: enable)
email-log-imap {disable | enable}
    Enable or disable logging of spam detected in IMAP traffic. Available only when email is enabled. (Default: enable)
email-log-pop3 {disable | enable}
    Enable or disable logging of spam detected in POP3 traffic. Available only when email is enabled. (Default: enable)
email-log-smtp {disable | enable}
    Enable or disable logging of spam detected in SMTP traffic. Available only when email is enabled. (Default: enable)
event {disable | enable}
    Enable or disable the event log. (Default: enable)
ha {disable | enable}
    Enable or disable HA activity messages. (Default: enable)
ftgd-wf-block {disable | enable}
    Enable or disable logging of web pages blocked by FortiGuard category filtering in the web filter log. This keyword is available when web is enabled. (Default: enable)
ftgd-wf-errors {disable | enable}
    Enable or disable logging all instances of FortiGuard category filtering rating errors. This keyword is available when web is enabled. (Default: enable)
gtp {disable | enable} (FortiOS Carrier)
    Enable or disable logging for GTP messages. (Default: enable)
im {disable | enable}
    Enable or disable logging of instant messages and Peer-to-Peer (P2P) events. (Default: enable)
im-all {disable | enable}
    Enable or disable logging of instant messages. (Default: enable)
infected {disable | enable}
    Enable or disable logging of all virus infections in the antivirus log. This keyword is available when virus is enabled. (Default: enable)
ipsec {disable | enable}
    Enable or disable logging of IPSec negotiation events, such as progress and error reports, in the event log. This keyword is available when event is enabled. (Default: enable)
msisdn-bwl {disable | enable} (FortiOS Carrier)
    Enable or disable logging of MSISDN filter block messages. (Default: enable)
other-traffic {disable | enable}
    Enable or disable ICSA compliant logs. This setting is independent from the traffic setting. When enabled, it generates traffic log entries: (Default: disable)
    • for all dropped ICMP packets
    • for all dropped invalid IP packets
    • for session start and on session deletion
    This setting is not rate limited. A large volume of invalid packets can dramatically increase the number of log entries.
oversized {disable | enable}
    Enable or disable logging of oversized files in the antivirus log. This keyword is available when virus is enabled. (Default: enable)
pattern {disable | enable}
    Enable or disable logging of all pattern update events, such as antivirus and IPS pattern updates and update failures, in the event log. This keyword is available when event is enabled. (Default: enable)
ppp {disable | enable}
    Enable or disable logging of all L2TP, PPTP, and PPPoE-related events, such as manager and socket creation processes, in the event log. This keyword is available when event is enabled. (Default: enable)
severity {alert | critical | debug | emergency | error | information | notification | warning}
    Select the logging severity level. The FortiGate unit logs all messages at and above the logging severity level you select. For example, if you select error, the unit logs error, critical, alert and emergency level messages. (Default: information)
    emergency - The system is unusable.
    alert - Immediate action is required.
    critical - Functionality is affected.
    error - An erroneous condition exists and functionality is probably affected.
    warning - Functionality might be affected.
    notification - Information about normal events.
    information - General information about system operations.
    debug - Information used for diagnosing or debugging the FortiGate unit.
signature {disable | enable}
    Enable or disable logging of detected and prevented attacks based on the attack signature, and the action taken by the FortiGate unit, in the attack log. This keyword is available when attack is enabled. (Default: enable)
sslvpn-log-adm {disable | enable}
    Enable or disable logging of SSL-VPN administration. (Default: enable)
sslvpn-log-auth {disable | enable}
    Enable or disable logging of SSL-VPN user authentication. (Default: enable)
sslvpn-log-session {disable | enable}
    Enable or disable logging of SSL-VPN sessions. (Default: enable)
system {disable | enable}
    Enable or disable logging of system activity messages. (Default: enable)
traffic {disable | enable}
    Enable or disable the traffic log. (Default: enable)
url-filter {disable | enable}
    Enable or disable logging of blocked URLs (specified in the URL block list) in the web filter log. This keyword is available when web is enabled. (Default: enable)
violation {disable | enable}
    Enable or disable logging of all traffic that violates the firewall policy settings in the traffic log. This keyword is available when traffic is enabled. (Default: enable)
virus {disable | enable}
    Enable or disable the antivirus log. (Default: enable)
voip {disable | enable}
    Enable or disable logging of VoIP events. If enabling VoIP, also enable VoIP settings in a protection profile. See “firewall” on page 81 about enabling VoIP settings in a protection profile. (Default: enable)
voip-all {disable | enable}
    Enable or disable logging of all subcategories of VoIP events. If enabling VoIP, also enable VoIP settings in a protection profile. See “firewall” on page 81 about enabling VoIP settings in a protection profile. (Default: enable)
web {disable | enable}
    Enable or disable the web filter log. (Default: enable)
web-content {disable | enable}
    Enable or disable logging of blocked content (specified in the banned words list) in the web filter log. This keyword is available when web is enabled. (Default: enable)
web-filter-activex {disable | enable}
    Enable or disable logging of ActiveX block messages. (Default: enable)
web-filter-applet {disable | enable}
    Enable or disable logging of Java applet block messages. (Default: enable)
web-filter-cookie {disable | enable}
    Enable or disable logging of cookie block messages. (Default: enable)

Example
This example shows how to set the logging severity level to warning, enable virus logging for infected
files, and enable event logging for anomaly and IPSec events.
config log disk filter
set severity warning
set virus enable
set infected enable
set event enable
set anomaly enable
set ipsec enable
end
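The two rules that decide whether a filter keeps a message (the severity threshold keeps messages at and above the selected level, and a sub-keyword such as admin or infected only takes effect while its parent log type, event or virus, is enabled) can be checked offline before a filter is pushed to a unit. The following Python script is an added example, not Fortinet code: it parses a FortiOS-style config block into nested dictionaries and then decides whether a message of a given subtype and severity would be logged. The parent/child keyword map and the defaults are taken from the table above; the sample configs are the page's own example plus a constructed variant that disables the event log while leaving admin enabled.

```python
"""Parse a FortiOS-style 'config ... end' block and evaluate a log filter.

Added example (not Fortinet code). Keyword dependencies and defaults follow
the filter table above; the message model (subtype + severity) is a
simplification of a real log record.
"""
import shlex

# Severity levels from most to least severe, as listed under 'severity'.
SEVERITY_ORDER = ["emergency", "alert", "critical", "error",
                  "warning", "notification", "information", "debug"]

# Sub-keyword -> the log type that must be enabled for it to take effect.
PARENT = {
    "admin": "event", "auth": "event", "ipsec": "event",
    "pattern": "event", "ppp": "event",
    "allowed": "traffic", "violation": "traffic",
    "anomaly": "attack", "signature": "attack",
    "infected": "virus", "oversized": "virus",
    "ftgd-wf-block": "web", "ftgd-wf-errors": "web",
    "url-filter": "web", "web-content": "web",
    "email-log-imap": "email", "email-log-pop3": "email",
    "email-log-smtp": "email",
}

# Every filter keyword defaults to enable except these two.
DEFAULTS = {"other-traffic": "disable", "severity": "information"}


def parse_fortios(text):
    """Parse FortiOS CLI config text into nested dicts.

    'config <path>' opens a table, 'edit <name>' opens an entry inside it,
    'set <key> <value...>' stores a value, 'next' closes the entry and
    'end' closes the entry (if one is open) and then the table.
    """
    root = {}
    stack = [("config", root)]           # (kind, container) pairs
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        words = shlex.split(line)        # honours "quoted values"
        cmd, args = words[0], words[1:]
        if cmd == "config":
            node = stack[-1][1].setdefault(" ".join(args), {})
            stack.append(("config", node))
        elif cmd == "edit":
            node = stack[-1][1].setdefault(args[0], {})
            stack.append(("edit", node))
        elif cmd == "set":
            stack[-1][1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd == "next":
            if stack[-1][0] != "edit":
                raise ValueError("'next' outside of an edit block")
            stack.pop()
        elif cmd == "end":
            while stack[-1][0] == "edit":  # 'end' also closes an open entry
                stack.pop()
            if len(stack) == 1:
                raise ValueError("'end' without matching 'config'")
            stack.pop()
        else:
            raise ValueError(f"unknown command: {line}")
    if len(stack) != 1:
        raise ValueError("unterminated config block")
    return root


def would_log(filter_settings, subtype, severity):
    """Return True if a message of this subtype and severity passes the filter."""
    threshold = filter_settings.get("severity", DEFAULTS["severity"])
    if SEVERITY_ORDER.index(severity) > SEVERITY_ORDER.index(threshold):
        return False                     # less severe than the threshold
    if filter_settings.get(subtype, DEFAULTS.get(subtype, "enable")) != "enable":
        return False                     # the keyword itself is disabled
    parent = PARENT.get(subtype)
    if parent and filter_settings.get(parent, "enable") != "enable":
        return False                     # parent log type is disabled
    return True


# The page's own example, followed by a constructed variant.
PAGE_EXAMPLE = """
config log disk filter
    set severity warning
    set virus enable
    set infected enable
    set event enable
    set anomaly enable
    set ipsec enable
end
"""

CONSTRUCTED_EXAMPLE = """
config log syslogd filter
    set event disable
    set admin enable
    set other-traffic enable
end
"""

if __name__ == "__main__":
    disk = parse_fortios(PAGE_EXAMPLE)["log disk filter"]
    print(would_log(disk, "infected", "warning"))       # True
    print(would_log(disk, "infected", "notification"))  # False: below warning
    syslog = parse_fortios(CONSTRUCTED_EXAMPLE)["log syslogd filter"]
    print(would_log(syslog, "admin", "alert"))          # False: event disabled
```

The parser is also enough for the nested IPS sensor example earlier on this page (config inside edit inside config), which is why end closes any open entry before it closes the table.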

History

FortiOS v2.80 Substantially revised.
FortiOS v2.8 MR2 Removed email_content keyword.
Added email_log_imap, email_log_pop3, and email_log_smtp keywords.

FortiOS v3.0 cat-monitor, exempt and content-keywords commands removed.
url-block command renamed to url-filter.
cat-block and cat-errors commands renamed to ftgd-wf-block and ftgd-wf-errors respectively.
New keywords im, im-all and sslvpn-auth, sslvpn-adm, sslvpn-session, web-filter-activex, web-filter-applet and web-filter-cookie added.

FortiOS v3.0 MR4 Added the FortiGuard Log & Analysis command, fortiguard for configuring the filter
settings for the FortiGuard Log & Analysis server. Also added VoIP commands.
Added keywords for FortiOS Carrier.

Related topics
• log fortianalyzer setting
• log memory setting
• log syslogd setting
• log webtrends setting
• log trafficfilter
• log report definition
• firewall


disk setting
Use this command to configure log settings for logging to the local disk. Disk logging is only available
for FortiGate units with an internal hard disk. You can also use this command to configure the
FortiGate unit to upload current log files to an FTP server every time the log files are rolled.

Syntax
config log disk setting
set status {enable | disable}
set full-first-warning-threshold <integer>
set full-second-warning-threshold <integer>
set full-final-warning-threshold <integer>
set max-log-file-size <integer max>
set roll-schedule {daily | weekly}
set roll-time <hh:mm>
set diskfull {nolog | overwrite}
set upload {enable | disable}
set upload-destination {fortianalyzer | ftp-server}
set uploadip <class_ip>
set uploadport <port_integer>
set uploaduser <user_str>
set uploadpass <passwd>
set uploaddir <dir_name_str>
set uploadtype {attack event im spamfilter traffic virus voip
webfilter}
set uploadzip {disable | enable}
set uploadsched {disable | enable}
set uploadtime <time_integer>
set upload-delete-files {enable | disable}
set drive-standby-time <0-19800>
end
Keywords and variables (default shown in parentheses)
status {enable | disable}
    Enter enable to enable logging to the local disk. (Default: disable)
full-first-warning-threshold
    Configure the first warning before reaching the threshold. You can enter a number between 1 and 100. (Default: 75)
full-second-warning-threshold
    Configure the second warning before reaching the threshold. You can enter a number between 1 and 100. (Default: 90)
full-final-warning-threshold
    Configure the final warning before reaching the threshold. You can enter a number between 1 and 100. (Default: 95)
max-log-file-size <integer max>
    Enter the maximum size of the log file (in MB) that is saved to the local disk. When the log file reaches the specified maximum size, the FortiGate unit saves the current log file and starts a new active log file. The default maximum log file size is 1 MB and the maximum log file size allowed is 1024 MB. (Default: 100)
roll-schedule {daily | weekly}
    Enter the frequency of the log rolling. When set, the FortiGate unit will roll the log file even if the maximum size has not been reached. (Default: daily)
roll-time <hh:mm>
    Enter the time of day, in the format hh:mm, when the FortiGate unit saves the current log file and starts a new active log file. (Default: 00:00)
diskfull Enter the action to take when the local disk is full. When you overwrite
{nolog | overwrite} enter nolog, the FortiGate unit will stop logging, and
overwrite will begin overwriting the oldest file once the local
disk is full.
upload Enable or disable uploading log files to a remote directory. disable
{enable | disable} Enable upload to upload log files to an FTP server whenever
a log file rolls.
Use the uploaddir, uploadip, uploadpass, uploadport,
and uploaduser keywords to add this information required to
connect to the FTP server and upload the log files to a specific
location on the server.
Use the uploadtype keyword to select the type of log files to
upload.
Use the upload-delete-files keyword to delete the files
from the hard disk once the FortiGate unit completes the file
transfer.
All upload keywords are available after enabling the upload
command.
upload-destination Select to upload log files directly to a FortiAnalyzer unit or to an disable
{fortianalyzer | ftp- FTP server. When you select to upload log files directly to a
server} FortiAnalyzer unit, you can also schedule when to upload the
log files, when the log file rolls, and so on.
uploadip Enter the IP address of the FTP server. This is required. 0.0.0.0
<class_ip>
uploadport Enter the port number used by the FTP server. The default port 21
<port_integer> is 21. Port 21 is the standard FTP port.
uploaduser Enter the user account for the upload server. This is required. No default.
<user_str>
uploadpass Enter the password required to connect to the FTP server. This No default
<passwd> is required.
uploaddir Enter the name of the path on the FTP server where the log No default
<dir_name_str> files will be transferred to. If you do not specify a remote
directory, the log files are uploaded to the root directory of the
FTP server.
uploadtype Select the log files to upload to the FTP server. You can enter traffic
{attack event im one or more of the log file types separated by spaces. Use a event
spamfilter traffic space to separate the log file types. If you want to remove a log spamfilter
file type from the list or add a log file type to the list, you must virus
virus voip webfilter} retype the list with the log file type removed or added. webfilter
voip
im
uploadzip Enter enable to compress the log files after uploading to the disable
{disable | enable} FTP server. If disable is entered, the log files are uploaded to
the FTP server in plain text format.
uploadsched Enable log uploads at a specific time of the day. When set to disable
{disable | enable} disable, the FortiGate unit uploads the logs when the logs are
rolled.
uploadtime Enter the time of day when the FortiGate unit uploads the logs. 0
<time_integer> The uploadsched setting must first be set to enable.
upload-delete-files Enable or disable the removal of the log files once the enable
{enable | disable} FortiGate unit has uploaded the log file to the FTP server.
drive-standby-time Set the power management for the hard disk. Enter the number 0
<0-19800> of seconds, up to 19800. If there is no hard disk activity within
the defined time frame, the hard disk will spin down to conserve
energy. Setting the value to 0 disables the setting.

Example
This example shows how to enable logging to the local disk, set the action to stop logging when the
disk is full, set a maximum log file size of 300 MB, and roll the log files daily, starting a new file at
01:30 every day.
config log disk setting
set status enable
set diskfull nolog
set max-log-file-size 300
set roll-schedule daily
set roll-time 01:30
end
This example shows how to enable uploading the traffic log and content archive files to an FTP server.
The FTP server has the IP address 172.30.120.24, the user name is ftpone, the password is ftppass1,
and the directory on the FTP server is fortigate\logs.
config log disk setting
set upload enable
set uploadip 172.30.120.24
set uploaduser ftpone
set uploadpass ftppass1
set uploadtype traffic content
set uploaddir fortigate\logs
end
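The limits given in the table above (warning thresholds from 1 to 100, a log file size of at most 1024 MB, an hh:mm roll time, a drive standby time up to 19800 seconds, and the FTP address and credentials that become mandatory once upload is enabled) can be checked before a disk-setting block is pushed to a unit. The following Python validator is an added example, not Fortinet code. The two dicts are constructed from the two examples above; because the MR5 history entry below records that content was removed from uploadtype, the second example is reported as a problem, which is exactly the kind of drift between an old config and the current syntax that such a check catches.

```python
"""Validate a 'config log disk setting' block against the limits in the
reference above. Added example (not Fortinet code); the settings dicts below
are constructed from the two page examples, and the accepted uploadtype
values follow the syntax shown, which no longer includes 'content'.
"""
import ipaddress
import re

VALID_UPLOADTYPES = {"attack", "event", "im", "spamfilter",
                     "traffic", "virus", "voip", "webfilter"}
ENABLE_DISABLE = {"enable", "disable"}


def _in_range(settings, key, low, high, problems):
    """Check that an integer keyword, if present, lies within [low, high]."""
    if key not in settings:
        return
    try:
        value = int(settings[key])
    except ValueError:
        problems.append(f"{key}: not an integer: {settings[key]!r}")
        return
    if not low <= value <= high:
        problems.append(f"{key}: {value} outside {low}-{high}")


def validate_disk_setting(settings):
    """Return a list of problems found in a disk-setting dict (empty = OK)."""
    problems = []
    for key in ("status", "upload", "uploadzip", "uploadsched",
                "upload-delete-files"):
        if key in settings and settings[key] not in ENABLE_DISABLE:
            problems.append(f"{key}: expected enable or disable")
    # Warning thresholds are percentages from 1 to 100.
    for key in ("full-first-warning-threshold", "full-second-warning-threshold",
                "full-final-warning-threshold"):
        _in_range(settings, key, 1, 100, problems)
    _in_range(settings, "max-log-file-size", 1, 1024, problems)    # MB
    _in_range(settings, "drive-standby-time", 0, 19800, problems)  # seconds
    _in_range(settings, "uploadport", 1, 65535, problems)
    if settings.get("roll-schedule", "daily") not in {"daily", "weekly"}:
        problems.append("roll-schedule: expected daily or weekly")
    if settings.get("diskfull", "overwrite") not in {"nolog", "overwrite"}:
        problems.append("diskfull: expected nolog or overwrite")
    roll_time = settings.get("roll-time", "00:00")
    if not re.fullmatch(r"([01]\d|2[0-3]):[0-5]\d", roll_time):
        problems.append(f"roll-time: {roll_time!r} is not hh:mm (24-hour)")
    # FTP upload needs a reachable server and credentials.
    if settings.get("upload") == "enable":
        for key in ("uploadip", "uploaduser", "uploadpass"):
            if not settings.get(key):
                problems.append(f"{key}: required when upload is enabled")
        if settings.get("uploadip"):
            try:
                ipaddress.IPv4Address(settings["uploadip"])
            except ValueError:
                problems.append(f"uploadip: {settings['uploadip']!r} is not an IPv4 address")
        types = settings.get("uploadtype", [])
        if isinstance(types, str):       # a single value parses as a string
            types = [types]
        for name in sorted(set(types) - VALID_UPLOADTYPES):
            problems.append(f"uploadtype: unknown log type {name!r}")
        if settings.get("uploadsched") == "enable" and "uploadtime" not in settings:
            problems.append("uploadtime: required when uploadsched is enabled")
    return problems


# Constructed from the first page example above.
ROLLING_EXAMPLE = {
    "status": "enable", "diskfull": "nolog", "max-log-file-size": "300",
    "roll-schedule": "daily", "roll-time": "01:30",
}

# Constructed from the second page example; note the 'content' log type.
UPLOAD_EXAMPLE = {
    "upload": "enable", "uploadip": "172.30.120.24", "uploaduser": "ftpone",
    "uploadpass": "ftppass1", "uploadtype": ["traffic", "content"],
    "uploaddir": "fortigate\\logs",
}

if __name__ == "__main__":
    print(validate_disk_setting(ROLLING_EXAMPLE))  # []
    print(validate_disk_setting(UPLOAD_EXAMPLE))   # ["uploadtype: unknown log type 'content'"]
```

Keywords the reference marks as required are only checked once upload is enable, matching the note that the upload keywords become available after enabling upload.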

History
FortiOS v2.80 Substantially revised.
FortiOS v2.80 MR2 Removed ftppasswd, ftpserver, and ftpuser keywords.
Added upload keyword.
Added upload, uploaddir, uploadip, uploadpass, uploadport, uploadtype,
and uploaduser keywords.
FortiOS v3.0 Renamed keyword filesize to max-log-file-size.
Removed duration and unit keywords.
Added upload-delete-files command.
FortiOS v3.0 MR2 Removed roll-day command.
FortiOS v3.0 MR4 Additional log files new to FortiOS 3.0MR4 were added to uploadtype keyword, voip
and im.
FortiOS v3.0 MR5 Removed the keyword, content, from uploadtype command.
Added keyword, upload-destination, for uploading log files to a FortiAnalyzer unit.
FortiOS v3.0 MR6 Added keywords full-first-warning-threshold, full-second-warning-threshold, and
full-final-warning-threshold.

Related topics
• log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
• log fortianalyzer setting
• log memory setting
• log syslogd setting
• log trafficfilter
• log webtrends setting
• log report definition


fortianalyzer setting
Use this command to configure the FortiGate unit to send log files to a FortiAnalyzer unit. See
“fortianalyzer, fortianalyzer2, fortianalyzer3” on page 340 to set the FortiAnalyzer configuration
settings.
FortiAnalyzer units are network appliances that provide integrated log collection, analysis tools and
data storage. Detailed log reports provide historical as well as current analysis of network and email
activity to help identify security issues and reduce network misuse and abuse.
Using the CLI, you can send logs to up to three different FortiAnalyzer units for maximum fail-over
protection of log data. After configuring logging to FortiAnalyzer units, the FortiGate unit sends the
same log packets to all configured FortiAnalyzer units. Additional FortiAnalyzer units are configured
using the fortianalyzer2 and fortianalyzer3 commands.
Use the multi-report command to enable configuring FortiAnalyzer reports. By default,
multi-report is disabled and only the default FortiAnalyzer report is available.

Note: The FortiAnalyzer CLI commands are not cumulative. Using a syntax similar to the following is not
valid:
config log fortianalyzer fortianalyzer2 fortianalyzer3 setting

Syntax
config log fortianalyzer setting
set status {disable | enable}
set multi-report {enable | disable}
set max-buffer-size <integer>
end
Keywords and variables (default shown in parentheses)
status {disable | enable}
    Enter enable to enable logging to a FortiAnalyzer unit. (Default: disable)
multi-report {enable | disable}
    Enter enable to allow configuring multiple reports. You need to enable this command to configure any FortiAnalyzer reports. (Default: disable)
max-buffer-size
    Enter a number between 0 and 4095 MB for the maximum buffer size for the FortiAnalyzer unit. The number 0 disables the maximum buffer size. (Default: 10)

Example
This example shows how to enable logging to a FortiAnalyzer unit.
config log fortianalyzer setting
set status enable
end

History

FortiOS v2.80 New.
FortiOS v2.80 MR2 Added localid and psksecret keywords.
FortiOS v3.0 Moved all FortiAnalyzer configuration keywords under config system fortianalyzer.
Command includes up to three FortiAnalyzer units, fortianalyzer2 and fortianalyzer3.
Changed FortiLog product name to FortiAnalyzer.
FortiOS v3.0 MR4 Added multi-report keyword.


Related topics
• system fortianalyzer, fortianalyzer2, fortianalyzer3
• log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
• log fortianalyzer setting
• log memory setting
• log syslogd setting
• log webtrends setting
• log trafficfilter
• log report definition


fortiguard setting
Use this command for configuring FortiGuard Analysis Service settings. See the FortiGate
Administration Guide for more information about subscription-based FortiGuard Analysis Service,
including enabling logging to a FortiGuard Analysis server.

Note: The fortiguard setting command is only available when FortiGuard Analysis Service
subscription-based services are enabled. The storage space is a specified amount, and varies,
depending on the services requested.

Syntax
config log fortiguard setting
set quotafull {nolog | overwrite}
set status {disable | enable}
end
Keywords and variables (default shown in parentheses)
quotafull {nolog | overwrite}
    Enter the action to take when the specified storage space on the FortiGuard Analysis server is full. When you enter nolog, the FortiGate unit will stop logging; overwrite will begin overwriting the oldest file. (Default: overwrite)
status {disable | enable}
    Enter enable to enable logging to the FortiGuard Analysis server. (Default: disable)

Example
In this example, the FortiGate unit is logging to a FortiGuard Analysis server, and will stop logging
when the maximum storage space on the server is reached.
config log fortiguard setting
set quotafull nolog
set status enable
end

History

FortiOS v3.0 MR4 New.

Related topics
• {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter


memory setting
Use this command to configure log settings for logging to the FortiGate system memory.
The FortiGate system memory has a limited capacity and only displays the most recent log entries.
Traffic logs are not stored in the memory buffer, due to the high volume of traffic information. After all
available memory is used, by default the FortiGate unit begins to overwrite the oldest messages. All
log entries are deleted when the FortiGate unit restarts.

Syntax
config log memory setting
set diskfull <overwrite>
set status {disable | enable}
end
Keywords and variables (default shown in parentheses)
diskfull <overwrite>
    Enter the action to take when the memory is reaching its capacity. nolog means the FortiGate unit will stop logging, overwrite means the FortiGate unit will begin overwriting the oldest file, and blocktraffic means the FortiGate unit will block traffic when the memory is full. (Default: overwrite)
status {disable | enable}
    Enter enable to enable logging to the FortiGate system memory. (Default: disable)

Example
This example shows how to enable logging to the FortiGate system memory, and configure the
FortiGate unit to stop logging when the log memory buffer is full.
config log memory setting
set status enable
set diskfull overwrite
end

History

FortiOS v2.80 Substantially revised.
FortiOS v3.0 Added diskfull keyword.
FortiOS v3.0 MR6 Removed blocktraffic and nolog keywords.

Related topics
• log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
• log fortianalyzer setting
• log syslogd setting
• log webtrends setting
• log trafficfilter
• log report definition
• memory global setting


memory global setting
Use this command to configure log threshold warnings, as well as the maximum buffer lines, for the
FortiGate system memory.
The FortiGate system memory has a limited capacity and displays only the most recent log entries.
Traffic logs are not stored in the memory buffer, due to the high volume of traffic information. After all
available memory is used, by default, the FortiGate unit begins to overwrite the oldest log messages.
All log entries are deleted when the FortiGate unit restarts.

Syntax
config log memory global setting
set full-final-warning-threshold <integer>
set full-first-warning-threshold <integer>
set full-second-warning-threshold <integer>
set max-lines <integer>
end
Keywords and variables (default shown in parentheses)
full-final-warning-threshold
    Configure the final warning before reaching the threshold. You can enter a number between 1 and 100. (Default: 95)
full-first-warning-threshold
    Configure the first warning before reaching the threshold. You can enter a number between 1 and 100. (Default: 75)
full-second-warning-threshold
    Configure the second warning before reaching the threshold. You can enter a number between 1 and 100. (Default: 90)
max-lines
    Enter the maximum number of lines in the memory buffer log. (No default)

Example
This example shows how to configure the first, second, and final threshold warnings as well as the
maximum lines for the memory buffer log.
config log memory global setting
set full-first-warning-threshold 40
set full-second-warning-threshold 60
set full-final-warning-threshold 80
set max-lines 60
end

History

FortiOS v3.0 MR6 New.

Related topics
• log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
• log fortianalyzer setting
• log syslogd setting
• log webtrends setting
• log trafficfilter
• log report definition
• memory setting


report customization
Use this command to customize your report with the company name, or to customize footers and
headers.

Syntax
config log report customization
set company <company_name>
set footer-option {custom | report-title} <footer>
set header <header_name>
end

Keywords and variables (default shown in parentheses)
company <company_name>
    Enter your company name to display on the report. (No default)
footer-option {custom | report-title} <footer>
    Enter report-title to display the report title in the footers of the report, or custom to customize the footers. When customizing the footer, you can enter the footer comment by using footer instead of entering footer-option custom. (Default: report-title)
header <header_name>
    Enter a header for the report. (No default)

Example
This example shows how to customize the report with the company name XYN, along with a
customized footer and header for the report.
config log report customization
set company XYN
set footer "XYN: Weekly Report"
set header "XYN: Week of June 21"
end

History

FortiOS v3.0 New for this release.
FortiOS v3.0 MR5 Added footer for entering the footer comment without selecting footer-option custom.

Related topics
• report filter
• report output
• report period
• report schedule
• report scope
• report selection


report definition
Use this command to add information to the report, including the title of the report and a description of
what is contained in the report.

Syntax
config log report definition
set description <report_description>
set title <report_title>
end
Keywords and variables (default shown in parentheses)
description <report_description>
    Enter a description for the report describing what the report contains. Enclose the description in quotes. For example, “This report contains network traffic statistics.” (No default)
title <report_title>
    Enter a title for the report. If the title is more than one word, enclose the title in quotes. For example, “Network Traffic Statistics.” (No default)

Example
This example shows how to set the report name and title.
config log report definition
set description "A weekly traffic report for the FortiGate-60"
set title "Weekly Report"
end

History

FortiOS v3.0 New for this release.

Related topics
• report filter
• report output
• report period
• report schedule
• report scope
• report selection

report filter
Use this command to include or exclude information in a report to produce a more concise report. For
example, you may want reports only on specific error messages, or you may not want to include certain
destination IP addresses.

Syntax
config log report filter
set filter-string <filter_string>
end
Keywords and variables Description Default

filter-string <filter_string>
    Enter a filter string to define what is included in the report.
    Default: No default

History

FortiOS v3.0 New for this release.

Related topics
• report definition
• report output
• report period
• report schedule
• report scope
• report selection

report output
Use this command to configure the file format of the report that is sent to email recipients or saved to
the FortiAnalyzer hard disk. Use this command also to configure the FortiAnalyzer unit to upload the
completed report files to an FTP server.

Syntax
config log report output
config addresses
edit address <address_str>
set from <from_sender>
set server <server_ip>
next
end
set email {html | pdf | rtf | txt}
set email-attachment-name <name_str>
set email-body <string>
set email-subject <subject_str>
set file {html | pdf | rtf | txt}
set upload {enable | disable}
set upload-delete {enable | disable}
set upload-dir <directory_str>
set upload-gzipped {enable | disable}
set upload-ip <ip_str>
set upload-password <passwd_str>
set upload-server-type {FTP | SCP | SFTP}
set upload-username <username_str>
end
Keywords and variables Description Default

edit address <address_str>
    Enter the email recipients for the FortiAnalyzer report.
    Default: No default
set from <from_sender>
    Enter the sender's email address.
    Default: No default
set server <server_ip>
    Enter the server IP address.
    Default: No default
email {html | pdf | rtf | txt}
    Select the file format of the report that the FortiAnalyzer unit sends to the email recipients.
    Default: No default
email-attachment-name <name_str>
    Enter the email output attachment name.
    Default: No default
email-body <string>
    Enter the email output body.
    Default: No default
email-subject <subject_str>
    Enter the email's subject for the subject line.
    Default: No default
file {html | pdf | rtf | txt}
    Select the file format the FortiAnalyzer unit saves to its hard disk.
    Default: html
upload {enable | disable}
    Set whether the FortiAnalyzer unit uploads the report files to an FTP server. All upload keywords are available when upload is enabled.
    Default: disable
upload-delete {enable | disable}
    Enable or disable the removal of the log files once the FortiGate unit has uploaded the log file to the FTP server.
    Default: disable
upload-dir <directory_str>
    Enter the target directory on the upload server. For example, if the file is in d:\, the directory would be d:\george_files_xyn2006.
    Default: No default
upload-gzipped {enable | disable}
    Enable or disable compressing the log files before uploading them to the FTP server. This keyword is available when upload is enabled.
    Default: disable
upload-server-type {FTP | SCP | SFTP}
    Enter the upload server type.
    Default: FTP
upload-ip <ip_str>
    Enter the IP address required to connect to the FTP server. This keyword is available when upload is enabled.
    Default: No default
upload-password <passwd_str>
    Enter the password required to connect to the FTP server. This keyword is available when upload is enabled.
    Default: No default
upload-username <username_str>
    Enter the user name required to connect to the FTP server. This keyword is available when upload is enabled.
    Default: No default

Example
This example shows how to set the report output to HTML and PDF formats.
config log report output
set file html pdf
end

History

FortiOS v3.0 New for this release.


FortiOS v3.0 MR2 Added the following keywords:
• email-subject
• upload-server-type
• upload-dir

Related topics
• report definition
• report filter
• report period
• report schedule
• report scope
• report selection

report period
Use this command to select the time span for the report period or select a specific time frame. When
the FortiAnalyzer unit generates the report, it uses the log data found within the specified time period
only.

Syntax
config log report period
set type {last-14-days | last-2-weeks | last-30-days | last-7-days | last-month | last-n-days | last-n-hours | last-n-weeks | last-quarter | last-week | other | this-month | this-quarter | this-week | this-year | today | yesterday}
end
Keywords and variables Description Default

type {last-14-days | last-2-weeks | last-30-days | last-7-days | last-month | last-n-days | last-n-hours | last-n-weeks | last-quarter | last-week | other | this-month | this-quarter | this-week | this-year | today | yesterday}
    Select a time period for the report. This command is required before entering the end and start date for the report period. The end and start date will not appear unless a type is selected.
    Default: last-7-days

Example
This example shows how to set the reporting period to the previous week's data.
config log report period
set type last-week
end

History

FortiOS v3.0 New for this release.


FortiOS v3.0 MR2 The keyword last-n is no longer available.

Related topics
• report definition
• report filter
• report output
• report schedule
• report scope
• report selection

report schedule
Use this command to set a schedule for when the FortiAnalyzer unit generates the reports.

Syntax
config log report schedule
set type {daily | dates | days | none}
set dates {1-31}
set days {mon | tue | wed | thu | fri | sat |sun}
set time <hh:mm>
end
Keywords and variables Description Default

type {daily | dates | days | none}
    Select when the FortiAnalyzer unit initiates the report. With a selection of none, the FortiAnalyzer administrator must start the report manually from the FortiAnalyzer unit.
    Default: none
dates {1-31}
    Select the days of the month when the FortiAnalyzer unit runs the report. Separate multiple dates with a space. For example, set dates 1 15 30.
    Default: No default
days {mon | tue | wed | thu | fri | sat | sun}
    Select the days of the week when the FortiAnalyzer unit runs the report. Separate multiple days with a space. For example, set days mon wed.
    Default: No default
time <hh:mm>
    Select the time of the day when the FortiAnalyzer unit runs the report.
    Default: 00:00

Example
This example shows how to set the report to run every Monday at 9:56.
config log report schedule
set type days
set days mon
set time 09:56
end

History

FortiOS v3.0 New for this release.

Related topics
• report definition
• report filter
• report output
• report period
• report scope
• report selection

report scope
Use this command to select the type of results you would like to include in the report.

Syntax
config log report scope
set audit <integer>
set exclude-summary {enable |disable}
set include-nodata {enable | disable}
set include-summary {enable | disable}
set include-table-of-content {enable | disable}
set obfuscate-user {enable | disable}
set resolve-host {enable | disable}
set resolve-service {enable | disable}
set result {all}
set top1 {1-30}
set top2 {1-30}
end
Keywords and variables Description Default

audit <integer>
    Enter a number from 1 to 10000 to display the top number of values in all audit reports.
    Default: 100
exclude-summary {enable | disable}
    Enable to exclude summary information from the report.
    Default: enable
include-nodata {enable | disable}
    Enable to include no summary information in the report.
    Default: disable
include-summary {enable | disable}
    Enable to include the summary information in the report.
    Default: disable
include-table-of-content {enable | disable}
    Enable to include the table of contents in the report.
    Default: disable
obfuscate-user {enable | disable}
    Enable to obfuscate user group names in the report.
    Default: disable
resolve-host {enable | disable}
    Enable or disable including actual user names rather than IP addresses in the report. IP aliases must be configured on the FortiAnalyzer unit. For example, User One instead of 10.10.10.1.
    Default: disable
resolve-service {enable | disable}
    Enable or disable including service names rather than port numbers in the report. For example, HTTP instead of port 80.
    Default: disable
result {all}
    Set to include the results for all virtual domains.
    Default: all
top1 {1-30}
    For some report types, you can set the top ranked items for the report. These reports have "Top" in their name, and will always show only the top number of entries. For example, report on the most active mail clients within the organization rather than all mail clients. Enter the value for the first "top" results. Reports that do not include "Top" in their name will always show all information. Changing the values for the top fields will not affect these reports.
    Default: 6
top2 {1-30}
    For some report types, you can set the top ranked items for the report. These reports have "Top" in their name, and will always show only the top number of entries. For example, report on the most active mail clients within the organization rather than all mail clients. Enter the value for the second "top" results. Reports that do not include "Top" in their name will always show all information. Changing the values for the top fields will not affect these reports.
    Default: 3

Example
This example shows how to set the resolving of the host and service names in the report.
config log report scope
set resolve-host enable
set resolve-service enable
end

History
FortiOS v3.0 New for this release.
FortiOS v3.0 MR4 Added the following keywords:
• exclude-summary
• include-summary
• include-nodata
• include-table-of-content
• obfuscate-user
FortiOS v3.0 MR5 Added the keyword, audit.

Related topics
• report definition
• report filter
• report output
• report period
• report schedule
• report selection

report selection
Use this command to select the reports to include within the report profile.

Syntax
config log report selection
set selection <report_category> [<report> <report>...]
end
Keywords and variables Description Default

selection <report_category> [<report> <report>...]
    Select the report types to include.
    Default: No default

For a list of report categories and reports, see the list in the command line interface.

Example
This example shows how to set the network activity report.
config log report selection
set selection network-activity net-date-dir net-dir
end

History

FortiOS v3.0 New for this release.

Related topics
• report definition
• report filter
• report output
• report period
• report schedule
• report scope

report summary-layout
Use this command to customize the summary reports.

Syntax
config log report summary-layout
set summary-column {1 | 2 | 3 | 4}
config summary-reports
edit name <sum_category> [<sum_report> <sum_report>...]
set order <integer>
set style {bar | line | pie}
set topN <integer>
end
end
Keywords and variables Description Default

summary-column {1 | 2 | 3 | 4}
    Select the number of columns included in the summary layout.
    Default: 2
summary-reports
    Enter to configure and edit summary reports.
    Default: No default
name <sum_category> [<sum_report> <sum_report>...]
    Select a report name to configure and edit. Enter edit name to view all summary reports so you can choose which one to configure and edit.
    Default: No default
order <integer>
    Enter a number to specify the display order of the query in the report.
    Default: 100
style {bar | line | pie}
    Select the style for the summary report.
    Default: pie
topN <integer>
    Enter a number to show the top values of the first variable in Ranked Reports. The maximum value is 100.
    Default: 1-10

Example
In this example, the number of columns in the summary layout is three. There are four summary
reports included in this report, the summary protocol distribution, total viruses detected, total spam
activity, and total web filter activity. The summary report, total viruses detected, will come first and all
summary reports will be pie charts.
config log report summary-layout
set summary-column 3
config summary-reports
edit name sum-proto
set order 4
set style pie
set topN 5
next
edit name sum-tv
set order 1
set style pie
set topN 5
next
edit name sum-mf
set order 2
set style pie
set topN 5
next
edit name sum-wf
set order 3
set style pie
set topN 5
end
end

History

FortiOS v3.0 MR4 New for this release.

Related topics
• report definition
• report filter
• report output
• report period
• report schedule
• report scope

syslogd setting
Use this command to configure log settings for logging to a remote syslog server. You can configure
the FortiGate unit to send logs to a remote computer running a syslog server.
Using the CLI, you can send logs to up to three different syslog servers. Configure additional syslog
servers using syslogd2 and syslogd3 commands and the same keywords outlined below.
Note: Syslog CLI commands are not cumulative. Using a syntax similar to the following is not valid:
config log syslogd syslogd2 syslogd3 setting

Syntax
config log syslogd setting
set csv {disable | enable}
set facility {alert | audit | auth | authpriv | clock | cron | daemon |
ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 |
local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
set port <port_integer>
set server <address_ipv4>
set status {disable | enable}
end
Keywords and variables Description Default

csv {disable | enable}
    Enter enable to enable the FortiGate unit to produce the log in Comma Separated Value (CSV) format. If you do not enable CSV format, the FortiGate unit produces plain text files.
    Default: disable
facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
    Enter the facility type. facility identifies the source of the log message to syslog. You might want to change facility to distinguish log messages from different FortiGate units. Available facility types are:
    • alert: log alert
    • audit: log audit
    • auth: security/authorization messages
    • authpriv: security/authorization messages (private)
    • clock: clock daemon
    • cron: cron daemon performing scheduled commands
    • daemon: system daemons running background system processes
    • ftp: File Transfer Protocol (FTP) daemon
    • kernel: kernel messages
    • local0 – local7: reserved for local use
    • lpr: line printer subsystem
    • mail: email system
    • news: network news subsystem
    • ntp: Network Time Protocol (NTP) daemon
    • syslog: messages generated internally by the syslog daemon
    Default: local7
port <port_integer>
    Enter the port number for communication with the syslog server.
    Default: 514
server <address_ipv4>
    Enter the IP address of the syslog server that stores the logs.
    Default: No default.
status {disable | enable}
    Enter enable to enable logging to a remote syslog server.
    Default: disable

Example
This example shows how to enable logging to a remote syslog server, configure an IP address and
port for the server, and enable logging in CSV format.
config log syslogd setting
set status enable
set server 220.210.200.190
set port 601
set csv enable
end
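The facility keyword is what a collector uses to tell log sources apart, so it pays to check that each unit's lines arrive under the facility it was configured with. The following Python is added here as an illustration and is not part of the Fortinet reference: it encodes and decodes the syslog PRI header (facility code times 8 plus severity) and attributes received lines to the FortiGate unit that was configured to send with each facility. The numeric facility codes come from RFC 3164 (the page lists only the names); the mapping of cron to code 9 and clock to code 15, the unit names and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Numeric facility codes from RFC 3164 section 4.1.1, keyed by the facility
# keyword names accepted by "config log syslogd setting". The reference gives
# only the names; the numbers (and the assumption that cron is code 9 and
# clock is code 15) are added here.
FACILITY_CODES = {
    "kernel": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "audit": 13, "alert": 14, "clock": 15,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
FACILITY_NAMES = {code: name for name, code in FACILITY_CODES.items()}
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def encode_pri(facility, severity):
    """PRI value a sender puts in the <PRI> header: facility * 8 + severity."""
    if facility not in FACILITY_CODES:
        raise ValueError(f"unknown facility keyword: {facility}")
    if not 0 <= severity <= 7:
        raise ValueError("severity must be 0 (emergency) to 7 (debug)")
    return FACILITY_CODES[facility] * 8 + severity


def decode_pri(line):
    """Split a received syslog line into (facility name, severity name, body)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line has no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    facility_code, severity = divmod(pri, 8)
    return FACILITY_NAMES[facility_code], SEVERITY_NAMES[severity], m.group(2)


def split_by_unit(lines, unit_by_facility):
    """Attribute received lines to FortiGate units by the facility each unit
    was configured to send with. Lines carrying a facility no unit was given
    land under "unknown", which is the condition a collector should alert on."""
    buckets = defaultdict(list)
    for line in lines:
        facility, severity, body = decode_pri(line)
        unit = unit_by_facility.get(facility, "unknown")
        buckets[unit].append((severity, body))
    return dict(buckets)


# Constructed sample: two FortiGate units, one left at the default facility
# local7 and one changed to local0 so the collector can tell them apart.
UNIT_BY_FACILITY = {"local7": "FGT60-A", "local0": "FGT60-B"}
SAMPLE_LINES = [
    "<189>FGT60-A: constructed sample event (notice)",    # local7, notice
    "<134>FGT60-B: constructed sample event (info)",      # local0, info
    "<38>unknown-host: constructed sample event (info)",  # auth, info
]

if __name__ == "__main__":
    for unit, events in split_by_unit(SAMPLE_LINES, UNIT_BY_FACILITY).items():
        print(unit, events)
```

Two units left at the default local7 are indistinguishable at the collector, which is the reason the table suggests changing facility per unit; the "unknown" bucket also catches a unit whose configuration drifted from what the collector expects.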

History

FortiOS v2.80 Substantially revised.


FortiOS v2.80 MR3 Added alert and audit keywords for use with facility keyword.
FortiOS v3.0 Command includes up to three syslog servers, syslogd2 and syslogd3.

Related topics
• log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
• log fortianalyzer setting
• log memory setting
• log webtrends setting
• log trafficfilter
• log report definition

trafficfilter
Use this command to configure the following global settings for traffic logging:
• resolve IP addresses to host names
• display the port number or service (protocol) in the log message

Syntax
config log trafficfilter
set display {name | port}
set resolve {disable | enable}
end
The config log trafficfilter command has 1 subcommand.
config rule

Keywords and variables Description Default

display {name | port}
    Enter name to enable the display of the service name in the traffic log messages. Enter port to display the port number used by traffic in traffic log messages.
    Default: port
resolve {disable | enable}
    Enter enable to enable resolving IP addresses to host names in traffic log messages.
    Default: disable

Example
This example shows how to display the service name and enable resolving IP addresses to host
names in log messages.
config log trafficfilter
set display name
set resolve enable
end

config rule
Access the rule subcommand using the log trafficfilter command.
Use the following commands to configure traffic filter rules based on source IP address, destination IP
address, and service (protocol).

Syntax
config rule
edit <name_str>
set dst <any_ip&any_netmask>
set service <name_str>
set src <class_ip&net_netmask>
end

Keywords and variables Description Default

dst <any_ip&any_netmask>
    Enter the destination IP address and netmask for which you want to filter traffic logs.
    Default: 0.0.0.0 0.0.0.0
service <name_str>
    Enter the service for which you want to filter traffic logs. You can choose from any of the predefined services listed and any custom services you have configured. See "service custom" on page 152.
    Default: No default.
src <class_ip&net_netmask>
    Enter the source IP address and netmask for which you want to filter traffic logs.
    Default: 0.0.0.0 0.0.0.0

Example
This example shows how to configure a traffic filter called TF_1, to configure the source and
destination IP and netmask, and to set the service to HTTP.
config log trafficfilter
config rule
edit TF_1
set dst 220.210.200.190 255.255.255.0
set src 192.168.100.1 255.255.255.0
set service HTTP
end
end

History

FortiOS v2.80 Revised.

Related topics
• log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
• log fortianalyzer setting
• log memory setting
• log syslogd setting
• log webtrends setting
• log report definition

webtrends setting
Use this command to configure log settings for logging to a remote computer running a NetIQ
WebTrends firewall reporting server.
FortiGate log formats comply with WebTrends Enhanced Log Format (WELF) and are compatible with
NetIQ WebTrends Security Reporting Center and Firewall Suite 4.1.

Syntax
config log webtrends setting
set server <address_ipv4>
set status {disable | enable}
end
Keywords and variables Description Default

server <address_ipv4>
    Enter the IP address of the WebTrends server that stores the logs.
    Default: No default.
status {disable | enable}
    Enter enable to enable logging to a WebTrends server.
    Default: disable

Example
This example shows how to enable logging to and set an IP address for a remote WebTrends server.
config log webtrends setting
set status enable
set server 220.210.200.190
end

History

FortiOS v2.80 Substantially revised.

Related topics
• log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
• log fortianalyzer setting
• log memory setting
• log syslogd setting
• log trafficfilter
• log report definition

notification (FortiOS Carrier)


This chapter covers the commands to configure event notification.
This chapter contains the following sections:

notification

notification
Use this command to configure event notification.

Syntax
config notification
set maximum-retries <integer>
set maximum-sessions <integer>
set mem-percent <integer>
end

Variables Description Default

maximum-retries <integer>
    Enter the maximum number of retries allowed for each notification message.
    Default: 20
maximum-sessions <integer>
    Enter the maximum number of simultaneous sessions with the MMSC.
    Default: 2048
mem-percent <integer>
    Enter the percentage of memory the notification cache is allowed to use.
    Default: 5

History

FortiOS v3.00 MR5 New.

router
Routers move packets from one network segment to another towards a network destination. When a
packet reaches a router, the router uses data in the packet header to look up a suitable route on which
to forward the packet to the next segment. The information that a router uses to make routing decisions
is stored in a routing table. Other factors related to the availability of routes and the status of the
network may influence the route selection that a router makes when forwarding a packet to the next
segment.
The FortiGate unit supports many advanced routing functions and is compatible with industry standard
Internet routers. The FortiGate unit can communicate with other routers to determine the best route for
a packet.
The following router commands are available to configure options related to FortiGate router
communications and packet forwarding:

• access-list
• aspath-list
• auth-path
• bgp
• community-list
• key-chain
• multicast
• ospf
• policy
• prefix-list
• rip
• route-map
• static
• static6

access-list
Use this command to add, edit, or delete access lists. Access lists are filters used by FortiGate routing
processes. For an access list to take effect, it must be called by a FortiGate routing process (for
example, a process that supports RIP or OSPF).
Each rule in an access list consists of a prefix (IP address and netmask), the action to take for this
prefix (permit or deny), and whether to match the prefix exactly or to match the prefix and any more
specific prefix.

Note: The default route, 0.0.0.0/0, cannot be exactly matched with an access-list. A prefix-list must be
used for this purpose. See "prefix-list" on page 275.

The FortiGate unit attempts to match a packet against the rules in an access list starting at the top of
the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found
the default action is deny.

Syntax
config router access-list
edit <access_list_name>
config rule
edit <access_list_id>
set action {deny | permit}
set exact-match {enable | disable}
set prefix { <prefix_ipv4mask> | any }
set wildcard <address_ipv4> <wildcard_mask>
end
end

Note: The action and prefix keywords are required. The exact-match keyword is optional.

Variables Description Default

edit <access_list_name>
    Enter a name for the access list. An access list and a prefix list cannot have the same name.
    Default: No default.
config rule variables
edit <access_list_id>
    Enter an entry number for the rule. The number must be an integer.
    Default: No default.
action {deny | permit}
    Set the action to take for this prefix.
    Default: permit
exact-match {enable | disable}
    By default, access list rules are matched on the prefix or any more specific prefix. Enable exact-match to match only the configured prefix.
    Default: disable
prefix { <prefix_ipv4mask> | any }
    Enter the prefix for this access list rule, either:
    • Type the IP address and network mask.
    • Type any to match any prefix.
    Default: any
wildcard <address_ipv4> <wildcard_mask>
    Enter the IP address and reverse (wildcard) mask to process. The value of the mask (for example, 0.0.255.0) determines which address bits to match. A value of 0 means that an exact match is required, while a binary value of 1 indicates that part of the binary network address does not have to match. You can specify discontinuous masks (for example, to process "even" or "odd" networks according to any network address octet). For best results, do not specify a wildcard attribute unless prefix is set to any.
    Default: No default.

Example
This example shows how to add an access list named acc_list1 with two rules. The first rule denies
the subnet that exactly matches the prefix 192.168.50.0 255.255.255.0 and permits all other
subnets that match the prefix 192.168.0.0 255.255.0.0.
config router access-list
edit acc_list1
config rule
edit 1
set prefix 192.168.50.0 255.255.255.0
set action deny
set exact-match enable
next
edit 2
set prefix 192.168.0.0 255.255.0.0
set action permit
set exact-match disable
end
end
The next example shows how to add an access list that permits all subnets matching network address
10.20.4.1 through 10.20.4.255 (addresses 10.20.4.x are processed):
config router access-list
edit acc_list2
config rule
edit 1
set action permit
set wildcard 10.20.4.0 0.0.0.255
end
end
The next example shows how to add an access list that permits "odd" subnets according to the third
octet of network address 172.16.x.0 (networks 172.16.1.0, 172.16.3.0, 172.16.5.0, and so on are
processed):
config router access-list
edit acc_list3
config rule
edit 1
set action permit
set wildcard 172.16.1.0 0.0.254.0
end
end
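The three matching modes used in the examples above (prefix with or without exact-match, and the reverse wildcard mask) are easy to get backwards when reviewing a filter. The following Python is an added illustration, not part of the Fortinet reference or of FortiOS: it models a rule list as dictionaries, evaluates a route top-down with the first match deciding and no match meaning deny, and reproduces the three access lists from the examples. The wildcard mode is modelled with prefix left at its default any, as the table recommends; the model does not reproduce the note that 0.0.0.0/0 cannot be exactly matched.

```python
import ipaddress


def _net(text):
    """Parse 'addr mask' (the CLI form) or 'addr/len' into an IPv4Network."""
    return ipaddress.ip_network(text.strip().replace(" ", "/"), strict=False)


def wildcard_match(address, base, wildcard):
    """Reverse-mask match: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return (a & care) == (b & care)


def prefix_match(route, prefix, exact_match=False):
    """Prefix rule: with exact-match the route must equal the prefix, otherwise
    the route may also be any more specific prefix inside it."""
    if prefix == "any":
        return True
    r, p = _net(route), _net(prefix)
    return r == p if exact_match else r.subnet_of(p)


def evaluate(rules, route):
    """Walk the rules top-down; the first match decides, no match means deny."""
    net = _net(route)
    for rule in rules:
        if "wildcard" in rule:
            # Wildcard rules are applied to the route's network address and
            # assume prefix is left at its default "any".
            base, mask = rule["wildcard"].split()
            matched = wildcard_match(str(net.network_address), base, mask)
        else:
            matched = prefix_match(route, rule.get("prefix", "any"),
                                   rule.get("exact_match", False))
        if matched:
            return rule["action"]
    return "deny"


# The three access lists from the examples above, as rule dictionaries.
ACC_LIST1 = [
    {"prefix": "192.168.50.0 255.255.255.0", "action": "deny", "exact_match": True},
    {"prefix": "192.168.0.0 255.255.0.0", "action": "permit", "exact_match": False},
]
ACC_LIST2 = [{"wildcard": "10.20.4.0 0.0.0.255", "action": "permit"}]
ACC_LIST3 = [{"wildcard": "172.16.1.0 0.0.254.0", "action": "permit"}]

if __name__ == "__main__":
    for route in ("192.168.50.0/24", "192.168.50.0/25", "192.168.7.0/24", "10.0.0.0/8"):
        print("acc_list1", route, evaluate(ACC_LIST1, route))
    for route in ("172.16.3.0/24", "172.16.2.0/24"):
        print("acc_list3", route, evaluate(ACC_LIST3, route))
```

Note that 192.168.50.0/25 is permitted by acc_list1: the first rule is exact-match, so only the /24 itself is denied, while the more specific /25 falls through to the permit rule. Without exact-match the first rule would also catch the /25, which is the difference the keyword exists to express.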

History

FortiOS v2.80 New.


FortiOS v3.0 Added wildcard attribute. Changed exact_match keyword to exact-match.

Related topics
• router ospf
• router prefix-list
• router rip

aspath-list
Use this command to set or unset BGP AS-path list parameters. By default, BGP uses an ordered list
of Autonomous System (AS) numbers to describe the route that a packet takes to reach its destination.
A list of AS numbers is called an AS path. You can filter BGP routes using AS path lists.
When the FortiGate unit receives routing updates from other autonomous systems, it can perform
operations on updates from neighbors and choose the shortest path to a destination. The shortest path
is determined by counting the number of AS numbers in the AS path. The path that has the least
number of AS numbers is considered the shortest AS path.
Use the config router aspath-list command to define an access list that examines the
AS_PATH attributes of BGP routes to match routes. Each entry in the AS-path list defines a rule for
matching and selecting routes based on the setting of the AS_PATH attribute. The default rule in an AS
path list (which the FortiGate unit applies last) denies the matching of all routes.

Syntax
config router aspath-list
edit <aspath_list_name>
config rule
edit <as_rule_id>
set action {deny | permit}
set regexp <regexp_str>
end
end

Note: The action and regexp keywords are required.

Variables Description Default

edit <aspath_list_name>
    Enter a name for the AS path list.
    Default: No default.
config rule variables
edit <as_rule_id>
    Enter an entry number for the rule. The number must be an integer.
    Default: No default.
action {deny | permit}
    Deny or permit operations on a route based on the value of the route's AS_PATH attribute.
    Default: No default.
regexp <regexp_str>
    Specify the regular expression that will be compared to the AS_PATH attribute (for example, ^730$). The value is used to match AS numbers. Delimit a complex regexp_str value using double-quotation marks.
    Default: Null.

Example
This example shows how to create an AS-path list named ebgp_in. The list contains a single rule that
permits operations on BGP routes whose AS_PATH attribute references an AS number of 333, 334,
338, or 71. The AS path list will match routes that originate in AS 333, AS 334, AS 338, or AS 71.
config router aspath-list
edit ebgp_in
config rule
edit 1
set action permit
set regexp _(333|334|338|71)$
end
end
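The underscore in the example's regexp is an AS-path boundary token, which is why _(333|334|338|71)$ matches a path ending in AS 333 but not one ending in AS 1333. The following Python is an added illustration, not part of the Fortinet reference or of FortiOS: it expands the boundary token into an ordinary regular expression, evaluates an AS-path list top-down with the implicit final deny, and picks the shortest of several candidate paths by counting AS numbers as the introduction describes. The expansion of "_" follows the usual Cisco/Quagga convention and is an assumption about how FortiOS interprets it; the AS paths tested are constructed.

```python
import re

# In AS-path regular expressions the "_" token stands for a boundary between
# AS numbers: the start or end of the path, a space, or one of the set
# delimiters , { } ( ). Python's re has no such token, so it is expanded.
_BOUNDARY = r"(?:^|$|[ ,{}()])"


def aspath_regex(pattern):
    """Compile an AS-path regexp (Cisco/Quagga style) into a Python regexp."""
    return re.compile(pattern.replace("_", _BOUNDARY))


def evaluate_aspath_list(rules, as_path):
    """Apply rules top-down to an AS_PATH rendered as space-separated AS
    numbers, nearest AS first and origin AS last; the first matching rule
    decides and a path matching no rule is denied (the implicit final rule)."""
    for rule in rules:
        if aspath_regex(rule["regexp"]).search(as_path):
            return rule["action"]
    return "deny"


def shortest_as_path(paths):
    """Pick the path with the fewest AS numbers, the comparison the
    introduction describes for choosing the shortest AS path."""
    return min(paths, key=lambda p: len(p.split()))


# The ebgp_in list from the example above, as a rule dictionary.
EBGP_IN = [{"action": "permit", "regexp": "_(333|334|338|71)$"}]

if __name__ == "__main__":
    for path in ("65000 333", "71", "333 65000", "65000 1333"):
        print(repr(path), evaluate_aspath_list(EBGP_IN, path))
    print(shortest_as_path(["65000 65001 333", "65010 333"]))
```

Because the origin AS is the last element of the path, anchoring with $ is what restricts the match to routes that originate in the listed autonomous systems; "333 65000" passes through AS 333 but originates elsewhere and is denied.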

History

FortiOS v3.0 New.

Related topics
• router bgp
• router community-list
• Using route maps with BGP
• router key-chain

auth-path
Authentication based routing allows firewall policies to determine how to direct network traffic flows.

To configure authentication based routing:


• A RADIUS authentication server must be configured.
• A user must be configured to use the RADIUS server, and added to a user group.
• The router auth-path object must be configured.
• A custom service must be configured for RADIUS traffic, and included in a firewall custom service
group along with other types of traffic that will be allowed to pass through the firewall.
• A firewall policy must be configured to have authentication based routing enabled.

Syntax
config router auth-path
edit <auth_path_name>
set device <interface>
set gateway <gway_ipv4>
end
Variables Description Default

edit <auth_path_name>
    Enter a name for the authentication path.
    Default: No default.
device <interface>
    Specify the interface for this path.
    Default: No default.
gateway <gway_ipv4>
    Specify the gateway IP address for this path.
    Default: Null.

History

FortiOS v3.0 MR6 New.

Related topics
• user local
• user radius
• firewall policy, policy6

bgp
Use this command to set or unset BGP-4 routing parameters. BGP can be used to perform Classless
Interdomain Routing (CIDR) and to route traffic between different autonomous systems or domains
using an alternative route if a link between a FortiGate unit and a BGP peer (such as an ISP router)
fails. Fortinet BGP-4 complies with RFC 1771 and supports IPv4 addressing.
When BGP is enabled, the FortiGate unit sends routing table updates to the upstream ISP router
whenever any part of the routing table changes. The update advertises which routes can be used to
reach the FortiGate unit. In this way, routes are made known from the border of the internal network
outwards (routes are pushed forward) instead of relying on upstream routers to propagate alternative
paths to the FortiGate unit.
FortiGate BGP supports the following extensions to help manage large numbers of BGP peers:
• Communities — The FortiGate unit can set the COMMUNITY attribute of a route to assign the route
to predefined paths (see RFC 1997). The FortiGate unit can examine the COMMUNITY attribute of
learned routes to perform local filtering and/or redistribution.
• Internal BGP (IBGP) route reflectors — The FortiGate unit can operate as a route reflector or
participate as a client in a cluster of IBGP peers (see RFC 1966).
• External BGP (EBGP) confederations — The FortiGate unit can operate as a confederation
member, using its AS confederation identifier in all transactions with peers that are not members of
its confederation (see RFC 3065).
Bi-directional Forwarding Detection (BFD) is a protocol used by BGP and OSPF. It is used to quickly
locate hardware failures in the network. Routers running BFD communicate with each other, and if a
timer runs out on a connection then that router is declared down. BFD then communicates this
information to the routing protocol and the routing information is updated. BFD support was added in
FortiOS v3.0 MR4, and can only be configured through the CLI.

Syntax
config router bgp
    set always-compare-med {enable | disable}
    set as <local_as_id>
    set bestpath-as-path-ignore {enable | disable}
    set bestpath-cmp-confed-aspath {enable | disable}
    set bestpath-cmp-routerid {enable | disable}
    set bestpath-med-confed {enable | disable}
    set bestpath-med-missing-as-worst {enable | disable}
    set client-to-client-reflection {enable | disable}
    set cluster-id <address_ipv4>
    set confederation-identifier <peerid_integer>
    set dampening {enable | disable}
    set dampening-max-suppress-time <minutes_integer>
    set dampening-reachability-half-life <minutes_integer>
    set dampening-reuse <reuse_integer>
    set dampening-route-map <routemap-name_str>
    set dampening-suppress <limit_integer>
    set dampening-unreachability-half-life <minutes_integer>
    set default-local-preference <preference_integer>
    set deterministic-med {enable | disable}
    set distance-external <distance_integer>
    set distance-internal <distance_integer>
    set distance-local <distance_integer>
    set enforce-first-as {enable | disable}
FortiGate CLI Version 3.0 MR6 Reference


01-30006-0015-20080205 229
bgp router

    set fast-external-failover {enable | disable}
    set graceful_restart {enable | disable}
    set holdtime-timer <seconds_integer>
    set ignore_optional_capability {enable | disable}
    set keep-alive-timer <seconds_integer>
    set log-neighbor-changes {enable | disable}
    set network-import-check {enable | disable}
    set router-id <address_ipv4>
    set scan-time <seconds_integer>
    set synchronization {enable | disable}
    config admin-distance
        edit <route_entry_id>
            set distance <integer>
            set neighbor-prefix <ip_and_netmask>
            set route-list <string>
        end
    config aggregate-address
        edit <aggr_addr_id>
            set as-set {enable | disable}
            set prefix <address_ipv4mask>
            set summary-only {enable | disable}
        end
    config neighbor
        edit <neighbor_address_ipv4>
            set activate {enable | disable}
            set advertisement-interval <seconds_integer>
            set allowas-in <seconds_integer>
            set allowas-in-enable {enable | disable}
            set attribute-unchanged [as-path] [med] [next-hop]
            set bfd {enable | disable}
            set capability-default-originate {enable | disable}
            set capability-dynamic {enable | disable}
            set capability-graceful-restart {enable | disable}
            set capability-orf {both | none | receive | send}
            set capability-route-refresh {enable | disable}
            set connect-timer <seconds_integer>
            set description <text_str>
            set distribute-list-in <access-list-name_str>
            set distribute-list-out <access-list-name_str>
            set dont-capability-negotiate {enable | disable}
            set ebgp-enforce-multihop {enable | disable}
            set ebgp-multihop {enable | disable}
            set ebgp-multihop-ttl <seconds_integer>
            set filter-list-in <aspath-list-name_str>
            set filter-list-out <aspath-list-name_str>
            set holdtime-timer <seconds_integer>
            set interface <interface-name_str>
            set keep-alive-timer <seconds_integer>
            set maximum-prefix <prefix_integer>
            set maximum-prefix-threshold <percentage_integer>
            set maximum-prefix-warning-only {enable | disable}
            set next-hop-self {enable | disable}
            set override-capability {enable | disable}
            set passive {enable | disable}
            set prefix-list-in <prefix-list-name_str>
            set prefix-list-out <prefix-list-name_str>
            set remote-as <id_integer>
            set remove-private-as {enable | disable}
            set retain-stale-time <seconds_integer>
            set route-map-in <routemap-name_str>
            set route-map-out <routemap-name_str>
            set route-reflector-client {enable | disable}
            set route-server-client {enable | disable}
            set send-community {both | disable | extended | standard}
            set shutdown {enable | disable}
            set soft-reconfiguration {enable | disable}
            set strict-capability-match {enable | disable}
            set unsuppress-map <route-map-name_str>
            set update-source <interface-name_str>
            set weight <weight_integer>
        end
    config network
        edit <network_id>
            set backdoor {enable | disable}
            set prefix <address_ipv4mask>
            set route-map <routemap-name_str>
        end
    config redistribute {connected | static | rip | ospf}
        set status {enable | disable}
        set route-map <route-map-name_str>
    end
end

config router bgp
Use this command to enable a Border Gateway Protocol version 4 (BGP-4) process on the FortiGate
unit, define the interfaces making up the local BGP network (see “config network” on page 239), and
set operating parameters for communicating with BGP neighbors (see “config neighbor” on page 235).
When multiple routes to the FortiGate unit exist, BGP attributes determine the best route and the
FortiGate unit communicates this information to its BGP peers. The best route is added to the IP
routing table of the BGP peer, which in turn propagates this updated routing information to upstream
routers.
FortiGate units maintain separate entries in their routing tables for BGP routes. See “Using route maps
with BGP” on page 288. To reduce the size of the BGP routing table and conserve network resources,
you can optionally aggregate routes to the FortiGate unit. An aggregate route enables the FortiGate
unit to advertise one block of contiguous IP addresses as a single, less-specific address. You can
implement aggregate routing either by redistributing an aggregate route (see “config redistribute” on
page 240) or by using the conditional aggregate routing feature (see “config aggregate-address” on
page 235).

Note: In the following table, the as and router-id keywords are required. All other keywords are optional.

Variables, descriptions, and defaults

always-compare-med {enable | disable}
    Enable or disable the comparison of MULTI_EXIT_DISC (Multi Exit Discriminator or MED) attributes for identical destinations advertised by BGP peers in different autonomous systems.
    Default: disable

as <local_as_id>
    Enter an integer to specify the local autonomous system (AS) number of the FortiGate unit. The range is from 1 to 65 535. When the local_as_id number is different from the AS number of the specified BGP neighbor (see “remote-as <id_integer>” on page 238), an External BGP (EBGP) session is started. Otherwise, an Internal BGP (IBGP) session is started. A value of 0 is not allowed.
    Default: 0

bestpath-as-path-ignore {enable | disable}
    Enable or disable the inclusion of an AS path in the selection algorithm for choosing a BGP route.
    Default: disable

bestpath-cmp-confed-aspath {enable | disable}
    Enable or disable the comparison of the AS_CONFED_SEQUENCE attribute, which defines an ordered list of AS numbers representing a path from the FortiGate unit through autonomous systems within the local confederation.
    Default: disable

bestpath-cmp-routerid {enable | disable}
    Enable or disable the comparison of the router-ID values for identical EBGP paths.
    Default: disable

bestpath-med-confed {enable | disable}
    Enable or disable the comparison of MED attributes for routes advertised by confederation EBGP peers.
    Default: disable

bestpath-med-missing-as-worst {enable | disable}
    This keyword is available when bestpath-med-confed is set to enable. When bestpath-med-confed is enabled, treat any confederation path with a missing MED metric as the least preferred path.
    Default: disable

client-to-client-reflection {enable | disable}
    Enable or disable client-to-client route reflection between IBGP peers. If the clients are fully meshed, route reflection may be disabled.
    Default: enable

cluster-id <address_ipv4>
    Set the identifier of the route-reflector cluster to which the FortiGate unit belongs. If 0 is specified, the FortiGate unit operates as the route reflector and its router-id value is used as the cluster-id value. If the FortiGate unit identifies its own cluster ID in the CLUSTER_LIST attribute of a received route, the route is ignored to prevent looping.
    Default: 0.0.0.0

confederation-identifier <peerid_integer>
    Set the identifier of the confederation to which the FortiGate unit belongs. The range is from 1 to 65 535.
    Default: 0

dampening {enable | disable}
    Enable or disable route-flap dampening on all BGP routes. See RFC 2439. (A flapping route is unstable and continually transitions down and up.) If you set dampening, you may optionally set dampening-route-map or define the associated values individually using the dampening-* keywords.
    Default: disable

dampening-max-suppress-time <minutes_integer>
    This keyword is available when dampening is set to enable. Set the maximum time (in minutes) that a route can be suppressed. The range is from 1 to 255. A route may continue to accumulate penalties while it is suppressed. However, the route cannot be suppressed longer than minutes_integer.
    Default: 60

dampening-reachability-half-life <minutes_integer>
    This keyword is available when dampening is set to enable. Set the time (in minutes) after which any penalty assigned to a reachable (but flapping) route is decreased by half. The range is from 1 to 45.
    Default: 15

dampening-reuse <reuse_integer>
    This keyword is available when dampening is set to enable. Set a dampening-reuse limit based on accumulated penalties. The range is from 1 to 20 000. If the penalty assigned to a flapping route decreases enough to fall below the specified reuse_integer, the route is not suppressed.
    Default: 750

dampening-route-map <routemap-name_str>
    This keyword is available when dampening is set to enable. Specify the route-map that contains criteria for dampening. You must create the route-map before it can be selected here. See “route-map” on page 286 and “Using route maps with BGP” on page 288.
    Default: Null.

dampening-suppress <limit_integer>
    This keyword is available when dampening is set to enable. Set a dampening-suppression limit. The range is from 1 to 20 000. A route is suppressed (not advertised) when its penalty exceeds the specified limit.
    Default: 2 000

dampening-unreachability-half-life <minutes_integer>
    This keyword is available when dampening is set to enable. Set the time (in minutes) after which the penalty on a route that is considered unreachable is decreased by half. The range is from 1 to 45.
    Default: 15

default-local-preference <preference_integer>
    Set the default local preference value. A higher value signifies a preferred route. The range is from 0 to 4 294 967 295.
    Default: 100

deterministic-med {enable | disable}
    Enable or disable deterministic comparison of the MED attributes of routes advertised by peers in the same AS.
    Default: disable

distance-external <distance_integer>
    Set the administrative distance of EBGP routes. The range is from 1 to 255. If you set this value, you must also set values for distance-internal and distance-local.
    Default: 20

distance-internal <distance_integer>
    This keyword is available when distance-external is set. Set the administrative distance of IBGP routes. The range is from 1 to 255.
    Default: 200

distance-local <distance_integer>
    This keyword is available when distance-external is set. Set the administrative distance of local BGP routes. The range is from 1 to 255.
    Default: 200

enforce-first-as {enable | disable}
    Enable or disable the addition of routes learned from an EBGP peer when the AS number at the beginning of the route’s AS_PATH attribute does not match the AS number of the EBGP peer.
    Default: disable

fast-external-failover {enable | disable}
    Immediately reset the session information associated with BGP external peers if the link used to reach them goes down.
    Default: enable

graceful_restart {enable | disable}
    Graceful restart capability limits the effects of software problems by allowing forwarding to continue when the control plane of the router fails. It also reduces routing flaps by stabilizing the network.
    Default: disable

holdtime-timer <seconds_integer>
    The maximum amount of time (in seconds) that may expire before the FortiGate unit declares any BGP peer down. A keepalive message must be received every seconds_integer seconds, or the peer is declared down. The value can be 0 or an integer in the 3 to 65 535 range.
    Default: 240

ignore_optional_capability {enable | disable}
    Don’t send unknown optional capability notification messages.
    Default: disable

keep-alive-timer <seconds_integer>
    The frequency (in seconds) that a keepalive message is sent from the FortiGate unit to any BGP peer. The range is from 0 to 65 535. BGP peers exchange keepalive messages to maintain the connection for the duration of the session.
    Default: 60

log-neighbor-changes {enable | disable}
    Enable or disable the logging of changes to BGP neighbor status.
    Default: disable

network-import-check {enable | disable}
    Enable or disable the advertising of the BGP network in IGP (see “config network” on page 239).
    Default: enable

router-id <address_ipv4>
    Specify a fixed identifier for the FortiGate unit. A value of 0.0.0.0 is not allowed.
    Default: 0.0.0.0

scan-time <seconds_integer>
    Configure the background scanner interval (in seconds) for next-hop route scanning. The range is from 5 to 60.
    Default: 60

synchronization {enable | disable}
    Only advertise routes from iBGP if routes are present in an interior gateway protocol (IGP) such as RIP or OSPF.
    Default: disable
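
As an added illustration (not FortiOS code) of how the dampening-* keywords above interact, the following Python models the RFC 2439 penalty/decay cycle with the documented defaults (half-life 15, reuse 750, suppress 2 000, max-suppress-time 60). The per-flap penalty of 1000 and the penalty ceiling derived from max-suppress-time are implementation conventions assumed here, not values from the table.

```python
"""Route-flap dampening (RFC 2439) modelled with the dampening-* keywords
of config router bgp.  Added example, not FortiOS code: the penalty added
per flap (1000) and the penalty ceiling are assumed conventions."""
import math
from dataclasses import dataclass


@dataclass
class DampeningConfig:
    # Names and defaults follow the dampening-* keywords in the table above.
    reachability_half_life: float = 15      # dampening-reachability-half-life (minutes)
    unreachability_half_life: float = 15    # dampening-unreachability-half-life (minutes)
    reuse: float = 750                      # dampening-reuse
    suppress: float = 2000                  # dampening-suppress
    max_suppress_time: float = 60           # dampening-max-suppress-time (minutes)
    flap_penalty: float = 1000              # assumed per-flap penalty (not on the page)

    def penalty_ceiling(self) -> float:
        # A route "cannot be suppressed longer than" max-suppress-time, so the
        # penalty is capped at the value that decays to the reuse limit in
        # exactly that time: reuse * 2^(max_suppress_time / half_life).
        return self.reuse * 2 ** (self.max_suppress_time / self.reachability_half_life)


@dataclass
class RouteState:
    penalty: float = 0.0
    last_update: float = 0.0     # minutes
    reachable: bool = True
    suppressed: bool = False


def _half_life(route: RouteState, cfg: DampeningConfig) -> float:
    return cfg.reachability_half_life if route.reachable else cfg.unreachability_half_life


def decay(route: RouteState, now: float, cfg: DampeningConfig) -> None:
    """Apply exponential decay since the last update and release the route
    once its penalty has fallen below the reuse limit."""
    route.penalty *= 2 ** (-(now - route.last_update) / _half_life(route, cfg))
    route.last_update = now
    if route.suppressed and route.penalty < cfg.reuse:
        route.suppressed = False


def flap(route: RouteState, now: float, cfg: DampeningConfig, reachable_after: bool) -> None:
    """Record one transition (up->down or down->up) at time `now` (minutes)."""
    decay(route, now, cfg)
    route.penalty = min(route.penalty + cfg.flap_penalty, cfg.penalty_ceiling())
    route.reachable = reachable_after
    if route.penalty > cfg.suppress:       # suppressed only when the limit is exceeded
        route.suppressed = True


def minutes_until_reuse(route: RouteState, cfg: DampeningConfig) -> float:
    """Time, from the last update, until a suppressed route is advertised again:
    solve penalty * 2^(-t / half_life) = reuse for t."""
    if not route.suppressed:
        return 0.0
    return _half_life(route, cfg) * math.log2(route.penalty / cfg.reuse)


def is_advertised(route: RouteState, now: float, cfg: DampeningConfig) -> bool:
    decay(route, now, cfg)
    return not route.suppressed


if __name__ == "__main__":
    cfg = DampeningConfig()
    r = RouteState()
    for i in range(3):                     # three flaps within the first minute
        flap(r, 0, cfg, reachable_after=(i % 2 == 0))
    print(f"penalty={r.penalty:.0f} suppressed={r.suppressed}")
    print(f"reusable after {minutes_until_reuse(r, cfg):.0f} min, ceiling {cfg.penalty_ceiling():.0f}")
```

With the defaults, a route needs three flaps to cross the suppress limit and then stays suppressed for 30 minutes; no matter how often it flaps, the ceiling of 12 000 bounds the suppression at the 60-minute max-suppress-time.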

Example
The following example defines the number of the AS of which the FortiGate unit is a member. It also
defines an EBGP neighbor at IP address 10.0.1.2.
config router bgp
    set as 65001
    set router-id 172.16.120.20
    config neighbor
        edit 10.0.1.2
            set remote-as 65100
        end
end

config admin-distance
Use this subcommand to set administrative distance modifications for BGP routes.

Variables, descriptions, and defaults

edit <route_entry_id>
    Enter an ID number for the entry. The number must be an integer.
    Default: No default.

distance <integer>
    The administrative distance to apply to the route. This value can be from 1 to 255.
    Default: No default.

neighbor-prefix <ip_and_netmask>
    Neighbor address prefix. This variable must be a valid IP address and netmask.
    Default: No default.

route-list <string>
    The list of routes this distance will be applied to. The routes in this list can only come from the access-list, which can be viewed at config router access-list.
    Default: No default.

Example
This example shows how to manually adjust the distance associated with a route. It applies a distance of 25 to neighbor routes with an IP address of 192.168.0.0 and a netmask of 255.255.0.0 that are also permitted by the access-list “downtown_office”.
config router bgp
    config admin-distance
        edit 1
            set distance 25
            set neighbour-prefix 192.168.0.0 255.255.0.0
            set route-list downtown_office
        next
    end
end

config aggregate-address
Use this subcommand to set or unset BGP aggregate-address table parameters. The subcommand
creates a BGP aggregate entry in the FortiGate routing table.
When you aggregate routes, routing becomes less precise because path details are not readily
available for routing purposes. The aggregate address represents addresses in several autonomous
systems. Aggregation reduces the length of the network mask until it masks only the bits that are
common to all of the addresses being summarized.

Note: The prefix keyword is required. All other keywords are optional.

Variables, descriptions, and defaults

edit <aggr_addr_id>
    Enter an ID number for the entry. The number must be an integer.
    Default: No default.

as-set {enable | disable}
    Enable or disable the generation of an unordered list of AS numbers to include in the path information. When as-set is enabled, a set-atomic-aggregate value (see “Using route maps with BGP” on page 288) does not have to be specified.
    Default: disable

prefix <address_ipv4mask>
    Set an aggregate prefix. Include the IP address and netmask.
    Default: 0.0.0.0 0.0.0.0

summary-only {enable | disable}
    Enable or disable the advertising of aggregate routes only (the advertising of specific routes is suppressed).
    Default: disable

Example
This example shows how to define an aggregate prefix of 192.168.0.0/16. The as-set command
enables the generation of an unordered list of AS numbers to include in the path information.
config router bgp
    config aggregate-address
        edit 1
            set prefix 192.168.0.0/16
            set as-set enable
        end
end

config neighbor
Use this subcommand to set or unset BGP neighbor configuration settings. The subcommand adds a
BGP neighbor configuration to the FortiGate unit.
You can clear all or some BGP neighbor connections (sessions) using the exec router clear bgp
command (see “router clear bgp” on page 606).

Note: The remote-as keyword is required. All other keywords are optional.

Variables, descriptions, and defaults

edit <neighbor_address_ipv4>
    Enter the IP address of the BGP neighbor.
    Default: No default.

activate {enable | disable}
    Enable or disable the address family for the BGP neighbor.
    Default: enable

advertisement-interval <seconds_integer>
    Set the minimum amount of time (in seconds) that the FortiGate unit waits before sending a BGP routing update to the BGP neighbor. The range is from 0 to 600.
    Default: 30

allowas-in <seconds_integer>
    This keyword is available when allowas-in-enable is set to enable. Set the amount of time (in seconds) that the FortiGate unit waits before readvertising to the BGP neighbor all prefixes that contain duplicate AS numbers. The range is from 1 to 10.
    Default: unset

allowas-in-enable {enable | disable}
    Enable or disable the readvertising of all prefixes containing duplicate AS numbers. Set the amount of time that must expire before readvertising through the allowas-in keyword.
    Default: disable

attribute-unchanged [as-path] [med] [next-hop]
    Propagate unchanged BGP attributes to the BGP neighbor.
    • To advertise unchanged AS_PATH attributes, select as-path.
    • To advertise unchanged MULTI_EXIT_DISC attributes, select med.
    • To advertise the IP address of the next-hop router interface (even when the address has not changed), select next-hop.
    An empty set is a supported value.
    Default: Empty set.

bfd {enable | disable}
    Enable to turn on Bi-Directional Forwarding Detection (BFD) for this neighbor. This indicates that this neighbor is using BFD.
    Default: disable

capability-default-originate {enable | disable}
    Enable or disable the advertising of the default route to BGP neighbors.
    Default: disable

capability-dynamic {enable | disable}
    Enable or disable the advertising of dynamic capability to BGP neighbors.
    Default: disable

capability-graceful-restart {enable | disable}
    Enable or disable the advertising of graceful-restart capability to BGP neighbors.
    Default: disable

capability-orf {both | disable | receive | send}
    Enable or disable the advertising of Outbound Routing Filter (ORF) prefix-list capability to the BGP neighbor.
    • To enable send and receive capability, select both.
    • To enable receive capability, select receive.
    • To enable send capability, select send.
    • To disable the advertising of ORF prefix-list capability, select disable.
    Default: disable

capability-orf {both | none | receive | send}
    Accept/send outbound route filter (ORF) lists to/from this neighbor:
    • both - both accept and send ORF lists
    • none - do not accept or send ORF lists
    • receive - only accept ORF lists
    • send - only send ORF lists
    Default: none

capability-route-refresh {enable | disable}
    Enable or disable the advertising of route-refresh capability to the BGP neighbor.
    Default: enable

connect-timer <seconds_integer>
    Set the maximum amount of time (in seconds) that the FortiGate unit waits to make a connection with a BGP neighbor before the neighbor is declared unreachable. The range is from 0 to 65 535.
    Default: -1 (not set)

description <text_str>
    Enter a one-word (no spaces) description to associate with the BGP neighbor configuration settings.
    Default: Null.

distribute-list-in <access-list-name_str>
    Limit route updates from the BGP neighbor based on the Network Layer Reachability Information (NLRI) defined in the specified access list. You must create the access list before it can be selected here. See “access-list” on page 224.
    Default: Null.

distribute-list-out <access-list-name_str>
    Limit route updates to the BGP neighbor based on the NLRI defined in the specified access list. You must create the access list before it can be selected here. See “access-list” on page 224.
    Default: Null.

dont-capability-negotiate {enable | disable}
    Enable or disable capability negotiations with the BGP neighbor.
    Default: disable

ebgp-enforce-multihop {enable | disable}
    Enable or disable the enforcement of Exterior BGP (EBGP) multihops.
    Default: disable

ebgp-multihop {enable | disable}
    Enable or disable communications with EBGP neighbors that are not one hop away. When you enable ebgp-multihop, set an ebgp-multihop-ttl value to change the Time-To-Live (TTL) duration of the EBGP packets.
    Default: disable

ebgp-multihop-ttl <seconds_integer>
    This keyword is available when ebgp-multihop is set to enable. Define a TTL value (in hop counts) for BGP packets sent to the BGP neighbor. The range is from 1 to 255.
    Default: 255

filter-list-in <aspath-list-name_str>
    Limit inbound BGP routes according to the specified AS-path list. You must create the AS-path list before it can be selected here. See “aspath-list” on page 226.
    Default: Null.

filter-list-out <aspath-list-name_str>
    Limit outbound BGP routes according to the specified AS-path list. You must create the AS-path list before it can be selected here. See “aspath-list” on page 226.
    Default: Null.

holdtime-timer <seconds_integer>
    The amount of time (in seconds) that must expire before the FortiGate unit declares the BGP neighbor down. This value overrides the global holdtime-timer value (see “holdtime-timer <seconds_integer>” on page 233). A keepalive message must be received every seconds_integer from the BGP neighbor or it is declared down. The value can be 0 or an integer in the 3 to 65 535 range.
    Default: -1 (not set)

interface <interface-name_str>
    Specify a descriptive name for the BGP neighbor interface.
    Default: Null.

keep-alive-timer <seconds_integer>
    The frequency (in seconds) that a keepalive message is sent from the FortiGate unit to the BGP neighbor. This value overrides the global keep-alive-timer value (see “keep-alive-timer <seconds_integer>” on page 233). The range is from 0 to 65 535.
    Default: -1 (not set)

maximum-prefix <prefix_integer>
    Set the maximum number of NLRI prefixes to accept from the BGP neighbor. When the maximum is reached, the FortiGate unit disconnects the BGP neighbor. The range is from 1 to 4 294 967 295. Changing this value on the FortiGate unit does not disconnect the BGP neighbor. However, if the neighbor goes down because it reaches the maximum number of prefixes and you increase the maximum-prefix value afterward, the neighbor will be reset.
    Default: unset

maximum-prefix-threshold <percentage_integer>
    This keyword is available when maximum-prefix is set. Specify the threshold (as a percentage) that must be exceeded before a warning message about the maximum number of NLRI prefixes is displayed. The range is from 1 to 100.
    Default: 75

maximum-prefix-warning-only {enable | disable}
    This keyword is available when maximum-prefix is set. Enable or disable the display of a warning when the maximum-prefix-threshold has been reached.
    Default: disable

next-hop-self {enable | disable}
    Enable or disable advertising of the FortiGate unit’s IP address (instead of the neighbor’s IP address) in the NEXT_HOP information that is sent to IBGP peers.
    Default: disable

override-capability {enable | disable}
    Enable or disable IPv6 addressing for a BGP neighbor that does not support capability negotiation.
    Default: disable

passive {enable | disable}
    Enable or disable the sending of Open messages to BGP neighbors.
    Default: disable

prefix-list-in <prefix-list-name_str>
    Limit route updates from a BGP neighbor based on the Network Layer Reachability Information (NLRI) in the specified prefix list. The prefix list defines the NLRI prefix and length advertised in a route. You must create the prefix list before it can be selected here. See “prefix-list” on page 275.
    Default: Null.

prefix-list-out <prefix-list-name_str>
    Limit route updates to a BGP neighbor based on the NLRI in the specified prefix list. The prefix list defines the NLRI prefix and length advertised in a route. You must create the prefix list before it can be selected here. See “prefix-list” on page 275.
    Default: Null.

remote-as <id_integer>
    Adds a BGP neighbor to the FortiGate configuration and sets the AS number of the neighbor. The range is from 1 to 65 535. If the number is identical to the FortiGate AS number, the FortiGate unit communicates with the neighbor using internal BGP (IBGP). Otherwise, the neighbor is an external peer and the FortiGate unit uses EBGP to communicate with the neighbor.
    Default: unset

remove-private-as {enable | disable}
    Remove the private AS numbers from outbound updates to the BGP neighbor.
    Default: disable

restart_time <seconds_integer>
    Sets the time until a restart happens. The time until the restart can be from 0 to 3600 seconds.
    Default: 0

retain-stale-time <seconds_integer>
    This keyword is available when capability-graceful-restart is set to enable. Specify the time (in seconds) that stale routes to the BGP neighbor will be retained. The range is from 1 to 65 535.
    Default: 0

route-map-in <routemap-name_str>
    Limit route updates or change the attributes of route updates from the BGP neighbor according to the specified route map. You must create the route-map before it can be selected here. See “route-map” on page 286 and “Using route maps with BGP” on page 288.
    Default: Null.

route-map-out <routemap-name_str>
    Limit route updates or change the attributes of route updates to the BGP neighbor according to the specified route map. You must create the route-map before it can be selected here. See “route-map” on page 286 and “Using route maps with BGP” on page 288.
    Default: Null.

route-reflector-client {enable | disable}
    This keyword is available when remote-as is identical to the FortiGate AS number (see “as <local_as_id>” on page 232). Enable or disable the operation of the FortiGate unit as a route reflector and identify the BGP neighbor as a route-reflector client.
    Default: disable

route-server-client {enable | disable}
    Enable or disable the recognition of the BGP neighbor as route-server client.
    Default: disable

send-community {both | disable | extended | standard}
    Enable or disable the sending of the COMMUNITY attribute to the BGP neighbor.
    • To advertise extended and standard capabilities, select both.
    • To advertise extended capabilities, select extended.
    • To advertise standard capabilities, select standard.
    • To disable the advertising of the COMMUNITY attribute, select disable.
    Default: both

shutdown {enable | disable}
    Administratively enable or disable the BGP neighbor.
    Default: disable

soft-reconfiguration {enable | disable}
    Enable or disable the FortiGate unit to store unmodified updates from the BGP neighbor to support inbound soft-reconfiguration.
    Default: disable

strict-capability-match {enable | disable}
    Enable or disable strict-capability negotiation matching with the BGP neighbor.
    Default: disable

unsuppress-map <route-map-name_str>
    Specify the name of the route-map to selectively unsuppress suppressed routes. You must create the route-map before it can be selected here. See “route-map” on page 286 and “Using route maps with BGP” on page 288.
    Default: Null.

update-source <interface-name_str>
    Specify the name of the local FortiGate interface to use for TCP connections to neighbors. The IP address of the interface will be used as the source address for outgoing updates.
    Default: Null.

weight <weight_integer>
    Apply a weight value to all routes learned from a neighbor. A higher number signifies a greater preference. The range is from 0 to 65 535.
    Default: unset

Example
This example shows how to set the AS number of a BGP neighbor at IP address 10.10.10.167 and
enter a descriptive name for the configuration.
config router bgp
    config neighbor
        edit 10.10.10.167
            set remote-as 2879
            set description BGP_neighbor_Site1
        end
end

config network
Use this subcommand to set or unset BGP network configuration parameters. The subcommand is
used to advertise a BGP network (that is, an IP prefix)—you specify the IP addresses making up the
local BGP network.
When you enable the network-import-check attribute on the FortiGate unit (see “network-
import-check {enable | disable}” on page 234) and you specify a BGP network prefix
through the config network command, the FortiGate unit searches its routing table for a matching
entry. If an exact match is found, the prefix is advertised. A route-map can optionally be used to modify
the attributes of routes before they are advertised.

Note: The prefix keyword is required. All other keywords are optional.

Variables, descriptions, and defaults

edit <network_id>
    Enter an ID number for the entry. The number must be an integer.
    Default: No default.

backdoor {enable | disable}
    Enable or disable the route as a backdoor, which causes an administrative distance of 200 to be assigned to the route. Backdoor routes are not advertised to EBGP peers.
    Default: disable

prefix <address_ipv4mask>
    Enter the IP address and netmask that identifies the BGP network to advertise.
    Default: 0.0.0.0 0.0.0.0

route-map <routemap-name_str>
    Specify the name of the route-map that will be used to modify the attributes of the route before it is advertised. You must create the route-map before it can be selected here. See “route-map” on page 286 and “Using route maps with BGP” on page 288.
    Default: Null.

Example
This example defines a BGP network at IP address 10.0.0.0/8. A route map named BGP_rmap1 is
used to modify the attributes of the local BGP routes before they are advertised.
config router bgp
    config network
        edit 1
            set prefix 10.0.0.0/8
            set route-map BGP_rmap1
        end
end

config router route-map
    edit BGP_rmap1
        config rule
            edit 1
                set set-community no-export
            end
    end

config redistribute
Use this subcommand to set or unset BGP redistribution table parameters. You can enable BGP to
provide connectivity between connected, static, RIP, and/or OSPF routes. BGP redistributes the routes
from one protocol to another. When a large internetwork is divided into multiple routing domains, use
the subcommand to redistribute routes to the various domains. As an alternative, you can use the
config network subcommand to advertise a prefix to the BGP network (see “config network” on
page 239).
The BGP redistribution table contains four static entries. You cannot add entries to the table. The
entries are defined as follows:
• connected—Redistribute routes learned from a direct connection to the destination network.
• static—Redistribute the static routes defined in the FortiGate routing table.
• rip—Redistribute routes learned from RIP.
• ospf—Redistribute routes learned from OSPF.
When you enter the subcommand, end the command with one of the four static entry names (that is,
config redistribute {connected | static | rip | ospf}).

Note: The status and route-map keywords are optional.

Variables, descriptions, and defaults

status {enable | disable}
    Enable or disable the redistribution of connected, static, RIP, or OSPF routes.
    Default: disable

route-map <route-map-name_str>
    Specify the name of the route map that identifies the routes to redistribute. You must create the route map before it can be selected here. See “route-map” on page 286 and “Using route maps with BGP” on page 288. If a route map is not specified, all routes are redistributed to BGP.
    Default: Null.

Example
The following example changes the status and route-map fields of the connected entry.
config router bgp
    config redistribute connected
        set status enable
        set route-map rmap1
    end
end

History
FortiOS v3.0 New.

Related topics
• router aspath-list
• router community-list
• Using route maps with BGP
• router key-chain

community-list
Use this command to identify BGP routes according to their COMMUNITY attributes (see RFC 1997).
Each entry in the community list defines a rule for matching and selecting routes based on the setting
of the COMMUNITY attribute. The default rule in a community list (which the FortiGate unit applies
last) denies the matching of all routes.
You add a route to a community by setting its COMMUNITY attribute. A route can belong to more than
one community. A route may be added to a community because it has something in common with the
other routes in the group (for example, the attribute could identify all routes to satellite offices).
When the COMMUNITY attribute is set, the FortiGate unit can select routes based on their
COMMUNITY attribute values.

Syntax
config router community-list
    edit <community_name>
        set type {standard | expanded}
        config rule
            edit <community_rule_id>
                set action {deny | permit}
                set match <criteria>
                set regexp <regular_expression>
        end
end

Note: The action keyword is required. All other keywords are optional.

Variables

edit <community_name>
    Enter a name for the community list.
    Default: No default.

type {standard | expanded}
    Specify the type of community to match. If you select expanded, you must also specify a
    config rule regexp value. See “regexp <regular_expression>” on page 243.
    Default: standard

config rule variables

edit <community_rule_id>
    Enter an entry number for the rule. The number must be an integer.
    Default: No default.

action {deny | permit}
    Deny or permit operations on a route based on the value of the route’s COMMUNITY attribute.
    Default: No default.

match <criteria>
    This keyword is available when set type is set to standard.
    Specify the criteria for matching a reserved community.
    • Use decimal notation to match one or more COMMUNITY attributes having the syntax AA:NN,
      where AA represents an AS, and NN is the community identifier. Delimit complex
      expressions with double-quotation marks (for example, “123:234 345:456”).
    • To match all routes in the Internet community, type internet.
    • To match all routes in the LOCAL_AS community, type local-AS. Matched routes are not
      advertised locally.
    • To select all routes in the NO_ADVERTISE community, type no-advertise. Matched routes
      are not advertised.
    • To select all routes in the NO_EXPORT community, type no-export. Matched routes are not
      advertised to EBGP peers. If a confederation is configured, the routes are advertised
      within the confederation.
    Default: Null.

regexp <regular_expression>
    This keyword is available when set type is set to expanded.
    Specify an ordered list of COMMUNITY attributes as a regular expression. The value or
    values are used to match a community. Delimit a complex regular_expression value using
    double-quotation marks.
    Default: Null.

Example
This example creates a community list named Satellite_offices. The list permits operations on
BGP routes whose COMMUNITY attribute is set to no-advertise.
config router community-list
    edit Satellite_offices
        set type standard
        config rule
            edit 1
                set action permit
                set match no-advertise
        end
end
The next example creates a community list named ext_community. The list permits operations on
BGP routes whose COMMUNITY attribute has the number 3 in the second part of the first instance
and the number 86 in the second part of the second instance. For example, the community list could
match routes having the following COMMUNITY attribute values: “100:3 500:86 300:800”, “1:3 4:86”,
or “69:3 69:86 69:69 70:800 600:333”.
config router community-list
    edit ext_community
        set type expanded
        config rule
            edit 1
                set action permit
                set regexp ".*:3 .*:86"
        end
end
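
As an added illustration (not part of the reference), the following Python models how the two community lists above evaluate a route's COMMUNITY attribute: rules are tried in ID order, the first matching rule's action applies, and a route that matches no rule falls through to the default deny. The RFC 1997 values for no-export, no-advertise and local-AS are real; the reading that a standard rule listing several communities matches only routes carrying all of them is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Well-known communities from RFC 1997 in the AA:NN notation used above
# (0xFFFFFF01 = 65535:65281, 0xFFFFFF02 = 65535:65282, 0xFFFFFF03 = 65535:65283).
WELL_KNOWN = {
    "no-export": "65535:65281",     # NO_EXPORT
    "no-advertise": "65535:65282",  # NO_ADVERTISE
    "local-AS": "65535:65283",      # NO_EXPORT_SUBCONFED (LOCAL_AS)
}


def parse_community_attr(attr: str) -> List[str]:
    """Split a COMMUNITY attribute such as "100:3 500:86" into AA:NN tokens,
    rejecting anything that is not two 16-bit decimal numbers."""
    tokens = []
    for tok in attr.split():
        aa, sep, nn = tok.partition(":")
        if sep != ":" or not (aa.isdigit() and nn.isdigit()):
            raise ValueError(f"malformed community {tok!r}")
        if int(aa) > 65535 or int(nn) > 65535:
            raise ValueError(f"community {tok!r} out of range")
        tokens.append(tok)
    return tokens


@dataclass
class Rule:
    rule_id: int
    action: str                    # "permit" or "deny" (the required keyword)
    match: Optional[str] = None    # standard lists: "AA:NN ..." or a keyword
    regexp: Optional[str] = None   # expanded lists: a regular expression


@dataclass
class CommunityList:
    name: str
    list_type: str                 # "standard" or "expanded"
    rules: List[Rule]

    def _matches(self, rule: Rule, communities: List[str]) -> bool:
        if self.list_type == "standard":
            if rule.match is None:
                return False
            if rule.match == "internet":
                return True        # every route belongs to the Internet community
            wanted = [WELL_KNOWN.get(tok, tok) for tok in rule.match.split()]
            # Assumption: a rule listing several communities matches only routes
            # that carry all of them.
            return all(c in communities for c in wanted)
        if rule.regexp is None:
            return False
        # Expanded: the regexp is searched in the ordered, space-separated list,
        # so "100:3 500:86" matches ".*:3 .*:86" but "500:86 100:3" does not.
        return re.search(rule.regexp, " ".join(communities)) is not None

    def permits(self, communities: List[str]) -> bool:
        """Rules are tried in ID order and the first match decides; a route that
        matches no rule falls through to the implicit final deny."""
        for rule in sorted(self.rules, key=lambda r: r.rule_id):
            if self._matches(rule, communities):
                return rule.action == "permit"
        return False


# The two lists configured in the examples above.
SATELLITE_OFFICES = CommunityList("Satellite_offices", "standard",
                                  [Rule(1, "permit", match="no-advertise")])
EXT_COMMUNITY = CommunityList("ext_community", "expanded",
                              [Rule(1, "permit", regexp=".*:3 .*:86")])

if __name__ == "__main__":
    for attr in ("100:3 500:86 300:800", "1:3 4:86", "500:86 100:3", "100:30 500:86"):
        verdict = "permit" if EXT_COMMUNITY.permits(parse_community_attr(attr)) else "deny"
        print(f"{attr:26} -> ext_community {verdict}")
```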

History
FortiOS v3.0 New.

Related topics
• router aspath-list
• router bgp
• Using route maps with BGP
• router key-chain

key-chain
Use this command to manage RIP version 2 authentication keys. You can add, edit or delete keys
identified by the specified key number.
RIP version 2 uses authentication keys to ensure that the routing information exchanged between
routers is reliable. For authentication to work both the sending and receiving routers must be set to use
authentication, and must be configured with the same keys.
A key chain is a list of one or more keys and the send and receive lifetimes for each key. Keys are
used for authenticating routing packets only during the specified lifetimes. The FortiGate unit migrates
from one key to the next according to the scheduled send and receive lifetimes. The sending and
receiving routers should have their system dates and times synchronized, but overlapping the key
lifetimes ensures that a key is always available even if there is some difference in the system times.
See “config system global” on page 243 to ensure that the FortiGate system date and time are correct.

Syntax
config router key-chain
    edit <key_chain_name>
        config key
            edit <key_id>
                set accept-lifetime <start> <end>
                set key-string <password>
                set send-lifetime <start> <end>
        end
end

Note: The accept-lifetime, key-string, and send-lifetime keywords are required.

Variables

edit <key_chain_name>
    Enter a name for the key chain list.
    Default: No default.

config key variables

edit <key_id>
    Enter an ID number for the key entry. The number must be an integer.
    Default: No default.

accept-lifetime <start> <end>
    Set the time period during which the key can be received. The start time has the syntax
    hh:mm:ss day month year. The end time provides a choice of three settings:
    • hh:mm:ss day month year
    • a duration from 1 to 2147483646 seconds
    • infinite (for a key that never expires)
    The valid settings for hh:mm:ss day month year are:
    • hh - 0 to 23
    • mm - 0 to 59
    • ss - 0 to 59
    • day - 1 to 31
    • month - 1 to 12
    • year - 1993 to 2035
    Default: No default.

key-string <password>
    The <password> can be up to 35 characters long.
    Default: No default.

send-lifetime <start> <end>
    Set the time period during which the key can be sent. The start time has the syntax
    hh:mm:ss day month year. The end time provides a choice of three settings:
    • hh:mm:ss day month year
    • a duration from 1 to 2147483646 seconds
    • infinite (for a key that never expires)
    The valid settings for hh:mm:ss day month year are:
    • hh - 0 to 23
    • mm - 0 to 59
    • ss - 0 to 59
    • day - 1 to 31
    • month - 1 to 12
    • year - 1993 to 2035
    Default: No default.

Example
This example shows how to add a key chain named test1 with three keys. The first two keys each
have send and receive lifetimes of 13 hours, and the third key has send and receive lifetimes that
never expire.
config router key-chain
    edit test1
        config key
            edit 1
                set accept-lifetime 10:00:00 1 6 2004 46800
                set send-lifetime 10:00:00 1 6 2004 46800
                set key-string 1a2b2c4d5e6f7g8h
            next
            edit 2
                set accept-lifetime 22:00:00 1 6 2004 46800
                set send-lifetime 22:00:00 1 6 2004 46800
                set key-string 9i1j2k3l4m5n6o7p
            next
            edit 3
                set accept-lifetime 10:00:00 2 6 2004 infinite
                set send-lifetime 10:00:00 2 6 2004 infinite
                set key-string 123abc456def789g
        end
end
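
The following Python model is added here and is not Fortinet code: it parses accept-lifetime and send-lifetime values in the syntax above, enforces the field ranges from the table, and replays the test1 chain to show that the overlapping lifetimes leave no moment without a usable key even if the two routers' clocks drift slightly. The choice of the lowest-numbered valid key for sending is an assumption, not a rule stated in the reference.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

DURATION_MAX = 2147483646                      # largest <end> duration, in seconds
Window = Tuple[datetime, Optional[datetime]]   # (start, end); end None means infinite


def parse_start(text: str) -> datetime:
    """Parse 'hh:mm:ss day month year' and enforce the field ranges listed above."""
    clock, day, month, year = text.split()
    hh, mm, ss = (int(part) for part in clock.split(":"))
    day, month, year = int(day), int(month), int(year)
    if not (0 <= hh <= 23 and 0 <= mm <= 59 and 0 <= ss <= 59):
        raise ValueError(f"clock out of range in {text!r}")
    if not (1 <= day <= 31 and 1 <= month <= 12 and 1993 <= year <= 2035):
        raise ValueError(f"date out of range in {text!r}")
    return datetime(year, month, day, hh, mm, ss)   # also rejects e.g. 31 2 2004


def parse_lifetime(text: str) -> Window:
    """Parse '<start> <end>', where <end> is a second absolute time, a duration in
    seconds, or the word infinite."""
    parts = text.split()
    start, rest = parse_start(" ".join(parts[:4])), parts[4:]
    if rest == ["infinite"]:
        return start, None
    if len(rest) == 1:
        seconds = int(rest[0])
        if not 1 <= seconds <= DURATION_MAX:
            raise ValueError(f"duration {seconds} out of range")
        return start, start + timedelta(seconds=seconds)
    end = parse_start(" ".join(rest))
    if end <= start:
        raise ValueError("end time must be after start time")
    return start, end


def _active(window: Window, at: datetime) -> bool:
    start, end = window
    return start <= at and (end is None or at < end)


@dataclass
class Key:
    key_id: int
    key_string: str
    accept: Window
    send: Window

    def __post_init__(self):
        if not 1 <= len(self.key_string) <= 35:
            raise ValueError("key-string must be 1 to 35 characters")


@dataclass
class KeyChain:
    name: str
    keys: List[Key]

    def send_key(self, at: datetime) -> Optional[Key]:
        """Key used to authenticate an outbound RIPv2 update at time `at`.
        Assumption: of the keys whose send-lifetime covers `at`, the lowest ID is used."""
        usable = [k for k in sorted(self.keys, key=lambda k: k.key_id) if _active(k.send, at)]
        return usable[0] if usable else None

    def accepts(self, key_id: int, key_string: str, at: datetime) -> bool:
        """Whether an inbound update carrying (key_id, key_string) is accepted at `at`:
        the ID must name a key whose accept-lifetime covers `at` and the secret must match."""
        for key in self.keys:
            if key.key_id == key_id and _active(key.accept, at):
                return hmac.compare_digest(key.key_string, key_string)
        return False

    def send_gaps(self, start: datetime, stop: datetime,
                  step: timedelta = timedelta(minutes=1)) -> List[datetime]:
        """Sample points in [start, stop) at which no key can be sent; a non-empty
        result means the lifetimes do not overlap and updates would go unauthenticated."""
        gaps, at = [], start
        while at < stop:
            if self.send_key(at) is None:
                gaps.append(at)
            at += step
        return gaps


def build_test1() -> KeyChain:
    """The test1 chain from the example above (46800 s = 13 h)."""
    def key(key_id, secret, lifetime):
        return Key(key_id, secret, parse_lifetime(lifetime), parse_lifetime(lifetime))
    return KeyChain("test1", [
        key(1, "1a2b2c4d5e6f7g8h", "10:00:00 1 6 2004 46800"),
        key(2, "9i1j2k3l4m5n6o7p", "22:00:00 1 6 2004 46800"),
        key(3, "123abc456def789g", "10:00:00 2 6 2004 infinite"),
    ])


if __name__ == "__main__":
    chain = build_test1()
    for when in ("22:30:00 1 6 2004", "23:30:00 1 6 2004", "12:00:00 2 6 2004"):
        at = parse_start(when)
        print(when, "-> send key", chain.send_key(at).key_id,
              "| key 2 accepted:", chain.accepts(2, "9i1j2k3l4m5n6o7p", at))
```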

History
FortiOS v2.80 New.

Related topics
• router rip
• system global

multicast
A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router in the root
virtual domain. FortiGate units support PIM sparse mode (RFC 4601) and PIM dense mode (RFC
3973) and can service multicast servers or receivers on the network segment to which a FortiGate
interface is connected. Multicast routing is only available in the root virtual domain. It is not supported
in Transparent mode (TP mode).

Note: To support PIM communications, the sending/receiving applications and all connecting PIM routers in
between must be enabled with PIM version 2. PIM can use static routes, RIP, OSPF, or BGP to forward multicast
packets to their destinations. To enable source-to-destination packet delivery, either sparse mode or dense mode
must be enabled on the PIM-router interfaces. Sparse mode routers cannot send multicast messages to dense
mode routers. In addition, if a FortiGate unit is located between a source and a PIM router, two PIM routers, or is
connected directly to a receiver, you must create a firewall policy manually to pass encapsulated (multicast)
packets or decapsulated data (IP traffic) between the source and destination.

A PIM domain is a logical area comprising a number of contiguous networks. The domain contains at
least one Boot Strap Router (BSR), and if sparse mode is enabled, a number of Rendezvous Points
(RPs) and Designated Routers (DRs). When PIM is enabled on a FortiGate unit, the FortiGate unit can
perform any of these functions at any time as configured.

Sparse mode
Initially, all candidate BSRs in a PIM domain exchange bootstrap messages to select one BSR to
which each RP sends the multicast address or addresses of the multicast group(s) that it can service.
The selected BSR chooses one RP per multicast group and makes this information available to all of
the PIM routers in the domain through bootstrap messages. PIM routers use the information to build
packet distribution trees, which map each multicast group to a specific RP. Packet distribution trees
may also contain information about the sources and receivers associated with particular multicast
groups.

Note: When a FortiGate interface is configured as a multicast interface, sparse mode is enabled on it by default to
ensure that distribution trees are not built unless at least one downstream receiver requests multicast traffic from
a specific source. If the sources of multicast traffic and their receivers are close to each other and the PIM domain
contains a dense population of active receivers, you may choose to enable dense mode throughout the PIM
domain instead.

An RP represents the root of a non-source-specific distribution tree to a multicast group. By joining and
pruning the information contained in distribution trees, a single stream of multicast packets (for
example, a video feed) originating from the source can be forwarded to a certain RP to reach a
multicast destination.
Each PIM router maintains a Multicast Routing Information Base (MRIB) that determines to which
neighboring PIM router join and prune messages are sent. An MRIB contains reverse-path information
that reveals the path of a multicast packet from its source to the PIM router that maintains the MRIB.
To send multicast traffic, a server application sends IP traffic to a multicast group address. The locally
elected DR registers the sender with the RP that is associated with the target multicast group. The RP
uses its MRIB to forward a single stream of IP packets from the source to the members of the multicast
group. The IP packets are replicated only when necessary to distribute the data to branches of the
RP’s distribution tree.

To receive multicast traffic, a client application can use Internet Group Management Protocol (IGMP)
version 1 (RFC 1112), 2 (RFC 2236), or 3 (RFC 3376) control messages to request the traffic for a
particular multicast group. The locally elected DR receives the request and adds the host to the
multicast group that is associated with the connected network segment by sending a join message
towards the RP for the group. Afterward, the DR queries the hosts on the connected network segment
continually to determine whether the hosts are active. When the DR no longer receives confirmation
that at least one member of the multicast group is still active, the DR sends a prune message towards
the RP for the group.

Dense mode
The packet organization used in sparse mode is also used in dense mode. When a multicast source
begins to send IP traffic and dense mode is enabled, the closest PIM router registers the IP traffic from
the multicast source (S) and forwards multicast packets to the multicast group address (G). All PIM
routers initially broadcast the multicast packets throughout the PIM domain to ensure that all receivers
that have requested traffic for multicast group address G can access the information if needed.
To forward multicast packets to specific destinations afterward, the PIM routers build distribution trees
based on the information in multicast packets. Upstream PIM routers depend on prune/graft messages
from downstream PIM routers to determine if receivers are actually present on directly connected
network segments. The PIM routers exchange state refresh messages to update their distribution
trees. FortiGate units store this state information in a Tree Information Base (TIB), which is used to
build a multicast forwarding table. The information in the multicast forwarding table determines whether
packets are forwarded downstream. The forwarding table is updated whenever the TIB is modified.
PIM routers receive data streams every few minutes and update their forwarding tables using the
source (S) and multicast group (G) information in the data stream. Superfluous multicast traffic is
stopped by PIM routers that do not have downstream receivers—PIM routers that do not manage
multicast groups send prune messages to the upstream PIM routers. When a receiver requests traffic
for multicast address G, the closest PIM router sends a graft message upstream to begin receiving
multicast packets.

Syntax
config router multicast
    set igmp-state-limit <limit_integer>
    set multicast-routing {enable | disable}
    set route-limit <limit_integer>
    set route-threshold <threshold_integer>
    config interface
        edit <interface_name>
            set cisco-exclude-genid {enable | disable}
            set dr-priority <priority_integer>
            set hello-holdtime <holdtime_integer>
            set hello-interval <hello_integer>
            set neighbour-filter <access_list_name>
            set passive {enable | disable}
            set pim-mode {sparse-mode | dense-mode}
            set propagation-delay <delay_integer>
            set rp-candidate {enable | disable}
            set rp-candidate-group <access_list_name>
            set rp-candidate-interval <interval_integer>
            set rp-candidate-priority <priority_integer>
            set state-refresh-interval <refresh_integer>
            set ttl-threshold <ttl_integer>
            config join-group
                edit address <address_ipv4>
            end
            config igmp
                set access-group <access_list_name>
                set immediate-leave-group <access_list_name>
                set last-member-query-count <count_integer>
                set last-member-query-interval <interval_integer>
                set query-interval <interval_integer>
                set query-max-response-time <time_integer>
                set query-timeout <timeout_integer>
                set router-alert-check {enable | disable}
                set version {1 | 2 | 3}
            end
    end
    config pim-sm-global
        set accept-register-list <access_list_name>
        set bsr-allow-quick-refresh {enable | disable}
        set bsr-candidate {enable | disable}
        set bsr-priority <priority_integer>
        set bsr-interface <interface_name>
        set bsr-hash <hash_integer>
        set cisco-register-checksum {enable | disable}
        set cisco-register-checksum-group <access_list_name>
        set cisco-crp-prefix {enable | disable}
        set cisco-ignore-rp-set-priority {enable | disable}
        set message-interval <interval_integer>
        set register-rate-limit <rate_integer>
        set register-rp-reachability {enable | disable}
        set register-source {disable | interface | ip-address}
        set register-source-interface <interface_name>
        set register-source-ip <address_ipv4>
        set register-suppression <suppress_integer>
        set rp-register-keepalive <keepalive_integer>
        set spt-threshold {enable | disable}
        set spt-threshold-group <access_list_name>
        set ssm {enable | disable}
        set ssm-range <access_list_name>
        config rp-address
            edit <rp_id>
                set ip-address <address_ipv4>
                set group <access_list_name>
        end
    end
end

config router multicast


You can configure a FortiGate unit to support PIM using the config router multicast CLI
command. When PIM is enabled, the FortiGate unit allocates memory to manage mapping
information. The FortiGate unit communicates with neighboring PIM routers to acquire mapping
information and if required, processes the multicast traffic associated with specific multicast groups.

Note: The end-user multicast client-server applications must be installed and configured to initiate
Internet connections and handle broadband content such as audio/video information.

Client applications send multicast data by registering IP traffic with a PIM-enabled router. An end-user
could type in a class D multicast group address, an alias for the multicast group address, or a
call-conference number to initiate the session. Rather than sending multiple copies of generated IP traffic
to more than one specific IP destination address, PIM-enabled routers encapsulate the data and use
the one multicast group address to forward multicast packets to multiple destinations. Because one
destination address is used, a single stream of data can be sent. Client applications receive multicast
data by requesting that the traffic destined for a certain multicast group address be delivered to them—
end-users may use phone books, a menu of ongoing or future sessions, or some other method through
a user interface to select the address of interest.
A class D address in the 224.0.0.0 to 239.255.255.255 range may be used as a multicast group
address, subject to the rules assigned by the Internet Assigned Numbers Authority (IANA). All class D
addresses must be assigned in advance. Because there is no way to determine in advance if a certain
multicast group address is in use, collisions may occur (to resolve this problem, end-users may switch
to a different multicast address).

To configure a PIM domain
1 If you will be using sparse mode, determine appropriate paths for multicast packets.
2 Make a note of the interfaces that will be PIM-enabled. These interfaces may run a unicast
  routing protocol.
3 If you will be using sparse mode and want multicast packets to be handled by specific (static)
  RPs, record the IP addresses of the PIM-enabled interfaces on those RPs.
4 Enable PIM version 2 on all participating routers between the source and receivers. On
  FortiGate units, use the config router multicast command to set global operating parameters.
5 Configure the PIM routers that have good connections throughout the PIM domain to be
  candidate BSRs.
6 If sparse mode is enabled, configure one or more of the PIM routers to be candidate RPs.
7 If required, adjust the default settings of PIM-enabled interface(s).

Note: All keywords are optional.

Variables

igmp-state-limit <limit_integer>
    If memory consumption is an issue, specify a limit on the number of IGMP states (multicast
    memberships) that the FortiGate unit will store. The value represents the maximum combined
    number of IGMP states (multicast memberships) that can be handled by all interfaces.
    Traffic associated with excess IGMP membership reports is not delivered. The range is from
    96 to 64 000.
    Default: 3200

multicast-routing {enable | disable}
    Enable or disable PIM routing.
    Default: disable

route-limit <limit_integer>
    If memory consumption is an issue, set a limit on the number of multicast routes that can
    be added to the FortiGate routing table. The range is from 1 to 2 147 483 674.
    Default: 2147483674

route-threshold <threshold_integer>
    Specify the number of multicast routes that can be added to the FortiGate routing table
    before a warning message is displayed. The route-threshold value must be lower than the
    route-limit value. The range is from 1 to 2 147 483 674.
    Default: 2147483674

config interface
Use this subcommand to change interface-related PIM settings, including the mode of operation
(sparse or dense). Global settings do not override interface-specific settings.

Note: All keywords are optional.

Variables

edit <interface_name>
    Enter the name of the FortiGate interface on which to enable PIM protocols.
    Default: No default.

cisco-exclude-genid {enable | disable}
    This keyword applies only when pim-mode is sparse-mode. Enable or disable including a
    generation ID in hello messages sent to neighboring PIM routers. A GenID value may be
    included for compatibility with older Cisco IOS routers.
    Default: disable

dr-priority <priority_integer>
    This keyword applies only when pim-mode is sparse-mode. Assign a priority to FortiGate DR
    candidacy. The range is from 1 to 4 294 967 294. The value is compared to that of other DR
    interfaces connected to the same network segment, and the router having the highest DR
    priority is selected to be the DR. If two DR priority values are the same, the interface
    having the highest IP address is selected.
    Default: 1

hello-holdtime <holdtime_integer>
    Specify the amount of time (in seconds) that a PIM neighbor may consider the information in
    a hello message to be valid. The range is from 1 to 65 535.
    If the hello-interval attribute is modified and the hello-holdtime attribute has never been
    set explicitly, the hello-holdtime attribute is set to 3.5 x hello-interval automatically.
    Default: 105

hello-interval <hello_integer>
    Set the amount of time (in seconds) that the FortiGate unit waits between sending hello
    messages to neighboring PIM routers. The range is from 1 to 65 535. Changing the
    hello-interval attribute may update the hello-holdtime attribute automatically.
    Default: 30

neighbour-filter <access_list_name>
    Establish or terminate adjacency with PIM neighbors having the IP addresses given in the
    specified access list. See “access-list” on page 224.
    Default: Null.

passive {enable | disable}
    Enable or disable PIM communications on the interface without affecting IGMP
    communications.
    Default: disable

pim-mode {sparse-mode | dense-mode}
    Select the PIM mode of operation:
    • Select sparse-mode to manage PIM packets through distribution trees and multicast groups.
    • Select dense-mode to enable multicast flooding.
    Default: sparse-mode

propagation-delay <delay_integer>
    This keyword is available when pim-mode is set to dense-mode.
    Specify the amount of time (in milliseconds) that the FortiGate unit waits to send
    prune-override messages. The range is from 100 to 5 000.
    Default: 500

rp-candidate {enable | disable}
    This keyword is available when pim-mode is set to sparse-mode.
    Enable or disable the FortiGate interface to offer Rendezvous Point (RP) services.
    Default: disable

rp-candidate-group <access_list_name>
    This keyword is available when rp-candidate is set to enable and pim-mode is set to
    sparse-mode.
    Specify for which multicast groups RP candidacy is advertised based on the multicast group
    prefixes given in the specified access list. See “access-list” on page 224.
    Default: Null.

rp-candidate-interval <interval_integer>
    This keyword is available when rp-candidate is set to enable and pim-mode is set to
    sparse-mode.
    Set the amount of time (in seconds) that the FortiGate unit waits between sending RP
    announcement messages. The range is from 1 to 16 383.
    Default: 60

rp-candidate-priority <priority_integer>
    This keyword is available when rp-candidate is set to enable and pim-mode is set to
    sparse-mode.
    Assign a priority to FortiGate RP candidacy. The range is from 0 to 255. The BSR compares
    the value to that of other RP candidates that can service the same multicast group, and the
    router having the highest RP priority is selected to be the RP for that multicast group. If
    two RP priority values are the same, the RP candidate having the highest IP address on its
    RP interface is selected.
    Default: 192

state-refresh-interval <refresh_integer>
    This keyword is available when pim-mode is set to dense-mode.
    This attribute is used when the FortiGate unit is connected directly to the multicast
    source. Set the amount of time (in seconds) that the FortiGate unit waits between sending
    state-refresh messages. The range is from 1 to 100. When a state-refresh message is received
    by a downstream router, the prune state on the downstream router is refreshed.
    Default: 60

ttl-threshold <ttl_integer>
    Specify the minimum Time-To-Live (TTL) value (in hops) that an outbound multicast packet
    must have in order to be forwarded from the interface. Specifying a high value (for example,
    195) prevents PIM packets from being forwarded through the interface. The range is from 0
    to 255.
    Default: 1

config join-group variables

edit address <address_ipv4>
    Cause the FortiGate interface to activate (IGMP join) the multicast group associated with
    the specified multicast group address.
    Default: No default.

config igmp variables

access-group <access_list_name>
    Specify which multicast groups hosts on the connected network segment may join based on the
    multicast addresses given in the specified access list. See “access-list” on page 224.
    Default: Null.

immediate-leave-group <access_list_name>
    This keyword applies when version is set to 2 or 3.
    Configure a FortiGate DR to stop sending traffic and IGMP queries to receivers after
    receiving an IGMP version 2 group-leave message from any member of the multicast groups
    identified in the specified access list. See “access-list” on page 224.
    Default: Null.

last-member-query-count <count_integer>
    This keyword applies when version is set to 2 or 3.
    Specify the number of times that a FortiGate DR sends an IGMP query to the last member of a
    multicast group after receiving an IGMP version 2 group-leave message.
    Default: 2

last-member-query-interval <interval_integer>
    This keyword applies when version is set to 2 or 3.
    Set the amount of time (in milliseconds) that a FortiGate DR waits for the last member of a
    multicast group to respond to an IGMP query. The range is from 1000 to 25 500. If no
    response is received before the specified time expires and the FortiGate DR has already
    sent an IGMP query last-member-query-count times, the FortiGate DR removes the member from
    the group and sends a prune message to the associated RP.
    Default: 1000

query-interval <interval_integer>
    Set the amount of time (in seconds) that a FortiGate DR waits between sending IGMP queries
    to determine which members of a multicast group are active. The range is from 1 to 65 535.
    Default: 125

query-max-response-time <time_integer>
    Set the maximum amount of time (in seconds) that a FortiGate DR waits for a member of a
    multicast group to respond to an IGMP query. The range is from 1 to 25. If no response is
    received before the specified time expires, the FortiGate DR removes the member from the
    group.
    Default: 10

query-timeout <timeout_integer>
    Set the amount of time (in seconds) that must expire before a FortiGate unit begins sending
    IGMP queries to the multicast group that is managed through the interface. The range is
    from 60 to 300. A FortiGate unit begins sending IGMP queries if it does not receive regular
    IGMP queries from another DR through the interface.
    Default: 255

router-alert-check {enable | disable}
    Enable to require the Router Alert option in IGMP packets.
    Default: disable

version {1 | 2 | 3}
    Specify the version number of IGMP to run on the interface. The value can be 1, 2, or 3.
    The value must match the version used by all other PIM routers on the connected network
    segment.
    Default: 3
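
The following Python is an added example (not Fortinet code) that checks a planned config router multicast setup against the three tables above before it is typed in: value ranges, keywords that only take effect in sparse or dense mode, class D join-group addresses, the route-threshold/route-limit relationship, and the derived 3.5 x hello-interval hold time. The hello-holdtime greater than hello-interval sanity check and the sample configuration in build_example are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List

# Value ranges and defaults from the config router multicast, config interface
# and config igmp tables above.
GLOBAL_RANGES = {"igmp-state-limit": (96, 64000),
                 "route-limit": (1, 2147483674),
                 "route-threshold": (1, 2147483674)}
INTERFACE_RANGES = {"dr-priority": (1, 4294967294), "hello-holdtime": (1, 65535),
                    "hello-interval": (1, 65535), "propagation-delay": (100, 5000),
                    "rp-candidate-interval": (1, 16383), "rp-candidate-priority": (0, 255),
                    "state-refresh-interval": (1, 100), "ttl-threshold": (0, 255)}
IGMP_RANGES = {"last-member-query-interval": (1000, 25500), "query-interval": (1, 65535),
               "query-max-response-time": (1, 25), "query-timeout": (60, 300),
               "version": (1, 3)}
SPARSE_ONLY = {"cisco-exclude-genid", "dr-priority", "rp-candidate",
               "rp-candidate-group", "rp-candidate-interval", "rp-candidate-priority"}
DENSE_ONLY = {"propagation-delay", "state-refresh-interval"}
DEFAULT_HELLO_INTERVAL = 30


def _check_range(name: str, value: int, ranges: Dict[str, tuple], errors: List[str]) -> None:
    lo, hi = ranges[name]
    if not lo <= value <= hi:
        errors.append(f"{name}={value} is outside {lo}..{hi}")


@dataclass
class PimInterface:
    name: str
    pim_mode: str = "sparse-mode"
    settings: Dict[str, int] = field(default_factory=dict)   # config interface keywords
    igmp: Dict[str, int] = field(default_factory=dict)       # config igmp keywords
    join_groups: List[str] = field(default_factory=list)     # config join-group addresses

    def effective_hello_holdtime(self) -> float:
        """hello-holdtime tracks 3.5 x hello-interval until it is set explicitly."""
        if "hello-holdtime" in self.settings:
            return float(self.settings["hello-holdtime"])
        return 3.5 * self.settings.get("hello-interval", DEFAULT_HELLO_INTERVAL)

    def validate(self) -> List[str]:
        errors: List[str] = []
        for key, value in self.settings.items():
            if key in INTERFACE_RANGES:
                _check_range(key, value, INTERFACE_RANGES, errors)
        for key, value in self.igmp.items():
            if key in IGMP_RANGES:
                _check_range(key, value, IGMP_RANGES, errors)
        # Keywords the tables tie to one PIM mode do nothing in the other mode, so
        # flag them rather than let an operator believe they took effect.
        wrong_mode = DENSE_ONLY if self.pim_mode == "sparse-mode" else SPARSE_ONLY
        for key in sorted(wrong_mode & set(self.settings)):
            errors.append(f"{key} has no effect when pim-mode is {self.pim_mode}")
        for group in self.join_groups:      # class D is 224.0.0.0 to 239.255.255.255
            if not IPv4Address(group).is_multicast:
                errors.append(f"join-group {group} is not a class D address")
        # Sanity check (an assumption, not a rule stated in the reference): a hold time
        # no longer than the hello interval lets a neighbour expire between two hellos.
        hello = self.settings.get("hello-interval", DEFAULT_HELLO_INTERVAL)
        if self.effective_hello_holdtime() <= hello:
            errors.append("hello-holdtime must exceed hello-interval")
        return errors


@dataclass
class MulticastConfig:
    multicast_routing: bool = False
    igmp_state_limit: int = 3200
    route_limit: int = 2147483674
    route_threshold: int = 2147483674
    interfaces: List[PimInterface] = field(default_factory=list)

    def validate(self) -> List[str]:
        errors: List[str] = []
        _check_range("igmp-state-limit", self.igmp_state_limit, GLOBAL_RANGES, errors)
        _check_range("route-limit", self.route_limit, GLOBAL_RANGES, errors)
        _check_range("route-threshold", self.route_threshold, GLOBAL_RANGES, errors)
        # The reference asks for threshold lower than limit; equality is tolerated here
        # because both keywords share the same factory default.
        if self.route_threshold > self.route_limit:
            errors.append("route-threshold must be lower than route-limit")
        for itf in self.interfaces:
            errors.extend(f"{itf.name}: {e}" for e in itf.validate())
        return errors


def build_example() -> MulticastConfig:
    """Constructed sample: one sparse-mode interface carrying a dense-only keyword,
    a non-multicast join-group address and a query-max-response-time out of range."""
    return MulticastConfig(
        multicast_routing=True, route_limit=10000, route_threshold=9000,
        interfaces=[PimInterface("internal", "sparse-mode",
                                 settings={"hello-interval": 20, "propagation-delay": 500},
                                 igmp={"version": 2, "query-max-response-time": 30},
                                 join_groups=["239.1.1.1", "10.0.0.1"])])


if __name__ == "__main__":
    for problem in build_example().validate():
        print(problem)
```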

config pim-sm-global
These global settings apply only to sparse mode PIM-enabled interfaces. Global PIM settings do not
override interface-specific PIM settings.
If sparse mode is enabled, you can configure a DR to send multicast packets to a particular RP by
specifying the IP address of the RP through the config rp-address subcommand. The IP address
must be directly accessible to the DR. If multicast packets from more than one multicast group can
pass through the same RP, you can use an access list to specify the associated multicast group
addresses.

Note: To send multicast packets to a particular RP using the config rp-address subcommand, the ip-
address keyword is required. All other keywords are optional.

Variables Description Default


accept-register-list Cause a FortiGate RP to accept or deny register packets Null.
<access_list_name> from the source IP addresses given in the specified access
list. See “access-list” on page 224.
bsr-allow-quick-refresh Enable or disable accepting bsr quick refresh packets from disable
{enable | disable} neighbors.
bsr-candidate {enable | Enable or disable the FortiGate unit to offer its services as a disable
disable} Boot Strap Router (BSR) when required.
bsr-priority This keyword is available when bsr-candidate is set to 0
<priority_integer> enable.
Assign a priority to FortiGate BSR candidacy. The range is
from 0 to 255. The value is compared to that of other BSR
candidates and the candidate having the highest priority is
selected to be the BSR. If two BSR priority values are the
same, the BSR candidate having the highest IP address on
its BSR interface is selected.
bsr-interface This keyword is available when bsr-candidate is set to Null.
<interface_name> enable.
Specify the name of the PIM-enabled interface through
which the FortiGate unit may announce BSR candidacy.

FortiGate CLI Version 3.0 MR6 Reference


01-30006-0015-20080205 253
multicast router

Variables Description Default


bsr-hash <hash_integer> This keyword is available when bsr-candidate is set to 10
enable.
Set the length of the mask (in bits) to apply to multicast
group addresses in order to derive a single Rendezvous
Point (RP) for one or more multicast groups. The range is
from 0 to 32. For example, a value of 24 means that the first
24 bits of the group address are significant. All multicast
groups having the same seed hash belong to the same RP.
cisco-crp-prefix {enable Enable or disable a FortiGate RP that has a group prefix disable
| disable} number of 0 to communicate with a Cisco BSR. You may
choose to enable the attribute if required for compatibility
with older Cisco BSRs.
cisco-ignore-rp-set-priority {enable | disable}
    Enable or disable a FortiGate BSR to recognize Cisco RP-SET priority values when deriving a single RP for one or more multicast groups. You may choose to enable the attribute if required for compatibility with older Cisco RPs.
    Default: disable

cisco-register-checksum {enable | disable}
    Enable or disable performing a register checksum on entire PIM packets. A register checksum is performed on the header only by default. You may choose to enable register checksums on the whole packet for compatibility with older Cisco IOS routers.
    Default: disable

cisco-register-checksum-group <access_list_name>
    This keyword is available when cisco-register-checksum is set to enable. Identify on which PIM packets to perform a whole-packet register checksum based on the multicast group addresses in the specified access list. See “access-list” on page 224. You may choose to enable register checksums on entire PIM packets for compatibility with older Cisco IOS routers.
    Default: Null

message-interval <interval_integer>
    Set the amount of time (in seconds) that the FortiGate unit waits between sending periodic PIM join/prune messages (sparse mode) or prune messages (dense mode). The value must be identical to the message interval value set on all other PIM routers in the PIM domain. The range is from 1 to 65 535.
    Default: 60

register-rate-limit <rate_integer>
    Set the maximum number of register messages per (S,G) per second that a FortiGate DR can send for each PIM entry in the routing table. The range is from 0 to 65 535, where 0 means an unlimited number of register messages per second.
    Default: 0

register-rp-reachability {enable | disable}
    Enable or disable a FortiGate DR to check if an RP is accessible prior to sending register messages.
    Default: enable

register-source {disable | interface | ip-address}
    If the FortiGate unit acts as a DR, enable or disable changing the IP source address of outbound register packets to one of the following IP addresses. The IP address must be accessible to the RP so that the RP can respond to the IP address with a Register-Stop message:
    • To retain the IP address of the FortiGate DR interface that faces the RP, select disable.
    • To change the IP source address of a register packet to the IP address of a particular FortiGate interface, select interface. The register-source-interface attribute specifies the interface name.
    • To change the IP source address of a register packet to a particular IP address, select ip-address. The register-source-ip attribute specifies the IP address.
    Default: ip-address

register-source-interface <interface_name>
    This keyword is available when register-source is set to interface. Enter the name of the FortiGate interface.
    Default: Null

register-source-ip <address_ipv4>
    This keyword is available when register-source is set to ip-address. Enter the IP source address to include in the register message.
    Default: 0.0.0.0

register-suppression <suppress_integer>
    Enter the amount of time (in seconds) that a FortiGate DR waits to start sending data to an RP after receiving a Register-Stop message from the RP. The range is from 1 to 65 535.
    Default: 60

rp-register-keepalive <keepalive_integer>
    If the FortiGate unit acts as an RP, set the frequency (in seconds) with which the FortiGate unit sends keepalive messages to a DR. The range is from 1 to 65 535. The two routers exchange keepalive messages to maintain a link for as long as the source continues to generate traffic.
    If the register-suppression attribute is modified on the RP and the rp-register-keepalive attribute has never been set explicitly, the rp-register-keepalive attribute is set to (3 x register-suppression) + 5 automatically.
    Default: 185

spt-threshold {enable | disable}
    Enable or disable the FortiGate unit to build a Shortest Path Tree (SPT) for forwarding multicast packets.
    Default: enable

spt-threshold-group <access_list_name>
    This keyword is available when spt-threshold is set to enable. Build an SPT only for the multicast group addresses given in the specified access list. See “access-list” on page 224.
    Default: Null

ssm {enable | disable}
    This keyword is available when the IGMP version is set to 3. Enable or disable Source Specific Multicast (SSM) interactions (see RFC 3569).
    Default: enable

ssm-range <access_list_name>
    This keyword is available when ssm is set to enable. Enable SSM only for the multicast addresses given in the specified access list. See “access-list” on page 224. By default, multicast addresses in the 232.0.0.0 to 232.255.255.255 (232/8) range are used to support SSM interactions.
    Default: Null

config rp-address variables
    Applies only when pim-mode is sparse-mode.

edit <rp_id>
    Enter an ID number for the static RP address entry. The number must be an integer.
    Default: No default.

ip-address <address_ipv4>
    Specify a static IP address for the RP.
    Default: 0.0.0.0

group <access_list_name>
    Configure a single static RP for the multicast group addresses given in the specified access list. See “access-list” on page 224. If an RP for any of these group addresses is already known to the BSR, the static RP address is ignored and the RP known to the BSR is used instead.
    Default: Null

Example
This example shows how to enable a FortiGate unit to support PIM routing in sparse mode and enable
BSR candidacy on the dmz interface:
config router multicast
    set multicast-routing enable
    config interface
        edit dmz
            set pim-mode sparse-mode
        end
    end
    config pim-sm-global
        set bsr-candidate enable
        set bsr-priority 1
        set bsr-interface dmz
        set bsr-hash 24
    end
This example shows how to enable RP candidacy on the port1 interface for the multicast group
addresses given through an access list named multicast_port1:
config router multicast
    set multicast-routing enable
    config interface
        edit port1
            set pim-mode sparse-mode
            set rp-candidate enable
            set rp-candidate-group multicast_port1
            set rp-candidate-priority 15
        end
    end
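As an added illustration, not code from the FortiGate CLI Reference, the following Python encodes the "available when ... is set to ..." dependencies, the defaults and the integer ranges from the pim-sm-global table above, derives rp-register-keepalive the way the table describes, and renders a config block so that a settings set can be checked before it is pushed to a unit. The helper names and the sample settings are constructed here; the IGMP-version condition on ssm is set per interface and is not modelled.

```python
# Added example, not code from the FortiGate CLI Reference: check a
# pim-sm-global settings dict against the keyword dependencies, defaults
# and integer ranges described in the table above, then render the block.

# Dependent keyword -> (keyword it depends on, value that keyword must have).
DEPENDS_ON = {
    "cisco-register-checksum-group": ("cisco-register-checksum", "enable"),
    "register-source-interface": ("register-source", "interface"),
    "register-source-ip": ("register-source", "ip-address"),
    "spt-threshold-group": ("spt-threshold", "enable"),
    "ssm-range": ("ssm", "enable"),
}
# Defaults from the table; an unset parent keyword takes its default.
DEFAULTS = {"cisco-register-checksum": "disable", "register-source": "ip-address",
            "spt-threshold": "enable", "ssm": "enable"}
# Integer keywords and the ranges the table gives for them.
INT_RANGES = {"message-interval": (1, 65535), "register-rate-limit": (0, 65535),
              "register-suppression": (1, 65535), "rp-register-keepalive": (1, 65535)}


def effective_keepalive(settings):
    """rp-register-keepalive as the RP derives it when it was never set
    explicitly: (3 x register-suppression) + 5, otherwise the default 185."""
    if "rp-register-keepalive" in settings:
        return settings["rp-register-keepalive"]
    if "register-suppression" in settings:
        return 3 * settings["register-suppression"] + 5
    return 185


def validate(settings):
    """Return a list of problems; an empty list means the block is consistent."""
    problems = []
    for key, (parent, needed) in DEPENDS_ON.items():
        if key in settings and settings.get(parent, DEFAULTS[parent]) != needed:
            problems.append(f"{key} requires {parent} {needed}")
    for key, (lo, hi) in INT_RANGES.items():
        if key in settings and not lo <= settings[key] <= hi:
            problems.append(f"{key} {settings[key]} is outside {lo}-{hi}")
    return problems


def render(settings):
    """Render the CLI block, or raise ValueError when validate() finds problems."""
    problems = validate(settings)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["config router multicast", "    config pim-sm-global"]
    lines += [f"        set {key} {value}" for key, value in settings.items()]
    return "\n".join(lines + ["    end", "end"])
```

validate() returns its findings instead of raising, so a batch of intended settings can be checked in one pass and only a clean set handed to render().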

History

FortiOS v3.0 New.

Related topics
• get router info multicast
• execute mrouter clear

ospf
Use this command to configure Open Shortest Path First (OSPF) protocol settings on the FortiGate
unit. More information on OSPF can be found in RFC 2328.
OSPF is a link state protocol capable of routing larger networks than the simpler distance vector RIP
protocol. An OSPF autonomous system (AS) or routing domain is a group of areas connected to a
backbone area. A router connected to more than one area is an area border router (ABR). Routing
information is contained in a link state database. Routing information is communicated between
routers using link state advertisements (LSAs).
Bidirectional Forwarding Detection (BFD) is a protocol used by BGP and OSPF to quickly locate hardware
failures in the network. Routers running BFD exchange messages with each other; if the timer for a
connection expires, the router at the other end is declared down. BFD passes this information to the
routing protocol, which then updates its routing information. BFD support was added in FortiOS v3.0 MR4
and can only be configured through the CLI.

Syntax
config router ospf
    set abr-type {cisco | ibm | shortcut | standard}
    set auto-cost-ref-bandwidth <mbps_integer>
    set bfd {enable | disable | global}
    set database-overflow {enable | disable}
    set database-overflow-max-lsas <lsas_integer>
    set database-overflow-time-to-recover <seconds_integer>
    set default-information-metric <metric_integer>
    set default-information-metric-type {1 | 2}
    set default-information-originate {always | disable | enable}
    set default-information-route-map <name_str>
    set default-metric <metric_integer>
    set distance <distance_integer>
    set distance-external <distance_integer>
    set distance-inter-area <distance_integer>
    set distance-intra-area <distance_integer>
    set distribute-list-in <access_list_name>
    set passive-interface <name_str>
    set restart-mode {graceful-restart | lls | none}
    set rfc1583-compatible {enable | disable}
    set router-id <address_ipv4>
    set spf-timers <delay_integer> <hold_integer>
    config area
        edit <area_address_ipv4>
            set authentication {md5 | none | text}
            set default-cost <cost_integer>
            set nssa-default-information-originate {enable | disable}
            set nssa-default-information-originate-metric <metric>
            set nssa-default-information-originate-metric-type {1 | 2}
            set nssa-redistribution {enable | disable}
            set nssa-translator-role {always | candidate | never}
            set shortcut {default | disable | enable}
            set stub-type {no-summary | summary}
            set type {nssa | regular | stub}
            config filter-list
                edit <filter-list_id>
                    set direction {in | out}
                    set list <name_str>
                end
            config range
                edit <range_id>
                    set advertise {enable | disable}
                    set prefix <address_ipv4mask>
                    set substitute <address_ipv4mask>
                    set substitute-status {enable | disable}
                end
            config virtual-link
                edit <vlink_name>
                    set authentication {md5 | none | text}
                    set authentication-key <password_str>
                    set dead-interval <seconds_integer>
                    set hello-interval <seconds_integer>
                    set md5-key <id_integer> <key_str>
                    set peer <address_ipv4>
                    set retransmit-interval <seconds_integer>
                    set transmit-delay <seconds_integer>
                end
        end
    config distribute-list
        edit <distribute-list_id>
            set access-list <name_str>
            set protocol {connected | rip | static}
        end
    end
    config neighbor
        edit <neighbor_id>
            set cost <cost_integer>
            set ip <address_ipv4>
            set poll-interval <seconds_integer>
            set priority <priority_integer>
        end
    end
    config network
        edit <network_id>
            set area <id-address_ipv4>
            set prefix <address_ipv4mask>
        end
    end
    config ospf-interface
        edit <ospf_interface_name>
            set authentication {md5 | none | text}
            set authentication-key <password_str>
            set
            set cost <cost_integer>
            set database-filter-out {enable | disable}
            set dead-interval <seconds_integer>
            set hello-interval <seconds_integer>
            set interface <name_str>
            set ip <address_ipv4>
            set md5-key <id_integer> <key_str>
            set mtu <mtu_integer>
            set mtu-ignore {enable | disable}
            set network-type <type>
            set priority <priority_integer>
            set resync-timeout <integer>
            set retransmit-interval <seconds_integer>
            set status {enable | disable}
            set transmit-delay <seconds_integer>
        end
    end
    config redistribute {bgp | connected | static | rip}
        set metric <metric_integer>
        set metric-type {1 | 2}
        set routemap <name_str>
        set status {enable | disable}
        set tag <tag_integer>
    end
    config summary-address
        edit <summary-address_id>
            set advertise {enable | disable}
            set prefix <address_ipv4mask>
            set tag <tag_integer>
        end
    end
end

config router ospf


Use this command to set the router ID of the FortiGate unit. Additional configuration options are
supported.

Note: The router-id keyword is required. All other keywords are optional.

Variables

abr-type {cisco | ibm | shortcut | standard}
    Specify the behavior of a FortiGate unit acting as an OSPF area border router (ABR) when it has multiple attached areas and has no backbone connection. Selecting the ABR type c
    Default: standard